From 57c9c24932be433b1a332c75515b65f0d0bb632e Mon Sep 17 00:00:00 2001
From: "Kenneth P. Salerno"
Date: Tue, 31 Dec 2024 06:47:09 -0500
Subject: [PATCH 1/4] Fixes ssh to Debian 12.8 container: 1) enable quiet login by removing /etc/update-motd.d/10-uname and truncating /etc/motd 2) modify PAM sshd session setting making pam_loginuid module optional
---
 debian/Dockerfile | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/debian/Dockerfile b/debian/Dockerfile
index 4d0ed222..255ed37f 100644
--- a/debian/Dockerfile
+++ b/debian/Dockerfile
@@ -98,6 +98,13 @@ RUN sed -i /etc/ssh/sshd_config \
 -e 's/#LogLevel.*/LogLevel INFO/' && \
 mkdir /var/run/sshd
 
+# modify PAM to allow SSH access to container
+RUN sed -i 's/\(session\s*\)required\(\s*pam_loginuid.so\)/\1optional\2/' \
+ /etc/pam.d/sshd
+
+# remove motd to have quiet login
+RUN rm -f /etc/update-motd.d/10-uname; cat /dev/null >/etc/motd
+
 # VOLUME directive must happen after setting up permissions and content
 VOLUME "${AGENT_WORKDIR}" "${JENKINS_AGENT_HOME}"/.jenkins "/tmp" "/run" "/var/run"
 WORKDIR "${JENKINS_AGENT_HOME}"

From 8df3a7d8972edb0d15d1d5125b89f6ee6f0218e7 Mon Sep 17 00:00:00 2001
From: "Kenneth P. Salerno"
Date: Tue, 31 Dec 2024 10:08:32 -0500
Subject: [PATCH 2/4] Merge the three SSH setup RUN blocks together
---
 debian/Dockerfile | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/debian/Dockerfile b/debian/Dockerfile
index 255ed37f..80521aa4 100644
--- a/debian/Dockerfile
+++ b/debian/Dockerfile
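Review bot: The added `sed -i` on /etc/pam.d/sshd has no check that the `pam_loginuid` pattern actually matched, so if Debian ever changes the spacing or wording of that line the build still succeeds with the module left `required` and the problem only surfaces as a failed ssh login at runtime; the same applies to the rewritten sed in patches 2, 3 and 4. Append a verification to the chain, e.g. `grep -q '^session[[:space:]]*optional[[:space:]]*pam_loginuid\.so' /etc/pam.d/sshd`, so a non-matching substitution fails the image build instead. The comment `# modify PAM to allow SSH access to container` should also state the reason rather than the effect; per the series description the module needs CAP_AUDIT_CONTROL, which the container does not grant, so something like `# pam_loginuid needs CAP_AUDIT_CONTROL, which this container lacks; make it optional so sshd sessions can open` tells the next maintainer why the weakening is acceptable here.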
@@ -96,14 +96,10 @@ RUN sed -i /etc/ssh/sshd_config \
 -e 's/#PasswordAuthentication.*/PasswordAuthentication no/' \
 -e 's/#SyslogFacility.*/SyslogFacility AUTH/' \
 -e 's/#LogLevel.*/LogLevel INFO/' && \
- mkdir /var/run/sshd
-
-# modify PAM to allow SSH access to container
-RUN sed -i 's/\(session\s*\)required\(\s*pam_loginuid.so\)/\1optional\2/' \
- /etc/pam.d/sshd
-
-# remove motd to have quiet login
-RUN rm -f /etc/update-motd.d/10-uname; cat /dev/null >/etc/motd
+ mkdir /var/run/sshd; \
+ sed -i 's/\(session\s*\)required\(\s*pam_loginuid.so\)/\1optional\2/' \
+ /etc/pam.d/sshd; \
+ rm -f /etc/update-motd.d/10-uname; cat /dev/null >/etc/motd
 
 # VOLUME directive must happen after setting up permissions and content
 VOLUME "${AGENT_WORKDIR}" "${JENKINS_AGENT_HOME}"/.jenkins "/tmp" "/run" "/var/run"

From 6218992986cfe55f5b8aa14753e0df9fd90dd248 Mon Sep 17 00:00:00 2001
From: "Kenneth P. Salerno"
Date: Tue, 31 Dec 2024 10:14:01 -0500
Subject: [PATCH 3/4] Converting command separation from ';' to conditional '&&' to carry over return codes
---
 debian/Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/debian/Dockerfile b/debian/Dockerfile
index 80521aa4..22a7403b 100644
--- a/debian/Dockerfile
+++ b/debian/Dockerfile
@@ -96,10 +96,10 @@ RUN sed -i /etc/ssh/sshd_config \
 -e 's/#PasswordAuthentication.*/PasswordAuthentication no/' \
 -e 's/#SyslogFacility.*/SyslogFacility AUTH/' \
 -e 's/#LogLevel.*/LogLevel INFO/' && \
- mkdir /var/run/sshd; \
+ mkdir /var/run/sshd && \
 sed -i 's/\(session\s*\)required\(\s*pam_loginuid.so\)/\1optional\2/' \
- /etc/pam.d/sshd; \
- rm -f /etc/update-motd.d/10-uname; cat /dev/null >/etc/motd
+ /etc/pam.d/sshd && \
+ rm -f /etc/update-motd.d/10-uname && cat /dev/null >/etc/motd
 
 # VOLUME directive must happen after setting up permissions and content
 VOLUME "${AGENT_WORKDIR}" "${JENKINS_AGENT_HOME}"/.jenkins "/tmp" "/run" "/var/run"

From a13f9c8170135e0ac0dfe843c28753caf4e9ad7c Mon Sep 17 00:00:00 2001
From: "Kenneth P. Salerno"
Date: Wed, 1 Jan 2025 19:38:48 -0500
Subject: [PATCH 4/4] Sticking to style and convention in this Dockerfile, implementing in a more elegant way the following: 1) Quiet login: disabling motd in PAM 2) enabling dropping of privileges in container: remove the requirement for CAP_AUDIT_CONTROL in PAM for SSH login
---
 debian/Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/debian/Dockerfile b/debian/Dockerfile
index 22a7403b..cc4d66c1 100644
--- a/debian/Dockerfile
+++ b/debian/Dockerfile
@@ -97,9 +97,9 @@ RUN sed -i /etc/ssh/sshd_config \
 -e 's/#SyslogFacility.*/SyslogFacility AUTH/' \
 -e 's/#LogLevel.*/LogLevel INFO/' && \
 mkdir /var/run/sshd && \
- sed -i 's/\(session\s*\)required\(\s*pam_loginuid.so\)/\1optional\2/' \
- /etc/pam.d/sshd && \
- rm -f /etc/update-motd.d/10-uname && cat /dev/null >/etc/motd
+ sed -i /etc/pam.d/sshd \
+ -e 's/\(session\s*\)required\(\s*pam_loginuid.so\)/\1optional\2/' \
+ -e '/pam_motd/s/^/#/'
 
 # VOLUME directive must happen after setting up permissions and content
 VOLUME "${AGENT_WORKDIR}" "${JENKINS_AGENT_HOME}"/.jenkins "/tmp" "/run" "/var/run"
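Review bot: The final RUN chain now alters two PAM session modules with no comment in the file, and the only explanation of why lives in this commit message; add above the `sed -i /etc/pam.d/sshd \` line a comment such as `# pam_loginuid needs CAP_AUDIT_CONTROL, which this container lacks, so make it optional; pam_motd is disabled for a quiet login`. It is worth stating there as well that with pam_loginuid optional an SSH session opens even when the login UID cannot be recorded, so audit-based attribution of sessions in this image should not be relied on. The second expression `/pam_motd/s/^/#/` prefixes every line that mentions pam_motd, including lines that are already comments, and would stack another `#` if the step were ever run against an already-patched file; `/^[^#].*pam_motd/s/^/#/` limits it to active entries and keeps it idempotent. The enclosing RUN instruction starts before the hunk.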