forked from binlab/docker-bastion
-
Notifications
You must be signed in to change notification settings - Fork 0
/
bastion
138 lines (117 loc) · 3.69 KB
/
bastion
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
#!/usr/bin/env sh
export SETUP_KEYS_PATH="${SETUP_KEYS_PATH:=/etc/bastion/ssh-keys}"
if [ -f "$SETUP_KEYS_PATH" ] || [ -L "$SETUP_KEYS_PATH" ]; then
/usr/sbin/setup-keys.sh
fi
unset SETUP_KEYS_PATH
HOST_KEYS_PATH_PREFIX="${HOST_KEYS_PATH_PREFIX:=/}"
HOST_KEYS_PATH="${HOST_KEYS_PATH:=/etc/ssh}"
if [ "$PUBKEY_AUTHENTICATION" == "false" ]; then
CONFIG_PUBKEY_AUTHENTICATION="-o PubkeyAuthentication=no"
else
CONFIG_PUBKEY_AUTHENTICATION="-o PubkeyAuthentication=yes"
fi
if [ -n "$AUTHORIZED_KEYS" ]; then
CONFIG_AUTHORIZED_KEYS="-o AuthorizedKeysFile=$AUTHORIZED_KEYS"
else
CONFIG_AUTHORIZED_KEYS="-o AuthorizedKeysFile=authorized_keys"
fi
if [ -n "$TRUSTED_USER_CA_KEYS" ]; then
CONFIG_TRUSTED_USER_CA_KEYS="-o TrustedUserCAKeys=$TRUSTED_USER_CA_KEYS"
CONFIG_AUTHORIZED_PRINCIPALS_FILE="-o AuthorizedPrincipalsFile=/etc/ssh/auth_principals/%u"
fi
if [ "$GATEWAY_PORTS" == "true" ]; then
CONFIG_GATEWAY_PORTS="-o GatewayPorts=yes"
else
CONFIG_GATEWAY_PORTS="-o GatewayPorts=no"
fi
if [ "$PERMIT_TUNNEL" == "true" ]; then
CONFIG_PERMIT_TUNNEL="-o PermitTunnel=yes"
else
CONFIG_PERMIT_TUNNEL="-o PermitTunnel=no"
fi
if [ "$X11_FORWARDING" == "true" ]; then
CONFIG_X11_FORWARDING="-o X11Forwarding=yes"
else
CONFIG_X11_FORWARDING="-o X11Forwarding=no"
fi
if [ "$TCP_FORWARDING" == "false" ]; then
CONFIG_TCP_FORWARDING="-o AllowTcpForwarding=no"
else
CONFIG_TCP_FORWARDING="-o AllowTcpForwarding=yes"
fi
if [ "$AGENT_FORWARDING" == "false" ]; then
CONFIG_AGENT_FORWARDING="-o AllowAgentForwarding=no"
else
CONFIG_AGENT_FORWARDING="-o AllowAgentForwarding=yes"
fi
# Connection limits, timeouts and thresholds
if [ -n "$CLIENT_ALIVE_COUNT_MAX" ]; then
CONFIG_CLIENT_ALIVE_COUNT_MAX="-o ClientAliveCountMax=$CLIENT_ALIVE_COUNT_MAX"
else
CONFIG_CLIENT_ALIVE_COUNT_MAX=""
fi
if [ -n "$CLIENT_ALIVE_INTERVAL" ]; then
CONFIG_CLIENT_ALIVE_INTERVAL="-o ClientAliveInterval=$CLIENT_ALIVE_INTERVAL"
else
CONFIG_CLIENT_ALIVE_INTERVAL=""
fi
if [ "$TCP_KEEP_ALIVE" = "false" ]; then
CONFIG_TCP_KEEP_ALIVE="-o TCPKeepAlive=no"
else
CONFIG_TCP_KEEP_ALIVE="-o TCPKeepAlive=yes"
fi
# Debug level from 1 to 3
if [ $DEBUG_LEVEL = "1" ]; then
CONFIG_DEBUG_LEVEL="-d"
elif [ $DEBUG_LEVEL = "2" ]; then
CONFIG_DEBUG_LEVEL="-dd"
elif [ $DEBUG_LEVEL = "3" ]; then
CONFIG_DEBUG_LEVEL="-ddd"
else
CONFIG_DEBUG_LEVEL=""
fi
# LogLevel
if [ -n "$LOG_LEVEL" ]; then
CONFIG_LOG_LEVEL="-o LogLevel=$LOG_LEVEL"
else
CONFIG_LOG_LEVEL=""
fi
# Generate keys if they don't exist
if [ ! -f "$HOST_KEYS_PATH/ssh_host_rsa_key" ]; then
/usr/bin/ssh-keygen -A -f "$HOST_KEYS_PATH_PREFIX"
fi
if [ -n "$LISTEN_ADDRESS" ]; then
CONFIG_LISTEN_ADDRESS="-o ListenAddress=$LISTEN_ADDRESS"
else
CONFIG_LISTEN_ADDRESS="-o ListenAddress=0.0.0.0"
fi
if [ -n "$LISTEN_PORT" ]; then
CONFIG_LISTEN_PORT="-o Port=$LISTEN_PORT"
else
CONFIG_LISTEN_PORT="-o Port=22"
fi
/usr/sbin/sshd -D -e -4 \
$CONFIG_DEBUG_LEVEL \
-o "HostKey=$HOST_KEYS_PATH/ssh_host_rsa_key" \
-o "HostKey=$HOST_KEYS_PATH/ssh_host_ecdsa_key" \
-o "HostKey=$HOST_KEYS_PATH/ssh_host_ed25519_key" \
-o "PasswordAuthentication=no" \
-o "PermitEmptyPasswords=no" \
-o "PermitRootLogin=no" \
-o "AllowGroups=$BASTION_GROUP" \
$CONFIG_PUBKEY_AUTHENTICATION \
$CONFIG_AUTHORIZED_KEYS \
$CONFIG_GATEWAY_PORTS \
$CONFIG_PERMIT_TUNNEL \
$CONFIG_X11_FORWARDING \
$CONFIG_AGENT_FORWARDING \
$CONFIG_TCP_FORWARDING \
$CONFIG_TRUSTED_USER_CA_KEYS \
$CONFIG_AUTHORIZED_PRINCIPALS_FILE \
$CONFIG_CLIENT_ALIVE_COUNT_MAX \
$CONFIG_CLIENT_ALIVE_INTERVAL \
$CONFIG_TCP_KEEP_ALIVE \
$CONFIG_LOG_LEVEL \
$CONFIG_LISTEN_ADDRESS \
$CONFIG_LISTEN_PORT