Merge pull request #56 from panubo/feature/ssh-only-mode

Feature/ssh only mode / Alpine upgrade
panubo · Aug 28, 2020 · 79a23b4 · 79a23b4
2 parents 3df7210 + 55d24e9
commit 79a23b4
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 14 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.11
+FROM alpine:3.12
 
 RUN apk update && \
     apk add bash git openssh rsync augeas shadow rssh && \

diff --git a/README.md b/README.md
@@ -17,26 +17,31 @@ Configure the container with the following environment variables or optionally m
 
 - `GATEWAY_PORTS` if "true" sshd will allow gateway ports
 - `TCP_FORWARDING` if "true" sshd will allow TCP forwarding
+- `DISABLE_SFTP` if "true" sshd will not accept sftp connections. Note: This does not
+prevent file access unless you define a restricted shell for each user that prevents executing
+programs that grant file access.
 
-The following three optional modes, SFTP, SCP and Rsync are mutually exclusive. Only one can be
-enabled at a time:
+### Restricted Modes
 
-### SFTP Only
+The following three restricted modes, SFTP only, SCP only and Rsync only are mutually exclusive. If no mode is defined,
+then all connection types will be accepted. Only one mode can be enabled at a time:
+
+#### SFTP Only
 
 - `SFTP_MODE` if "true" sshd will only accept sftp connections
 - `SFTP_CHROOT` if in sftp only mode sftp will be chrooted to this directory. Default "/data"
 
-### SCP Only
+#### SCP Only
 
 - `SCP_MODE` if "true" sshd will only accept scp connections (uses rssh)
 
-### Rsync Only
+#### Rsync Only
 
 - `RSYNC_MODE` if "true" sshd will only accept rsync connections (uses rssh)
 
 ## SSH Host Keys
 
-SSH uses host keys to identify the server. To avoid receiving security warning the host keys should be mounted on an external volume.
+SSH uses host keys to identify the server. To avoid receiving a security warning the host keys should be mounted on an external volume.
 
 By default this image will create new host keys in `/etc/ssh/keys` which should be mounted on an external volume. If you are using existing keys and they are mounted in `/etc/ssh` this image will use the default host key location making this image compatible with existing setups.
 

diff --git a/entry.sh b/entry.sh
@@ -132,8 +132,7 @@ else
     echo "INFO: password authentication is disabled by default. Set SSH_ENABLE_PASSWORD_AUTH=true to enable."
 fi
 
-# SFTP only mode
-if [[ "${SFTP_MODE}" == "true" ]]; then
+configure_sftp_only_mode() {
     echo "INFO: configuring sftp only mode"
     : ${SFTP_CHROOT:='/data'}
     chown 0:0 ${SFTP_CHROOT}
@@ -146,23 +145,29 @@ if [[ "${SFTP_MODE}" == "true" ]]; then
         'set /files/etc/ssh/sshd_config/ForceCommand internal-sftp' \
         "set /files/etc/ssh/sshd_config/ChrootDirectory ${SFTP_CHROOT}" \
     | augtool -s 1> /dev/null
-elif [[ "${SCP_MODE}" == "true" ]]; then
-  echo "INFO: configuring scp only mode"
+}
+
+configure_scp_only_mode() {
+    echo "INFO: configuring scp only mode"
     USERS=$(echo $SSH_USERS | tr "," "\n")
     for U in $USERS; do
         _NAME=$(echo "${U}" | cut -d: -f1)
         usermod -s '/usr/bin/rssh' ${_NAME}
     done
     (grep '^[a-zA-Z]' /etc/rssh.conf.default; echo "allowscp") > /etc/rssh.conf
-elif [[ "${RSYNC_MODE}" == "true" ]]; then
-  echo "INFO: configuring rsync only mode"
+}
+
+configure_rsync_only_mode() {
+    echo "INFO: configuring rsync only mode"
     USERS=$(echo $SSH_USERS | tr "," "\n")
     for U in $USERS; do
         _NAME=$(echo "${U}" | cut -d: -f1)
         usermod -s '/usr/bin/rssh' ${_NAME}
     done
     (grep '^[a-zA-Z]' /etc/rssh.conf.default; echo "allowrsync") > /etc/rssh.conf
-else
+}
+
+configure_ssh_options() {
     # Enable AllowTcpForwarding
     if [[ "${TCP_FORWARDING}" == "true" ]]; then
         echo 'set /files/etc/ssh/sshd_config/AllowTcpForwarding yes' | augtool -s 1> /dev/null
@@ -171,6 +176,24 @@ else
     if [[ "${GATEWAY_PORTS}" == "true" ]]; then
         echo 'set /files/etc/ssh/sshd_config/GatewayPorts yes' | augtool -s 1> /dev/null
     fi
+    # Disable SFTP
+    if [[ "${DISABLE_SFTP}" == "true" ]]; then
+        printf '%s\n' \
+            'rm /files/etc/ssh/sshd_config/Subsystem/sftp' \
+            'rm /files/etc/ssh/sshd_config/Subsystem' \
+        | augtool -s 1> /dev/null
+    fi
+}
+
+# Configure mutually exclusive modes
+if [[ "${SFTP_MODE}" == "true" ]]; then
+    configure_sftp_only_mode
+elif [[ "${SCP_MODE}" == "true" ]]; then
+    configure_scp_only_mode
+elif [[ "${RSYNC_MODE}" == "true" ]]; then
+    configure_rsync_only_mode
+else
+    configure_ssh_options
 fi
 
 # Run scripts in /etc/entrypoint.d