2026-05-09

demyxco · demyxco · commit 33c3f6be3753 · 2026-05-08T17:10:39.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # CHANGELOG
 
+## 2026-05-09
+- Switch base image from Alpine 3.18 to `debian:stable-slim`
+- Replace Alpine setup commands with Debian equivalents and expand installed packages
+- Harden `sshd_config` defaults (auth/session limits, forwarding, keepalive, login grace)
+- Update `bin/demyx-sudo` host key logic to handle `rsa`, `ecdsa`, and `ed25519` keys with bidirectional sync and key generation fallback
+
 ## 2025-07-28
 - Update GitHub Actions workflow to use run ID in commit message for scheduled builds [3da220a](https://github.com/demyxsh/ssh/commit/3da220a894a17b10399f491bcb9f05e7086c5a46)
 
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.18
+FROM debian:stable-slim
 
 LABEL sh.demyx.image        demyx/ssh
 LABEL sh.demyx.maintainer   Demyx <info@demyx.sh>
@@ -20,13 +20,14 @@ ENV SSH_ROOT                "$DEMYX"
 
 # Packages and setup
 RUN set -ex; \
-    apk add --no-cache --update bash openssh sudo tzdata
+    apt update; \
+    apt install -y bash curl git htop nano openssh-client openssh-server sudo tzdata
 
 # Configure Demyx
 RUN set -ex; \
     # Create demyx user
-    addgroup -g 1000 -S demyx; \
-    adduser -u 1000 -D -S -G demyx demyx; \
+    groupadd -g 1000 demyx; \
+    useradd -u 1000 -g demyx -m -s /bin/bash demyx; \
     \
     # Create demyx directories
     install -d -m 0755 -o demyx -g demyx "$DEMYX"; \
@@ -46,9 +47,17 @@ RUN set -ex; \
     sed -i "s|/home/demyx:/sbin/nologin|/home/demyx:/bin/bash|g" /etc/passwd; \
     sed -i "s|#Port 22|Port 2222|g" /etc/ssh/sshd_config; \
     sed -i "s|#PermitRootLogin prohibit-password|PermitRootLogin no|g" /etc/ssh/sshd_config; \
-    sed -i "s|#PubkeyAuthentication|PubkeyAuthentication|g" /etc/ssh/sshd_config; \
-    sed -i "s|#PasswordAuthentication|PasswordAuthentication|g" /etc/ssh/sshd_config; \
-    sed -i "s|#PermitEmptyPasswords no|PermitEmptyPasswords no|g" /etc/ssh/sshd_config; \
+    sed -i "s|#PubkeyAuthentication.*|PubkeyAuthentication no|g" /etc/ssh/sshd_config; \
+    sed -i "s|#PasswordAuthentication.*|PasswordAuthentication yes|g" /etc/ssh/sshd_config; \
+    sed -i "s|#PermitEmptyPasswords.*|PermitEmptyPasswords no|g" /etc/ssh/sshd_config; \
+    sed -i "s|#LoginGraceTime 2m|LoginGraceTime 30|g" /etc/ssh/sshd_config; \
+    sed -i "s|#MaxAuthTries 6|MaxAuthTries 3|g" /etc/ssh/sshd_config; \
+    sed -i "s|#MaxSessions 10|MaxSessions 3|g" /etc/ssh/sshd_config; \
+    sed -i "s|#X11Forwarding yes|X11Forwarding no|g" /etc/ssh/sshd_config; \
+    sed -i "s|#AllowTcpForwarding yes|AllowTcpForwarding local|g" /etc/ssh/sshd_config; \
+    sed -i "s|#PermitUserEnvironment no|PermitUserEnvironment no|g" /etc/ssh/sshd_config; \
+    sed -i "s|#ClientAliveInterval 0|ClientAliveInterval 300|g" /etc/ssh/sshd_config; \
+    sed -i "s|#ClientAliveCountMax 3|ClientAliveCountMax 0|g" /etc/ssh/sshd_config; \
     \
     # Configure sudo
     echo "demyx ALL=(ALL) NOPASSWD:SETENV: /usr/local/bin/demyx-sudo" > /etc/sudoers.d/demyx; \
diff --git a/bin/demyx-sudo b/bin/demyx-sudo
@@ -47,24 +47,29 @@ demyx_sudo_permission() {
     DEMYX_SUDO_PERMISSION=/home/"$DEMYX_USERNAME"
 
     # Prevents ssh errors from local machine
-    if [[ -f "$DEMYX_SUDO_PERMISSION"/.ssh/ssh_host_rsa_key ]]; then
-        if [[ ! -f /etc/ssh/ssh_host_rsa_key ]]; then
-            cp "$DEMYX_SUDO_PERMISSION"/.ssh/ssh_host_rsa_key /etc/ssh
-        fi
-        if [[ ! -f /etc/ssh/ssh_host_rsa_key.pub ]]; then
-            cp "$DEMYX_SUDO_PERMISSION"/.ssh/ssh_host_rsa_key.pub /etc/ssh
-        fi
-    else
-        if [[ ! -f /etc/ssh/ssh_host_rsa_key ]]; then
-            ssh-keygen -A >/dev/null
-        fi
-        if [[ ! -f "$DEMYX_SUDO_PERMISSION"/.ssh/ssh_host_rsa_key ]]; then
-            cp /etc/ssh/ssh_host_rsa_key "$DEMYX_SUDO_PERMISSION"/.ssh
-        fi
-        if [[ ! -f "$DEMYX_SUDO_PERMISSION"/.ssh/ssh_host_rsa_key.pub ]]; then
-            cp /etc/ssh/ssh_host_rsa_key.pub "$DEMYX_SUDO_PERMISSION"/.ssh
+    local DEMYX_SSH_KEY_TYPE=
+    for DEMYX_SSH_KEY_TYPE in rsa ecdsa ed25519; do
+        local DEMYX_SSH_HOME_KEY=
+        local DEMYX_SSH_ETC_KEY=
+        DEMYX_SSH_HOME_KEY="$DEMYX_SUDO_PERMISSION"/.ssh/ssh_host_${DEMYX_SSH_KEY_TYPE}_key
+        DEMYX_SSH_ETC_KEY=/etc/ssh/ssh_host_${DEMYX_SSH_KEY_TYPE}_key
+
+        if [[ -f "$DEMYX_SSH_HOME_KEY" ]]; then
+            cp "$DEMYX_SSH_HOME_KEY" "$DEMYX_SSH_ETC_KEY"
+            if [[ -f "$DEMYX_SSH_HOME_KEY".pub ]]; then
+                cp "$DEMYX_SSH_HOME_KEY".pub "$DEMYX_SSH_ETC_KEY".pub
+            fi
+        elif [[ -f "$DEMYX_SSH_ETC_KEY" ]]; then
+            cp "$DEMYX_SSH_ETC_KEY" "$DEMYX_SSH_HOME_KEY"
+            if [[ -f "$DEMYX_SSH_ETC_KEY".pub ]]; then
+                cp "$DEMYX_SSH_ETC_KEY".pub "$DEMYX_SSH_HOME_KEY".pub
+            fi
+        else
+            ssh-keygen -t "$DEMYX_SSH_KEY_TYPE" -N '' -f "$DEMYX_SSH_ETC_KEY" >/dev/null
+            cp "$DEMYX_SSH_ETC_KEY" "$DEMYX_SSH_HOME_KEY"
+            cp "$DEMYX_SSH_ETC_KEY".pub "$DEMYX_SSH_HOME_KEY".pub
         fi
-    fi
+    done
 
     if [[ -f "$DEMYX_SUDO_PERMISSION"/.ssh/authorized_keys ]]; then
         chmod 644 "$DEMYX_SUDO_PERMISSION"/.ssh/authorized_keys
