Refactor everything to be driven by bin/aci-tunnel
Tested and works a treat!
This commit is contained in:
parent
bf38dbd1b1
commit
073c68bea6
|
@ -2,10 +2,13 @@ FROM alpine
|
|||
MAINTAINER rtyler@brokenco.de
|
||||
EXPOSE 22
|
||||
|
||||
RUN apk add -U openssh-server
|
||||
# curl and bash are for debugging
|
||||
# ... ncurses is for nyan cat ^_^
|
||||
RUN apk add -U -u openssh-server libcurl curl bash ncurses
|
||||
|
||||
COPY sshd_config /etc/ssh/
|
||||
COPY run-sshd /usr/sbin/
|
||||
COPY bin/nyan /usr/bin/
|
||||
|
||||
RUN adduser -h /home/aci -D aci && passwd -u aci
|
||||
RUN mkdir /home/aci/.ssh && chmod 700 /home/aci/.ssh && chown -R aci /home/aci
|
||||
|
|
11
Makefile
11
Makefile
|
@ -12,6 +12,17 @@ check: build # Verify the container
|
|||
clean: # Clean up any built resources
|
||||
docker rmi $$(docker images -q -f "reference=$(IMAGE)") || true
|
||||
|
||||
run: # Run the container locally, listening on port 2022
|
||||
docker run --rm -ti -p 2022:22 \
|
||||
-e SSH_PUBKEY="$(shell cat ~/.ssh/id_rsa.pub)" \
|
||||
--name aci-tunnel $(IMAGE):$(IMAGE_TAG)
|
||||
|
||||
connect: # Connect to a locally running container
|
||||
ssh -p 2022 \
|
||||
-o UserKnownHostsFile=/dev/null \
|
||||
-o StrictHostKeyChecking=no \
|
||||
aci@localhost
|
||||
|
||||
# Cute hack thanks to:
|
||||
# https://marmelab.com/blog/2016/02/29/auto-documented-makefile.html
|
||||
help: ## Display this help text
|
||||
|
|
|
@ -0,0 +1,93 @@
|
|||
#!/bin/bash
|
||||
########w#######################################################################
|
||||
# Advanced configuration
|
||||
#
|
||||
PUBKEY=$HOME/.ssh/id_rsa.pub
|
||||
IMAGE=rtyler/aci-tunnel:latest
|
||||
#
|
||||
########w#######################################################################
|
||||
|
||||
|
||||
# Internal variables
|
||||
AZ_GROUP=aci
|
||||
AZ_CONTAINER=tunnel
|
||||
AZ_REGION=westus
|
||||
TUNNEL_USER=aci
|
||||
TUNNEL_IP=
|
||||
|
||||
ports=()
|
||||
forwards=()
|
||||
|
||||
# Functions for handling starting/stopping
|
||||
########w#######################################################################
|
||||
shutdown() {
|
||||
echo ">> Attempting to cleanly shut off remote tunnel"
|
||||
az container delete -g ${AZ_GROUP} -n ${AZ_CONTAINER}
|
||||
echo ">> Remote tunnel deleted"
|
||||
exit
|
||||
}
|
||||
trap shutdown INT TERM
|
||||
|
||||
prepare_group() {
|
||||
az group exists -n ${AZ_GROUP} -o json | grep true > /dev/null
|
||||
if [ $? -ne 0 ]; then
|
||||
echo ">> Creating Azure Resource Group '${AZ_GROUP}'"
|
||||
az group create -n ${AZ_GROUP} -l ${AZ_REGION}
|
||||
fi;
|
||||
}
|
||||
|
||||
startup() {
|
||||
echo ">> Launching tunnel.. "
|
||||
# The pubkey must be encoded in base64 because the az command cannot handle
|
||||
# environment variables with newlines in them
|
||||
az container create -g ${AZ_GROUP} -n ${AZ_CONTAINER} \
|
||||
--image ${IMAGE} \
|
||||
-e BASE64_PUBKEY="$(cat ${PUBKEY} | base64 -w 0)" \
|
||||
--ports 22 ${ports[@]} \
|
||||
--ip-address Public \
|
||||
-o none
|
||||
echo ">> Remote tunnel active"
|
||||
}
|
||||
|
||||
verify_env() {
|
||||
which az > /dev/null
|
||||
if [ $? -ne 0 ]; then
|
||||
echo ">> This script expects the azure-cli (az) to be installed"
|
||||
exit 1;
|
||||
fi;
|
||||
which base64 > /dev/null
|
||||
if [ $? -ne 0 ]; then
|
||||
echo ">>> This script expects a base64 binary to be present"
|
||||
exit 1;
|
||||
fi;
|
||||
}
|
||||
########w#######################################################################
|
||||
|
||||
########w#######################################################################
|
||||
|
||||
verify_env
|
||||
|
||||
if [ ! "${1}" ]; then
|
||||
echo ">> Please invoke this script with a space-delimited list of ports to forward"
|
||||
exit 1;
|
||||
fi;
|
||||
# Prepare some arrays for later usage
|
||||
for p in $@; do
|
||||
forwards+=("-R \*:${p}:localhost:${p}")
|
||||
ports+=("${p}")
|
||||
done
|
||||
|
||||
echo ">> Preparing tunnel.."
|
||||
prepare_group
|
||||
startup
|
||||
|
||||
|
||||
TUNNEL_IP=$(az container show -g ${AZ_GROUP} -n ${AZ_CONTAINER} -o tsv --query 'ipAddress.ip' | sed -e 's/\r//')
|
||||
echo ">> Connecting to remote tunnel at ${TUNNEL_IP}"
|
||||
ssh -t ${forwards[@]} \
|
||||
-o StrictHostKeyChecking=no \
|
||||
-o UserKnownHostsFile=/dev/null \
|
||||
-l ${TUNNEL_USER} \
|
||||
$TUNNEL_IP "clear;echo 'Tunnel is active! YAY' && nyan"
|
||||
|
||||
shutdown
|
|
@ -0,0 +1,82 @@
|
|||
#!/bin/bash
|
||||
# originally from: https://gist.github.com/shinohai/899b387d9d8654ec6d55
|
||||
|
||||
# config
|
||||
IMGS=(
|
||||
"
|
||||
+ o + o \n\
|
||||
+ o + +\n\
|
||||
o + \n\
|
||||
o + + + \n\
|
||||
+ o o + o\n\
|
||||
-_-_-_-_-_-_-_,------, o \n\
|
||||
_-_-_-_-_-_-_-| /\_/\ \n\
|
||||
-_-_-_-_-_-_-~|__( ^ .^) + +\n\
|
||||
_-_-_-_-_-_-_-\"\" \"\" \n\
|
||||
+ o o + o \n\
|
||||
+ + \n\
|
||||
o o o o +\n\
|
||||
o + \n\
|
||||
+ + o o + \n
|
||||
" "
|
||||
o + + + \n\
|
||||
o + o\n\
|
||||
o + \n\
|
||||
+ o + o \n\
|
||||
o + o +\n\
|
||||
_-_-_-_-_-_-_-,------, o + \n\
|
||||
-_-_-_-_-_-_-_| /\_/\ + \n\
|
||||
_-_-_-_-_-_-_~|__( ^ .^) o \n\
|
||||
-_-_-_-_-_-_-_ \"\" \"\" \n\
|
||||
+ + o o + \n\
|
||||
o + o +\n\
|
||||
+ o + + o \n\
|
||||
+ + \n\
|
||||
+ o + \n
|
||||
" )
|
||||
REFRESH="0.5"
|
||||
AUDIO_FILE="/tmp/nyan-cat.mp3"
|
||||
# end
|
||||
|
||||
# count lines of first ascii picture in array
|
||||
LINES_PER_IMG=$(( $(echo $IMGS[0] | sed 's/\\n/\n/g' | wc -l) + 1 ))
|
||||
|
||||
# tput $1 LINES_PER_IMG times, used for cuu1(cursor up) cud1(cursor down)
|
||||
tput_loop() { for((x=0; x < $LINES_PER_IMG; x++)); do tput $1; done; }
|
||||
|
||||
# ^C abort, script cleanup
|
||||
trap sigtrap INT
|
||||
sigtrap()
|
||||
{
|
||||
# make cursor visible again
|
||||
tput cvvis
|
||||
|
||||
# reset cursor
|
||||
tput_loop "cud1"
|
||||
|
||||
# stop audio
|
||||
#kill `pgrep vlc`
|
||||
#kill `pgrep mplayer` 2&> /dev/null
|
||||
|
||||
echo "caught signal SIGINT(CTRL+C), quitting ..."
|
||||
exit 1
|
||||
}
|
||||
|
||||
# need multi-space strings
|
||||
IFS='%'
|
||||
|
||||
# start audio, vlc & mplayer examples
|
||||
#vlc $AUDIO_FILE --quiet --loop --volume=100 &
|
||||
#mplayer -really-quiet -loop 0 $AUDIO_FILE < /dev/null &
|
||||
|
||||
# hide the cursor
|
||||
tput civis
|
||||
|
||||
# main loop, pretty self explanatory
|
||||
while [ 1 ]; do for x in "${IMGS[@]}"; do
|
||||
echo -ne $x
|
||||
tput_loop "cuu1"
|
||||
sleep $REFRESH
|
||||
done; done
|
||||
|
||||
# will never reach here, CTRL+C is required to quit
|
6
run-sshd
6
run-sshd
|
@ -7,10 +7,14 @@ if [ ! -f ${KEYFILE} ]; then
|
|||
ssh-keygen -f ${KEYFILE} -N "" -t rsa;
|
||||
fi;
|
||||
|
||||
if [ "${BASE64_PUBKEY}" ]; then
|
||||
export SSH_PUBKEY=$(echo ${BASE64_PUBKEY} | base64 -d)
|
||||
fi;
|
||||
|
||||
if [ "${SSH_PUBKEY}" ]; then
|
||||
echo ${SSH_PUBKEY} > ${PUBKEY}
|
||||
chmod 600 ${PUBKEY}
|
||||
chown aci ${PUBKEY}
|
||||
fi;
|
||||
|
||||
exec /usr/sbin/sshd -Dd
|
||||
exec /usr/sbin/sshd -D
|
||||
|
|
77
sshd_config
77
sshd_config
|
@ -3,10 +3,7 @@ Port 22
|
|||
ListenAddress 0.0.0.0
|
||||
#ListenAddress ::
|
||||
|
||||
#HostKey /etc/ssh/ssh_host_rsa_key
|
||||
#HostKey /etc/ssh/ssh_host_ecdsa_key
|
||||
#HostKey /etc/ssh/ssh_host_ed25519_key
|
||||
|
||||
HostKey /etc/ssh/ssh_host_rsa_key
|
||||
# Ciphers and keying
|
||||
#RekeyLimit default none
|
||||
|
||||
|
@ -22,84 +19,20 @@ ListenAddress 0.0.0.0
|
|||
#MaxAuthTries 6
|
||||
#MaxSessions 10
|
||||
|
||||
#PubkeyAuthentication yes
|
||||
|
||||
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
|
||||
# but this is overridden so installations will only check .ssh/authorized_keys
|
||||
PubkeyAuthentication yes
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
|
||||
#AuthorizedPrincipalsFile none
|
||||
|
||||
#AuthorizedKeysCommand none
|
||||
#AuthorizedKeysCommandUser nobody
|
||||
|
||||
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
|
||||
#HostbasedAuthentication no
|
||||
# Change to yes if you don't trust ~/.ssh/known_hosts for
|
||||
# HostbasedAuthentication
|
||||
#IgnoreUserKnownHosts no
|
||||
# Don't read the user's ~/.rhosts and ~/.shosts files
|
||||
#IgnoreRhosts yes
|
||||
|
||||
# To disable tunneled clear text passwords, change to no here!
|
||||
PasswordAuthentication no
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# Change to no to disable s/key passwords
|
||||
#ChallengeResponseAuthentication yes
|
||||
|
||||
# Kerberos options
|
||||
#KerberosAuthentication no
|
||||
#KerberosOrLocalPasswd yes
|
||||
#KerberosTicketCleanup yes
|
||||
#KerberosGetAFSToken no
|
||||
|
||||
# GSSAPI options
|
||||
#GSSAPIAuthentication no
|
||||
#GSSAPICleanupCredentials yes
|
||||
|
||||
# Set this to 'yes' to enable PAM authentication, account processing,
|
||||
# and session processing. If this is enabled, PAM authentication will
|
||||
# be allowed through the ChallengeResponseAuthentication and
|
||||
# PasswordAuthentication. Depending on your PAM configuration,
|
||||
# PAM authentication via ChallengeResponseAuthentication may bypass
|
||||
# the setting of "PermitRootLogin without-password".
|
||||
# If you just want the PAM account and session checks to run without
|
||||
# PAM authentication, then enable this but set PasswordAuthentication
|
||||
# and ChallengeResponseAuthentication to 'no'.
|
||||
#UsePAM no
|
||||
|
||||
#AllowAgentForwarding yes
|
||||
# Feel free to re-enable these if your use case requires them.
|
||||
AllowTcpForwarding no
|
||||
AllowAgentForwarding yes
|
||||
AllowTcpForwarding yes
|
||||
GatewayPorts yes
|
||||
X11Forwarding no
|
||||
#X11DisplayOffset 10
|
||||
#X11UseLocalhost yes
|
||||
#PermitTTY yes
|
||||
#PrintMotd yes
|
||||
#PrintLastLog yes
|
||||
TCPKeepAlive yes
|
||||
#PermitUserEnvironment no
|
||||
#Compression delayed
|
||||
#ClientAliveInterval 0
|
||||
#ClientAliveCountMax 3
|
||||
#UseDNS no
|
||||
#PidFile /run/sshd.pid
|
||||
#MaxStartups 10:30:100
|
||||
#PermitTunnel no
|
||||
#ChrootDirectory none
|
||||
#VersionAddendum none
|
||||
|
||||
PermitTunnel yes
|
||||
# no default banner path
|
||||
#Banner none
|
||||
|
||||
# override default of no subsystems
|
||||
Subsystem sftp /usr/lib/ssh/sftp-server
|
||||
|
||||
# Example of overriding settings on a per-user basis
|
||||
#Match User anoncvs
|
||||
# X11Forwarding no
|
||||
# AllowTcpForwarding no
|
||||
# PermitTTY no
|
||||
# ForceCommand cvs server
|
||||
|
|
Loading…
Reference in New Issue