Merge pull request #45 from jpculp/custom-username

Support custom username

Dockerfile

@@ -57,16 +57,13 @@ COPY --from=builder /opt/bash /opt/bin/
 RUN rm -f /etc/motd /etc/issue
 ADD --chown=root:root motd /etc/
 
-ADD --chown=root:root ec2-user.sudoers /etc/sudoers.d/ec2-user
 ADD start_admin_sshd.sh /usr/sbin/
 ADD ./sshd_config /etc/ssh/
 ADD ./sheltie /usr/bin/
 
-RUN chmod 440 /etc/sudoers.d/ec2-user
 RUN chmod +x /usr/sbin/start_admin_sshd.sh
 RUN chmod +x /usr/bin/sheltie
 RUN groupadd -g 274 api
-RUN useradd -m -G users,api ec2-user
 
 CMD ["/usr/sbin/start_admin_sshd.sh"]
 ENTRYPOINT ["/bin/bash", "-c"]

README.md

@@ -23,32 +23,32 @@ To use custom public keys for `.ssh/authorized_keys` and/or custom CA keys for `
 
 ```
 {
-   "ssh":{
-      "authorized-keys":[
-         "ssh-rsa EXAMPLEAUTHORIZEDPUBLICKEYHERE my-key-pair"
-      ],
-      "trusted-user-ca-keys":[
-         "ssh-rsa EXAMPLETRUSTEDCAPUBLICKEYHERE authority@ssh-ca.example.com"
-      ]
-   }
+  "ssh": {
+    "authorized-keys": [
+      "ssh-rsa EXAMPLEAUTHORIZEDPUBLICKEYHERE my-key-pair"
+    ],
+    "trusted-user-ca-keys": [
+      "ssh-rsa EXAMPLETRUSTEDCAPUBLICKEYHERE authority@ssh-ca.example.com"
+    ]
+  }
 }
 ```
 
 If you want to access to the admin container using [EC2 instance connect](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html), set `authorized-keys-command` and `authorized-keys-command-user` as follows:
 ```
 {
-    "ssh": {
-      "authorized-keys-command": "/opt/aws/bin/eic_run_authorized_keys %u %f",
-      "authorized-keys-command-user": "ec2-instance-connect"
-    }
+  "ssh": {
+    "authorized-keys-command": "/opt/aws/bin/eic_run_authorized_keys %u %f",
+    "authorized-keys-command-user": "ec2-instance-connect"
+  }
 }
 ```
 
 To change allowed SSH ciphers to a specific set, you can add a ciphers section:
 
 ```
 {
-  "ssh":{
+  "ssh": {
     "authorized-keys...",
     "ciphers": [
         "chacha20-poly1305@openssh.com",
@@ -62,6 +62,17 @@ To change allowed SSH ciphers to a specific set, you can add a ciphers section:
 }
 ```
 
+By default, the admin container's local user will be `ec2-user`. If you would like to change this, you can set the user value like so:
+
+```
+{
+  "user": "bottlerocket",
+  "ssh": {
+    "authorized-keys...",
+  }
+}
+```
+
 Once you've created your JSON, you'll need to base64-encode it and set it as the value of the admin host container's user-data setting in your [instance user data toml](https://github.com/bottlerocket-os/bottlerocket#using-user-data).
 
 ```

start_admin_sshd.sh

@@ -2,11 +2,21 @@
 
 set -e
 
+log() {
+  echo "$*" >&2
+}
+
 declare -r PERSISTENT_STORAGE_BASE_DIR="/.bottlerocket/host-containers/current"
 declare -r SSH_HOST_KEY_DIR="${PERSISTENT_STORAGE_BASE_DIR}/etc/ssh"
 declare -r USER_DATA="${PERSISTENT_STORAGE_BASE_DIR}/user-data"
 
-declare -r LOCAL_USER="ec2-user"
+# Fetch user from user-data json (if any). Default to 'ec2-user' if null or invalid.
+if ! LOCAL_USER=$(jq -e -r '.["user"] // "ec2-user"' "${USER_DATA}" 2>/dev/null) \
+|| [[ ! "${LOCAL_USER}" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; then
+  log "Failed to set user from user-data. Proceeding with 'ec2-user'."
+  LOCAL_USER="ec2-user"
+fi
+
 declare -r USER_SSH_DIR="/home/${LOCAL_USER}/.ssh"
 declare -r SSHD_CONFIG_DIR="/etc/ssh"
 declare -r SSHD_CONFIG_FILE="${SSHD_CONFIG_DIR}/sshd_config"
@@ -15,10 +25,6 @@ declare -r SSHD_CONFIG_FILE="${SSHD_CONFIG_DIR}/sshd_config"
 # one of the methods below is available.
 declare -i available_auth_methods=0
 
-log() {
-  echo "$*" >&2
-}
-
 get_user_data_keys() {
     # Extract the keys from user-data json
     local raw_keys
@@ -63,6 +69,10 @@ EOF
   chmod 644 "${proxy_profile}"
 }
 
+# Create local user
+echo "${LOCAL_USER} ALL=(ALL) NOPASSWD: ALL" > "/etc/sudoers.d/${LOCAL_USER}"
+chmod 440 "/etc/sudoers.d/${LOCAL_USER}"
+useradd -m -G users,api "${LOCAL_USER}"
 mkdir -p "${USER_SSH_DIR}"
 chmod 700 "${USER_SSH_DIR}"