Forward ssh2 ports into docker

internal/wisski/ingredient/barrel/barrel/.dockerignore

@@ -5,4 +5,5 @@
 !conf/*
 !scripts/*
 !patch/*
+!ssh/*
 !wisskiutils/*

internal/wisski/ingredient/barrel/barrel/Dockerfile

@@ -2,9 +2,10 @@ FROM docker.io/library/php:8.0-apache-bullseye
 ARG COMPOSER_VERSION=2.3.8
 WORKDIR /var/www
 
-# install and enable the various required php extension
-RUN apt-get update && apt-get install -y \
+# install and enable the various required php extensions and dropbear ssh server
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
         curl \
+        openssh-server \
         default-mysql-client \
         git \
         imagemagick \
@@ -89,6 +90,7 @@ RUN a2ensite wisski
 VOLUME /var/www/.composer
 VOLUME /var/www/data
 
+
 # Add and configure the entrypoint
 ADD scripts/entrypoint.sh /entrypoint.sh
 
@@ -101,6 +103,12 @@ ADD wisskiutils/ /wisskiutils
 
 # Add the user_shell.sh
 ADD scripts/user_shell.sh /user_shell.sh
+ADD ssh/ /ssh/
+VOLUME /ssh/hostkeys/
+RUN chmod 700 /ssh/keys.sh && \
+    chmod 700 /ssh/start.sh && \
+    chmod 777 /user_shell.sh && \
+    chsh www-data --shell /user_shell.sh
 
 # expose port 8080
 EXPOSE 8080

internal/wisski/ingredient/barrel/barrel/docker-compose.yml

@@ -24,6 +24,7 @@ services:
       - ${GLOBAL_AUTHORIZED_KEYS_FILE}:/var/www/.ssh/global_authorized_keys:ro
       - ${DATA_PATH}/.composer:/var/www/.composer
       - ${DATA_PATH}/data:/var/www/data
+      - ${DATA_PATH}/hostkeys:/ssh/hostkeys:rw
       - ${DATA_PATH}/authorized_keys:/var/www/.ssh/authorized_keys
       - ${RUNTIME_DIR}:/runtime:ro
 

internal/wisski/ingredient/barrel/barrel/scripts/entrypoint.sh

@@ -7,5 +7,8 @@ chown www-data:www-data /var/www
 chown www-data:www-data /var/www/.composer
 chown www-data:www-data /var/www/data/
 
+# start up dropbear
+/ssh/start.sh &
+
 # run the original entrypoint
 docker-php-entrypoint "$@"

internal/wisski/ingredient/barrel/barrel/scripts/user_shell.sh

@@ -1,5 +1,12 @@
 #!/bin/bash
+set -e
 
 # This script is used to start a user shell inside the docker container. 
 cd "/var/www/data/project"
-sudo -u www-data "PATH=/var/www/data/project/vendor/bin:$PATH" /bin/bash "$@"
+export "PATH=/var/www/data/project/vendor/bin:$PATH"
+
+if [ "$USER" = "www-data" ]; then
+    /bin/bash "$@"
+else
+    sudo -u www-data  /bin/bash "$@"
+fi;

internal/wisski/ingredient/barrel/barrel/ssh/keys.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+cat /var/www/.ssh/authorized_keys /var/www/.ssh/global_authorized_keys 2> /dev/null || exit 0

internal/wisski/ingredient/barrel/barrel/ssh/sshd_config

@@ -0,0 +1,27 @@
+# sshd_config file for distillery ssh server
+
+# listen on port 22
+Port 22
+ListenAddress 0.0.0.0
+
+# Use hostkeys from /ssh/hostkeys
+HostKey /ssh/hostkeys/ssh_host_rsa_key
+HostKey /ssh/hostkeys/ssh_host_ecdsa_key
+HostKey /ssh/hostkeys/ssh_host_ed25519_key
+
+# Disable forwarding and motd
+X11Forwarding no
+PrintMotd no
+
+# allow sftp
+Subsystem       sftp    /usr/lib/openssh/sftp-server
+
+# allow only www-data to login
+AllowUsers www-data
+
+# allow only public keys using /ssh/keys.sh
+PubkeyAuthentication yes     
+AuthenticationMethods publickey
+AuthorizedKeysFile none
+AuthorizedKeysCommand /ssh/keys.sh
+AuthorizedKeysCommandUser root

internal/wisski/ingredient/barrel/barrel/ssh/start.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# create the sshd directory
+if [ ! -d /run/sshd ]; then
+   mkdir /run/sshd
+   chmod 0755 /run/sshd
+fi
+
+# regenerate key files if they do not yet exist
+[[ -f "/ssh/hostkeys/ssh_host_rsa_key" ]] || ssh-keygen -q -N "" -t dsa -f /ssh/hostkeys/ssh_host_rsa_key
+[[ -f "/ssh/hostkeys/ssh_host_ecdsa_key" ]] || ssh-keygen -q -N "" -t ecdsa -f /ssh/hostkeys/ssh_host_ecdsa_key
+[[ -f "/ssh/hostkeys/ssh_host_ed25519_key" ]] || ssh-keygen -q -N "" -t ed25519 -f /ssh/hostkeys/ssh_host_ed25519_key
+
+/usr/sbin/sshd -e -D -f /ssh/sshd_config