Initial

Dockerfile

@@ -0,0 +1,77 @@
+FROM alpine:latest
+
+# Install necessary packages
+RUN apk update && apk add --no-cache openssh openrc openssh-keygen bash sudo python3 py3-pip net-tools
+
+# Create a non-root user (admin)
+RUN adduser -D admin
+RUN echo "admin:password" | chpasswd
+RUN addgroup admin wheel
+RUN adduser admin wheel
+
+# SSH Configuration
+RUN mkdir -p /var/run/sshd /app /app/ssh
+RUN chmod -R 777 /app
+
+# SSH Configuration
+#RUN mkdir /app
+
+# Copy all the contents of the /app folder
+COPY . /app
+
+
+# Generate SSH keys and print them
+#RUN ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N "" && \
+#    cat /etc/ssh/ssh_host_rsa_key && \
+#    ssh-keygen -t ecdsa -b 256 -f /etc/ssh/ssh_host_ecdsa_key -N "" && \
+#    cat /etc/ssh/ssh_host_ecdsa_key && \
+#    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N "" && \
+#    cat /etc/ssh/ssh_host_ed25519_key
+
+# Generate SSH keys
+RUN ssh-keygen -t rsa -b 2048 -f /etc/ssh/ssh_host_rsa_key -N "" && \
+    ssh-keygen -t ecdsa -b 256 -f /etc/ssh/ssh_host_ecdsa_key -N "" && \
+    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
+
+# Secure SSH Configuration
+RUN sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config && \
+    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config && \
+    sed -i 's/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config && \
+    sed -i 's/#UsePAM yes/UsePAM no/' /etc/ssh/sshd_config && \
+    sed -i 's/#Port 22/Port 2222/' /etc/ssh/sshd_config && \
+    echo "AllowUsers admin" >> /etc/ssh/sshd_config
+
+
+# Copy all the contents of /etc/ssh to /app/ssh
+RUN mkdir -p /app/ssh && cp -r /etc/ssh/* /app/ssh
+
+
+# Set the permissions for the SSH keys
+RUN chmod 777 /etc/ssh/ssh_host_* && \
+    touch /app/ssh/ssh_known_hosts && \
+    chmod 777 /app/ssh/ssh_* && \
+    chmod 777 /home
+
+# List contents of /etc/ssh and /app/ssh
+RUN ls -l /etc/ssh/ && \
+    ls -l /app/ssh/
+
+# Install WebSSH
+RUN python3 -m venv /app/venv && \
+    /app/venv/bin/pip install --no-cache-dir --upgrade pip && \
+    /app/venv/bin/pip install --no-cache-dir -r /app/WebSSH/requirements.txt && \
+    /app/venv/bin/pip list 
+    
+# Expose the new SSH port
+EXPOSE 2222
+
+RUN chmod -R 777 /app
+
+# Copy the start.sh script
+#RUN chmod 777 /app/venv/lib/python3.12/site-packages/
+#RUN touch /app/venv/lib/python3.12/site-packages/known_hosts
+#RUN chmod 777 /app/venv/lib/python3.12/site-packages/known_hosts
+
+EXPOSE 7860
+
+CMD ["/app/start.sh"]

WebSSH/Fonts.py

@@ -0,0 +1,34 @@
+import os
+import importlib.util
+
+# Automatically detect the path to the webssh package
+spec = importlib.util.find_spec('webssh')
+base_dir = os.path.dirname(spec.origin) if spec else None
+font_dirs = ['static', 'css', 'fonts']
+max_body_size = 1 * 1024 * 1024
+
+
+class Font(object):
+
+    def __init__(self, filename, dirs):
+        self.family = self.get_family(filename)
+        self.url = self.get_url(filename, dirs)
+
+    def get_family(self, filename):
+        return filename.split('.')[0]
+
+    def get_url(self, filename, dirs):
+        return '/'.join(dirs + [filename])
+
+def get_font_filename(font, font_dir):
+    filenames = {f for f in os.listdir(font_dir) if not f.startswith('.')
+                 and os.path.isfile(os.path.join(font_dir, f))}
+    if font:
+        if font not in filenames:
+            raise ValueError(
+                'Font file {!r} not found'.format(os.path.join(font_dir, font))
+            )
+    elif filenames:
+        font = filenames.pop()
+
+    return font

WebSSH/Tools.py

@@ -0,0 +1,95 @@
+import os
+import ssl
+import sys
+import logging
+import os.path
+import importlib.util
+
+# Automatically detect the path to the webssh package
+spec = importlib.util.find_spec('webssh')
+base_dir = os.path.dirname(spec.origin) if spec else None
+
+#font_dirs = ['static', 'css', 'fonts']
+max_body_size = 1 * 1024 * 1024
+
+#base_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+#font_dirs = ['webssh', 'static', 'css', 'fonts']
+
+def print_version(flag):
+    if flag:
+        print(__version__)
+        sys.exit(0)
+
+def is_valid_encoding(encoding):
+    try:
+        u'test'.encode(encoding)
+    except LookupError:
+        return False
+    except ValueError:
+        return False
+    return True
+
+def check_encoding_setting(encoding):
+    if encoding and not is_valid_encoding(encoding):
+        raise ValueError('Unknown character encoding {!r}.'.format(encoding))
+
+def get_server_settings(options):
+    settings = dict(
+        xheaders=options.xheaders,
+        max_body_size=max_body_size,
+        trusted_downstream=get_trusted_downstream(options.tdstream)
+    )
+    return settings
+
+def get_trusted_downstream(tdstream):
+    result = set()
+    for ip in tdstream.split(','):
+        ip = ip.strip()
+        if ip:
+            to_ip_address(ip)
+            result.add(ip)
+    return result
+    
+def get_origin_setting(options):
+    if options.origin == '*':
+        if not options.debug:
+            raise ValueError(
+                'Wildcard origin policy is only allowed in debug mode.'
+            )
+        else:
+            return '*'
+
+    origin = options.origin.lower()
+    if origin in ['same', 'primary']:
+        return origin
+
+    origins = set()
+    for url in origin.split(','):
+        orig = parse_origin_from_url(url)
+        if orig:
+            origins.add(orig)
+
+    if not origins:
+        raise ValueError('Empty origin list')
+
+    return origins
+
+    
+def get_ssl_context(options):
+    if not options.certfile and not options.keyfile:
+        return None
+    elif not options.certfile:
+        raise ValueError('certfile is not provided')
+    elif not options.keyfile:
+        raise ValueError('keyfile is not provided')
+    elif not os.path.isfile(options.certfile):
+        raise ValueError('File {!r} does not exist'.format(options.certfile))
+    elif not os.path.isfile(options.keyfile):
+        raise ValueError('File {!r} does not exist'.format(options.keyfile))
+    else:
+        ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
+        ssl_ctx.load_cert_chain(options.certfile, options.keyfile)
+        return ssl_ctx
+
+
+

WebSSH/__main__.py

@@ -0,0 +1,166 @@
+import os
+import webssh
+import logging
+import paramiko
+import subprocess
+import tornado.web
+import tornado.ioloop
+from tornado.options import define, options
+#from webssh.settings import get_origin_setting
+from webssh.handler import IndexHandler, WsockHandler, NotFoundHandler
+from .Fonts import Font, get_font_filename, base_dir, font_dirs, max_body_size
+from .Tools import get_ssl_context, get_origin_setting, get_server_settings, check_encoding_setting, print_version
+
+logging.getLogger("tornado.access").setLevel(logging.DEBUG)
+logging.getLogger("tornado.application").setLevel(logging.DEBUG)
+logging.getLogger("tornado.general").setLevel(logging.DEBUG)
+
+# Define application options
+define('address', default='0.0.0.0', help='Listen address')
+define('port', type=int, default=7860,  help='Listen port')
+define('ssladdress', default='', help='SSL listen address')
+define('sslport', type=int, default=4433,  help='SSL listen port')
+define('certfile', default='', help='SSL certificate file')
+define('keyfile', default='', help='SSL private key file')
+define('debug', type=bool, default=True, help='Debug mode')
+define('policy', default='autoadd', help='Missing host key policy, reject|autoadd|warning')
+define('hostfile', default='', help='User defined host keys file')
+define('syshostfile', default='', help='System wide host keys file')
+define('tdstream', default='', help='Trusted downstream, separated by comma')
+define('redirect', type=bool, default=True, help='Redirecting http to https')
+define('fbidhttp', type=bool, default=False, help='Forbid public plain http incoming requests')
+define('xheaders', type=bool, default=False, help='Support xheaders')
+define('xsrf', type=bool, default=False, help='CSRF protection')
+define(
+    "origin",
+    default="*",
+    help="""Origin policy,
+'same': same origin policy, matches host name and port number;
+'primary': primary domain policy, matches primary domain only;
+'<domains>': custom domains policy, matches any domain in the <domains> list
+separated by comma;
+'*': wildcard policy, matches any domain, allowed in debug mode only.""",
+)
+define('wpintvl', type=float, default=30, help='Websocket ping interval')
+define('timeout', type=float, default=60, help='SSH connection timeout')
+define('delay', type=float, default=60, help='The delay to call recycle_worker')
+define('maxconn', type=int, default=5, help='Maximum live connections (ssh sessions) per client')
+define('font', default='', help='custom font filename')
+
+define(
+    "encoding",
+    default="utf-8",
+    help="""The default character encoding of ssh servers.
+Example: --encoding='utf-8' to solve the problem with some switches&routers""",
+)
+
+define('version', type=bool, help='Show version information',callback=print_version)
+
+# New handler for your custom page
+class AppHandler(tornado.web.RequestHandler):
+    # Define the path to the templates directory
+    HandlerPath = os.path.join(os.path.dirname(os.path.dirname(os.path.abspath(__file__))),'WebSSH', 'templates') 
+    template_folder = os.path.join(os.path.dirname(os.path.dirname(os.path.abspath(__file__))), 'WebSSH', 'templates')
+
+    def get(self):
+        self.render(os.path.join(self.template_folder, 'index.html'))
+
+    def post(self):
+        username = self.get_argument("username")
+        password = self.get_argument("password")
+
+        # Check if the user already exists
+        user_exists = subprocess.run(["id", "-u", username], capture_output=True)
+        if user_exists.returncode == 0:
+            # User exists, read the existing SSH key
+            ssh_dir = f"/home/{username}/.ssh"
+            private_key_path = f"{ssh_dir}/id_rsa"
+            if os.path.exists(private_key_path):
+                with open(private_key_path, "r") as file:
+                    private_key = file.read()
+            else:
+                self.set_status(404)
+                self.write("SSH key not found for existing user.")
+                return
+        else:
+            """
+            # Create the user directory and .ssh directory manually
+            user_home = f"/home/{username}"
+            ssh_dir = f"{user_home}/.ssh"
+            os.makedirs(ssh_dir, exist_ok=True)
+
+            # Generate SSH key pair for the new user
+            subprocess.run(["ssh-keygen", "-t", "rsa", "-b", "2048", "-f", f"{ssh_dir}/id_rsa", "-N", ""])
+
+            # Read the private key
+            with open(f"{ssh_dir}/id_rsa", "r") as file:
+                private_key = file.read()
+            """
+            self.set_status(404)
+            self.write("SSH key not found for existing user.")
+            return
+
+        # Return the private key to the user
+        self.set_header('Content-Type', 'application/octet-stream')
+        self.set_header('Content-Disposition', f'attachment; filename=id_rsa.txt')
+        self.write(private_key)
+    
+
+def make_app(loop): 
+    # Set SSH host key policy
+    policy = paramiko.AutoAddPolicy() if options.policy == 'autoadd' else paramiko.RejectPolicy()
+    # Define host keys settings
+    host_keys_settings = {
+        'system_host_keys': paramiko.util.load_host_keys('/app/ssh/ssh_known_hosts'),
+        'host_keys': paramiko.HostKeys(),
+        'host_keys_filename': None
+    }
+    template_path=os.path.join(base_dir, '', 'templates'),
+    static_path=os.path.join(base_dir, '', 'static'),
+    #print(f"* Path: {base_dir},\n* Template Path: {template_path}, \n* Static Path: {static_path}")
+    # Create Tornado application
+    return tornado.web.Application(
+        [
+            (r'/', IndexHandler, dict(loop=loop, policy=policy, host_keys_settings=host_keys_settings)),
+            (r'/ws', WsockHandler, dict(loop=loop)),
+            (r'/app', AppHandler),  # Route for your new page
+        ],
+        
+        template_path=os.path.join(base_dir, '', 'templates'),
+        static_path=os.path.join(base_dir, '', 'static'),
+        xsrf_cookies=options.xsrf,
+        debug=options.debug,
+        font=Font(
+            get_font_filename(options.font, os.path.join(base_dir, *font_dirs)),
+            font_dirs[1:]
+        ),
+        websocket_ping_interval=options.wpintvl,
+        origin_policy=get_origin_setting(options),
+        origin=options.origin
+    )
+
+def app_listen(app, port, address, server_settings):
+    app.listen(port, address, **server_settings)
+    if not server_settings.get('ssl_options'):
+        server_type = 'http'
+    else:
+        server_type = 'https'
+        handler.redirecting = True if options.redirect else False
+    logging.info('Listening on {}:{} ({})'.format(address, port, server_type))
+
+
+if __name__ == '__main__':
+    loop = tornado.ioloop.IOLoop.current()
+    check_encoding_setting(options.encoding)
+    # Parse command-line options
+    tornado.options.parse_command_line()
+    # Create and start the application
+    app = make_app(loop)
+    ssl_ctx = get_ssl_context(options)
+    server_settings = get_server_settings(options)
+    app_listen(app, options.port, options.address, server_settings)
+    if ssl_ctx:
+        server_settings.update(ssl_options=ssl_ctx)
+        app_listen(app, options.sslport, options.ssladdress, server_settings)
+
+    loop.start()

WebSSH/maink.py

@@ -0,0 +1,59 @@
+import tornado.ioloop
+import tornado.web
+import paramiko
+from webssh.handler import IndexHandler, WsockHandler
+from tornado.options import define, options
+
+# Define application options
+define('address', default='0.0.0.0', help='Bind address')
+define('port', default=7860, help='Port to listen on')
+define('xsrf', default=False, help='Enable XSRF protection')
+define('debug', default=True, help='Enable debug mode')
+define('maxconn', default=4, help='Maximum number of connections')
+define('policy', default='autoadd', help='SSH host key policy')
+define('sslport', default=443, help='SSL port for redirect')
+define('timeout', default=30, help='SSH connection timeout')
+define('encoding', default='utf-8', help='Default encoding')
+define('delay', default=10, help='Delay before recycling worker')
+define('xheaders', default=False, help='Support X-Real-Ip and X-Forwarded-For headers')
+define('fbidhttp', default=False, help='Forbid public plain HTTP requests')
+
+# New handler for your custom page
+class MyPageHandler(tornado.web.RequestHandler):
+    def get(self):
+        self.render('mypage.html')  # Render the new page template
+
+def make_app():
+    loop = tornado.ioloop.IOLoop.current()
+
+    # Set SSH host key policy
+    policy = paramiko.AutoAddPolicy() if options.policy == 'autoadd' else paramiko.RejectPolicy()
+
+    # Define host keys settings
+    host_keys_settings = {
+        'system_host_keys': paramiko.util.load_host_keys('/app/ssh/ssh_known_hosts'),
+        'host_keys': paramiko.HostKeys(),
+        'host_keys_filename': None
+    }
+
+    # Create Tornado application
+    return tornado.web.Application(
+        [
+            (r'/', IndexHandler, dict(loop=loop, policy=policy, host_keys_settings=host_keys_settings)),
+            (r'/ws', WsockHandler, dict(loop=loop)),
+            (r'/mypage', MyPageHandler),  # Route for your new page
+        ],
+        xsrf_cookies=options.xsrf,
+        debug=options.debug,
+        template_path='/app/WebSSH/templates',  # Correct template directory
+    )
+
+if __name__ == '__main__':
+    # Parse command-line options
+    tornado.options.parse_command_line()
+
+    # Create and start the application
+    app = make_app()
+    app.listen(options.port, address=options.address)
+    print(f"WebSSH server running on {options.address}:{options.port}")
+    tornado.ioloop.IOLoop.current().start()

WebSSH/requirements.txt

@@ -0,0 +1,5 @@
+tornado
+webssh 
+paramiko
+Jinja2
+logging

WebSSH/templates/index.html

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title> WebSSH </title>
+    <link href="static/img/favicon.png" rel="icon" type="image/png">
+</head>
+<body>
+    <div class="container">
+        <h1>Create New User</h1>
+        <form action="/app" method="post">
+            <label for="username">Username:</label>
+            <input type="text" id="username" name="username" required><br>
+            <label for="password">Password:</label>
+            <input type="password" id="password" name="password" required><br>
+            <button type="submit">Create User</button>
+        </form>
+    </div>
+</body>
+</html>

start.sh

@@ -0,0 +1,92 @@
+#!/bin/sh
+
+# Print the current hostname
+echo "* The hostname of this container is: $(cat /etc/hostname)"
+echo "* The host of this container is: $(cat /etc/hosts)"
+echo "* ID of the user running the script: $(id -u) * Group: $(id -g) * Status of Admin : $(id admin)"
+
+# Check if SSH host keys are present, if not generate them in a writable location
+if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
+    echo "* Generating SSH host keys *"
+    mkdir -p /app/ssh
+    ssh-keygen -t rsa -b 2048 -f /app/ssh/ssh_host_rsa_key -N ""
+    ssh-keygen -t ecdsa -b 256 -f /app/ssh/ssh_host_ecdsa_key -N ""
+    ssh-keygen -t ed25519 -f /app/ssh/ssh_host_ed25519_key -N ""
+    mv /app/ssh/ssh_host_* /etc/ssh/
+fi
+
+# Check if SSH service is running
+if ! pgrep -x "sshd" > /dev/null; then
+    echo "* Starting SSH server on port : 2222 *"
+    #/usr/sbin/sshd
+    /usr/sbin/sshd -p 2222
+else
+    echo "* SSH server is already running. *"
+fi
+
+# Check if admin user exists
+if ! id -u admin &>/dev/null; then
+    adduser -D admin
+    echo "admin:password" | chpasswd
+fi
+
+# Generate SSH keys for admin user if not already present
+if [ ! -f /home/admin/.ssh/id_rsa ]; then
+    echo "* Generating SSH key for admin user *"
+    mkdir -p /home/admin/.ssh
+    ssh-keygen -t rsa -b 2048 -f /home/admin/.ssh/id_rsa -q -N ""
+    chown -R admin:admin /home/admin/.ssh
+    chmod 700 /home/admin/.ssh
+    chmod 600 /home/admin/.ssh/id_rsa
+    chmod 644 /home/admin/.ssh/id_rsa.pub
+fi
+
+# Add public key to authorized_keys for admin user
+if [ ! -f /home/admin/.ssh/authorized_keys ]; then
+    cat /home/admin/.ssh/id_rsa.pub >> /home/admin/.ssh/authorized_keys
+    chmod 600 /home/admin/.ssh/authorized_keys
+    chown admin:admin /home/admin/.ssh/authorized_keys
+fi
+
+#echo "* Contents of id_rsa:"
+#cat /home/admin/.ssh/id_rsa
+
+# Test SSH login locally
+#ssh -o StrictHostKeyChecking=no -i /home/admin/.ssh/id_rsa admin@127.0.0.1 -p 2222 exit
+
+#if [ $? -eq 0 ]; then
+#    echo "* Admin SSH key-based login successful."
+#else
+#    echo "* Admin SSH key-based login failed!" >&2
+#fi
+
+echo "* Status of SSH service:"
+netstat -tuln 
+
+# Test if admin's credentials are correct
+#echo "* Testing admin's SSH login locally *"
+#ssh -o StrictHostKeyChecking=no -i /home/admin/.ssh/id_rsa admin@127.0.0.1 -p 2222 exit
+
+#if [ $? -eq 0 ]; then
+#    echo "* Admin credentials are valid."
+#else
+#    echo "* Admin login failed! Check the password for 'admin' user." >&2
+#fi
+
+# Activate virtual environment
+source /app/venv/bin/activate
+
+# Set working directory for the application
+cd /app
+
+# Print list of the contents inside this directory
+echo "* Contents of /app directory: *"
+ls -la /app
+
+python3 -u -m WebSSH
+
+#wssh --address='0.0.0.0' --port=7860 --xsrf=False --debug=True --maxconn=4 --policy=autoadd
+#wssh --address='0.0.0.0' --port=7860 --xsrf=False --debug=True --maxconn=4 --policy=reject
+#wssh --address='0.0.0.0' --port=7860 --xsrf=False --debug=True --maxconn=4  --policy=accept
+# Keep the container running
+tail -f /dev/null