From 37cd856425e6540387e14250e47f4f5ba8dd933b Mon Sep 17 00:00:00 2001
From: "Hongli Lai (Phusion)" <hongli@phusion.nl>
Date: Thu, 6 Feb 2014 13:07:47 +0100
Subject: [PATCH] Disable the insecure SSH key by default

---
 Changelog.md              |  1 +
 README.md                 | 36 ++++++++++++++++++++++++++----------
 image/enable_insecure_key | 17 +++++++++++++++++
 image/system_services.sh  |  5 ++++-
 test/runner.sh            | 12 ++++++++++--
 5 files changed, 58 insertions(+), 13 deletions(-)
 create mode 100755 image/enable_insecure_key

diff --git a/Changelog.md b/Changelog.md
index 59d999b..92ecacc 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,6 +1,7 @@
 ## 0.9.5 (release date pending)
 
  * Environment variables are now no longer reset by runit. This is achieved by running `runsvdir` directly instead of through Debian's `runsvdir-start`.
+ * The insecure SSH key is now disabled by default. You have to explicitly opt-in to use it.
 
 ## 0.9.4 (release date: 2014-02-03)
 
diff --git a/README.md b/README.md
index caf091e..013ab1e 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,7 @@ You can configure the stock `ubuntu` image yourself from your Dockerfile, so why
    * [Getting started](#getting_started)
    * [Adding additional daemons](#adding_additional_daemons)
    * [Running scripts during container startup](#running_startup_scripts)
-   * [Login to the container](#login)
+   * [Login to the container via SSH](#login)
  * [Building the image yourself](#building)
  * [Conclusion](#conclusion)
 
@@ -91,8 +91,6 @@ You don't have to download anything manually. The above command will automatical
 
 The image is called `phusion/baseimage`, and is available on the Docker registry.
 
-By default, it allows SSH access for the key in `image/insecure_key`. This makes it easy for you to login to the container, but you should replace this key as soon as possible.
-
     # Use phusion/baseimage as base image. To make your builds reproducible, make
     # sure you lock down to a specific version, not to `latest`!
     # See https://github.com/phusion/baseimage-docker/blob/master/Changelog.md for
@@ -102,9 +100,6 @@ By default, it allows SSH access for the key in `image/insecure_key`. This makes
     # Set correct environment variables.
     ENV HOME /root
     
-    # Remove authentication rights for insecure_key.
-    RUN rm -f /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys
-    
     # Regenerate SSH host keys. baseimage-docker does not contain any, so you
     # have to do that yourself. You may also comment out this instruction; the
     # init system will auto-generate one during boot.
@@ -160,13 +155,26 @@ The following example shows how you can add a startup script. This script simply
     ADD logtime.sh /etc/my_init.d/logtime.sh
 
 <a name="login"></a>
-### Login to the container
+### Login to the container via SSH
 
 You can use SSH to login to any container that is based on baseimage-docker.
 
-Start a container based on baseimage-docker (or a container based on an image based on baseimage-docker):
+The first thing that you need to do is to ensure that you have the right SSH keys installed inside the container. By default, no keys are installed, so you can't login. For convenience reasons, we provide [a pregenerated, insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key) that you easily enable. However, please be aware that using this key is for convenience only. It does not provide any insecurity because this key (both the public and the private side) are publicly available. In production environments, you should use your own keys.
 
-    docker run phusion/baseimage
+Edit your Dockerfile to install an SSH key:
+
+    ## Install an SSH of your choice.
+    ADD your_key /tmp/your_key
+    RUN cat /tmp/your_key >> /root/.ssh/authorized_keys && rm -f /tmp/your_key
+
+    ## -OR-
+
+    ## Uncomment this to enable the insecure key.
+    # RUN /usr/sbin/enable_insecure_key
+
+Then rebuild your image. Once you have that, start a container based on that image:
+
+    docker run your-image-name
 
 Find out the ID of the container that you just ran:
 
@@ -176,8 +184,16 @@ Once you have the ID, look for its IP address with:
 
     docker inspect <ID> | grep IPAddress
 
-Now SSH into the container. In this example we're using [the default insecure key](https://github.com/phusion/baseimage-docker/blob/master/image/insecure_key), but if you're followed the instructions well then you've already replaced that with your own key. You did replace the key, didn't you?
+Now SSH into the container as follows:
 
+    ssh -i /path-to/your_key root@<IP address>
+
+    # -OR-
+
+    # If you're using the insecure key, download it and SSH
+    # into the container using that key.
+    curl -o insecure_key -fSL https://github.com/phusion/baseimage-docker/raw/master/image/insecure_key
+    chmod 700 insecure_key
     ssh -i insecure_key root@<IP address>
 
 <a name="building"></a>
diff --git a/image/enable_insecure_key b/image/enable_insecure_key
new file mode 100755
index 0000000..1a3c8b5
--- /dev/null
+++ b/image/enable_insecure_key
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+AUTHORIZED_KEYS=/root/.ssh/authorized_keys
+
+if [[ -e "$AUTHORIZED_KEYS" ]] && grep -q baseimage-docker-insecure-key "$AUTHORIZED_KEYS"; then
+	echo "Insecure key has already been added to $AUTHORIZED_KEYS."
+else
+	DIR=`dirname "$AUTHORIZED_KEYS"`
+	echo "Creating directory $DIR..."
+	mkdir -p "$DIR"
+	chmod 700 "$DIR"
+	chown root:root "$DIR"
+	echo "Editing $AUTHORIZED_KEYS..."
+	cat /etc/insecure_key.pub > "$AUTHORIZED_KEYS"
+	echo "Success: insecure key has been added to $AUTHORIZED_KEYS"
+fi
diff --git a/image/system_services.sh b/image/system_services.sh
index 913990c..c7da97b 100755
--- a/image/system_services.sh
+++ b/image/system_services.sh
@@ -28,7 +28,10 @@ cp /build/00_regen_ssh_host_keys.sh /etc/my_init.d/
 mkdir -p /root/.ssh
 chmod 700 /root/.ssh
 chown root:root /root/.ssh
-cat /build/insecure_key.pub > /root/.ssh/authorized_keys
+cp /build/insecure_key.pub /etc/insecure_key.pub
+chmod 644 /etc/insecure_key.pub
+chown root:root /etc/insecure_key.pub
+cp /build/enable_insecure_key /usr/sbin/
 
 ## Install cron daemon.
 $minimal_apt_get_install cron
diff --git a/test/runner.sh b/test/runner.sh
index 415c514..328fc49 100644
--- a/test/runner.sh
+++ b/test/runner.sh
@@ -12,11 +12,19 @@ function cleanup()
 	echo " --> Stopping container"
 	docker stop $ID >/dev/null
 	docker rm $ID >/dev/null
+	docker rmi baseimage_test >/dev/null 2>/dev/null
 }
 
-echo " --> Starting container"
 PWD=`pwd`
-ID=`docker run -d -v $PWD/test:/test $NAME:$VERSION`
+
+echo " --> Preparing container"
+ID=`docker run -d $NAME:$VERSION enable_insecure_key`
+docker wait $ID >/dev/null
+docker commit $ID baseimage_test >/dev/null
+docker rm $ID >/dev/null
+
+echo " --> Starting container"
+ID=`docker run -d -v $PWD/test:/test baseimage_test /sbin/my_init`
 sleep 1
 
 echo " --> Obtaining IP"