Compare commits
1 Commits
master
...
00cc59e8e9
| Author | SHA1 | Date | |
|---|---|---|---|
| 00cc59e8e9 |
@@ -14,9 +14,6 @@ Ex:
|
|||||||
|
|
||||||
`SSH_USERS=myuser:1000:1000,anotheruser:1001:1001`
|
`SSH_USERS=myuser:1000:1000,anotheruser:1001:1001`
|
||||||
|
|
||||||
### ENV variables `YUBICO_API_ID`, `YUBICO_API_KEY`
|
|
||||||
Get API ID and Key from here: [here](https://upgrade.yubico.com/getapikey/)
|
|
||||||
|
|
||||||
### Key files
|
### Key files
|
||||||
|
|
||||||
The directory mapped to `/conf.d/authorized_keys` contain files for authorized_keys, authorized yubikeys and ssh config.
|
The directory mapped to `/conf.d/authorized_keys` contain files for authorized_keys, authorized yubikeys and ssh config.
|
||||||
@@ -31,4 +28,6 @@ The format of the `.yubi` file is your username followed by a list of the first
|
|||||||
myuser:cccccccgklgc:ccccccclabca:
|
myuser:cccccccgklgc:ccccccclabca:
|
||||||
```
|
```
|
||||||
|
|
||||||
# [The rest of my docker-compose setup](/thomas/docker-server/)
|
# Related setup
|
||||||
|
|
||||||
|
[Router and such](/docker-server/)
|
||||||
@@ -1,7 +1,6 @@
|
|||||||
FROM hermsi/alpine-sshd:latest
|
FROM hermsi/alpine-sshd:latest
|
||||||
|
|
||||||
RUN apk add --upgrade --no-cache \
|
RUN apk add --no-cache \
|
||||||
openssh \
|
|
||||||
openssh-server-pam \
|
openssh-server-pam \
|
||||||
yubico-pam \
|
yubico-pam \
|
||||||
google-authenticator \
|
google-authenticator \
|
||||||
|
|||||||
@@ -43,7 +43,7 @@ ensure_mod() {
|
|||||||
G_ID="${4}"
|
G_ID="${4}"
|
||||||
|
|
||||||
chmod "${MOD}" "${FILE}"
|
chmod "${MOD}" "${FILE}"
|
||||||
chown "${U_ID}":"${G_ID}" "${FILE}"
|
chown "${U_ID}"."${G_ID}" "${FILE}"
|
||||||
}
|
}
|
||||||
|
|
||||||
generate_passwd() {
|
generate_passwd() {
|
||||||
@@ -212,15 +212,10 @@ fi
|
|||||||
# ADDED
|
# ADDED
|
||||||
#############################################
|
#############################################
|
||||||
|
|
||||||
if [[ -n "${YUBICO_API_ID}" ]]; then
|
|
||||||
sed -i "s/#ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
|
sed -i "s/#ChallengeResponseAuthentication.*/ChallengeResponseAuthentication yes/" /etc/ssh/sshd_config
|
||||||
sed -i "s/#UsePAM.*/UsePAM yes/" /etc/ssh/sshd_config
|
sed -i "s/#UsePAM.*/UsePAM yes/" /etc/ssh/sshd_config
|
||||||
|
|
||||||
if ! grep -Fxq "auth sufficient pam_yubico.sh" /etc/pam.d/sshd; then
|
echo "auth sufficient pam_yubico.so id=16 debug" >> /etc/pam.d/sshd
|
||||||
echo "auth [success=done default=bad] pam_yubico.so id=${YUBICO_API_ID} key=${YUBICO_API_KEY}" >> /etc/pam.d/sshd
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
#############################################
|
#############################################
|
||||||
# END OF ADDITION
|
# END OF ADDITION
|
||||||
@@ -229,4 +224,4 @@ fi
|
|||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
# do not detach (-D), log to stderr (-e), passthrough other arguments
|
# do not detach (-D), log to stderr (-e), passthrough other arguments
|
||||||
exec /usr/sbin/sshd.pam -D -e "$@"
|
exec /usr/sbin/sshd -D -e "$@"
|
||||||
@@ -1,3 +1,5 @@
|
|||||||
|
version: "3"
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
web:
|
web:
|
||||||
external: true
|
external: true
|
||||||
@@ -10,8 +12,6 @@ services:
|
|||||||
web:
|
web:
|
||||||
environment:
|
environment:
|
||||||
SSH_USERS:
|
SSH_USERS:
|
||||||
YUBICO_API_ID:
|
|
||||||
YUBICO_API_KEY:
|
|
||||||
volumes:
|
volumes:
|
||||||
- ./authorized_keys:/conf.d/authorized_keys
|
- ./authorized_keys:/conf.d/authorized_keys
|
||||||
- ./ssh:/etc/ssh
|
- ./ssh:/etc/ssh
|
||||||
|
|||||||
Reference in New Issue
Block a user