[images]: vs-debug SSHD fixes

nforgeio · Nov 8, 2023 · 728fe31 · 728fe31
1 parent 17d4561
commit 728fe31
Show file tree

Hide file tree

Showing 10 changed files with 83 additions and 9 deletions.
diff --git a/Images/vs-debug/Dockerfile b/Images/vs-debug/Dockerfile
@@ -49,11 +49,15 @@ RUN apt-get update \
 
 # We need to explcitly configure the server's SSH certificates so developers
 # won't need to verify the SSH connection everytime a new pod is deployed.
+#
+# NOTE: These keys must NEVER BE CHANGED so that older versions of the
+#       KubernetesDebugger will still work against newer debug containers.
 
-COPY ssh/* /etc/ssh
+COPY ssh/host/*           /etc/ssh
+COPY ssh/root/id_rsa.pub  /root/.ssh/authorized_keys
 
-# We're going to allow root login via SSH with a blank password to make
-# ie easy to attach a debugger to a Kubernetes pod with this container
+# We're going to allow root SSh login via a hardcoded key pair to make it
+# easy to attach a debugger to a Kubernetes pod when this container is
 # attached as an ephemeral sidecar.
 #
 # This looks insecure but the user doing this will be using Kubernetes
@@ -63,17 +67,18 @@ COPY ssh/* /etc/ssh
 EXPOSE 22
 
 RUN mkdir -p /etc/ssh/sshd_config.d \
-    && echo "PermitRootLogin yes"         > /etc/ssh/sshd_config.d/05-auth.conf \
-    && echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config.d/05-auth.conf \
-    && echo "PermitEmptyPasswords yes"   >> /etc/ssh/sshd_config.d/05-auth.conf \
-    && echo "ssh"                         > /etc/securetty \
+    && echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/05-auth.conf \
+    && echo "ssh"                 > /etc/securetty \
     && touch /root/.hushlogin \
     && passwd --delete root \
-    && chmod 600 /etc/ssh/*
+    && chmod 600 /etc/ssh/* \
+    && chmod 600 /root/.ssh/authorized_keys \
+    && mkdir -p /run/sshd \
+    && chmod 700 /run/sshd
 
 # Start the SSHD server when the container starts.
 
-CMD ["service", "ssh", "start"]
+CMD ["/usr/sbin/sshd", "-D"]
 
 #------------------------------------------------------------------------------
 # Install the .NET diagnostic tools.

diff --git a/Images/vs-debug/ssh/ssh_host_ecdsa_key → Images/vs-debug/ssh/host/ssh_host_ecdsa_key b/Images/vs-debug/ssh/ssh_host_ecdsa_key → Images/vs-debug/ssh/host/ssh_host_ecdsa_key
diff --git a/Images/vs-debug/ssh/ssh_host_ecdsa_key.pub → .../vs-debug/ssh/host/ssh_host_ecdsa_key.pub b/Images/vs-debug/ssh/ssh_host_ecdsa_key.pub → .../vs-debug/ssh/host/ssh_host_ecdsa_key.pub
diff --git a/Images/vs-debug/ssh/ssh_host_ed25519_key → ...es/vs-debug/ssh/host/ssh_host_ed25519_key b/Images/vs-debug/ssh/ssh_host_ed25519_key → ...es/vs-debug/ssh/host/ssh_host_ed25519_key
diff --git a/Images/vs-debug/ssh/ssh_host_ed25519_key.pub → ...s-debug/ssh/host/ssh_host_ed25519_key.pub b/Images/vs-debug/ssh/ssh_host_ed25519_key.pub → ...s-debug/ssh/host/ssh_host_ed25519_key.pub
diff --git a/Images/vs-debug/ssh/ssh_host_rsa_key → Images/vs-debug/ssh/host/ssh_host_rsa_key b/Images/vs-debug/ssh/ssh_host_rsa_key → Images/vs-debug/ssh/host/ssh_host_rsa_key
diff --git a/Images/vs-debug/ssh/ssh_host_rsa_key.pub → ...es/vs-debug/ssh/host/ssh_host_rsa_key.pub b/Images/vs-debug/ssh/ssh_host_rsa_key.pub → ...es/vs-debug/ssh/host/ssh_host_rsa_key.pub
diff --git a/Images/vs-debug/ssh/root/README.md b/Images/vs-debug/ssh/root/README.md
@@ -0,0 +1,19 @@
+This folder holds the SSH key pair used by the **KubernetesDebugger** to authenticate with
+**vs-debug** ephemeral containers.  These files should **NEVER CHANGE** because doing so
+will prevent older versions of the debbugger from connecting.  If these really need to change
+for some reason, you'll need to update **KubernetesDebugger** with the new private key.
+
+NOTE: I tried doing password-less SSH root authentication and that worked for Docker containers
+      but does not work for Kubernetes.CRI-O.  Note that SSH security is redundant for debugging
+      scenarios because the user will already be authenticated with the Kubernetes cluster and
+      the API server will enforce RBAC permissions when the SSH tunnel to the ephemeral container
+      is established.  So using fixed keys is not really a security problem.
+
+id_rsa:
+
+The private root SSH key which will be embedded in **KubernetesDebugger**.
+
+id_rsa.pub:
+
+The private root SSH key which will be appended to `/root/.ssh/authorized_keys`
+when the container image is built.
diff --git a/Images/vs-debug/ssh/root/id_rsa b/Images/vs-debug/ssh/root/id_rsa
@@ -0,0 +1,49 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAgEAxVjcByGc8ZN1yl/kRQs5BAcGwEKwv7rXNMkDrHHE8u05ml3OJ04B
+kixJnL8MKr8+HlJiEwyru9B1HRQeuwMVZ657U4A14ioMqRHEo6V5mUEiiirCWB0jH6KAYz
+Vc+60KOZdhmrqLEMbnLO6qT0g3BJ9K+b5UtASeuKAd7woCSo1fOr2VVx+GzZoaensn0ac7
+NFnA1m7Nq7UyovOKSB66a5XSMJH37rh8IEtEuhedJwRP93k+3W0MNEwm6FPpobZ62G9TvX
+hwMDxfP0BKrZFJZ32nggeWvfhf7NA/iMeQvfiviT28OdJHDFU5F6q6sXBJhNooGhyXPASo
+WDi5lkTA4C7dgviwWzGjlywey1L8h283U1oZVafTDLclmJwrxD1Nu8h3kj/tCUfrZXuvLR
+dPp66MeW39LzyI8oq2X1ag1v06JLDEMSVF6FRsQm3+0l0OXKtiRFbUonSJi/D3M7hS5Xmq
+oS2wiBnbPGyE174QZPU/sXlXSncsZKwJ4KG2+WDfpuAgwMzuHMhaqSAfBXzR6s2bDlVImF
+SGv5sArdyXCBJnnR3QJpyJ0VurTPU0KjacR70Y7VpqGSyQ9U4NuVHsf+37+RQplLbI5Ixr
+eDCXBeYryyiA5vmK+pZqfpzes+o6AsnmFcE5Aq1e5xSo231gfRdQpFRJ1qC/Km2h3o7sNg
+0AAAdI6TXouOk16LgAAAAHc3NoLXJzYQAAAgEAxVjcByGc8ZN1yl/kRQs5BAcGwEKwv7rX
+NMkDrHHE8u05ml3OJ04BkixJnL8MKr8+HlJiEwyru9B1HRQeuwMVZ657U4A14ioMqRHEo6
+V5mUEiiirCWB0jH6KAYzVc+60KOZdhmrqLEMbnLO6qT0g3BJ9K+b5UtASeuKAd7woCSo1f
+Or2VVx+GzZoaensn0ac7NFnA1m7Nq7UyovOKSB66a5XSMJH37rh8IEtEuhedJwRP93k+3W
+0MNEwm6FPpobZ62G9TvXhwMDxfP0BKrZFJZ32nggeWvfhf7NA/iMeQvfiviT28OdJHDFU5
+F6q6sXBJhNooGhyXPASoWDi5lkTA4C7dgviwWzGjlywey1L8h283U1oZVafTDLclmJwrxD
+1Nu8h3kj/tCUfrZXuvLRdPp66MeW39LzyI8oq2X1ag1v06JLDEMSVF6FRsQm3+0l0OXKti
+RFbUonSJi/D3M7hS5XmqoS2wiBnbPGyE174QZPU/sXlXSncsZKwJ4KG2+WDfpuAgwMzuHM
+haqSAfBXzR6s2bDlVImFSGv5sArdyXCBJnnR3QJpyJ0VurTPU0KjacR70Y7VpqGSyQ9U4N
+uVHsf+37+RQplLbI5IxreDCXBeYryyiA5vmK+pZqfpzes+o6AsnmFcE5Aq1e5xSo231gfR
+dQpFRJ1qC/Km2h3o7sNg0AAAADAQABAAACAQC4KrzrSssUBvEd828rn9WNlKEQOyyHQO4l
+LJJpE6MgsZHYJUKGG54Ls5je1sub+O0XjvpHnMOHenpQsL4c+Du5jnM48aVXcrZt8U75CS
+v5gXeiSVUktcxZcWUvMFWd6VZpeIR1yTCOb5C9tdzqMBJoFd/6QUz60nTtBz/oHAcXW+dL
+AjGkJJ/Ar9eWBeibFt2BdWEovC7j1y1yNKUPuN1wGVkWSqJ9/VyZJqT0paTbDIM0B8pLCc
+Eh7Q9CMU0OxSTPZtVXNFY+LZkVhgIrCDLgibsQ9dQPZQLgFVe1ZcgGAVaPVTWbIEl9kOq+
+0212ubtiZ9SUyam5MP+JlSZcvbzf1YrKREb4vOrvyAPwmjX2A/GWlHf4INL9+JHFSTf/C8
+3JZ2XPQmmo802gciExBb4ZBkrmlJqOPeVfusKUqURi5QOPV6uo3y8XhJ1cWm1W4JvLxsdi
+DEZyTYeGo3yZVTfFfd/dCw37/eOTuyHWYijPiEj7tw+vfey2g2sisNWtflzDSaIr1boIey
+w3bxTMjIXfA+Kl4FU3pjZXyvye5a1j4V6x/ZloPYY30awq0YQNUGp6Ca5lNVbYTdJDk07j
+UPvBphULbcnSm8Qw5xGpHjPBXRuT8e0Ulm31Q8bT+O/TRrnbCcpJCotb4upqDedq/dJf0K
+I2eS+pLj2kNiXNZlPQAQAAAQBJjsozcj+tE7m5FL1R3oPK40BHFX4mHl+lb9OotchM/tOc
+zYu3qCvg8+hckfbIdULfrQD12kKWQAyZy+8DqqNWEApzNZvhvpJ/q4L1XjKQqJghvmDpV6
+EEzbPKm+7Q8wzDaqTMoZF0fsAurUFpDvpUC09YQLv3iwhlPUsUJZfa7uI4LwU2sFJ6HV5q
+bKyJEtT0jdcFcf8FfJdPRT5uoF/YCrT+SCox23FhJ67/JfKMNu1ONCmalUJNEtNkG5docx
+50QIQS4VzBPv8PWebb4n/QK4+rMJuSOVI4Ft7pqEHAlY8uDj1UWmhOWirF/OjTxhN7xTuL
+XljNDDgUO6KrW4lAAAABAQDvE97xo/vG7uunG84RDaGcNb2q7S34vwlkrCBXqwXRVY9D+8
++3PrVvWMAj1jo8LDRrfKMLVLmDO+l9ejPHEHQqVwSF2Dq9oWxDnE4IUuaP2FsV5SqCZcZj
+3VfTLnn+1tU/daa+aHdSk9npOPonDOi0amfqDLVzCnHiRfUHK/47dH6ClGh6KSpBWkNhdD
+QbDBNQp+X0kuWkwiU5nHjeSXtCUHst1yTBXJdGIYRSdK4pXzx5WAx5KkL73gI6s/+aFUaB
+C4A5bhXwqMK4yzsAXpCG/DPL/UNx4BvCRDN/ztoSUHyk97KerNYX1NyJ8x/IgulfykOg9F
+StSKR8odPRFw2BAAABAQDTUNMDIBMvwU7aBFN92HYS3ZOmVpiPygwuWCB0d1VLIgsChx4E
+PX/TY3LQW0NCnRwc+M/stz+s9oSDh/wYWYTFzPkknSJkurmHxHcG1RHiOpvgWZozGIFeWj
+ZqDS8eX4WjkJVlORnv91ArAQ05QaDQuFa4MmlLI4Dvdq0aMJN08DC+XeCLZyknlJhlLNQf
+Swi0fvzVZTKnzoXyzWl0yq40GiHaOeDpFGzIRPwdAodANHYZ08TnSxkKyD2gHXTfH6S08I
+hhSlg1TcmT26RtE9w0GjB4M+o80NP41UIse6h1LJbFgeoYt771WX/O6iKNqh54VBXphaaG
+xcYvYEQEyMaNAAAAEXJvb3RAMjBkMjFlNWYzMzY2AQ==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/Images/vs-debug/ssh/root/id_rsa.pub b/Images/vs-debug/ssh/root/id_rsa.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFWNwHIZzxk3XKX+RFCzkEBwbAQrC/utc0yQOsccTy7TmaXc4nTgGSLEmcvwwqvz4eUmITDKu70HUdFB67AxVnrntTgDXiKgypEcSjpXmZQSKKKsJYHSMfooBjNVz7rQo5l2GauosQxucs7qpPSDcEn0r5vlS0BJ64oB3vCgJKjV86vZVXH4bNmhp6eyfRpzs0WcDWbs2rtTKi84pIHrprldIwkffuuHwgS0S6F50nBE/3eT7dbQw0TCboU+mhtnrYb1O9eHAwPF8/QEqtkUlnfaeCB5a9+F/s0D+Ix5C9+K+JPbw50kcMVTkXqrqxcEmE2igaHJc8BKhYOLmWRMDgLt2C+LBbMaOXLB7LUvyHbzdTWhlVp9MMtyWYnCvEPU27yHeSP+0JR+tle68tF0+nrox5bf0vPIjyirZfVqDW/ToksMQxJUXoVGxCbf7SXQ5cq2JEVtSidImL8PczuFLleaqhLbCIGds8bITXvhBk9T+xeVdKdyxkrAngobb5YN+m4CDAzO4cyFqpIB8FfNHqzZsOVUiYVIa/mwCt3JcIEmedHdAmnInRW6tM9TQqNpxHvRjtWmoZLJD1Tg25Uex/7fv5FCmUtsjkjGt4MJcF5ivLKIDm+Yr6lmp+nN6z6joCyeYVwTkCrV7nFKjbfWB9F1CkVEnWoL8qbaHejuw2DQ== root@20d21e5f3366
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFWNwHIZzxk3XKX+RFCzkEBwbAQrC/utc0yQOsccTy7TmaXc4nTgGSLEmcvwwqvz4eUmITDKu70HUdFB67AxVnrntTgDXiKgypEcSjpXmZQSKKKsJYHSMfooBjNVz7rQo5l2GauosQxucs7qpPSDcEn0r5vlS0BJ64oB3vCgJKjV86vZVXH4bNmhp6eyfRpzs0WcDWbs2rtTKi84pIHrprldIwkffuuHwgS0S6F50nBE/3eT7dbQw0TCboU+mhtnrYb1O9eHAwPF8/QEqtkUlnfaeCB5a9+F/s0D+Ix5C9+K+JPbw50kcMVTkXqrqxcEmE2igaHJc8BKhYOLmWRMDgLt2C+LBbMaOXLB7LUvyHbzdTWhlVp9MMtyWYnCvEPU27yHeSP+0JR+tle68tF0+nrox5bf0vPIjyirZfVqDW/ToksMQxJUXoVGxCbf7SXQ5cq2JEVtSidImL8PczuFLleaqhLbCIGds8bITXvhBk9T+xeVdKdyxkrAngobb5YN+m4CDAzO4cyFqpIB8FfNHqzZsOVUiYVIa/mwCt3JcIEmedHdAmnInRW6tM9TQqNpxHvRjtWmoZLJD1Tg25Uex/7fv5FCmUtsjkjGt4MJcF5ivLKIDm+Yr6lmp+nN6z6joCyeYVwTkCrV7nFKjbfWB9F1CkVEnWoL8qbaHejuw2DQ== root@20d21e5f3366