Refactor everything to be driven by bin/aci-tunnel

Tested and works a treat!

Dockerfile

@@ -2,10 +2,13 @@ FROM alpine
 MAINTAINER rtyler@brokenco.de
 EXPOSE 22
 
-RUN apk add -U openssh-server
+# curl and bash are for debugging
+# ... ncurses is for nyan cat ^_^
+RUN apk add -U -u openssh-server libcurl curl bash ncurses
 
 COPY sshd_config /etc/ssh/
 COPY run-sshd /usr/sbin/
+COPY bin/nyan /usr/bin/
 
 RUN adduser -h /home/aci -D aci && passwd -u aci
 RUN mkdir /home/aci/.ssh && chmod 700 /home/aci/.ssh && chown -R aci /home/aci

Makefile

@@ -12,6 +12,17 @@ check: build # Verify the container
 clean: # Clean up any built resources
 	docker rmi $$(docker images -q -f "reference=$(IMAGE)") || true
 
+run: # Run the container locally, listening on port 2022
+	docker run --rm -ti -p 2022:22 \
+		-e SSH_PUBKEY="$(shell cat ~/.ssh/id_rsa.pub)" \
+		--name aci-tunnel $(IMAGE):$(IMAGE_TAG)
+
+connect: # Connect to a locally running container
+	ssh -p 2022 \
+		-o UserKnownHostsFile=/dev/null \
+		-o StrictHostKeyChecking=no \
+		aci@localhost
+
 # Cute hack thanks to:
 # https://marmelab.com/blog/2016/02/29/auto-documented-makefile.html
 help: ## Display this help text

bin/aci-tunnel

@@ -0,0 +1,93 @@
+#!/bin/bash
+########w#######################################################################
+# Advanced configuration
+#
+PUBKEY=$HOME/.ssh/id_rsa.pub
+IMAGE=rtyler/aci-tunnel:latest
+#
+########w#######################################################################
+
+
+# Internal variables
+AZ_GROUP=aci
+AZ_CONTAINER=tunnel
+AZ_REGION=westus
+TUNNEL_USER=aci
+TUNNEL_IP=
+
+ports=()
+forwards=()
+
+# Functions for handling starting/stopping
+########w#######################################################################
+shutdown() {
+    echo ">> Attempting to cleanly shut off remote tunnel"
+    az container delete -g ${AZ_GROUP} -n ${AZ_CONTAINER}
+    echo ">> Remote tunnel deleted"
+    exit
+}
+trap shutdown INT TERM
+
+prepare_group() {
+    az group exists -n ${AZ_GROUP} -o json | grep true > /dev/null
+    if [ $? -ne 0 ]; then
+        echo ">> Creating Azure Resource Group '${AZ_GROUP}'"
+        az group create -n ${AZ_GROUP} -l ${AZ_REGION}
+    fi;
+}
+
+startup() {
+    echo ">> Launching tunnel.. "
+    # The pubkey must be encoded in base64 because the az command cannot handle
+    # environment variables with newlines in them
+    az container create -g ${AZ_GROUP} -n ${AZ_CONTAINER} \
+        --image ${IMAGE} \
+        -e BASE64_PUBKEY="$(cat ${PUBKEY} | base64 -w 0)" \
+        --ports 22 ${ports[@]} \
+        --ip-address Public \
+        -o none
+    echo ">> Remote tunnel active"
+}
+
+verify_env() {
+    which az > /dev/null
+    if [ $? -ne 0 ]; then
+        echo ">> This script expects the azure-cli (az) to be installed"
+        exit 1;
+    fi;
+    which base64 > /dev/null
+    if [ $? -ne 0 ]; then
+        echo ">>> This script expects a base64 binary to be present"
+        exit 1;
+    fi;
+}
+########w#######################################################################
+
+########w#######################################################################
+
+verify_env
+
+if [ ! "${1}" ]; then
+    echo ">> Please invoke this script with a space-delimited list of ports to forward"
+    exit 1;
+fi;
+# Prepare some arrays for later usage
+for p in $@; do
+    forwards+=("-R \*:${p}:localhost:${p}")
+    ports+=("${p}")
+done
+
+echo ">> Preparing tunnel.."
+prepare_group
+startup
+
+
+TUNNEL_IP=$(az container show -g ${AZ_GROUP} -n ${AZ_CONTAINER} -o tsv --query 'ipAddress.ip' | sed -e 's/\r//')
+echo ">> Connecting to remote tunnel at ${TUNNEL_IP}"
+ssh -t ${forwards[@]} \
+    -o StrictHostKeyChecking=no \
+    -o UserKnownHostsFile=/dev/null \
+    -l ${TUNNEL_USER} \
+    $TUNNEL_IP "clear;echo 'Tunnel is active! YAY' && nyan"
+
+shutdown

bin/nyan

@@ -0,0 +1,82 @@
+#!/bin/bash
+# originally from: https://gist.github.com/shinohai/899b387d9d8654ec6d55
+
+# config
+IMGS=(
+"
+ +      o     +              o    \n\
+     +             o     +       +\n\
+ o          +                     \n\
+     o  +           +        +    \n\
+ +        o     o       +        o\n\
+ -_-_-_-_-_-_-_,------,      o    \n\
+ _-_-_-_-_-_-_-|   /\_/\          \n\
+ -_-_-_-_-_-_-~|__( ^ .^)  +     +\n\
+ _-_-_-_-_-_-_-\"\"  \"\"         \n\
+ +      o         o   +       o   \n\
+     +         +                  \n\
+ o        o         o      o     +\n\
+     o           +                \n\
+ +      +     o        o      +   \n
+" "
+     o  +           +        +    \n\
+ o          +                    o\n\
+     o                 +          \n\
+ +      o     +              o    \n\
+  o     +        o               +\n\
+ _-_-_-_-_-_-_-,------,  o      + \n\
+ -_-_-_-_-_-_-_|   /\_/\    +     \n\
+ _-_-_-_-_-_-_~|__( ^ .^)     o   \n\
+ -_-_-_-_-_-_-_  \"\"  \"\"       \n\
+ +      +     o        o      +   \n\
+ o        +                o     +\n\
+ +      o         +     +       o \n\
+     +         +                  \n\
+        +           o        +    \n
+" )
+REFRESH="0.5"
+AUDIO_FILE="/tmp/nyan-cat.mp3"
+# end
+
+# count lines of first ascii picture in array
+LINES_PER_IMG=$(( $(echo $IMGS[0] | sed 's/\\n/\n/g' | wc -l) + 1 ))
+
+# tput $1 LINES_PER_IMG times, used for cuu1(cursor up) cud1(cursor down)
+tput_loop() { for((x=0; x < $LINES_PER_IMG; x++)); do tput $1; done; }
+
+# ^C abort, script cleanup
+trap sigtrap INT
+sigtrap()
+    {
+    # make cursor visible again
+    tput cvvis
+
+    # reset cursor
+    tput_loop "cud1"
+
+    # stop audio
+    #kill `pgrep vlc`
+    #kill `pgrep mplayer` 2&> /dev/null
+
+    echo "caught signal SIGINT(CTRL+C), quitting ..."
+    exit 1
+    }
+
+# need multi-space strings
+IFS='%'
+
+# start audio, vlc & mplayer examples
+#vlc $AUDIO_FILE --quiet --loop --volume=100 &
+#mplayer -really-quiet -loop 0 $AUDIO_FILE < /dev/null &
+
+# hide the cursor
+tput civis
+
+# main loop, pretty self explanatory
+while [ 1 ]; do for x in "${IMGS[@]}"; do
+    echo -ne $x
+    tput_loop "cuu1"
+    sleep $REFRESH
+done; done
+
+# will never reach here, CTRL+C is required to quit

run-sshd

@@ -7,10 +7,14 @@ if [ ! -f ${KEYFILE} ]; then
     ssh-keygen -f ${KEYFILE} -N "" -t rsa;
 fi;
 
+if [ "${BASE64_PUBKEY}" ]; then
+    export SSH_PUBKEY=$(echo ${BASE64_PUBKEY} | base64 -d)
+fi;
+
 if [ "${SSH_PUBKEY}" ]; then
     echo ${SSH_PUBKEY} > ${PUBKEY}
     chmod 600 ${PUBKEY}
     chown aci ${PUBKEY}
 fi;
 
-exec /usr/sbin/sshd -Dd
+exec /usr/sbin/sshd -D

sshd_config

@@ -3,10 +3,7 @@ Port 22
 ListenAddress 0.0.0.0
 #ListenAddress ::
 
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
+HostKey /etc/ssh/ssh_host_rsa_key
 # Ciphers and keying
 #RekeyLimit default none
 
@@ -22,84 +19,20 @@ ListenAddress 0.0.0.0
 #MaxAuthTries 6
 #MaxSessions 10
 
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
+PubkeyAuthentication yes
 AuthorizedKeysFile	.ssh/authorized_keys
 
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
 PasswordAuthentication no
 PermitEmptyPasswords no
 
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
-
-#AllowAgentForwarding yes
-# Feel free to re-enable these if your use case requires them.
-AllowTcpForwarding no
+AllowAgentForwarding yes
+AllowTcpForwarding yes
 GatewayPorts yes
 X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
 TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
+PermitTunnel yes
 # no default banner path
 #Banner none
 
 # override default of no subsystems
 Subsystem	sftp	/usr/lib/ssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server