#!/usr/bin/env bash
# Abort on the first failing command: the sshd configuration below must not be
# applied half-way.
set -e
# DEBUG=true switches on command tracing for the whole entrypoint.
case "${DEBUG}" in
  true) set -x ;;
esac
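#######################################
# Print a colourised log line.
# Arguments: $1 - level ("warning" | "error" | anything else = info); when the
#                 function is called with a single argument it is the message
#            $2 - message (optional)
# Outputs:   "[LEVEL] message" on stdout
# Returns:   0
#######################################
log() {
  local level="${1}"
  local message="${2}"
  local -r white='\033[1;37m'
  local -r yellow='\033[1;33m'
  local -r red='\033[1;31m'
  local -r no_color='\033[0m'
  local tag
  case "${level}" in
    warning) tag="${yellow}WARN${no_color}" ;;
    error) tag="${red}ERROR${no_color}" ;;
    *)
      tag="${white}INFO${no_color}"
      # a lone argument is the message, not a level
      if [[ -z "${message}" ]]; then
        message="${1}"
      fi
      ;;
  esac
  # %b expands the escape sequences of the tag only; the message is printed
  # verbatim so backslash sequences inside env-derived values (shell paths,
  # user names) cannot rewrite the log output
  printf '[%b] %s\n' "${tag}" "${message}"
}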
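#######################################
# Apply a mode and an owner to one path.
# Arguments: $1 - path
#            $2 - mode in chmod syntax (e.g. 0600)
#            $3 - owning user (name or uid)
#            $4 - owning group (name or gid)
# Returns:   non-zero when chmod or chown fails (aborts under set -e)
#######################################
ensure_mod() {
  local path="${1}"
  local mode="${2}"
  local owner="${3}"
  local group="${4}"
  # "--" stops a path beginning with "-" from being read as an option
  chmod -- "${mode}" "${path}"
  chown -- "${owner}:${group}" "${path}"
}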
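#######################################
# Print 16 random bytes from /dev/urandom as exactly 32 lowercase hex
# characters, without a trailing newline.
# Outputs:   the hex string on stdout
#######################################
generate_passwd() {
  # "16/1" formats every byte on its own; a bare "%02x" formats 4-byte words
  # and drops their leading zeros, so the length would vary between 8 and 32
  # characters. -v disables hexdump's duplicate-line suppression ("*").
  hexdump -v -e '16/1 "%02x"' -n 16 /dev/urandom
}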
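#######################################
# Rewrite one sshd_config directive in place.
# Both a commented-out "#Key value" line and an explicit "Key value" line are
# replaced, so a directive that is already set in a mounted config is
# overridden rather than left in place (a "#Key" pattern only ever touches
# the commented default). A config that lacks the directive entirely is left
# untouched and sshd's own default applies.
# Arguments: $1 - directive name, $2 - value, $3 - config path (optional)
#######################################
set_sshd_option() {
  local key="${1}"
  local value="${2}"
  local config="${3:-/etc/ssh/sshd_config}"
  sed -i "s/^[[:space:]]*#*${key}.*/${key} ${value}/" "${config}"
}

# accepted shapes of the SSH_USERS fields; a name may not start with "-" so it
# cannot be taken for an option by addgroup/adduser, ids must be numeric
readonly USER_NAME_RE='^[A-Za-z0-9_][A-Za-z0-9_.-]*$'
readonly USER_ID_RE='^[0-9]+$'

# ensure backward compatibility for earlier versions of this image
if [[ "${KEYPAIR_LOGIN}" == "true" ]]; then
  ROOT_KEYPAIR_LOGIN_ENABLED="${KEYPAIR_LOGIN}"
fi
# a given password or an enabled keypair login both imply an unlocked root
if [[ -n "${ROOT_PASSWORD}" || "${ROOT_KEYPAIR_LOGIN_ENABLED}" == "true" ]]; then
  ROOT_LOGIN_UNLOCKED="true"
fi

# initiate default sshd-config if there is none available; ":?" aborts when
# the cache variable is unset instead of expanding to "cp -a /* /etc/ssh"
if [[ -z "$(ls -A /etc/ssh)" ]]; then
  cp -a "${CACHED_SSH_DIRECTORY:?CACHED_SSH_DIRECTORY must be set}"/* /etc/ssh/.
fi
rm -rf -- "${CACHED_SSH_DIRECTORY:?CACHED_SSH_DIRECTORY must be set}"
# generate host keys if not present
ssh-keygen -A 1>/dev/null

log "Applying configuration for 'root' user ..."
if [[ "${ROOT_LOGIN_UNLOCKED}" == "true" ]]; then
  # generate random root password; it is only piped into chpasswd and never
  # logged, so with keypair login disabled root stays unreachable by password
  # until ROOT_PASSWORD is supplied explicitly
  if [[ -z "${ROOT_PASSWORD}" ]]; then
    log " generating random password for user 'root'"
    ROOT_PASSWORD="$(generate_passwd)"
  fi
  # suspend tracing while the password is on a command line, otherwise
  # DEBUG=true prints it to stderr
  { set +x; } 2>/dev/null
  printf 'root:%s\n' "${ROOT_PASSWORD}" | chpasswd &>/dev/null
  if [[ "${DEBUG}" == "true" ]]; then set -x; fi
  log " password for user 'root' set"
  log "warning" " user 'root' is now UNLOCKED"
  # set root login mode by password or keypair
  if [[ "${ROOT_KEYPAIR_LOGIN_ENABLED}" == "true" && -f "${HOME}/.ssh/authorized_keys" ]]; then
    set_sshd_option PermitRootLogin without-password
    # NOTE: a top-level PasswordAuthentication directive applies to every
    # account, so this also turns off password login for the SSH_USERS
    set_sshd_option PasswordAuthentication no
    ensure_mod "${HOME}/.ssh/authorized_keys" "0600" "root" "root"
    log " enabled login by keypair and disabled password-login for user 'root'"
  else
    set_sshd_option PermitRootLogin yes
    log " enabled login by password for user 'root'"
  fi
else
  set_sshd_option PermitRootLogin no
  log " disabled login for user 'root'"
  log " user 'root' is now LOCKED"
fi
printf "\n"

log "Applying configuration for additional users ..."
if [[ ! -x "${USER_LOGIN_SHELL}" ]]; then
  log "error" " can not allocate desired shell '${USER_LOGIN_SHELL}', falling back to '${USER_LOGIN_SHELL_FALLBACK}' ..."
  USER_LOGIN_SHELL="${USER_LOGIN_SHELL_FALLBACK}"
fi
log " desired shell is ${USER_LOGIN_SHELL}"
if [[ -n "${SSH_USERS}" ]]; then
  # split "name:uid:gid,name:uid:gid,..." into an array; newlines are treated
  # like commas. IFS is scoped to the read, the global value stays untouched.
  IFS="," read -r -a USER_ENTRIES <<<"${SSH_USERS//$'\n'/,}"
  for USER_ENTRY in "${USER_ENTRIES[@]}"; do
    log " '${USER_ENTRY}'"
    # a missing field stays empty here, whereas "cut" would echo the whole
    # entry for a line without any ":" delimiter
    IFS=":" read -r USER_NAME USER_UID USER_GID _rest <<<"${USER_ENTRY}"
    if [[ ! "${USER_NAME}" =~ ${USER_NAME_RE} || ! "${USER_UID}" =~ ${USER_ID_RE} || ! "${USER_GID}" =~ ${USER_ID_RE} ]]; then
      log "error" " skipping invalid data '${USER_NAME}' - UID: '${USER_UID}' GID: '${USER_GID}'"
      continue
    fi
    USER_GROUP="${USER_NAME}"
    # one lookup serves both the existence check and the group-name read
    EXISTING_GROUP="$(getent group "${USER_GID}" 2>/dev/null | cut -d ':' -f 1)"
    if [[ -n "${EXISTING_GROUP}" ]]; then
      USER_GROUP="${EXISTING_GROUP}"
      log "warning" " desired GID is already present in system. Using the present group-name - GID: '${USER_GID}' GNAME: '${USER_GROUP}'"
    else
      addgroup -g "${USER_GID}" "${USER_GROUP}"
    fi
    if getent passwd "${USER_NAME}" &>/dev/null; then
      log "warning" " desired USER_NAME is already present in system. Skipping creation - USER_NAME: '${USER_NAME}'"
    else
      adduser -s "${USER_LOGIN_SHELL}" -D -u "${USER_UID}" -G "${USER_GROUP}" "${USER_NAME}"
      log " user '${USER_NAME}' created - UID: '${USER_UID}' GID: '${USER_GID}' GNAME: '${USER_GROUP}'"
    fi
    # best-effort unlock; presumably fails when the account is already
    # unlocked, which is not an error here
    passwd -u "${USER_NAME}" &>/dev/null || true
    USER_HOME="/home/${USER_NAME}"
    mkdir -p "${USER_HOME}/.ssh"
    # ~/.ssh is private to the user so sshd's StrictModes checks pass and the
    # user can manage the directory
    ensure_mod "${USER_HOME}/.ssh" "0700" "${USER_NAME}" "${USER_GID}"
    MOUNTED_AUTHORIZED_KEYS="${AUTHORIZED_KEYS_VOLUME}/${USER_NAME}"
    LOCAL_AUTHORIZED_KEYS="${USER_HOME}/.ssh/authorized_keys"
    if [[ ! -e "${MOUNTED_AUTHORIZED_KEYS}" ]]; then
      log "warning" " no SSH authorized_keys found for user '${USER_NAME}'"
    else
      cp -- "${MOUNTED_AUTHORIZED_KEYS}" "${LOCAL_AUTHORIZED_KEYS}"
      log " copied ${MOUNTED_AUTHORIZED_KEYS} to ${LOCAL_AUTHORIZED_KEYS}"
      ensure_mod "${LOCAL_AUTHORIZED_KEYS}" "0600" "${USER_NAME}" "${USER_GID}"
      log " set mod 0600 on ${LOCAL_AUTHORIZED_KEYS}"
    fi
    printf "\n"
  done
else
  log " no additional SSH-users set"
fi
echo ""
# do not detach (-D), log to stderr (-e), passthrough other arguments
exec /usr/sbin/sshd -D -e "$@"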