From b222249f3be625ec2b4d4762bb4dc0113707d046 Mon Sep 17 00:00:00 2001 From: Adam Date: Mon, 28 Jun 2021 23:15:33 +0100 Subject: [PATCH] Add pam support, rebase to 3.14 (#45) --- .github/workflows/external_trigger.yml | 4 +-- Dockerfile | 42 +++++++++++++------------- Dockerfile.aarch64 | 42 +++++++++++++------------- Dockerfile.armhf | 42 +++++++++++++------------- Jenkinsfile | 6 ++-- README.md | 1 + jenkins-vars.yml | 6 ++-- readme-vars.yml | 1 + root/etc/cont-init.d/10-adduser | 17 +++++++++++ root/etc/services.d/openssh-server/run | 2 +- 10 files changed, 91 insertions(+), 72 deletions(-) diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml index 5a662d1..fb5247e 100755 --- a/.github/workflows/external_trigger.yml +++ b/.github/workflows/external_trigger.yml @@ -18,8 +18,8 @@ jobs: fi echo "**** External trigger running off of master branch. To disable this trigger, set a Github secret named \"PAUSE_EXTERNAL_TRIGGER_OPENSSH_SERVER_MASTER\". ****" echo "**** Retrieving external version ****" - EXT_RELEASE=$(curl -sL "http://nl.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ - && awk '/^P:'"openssh-server"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://') + EXT_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ + && awk '/^P:'"openssh-server-pam"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://') if [ -z "${EXT_RELEASE}" ] || [ "${EXT_RELEASE}" == "null" ]; then echo "**** Can't retrieve external version, exiting ****" FAILURE_REASON="Can't retrieve external version for openssh-server branch master" diff --git a/Dockerfile b/Dockerfile index 3542474..75ac526 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/linuxserver/baseimage-alpine:3.13 +FROM ghcr.io/linuxserver/baseimage-alpine:3.14 # set version label ARG BUILD_DATE 
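Review bot: The APKINDEX lookup in `.github/workflows/external_trigger.yml` still uses plain `http://` and `curl -sL` without `-f`, so the version string driving the trigger comes from an unauthenticated response, and an HTTP error body is piped straight into `tar`. The same fetch appears in the RUN hunks of `Dockerfile`, `Dockerfile.aarch64` and `Dockerfile.armhf`, where the result pins `openssh-server-pam==${OPENSSH_RELEASE}`. apk still verifies package signatures at install time, so the likely impact is a wrong or empty version string (a failed or misdirected build) rather than a tampered package. Switching the URL scheme to `https://` and using `curl -fsSL` would close that gap cheaply. The rest of the workflow step lies outside the hunk.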
@@ -8,26 +8,26 @@ LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DA LABEL maintainer="aptalca" RUN \ - echo "**** install runtime packages ****" && \ - apk add --no-cache --upgrade \ - curl \ - logrotate \ - nano \ - sudo && \ - echo "**** install openssh-server ****" && \ - if [ -z ${OPENSSH_RELEASE+x} ]; then \ - OPENSSH_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ - && awk '/^P:openssh-server$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \ - fi && \ - apk add --no-cache \ - openssh-client==${OPENSSH_RELEASE} \ - openssh-server==${OPENSSH_RELEASE} \ - openssh-sftp-server==${OPENSSH_RELEASE} && \ - echo "**** setup openssh environment ****" && \ - sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config && \ - usermod --shell /bin/bash abc && \ - rm -rf \ - /tmp/* + echo "**** install runtime packages ****" && \ + apk add --no-cache --upgrade \ + curl \ + logrotate \ + nano \ + sudo && \ + echo "**** install openssh-server ****" && \ + if [ -z ${OPENSSH_RELEASE+x} ]; then \ + OPENSSH_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp && \ + awk '/^P:openssh-server-pam$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \ + fi && \ + apk add --no-cache \ + openssh-client==${OPENSSH_RELEASE} \ + openssh-server-pam==${OPENSSH_RELEASE} \ + openssh-sftp-server==${OPENSSH_RELEASE} && \ + echo "**** setup openssh environment ****" && \ + sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config && \ + usermod --shell /bin/bash abc && \ + rm -rf \ + /tmp/* # add local files COPY /root / diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 1f69a84..d9b3007 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 
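Review bot: With the PAM-enabled server package, the `sed` that sets `PasswordAuthentication no` in this RUN block may no longer be enough to keep password logins off: once `UsePAM yes` is in effect, keyboard-interactive authentication can still prompt for a password through PAM. The patch does not show where `UsePAM` or the keyboard-interactive option is configured, so confirm this against the shipped `sshd_config`; if it is not handled in an init script, set `ChallengeResponseAuthentication no` explicitly alongside the existing edit. The existing `sed` also does nothing, silently, if the commented default line differs in the 3.14 package, so a build-time guard such as `grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config` after it would catch that. The same block is repeated in `Dockerfile.aarch64` and `Dockerfile.armhf`.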
@@ -1,4 +1,4 @@ -FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.13 +FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.14 # set version label ARG BUILD_DATE @@ -8,26 +8,26 @@ LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DA LABEL maintainer="aptalca" RUN \ - echo "**** install runtime packages ****" && \ - apk add --no-cache --upgrade \ - curl \ - logrotate \ - nano \ - sudo && \ - echo "**** install openssh-server ****" && \ - if [ -z ${OPENSSH_RELEASE+x} ]; then \ - OPENSSH_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ - && awk '/^P:openssh-server$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \ - fi && \ - apk add --no-cache \ - openssh-client==${OPENSSH_RELEASE} \ - openssh-server==${OPENSSH_RELEASE} \ - openssh-sftp-server==${OPENSSH_RELEASE} && \ - echo "**** setup openssh environment ****" && \ - sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config && \ - usermod --shell /bin/bash abc && \ - rm -rf \ - /tmp/* + echo "**** install runtime packages ****" && \ + apk add --no-cache --upgrade \ + curl \ + logrotate \ + nano \ + sudo && \ + echo "**** install openssh-server ****" && \ + if [ -z ${OPENSSH_RELEASE+x} ]; then \ + OPENSSH_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.14/main/aarch64/APKINDEX.tar.gz" | tar -xz -C /tmp && \ + awk '/^P:openssh-server-pam$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \ + fi && \ + apk add --no-cache \ + openssh-client==${OPENSSH_RELEASE} \ + openssh-server-pam==${OPENSSH_RELEASE} \ + openssh-sftp-server==${OPENSSH_RELEASE} && \ + echo "**** setup openssh environment ****" && \ + sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config && \ + usermod --shell /bin/bash abc && \ + rm -rf \ + /tmp/* # add local files COPY /root / diff --git a/Dockerfile.armhf b/Dockerfile.armhf index df0fdde..156b009 100644 --- a/Dockerfile.armhf 
+++ b/Dockerfile.armhf @@ -1,4 +1,4 @@ -FROM ghcr.io/linuxserver/baseimage-alpine:arm32v7-3.13 +FROM ghcr.io/linuxserver/baseimage-alpine:arm32v7-3.14 # set version label ARG BUILD_DATE @@ -8,26 +8,26 @@ LABEL build_version="Linuxserver.io version:- ${VERSION} Build-date:- ${BUILD_DA LABEL maintainer="aptalca" RUN \ - echo "**** install runtime packages ****" && \ - apk add --no-cache --upgrade \ - curl \ - logrotate \ - nano \ - sudo && \ - echo "**** install openssh-server ****" && \ - if [ -z ${OPENSSH_RELEASE+x} ]; then \ - OPENSSH_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp \ - && awk '/^P:openssh-server$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \ - fi && \ - apk add --no-cache \ - openssh-client==${OPENSSH_RELEASE} \ - openssh-server==${OPENSSH_RELEASE} \ - openssh-sftp-server==${OPENSSH_RELEASE} && \ - echo "**** setup openssh environment ****" && \ - sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config && \ - usermod --shell /bin/bash abc && \ - rm -rf \ - /tmp/* + echo "**** install runtime packages ****" && \ + apk add --no-cache --upgrade \ + curl \ + logrotate \ + nano \ + sudo && \ + echo "**** install openssh-server ****" && \ + if [ -z ${OPENSSH_RELEASE+x} ]; then \ + OPENSSH_RELEASE=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/v3.14/main/armhf/APKINDEX.tar.gz" | tar -xz -C /tmp && \ + awk '/^P:openssh-server-pam$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://'); \ + fi && \ + apk add --no-cache \ + openssh-client==${OPENSSH_RELEASE} \ + openssh-server-pam==${OPENSSH_RELEASE} \ + openssh-sftp-server==${OPENSSH_RELEASE} && \ + echo "**** setup openssh environment ****" && \ + sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config && \ + usermod --shell /bin/bash abc && \ + rm -rf \ + /tmp/* # add local files COPY /root / diff --git a/Jenkinsfile b/Jenkinsfile index 6e5d636..54da09f 100644 
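Review bot: The index URL in `Dockerfile.armhf` is hard-coded to the `armhf` repository while the base image tag is `arm32v7-3.14`. If the base image's apk architecture is `armv7` rather than `armhf`, the version read from the index is not the one apk installs from, and the `==${OPENSSH_RELEASE}` pins may fail to resolve. This cannot be confirmed from the patch, so check `apk --print-arch` inside the base image. Deriving the path segment from that command, e.g. `.../alpine/v3.14/main/$(apk --print-arch)/APKINDEX.tar.gz`, would also remove the per-file difference between the three Dockerfiles.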
--- a/Jenkinsfile +++ b/Jenkinsfile @@ -24,9 +24,9 @@ pipeline { DEV_DOCKERHUB_IMAGE = 'lsiodev/openssh-server' PR_DOCKERHUB_IMAGE = 'lspipepr/openssh-server' DIST_IMAGE = 'alpine' - DIST_TAG = '3.13' - DIST_REPO = 'http://nl.alpinelinux.org/alpine/v3.13/main/' - DIST_REPO_PACKAGES = 'openssh-server' + DIST_TAG = '3.14' + DIST_REPO = 'http://dl-cdn.alpinelinux.org/alpine/v3.14/main/' + DIST_REPO_PACKAGES = 'openssh-server-pam' MULTIARCH='true' CI='true' CI_WEB='false' diff --git a/README.md b/README.md index 123c61e..c85270e 100644 --- a/README.md +++ b/README.md @@ -281,6 +281,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **28.06.21:** - Rebasing to alpine 3.14. Add support for PAM. * **10.02.21:** - Rebasing to alpine 3.13. Add openssh-client for scp. * **21.10.20:** - Implement s6-log for openssh, which adds local timestamps to logs and can be used with a log parser like fail2ban. * **20.10.20:** - Set umask for sftp. diff --git a/jenkins-vars.yml b/jenkins-vars.yml index ac8a867..5cedea0 100644 --- a/jenkins-vars.yml +++ b/jenkins-vars.yml @@ -15,9 +15,9 @@ repo_vars: - DEV_DOCKERHUB_IMAGE = 'lsiodev/openssh-server' - PR_DOCKERHUB_IMAGE = 'lspipepr/openssh-server' - DIST_IMAGE = 'alpine' - - DIST_TAG = '3.13' - - DIST_REPO = 'http://nl.alpinelinux.org/alpine/v3.13/main/' - - DIST_REPO_PACKAGES = 'openssh-server' + - DIST_TAG = '3.14' + - DIST_REPO = 'http://dl-cdn.alpinelinux.org/alpine/v3.14/main/' + - DIST_REPO_PACKAGES = 'openssh-server-pam' - MULTIARCH='true' - CI='true' - CI_WEB='false' diff --git a/readme-vars.yml b/readme-vars.yml index 71baeee..a6ed5a1 100644 --- a/readme-vars.yml +++ b/readme-vars.yml 
@@ -91,6 +91,7 @@ app_setup_block: | # changelog changelogs: + - { date: "28.06.21:", desc: "Rebasing to alpine 3.14. Add support for PAM." } - { date: "10.02.21:", desc: "Rebasing to alpine 3.13. Add openssh-client for scp." } - { date: "21.10.20:", desc: "Implement s6-log for openssh, which adds local timestamps to logs and can be used with a log parser like fail2ban." } - { date: "20.10.20:", desc: "Set umask for sftp." } diff --git a/root/etc/cont-init.d/10-adduser b/root/etc/cont-init.d/10-adduser index c042f1c..5906562 100644 --- a/root/etc/cont-init.d/10-adduser +++ b/root/etc/cont-init.d/10-adduser @@ -32,6 +32,23 @@ User uid: $(id -u "$USER_NAME") User gid: $(id -g "$USER_NAME") ------------------------------------- " + +time32="$(date +%Y)" + +if [[ "${time32}" == "1970" || "${time32}" == "1969" ]] && [ "$(uname -m)" == "armv7l" ]; then + echo ' +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + +Your DockerHost is most likely running an outdated version of libseccomp + +To fix this, please visit https://docs.linuxserver.io/faq#libseccomp + +Some apps might not behave correctly without this + +@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +' +fi + chown "$USER_NAME":"$USER_NAME" /app chown "$USER_NAME":"$USER_NAME" /config chown "$USER_NAME":"$USER_NAME" /defaults diff --git a/root/etc/services.d/openssh-server/run b/root/etc/services.d/openssh-server/run index 76fb785..c7e6d97 100644 --- a/root/etc/services.d/openssh-server/run +++ b/root/etc/services.d/openssh-server/run @@ -3,4 +3,4 @@ USER_NAME=${USER_NAME:-linuxserver.io} exec 2>&1 \ - s6-setuidgid ${USER_NAME} /usr/sbin/sshd -D -e -p 2222 + s6-setuidgid ${USER_NAME} /usr/sbin/sshd.pam -D -e -p 2222
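Review bot: The new `time32` check in `root/etc/cont-init.d/10-adduser` has no comment explaining why a year of 1970 or 1969 on `armv7l` points at libseccomp, and the variable name does not say it either. A short comment above it would help, e.g. `# a clock stuck at the epoch on 32-bit ARM suggests the host's libseccomp is blocking the newer time syscalls`. That reading is inferred from the printed message, so the author should confirm the wording. The condition also mixes `[[ … ]]` with `[ … == … ]`; using `[[ … ]]` for both tests would be consistent, assuming the script runs under bash (the shebang is outside the hunk).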
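Review bot: In `root/etc/services.d/openssh-server/run`, `sshd.pam` is still launched through `s6-setuidgid ${USER_NAME}`, so the daemon and its PAM stack run without root. PAM modules that need privileged access (for example reading the shadow database) may fail or behave differently in that setup, so it would be worth stating in the README which PAM use cases are expected to work unprivileged. Separately, quote the expansion so an unusual `USER_NAME` value cannot split into extra arguments: `s6-setuidgid "${USER_NAME}" /usr/sbin/sshd.pam -D -e -p 2222`.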