lxc/templates/lxc-sshd.in

	lxc-sshd.in revision 70e279574cd07e743d1f6e498d569add3fa6a7de
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn#!/bin/bash
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser#
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser# lxc: linux Container library
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# Authors:
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# Daniel Lezcano <daniel.lezcano@free.fr>
acbb59f50d5196facde837ea377f70e98ce1e6f8Serge Hallyn
acbb59f50d5196facde837ea377f70e98ce1e6f8Serge Hallyn# This library is free software; you can redistribute it and/or
acbb59f50d5196facde837ea377f70e98ce1e6f8Serge Hallyn# modify it under the terms of the GNU Lesser General Public
acbb59f50d5196facde837ea377f70e98ce1e6f8Serge Hallyn# License as published by the Free Software Foundation; either
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# version 2.1 of the License, or (at your option) any later version.
acbb59f50d5196facde837ea377f70e98ce1e6f8Serge Hallyn
acbb59f50d5196facde837ea377f70e98ce1e6f8Serge Hallyn# This library is distributed in the hope that it will be useful,
acbb59f50d5196facde837ea377f70e98ce1e6f8Serge Hallyn# but WITHOUT ANY WARRANTY; without even the implied warranty of
acbb59f50d5196facde837ea377f70e98ce1e6f8Serge Hallyn# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# Lesser General Public License for more details.
acbb59f50d5196facde837ea377f70e98ce1e6f8Serge Hallyn
acbb59f50d5196facde837ea377f70e98ce1e6f8Serge Hallyn# You should have received a copy of the GNU Lesser General Public
acbb59f50d5196facde837ea377f70e98ce1e6f8Serge Hallyn# License along with this library; if not, write to the Free Software
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyninstall_sshd()
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser{
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser    rootfs=$1
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Graber    tree="\
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser$rootfs/var/run/sshd \
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn$rootfs/var/empty/sshd \
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn$rootfs/var/lib/empty/sshd \
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn$rootfs/etc/ssh \
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn$rootfs/dev/shm \
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn$rootfs/proc \
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn$rootfs/bin \
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn$rootfs/sbin \
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn$rootfs/usr \
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn$rootfs/tmp \
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn$rootfs/home \
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn$rootfs/root \
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn$rootfs/lib \
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn$rootfs/lib64"
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallyn    mkdir -p $tree
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    if [ $? -ne 0 ]; then
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    return 1
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    fi
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    return 0
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn}
42ff5f0f8767114d060f5031055038a1a1c3759aSerge Hallyn
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynconfigure_sshd()
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn{
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    rootfs=$1
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    cat <<EOF > $rootfs/etc/passwd
4759162d078d86628956cae4846c6efccf548e67Serge Hallynroot:x:0:0:root:/root:/bin/bash
4759162d078d86628956cae4846c6efccf548e67Serge Hallynsshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
4759162d078d86628956cae4846c6efccf548e67Serge HallynEOF
4759162d078d86628956cae4846c6efccf548e67Serge Hallyn
daaf41b36790bdaae855048e56ed090b17a77c97Stéphane Graber    cat <<EOF > $rootfs/etc/group
4759162d078d86628956cae4846c6efccf548e67Serge Hallynroot:x:0:root
4759162d078d86628956cae4846c6efccf548e67Serge Hallynsshd:x:74:
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberEOF
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Graber
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Graberssh-keygen -t rsa -f $rootfs/etc/ssh/ssh_host_rsa_key
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynssh-keygen -t dsa -f $rootfs/etc/ssh/ssh_host_dsa_key
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Graber
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Graber    # by default setup root password with no password
9313e1e628160ca64f9e7fcec6500056c9a0725fStéphane Graber    cat <<EOF > $rootfs/etc/ssh/sshd_config
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberPort 22
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberProtocol 2
f02ce27d4b1a9d01b88d0ffaf626e5bafa671bf0Stéphane GraberHostKey /etc/ssh/ssh_host_rsa_key
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberHostKey /etc/ssh/ssh_host_dsa_key
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberUsePrivilegeSeparation yes
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberKeyRegenerationInterval 3600
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberServerKeyBits 768
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberSyslogFacility AUTH
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberLogLevel INFO
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberLoginGraceTime 120
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberPermitRootLogin yes
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberStrictModes yes
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberRSAAuthentication yes
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberPubkeyAuthentication yes
57d116ab501594c2e50ab45f1cf2fae48c5eab09Serge HallynIgnoreRhosts yes
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge HallynRhostsRSAAuthentication no
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberHostbasedAuthentication no
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberPermitEmptyPasswords yes
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberChallengeResponseAuthentication no
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane GraberEOF
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Graber    return 0
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Graber}
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Graber
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Grabercopy_configuration()
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Graber{
bf7d76cf3ae180820c0a29e0bfbaa97c20ce6a3dSerge Hallyn    path=$1
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    rootfs=$2
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Graber    name=$3
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Graber
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Grabercat <<EOF >> $path/config
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Graberlxc.utsname = $name
f2a95ee1bf54c949614a68bf152ea9a8e1d3a172Stéphane Graberlxc.pts = 1024
1aad9e44d65e7c20dabc4c99f57bcf532db66c68Serge Hallynlxc.rootfs = $rootfs
0a3673e80732ab83d807d406fb2fd3c3b7f54ad3Stéphane Graberlxc.mount.entry=/dev $rootfs/dev none ro,bind 0 0
0a3673e80732ab83d807d406fb2fd3c3b7f54ad3Stéphane Graberlxc.mount.entry=/lib $rootfs/lib none ro,bind 0 0
0a3673e80732ab83d807d406fb2fd3c3b7f54ad3Stéphane Graberlxc.mount.entry=/bin $rootfs/bin none ro,bind 0 0
0a3673e80732ab83d807d406fb2fd3c3b7f54ad3Stéphane Graberlxc.mount.entry=/usr /$rootfs/usr none ro,bind 0 0
0a3673e80732ab83d807d406fb2fd3c3b7f54ad3Stéphane Graberlxc.mount.entry=/sbin $rootfs/sbin none ro,bind 0 0
17abf2784de1047fb2904ff130ee5efe4ea7b598Elan Ruusamäelxc.mount.entry=tmpfs $rootfs/var/run/sshd tmpfs mode=0644 0 0
0a3673e80732ab83d807d406fb2fd3c3b7f54ad3Stéphane Graberlxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd $rootfs/sbin/init none bind 0 0
0a3673e80732ab83d807d406fb2fd3c3b7f54ad3Stéphane GraberEOF
0a3673e80732ab83d807d406fb2fd3c3b7f54ad3Stéphane Graber
0a3673e80732ab83d807d406fb2fd3c3b7f54ad3Stéphane Graberif [ "$(uname -m)" = "x86_64" ]; then
0a3673e80732ab83d807d406fb2fd3c3b7f54ad3Stéphane Graber    cat <<EOF >> $path/config
0a3673e80732ab83d807d406fb2fd3c3b7f54ad3Stéphane Graberlxc.mount.entry=/lib64 $rootfs/lib64 none ro,bind 0 0
542939c31bb73bab55f2fd71243b98f5559597d1Stéphane GraberEOF
42ff5f0f8767114d060f5031055038a1a1c3759aSerge Hallynfi
42ff5f0f8767114d060f5031055038a1a1c3759aSerge Hallyn}
42ff5f0f8767114d060f5031055038a1a1c3759aSerge Hallyn
5ff337745e4a705293b056ab58f6ea7a92cabbc8Stéphane Graberusage()
542939c31bb73bab55f2fd71243b98f5559597d1Stéphane Graber{
5ff337745e4a705293b056ab58f6ea7a92cabbc8Stéphane Graber    cat <<EOF
42ff5f0f8767114d060f5031055038a1a1c3759aSerge Hallyn$1 -h|--help -p|--path=<path>
42ff5f0f8767114d060f5031055038a1a1c3759aSerge HallynEOF
42ff5f0f8767114d060f5031055038a1a1c3759aSerge Hallyn    return 0
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn}
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynoptions=$(getopt -o hp:n: -l help,path:,name: -- "$@")
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynif [ $? -ne 0 ]; then
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn        usage $(basename $0)
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    exit 1
4759162d078d86628956cae4846c6efccf548e67Serge Hallynfi
4759162d078d86628956cae4846c6efccf548e67Serge Hallyneval set -- "$options"
4759162d078d86628956cae4846c6efccf548e67Serge Hallyn
4759162d078d86628956cae4846c6efccf548e67Serge Hallynwhile true
1897e3bcd36af9f3fe6d3649910a9adb93e5e988Serge Hallyndo
3f5f5d99b0ea1c204699b13d4a0caf4d9e745449Stéphane Graber    case "$1" in
4759162d078d86628956cae4846c6efccf548e67Serge Hallyn        -h|--help)      usage $0 && exit 0;;
52c8f624b5f9ef665f33a7aa80e0aa18b91daa4aSerge Hallyn        -p|--path)      path=$2; shift 2;;
427bffc7a10c9015dc78ef52543f7b8cb9414359Serge Hallyn    -n|--name)      name=$2; shift 2;;
4759162d078d86628956cae4846c6efccf548e67Serge Hallyn        --)             shift 1; break ;;
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser        *)              break ;;
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser    esac
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moserdone
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynif [ "$(id -u)" != "0" ]; then
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    echo "This script should be run as 'root'"
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    exit 1
57d116ab501594c2e50ab45f1cf2fae48c5eab09Serge Hallynfi
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynif [ $0 == "/sbin/init" ]; then
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    type @LXCINITDIR@/lxc-init
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    if [ $? -ne 0 ]; then
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    echo "'lxc-init is not accessible on the system"
57d116ab501594c2e50ab45f1cf2fae48c5eab09Serge Hallyn    exit 1
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser    fi
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    type sshd
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    if [ $? -ne 0 ]; then
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser    echo "'sshd' is not accessible on the system "
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser    exit 1
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser    fi
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser
65d8ae9c4a66f5ca85289c02dc06d63261c84619Scott Moser    exec @LXCINITDIR@/lxc-init -- /usr/sbin/sshd
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    exit 1
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynfi
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynif [ -z "$path" ]; then
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    echo "'path' parameter is required"
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    exit 1
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynfi
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn
ed4616b1cfbc84dd01caa8546d813e8c5d482921Christian Bühlerrootfs=$path/rootfs
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyninstall_sshd $rootfs
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynif [ $? -ne 0 ]; then
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    echo "failed to install sshd's rootfs"
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    exit 1
3eecde703e9ac3af788ac17357f378d6b6d7c658Serge Hallynfi
b8bced69a80a8be95fdbbb6b4e9ad7fa85464b1eSerge Hallyn
3eecde703e9ac3af788ac17357f378d6b6d7c658Serge Hallynconfigure_sshd $rootfs
3eecde703e9ac3af788ac17357f378d6b6d7c658Serge Hallynif [ $? -ne 0 ]; then
8a63c0a9d9089e6365e5a696455476febed39d6aStéphane Graber    echo "failed to configure sshd template"
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    exit 1
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynfi
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn
52c8f624b5f9ef665f33a7aa80e0aa18b91daa4aSerge Hallyncopy_configuration $path $rootfs $name
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynif [ $? -ne 0 ]; then
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallyn    echo "failed to write configuration file"
4759162d078d86628956cae4846c6efccf548e67Serge Hallyn    exit 1
d1458ac8d13880f83fa2d1e08623b97c50d311d7Serge Hallynfi
4b954f12173c382f7104a0e9464fa66dd3cade35Dimitri John Ledkov