Merge pull request #1137 from Koalab99/openssh-server-trusted-ca

openssh-server: trusted-ca Initial commit

Author: aptalca

.github/workflows/BuildImage.yml

@@ -12,10 +12,10 @@ on:
 env:
   GITHUB_REPO: "linuxserver/docker-mods" #don't modify
   ENDPOINT: "linuxserver/mods" #don't modify
-  BASEIMAGE: "replace_baseimage" #replace
-  MODNAME: "replace_modname" #replace
+  BASEIMAGE: "openssh-server" #replace
+  MODNAME: "trusted-ca" #replace
   MOD_VERSION: ${{ inputs.mod_version }} #don't modify
-  MULTI_ARCH: "true" #set to false if not needed
+  MULTI_ARCH: "false" #set to false if not needed
 
 jobs:
   set-vars:

Dockerfile

@@ -2,7 +2,7 @@
 
 FROM scratch
 
-LABEL maintainer="username"
+LABEL maintainer="Koalab99"
 
 # copy local files
 COPY root/ /

Dockerfile.complex

@@ -1,25 +1,59 @@
-# Rsync - Docker mod for openssh-server
-
-This mod adds rsync to openssh-server, to be installed/updated during container start.
-
-In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-rsync`
-
-If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-rsync|linuxserver/mods:openssh-server-mod2`
-
-# Mod creation instructions
-
-* Fork the repo, create a new branch based on the branch `template`.
-* Edit the `Dockerfile` for the mod. `Dockerfile.complex` is only an example and included for reference; it should be deleted when done.
-* Inspect the `root` folder contents. Edit, add and remove as necessary.
-* After all init scripts and services are created, run `find ./  -path "./.git" -prune -o \( -name "run" -o -name "finish" -o -name "check" \) -not -perm -u=x,g=x,o=x -print -exec chmod +x {} +` to fix permissions.
-* Edit this readme with pertinent info, delete these instructions.
-* Finally edit the `.github/workflows/BuildImage.yml`. Customize the vars for `BASEIMAGE` and `MODNAME`. Set the versioning logic and `MULTI_ARCH` if needed.
-* Ask the team to create a new branch named `<baseimagename>-<modname>`. Baseimage should be the name of the image the mod will be applied to. The new branch will be based on the `template` branch.
-* Submit PR against the branch created by the team.
-
-
-## Tips and tricks
-
-* Some images have helpers built in, these images are currently:
-    * [Openvscode-server](https://github.com/linuxserver/docker-openvscode-server/pull/10/files)
-    * [Code-server](https://github.com/linuxserver/docker-code-server/pull/95)
+# Trusted CA - Docker mod for openssh-server
+
+This mod allow the configuration of the `TrustedUserCAKeys` directive, which allows ssh authentication using certificates.
+
+In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-trusted-ca`
+
+If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-trusted-ca|linuxserver/mods:openssh-server-mod2`
+
+## Mod environment variables
+In order to add a certificate authority, you can add your CA's public keys in one or multiple environment variables:
+* `TRUSTED_CA="your_ca_pubkey"` to add one CA to the TrustedCA file from text.
+* `TRUSTED_CA_URL="https://example.com/trusted_ca.key"` to retrieve one or more trusted CA from a URL.
+* `TRUSTED_CA_FILE="/mounted_file"` to add one or more CA from a file (inside the container's tree).
+* `TRUSTED_CA_DIR="/mounted_dir"` to add CAs from the content of a directory (inside the container's tree).
+
+You can use multiple environment variables at the same time to add different CAs.
+
+Certificates are added/removed from the server when the container is starting, so you will need to restart your container for your change to take effect.
+
+# Example
+If you want to build your own CA:
+```
+# Create temp directory and cd there
+cd $(mktemp -d)
+
+# Generate key pairs (x and x.pub)
+ssh-keygen -b 4096 -t ed25519 -f myca
+ssh-keygen -b 4096 -t ed25519 -f userkey
+
+# Sign users pubkeys (x-cert.pub)
+ssh-keygen -s myca -I my_user_certificate_id -n myuser userkey.pub
+```
+
+Notes: `-n` parameter gives the username principals, it must match the target user (see `man 1 ssh-keygen`).
+
+```
+services:
+  openssh-server:
+    image: linuxserver/openssh-server
+    environment:
+      - DOCKER_MODS=linuxserver/mods:openssh-server-trusted-ca
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+      - USER_NAME=myuser
+      - TRUSTED_CA_FILE=/pubkey
+    volumes:
+      - ./myca.pub:/pubkey:ro,z
+    ports:
+      - 2222:2222
+```
+
+You can then connect using:
+```
+ssh -p 2222 -i ./userkey myuser@127.0.0.1
+
+# Or specify the certificate explicitly:
+ssh -o CertificateFile=./userkey-cert.pub -p 2222 -i ./userkey myuser@127.0.0.1
+```