ssh fixes

Author: fenio

docker/Dockerfile

@@ -7,7 +7,9 @@ RUN apt-get update && \
 
 COPY entrypoint.sh /entrypoint.sh
 COPY sshd_config /etc/ssh/sshd_config
-RUN chmod +x /entrypoint.sh
+RUN groupadd -r -g 2137 ve && useradd -m -r -s /bin/bash -u 2137 -g ve ve
+RUN chmod +x /entrypoint.sh && \
+    chown -R ve:ve /var/run/sshd /run /volume /entrypoint.sh /etc/ssh
 
 EXPOSE 2137
 

docker/entrypoint.sh

@@ -1,16 +1,25 @@
 #!/bin/bash
 
+# Create .ssh directory for the ve user if it doesn't exist
+mkdir -p /home/ve/.ssh
+chmod 700 /home/ve/.ssh
+
 # Check if SSH_KEY environment variable is set
 if [ -n "$SSH_KEY" ]; then
-    echo "$SSH_KEY" >> /root/.ssh/authorized_keys
-    echo "Public key added to /root/.ssh/authorized_keys"
+    echo "$SSH_KEY" >> /home/ve/.ssh/authorized_keys
+    chmod 600 /home/ve/.ssh/authorized_keys
+    echo "Public key added to /home/ve/.ssh/authorized_keys"
 fi
 
+# Adjust ownership of .ssh directory and authorized_keys file
+chown -R ve:ve /home/ve/.ssh
+
 # Check the ROLE environment variable
 case "$ROLE" in
     standalone)
         echo "Running as standalone"
         /usr/sbin/sshd -D -e
+        tail -f /dev/null
         ;;
     proxy)
         echo "Running as proxy"

docker/sshd_config

@@ -3,7 +3,7 @@ Port 2137
 PermitRootLogin prohibit-password
 PasswordAuthentication no
 ChallengeResponseAuthentication no
-UsePAM yes
+UsePAM no
 PrintMotd no
 Subsystem sftp /usr/lib/openssh/sftp-server
 

pkg/plugin/mount.go

@@ -162,7 +162,7 @@ func setupPortForwarding(namespace, podName string, port int) error {
 }
 
 func mountPVCOverSSH(namespace, podName string, port int, localMountPoint, pvcName string) error {
-	sshfsCmd := exec.Command("sshfs", "-o", "StrictHostKeyChecking=no,UserKnownHostsFile=/dev/null", fmt.Sprintf("root@localhost:/volume"), localMountPoint, "-p", fmt.Sprintf("%d", port))
+	sshfsCmd := exec.Command("sshfs", "-o", "StrictHostKeyChecking=no,UserKnownHostsFile=/dev/null", fmt.Sprintf("ve@localhost:/volume"), localMountPoint, "-p", fmt.Sprintf("%d", port))
 	sshfsCmd.Stdout = os.Stdout
 	sshfsCmd.Stderr = os.Stderr
 	if err := sshfsCmd.Run(); err != nil {
@@ -200,6 +200,12 @@ func createPodSpec(podName string, port int, pvcName, sshKey, role string) *core
 		})
 	}
 
+	runAsNonRoot := true
+	runAsUser := int64(2137)
+	runAsGroup := int64(2137)
+	allowPrivilegeEscalation := false
+	readOnlyRootFilesystem := false
+
 	container := corev1.Container{
 		Name:  "volume-exposer",
 		Image: "bfenski/volume-exposer:latest",
@@ -209,6 +215,13 @@ func createPodSpec(podName string, port int, pvcName, sshKey, role string) *core
 			},
 		},
 		Env: envVars,
+		SecurityContext: &corev1.SecurityContext{
+			AllowPrivilegeEscalation: &allowPrivilegeEscalation,
+			ReadOnlyRootFilesystem:   &readOnlyRootFilesystem,
+			Capabilities: &corev1.Capabilities{
+				Drop: []corev1.Capability{"ALL"},
+			},
+		},
 	}
 
 	podSpec := &corev1.Pod{
@@ -222,6 +235,11 @@ func createPodSpec(podName string, port int, pvcName, sshKey, role string) *core
 		},
 		Spec: corev1.PodSpec{
 			Containers: []corev1.Container{container},
+			SecurityContext: &corev1.PodSecurityContext{
+				RunAsNonRoot: &runAsNonRoot,
+				RunAsUser:    &runAsUser,
+				RunAsGroup:   &runAsGroup,
+			},
 		},
 	}