rustdesk/rustdesk-server
1
0
Fork 0
mirror of https://github.com/rustdesk/rustdesk-server.git synced 2025-07-01 23:35:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

keypair verification before container startup

Browse Source
This commit is contained in:
Paolo Asperti 2022-07-21 16:45:21 +02:00
parent 06bd1117f6
commit fab70ce8e7
No known key found for this signature in database
GPG Key ID: 06D46905D19D5182
2 changed files with 30 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -185,6 +185,8 @@ We use these environment variables:
You can obviously keep the key pair in a docker volume, but the best practices tells you to not write the keys on the filesystem; so we provide a couple of options. You can obviously keep the key pair in a docker volume, but the best practices tells you to not write the keys on the filesystem; so we provide a couple of options.
On container startup, the presence of the keypair is checked (`/data/id_ed25519.pub` and `/data/id_ed25519`) and if one of these keys doesn't exist, it's recreated from ENV variables or docker secrets. On container startup, the presence of the keypair is checked (`/data/id_ed25519.pub` and `/data/id_ed25519`) and if one of these keys doesn't exist, it's recreated from ENV variables or docker secrets.
Then the validity of the keypair is checked: if public and private keys doesn't match, the container will stop.
If you provide no keys, `hbbs` will generate one for you, and it'll place it in the default location.
#### Use ENV to store the key pair #### Use ENV to store the key pair

33
docker/rootfs/etc/s6-overlay/s6-rc.d/key-secret/up.real
View File

@ -26,10 +26,33 @@ if [ ! -f /data/id_ed25519 ] && [ ! "$KEY_PRIV" = "" ] ; then
echo "Private key created from ENV variable" echo "Private key created from ENV variable"
fi fi
# fix perms # check if both keys provided
if [ -f /data/id_ed25519.pub ] ; then if [ -f /data/id_ed25519.pub ] && [ ! -f /data/id_ed25519 ] ; then
chmod 600 /data/id_ed25519.pub echo "Private key missing."
echo "You must provide BOTH the private and the public key."
/run/s6/basedir/bin/halt
exit 1
fi fi
if [ -f /data/id_ed25519 ] ; then
chmod 600 /data/id_ed25519 if [ ! -f /data/id_ed25519.pub ] && [ -f /data/id_ed25519 ] ; then
echo "Public key missing."
echo "You must provide BOTH the private and the public key."
/run/s6/basedir/bin/halt
exit 1
fi fi
# here we have either no keys or both
# if we have both keys, we fix permissions and ownership
# and check for keypair validation
if [ -f /data/id_ed25519.pub ] && [ -f /data/id_ed25519 ] ; then
chmod 0600 /data/id_ed25519.pub /data/id_ed25519
chown root:root /data/id_ed25519.pub /data/id_ed25519
/usr/bin/rustdesk-utils validatekeypair "$(cat /data/id_ed25519.pub)" "$(cat /data/id_ed25519)" || {
echo "Key pair not valid"
/run/s6/basedir/bin/halt
exit 1
}
fi
# if we have no keypair, hbbs will generate one