Customize sshd with sshd config.d (#525)

* Update OpenSSH server image version and add no penalties configuration

* Refactor SSH configuration paths and update test scripts for public key handling

* Update Docker Compose volumes to remove read-only flag for shared directory

* Remove end-to-end test files and related Docker configuration for CA public cert authentication

CONTRIBUTING.md

@@ -33,7 +33,7 @@ SSHPIPERD_DEBUG=1 docker-compose up --force-recreate --build -d
 you will have two sshd:
 
  * `host-password:2222`: a password only sshd server (user: `user`, password: `pass`)
- * `host-publickey:2222`: a public key only sshd server (put your public key in `/sshconfig_publickey/.config/authorized_keys`)
+ * `host-publickey:2222`: a public key only sshd server (put your public key in `/publickey_authorized_keys/authorized_keys`)
 
 more settings: <https://github.com/linuxserver/docker-openssh-server>
 

e2e/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3.4'
 
 services:
   host-password:
-    image: lscr.io/linuxserver/openssh-server:9.7_p1-r4-ls184
+    image: lscr.io/linuxserver/openssh-server:9.9_p1-r2-ls190
     environment:
       - PASSWORD_ACCESS=true
       - USER_PASSWORD=pass
@@ -15,13 +15,13 @@ services:
       - sshpiper.network=e2e_default
     volumes:
       - shared:/shared
-      - sshconfig_password:/config
+      - ./sshdconfig/no_penalties.conf:/config/sshd/sshd_config.d/no_penalties.conf:ro
     networks:
       - default
       - netdistract
 
   host-publickey:
-    image: lscr.io/linuxserver/openssh-server:9.7_p1-r4-ls184
+    image: lscr.io/linuxserver/openssh-server:9.9_p1-r2-ls190
     environment:
       - USER_NAME=user
       - LOG_STDOUT=true
@@ -31,18 +31,20 @@ services:
       - sshpiper.authorized_keys=c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSU5SR1RIMzI1ckRVcDEydHBsd3VrSG1SOHl0YkM5VFBaODg2Z0NzdHluUDEgdGVzdEB0ZXN0Cg==
       - sshpiper.private_key=LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUFNd0FBQUF0emMyZ3RaVwpReU5UVXhPUUFBQUNEVVJreDk5dWF3MUtkZHJhWmNMcEI1a2ZNcld3dlV6MmZQT29BckxjcHo5UUFBQUpDK2owK1N2bzlQCmtnQUFBQXR6YzJndFpXUXlOVFV4T1FBQUFDRFVSa3g5OXVhdzFLZGRyYVpjTHBCNWtmTXJXd3ZVejJmUE9vQXJMY3B6OVEKQUFBRURjUWdkaDJ6MnIvNmJscTB6aUoxbDZzNklBWDhDKzlRSGZBSDkzMWNITk85UkdUSDMyNXJEVXAxMnRwbHd1a0htUgo4eXRiQzlUUFo4ODZnQ3N0eW5QMUFBQUFEV0p2YkdsaGJrQjFZblZ1ZEhVPQotLS0tLUVORCBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0K
     volumes:
-      - shared:/shared      
-      - sshconfig_publickey:/config
+      - shared:/shared
+      - publickey_authorized_keys:/config/.ssh/
+      - ./sshdconfig/no_penalties.conf:/config/sshd/sshd_config.d/no_penalties.conf:ro
 
   host-capublickey:
-    build: ./cahost
-    labels:
-      - sshpiper.port=2222
-      - sshpiper.network=e2e_default
+    image: lscr.io/linuxserver/openssh-server:9.9_p1-r2-ls190
+    environment:
+      - USER_NAME=ca_user
+      - LOG_STDOUT=true
     volumes:
       - shared:/shared
-    networks:
-      - default
+      - ./sshdconfig/no_penalties.conf:/config/sshd/sshd_config.d/no_penalties.conf:ro
+      - ./sshdconfig/trusted-ca.conf:/config/sshd/sshd_config.d/trusted-ca.conf:ro
+      - ./sshdconfig/trusted-ca.pub:/config/sshd/trusted-ca.pub:ro
 
 
   host-k8s-proxy:
@@ -95,8 +97,7 @@ services:
     volumes:
       - ..:/src
       - shared:/shared
-      - sshconfig_publickey:/sshconfig_publickey
-      - sshconfig_password:/sshconfig_password
+      - publickey_authorized_keys:/publickey_authorized_keys
       - /var/run/docker.sock:/var/run/docker.sock
       - kubeconfig:/root/.kube:ro
     command: ["./e2eentry.sh"]
@@ -121,9 +122,7 @@ volumes:
       type: tmpfs
       device: tmpfs
 
-  sshconfig_publickey:
-
-  sshconfig_password:
+  publickey_authorized_keys:
 
   kubeconfig:
 

e2e/docker_test.go

@@ -72,7 +72,7 @@ func TestDocker(t *testing.T) {
 			t.Errorf("failed to write to test key: %v", err)
 		}
 
-		if err := os.WriteFile("/sshconfig_publickey/.ssh/authorized_keys", []byte(`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINRGTH325rDUp12tplwukHmR8ytbC9TPZ886gCstynP1`), 0400); err != nil {
+		if err := os.WriteFile("/publickey_authorized_keys/authorized_keys", []byte(`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINRGTH325rDUp12tplwukHmR8ytbC9TPZ886gCstynP1`), 0400); err != nil {
 			t.Errorf("failed to write to authorized_keys: %v", err)
 		}
 

e2e/e2eentry.sh

@@ -4,11 +4,6 @@ set -x
 # use entrypoint.sh to generate the ssh_host_ed25519_key
 PLUGIN="dummy_badname/" bash /sshpiperd/entrypoint.sh 2>/dev/null
 
-# Create an ssh key pair and then sign the public key with the ca cert
-chmod 600 cahost/ca
-ssh-keygen -t ssh-ed25519 -f /etc/ssh/ssh_user -N ""
-ssh-keygen -s cahost/ca -I ssh_user -n client_123 /etc/ssh/ssh_user.pub
-
 if [ "${SSHPIPERD_DEBUG}" == "1" ]; then
     echo "enter debug on hold mode"
     echo "run [docker exec -ti e2e_testrunner_1 bash] to run to attach"

e2e/k8sworkload.yaml

@@ -255,7 +255,7 @@ stringData:
     8ytbC9TPZ886gCstynP1AAAADWJvbGlhbkB1YnVudHU=
     -----END OPENSSH PRIVATE KEY-----    
   ssh-publickey-cert: |
-    [email protected] AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIMIr7E6Il5fvTpixHHDCszKhlRbzXrB0fnWtxYAYdyVlAAAAINRGTH325rDUp12tplwukHmR8ytbC9TPZ886gCstynP1AAAAAAAAAAAAAAABAAAAC2s4c2UyZV90ZXN0AAAADgAAAApjbGllbnRfMTIzAAAAAAAAAAD//////////wAAAAAAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIJrzCeQ3a+m8PnA/KUmK+JAfC1tM7SG2gkGmW29nXj1nAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEDICm0JT8fakTkWTRjDtbjjMx0dUrvGvPb+Qzi2592/39CqBj8cEqZAF/DesCJhKmO+hyN4jDxTcKPhPM0y2/sH
+    [email protected] AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIAf6qglkclnZFuSIlW4ClXcwq+SCYJn7rCYcUpbVVaKrAAAAINRGTH325rDUp12tplwukHmR8ytbC9TPZ886gCstynP1AAAAAAAAAAAAAAABAAAACHNzaF91c2VyAAAACwAAAAdjYV91c2VyAAAAAAAAAAD//////////wAAAAAAAACCAAAAFXBlcm1pdC1YMTEtZm9yd2FyZGluZwAAAAAAAAAXcGVybWl0LWFnZW50LWZvcndhcmRpbmcAAAAAAAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIJrzCeQ3a+m8PnA/KUmK+JAfC1tM7SG2gkGmW29nXj1nAAAAUwAAAAtzc2gtZWQyNTUxOQAAAECM8mKjWLhTKmhj4sb6r0CVaTz/vO8oy1o/7OzmQyUMMa1ex4mo+HB3RHa5eUGOdcFAJu6O8r6GBEah+O0maH8A
 kind: Secret
 metadata:
   name: host-publickey-key-ca
@@ -271,7 +271,7 @@ spec:
     authorized_keys_file: /files/authorized_keys
   to:
     host: host-capublickey:2222
-    username: "client_123"
+    username: "ca_user"
     private_key_secret:
       name: host-publickey-key-ca
     ignore_hostkey: true

e2e/kubernetes_test.go

@@ -56,7 +56,7 @@ func TestKubernetes(t *testing.T) {
 				t.Errorf("failed to write to test key: %v", err)
 			}
 
-			if err := os.WriteFile("/sshconfig_publickey/.ssh/authorized_keys", []byte(`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINRGTH325rDUp12tplwukHmR8ytbC9TPZ886gCstynP1`), 0400); err != nil {
+			if err := os.WriteFile("/publickey_authorized_keys/authorized_keys", []byte(`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINRGTH325rDUp12tplwukHmR8ytbC9TPZ886gCstynP1`), 0400); err != nil {
 				t.Errorf("failed to write to authorized_keys: %v", err)
 			}
 

e2e/sshdconfig/no_penalties.conf

@@ -0,0 +1 @@
+PerSourcePenaltyExemptList 0.0.0.0/0

e2e/sshdconfig/trusted-ca.conf

@@ -0,0 +1 @@
+TrustedUserCAKeys /config/sshd/trusted-ca.pub

e2e/workingdir_test.go

@@ -188,7 +188,7 @@ func TestWorkingDirectory(t *testing.T) {
 			if err := runCmdAndWait(
 				"/bin/cp",
 				path.Join(userdir, "id_rsa.pub"),
-				"/sshconfig_publickey/.ssh/authorized_keys",
+				"/publickey_authorized_keys/authorized_keys",
 			); err != nil {
 				t.Errorf("failed to copy public key: %v", err)
 			}

e2e/yaml_test.go

@@ -129,7 +129,7 @@ func TestYaml(t *testing.T) {
 		if err := runCmdAndWait(
 			"/bin/cp",
 			path.Join(yamldir, "id_rsa.pub"),
-			"/sshconfig_publickey/.ssh/authorized_keys",
+			"/publickey_authorized_keys/authorized_keys",
 		); err != nil {
 			t.Errorf("failed to copy public key: %v", err)
 		}