Merge pull request #35 from dinoallo/enhancement/devbox-ssh

fix: enhance SSH security settings and randomize devbox password

Author: zzjin

OS/debian-ssh/12.6/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/labring-actions/devbox/debian:ce4733
+FROM debian:12.6-slim
 
 COPY /script/startup.sh /usr/start/startup.sh
 
@@ -7,6 +7,16 @@ RUN chmod +x /usr/start/startup.sh && \
     apt-get install -y \
     dumb-init \
     wget \
+    sudo \
+    net-tools \
+    iproute2 \
+    iputils-ping \
+    curl \
+    netcat-openbsd \
+    vim \
+    openssl \
+    make \
+    git \
     openssh-client \
     openssh-server && \
     apt-get clean && \
@@ -18,12 +28,15 @@ RUN chmod +x /usr/start/startup.sh && \
     echo 'X11Forwarding yes' >> /etc/ssh/sshd_config && \ 
     echo 'Port 22' >> /etc/ssh/sshd_config && \
     echo 'AuthorizedKeysFile  /usr/start/.ssh/authorized_keys' >> /etc/ssh/sshd_config && \
+    echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config && \
+    echo 'PermitRootLogin prohibit-password' >> /etc/ssh/sshd_config && \
     useradd -m -s /bin/bash devbox && \
     usermod -aG sudo devbox && \
     echo 'devbox ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers && \
     rm -rf /tmp/* && \
     mkdir -p /home/devbox/.ssh && \
-    echo "devbox:devbox" | sudo chpasswd && \
+    PASS=$(openssl rand -base64 16) && \
+    echo "devbox:$PASS" | sudo chpasswd && \
     chown -R devbox:devbox /home/devbox/.ssh && \
     chmod -R 770 /home/devbox/.ssh 
 
@@ -32,8 +45,6 @@ COPY /OS/debian-ssh/project /home/devbox/project
 RUN sudo chown -R devbox:devbox /home/devbox/project && \
     sudo chmod -R 777 /home/devbox/project
 
-USER root
-
 ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["sudo", "-E", "/usr/start/startup.sh"]
 

OS/ubuntu-cuda/24.04/Dockerfile

@@ -32,15 +32,18 @@ RUN chmod +x /usr/start/startup.sh && \
     echo 'GatewayPorts yes' >> /etc/ssh/sshd_config && \
     echo 'X11Forwarding yes' >> /etc/ssh/sshd_config && \ 
     echo 'Port 22' >> /etc/ssh/sshd_config && \
-    echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config && \
     echo 'AuthorizedKeysFile  /usr/start/.ssh/authorized_keys' >> /etc/ssh/sshd_config && \
+    echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config && \
+    echo 'PermitRootLogin prohibit-password' >> /etc/ssh/sshd_config && \
     useradd -m -s /bin/bash devbox && \
     usermod -aG sudo devbox && \
     echo 'devbox ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers && \
     echo 'export PATH=/usr/local/cuda/bin:$PATH' >>  /etc/profile && \
     echo 'export LD_LIBRARY_PATH=/usr/local/cuda/lib64:$LD_LIBRARY_PATH' >> /etc/profile && \
     rm -rf /tmp/* && \
     mkdir -p /home/devbox/.ssh && \
+    PASS=$(openssl rand -base64 16) && \
+    echo "devbox:$PASS" | sudo chpasswd && \
     chown -R devbox:devbox /home/devbox/.ssh && \
     chmod -R 770 /home/devbox/.ssh 
 

OS/ubuntu/24.04/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:latest
+FROM ubuntu:24.04
 
 COPY /script/startup.sh /usr/start/startup.sh
 
@@ -33,11 +33,15 @@ RUN chmod +x /usr/start/startup.sh && \
     echo 'X11Forwarding yes' >> /etc/ssh/sshd_config && \ 
     echo 'Port 22' >> /etc/ssh/sshd_config && \
     echo 'AuthorizedKeysFile  /usr/start/.ssh/authorized_keys' >> /etc/ssh/sshd_config && \
+    echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config && \
+    echo 'PermitRootLogin prohibit-password' >> /etc/ssh/sshd_config && \
     useradd -m -s /bin/bash devbox && \
     usermod -aG sudo devbox && \
     echo 'devbox ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers && \
     rm -rf /tmp/* && \
     mkdir -p /home/devbox/.ssh && \
+    PASS=$(openssl rand -base64 16) && \
+    echo "devbox:$PASS" | sudo chpasswd && \
     chown -R devbox:devbox /home/devbox/.ssh && \
     chmod -R 770 /home/devbox/.ssh