cmd/initContainer: Unbreak access to CA certificates in sshd(8) sessions
When a Toolbx container is set up to use the p11-kit-client.so PKCS #11
module instead of the usual p11-kit-trust.so module, the
P11_KIT_SERVER_ADDRESS environment variable must be set inside the
container, so that it can communicate with the host operating system.
Currently, this works as described above with the 'enter' and 'run'
commands, but not within child sessions started by an sshd(8) [1]
instance running inside a container, because P11_KIT_SERVER_ADDRESS is
absent.
To make this work, sshd(8) [1] must be configured [2] to set
P11_KIT_SERVER_ADDRESS in its child sessions.
If sshd(8) uses the /etc/ssh/sshd_config.d directory for configuration,
then the entry point will automatically do this from now on. This
requires at least OpenSSH 8.2, which added support for the 'Include'
directive in sshd_config(5) [2,3], and the directive must be used to
include the configuration from /etc/ssh/sshd_config.d.
Otherwise, the user will have to do it themself. eg., Ubuntu 16.04
Xenial Xerus and 18.04 Bionic Beaver don't use /etc/ssh/sshd_config.d
because their OpenSSH is too old [4,5].
Note that the permissions of the /etc/ssh/sshd_config.d directory and
its contents differ across operating system distributions. OSes within
the Fedora family use 0700 for the directory and 0600 for its contents.
Arch Linux and Ubuntu use 0755 and 0644. The entry point tries to
follow the permissions used by the distribution.
Fallout from 5ed2442214
[1] https://man7.org/linux/man-pages/man8/sshd.8.html
[2] https://man7.org/linux/man-pages/man5/sshd_config.5.html
[3] OpenSSH commit c2bd7f74b0e0f3a3
https://github.com/openssh/openssh-portable/commit/c2bd7f74b0e0f3a3
https://bugzilla.mindrot.org/show_bug.cgi?id=2468
[4] https://code.launchpad.net/~git-ubuntu-import/ubuntu/+source/openssh/+git/openssh/+ref/ubuntu/xenial-updates
[5] https://code.launchpad.net/~git-ubuntu-import/ubuntu/+source/openssh/+git/openssh/+ref/ubuntu/bionic-updates
https://github.com/containers/toolbox/issues/626
https://github.com/containers/toolbox/issues/1674
This commit is contained in:
Debarshi Ray
parent
55582290eb
commit
f1f7d9c3d3
|
|
@ -600,10 +600,11 @@ func configurePKCS11(targetUser *user.User) error {
|
|||
}
|
||||
}
|
||||
|
||||
if path, err := utils.GetP11KitServerSocket(targetUser); err != nil {
|
||||
serverSocket, err := utils.GetP11KitServerSocket(targetUser)
|
||||
if err != nil {
|
||||
return err
|
||||
} else if !utils.PathExists(path) {
|
||||
logrus.Debugf("%s: socket %s not found", logPrefix, path)
|
||||
} else if !utils.PathExists(serverSocket) {
|
||||
logrus.Debugf("%s: socket %s not found", logPrefix, serverSocket)
|
||||
logrus.Debugf("%s: skipping", logPrefix)
|
||||
return nil
|
||||
}
|
||||
|
|
@ -622,6 +623,10 @@ func configurePKCS11(targetUser *user.User) error {
|
|||
return fmt.Errorf("failed to configure PKCS #11 to read from the host: %w", err)
|
||||
}
|
||||
|
||||
if err := configureSSHD(serverSocket); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
@ -647,6 +652,51 @@ func configureRPM() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func configureSSHD(p11KitServerSocket string) error {
|
||||
const logPrefix = "Configuring sshd(8) to set P11_KIT_SERVER_ADDRESS"
|
||||
logrus.Debugf("%s", logPrefix)
|
||||
|
||||
sshdConfigD := "/etc/ssh/sshd_config.d"
|
||||
fileInfo, err := os.Stat(sshdConfigD)
|
||||
if err != nil {
|
||||
if errors.Is(err, os.ErrNotExist) {
|
||||
logrus.Debugf("%s: directory %s not found", logPrefix, sshdConfigD)
|
||||
logrus.Debugf("%s: skipping", logPrefix)
|
||||
return nil
|
||||
} else {
|
||||
logrus.Debugf("%s: failed to stat %s: %s", logPrefix, sshdConfigD, err)
|
||||
return fmt.Errorf("failed to stat %s", sshdConfigD)
|
||||
}
|
||||
}
|
||||
|
||||
fileMode := fileInfo.Mode()
|
||||
if !fileMode.IsDir() {
|
||||
logrus.Debugf("%s: directory %s not found", logPrefix, sshdConfigD)
|
||||
logrus.Debugf("%s: skipping", logPrefix)
|
||||
return nil
|
||||
}
|
||||
|
||||
sshdConfig := filepath.Join(sshdConfigD, "90-toolbx.conf")
|
||||
|
||||
var builder strings.Builder
|
||||
fmt.Fprintf(&builder, "# Written by Toolbx\n")
|
||||
fmt.Fprintf(&builder, "# https://containertoolbx.org/\n")
|
||||
fmt.Fprintf(&builder, "\n")
|
||||
fmt.Fprintf(&builder, "SetEnv P11_KIT_SERVER_ADDRESS=unix:path=%s\n", p11KitServerSocket)
|
||||
|
||||
sshdConfigString := builder.String()
|
||||
sshdConfigBytes := []byte(sshdConfigString)
|
||||
|
||||
filePerm := fileMode.Perm()
|
||||
filePerm = filePerm & 0666
|
||||
|
||||
if err := renameio.WriteFile(sshdConfig, sshdConfigBytes, filePerm); err != nil {
|
||||
return fmt.Errorf("failed to configure sshd(8) to set P11_KIT_SERVER_ADDRESS: %w", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func configureUsers(targetUserUid int, targetUser, targetUserHome, targetUserShell string, homeLink bool) error {
|
||||
if homeLink {
|
||||
if err := redirectPath("/home", "/var/home", true); err != nil {
|
||||
|
|
|
|||
Loading…
Reference in New Issue