Last updated on 2020-02-23
Contents
Why?
While this SSH container was initially designed to support the Burp Suite container, it does not depend on the Burp container. In other words, the SSH container can be used generically* to provide an auxiliary SSH service to any other container.
*with minor adjustments to its entrypoint.sh
Here are some advantages provided by its design:
- Default SSH configuration:
sshdexecutes asrootbut does not allow login asroot.
- Creates unprivileged account for primary use.
- Meant for file operations only; not administration of the SSH container itself.
- Login is performed with SSH keys set up when building the container.
- Provides file access in other containers via shared volumes.
dockerfile
The following is based on this dockerfile version.
debian:buster-slim:
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
scribe:
|
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
Note line 13: for convenience, it will cause the current directory to be ~/share upon login.
|
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
- Make sure
/run/sshdexists, so thatsshdcan run. - Copy
entrypoint.shandauthorized_keysto the container.authorized_keysis supplied when building the container.
- Set read/write privileges for
scribeonauthorized_keys. - Expose port 22 and set
entrypoint.shto execute when the container runs.
entrypoint.sh
The following is based on this entrypoint.sh version.
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
Create a few directories to host files from shared volumes. These directory names are the only adjustment needed to use the SSH container generically. They simply need to correspond to shared Docker volumes.
Then, just give scribe access to its own home directory, and run sshd by means of exec in order to clean up the parent process.
Building and running
You can find interactive build and execution scripts for the Burp Suite and its auxiliary containers at github.com/elespike/burp_containers!
To build the container, simply:
- Ensure the current directory is where the
dockerfileresides - Copy your desired
authorized_keysfile to the current directory - Execute
sudo docker build -t sshd:latest .
Note the trailing ., which just represents the current directory.
-t sshd:latest tags the build so we can reference it when running the container, as outlined below.
sudo docker run -d -it --rm |
Runs the container as a daemon (background process), with an interactive TTY, and remove it from disk when stopped. |
--mount src=burp_share,dst=/home/scribe/burp_share,ro=false |
Mounts the burp_share volume to /home/scribe/burp_share in the SSH container. |
--mount src=novnc_share,dst=/home/scribe/novnc_share,ro=false |
Mounts the novnc_share volume to /home/scribe/novnc_share in the SSH container. |
-p 0.0.0.0:2200:22/tcp |
Listens on all of the host’s interfaces (0.0.0.0), on port 2200, and forwards all TCP traffic to port 22 on the container. |
sshd:latest |
Runs the build tagged sshd:latest. |
The --mount options should match the Docker volumes and directories you’ll be using with your own containers, if not the Burp and noVNC ones discussed in the previous article.
Needless to say, the same volumes should be mounted on each container whose files you’d like to access via the SSH container.
A complete example, with definitions for all containers discussed in this series as well as interactive build and run scripts, is present at github.com/elespike/burp_containers.
To wrap up this series, let’s explore the containers that provide a noVNC client and server for remote GUI display, or for local GUI display in the absence of an X server: