PaulNM via plug on 16 Jun 2020 21:05:54 -0700



Re: [PLUG] sshd as regular user


On 6/16/20 10:40 PM, brent timothy saner via plug wrote:

> Which means unless it's running as root or via sudo, those conditionals
> are going to evaluate to true (in this case, presumably, a true
> condition means "no worky").
>
> So nope. Can't run as a regular user.
>
> Dropbear[1] might let you but it's... not pleasant if you expect OpenSSH
> features to be present (and I think they still don't support ed25519 keys).



At this point OP's best bet is probably to run a docker container, either a custom-built one or a pre-built one like linuxserver/openssh-server.

I have a family member's computer backing up to a server of mine using Duplicati. To provide a little isolation and help keep configuration clean, I settled on using a docker image. Docker lets you run a container as a user, as said user's ID. This lets you have a specific-user-only instance of ssh without access to the rest of the system.

I first created a regular user and group on the hosting server specifically for this, with a password of ! so they can't login to the system.

My (redacted with X) docker-compose.yml file (additional notes underneath):


---
version: "2.1"
services:
  openssh-X:
    image: linuxserver/openssh-server
    container_name: openssh-X
    environment:
      - PUID=XXXX
      - PGID=XXXX
      - SUDO_ACCESS=false
      - PASSWORD_ACCESS=true
      - USER_PASSWORD=XXXXX
      - USER_NAME=XXXXX
    volumes:
      - /home/XXXXX/SSHfiles/config:/config
    ports:
      - XXXX:2222
    healthcheck:
      disable: true
    restart: unless-stopped


Notes:
PUID/PGID should be set to match the user/group IDs of the user you created earlier. That lets the docker container run as that same user and have access to their home directory.

USER_PASSWORD/NAME are for the internal docker container sshd, so you can set them to whatever you want.

ports: XXXX should be set to the public port number you want it to appear on your host server. This maps whatever you use for XXXX to linuxserver/openssh-server's internal port 2222, where it runs openssh.

Healthcheck is disabled on my system because it produces excessive, unnecessary errors in my logs. I use ansible to manage my server anyway, which performs a similar function (albeit slightly delayed).

There are other ways to handle the internal usernames/groups/permissions of that docker image. There are also other pre-built ssh images around. You could even just use a base image of any preferred distro and treat it as a separate, lightweight, stripped-down server.

My long term goals are to get the username/password out of the dockerfile and keep them in my off-server ansible config, and to get healthcheck working. (Or at least get my logging to dump the erroneously generated error messages.)

-- PaulNM
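An added example (not PaulNM's script or the image's own code) that scripts the procedure above: create the locked host account, render the compose file with the account's UID/GID filled in, and check that the two agree. It swaps the inline USER_PASSWORD for key-only login, which assumes linuxserver/openssh-server honours its PUBLIC_KEY_FILE variable; service name, paths and port are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the linuxserver/openssh-server
# image reads PUBLIC_KEY_FILE (its documented key-login variable); paths are placeholders.

# Create the host-side account exactly as the post describes: useradd leaves the
# shadow password field as "!", and passwd -l keeps it locked. Run once, as root.
create_backup_user() {
  name="$1"
  useradd --create-home --shell /usr/sbin/nologin "$name"
  passwd -l "$name" >/dev/null
}

# Render the compose file. Arguments: uid gid ssh_user host_port config_dir.
# PASSWORD_ACCESS is off and no USER_PASSWORD appears in the file; the container
# reads the authorized key from the bind-mounted /config directory instead.
render_compose() {
  uid="$1"; gid="$2"; user="$3"; port="$4"; cfg="$5"
  cat <<EOF
---
version: "2.1"
services:
  openssh-backup:
    image: linuxserver/openssh-server
    container_name: openssh-backup
    environment:
      - PUID=${uid}
      - PGID=${gid}
      - SUDO_ACCESS=false
      - PASSWORD_ACCESS=false
      - USER_NAME=${user}
      - PUBLIC_KEY_FILE=/config/authorized_keys
    volumes:
      - ${cfg}:/config
    ports:
      - "${port}:2222"
    restart: unless-stopped
EOF
}

# Check that PUID/PGID in a rendered file match the host account, so the
# container really runs as that user and nothing else.
check_ids_match() {
  compose="$1"; name="$2"
  want_uid=$(id -u "$name"); want_gid=$(id -g "$name")
  grep -q "PUID=${want_uid}\$" "$compose" && grep -q "PGID=${want_gid}\$" "$compose"
}
```

Typical use: `create_backup_user backupuser`, then `render_compose "$(id -u backupuser)" "$(id -g backupuser)" backupuser 2222 /home/backupuser/SSHfiles/config > docker-compose.yml`, then `check_ids_match docker-compose.yml backupuser`.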




___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug