handling of known_hosts added

9d336497 · Michał 'rysiek' Woźniak · adfc4f56 · 9d336497 · 9d336497
Commit 9d336497 authored Mar 03, 2016 by Michał 'rysiek' Woźniak
Hide whitespace changes
Inline Side-by-side

Showing with 47 additions and 1 deletion

README.md README.md +28 -0

run.sh run.sh +19 -1

No files found.
--- a/README.md
+++ b/README.md
@@ -13,3 +13,31 @@ It might make good sense to volume-mount the following directories:
 - `/etc/cron.weekly/` (can be read-only)
 - `/etc/cron.hourly/` (can be read-only)
 - `/etc/cron.monthly/` (can be read-only)
+
+## Environment variables
+ 
+ - `SSH_KNOWN_HOSTS` (default: empty)
+
+Known hosts entries to add to `/etc/ssh/ssh_known_hosts` file, in the correct format of `known_hosts` file (described in `sshd` manual).
+
+## `ssh_known_hosts` assembly
+
+If `/etc/ssh/ssh_known_hosts` file does not exist, it will be created. If an `/etc/ssh/ssh_known_hosts.template` exists, it will be used as a template. The file will then be populated with container's own ECDSA public key, and contents of `SSH_KNOWN_HOSTS` environment variable.
+
+## Paths
+
+ - `/etc/ssh/ssh_known_hosts.template`
+
+If that file exists, it is used as a template for `/etc/ssh/ssh_known_hosts` within the container.
+
+ - `/var/pubkeys`
+
+This is where cron's public key will be placed. Volume-mount it into other containers to be able to use it (you can even use `inotify-watch` to watch it).
+ 
+ - `/etc/cron.d/` (this has to be read-write, for `root`->`cron` user replacements)
+ - `/etc/cron.daily/` (can be read-only)
+ - `/etc/cron.weekly/` (can be read-only)
+ - `/etc/cron.hourly/` (can be read-only)
+ - `/etc/cron.monthly/` (can be read-only)
+
+Cron configuration directories.
\ No newline at end of file
--- a/run.sh
+++ b/run.sh
@@ -6,8 +6,26 @@ set -e
 HOMEDIR="/home/cron"
 KEYSDIR="/var/pubkeys"

+# add our own keys to /etc/ssh/ssh_known_hosts
+if [ ! -e /etc/ssh/ssh_known_hosts ]; then
+  echo "+-- setting up /etc/ssh/ssh_known_hosts..."
+  # use the template, if it exists
+  if [ -e /etc/ssh/ssh_known_hosts.template ]; then
+    echo "    +-- basing on template file: /etc/ssh/ssh_known_hosts.template"
+    cat /etc/ssh/ssh_known_hosts.template > /etc/ssh/ssh_known_hosts
+  fi
+  echo "    +-- adding local ECDSA pubkey from: /etc/ssh/ssh_host_ecdsa_key.pub"
+  echo "* $( cat /etc/ssh/ssh_host_ecdsa_key.pub )" >> /etc/ssh/ssh_known_hosts
+  # if SSH_KNOWN_HOSTS is nonempty, let's add that to ssh_known_hosts
+  if [ ! -z ${SSH_KNOWN_HOSTS+x} ]; then
+    echo "    +-- adding known hosts from SSH_KNOWN_HOSTS:"
+    echo -e "${SSH_KNOWN_HOSTS}"
+    echo -e "${SSH_KNOWN_HOSTS}" >> "/etc/ssh/ssh_known_hosts"
+  fi
+  echo "    +-- done."
+fi
+
 # we're not running the sshd, so no SSH_KEYS/authprized_keys needed
-# host keys are also unneeded
 # also, the user should get created in the dockerfile, so no need for doing this here either

 # create the .ssh folder if it does not exist