Merge pull request #593 from jdeathe/centos-7-develop

jdeathe · web-flow · commit 76517ed48837 · 2018-11-10T15:39:05.000Z
Release changes for 2.4.1
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,12 @@
 
 Summary of release changes for Version 2 - CentOS-7
 
+### 2.4.1 - 2018-11-10
+
+- Adds feature to set system time zone via `SSH_TIMEZONE`.
+- Adds feature to enable password authentication.
+- Adds default of removing insecure public key when enabling password authentication.
+
 ### 2.4.0 - 2018-08-12
 
 - Updates source tag to CentOS 7.5.1804.
diff --git a/Dockerfile b/Dockerfile
@@ -133,23 +133,25 @@ EXPOSE 22
 # Set default environment variables
 # -----------------------------------------------------------------------------
 ENV SSH_AUTHORIZED_KEYS="" \
-	SSH_AUTOSTART_SSHD=true \
-	SSH_AUTOSTART_SSHD_BOOTSTRAP=true \
+	SSH_AUTOSTART_SSHD="true" \
+	SSH_AUTOSTART_SSHD_BOOTSTRAP="true" \
 	SSH_CHROOT_DIRECTORY="%h" \
-	SSH_INHERIT_ENVIRONMENT=false \
+	SSH_INHERIT_ENVIRONMENT="false" \
+	SSH_PASSWORD_AUTHENTICATION="false" \
 	SSH_SUDO="ALL=(ALL) ALL" \
+	SSH_TIMEZONE="UTC" \
 	SSH_USER="app-admin" \
-	SSH_USER_FORCE_SFTP=false \
+	SSH_USER_FORCE_SFTP="false" \
 	SSH_USER_HOME="/home/%u" \
 	SSH_USER_ID="500:500" \
 	SSH_USER_PASSWORD="" \
-	SSH_USER_PASSWORD_HASHED=false \
+	SSH_USER_PASSWORD_HASHED="false" \
 	SSH_USER_SHELL="/bin/bash"
 
 # -----------------------------------------------------------------------------
 # Set image metadata
 # -----------------------------------------------------------------------------
-ARG RELEASE_VERSION="2.4.0"
+ARG RELEASE_VERSION="2.4.1"
 LABEL \
 	maintainer="James Deathe <james.deathe@gmail.com>" \
 	install="docker run \
diff --git a/README.md b/README.md
@@ -7,12 +7,12 @@ Includes public key authentication, Automated password generation and supports c
 
 ## Overview & links
 
-The latest CentOS-6 / CentOS-7 based releases can be pulled from the `centos-6` / `centos-7` Docker tags respectively. For production use it is recommended to select a specific release tag - the convention is `centos-6-1.9.0` OR `1.9.0` for the [1.9.0](https://github.com/jdeathe/centos-ssh/tree/1.9.0) release tag and `centos-7-2.4.0` OR `2.4.0` for the [2.4.0](https://github.com/jdeathe/centos-ssh/tree/2.4.0) release tag.
+The latest CentOS-6 / CentOS-7 based releases can be pulled from the `centos-6` / `centos-7` Docker tags respectively. For production use it is recommended to select a specific release tag - the convention is `centos-6-1.9.1` OR `1.9.1` for the [1.9.1](https://github.com/jdeathe/centos-ssh/tree/1.9.1) release tag and `centos-7-2.4.1` OR `2.4.1` for the [2.4.1](https://github.com/jdeathe/centos-ssh/tree/2.4.1) release tag.
 
 ### Tags and respective `Dockerfile` links
 
-- `centos-7`,`centos-7-2.4.0`,`2.4.0` [(centos-7/Dockerfile)](https://github.com/jdeathe/centos-ssh/blob/centos-7/Dockerfile)
-- `centos-6`,`centos-6-1.9.0`,`1.9.0` [(centos-6/Dockerfile)](https://github.com/jdeathe/centos-ssh/blob/centos-6/Dockerfile)
+- `centos-7`,`centos-7-2.4.1`,`2.4.1` [(centos-7/Dockerfile)](https://github.com/jdeathe/centos-ssh/blob/centos-7/Dockerfile)
+- `centos-6`,`centos-6-1.9.1`,`1.9.1` [(centos-6/Dockerfile)](https://github.com/jdeathe/centos-ssh/blob/centos-6/Dockerfile)
 
 The Dockerfile can be used to build a base image that is the bases for several other docker images.
 
@@ -105,10 +105,10 @@ $ docker run \
   --rm \
   --privileged \
   --volume /:/media/root \
-  jdeathe/centos-ssh:2.4.0 \
+  jdeathe/centos-ssh:2.4.1 \
   /usr/sbin/scmi install \
     --chroot=/media/root \
-    --tag=2.4.0 \
+    --tag=2.4.1 \
     --name=ssh.pool-1.1.1 \
     --setopt="--volume {{NAME}}.config-ssh:/etc/ssh"
 ```
@@ -122,10 +122,10 @@ $ docker run \
   --rm \
   --privileged \
   --volume /:/media/root \
-  jdeathe/centos-ssh:2.4.0 \
+  jdeathe/centos-ssh:2.4.1 \
   /usr/sbin/scmi uninstall \
     --chroot=/media/root \
-    --tag=2.4.0 \
+    --tag=2.4.1 \
     --name=ssh.pool-1.1.1 \
     --setopt="--volume {{NAME}}.config-ssh:/etc/ssh"
 ```
@@ -139,10 +139,10 @@ $ docker run \
   --rm \
   --privileged \
   --volume /:/media/root \
-  jdeathe/centos-ssh:2.4.0 \
+  jdeathe/centos-ssh:2.4.1 \
   /usr/sbin/scmi install \
     --chroot=/media/root \
-    --tag=2.4.0 \
+    --tag=2.4.1 \
     --name=ssh.pool-1.1.1 \
     --manager=systemd \
     --register \
@@ -164,7 +164,7 @@ Since release tags `1.7.2` / `2.1.2` the install template has been added to the
 _NOTE:_ A prerequisite of the following examples is that the image has been pulled (or loaded from the release package).
 
 ```
-$ docker pull jdeathe/centos-ssh:2.4.0
+$ docker pull jdeathe/centos-ssh:2.4.1
 ```
 
 To see detailed information about the image run `scmi` with the `--info` option. To see all available `scmi` options run with the `--help` option.
@@ -173,7 +173,7 @@ To see detailed information about the image run `scmi` with the `--info` option.
 $ eval "sudo -E $(
     docker inspect \
     -f "{{.ContainerConfig.Labels.install}}" \
-    jdeathe/centos-ssh:2.4.0
+    jdeathe/centos-ssh:2.4.1
   ) --info"
 ```
 
@@ -183,7 +183,7 @@ To perform an installation using the docker name `ssh.pool-1.2.1` simply use the
 $ eval "sudo -E $(
     docker inspect \
     -f "{{.ContainerConfig.Labels.install}}" \
-    jdeathe/centos-ssh:2.4.0
+    jdeathe/centos-ssh:2.4.1
   ) --name=ssh.pool-1.2.1"
 ```
 
@@ -193,7 +193,7 @@ To uninstall use the *same command* that was used to install but with the `unins
 $ eval "sudo -E $(
     docker inspect \
     -f "{{.ContainerConfig.Labels.uninstall}}" \
-    jdeathe/centos-ssh:2.4.0
+    jdeathe/centos-ssh:2.4.1
   ) --name=ssh.pool-1.2.1"
 ```
 
@@ -206,7 +206,7 @@ To see detailed information about the image run `scmi` with the `--info` option.
 ```
 $ sudo -E atomic install \
   -n ssh.pool-1.3.1 \
-  jdeathe/centos-ssh:2.4.0 \
+  jdeathe/centos-ssh:2.4.1 \
   --info
 ```
 
@@ -215,14 +215,14 @@ To perform an installation using the docker name `ssh.pool-1.3.1` simply use the
 ```
 $ sudo -E atomic install \
   -n ssh.pool-1.3.1 \
-  jdeathe/centos-ssh:2.4.0
+  jdeathe/centos-ssh:2.4.1
 ```
 
 Alternatively, you could use the `scmi` options `--name` or `-n` for naming the container.
 
 ```
 $ sudo -E atomic install \
-  jdeathe/centos-ssh:2.4.0 \
+  jdeathe/centos-ssh:2.4.1 \
   --name ssh.pool-1.3.1
 ```
 
@@ -231,7 +231,7 @@ To uninstall use the *same command* that was used to install but with the `unins
 ```
 $ sudo -E atomic uninstall \
   -n ssh.pool-1.3.1 \
-  jdeathe/centos-ssh:2.4.0
+  jdeathe/centos-ssh:2.4.1
 ```
 
 #### Using environment variables
@@ -359,6 +359,16 @@ The SSH user's environment is reset by default meaning that the Docker environme
 ...
 ```
 
+##### SSH_PASSWORD_AUTHENTICATION
+
+The SSH password authentication is disabled by default; allowing access by public/private key based authentication only. This is the recommended configuration however it may be necessary to allow password based access if you have client's that are unable to use key based authentication. Use `SSH_PASSWORD_AUTHENTICATION` to enable password authentication.
+
+```
+...
+  --env "SSH_PASSWORD_AUTHENTICATION=true" \
+...
+```
+
 ##### SSH_SUDO
 
 On first run the SSH user is created with a the sudo rule `ALL=(ALL)  ALL` which allows the user to run all commands but a password is required. If you want to limit the access to specific commands or allow sudo without a password prompt `SSH_SUDO` can be used.
@@ -369,6 +379,16 @@ On first run the SSH user is created with a the sudo rule `ALL=(ALL)  ALL` which
 ...
 ```
 
+##### SSH_TIMEZONE
+
+If you require a locale based system time zone `SSH_TIMEZONE` can be used when running the container.
+
+```
+...
+  --env "SSH_TIMEZONE=Europe/London" \
+...
+```
+
 ##### SSH_USER
 
 On first run the SSH user is created with the default username of "app-admin". If you require an alternative username `SSH_USER` can be used when running the container.
diff --git a/default.mk b/default.mk
@@ -8,6 +8,7 @@ define DOCKER_CONTAINER_PARAMETERS
 --env "SSH_AUTOSTART_SSHD_BOOTSTRAP=$(SSH_AUTOSTART_SSHD_BOOTSTRAP)" \
 --env "SSH_CHROOT_DIRECTORY=$(SSH_CHROOT_DIRECTORY)" \
 --env "SSH_INHERIT_ENVIRONMENT=$(SSH_INHERIT_ENVIRONMENT)" \
+--env "SSH_PASSWORD_AUTHENTICATION=$(SSH_PASSWORD_AUTHENTICATION)" \
 --env "SSH_SUDO=$(SSH_SUDO)" \
 --env "SSH_USER=$(SSH_USER)" \
 --env "SSH_USER_FORCE_SFTP=$(SSH_USER_FORCE_SFTP)" \
diff --git a/environment.mk b/environment.mk
@@ -37,7 +37,9 @@ SSH_AUTOSTART_SSHD ?= true
 SSH_AUTOSTART_SSHD_BOOTSTRAP ?= true
 SSH_CHROOT_DIRECTORY ?= %h
 SSH_INHERIT_ENVIRONMENT ?= false
+SSH_PASSWORD_AUTHENTICATION ?= false
 SSH_SUDO ?= ALL=(ALL) ALL
+SSH_TIMEZONE ?= UTC
 SSH_USER ?= app-admin
 SSH_USER_FORCE_SFTP ?= false
 SSH_USER_HOME ?= /home/%u
diff --git a/src/etc/services-config/ssh/authorized_keys b/src/etc/services-config/ssh/authorized_keys
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key
diff --git a/src/etc/services-config/ssh/sshd-bootstrap.conf b/src/etc/services-config/ssh/sshd-bootstrap.conf
@@ -1,8 +1,10 @@
 SSH_AUTHORIZED_KEYS="${SSH_AUTHORIZED_KEYS:-}"
 SSH_CHROOT_DIRECTORY="${SSH_CHROOT_DIRECTORY:-%h}"
 SSH_INHERIT_ENVIRONMENT="${SSH_INHERIT_ENVIRONMENT:-false}"
+SSH_PASSWORD_AUTHENTICATION="${SSH_PASSWORD_AUTHENTICATION:-false}"
 SSH_ROOT_PASSWORD=
 SSH_SUDO="${SSH_SUDO:-ALL=(ALL) ALL}"
+SSH_TIMEZONE="${SSH_TIMEZONE:-UTC}"
 SSH_USER="${SSH_USER:-app-admin}"
 SSH_USER_FORCE_SFTP="${SSH_USER_FORCE_SFTP:-false}"
 SSH_USER_HOME="${SSH_USER_HOME:-/home/%u}"
diff --git a/src/etc/systemd/system/centos-ssh@.service b/src/etc/systemd/system/centos-ssh@.service
@@ -51,14 +51,16 @@ Environment="DOCKER_USER=jdeathe"
 Environment="DOCKER_IMAGE_NAME=centos-ssh"
 Environment="DOCKER_CONTAINER_OPTS="
 Environment="DOCKER_IMAGE_PACKAGE_PATH=/var/opt/scmi/packages"
-Environment="DOCKER_IMAGE_TAG=2.4.0"
+Environment="DOCKER_IMAGE_TAG=2.4.1"
 Environment="DOCKER_PORT_MAP_TCP_22=2020"
 Environment="SSH_AUTHORIZED_KEYS="
 Environment="SSH_AUTOSTART_SSHD=true"
 Environment="SSH_AUTOSTART_SSHD_BOOTSTRAP=true"
 Environment="SSH_CHROOT_DIRECTORY=%%h"
 Environment="SSH_INHERIT_ENVIRONMENT=false"
+Environment="SSH_PASSWORD_AUTHENTICATION=false"
 Environment="SSH_SUDO=ALL=(ALL) ALL"
+Environment="SSH_TIMEZONE=UTC"
 Environment="SSH_USER=app-admin"
 Environment="SSH_USER_FORCE_SFTP=false"
 Environment="SSH_USER_HOME=/home/%%u"
@@ -100,7 +102,9 @@ ExecStart=/bin/bash -c \
     --env \"SSH_AUTOSTART_SSHD_BOOTSTRAP=${SSH_AUTOSTART_SSHD_BOOTSTRAP}\" \
     --env \"SSH_CHROOT_DIRECTORY=${SSH_CHROOT_DIRECTORY}\" \
     --env \"SSH_INHERIT_ENVIRONMENT=${SSH_INHERIT_ENVIRONMENT}\" \
+    --env \"SSH_PASSWORD_AUTHENTICATION=${SSH_PASSWORD_AUTHENTICATION}\" \
     --env \"SSH_SUDO=${SSH_SUDO}\" \
+    --env \"SSH_TIMEZONE=${SSH_TIMEZONE}\" \
     --env \"SSH_USER=${SSH_USER}\" \
     --env \"SSH_USER_FORCE_SFTP=${SSH_USER_FORCE_SFTP}\" \
     --env \"SSH_USER_HOME=${SSH_USER_HOME}\" \
diff --git a/src/opt/scmi/default.sh b/src/opt/scmi/default.sh
@@ -27,7 +27,9 @@ DOCKER_CONTAINER_PARAMETERS="--name ${DOCKER_NAME} \
 --env \"SSH_AUTOSTART_SSHD_BOOTSTRAP=${SSH_AUTOSTART_SSHD_BOOTSTRAP}\" \
 --env \"SSH_CHROOT_DIRECTORY=${SSH_CHROOT_DIRECTORY}\" \
 --env \"SSH_INHERIT_ENVIRONMENT=${SSH_INHERIT_ENVIRONMENT}\" \
+--env \"SSH_PASSWORD_AUTHENTICATION=${SSH_PASSWORD_AUTHENTICATION}\" \
 --env \"SSH_SUDO=${SSH_SUDO}\" \
+--env \"SSH_TIMEZONE=${SSH_TIMEZONE}\" \
 --env \"SSH_USER=${SSH_USER}\" \
 --env \"SSH_USER_FORCE_SFTP=${SSH_USER_FORCE_SFTP}\" \
 --env \"SSH_USER_HOME=${SSH_USER_HOME}\" \
diff --git a/src/opt/scmi/environment.sh b/src/opt/scmi/environment.sh
@@ -39,7 +39,9 @@ SSH_AUTOSTART_SSHD="${SSH_AUTOSTART_SSHD:-true}"
 SSH_AUTOSTART_SSHD_BOOTSTRAP="${SSH_AUTOSTART_SSHD_BOOTSTRAP:-true}"
 SSH_CHROOT_DIRECTORY="${SSH_CHROOT_DIRECTORY:-%h}"
 SSH_INHERIT_ENVIRONMENT="${SSH_INHERIT_ENVIRONMENT:-false}"
+SSH_PASSWORD_AUTHENTICATION="${SSH_PASSWORD_AUTHENTICATION:-false}"
 SSH_SUDO="${SSH_SUDO:-ALL=(ALL) ALL}"
+SSH_TIMEZONE="${SSH_TIMEZONE:-UTC}"
 SSH_USER="${SSH_USER:-app-admin}"
 SSH_USER_FORCE_SFTP="${SSH_USER_FORCE_SFTP:-false}"
 SSH_USER_HOME="${SSH_USER_HOME:-/home/%u}"
diff --git a/src/opt/scmi/service-unit.sh b/src/opt/scmi/service-unit.sh
@@ -11,7 +11,9 @@ readonly SERVICE_UNIT_ENVIRONMENT_KEYS="
  SSH_AUTOSTART_SSHD_BOOTSTRAP
  SSH_CHROOT_DIRECTORY
  SSH_INHERIT_ENVIRONMENT
+ SSH_PASSWORD_AUTHENTICATION
  SSH_SUDO
+ SSH_TIMEZONE
  SSH_USER
  SSH_USER_FORCE_SFTP
  SSH_USER_HOME
diff --git a/src/usr/sbin/sshd-bootstrap b/src/usr/sbin/sshd-bootstrap
diff --git a/test/shpec/operation_shpec.sh b/test/shpec/operation_shpec.sh
diff --git a/test/ssh-password-auth.exp b/test/ssh-password-auth.exp

Original file line number	Diff line number	Diff line change
`@@ -1 +0,0 @@`
`1`		`-ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key`