From 016b451d61b4fd238543c9d6065a10d541428e14 Mon Sep 17 00:00:00 2001
From: busti
Date: Thu, 4 Feb 2021 03:02:57 +0100
Subject: [PATCH] initial commit
---
 Dockerfile | 41 +++++++++++++++++++++++++++++++++++++++++
 common-auth | 25 +++++++++++++++++++++++++
 common-session | 28 ++++++++++++++++++++++++++++
 nsswitch.conf | 21 +++++++++++++++++++++
 skel/readme.md | 1 +
 sssd.conf | 39 +++++++++++++++++++++++++++++++++++++++
 startup.sh | 5 +++++
 7 files changed, 160 insertions(+)
 create mode 100644 Dockerfile
 create mode 100644 common-auth
 create mode 100644 common-session
 create mode 100644 nsswitch.conf
 create mode 100644 skel/readme.md
 create mode 100644 sssd.conf
 create mode 100644 startup.sh
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..d13c589
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,41 @@
+FROM debian:stable
+MAINTAINER busti
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update && apt install -y --no-install-recommends \
+ openssh-server \
+ sssd \
+ sssd-ldap \
+ libnss-sss \
+ libpam-sss \
+ libpam-modules \
+ gettext \
+ && apt-get autoclean \
+ && apt-get autoremove \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /var/run/sshd
+RUN passwd --lock root
+RUN sed -i 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' /etc/pam.d/sshd
+RUN sed -i 's/#*PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
+RUN echo "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" >> /etc/ssh/sshd_config
+RUN echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config
+RUN echo "session optional pam_mkhomedir.so" >> /etc/pam.d/common_session
+
+RUN echo "proc /proc proc defaults,hidepid=2 0 0" >> /etc/fstab
+
+WORKDIR /home
+
+EXPOSE 22
+
+COPY sssd.conf /etc/sssd/sssd.conf.env
+COPY nsswitch.conf /etc/nsswitch.conf
+COPY common-session /etc/pam.d/common-session
+COPY skel /etc/skel
+
+COPY startup.sh /root/startup.sh
+
+VOLUME /home
+
+CMD ["/bin/bash", "/root/startup.sh"]
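Review bot: The `RUN echo "session optional pam_mkhomedir.so" >> /etc/pam.d/common_session` line writes to `common_session` (underscore), a file no stock Debian PAM service includes — the real file is `common-session` — and the `COPY common-session /etc/pam.d/common-session` a few lines later already configures pam_mkhomedir, so the echo should simply be dropped. The `/etc/fstab` hidepid entry likewise does nothing inside a container, since nothing processes fstab there; hidepid on `/proc` has to come from the container runtime or an explicit remount in the entrypoint, and a comment to that effect would save the next reader a puzzled look. `FROM debian:stable` floats across Debian releases, so pin a codename tag (e.g. `debian:buster-slim`) and bump it deliberately. Smaller points: `MAINTAINER` is deprecated in favour of `LABEL`; `ENV DEBIAN_FRONTEND noninteractive` uses the legacy space-separated form and bakes a build-only setting into the runtime environment (use `ARG DEBIAN_FRONTEND=noninteractive`); and `apt install` should be `apt-get install` to match the `apt-get update` it is chained with.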
diff --git a/common-auth b/common-auth
new file mode 100644
index 0000000..5facfa2
--- /dev/null
+++ b/common-auth
@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=1 default=ignore] pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/common-session b/common-session
new file mode 100644
index 0000000..0d34f1d
--- /dev/null
+++ b/common-session
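Review bot: common-auth is added to the tree but nothing installs it — the Dockerfile hunk copies sssd.conf, nsswitch.conf, common-session, skel and startup.sh into the image, not this file — so the image's authentication stack stays whatever libpam-sss's pam-auth-update produced at package install time. Either add `COPY common-auth /etc/pam.d/common-auth` next to the common-session copy or delete the file so the repository does not suggest a configuration the image does not have. If it is meant to be installed, note that its Primary block lists only `pam_unix.so` and `pam_deny.so` with no `pam_sss.so`, so as far as this file shows it would disable LDAP password authentication rather than configure it; with `PasswordAuthentication no` in sshd_config that may well be the intent, but a comment such as `# key-based sshd only: pam_sss deliberately absent from the auth stack` would stop a later reader from "fixing" it.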
@@ -0,0 +1,28 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_mkhomedir.so skel=/etc/skel/ umask=0067 silent
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+session optional pam_sss.so
+session optional pam_systemd.so
+# end of pam-auth-update config
diff --git a/nsswitch.conf b/nsswitch.conf
new file mode 100644
index 0000000..ff68702
--- /dev/null
+++ b/nsswitch.conf
@@ -0,0 +1,21 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: files sss
+group: files sss
+shadow: files sss
+gshadow: files
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files sss
+ethers: db files
+rpc: db files
+
+netgroup: nis sss
+sudoers: files sss
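Review bot: `session optional pam_systemd.so` names a module the Dockerfile's package list does not install (no `libpam-systemd`, and the install runs with `--no-install-recommends`), so PAM will presumably log a dlopen failure on every session; `optional` keeps logins working, but in a container without systemd the line is pure noise and should be removed. The `pam_mkhomedir.so skel=/etc/skel/ umask=0067` line deserves a why-comment, since the resulting home-directory mode (0710: owner full access, group may only traverse) is unusual enough that the next reader will wonder whether it is intentional, e.g. `# umask=0067 -> new homes are 0710; group may traverse but not list`. Note also that the `session required pam_mkhomedir.so` here makes the `pam_mkhomedir` echo in the Dockerfile redundant, so this file is the single place that setting should live.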
diff --git a/skel/readme.md b/skel/readme.md
new file mode 100644
index 0000000..ea99b9c
--- /dev/null
+++ b/skel/readme.md
@@ -0,0 +1 @@
+Welcome to your home directory
diff --git a/sssd.conf b/sssd.conf
new file mode 100644
index 0000000..80f956c
--- /dev/null
+++ b/sssd.conf
@@ -0,0 +1,39 @@
+[sssd]
+services = nss, pam, ssh
+config_file_version = 2
+domains = default
+debug_level = 3
+
+[nss]
+override_homedir = /home/%u
+override_shell = /bin/bash
+debug_level = 3
+
+[pam]
+offline_credentials_expiration = 60
+pam_verbosity = 3
+
+[ssh]
+debug_level = 3
+
+[sudo]
+
+[domain/default]
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = $LDAP_URI
+ldap_default_bind_dn = $LDAP_DEFAULT_BIND_DN
+ldap_default_authtok = $LDAP_DEFAULT_AUTHTOK
+ldap_default_authtok_type = password
+
+ldap_user_search_base = ou=members,dc=neulandlabor,dc=de
+ldap_user_ssh_public_key = businessCategory
+
+ldap_id_use_start_tls = False
+
+cache_credentials = true
+enumerate = true
+debug_level = 9
+
+access_provider = ldap
+ldap_access_filter = accountStatus=active
diff --git a/startup.sh b/startup.sh
new file mode 100644
index 0000000..9fbc3d9
--- /dev/null
+++ b/startup.sh
@@ -0,0 +1,5 @@
+envsubst < /etc/sssd/sssd.conf.env > /etc/sssd/sssd.conf
+
+rm -rf /var/run/sssd.pid
+/usr/sbin/sssd -f
+/usr/sbin/sshd -e -D
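Review bot: `ldap_id_use_start_tls = False` together with `ldap_default_authtok = $LDAP_DEFAULT_AUTHTOK` means the bind DN password, every user lookup and the SSH public keys fetched from `businessCategory` cross the network in cleartext unless `$LDAP_URI` happens to be an `ldaps://` URL, and nothing in this file or in startup.sh enforces that. Change it to `ldap_id_use_start_tls = True` (sssd's default `ldap_tls_reqcert = hard` then verifies the server certificate), or document at the top of the file that `$LDAP_URI` must be `ldaps://`. The file is an envsubst template rendered by startup.sh, which a reader of `/etc/sssd/sssd.conf.env` cannot tell from its content, so a header comment along the lines of `# Template: $LDAP_* placeholders are filled by envsubst in /root/startup.sh; the rendered file contains the bind password` belongs at the top. `debug_level = 9` on the domain is trace-level logging and should be brought down to the 3 used by the other sections before this runs anywhere real, and the hard-coded `ou=members,dc=neulandlabor,dc=de` search base is the one site-specific value not parameterised like its neighbours.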
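Review bot: `/usr/sbin/sshd -e -D` on the last line is started without `exec`, so bash stays PID 1, the SIGTERM from `docker stop` is delivered to the shell rather than to sshd, and the container is killed after the stop timeout instead of shutting down cleanly. The script also has no `set -e` and no check that the `$LDAP_*` variables are set, so a missing `LDAP_DEFAULT_AUTHTOK` silently renders an empty `ldap_default_authtok` and both daemons start against a broken config. The rendered `/etc/sssd/sssd.conf` holds that bind password and is written with the default umask, which sssd is likely to refuse at startup (it expects the file root-owned and mode 0600), so an explicit `chmod 0600` is needed either way. Whether `sssd -f` (debug-to-files) leaves sssd in the foreground or daemonised depends on the installed version; the intended process model should be stated in a comment.
```shell
set -eu
: "${LDAP_URI:?}" "${LDAP_DEFAULT_BIND_DN:?}" "${LDAP_DEFAULT_AUTHTOK:?}"
envsubst < /etc/sssd/sssd.conf.env > /etc/sssd/sssd.conf
chmod 0600 /etc/sssd/sssd.conf   # rendered file contains the LDAP bind password
# … unchanged: pid-file cleanup, sssd start …
exec /usr/sbin/sshd -e -D
```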