我的要求是必须有一个任何用户都可以使用的自定义 proftpd docker 映像。用户将使用该映像运行 docker 容器,并在运行时将挂载路径挂载到 docker。挂载路径将包含用户将使用的公钥。用户不会提供私钥。用户将生成公钥和私钥,如下所示:
$ ssh-keygen -N "" -f /home/user/.ssh/id_rsa
这应该输出 id_rsa 和 id_rsa.pub 文件。
公钥文件 id_rsa.pub 的内容将被添加到挂载路径 (/mnt/blah/key) 中的文件中,然后在启动 docker 容器时挂载。docker 镜像的入口点脚本如下所示:
DIR=/home/proftpd
#PASSWD_KEY=/mnt/blah/passwd_key
PUB_KEY=/mnt/blah/key
PASSWORD=abcboom
echo $PASSWORD | /usr/bin/ftpasswd --passwd --file=/home/proftpd/ftpd.passwd --name=virtual --uid=1234 --gid=5678 --home=/home/proftpd/ --shell=/bin/bash --stdin
/usr/bin/ftpasswd --group --name=--group --name=virtual --file=/home/proftpd/ftpd.group --gid=5678 --member=1234
touch /home/proftpd/.ssh/authorized_keys
cat $PUB_KEY > /home/proftpd/.ssh/authorized_keys
chmod 600 /home/proftpd/.ssh/authorized_keys
proftpd -n -4 -c /home/proftpd/proftpd.conf -d10
因此,基本上 /mnt/blah/key 的内容被写入 authorized_keys 文件中。但由于要求用户不提供私有 id_rsa 文件内容,有没有办法可以在没有此信息的情况下启动 proftpd 服务器?我知道 proftpd 的官方文档说 proftpd.conf 文件中需要 SFTPHostKey 指令,我已经看到它需要私钥文件。有没有办法解决这个问题?
我有以下 proftpd.conf 文件:
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
AuthUserFile /home/proftpd/ftpd.passwd
AuthGroupFile /home/proftpd/ftpd.group
AuthPAM off
PidFile /home/proftpd/proftpd.pid
ScoreboardFile /home/proftpd/proftpd.scoreboard
WtmpLog off
# Port 21 is the standard FTP port.
Port 2345
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User proftpd
Group proftpd
# Normally, we want files to be overwriteable.
<Directory />
AllowOverwrite on
</Directory>
# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
TraceLog /home/proftpd/trace.log
Trace DEFAULT:10
LoadModule mod_sftp.c
#LoadModule mod_sftp_pam.c
<IfModule mod_sftp.c>
<VirtualHost 0.0.0.0>
SFTPEngine ON
SFTPAuthMethods password publickey
RequireValidShell off
SFTPLog /home/proftpd/log/sftp.log
Port 2360
SFTPLog /home/proftpd/sftp.log
SFTPCompression delayed
SFTPHostKey /home/proftpd/.ssh/id_rsa ---> What to do here??
SFTPAuthorizedUserKeys file:/home/proftpd/.ssh/authorized_keys
SFTPOptions InsecureHostKeyPerms
AuthUserFile /home/proftpd/ftpd.passwd
AuthGroupFile /home/proftpd/ftpd.group
AuthOrder mod_auth_file.c
</VirtualHost>
</IfModule>
任何有关此事的帮助都将不胜感激!