cscott/ClawdBox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix: Enforce chmod 600 on SSH host keys at startup

Browse Source
This commit is contained in:
Conan Scott
2026-02-02 03:13:30 +00:00
parent 2edbeac212
commit d7eae1c535
1 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
Dockerfile
View File

@@ -10,11 +10,12 @@ RUN apt-get update && apt-get install -y curl wget git jq un
RUN wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && chmod +x /usr/bin/yq
# Setup SSH directory & Config for OpenShift (Random UID support)
# PID file still needs to be in a transient writable spot
RUN mkdir -p /var/run/sshd && chmod 775 /var/run/sshd
# Custom sshd_config for non-root usage
# POINTS TO PERSISTENT VOLUME (/data/ssh) for host keys
# StrictModes no: Allow looser permissions if absolutely necessary (e.g. random UID with group access)
# But ideally we fix permissions on boot.
RUN echo "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\nPidFile /var/run/sshd/sshd.pid\nHostKey /data/ssh/ssh_host_rsa_key\nHostKey /data/ssh/ssh_host_ecdsa_key\nHostKey /data/ssh/ssh_host_ed25519_key\nAuthorizedKeysFile .ssh/authorized_keys\nChallengeResponseAuthentication no\nUsePAM yes\nSubsystem sftp /usr/lib/openssh/sftp-server" > /etc/ssh/sshd_config
# Create a user 'claw' with sudo access
@@ -23,7 +24,6 @@ RUN useradd -m -s /bin/bash claw && echo "claw ALL=(ALL) NOPASSWD:ALL" >> /e
# Prepare volume mount point
# Mount persistent storage here
VOLUME /data
# Critical for OpenShift: Allow root group (gid 0) to write to /data
RUN mkdir -p /data && chown claw:claw /data && chmod 775 /data
# Set working directory to the persistent volume
@@ -33,5 +33,5 @@ WORKDIR /data
EXPOSE 2222
# Start SSH daemon
# Logic: Check for persistent keys in /data/ssh. If missing, generate them.
CMD ["/bin/bash", "-c", "mkdir -p /data/ssh && if [ ! -f /data/ssh/ssh_host_rsa_key ]; then echo 'Generating persistent host keys...'; ssh-keygen -f /data/ssh/ssh_host_rsa_key -N '' -t rsa; ssh-keygen -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa; ssh-keygen -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519; fi && /usr/sbin/sshd -D -f /etc/ssh/sshd_config"]
# Fix: Enforce chmod 600 on keys before starting sshd
CMD ["/bin/bash", "-c", "mkdir -p /data/ssh && if [ ! -f /data/ssh/ssh_host_rsa_key ]; then echo 'Generating persistent host keys...'; ssh-keygen -f /data/ssh/ssh_host_rsa_key -N '' -t rsa; ssh-keygen -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa; ssh-keygen -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519; fi && chmod 600 /data/ssh/ssh_host_*_key && /usr/sbin/sshd -D -f /etc/ssh/sshd_config"]