Running sshd inside a Docker container

  • 2021-09-20 21:56:00
  • OfStack

First install openssh-server in the container, then change to its configuration directory, /etc/ssh.

Run ssh-keygen to generate the host keys.

First look at the sshd configuration file, sshd_config, which contains the following HostKey lines:


HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

Four key types are listed: rsa, dsa, ecdsa and ed25519. Generate a key pair for each of them.


[root@655f62a4ed82 ssh]# ssh-keygen -t rsa // Generate rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
0e:fa:07:36:bb:87:c1:60:14:be:41:41:01:1b:4b:bc root@655f62a4ed82
The key's randomart image is:
+--[ RSA 2048]----+
| .+o*+      |
| ..*.      |
| ooo      |
| E oo      |
|  ..o. S    |
|   .*o     |
|  .. *.    |
|   .o o    |
|   o+     |
+-----------------+
[root@655f62a4ed82 ssh]# ssh-keygen -t dsa // Generate dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
ee:8c:db:a8:24:68:0d:33:79:eb:09:33:ed:74:c3:66 root@655f62a4ed82
The key's randomart image is:
+--[ DSA 1024]----+
|         |
|         |
|         |
| .       |
| = .  S    |
| .B o .     |
|.=.=.E .    |
|. Bo= .*     |
|  +..+.+    |
+-----------------+
[root@655f62a4ed82 ssh]# ssh-keygen -t ecdsa // Generate ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
84:74:de:d1:e4:98:a1:5c:27:25:8e:b7:d6:27:fd:c9 root@655f62a4ed82
The key's randomart image is:
+--[ECDSA 256]---+
|   . . *++  |
|   . = * X.  |
|   . * * .  |
|    . . o .  |
|    S o o o |
|     .  o...|
|        E.|
|         |
|         |
+-----------------+
[root@655f62a4ed82 ssh]# ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is:
d8:40:95:1f:07:96:8a:83:7f:af:19:01:3b:b4:79:91 root@655f62a4ed82
The key's randomart image is:
+--[ED25519 256--+
|   ....oo   |
|   . .oo .  |
|   .+.Eo o   |
|  ..oO...   |
|   .*.S    |
|   .o..    |
|    ...    |
|     o.   |
|    o.    |
+-----------------+
[root@655f62a4ed82 ssh]# cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys 

After the key pairs are generated, the HostKey entries in sshd_config must be changed to point to where the files above were written.


HostKey /root/.ssh/id_rsa
HostKey /root/.ssh/id_dsa
HostKey /root/.ssh/id_ecdsa
HostKey /root/.ssh/id_ed25519

Run /usr/sbin/sshd, then check whether port 22 is listening; if it is, sshd started successfully.


[root@655f62a4ed82 ssh]# /usr/sbin/sshd
[root@655f62a4ed82 ssh]# lsof -i:22
COMMAND PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd   37 root  3u IPv4 250907   0t0 TCP *:ssh (LISTEN)
sshd   37 root  4u IPv6 250909   0t0 TCP *:ssh (LISTEN)
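The step above starts sshd and only then checks whether it is listening. As an added example (not part of the original article), this script checks the HostKey paths in an sshd_config before starting the daemon: each file must exist and be readable only by its owner (sshd refuses to load a private key others can read), and DSA keys are flagged because current OpenSSH disables them by default. The function name `check_sshd_hostkeys` and the script file name are assumptions; it works for the /root/.ssh paths used above as well as the default /etc/ssh/ssh_host_* files that `ssh-keygen -A` produces.

```shell
#!/bin/sh
# Added example, not from the original article: verify that every HostKey
# named in an sshd_config exists, is readable only by its owner (mode 0600,
# sshd refuses to load a private key that others can read), and flag the
# deprecated DSA type. Run it before starting /usr/sbin/sshd in the container.

# check_sshd_hostkeys CONFIG_FILE -> returns 0 only if all host keys are usable
check_sshd_hostkeys() {
    cfg="$1"
    rc=0
    # Only uncommented HostKey lines count; sshd ignores "#HostKey ..." lines.
    keys=$(awk '$1 == "HostKey" { print $2 }' "$cfg")
    if [ -z "$keys" ]; then
        echo "no active HostKey lines in $cfg" >&2
        return 1
    fi
    for key in $keys; do
        if [ ! -f "$key" ]; then
            echo "missing host key: $key" >&2
            rc=1
            continue
        fi
        # stat -c is GNU coreutils (the CentOS image used in the article).
        mode=$(stat -c '%a' "$key")
        if [ "$mode" != "600" ]; then
            echo "mode $mode on $key is too open (expected 600)" >&2
            rc=1
        fi
        case "$key" in
            *dsa*) echo "note: DSA host key $key is disabled by default in current OpenSSH" >&2 ;;
        esac
    done
    return $rc
}

# Usage: sh check_hostkeys.sh /etc/ssh/sshd_config
# When sshd is installed, also let it validate the full config (sshd -t).
if [ -n "${1:-}" ]; then
    check_sshd_hostkeys "$1" && command -v sshd >/dev/null 2>&1 && sshd -t -f "$1"
fi
```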

Additional knowledge: sshd runs inside the Docker container, but remote logins are dropped immediately (Exit status 254)

Background

An sshd process is running inside the container, with a port mapped so that it can be reached from outside. Every connection is closed right after the password is entered. The symptom looks like this:


[root@localhost /]# ssh root@192.168.0.6 -p 8000
root@192.168.0.6's password: 
Last login: Tue Nov 6 14:46:17 2018 from 192.168.0.6
Connection to 192.168.0.6 closed.

Looking at the debugging output, the last lines printed before the exit are:


......
Connection to 192.168.0.6 closed.
Transferred: sent 2264, received 2224 bytes, in 0.0 seconds
Bytes per second: sent 235367.6, received 231209.1
debug1: Exit status 254

Analysis

The output already contains the Last login line, so the password was accepted and the login reached the system; the failure must happen while the session environment is being initialised. The first suspect was the hosts.deny configuration, but the problem remained after commenting out the related entries.

A comment found online suggests commenting out the UsePAM option in the sshd configuration file, that is, not using the PAM authentication module:

#UsePAM yes

After this change and a restart of sshd, logins really do work. The explanation offered with that suggestion was that the default PAM configuration enables an idle-timeout disconnect. That does not hold up: the default timeout cannot be that short, and the same sshd process runs normally outside Docker, so I did not accept that explanation and looked further. Since there is no problem without PAM, the sshd-related entries under /etc/pam.d/ were commented out one by one, but nothing was found.

At that point it seemed worth reading the PAM log, which should give a hint. For reference, on RedHat and CentOS the PAM log is /var/log/secure; Ubuntu and Debian write authentication messages to /var/log/auth.log.

Sure enough, PAM has logged an error:


Nov 6 15:36:56 bbb sshd[11016]: Accepted password for root from 192.168.0.6 port 56394 ssh2
Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'nproc': Operation not permitted
Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'nofile': Operation not permitted
Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'memlock': Operation not permitted
Nov 6 15:36:56 bbb sshd[11016]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 6 15:36:56 bbb sshd[11016]: error: PAM: pam_open_session(): Permission denied
Nov 6 15:36:56 bbb sshd[11016]: Received disconnect from 192.168.0.6: 11: disconnected by user

So the cause is that the session does not have permission to set the nproc, nofile and memlock limits. These limits are configured in the following two files, which the pam_limits module reads:

/etc/security/limits.conf

/etc/security/limits.d/90-nproc.conf

After commenting out the relevant settings in these two files and re-enabling PAM, the SSH connection succeeds. That was the problem.

Other ways to fix it

1. Since the cause is insufficient permissions, starting the container with the --privileged flag (a privileged container) also solves the problem.

2. Since the error occurs while the ulimits are being applied, the limits can instead be set with the --ulimit=[] parameter when starting the container.
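The diagnosis above (pam_limits failing, then pam_open_session denied) and fix 2 can be automated. As an added example that is not part of the original article, this script reads a log excerpt such as /var/log/secure, lists the limits pam_limits could not apply, and builds the matching `docker run --ulimit` flags from limits.conf; the function names, the script name and the sample limits.conf values are assumptions. Without CAP_SYS_RESOURCE a process cannot raise a hard limit above the value the container was started with, which is why the flags have to cover what PAM will request.

```shell
#!/bin/sh
# Added example, not from the original article: read a PAM/sshd log excerpt
# (such as /var/log/secure), list the limits pam_limits could not apply, and
# build the matching "docker run --ulimit" flags from limits.conf. Without
# CAP_SYS_RESOURCE a process cannot raise a hard limit above the value the
# container was started with, so the flags must cover what PAM will request.

# failed_limits LOGFILE -> resources from "Could not set limit for '...'" lines
failed_limits() {
    sed -n "s/.*pam_limits([a-z]*:session): Could not set limit for '\([a-z]*\)'.*/\1/p" "$1" | sort -u
}

# session_denied LOGFILE -> 0 if sshd logged the pam_open_session failure
session_denied() {
    grep -q 'pam_open_session(): Permission denied' "$1"
}

# ulimit_flags LIMITSFILE RESOURCE... -> one "--ulimit RES=soft:hard" line per
# resource that limits.conf configures. A "-" entry sets both values;
# "unlimited" becomes -1, which is what docker accepts for no limit.
ulimit_flags() {
    limits="$1"; shift
    for res in "$@"; do
        awk -v r="$res" '
            $1 !~ /^#/ && NF >= 4 && $3 == r {
                v = ($4 == "unlimited") ? -1 : $4
                if ($2 == "soft" || $2 == "-") soft = v
                if ($2 == "hard" || $2 == "-") hard = v
            }
            END {
                if (hard == "") exit            # resource not set in this file
                if (soft == "") soft = hard
                printf "--ulimit %s=%s:%s\n", r, soft, hard
            }' "$limits"
    done
}

# Usage: sh pam_limits_check.sh /var/log/secure /etc/security/limits.conf
if [ $# -eq 2 ]; then
    if session_denied "$1"; then
        echo "pam_open_session failed; pam_limits could not apply:" >&2
        ulimit_flags "$2" $(failed_limits "$1")
    fi
fi
```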
