diff --git a/Dockerfile b/Dockerfile
index 09e82d4..e29a90d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,12 +1,11 @@
 FROM alpine
 MAINTAINER Anil Madhavapeddy
-RUN apk update && apk add openssh && \
- apk add --update --repository http://dl-cdn.alpinelinux.org/alpine/edge/community/ tini
+RUN apk update && apk add openssh socat
 RUN mkdir /root/.ssh && \
- chmod 700 /root/.ssh && \
- ssh-keygen -A
-COPY ssh-find-agent.sh /root/ssh-find-agent.sh
+ chmod 700 /root/.ssh
+COPY ssh-forward-agent.sh /root/ssh-forward-agent.sh
+COPY docker-entrypoint.sh /
 EXPOSE 22
-VOLUME ["/root/.ssh/authorized_keys"]
-ENTRYPOINT ["/usr/bin/tini","--"]
+VOLUME ["/ssh-agent"]
+ENTRYPOINT ["/docker-entrypoint.sh"]
 CMD ["/usr/sbin/sshd","-D"]
diff --git a/Makefile b/Makefile
index 49c0488..038f634 100644
--- a/Makefile
+++ b/Makefile
@@ -10,7 +10,7 @@ install:
 @mkdir -p $(PREFIX)/share/pinata-ssh-agent
 cp Dockerfile $(PREFIX)/share/pinata-ssh-agent
 cp ssh-build.sh $(PREFIX)/share/pinata-ssh-agent/ssh-build
- cp ssh-find-agent.sh $(PREFIX)/share/pinata-ssh-agent/ssh-find-agent.sh
+ cp ssh-forward-agent.sh $(PREFIX)/share/pinata-ssh-agent/ssh-forward-agent.sh
 @mkdir -p $(BINDIR)
 cp pinata-build-sshd.sh $(BINDIR)/pinata-build-sshd
 cp pinata-ssh-forward.sh $(BINDIR)/pinata-ssh-forward
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100755
index 0000000..f55b510
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -e
+
+echo $AUTHORIZED_KEYS | base64 -d >/root/.ssh/authorized_keys
+chown root:root /root/.ssh/authorized_keys
+
+ssh-keygen -A
+
+exec "$@"
diff --git a/pinata-build-sshd.sh b/pinata-build-sshd.sh
index 23e9a85..99b6e0d 100755
--- a/pinata-build-sshd.sh
+++ b/pinata-build-sshd.sh
@@ -1,4 +1,3 @@
 #!/bin/sh
-cd /usr/local/share/pinata-ssh-agent
 docker build -t pinata-sshd .
diff --git a/pinata-ssh-forward.sh b/pinata-ssh-forward.sh
index 4b236d4..f99fa03 100755
--- a/pinata-ssh-forward.sh
+++ b/pinata-ssh-forward.sh
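Review bot: The new `RUN apk update && apk add openssh socat` line installs unpinned packages and leaves the apk index inside the layer; `RUN apk add --no-cache openssh socat` (ideally with `pkg=version` pins) drops the index and makes the image reproducible, which matters more here because the untagged `FROM alpine` it sits under already floats. Moving `ssh-keygen -A` out of the build and into the entrypoint means host keys are regenerated on every container start, and nothing in the Dockerfile says so; a comment on the new `ENTRYPOINT` line such as `# host keys and authorized_keys are generated at start-up by docker-entrypoint.sh` would stop the next reader from putting key generation back into the image. The same unpinned-package point does not recur elsewhere in this commit.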
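Review bot: `echo $AUTHORIZED_KEYS | base64 -d >/root/.ssh/authorized_keys` runs with no check that the variable is set, so a container started without `-e AUTHORIZED_KEYS` silently gets an empty authorized_keys and an sshd nobody can log into; add `: "${AUTHORIZED_KEYS:?AUTHORIZED_KEYS (base64 authorized_keys) must be set}"` before it so the failure is loud. The expansion should also be quoted, `printf '%s\n' "$AUTHORIZED_KEYS" | base64 -d >/root/.ssh/authorized_keys`, so a value containing glob or whitespace characters is not altered by the shell before decoding. A header comment stating the contract — `AUTHORIZED_KEYS` is the base64 of an authorized_keys file, host keys are generated fresh on each start, and the script execs the sshd command passed as `CMD` — would document the new interface between this script and pinata-ssh-forward.sh.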
@@ -1,25 +1,39 @@
-#!/bin/sh -e
+#!/bin/sh
+set -e
 IMAGE_NAME=pinata-sshd
 CONTAINER_NAME=pinata-sshd
-LOCAL_STATE=~/.pinata-sshd
-LOCAL_PORT=2244
+VOLUME_NAME=ssh-agent
+HOST_PORT=2244
+AUTHORIZED_KEYS=$(ssh-add -L | base64 | tr -d '\n')
+KNOWN_HOSTS_FILE=$(mktemp -t dsaf.XXX)
+
+trap "rm ${KNOWN_HOSTS_FILE}" EXIT
 docker rm -f ${CONTAINER_NAME} >/dev/null 2>&1 || true
-rm -rf ${LOCAL_STATE}
-mkdir -p ${LOCAL_STATE}
+
+docker volume create --name ${VOLUME_NAME}
 docker run --name ${CONTAINER_NAME} \
- -v ~/.ssh/id_rsa.pub:/root/.ssh/authorized_keys \
- -v ${LOCAL_STATE}:/tmp \
- -d -p ${LOCAL_PORT}:22 ${IMAGE_NAME} > /dev/null
+ -e AUTHORIZED_KEYS="${AUTHORIZED_KEYS}" \
+ -v ${VOLUME_NAME}:/ssh-agent \
+ -d -p ${HOST_PORT}:22 ${IMAGE_NAME} > /dev/null
+
+if [ "${DOCKER_HOST}" ]; then
+ HOST_IP=$(echo $DOCKER_HOST | awk -F '//' '{print $2}' | awk -F ':' '{print $1}')
+else
+ HOST_IP=127.0.0.1
+fi
+
+# FIXME Find a way to get rid of this additional 1s wait
+sleep 1
+while [ 1 ] && ! nc -z -w5 ${HOST_IP} ${HOST_PORT}; do sleep 0.1; done
-IP=`docker inspect --format '{{(index (index .NetworkSettings.Ports "22/tcp") 0).HostIp }}' ${CONTAINER_NAME}`
-ssh-keyscan -p ${LOCAL_PORT} ${IP} > ${LOCAL_STATE}/known_hosts 2>/dev/null
+ssh-keyscan -p ${HOST_PORT} ${HOST_IP} > ${KNOWN_HOSTS_FILE} 2>/dev/null
-ssh -f -o "UserKnownHostsFile=${LOCAL_STATE}/known_hosts" \
- -A -p ${LOCAL_PORT} root@${IP} \
- /root/ssh-find-agent.sh
+ssh -f -o "UserKnownHostsFile=${KNOWN_HOSTS_FILE}" \
+ -A -p ${HOST_PORT} root@${HOST_IP} \
+ /root/ssh-forward-agent.sh
 echo 'Agent forwarding successfully started.'
 echo 'Run "pinata-ssh-mount" to get a command-line fragment that'
diff --git a/pinata-ssh-mount.sh b/pinata-ssh-mount.sh
index 9835091..3a70aae 100755
--- a/pinata-ssh-mount.sh
+++ b/pinata-ssh-mount.sh
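Review bot: The `HOST_IP` derivation from `DOCKER_HOST` assumes a `tcp://host:port` URL; for a `unix:///var/run/docker.sock` value the two awk calls yield `/var/run/docker.sock`, and the `while [ 1 ] && ! nc -z …` loop below then spins forever because it has no upper bound. A `case` on the URL scheme fixes the parsing, counting attempts in the wait loop turns an sshd that never starts into an error instead of a hang, and `[ 1 ]` in the loop condition is always true and can go. `AUTHORIZED_KEYS=$(ssh-add -L | base64 | tr -d '\n')` also cannot fail under `set -e` because the pipeline's status is `tr`'s, so if the agent holds no identities ssh-add's message (on common builds, `The agent has no identities.`) is what gets encoded and shipped as the authorized_keys content; a guard such as `ssh-add -L >/dev/null || { echo 'no identities loaded in the agent' >&2; exit 1; }` before the assignment would catch that.
```shell
# … unchanged: variable set-up, trap, docker rm, docker volume create, docker run …
case "${DOCKER_HOST}" in
    tcp://*) HOST_IP=$(echo "${DOCKER_HOST#tcp://}" | awk -F ':' '{print $1}') ;;
    *)       HOST_IP=127.0.0.1 ;;
esac

# Poll until sshd accepts connections, but give up (roughly 10s) instead of hanging.
attempts=0
until nc -z -w5 "${HOST_IP}" "${HOST_PORT}"; do
    attempts=$((attempts + 1))
    if [ "${attempts}" -ge 100 ]; then
        echo "sshd did not come up on ${HOST_IP}:${HOST_PORT}" >&2
        exit 1
    fi
    sleep 0.1
done
# … unchanged: ssh-keyscan, ssh -f, status echoes …
```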
@@ -1,5 +1,4 @@
 #!/bin/sh
-LOCAL_STATE=~/.pinata-sshd
-AGENT=`cat ${LOCAL_STATE}/agent_socket_path | sed -e 's,/tmp/,,g'`
-echo "-v ${LOCAL_STATE}/$AGENT:/tmp/ssh-agent.sock --env SSH_AUTH_SOCK=/tmp/ssh-agent.sock"
+echo "--volume=ssh-agent:/ssh-agent"
+echo "--env=SSH_AUTH_SOCK=/ssh-agent/ssh-agent.sock"
diff --git a/ssh-find-agent.sh b/ssh-find-agent.sh
deleted file mode 100755
index 9dfb677..0000000
--- a/ssh-find-agent.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh -e
-# Log the location of the SSH agent to a file
-
-finish() {
- rm -f /tmp/agent_socket_path
-}
-trap finish EXIT
-echo $SSH_AUTH_SOCK > /tmp/agent_socket_path
-tail -f /dev/null
diff --git a/ssh-forward-agent.sh b/ssh-forward-agent.sh
new file mode 100755
index 0000000..0022f40
--- /dev/null
+++ b/ssh-forward-agent.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -e
+# Forward SSH agent socket to a well-known location
+FORWARDED_SOCKET=/ssh-agent/ssh-agent.sock
+
+rm -f ${FORWARDED_SOCKET}
+socat UNIX-LISTEN:${FORWARDED_SOCKET},fork,mode=777 UNIX-CONNECT:${SSH_AUTH_SOCK}
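Review bot: `socat UNIX-LISTEN:${FORWARDED_SOCKET},fork,mode=777 UNIX-CONNECT:${SSH_AUTH_SOCK}` relies on `SSH_AUTH_SOCK` being set by the `ssh -A` session that launches this script, and when it is not (ssh run without `-A`, or no agent on the client side) socat fails with an unhelpful `UNIX-CONNECT:` error; add `: "${SSH_AUTH_SOCK:?SSH_AUTH_SOCK is not set; was ssh run with -A?}"` before the `rm -f`. `mode=777` is the security-relevant decision in this file and deserves a why-comment: it is what lets a consumer container running as any UID connect, and it also means every container that mounts the `ssh-agent` volume gets full use of every identity loaded in the host agent, e.g. `# world-accessible on purpose: consumer containers run as arbitrary UIDs; anything that mounts /ssh-agent can use the host agent`. A one-line note that `rm -f` clears a stale socket left by a previous run and that `fork` is what allows more than one client at a time would complete the documentation of the new file.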