This repository has been archived by the owner on Jul 2, 2024. It is now read-only.

SSH_USER_HOME on mapped host directory does not work #906

Open
daniel-es6 opened this issue Mar 21, 2021 · 10 comments

I mounted the host directory to the container using /some/host/directory:/host
and set SSH_USER_HOME to /host/%u

The container boots up the first time, and then fails to start with an error message like the one below:

2021-03-21 03:28:24,033 INFO exited: system-timezone-wrapper (exit status 0; expected)
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
mkdir: cannot create directory '/host/userxx/.ssh': File exists
2021-03-21 03:28:24,261 INFO exited: sshd-bootstrap (exit status 1; not expected)
2021-03-21 03:28:24,268 INFO reaped unknown pid 112
2021-03-21 03:28:24,607 INFO reaped unknown pid 96
ERROR: sshd-wrapper timed out waiting on sshd-bootstrap
2021-03-21 03:28:28,041 INFO exited: sshd-wrapper (exit status 1; not expected)
2021-03-21 03:28:29,042 INFO gave up: sshd-wrapper entered FATAL state, too many start retries too quickly

@jdeathe jdeathe self-assigned this Mar 21, 2021
@jdeathe jdeathe added the bug label Mar 21, 2021
@jdeathe jdeathe added this to the 2.7.0 milestone Mar 21, 2021
jdeathe (Owner) commented Mar 21, 2021

https://github.com/jdeathe/centos-ssh/blob/2.6.1/src/usr/sbin/sshd-bootstrap#L1238-L1246

mkdir will return an error if the .ssh directory exists. Could switch to install here instead:

install \
  --owner="${ssh_user}" \
  --group="${ssh_user}" \
  --mode=700 \
  -d "${ssh_user_home}"/.ssh
install \
  --owner="${ssh_user}" \
  --group="${ssh_user}" \
  --mode=600 \
  -T /dev/null \
  "${ssh_user_home}"/.ssh/authorized_keys

jdeathe (Owner) commented Mar 21, 2021

@daniel-es6 Thanks for your interest in the project and for reporting this issue. The current release (2.6.1) is not able to support mapping a user's home directory that already contains a .ssh directory.

It should be possible to resolve this issue but please be aware that, if mapping the host's ${HOME} directory, it will replace the contents of ${HOME}/.ssh/authorized_keys on the host.

jdeathe (Owner) commented Mar 21, 2021

Steps to replicate on OSX:

install -d -o "$(id -u)" -g "$(id -g)" -m 755 "/tmp/${USER}"
install -d -o "$(id -u)" -g "$(id -g)" -m 700 "/tmp/${USER}/.ssh"
cd "/tmp/${USER}"
tee "/tmp/${USER}/docker-compose.yml" > /dev/null <<-'EOT'
version: "2.0"
volumes:
  ssh_keys:
    driver: "local"
services:
  ssh:
    image: "jdeathe/centos-ssh:2.6.1"
    volumes:
      - "ssh_keys:/etc/ssh"
      - "/tmp/${USER}:/host/${USER}"
    ports:
      - "22:22"
    environment:
      SSH_USER: "${USER}"
      SSH_USER_HOME: "/host/%u"
EOT
docker-compose up

daniel-es6 (Author) commented:

Thanks for responding quickly. Looking forward to version 2.7.0!

jdeathe (Owner) commented Mar 21, 2021

Proof-of-concept work-around on OSX:

install -d -o "$(id -u)" -g "$(id -g)" -m 755 "/tmp/${USER}"
install -d -o "$(id -u)" -g "$(id -g)" -m 700 "/tmp/${USER}/.ssh"
cd "/tmp/${USER}"
tee "/tmp/${USER}/Dockerfile" > /dev/null <<-'EOT'
FROM jdeathe/centos-ssh:2.6.1
# Patch sshd-bootstrap
RUN \
  sed -r -i -e '/^\t# SSH require files$/,/^\t# Details output for SSH public key fingerprints$/ {//!d;}' /usr/sbin/sshd-bootstrap; \
  sed -r -i -e '/^\t# SSH require files$/,/^\t# Details output for SSH public key fingerprints$/ s~^(\t# SSH require files)$~\1\n\tinstall --owner="${ssh_user}" --group="${ssh_user}" --mode=700 -d "${ssh_user_home}"/.ssh\n\tinstall --owner="${ssh_user}" --group="${ssh_user}" --mode=600 -T /dev/null "${ssh_user_home}"/.ssh/authorized_keys~' /usr/sbin/sshd-bootstrap
EOT
tee "/tmp/${USER}/docker-compose.yml" > /dev/null <<-EOT
version: "2.0"
volumes:
  ssh_keys:
    driver: "local"
services:
  ssh:
    build:
      context: "."
      dockerfile: "Dockerfile"
    volumes:
      - "ssh_keys:/etc/ssh"
      - "/tmp/${USER}:/host/${USER}"
    ports:
      - "22:22"
    environment:
      SSH_USER: "${USER}"
      SSH_USER_ID: "${UID}:${UID}"
      SSH_USER_HOME: "/host/%u"
EOT
docker-compose build
docker-compose up

jdeathe (Owner) commented Mar 21, 2021

@daniel-es6 Instructions on how to patch until 2.7.0 is released ☝️

daniel-es6 (Author) commented:

Cool!

daniel-es6 (Author) commented:

Just tried, got an error:
install: cannot create regular file '/host/.../.ssh/authorized_keys': No such file or directory

jdeathe (Owner) commented Mar 21, 2021

@daniel-es6 There was a missing \n in my patch example. I've updated the example now.

daniel-es6 (Author) commented:

It's working now. So nice being able to persist user settings.
