Merge pull request rucio#138 from rak108/GSOC-2021

SSH Docker Container

dev/Dockerfile

@@ -27,6 +27,7 @@ RUN yum -y install epel-release && \
     yum -y install gcc httpd mod_ssl mod_auth_kerb python-setuptools python-pip python36u-pip python36-devel \
             python36-mod_wsgi python36-m2crypto gmp-devel krb5-devel git openssl-devel gridsite which libaio memcached \
             nmap-ncat gfal2-all gfal2-util gfal2-python3 fts-rest-cli xrootd-client multitail vim libxml2-devel \
+            openssh-clients \
             xmlsec1-devel xmlsec1-openssl-devel libtool-ltdl-devel && \
     yum clean all && \
     rm -rf /var/cache/yum
@@ -77,10 +78,13 @@ COPY 00-mpm.conf /etc/httpd/conf.modules.d/00-mpm.conf
 COPY httpd.conf /etc/httpd/conf/httpd.conf
 COPY rucio.conf /etc/httpd/conf.d/rucio.conf
 COPY certs/usercert.pem certs/userkey.pem certs/usercertkey.pem $RUCIOHOME/etc/
-RUN chmod 0400 $RUCIOHOME/etc/userkey.pem
+RUN chmod 0400 $RUCIOHOME/etc/userkey.pem && mkdir /root/.ssh && \
+    chmod 700 /root/.ssh
 
 COPY certs/hostcert_rucio.pem /etc/grid-security/hostcert.pem
 COPY certs/hostcert_rucio.key.pem /etc/grid-security/hostkey.pem
+COPY certs/ssh/ruciouser_sshkey.pub /root/.ssh/ruciouser_sshkey.pub
+COPY certs/ssh/ruciouser_sshkey /root/.ssh/ruciouser_sshkey
 RUN chmod 0400 /etc/grid-security/hostkey.pem && \
     chmod 777 /var/log/rucio/trace && \
     rm -rf $RUCIOHOME/tools && \
@@ -108,5 +112,6 @@ RUN rm -r /tmp/rucio && \
 EXPOSE 443
 
 ENV PATH $PATH:$RUCIOHOME/bin
-
+RUN chmod 0600 /root/.ssh/ruciouser_sshkey && \
+    chmod 0644 /root/.ssh/ruciouser_sshkey.pub
 CMD ["httpd","-D","FOREGROUND"]

dev/certs/ssh/ruciouser_sshkey

@@ -0,0 +1,27 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAQEA3PzQJVs/f2pVlY8TEBLwuZ1uHAbFwMSFKDf59/L2hifgWUbeD2HK
+iT6CQJDInvyvyQuNc9uWnMWAUxC6x7/KYuc7Ro1HZdQEuNx0xC9CWrhs32+Aj0HO59qHyY
+UHf6r1t6HwDjWXpu6WIw+SWlLDx6u3uZXh56GGS+wVGuQqsPML9k77jF5wKiAt9F0xueI7
+XXfSyZXtO76QugZTxAkaRqfglxy/gagH1cxBK5+Nw7WjeXZZtGZyAjAmyVD83VHuIGPnMB
+xpe70bhiwo9yW/vOAe2mTo2Uqv00mDfxgPAjs8/gCgZvUiGVXRQgqyYULjo3/oG4RQH4nX
+lJHBKN/7IwAAA8AgOIDKIDiAygAAAAdzc2gtcnNhAAABAQDc/NAlWz9/alWVjxMQEvC5nW
+4cBsXAxIUoN/n38vaGJ+BZRt4PYcqJPoJAkMie/K/JC41z25acxYBTELrHv8pi5ztGjUdl
+1AS43HTEL0JauGzfb4CPQc7n2ofJhQd/qvW3ofAONZem7pYjD5JaUsPHq7e5leHnoYZL7B
+Ua5Cqw8wv2TvuMXnAqIC30XTG54jtdd9LJle07vpC6BlPECRpGp+CXHL+BqAfVzEErn43D
+taN5dlm0ZnICMCbJUPzdUe4gY+cwHGl7vRuGLCj3Jb+84B7aZOjZSq/TSYN/GA8COzz+AK
+Bm9SIZVdFCCrJhQuOjf+gbhFAfideUkcEo3/sjAAAAAwEAAQAAAQB75iKtTyOixHOHjtgZ
+QwVEjEeX3xQwp/4gNoInykj9no3igCEwbpunpyxQFtzkhrfn+FougwdGjlUMPWz7YUSPfy
+V0wPEu3lhnbPLqq7SAOLaR72oc58ChrZxEGBnEMo3hjyGQVevY5Bu5PJnJmm26HUS9AJPP
+0ngBSTPsB9EHs7JirfnjZOuTMx79QE8Y5+gbJEnma5nETU4DUR52e68joStreVabgb0Zl+
+gkKtr6DXav/jD5sOTxPMAUjnw7WC4Sx4pkS112JwJAiNZsnBgTrhq2G2zQNS+Mz1I9WGeO
+Yjdsv3Q5sM9dsZN5xV3tbFdOPGkVMP8SAroqTszPlpOBAAAAgGR2mtRBNGOrPcXIg/sW6s
+ZDABbtvCAsP7cLA3VQzPD3ah6p+cIDWKR5jbD95oXIDwi6oDMa7EBjQQnuC5W76igKHImO
+kxhYot30C1TlzePufJrZx+NLcb9aIMPZy82hukKgppjJR28EOaVzgNWcLc9h5cPRhi43hO
+O21g+tjaH7AAAAgQDu4LiVXeWTCCACACKbJwl0Nn4HwTVXO9UJ2yKiTOU2QsX+0CZoNFt4
+o/famsxhxJo/b/kVF8XYClcjon3r9PbfyV+Sdl489QXZDiw6V0X8Mk+8risFkE57OLIGsq
+UQ7GIfrPFIHzzd4WtacOc0G3lXvPBcW/TR7fqfQuL0QwoBmQAAAIEA7NPQuVTiGjg/slVT
+3Ms0Lfc7+ThF1LRW3d8slbYNY7ag9Hjz/E4wPaDSqSSeVtL10aI6/W++/NSqdnZfBCGRHG
+u2Q11YuGpezV5W1VZzbygzbOaRX+NAUVmqgBw/AvFiPicnThKC+XxMcQ1+9bKR8ZpJYLVK
+WXEkkOfjJMAiUBsAAAAIc3NoIGtleXMBAgM=
+-----END OPENSSH PRIVATE KEY-----

dev/certs/ssh/ruciouser_sshkey.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc/NAlWz9/alWVjxMQEvC5nW4cBsXAxIUoN/n38vaGJ+BZRt4PYcqJPoJAkMie/K/JC41z25acxYBTELrHv8pi5ztGjUdl1AS43HTEL0JauGzfb4CPQc7n2ofJhQd/qvW3ofAONZem7pYjD5JaUsPHq7e5leHnoYZL7BUa5Cqw8wv2TvuMXnAqIC30XTG54jtdd9LJle07vpC6BlPECRpGp+CXHL+BqAfVzEErn43DtaN5dlm0ZnICMCbJUPzdUe4gY+cwHGl7vRuGLCj3Jb+84B7aZOjZSq/TSYN/GA8COzz+AKBm9SIZVdFCCrJhQuOjf+gbhFAfideUkcEo3/sj ssh keys

ssh/Dockerfile

@@ -0,0 +1,24 @@
+FROM centos:7
+
+# Install OpenSSH
+RUN yum install -y epel-release.noarch
+RUN yum upgrade -y
+RUN yum -y install openssh-server openssh-clients sudo  python3-pip && \
+    pip3 install -U dumb-init
+RUN yum clean all && \
+    rm -rf /var/cache/yum
+
+# Server config
+RUN /usr/bin/ssh-keygen -A && \
+    echo '' > /tmp/sshkey.pub
+COPY sshd_config /etc/ssh/sshd_config
+
+# Create storage area
+RUN mkdir /rucio /root/.ssh && \
+    echo '' > /root/.ssh/authorized_keys
+
+# Startup
+EXPOSE 22
+ADD docker-entrypoint.sh /
+ENTRYPOINT ["/usr/local/bin/dumb-init", "--"] 
+CMD ["/bin/bash", "/docker-entrypoint.sh"]

ssh/docker-entrypoint.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+echo "Starting sshd service.."
+cp /tmp/sshkey.pub /root/.ssh/authorized_keys
+chown root:root /root/.ssh/authorized_keys && chmod 0600 /root/.ssh/authorized_keys
+echo '======== /etc/ssh/sshd_config ========'
+cat /etc/ssh/sshd_config
+echo '=========================================='
+exec /usr/sbin/sshd -D

ssh/sshd_config

@@ -0,0 +1,78 @@
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+
+PubkeyAuthentication yes
+AuthorizedKeysFile     /root/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes