Keep ssh tunnel open with autossh, and give root user ssh keys so unprivileged user cant access the host

dangerzone-converter/Dockerfile

@@ -10,72 +10,72 @@ RUN apk -U upgrade && \
     poppler-utils \
     py3-magic \
     py3-pillow \
-    sudo
+    sudo \
-# tesseract-ocr \
+    tesseract-ocr \
-# tesseract-ocr-data-afr \
+    tesseract-ocr-data-afr \
-# tesseract-ocr-data-ara \
+    tesseract-ocr-data-ara \
-# tesseract-ocr-data-aze \
+    tesseract-ocr-data-aze \
-# tesseract-ocr-data-bel \
+    tesseract-ocr-data-bel \
-# tesseract-ocr-data-ben \
+    tesseract-ocr-data-ben \
-# tesseract-ocr-data-bul \
+    tesseract-ocr-data-bul \
-# tesseract-ocr-data-cat \
+    tesseract-ocr-data-cat \
-# tesseract-ocr-data-ces \
+    tesseract-ocr-data-ces \
-# tesseract-ocr-data-chi_sim \
+    tesseract-ocr-data-chi_sim \
-# tesseract-ocr-data-chi_tra \
+    tesseract-ocr-data-chi_tra \
-# tesseract-ocr-data-chr \
+    tesseract-ocr-data-chr \
-# tesseract-ocr-data-dan \
+    tesseract-ocr-data-dan \
-# tesseract-ocr-data-deu \
+    tesseract-ocr-data-deu \
-# tesseract-ocr-data-ell \
+    tesseract-ocr-data-ell \
-# tesseract-ocr-data-enm \
+    tesseract-ocr-data-enm \
-# tesseract-ocr-data-epo \
+    tesseract-ocr-data-epo \
-# tesseract-ocr-data-equ \
+    tesseract-ocr-data-equ \
-# tesseract-ocr-data-est \
+    tesseract-ocr-data-est \
-# tesseract-ocr-data-eus \
+    tesseract-ocr-data-eus \
-# tesseract-ocr-data-fin \
+    tesseract-ocr-data-fin \
-# tesseract-ocr-data-fra \
+    tesseract-ocr-data-fra \
-# tesseract-ocr-data-frk \
+    tesseract-ocr-data-frk \
-# tesseract-ocr-data-frm \
+    tesseract-ocr-data-frm \
-# tesseract-ocr-data-glg \
+    tesseract-ocr-data-glg \
-# tesseract-ocr-data-grc \
+    tesseract-ocr-data-grc \
-# tesseract-ocr-data-heb \
+    tesseract-ocr-data-heb \
-# tesseract-ocr-data-hin \
+    tesseract-ocr-data-hin \
-# tesseract-ocr-data-hrv \
+    tesseract-ocr-data-hrv \
-# tesseract-ocr-data-hun \
+    tesseract-ocr-data-hun \
-# tesseract-ocr-data-ind \
+    tesseract-ocr-data-ind \
-# tesseract-ocr-data-isl \
+    tesseract-ocr-data-isl \
-# tesseract-ocr-data-ita \
+    tesseract-ocr-data-ita \
-# tesseract-ocr-data-ita_old \
+    tesseract-ocr-data-ita_old \
-# tesseract-ocr-data-jpn \
+    tesseract-ocr-data-jpn \
-# tesseract-ocr-data-kan \
+    tesseract-ocr-data-kan \
-# tesseract-ocr-data-kat \
+    tesseract-ocr-data-kat \
-# tesseract-ocr-data-kor \
+    tesseract-ocr-data-kor \
-# tesseract-ocr-data-lav \
+    tesseract-ocr-data-lav \
-# tesseract-ocr-data-lit \
+    tesseract-ocr-data-lit \
-# tesseract-ocr-data-mal \
+    tesseract-ocr-data-mal \
-# tesseract-ocr-data-mkd \
+    tesseract-ocr-data-mkd \
-# tesseract-ocr-data-mlt \
+    tesseract-ocr-data-mlt \
-# tesseract-ocr-data-msa \
+    tesseract-ocr-data-msa \
-# tesseract-ocr-data-nld \
+    tesseract-ocr-data-nld \
-# tesseract-ocr-data-nor \
+    tesseract-ocr-data-nor \
-# tesseract-ocr-data-pol \
+    tesseract-ocr-data-pol \
-# tesseract-ocr-data-por \
+    tesseract-ocr-data-por \
-# tesseract-ocr-data-ron \
+    tesseract-ocr-data-ron \
-# tesseract-ocr-data-rus \
+    tesseract-ocr-data-rus \
-# tesseract-ocr-data-slk \
+    tesseract-ocr-data-slk \
-# tesseract-ocr-data-slv \
+    tesseract-ocr-data-slv \
-# tesseract-ocr-data-spa \
+    tesseract-ocr-data-spa \
-# tesseract-ocr-data-spa_old \
+    tesseract-ocr-data-spa_old \
-# tesseract-ocr-data-sqi \
+    tesseract-ocr-data-sqi \
-# tesseract-ocr-data-srp \
+    tesseract-ocr-data-srp \
-# tesseract-ocr-data-swa \
+    tesseract-ocr-data-swa \
-# tesseract-ocr-data-swe \
+    tesseract-ocr-data-swe \
-# tesseract-ocr-data-tam \
+    tesseract-ocr-data-tam \
-# tesseract-ocr-data-tel \
+    tesseract-ocr-data-tel \
-# tesseract-ocr-data-tgl \
+    tesseract-ocr-data-tgl \
-# tesseract-ocr-data-tha \
+    tesseract-ocr-data-tha \
-# tesseract-ocr-data-tur \
+    tesseract-ocr-data-tur \
-# tesseract-ocr-data-ukr \
+    tesseract-ocr-data-ukr \
-# tesseract-ocr-data-vie
+    tesseract-ocr-data-vie
 
 # Install pdftk
 RUN \

dangerzone/gui/vm.py

@@ -230,9 +230,10 @@ class Vm(QtCore.QObject):
         args_str = " ".join(pipes.quote(s) for s in args)
         print("> " + args_str)
         # To be able to login to the VM from the console, remove the stdout, stderr, and stdin args below
-        self.hyperkit_p = subprocess.Popen(
+        # self.hyperkit_p = subprocess.Popen(
-            args, stdout=self.devnull, stderr=self.devnull, stdin=self.devnull
+        #     args, stdout=self.devnull, stderr=self.devnull, stdin=self.devnull
-        )
+        # )
+        self.hyperkit_p = subprocess.Popen(args)
 
         # Wait for SSH thread
         self.wait_t = WaitForSsh(self.sshd_tunnel_port)

install/vm-builder/etc/apk/world

@@ -1,6 +1,6 @@
 alpine-base
 podman
 dropbear
-sshfs
+autossh
 python3
 sudo

install/vm-builder/etc/init.d/dangerzone

@@ -8,10 +8,6 @@ start() {
     # Create user
     /usr/sbin/adduser -D -u 1001 user
 
-	# Make folder for user mounts
-	mkdir /home/user/mnt
-	chown user:user /home/user/mnt
-
 	# Move containers into home dir
 	mkdir -p /home/user/.local/share
 	mv /etc/container-data /home/user/.local/share/containers

install/vm-builder/etc/ssh-to-host.py

@@ -16,53 +16,55 @@ def main():
 
     info = json.loads(s[0 : s.find(b"\0")])
 
-    # Create SSH files
+    # Create root's SSH files
-    os.makedirs("/home/user/.ssh", exist_ok=True)
+    os.makedirs("/root/.ssh", exist_ok=True)
 
-    with open("/home/user/.ssh/id_ed25519", "w") as f:
+    with open("/root/.ssh/id_ed25519", "w") as f:
         f.write(info["id_ed25519"])
         f.write("\n")
 
-    with open("/home/user/.ssh/id_ed25519.pub", "w") as f:
+    with open("/root/.ssh/id_ed25519.pub", "w") as f:
         f.write(info["id_ed25519.pub"])
         f.write("\n")
 
+    with open("/root/.ssh/config", "w") as f:
+        f.write("Host hostbox\n")
+        f.write(f"  Hostname {info['ip']}\n")
+        f.write(f"  Port {info['port']}\n")
+        f.write(f"  User {info['user']}\n")
+        f.write(f"  RemoteForward {info['tunnel_port']} 127.0.0.1:22\n")
+        f.write("  IdentityFile /root/.ssh/id_ed25519\n")
+        f.write("  ServerAliveInterval 30\n")
+        f.write("  ServerAliveCountMax 3\n")
+        f.write("  StrictHostKeyChecking no\n")
+        f.write("\n")
+
+    os.chmod("/root/.ssh", 0o700)
+    os.chmod("/root/.ssh/id_ed25519", 0o600)
+    os.chmod("/root/.ssh/id_ed25519.pub", 0o600)
+    os.chmod("/root/.ssh/config", 0o600)
+
+    # Create user's SSH files
+    os.makedirs("/home/user/.ssh", exist_ok=True)
+
     with open("/home/user/.ssh/authorized_keys", "w") as f:
         f.write(info["id_ed25519.pub"])
         f.write("\n")
 
-    with open("/home/user/.ssh/config", "w") as f:
-        f.write("Host hostbox\n")
-        f.write(f"  Hostname {info['ip']}\n")
-        f.write(f"  Port {info['port']}\n")
-        f.write(f"  User {info['user']}\n")
-        f.write("  IdentityFile /home/user/.ssh/id_ed25519\n")
-        f.write("\n")
-
     os.chmod("/home/user/.ssh", 0o700)
-    os.chmod("/home/user/.ssh/id_ed25519", 0o600)
-    os.chmod("/home/user/.ssh/id_ed25519.pub", 0o644)
     os.chmod("/home/user/.ssh/authorized_keys", 0o600)
-    os.chmod("/home/user/.ssh/config", 0o600)
 
     shutil.chown("/home/user/.ssh", "user", "user")
-    shutil.chown("/home/user/.ssh/id_ed25519", "user", "user")
-    shutil.chown("/home/user/.ssh/id_ed25519.pub", "user", "user")
     shutil.chown("/home/user/.ssh/authorized_keys", "user", "user")
-    shutil.chown("/home/user/.ssh/config", "user", "user")
 
     # Start SSH reverse port forward
     subprocess.run(
         [
-            "/usr/bin/sudo",
+            "/usr/bin/autossh",
-            "-u",
+            "-M",
-            "user",
+            "0",
-            "/usr/bin/ssh",
+            "-f",
-            "-o",
-            "StrictHostKeyChecking=no",
             "-N",
-            "-R",
-            f"{info['tunnel_port']}:127.0.0.1:22",
             "hostbox",
         ]
     )

install/vm-builder/mkimg.dangerzone.sh

@@ -9,5 +9,5 @@ profile_dangerzone() {
 	kernel_cmdline="console=tty0 console=ttyS0,115200"
 	syslinux_serial="0 115200"
 	apkovl="genapkovl-dangerzone.sh"
-    apks="$apks podman dropbear sshfs python3 sudo"
+    apks="$apks podman dropbear autossh python3 sudo"
 }