Merge branch 'dev' into 'master'

Add configuration via ENV and general improvements

See merge request docker/bastion!4

Author: binlab

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.8
+FROM alpine:3.9
 
 LABEL maintainer="Mark <mark.binlab@gmail.com>"
 
@@ -9,22 +9,25 @@ ARG GROUP=bastion
 ARG UID=4096
 ARG GID=4096
 
+ENV HOST_KEYS_PATH_PREFIX="/usr"
+ENV HOST_KEYS_PATH="${HOST_KEYS_PATH_PREFIX}/etc/ssh"
+
+COPY bastion /usr/sbin/bastion
+
 RUN addgroup -S -g ${GID} ${GROUP} \
     && adduser -D -h ${HOME} -s /bin/ash -g "${USER} service" \
            -u ${UID} -G ${GROUP} ${USER} \
     && sed -i "s/${USER}:!/${USER}:*/g" /etc/shadow \
     && set -x \
-    && apk add --no-cache openssh-server
+    && apk add --no-cache openssh-server \
+    && echo "Welcome to Bastion!" > /etc/motd \
+    && chmod +x /usr/sbin/bastion \
+    && mkdir -p ${HOST_KEYS_PATH} \
+    && mkdir /etc/ssh/auth_principals \
+    && echo "bastion" > /etc/ssh/auth_principals/bastion
 
 EXPOSE 22/tcp
 
-VOLUME /etc/ssh
+VOLUME ${HOST_KEYS_PATH}
 
-CMD /usr/bin/ssh-keygen -A \
-    && /usr/sbin/sshd -D -e -4 \
-        -o AuthorizedKeysFile=authorized_keys \
-        -o PubkeyAuthentication=yes \
-        -o PasswordAuthentication=no \
-        -o PermitEmptyPasswords=no \
-        -o PermitRootLogin=no \
-        -o GatewayPorts=yes
+ENTRYPOINT ["bastion"]

README.md

@@ -11,7 +11,7 @@ and usually involves access from untrusted networks orcomputers.
 
 ---
 
-![AWS Bastion](https://dmhnzl5mp9mj6.cloudfront.net/security_awsblog/images/NM_diagram_061316_a.png)
+![AWS Bastion](docs/bastion_host.png)
 
 ## Useful cases
 
@@ -22,6 +22,24 @@ behind a `NAT`. This image based on `Alpine Linux` last version.
 
 ## Usage
 
+###  Describing ENV variables
+
+* `PUBKEY_AUTHENTICATION [true | false]` - Specifies whether public key authentication is allowed. The default is `true`. Note that this option applies to protocol version 2 only.
+
+* `AUTHORIZED_KEYS [/relative/or/not/path/to/file]` - Specifies the file that contains the public keys that can be used for user authentication. `AUTHORIZED_KEYS` may contain tokens of the form `%T` which are substituted during connection setup. The following tokens are defined: `%%` is replaced by a literal `%`, `%h` is replaced by the home directory of the user being authenticated, and `%u` is replaced by the username of that user. After expansion, `AUTHORIZED_KEYS` is taken to be an absolute path or one relative to the user's home directory. The default file is `authorized_keys` and the default home directory is `/var/lib/bastion` and should be present by Docker volume mount by `-v $PWD/authorized_keys:/var/lib/bastion/authorized_keys:ro`.
+
+* `TRUSTED_USER_CA_KEYS [/full/path/to/file]` - Specifies a file containing public keys of certificate authorities that are trusted to sign user certificates for authentication, or none to not use one. Keys are listed one per line; empty lines and comments starting with `#` are allowed. If a certificate is presented for authentication and has its signing CA key listed in this file, then it may be used for authentication for any user listed in the certificate's principals list. Note that certificates that lack a list of principals will not be permitted for authentication using `TRUSTED_USER_CA_KEYS`. Directive `AuthorizedPrincipalsFile` hardcoded to `/etc/ssh/auth_principals/%u` and in time of build and generated one principals file for presented user - `/etc/ssh/auth_principals/bastion` with the one row `bastion`, and this principal should be listed in the certificate's principals list.
+
+* `GATEWAY_PORTS [true | false]` - Specifies whether remote hosts are allowed to connect to ports forwarded for the client. By default, `sshd` binds remote port forwardings to the loopback address. This prevents other remote hosts from connecting to forwarded ports. `GATEWAY_PORTS` can be used to specify that `sshd` should allow remote port forwardings to bind to non-loopback addresses, thus allowing other hosts to connect. The argument may be `false` to force remote port forwardings to be available to the local host only, `true` to force remote port forwardings to bind to the wildcard address. The default is `false`.
+
+* `PERMIT_TUNNEL [true | false]` - Specifies whether `tun` device forwarding is allowed. The argument must be `true` or `false`. Specifying `true` permits both `point-to-point` (layer 3) and `ethernet` (layer 2). The default is `false`.
+
+* `X11_FORWARDING [true | false]` - Specifies whether `X11` forwarding is permitted. The argument must be `true` or `false`. The default is `false`.
+
+* `TCP_FORWARDING [true | false]` - Specifies whether `TCP` forwarding is permitted. The default is `true`. Note that disabling `TCP` forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
+
+* `AGENT_FORWARDING [true | false]` - Specifies whether `ssh-agent` forwarding is permitted. The default is `true`. Note that disabling agent forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders.
+
 ###  Run Bastion and `expose` port `22222` to outside a host machine
 
 The container assumes your `authorized_keys` file with `644` permissions and mounted under `/var/lib/bastion/authorized_keys`.
@@ -34,17 +52,23 @@ $ docker run -d \
     --name bastion \
     --hostname bastion \
     --restart unless-stopped \
-    -v ./.bastion_keys:/var/lib/bastion/authorized_keys:ro \
-    -v bastion:/etc/ssh:rw
-    --add-host docker-host:172.17.0.1
+    -v $PWD/authorized_keys:/var/lib/bastion/authorized_keys:ro \
+    -v bastion:/usr/etc/ssh:rw \
+    --add-host docker-host:172.17.0.1 \
     -p 22222:22/tcp \
+    -e "PUBKEY_AUTHENTICATION=true" \
+    -e "GATEWAY_PORTS=false" \
+    -e "PERMIT_TUNNEL=false" \
+    -e "X11_FORWARDING=false" \
+    -e "TCP_FORWARDING=true" \
+    -e "AGENT_FORWARDING=true" \
     binlab/bastion
 ```
 
 Docker-compose example:
 
 ```yaml
-version: '3.3'
+version: "3.6"
 services:
   bastion:
     image: binlab/bastion
@@ -55,9 +79,16 @@ services:
       - 22/tcp
     ports:
       - 22222:22/tcp
+    environment:
+      PUBKEY_AUTHENTICATION: "true"
+      GATEWAY_PORTS: "false"
+      PERMIT_TUNNEL: "false"
+      X11_FORWARDING: "false"
+      TCP_FORWARDING: "true"
+      AGENT_FORWARDING: "true"
     volumes:
-      - ./.bastion_keys:/var/lib/bastion/authorized_keys:ro
-      - bastion:/etc/ssh:rw
+      - $PWD/authorized_keys:/var/lib/bastion/authorized_keys:ro
+      - bastion:/usr/etc/ssh:rw
     extra_hosts:
       - docker-host:172.17.0.1
     networks:
@@ -101,7 +132,7 @@ $ ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -f $HOME/.ssh/id_rsa
 * Add `rsa` public key to `.bastion_keys` file
 
 ```shell
-$ cat $HOME/.ssh/id_rsa.pub > ./.bastion_keys
+$ cat $HOME/.ssh/id_rsa.pub > $PWD/.bastion_keys
 ```
 
 * Run [`docker-compose.yml`](docker-compose.yml) configuration - `bastion` & `docker-ssh`

bastion

@@ -0,0 +1,73 @@
+#!/usr/bin/env sh
+
+HOST_KEYS_PATH_PREFIX="${HOST_KEYS_PATH_PREFIX:='/'}"
+HOST_KEYS_PATH="${HOST_KEYS_PATH:='/etc/ssh'}"
+
+if [ "$PUBKEY_AUTHENTICATION" == "false" ]; then
+    CONFIG_PUBKEY_AUTHENTICATION="-o PubkeyAuthentication=no"
+else
+    CONFIG_PUBKEY_AUTHENTICATION="-o PubkeyAuthentication=yes"
+fi
+
+if [ -n "$AUTHORIZED_KEYS" ]; then
+    CONFIG_AUTHORIZED_KEYS="-o AuthorizedKeysFile=$AUTHORIZED_KEYS"
+else
+    CONFIG_AUTHORIZED_KEYS="-o AuthorizedKeysFile=authorized_keys"
+fi
+
+if [ -n "$TRUSTED_USER_CA_KEYS" ]; then
+    CONFIG_TRUSTED_USER_CA_KEYS="-o TrustedUserCAKeys=$TRUSTED_USER_CA_KEYS"
+    CONFIG_AUTHORIZED_PRINCIPALS_FILE="-o AuthorizedPrincipalsFile=/etc/ssh/auth_principals/%u"
+fi
+
+if [ "$GATEWAY_PORTS" == "true" ]; then
+    CONFIG_GATEWAY_PORTS="-o GatewayPorts=yes"
+else
+    CONFIG_GATEWAY_PORTS="-o GatewayPorts=no"
+fi
+
+if [ "$PERMIT_TUNNEL" == "true" ]; then
+    CONFIG_PERMIT_TUNNEL="-o PermitTunnel=yes"
+else
+    CONFIG_PERMIT_TUNNEL="-o PermitTunnel=no"
+fi
+
+if [ "$X11_FORWARDING" == "true" ]; then
+    CONFIG_X11_FORWARDING="-o X11Forwarding=yes"
+else
+    CONFIG_X11_FORWARDING="-o X11Forwarding=no"
+fi
+
+if [ "$TCP_FORWARDING" == "false" ]; then
+    CONFIG_TCP_FORWARDING="-o AllowTcpForwarding=no"
+else
+    CONFIG_TCP_FORWARDING="-o AllowTcpForwarding=yes"
+fi
+
+if [ "$AGENT_FORWARDING" == "false" ]; then
+    CONFIG_AGENT_FORWARDING="-o AllowAgentForwarding=no"
+else
+    CONFIG_AGENT_FORWARDING="-o AllowAgentForwarding=yes"
+fi
+
+if [ ! -f "$HOST_KEYS_PATH/ssh_host_rsa_key" ]; then
+    /usr/bin/ssh-keygen -A -f "$HOST_KEYS_PATH_PREFIX"
+fi
+
+/usr/sbin/sshd -D -e -4 \
+    -o "HostKey=$HOST_KEYS_PATH/ssh_host_rsa_key" \
+    -o "HostKey=$HOST_KEYS_PATH/ssh_host_dsa_key" \
+    -o "HostKey=$HOST_KEYS_PATH/ssh_host_ecdsa_key" \
+    -o "HostKey=$HOST_KEYS_PATH/ssh_host_ed25519_key" \
+    -o "PasswordAuthentication=no" \
+    -o "PermitEmptyPasswords=no" \
+    -o "PermitRootLogin=no" \
+    $CONFIG_PUBKEY_AUTHENTICATION \
+    $CONFIG_AUTHORIZED_KEYS \
+    $CONFIG_GATEWAY_PORTS \
+    $CONFIG_PERMIT_TUNNEL \
+    $CONFIG_X11_FORWARDING \
+    $CONFIG_AGENT_FORWARDING \
+    $CONFIG_TCP_FORWARDING \
+    $CONFIG_TRUSTED_USER_CA_KEYS \
+    $CONFIG_AUTHORIZED_PRINCIPALS_FILE

docker-compose.yml

@@ -1,4 +1,4 @@
-version: '3.3'
+version: "3.6"
 services:
   bastion:
     image: binlab/bastion
@@ -10,8 +10,8 @@ services:
     ports:
       - 22222:22/tcp
     volumes:
-      - ./.bastion_keys:/var/lib/bastion/authorized_keys:ro
-      - bastion:/etc/ssh:rw
+      - $PWD/authorized_keys:/var/lib/bastion/authorized_keys:ro
+      - bastion:/usr/etc/ssh:rw
     extra_hosts:
       - docker-host:172.17.0.1
     networks:
@@ -25,8 +25,8 @@ services:
     expose:
       - 22/tcp
     volumes:
-      - ./.bastion_keys:/var/lib/bastion/authorized_keys:ro
-      - docker-ssh:/etc/ssh:rw
+      - $PWD/authorized_keys:/var/lib/bastion/authorized_keys:ro
+      - docker-ssh:/usr/etc/ssh:rw
     networks:
       - bastion