From e506059858b106284443f1444192b4de87bccc57 Mon Sep 17 00:00:00 2001
From: Kiritow <1362050620@qq.com>
Date: Wed, 3 Mar 2021 16:13:26 +0800
Subject: [PATCH] Add ssh-base image
---
ssh-base/Dockerfile | 18 ++++++++++++++++++
ssh-base/Readme.md | 28 ++++++++++++++++++++++++++++
2 files changed, 46 insertions(+)
create mode 100644 ssh-base/Dockerfile
create mode 100644 ssh-base/Readme.md
diff --git a/ssh-base/Dockerfile b/ssh-base/Dockerfile
new file mode 100644
index 0000000..de92a72
--- /dev/null
+++ b/ssh-base/Dockerfile
@@ -0,0 +1,18 @@
+FROM ubuntu-cn-systemd:latest
+RUN apt update \
+ && apt install openssh-server -y \
+ && rm -rf /var/lib/apt/lists/* \
+ && rm -f /run/nologin
+
+# Default: No password login, No PAM
+RUN sed -e 's/UsePAM yes/UsePAM no/g' -e 's/#PasswordAuthentication yes/PasswordAuthentication no/g' -i /etc/ssh/sshd_config
+
+# Another method: Leave PAM on, but it needs a few more fixes.
+
+# 1. PAM LoginUID fix. Otherwise user is kicked off after login.
+# Or you might start container with --cap-add AUDIT_CONTROL
+# RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
+
+# 2. systemd-logind hang 25s fix
+# RUN sed 's/ProtectHostname=yes/ProtectHostname=no/g' -i /lib/systemd/system/systemd-logind.service
+
diff --git a/ssh-base/Readme.md b/ssh-base/Readme.md
new file mode 100644
index 0000000..b75e3db
--- /dev/null
+++ b/ssh-base/Readme.md
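Review bot: The `apt install openssh-server` step in ssh-base/Dockerfile most likely bakes SSH host keys into the image layer, because the Debian/Ubuntu package normally generates `/etc/ssh/ssh_host_*` at install time; every container started from the image would then share one host identity, and anyone who can pull the image can read the private keys. Consider appending `&& rm -f /etc/ssh/ssh_host_*` to that RUN chain and generating keys per container at first boot, for example with `ssh-keygen -A` before sshd starts. Separately, the `sed` on `/etc/ssh/sshd_config` exits successfully even when nothing matches, so if the base image's file does not contain the exact text `#PasswordAuthentication yes`, password login silently stays at its default; a trailing `&& grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config` would fail the build instead. `FROM ubuntu-cn-systemd:latest` is also unpinned, so the sshd_config those patterns run against can change between builds.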
@@ -0,0 +1,28 @@
+# ssh-base
+
+This is the base image of ssh server, bundled with systemd.
+
+By default, `UsePAM` and `PasswordAuthentication` are both set to `no`.
+
+The Dockerfile contains an alternative way to setup sshd, which could leave `UsePAM` set to `yes`.
+
+The following fixes are included:
+
+1. `/etc/pam.d/sshd` fix
+
+ `pam_loginuid.so` is set to optional, otherwise user will be kicked off after login.
+
+ https://stackoverflow.com/questions/28134239/how-to-ssh-into-docker
+
+2. `/run/nologin` removed
+
+ Prevents ssh login from printing `System is booting up. Unprivileged users are not permitted to log in yet. Please come back later. For technical details, see pam_nologin(8).`
+
+ https://stackoverflow.com/questions/58682387/error-while-trying-to-ssh-a-docker-container-system-is-booting-up
+
+3. `systemd-logind.service` fix
+
+ `ProtectHostname` is set to `no`. This fixes 25 second of hang up every login.
+
+ https://bugzilla.redhat.com/show_bug.cgi?id=1841139
+