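#!/bin/bash
# Container entry point for the Pritunl Zero bastion host.
#
# Materialises the SSH host key, its public half and the trusted user-CA
# keys from the environment, picks the mounted host certificate, writes an
# sshd_config and then runs sshd in the foreground.
#
# Required environment variables:
#   BASTION_TRUSTED       user CA public key(s)  -> /ssh/trusted
#   BASTION_HOST_KEY      host private key       -> /ssh/ssh_host_key
#   BASTION_HOST_PUB_KEY  host public key        -> /ssh/ssh_host_key.pub
# Backslash escapes in these values (e.g. a literal "\n") are expanded, as
# the previous `echo -e` did, so a multi-line key can be passed on one line.
#
# Optional mount:
#   /ssh_mount/ssh_host_key-cert.pub      host certificate (preferred name)
#   /ssh_mount/ssh_host_rsa_key-cert.pub  legacy name, used as the fallback
set -euo pipefail

# Refuse to start with missing key material rather than writing empty
# files that sshd would then try to use.
: "${BASTION_TRUSTED:?BASTION_TRUSTED must be set}"
: "${BASTION_HOST_KEY:?BASTION_HOST_KEY must be set}"
: "${BASTION_HOST_PUB_KEY:?BASTION_HOST_PUB_KEY must be set}"

# Write the private key with a restrictive umask so it is never created
# world-readable; a chmod after the write would leave a window under the
# default umask. The umask is scoped to the subshell. chmod still runs in
# case the file already existed with wider permissions.
(
  umask 077
  printf '%b\n' "$BASTION_HOST_KEY" > /ssh/ssh_host_key
)
chmod 0600 /ssh/ssh_host_key

# Public material: readable by sshd, nothing secret in it.
printf '%b\n' "$BASTION_HOST_PUB_KEY" > /ssh/ssh_host_key.pub
printf '%b\n' "$BASTION_TRUSTED" > /ssh/trusted

# Backward compatibility: older deployments mount the certificate under the
# RSA-specific name. Prefer the generic name when it is present.
BASTION_HOST_CERT_PATH=/ssh_mount/ssh_host_rsa_key-cert.pub
if [[ -f /ssh_mount/ssh_host_key-cert.pub ]]; then
  BASTION_HOST_CERT_PATH=/ssh_mount/ssh_host_key-cert.pub
fi
# Keep the legacy path in the config even when it is absent (sshd reports
# the missing certificate itself), but make the cause visible in our log.
if [[ ! -f "$BASTION_HOST_CERT_PATH" ]]; then
  printf 'warning: host certificate %s not found\n' "$BASTION_HOST_CERT_PATH" >&2
fi

# Generate sshd_config; tee echoes it to stdout so the effective config
# shows up in the container log. The heredoc is intentionally unquoted so
# that $BASTION_HOST_CERT_PATH expands.
tee /ssh/sshd_config <<EOF
Port 9722
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::
HostKey /ssh/ssh_host_key
HostCertificate $BASTION_HOST_CERT_PATH
MaxAuthTries 25
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator man postmaster cron ftp sshd at squid xfs games postgres cyrus vpopmail ntp smmsp guest nobody
Match User bastion
AllowAgentForwarding no
AllowTcpForwarding yes
PermitOpen *:22
GatewayPorts no
X11Forwarding no
PermitTunnel no
ForceCommand echo 'Pritunl Zero Bastion Host'
TrustedUserCAKeys /ssh/trusted
AuthorizedPrincipalsFile /ssh/principals
Match all
EOF

# exec so sshd replaces this shell as PID 1 and receives the container's
# stop signals directly instead of the shell swallowing them.
exec /usr/sbin/sshd -D -f /ssh/sshd_config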