initial commit

Dockerfile

@@ -0,0 +1,41 @@
+FROM debian:stable
+MAINTAINER busti <oss@busti.cool>
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update && apt install -y --no-install-recommends \
+    openssh-server \
+    sssd \
+    sssd-ldap \
+    libnss-sss \
+    libpam-sss \
+    libpam-modules \
+    gettext \
+ && apt-get autoclean \
+ && apt-get autoremove \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /var/run/sshd
+RUN passwd --lock root
+RUN sed -i 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' /etc/pam.d/sshd
+RUN sed -i 's/#*PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
+RUN echo "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" >> /etc/ssh/sshd_config
+RUN echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config
+RUN echo "session	optional	pam_mkhomedir.so" >> /etc/pam.d/common_session
+
+RUN echo "proc	/proc	proc	defaults,hidepid=2	0	0" >> /etc/fstab
+
+WORKDIR /home
+
+EXPOSE 22
+
+COPY sssd.conf /etc/sssd/sssd.conf.env
+COPY nsswitch.conf /etc/nsswitch.conf
+COPY common-session /etc/pam.d/common-session
+COPY skel /etc/skel
+
+COPY startup.sh /root/startup.sh
+
+VOLUME /home
+
+CMD ["/bin/bash", "/root/startup.sh"]

common-auth

@@ -0,0 +1,25 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth	[success=1 default=ignore]	pam_unix.so nullok_secure
+# here's the fallback if no module succeeds
+auth	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

common-session

@@ -0,0 +1,28 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1]                     pam_permit.so
+# here's the fallback if no module succeeds
+session requisite                       pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0067 silent
+session required                        pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required        pam_unix.so
+session optional                        pam_sss.so
+session optional        pam_systemd.so
+# end of pam-auth-update config

nsswitch.conf

@@ -0,0 +1,21 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd:         files sss
+group:          files sss
+shadow:         files sss
+gshadow:        files
+
+hosts:          files dns
+networks:       files
+
+protocols:      db files
+services:       db files sss
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis sss
+sudoers:	files sss

skel/readme.md

@@ -0,0 +1 @@
+Welcome to your home directory

sssd.conf

@@ -0,0 +1,39 @@
+[sssd]
+services = nss, pam, ssh
+config_file_version = 2
+domains = default
+debug_level = 3
+
+[nss]
+override_homedir = /home/%u
+override_shell = /bin/bash
+debug_level = 3
+
+[pam]
+offline_credentials_expiration = 60
+pam_verbosity = 3
+
+[ssh]
+debug_level = 3
+
+[sudo]
+
+[domain/default]
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = $LDAP_URI
+ldap_default_bind_dn = $LDAP_DEFAULT_BIND_DN
+ldap_default_authtok = $LDAP_DEFAULT_AUTHTOK
+ldap_default_authtok_type = password
+
+ldap_user_search_base = ou=members,dc=neulandlabor,dc=de
+ldap_user_ssh_public_key = businessCategory
+
+ldap_id_use_start_tls = False
+
+cache_credentials = true
+enumerate = true
+debug_level = 9
+
+access_provider = ldap
+ldap_access_filter = accountStatus=active

startup.sh

@@ -0,0 +1,5 @@
+envsubst < /etc/sssd/sssd.conf.env > /etc/sssd/sssd.conf
+
+rm -rf /var/run/sssd.pid
+/usr/sbin/sssd -f
+/usr/sbin/sshd -e -D