First, install openssh-server in the Docker container. After the installation is complete, switch to the openssh-server configuration directory, /etc/ssh, and run ssh-keygen to generate the corresponding keys.

First, take a look at the sshd configuration file, sshd_config, which contains the following:

```
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
```

These entries cover the rsa, dsa, ecdsa and ed25519 key types. Generate a key pair for each of these types.

```
[root@655f62a4ed82 ssh]# ssh-keygen -t rsa    # Generate rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
0e:fa:07:36:bb:87:c1:60:14:be:41:41:01:1b:4b:bc root@655f62a4ed82
The key's randomart image is:
+--[RSA 2048]----+
| .+o*+ |
| ..*. |
|oooo|
| E oo |
| ..o. S |
| .*o |
| .. *. |
| .oo |
| o+ |
+-----------------+
[root@655f62a4ed82 ssh]# ssh-keygen -t dsa    # Generate dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
ee:8c:db:a8:24:68:0d:33:79:eb:09:33:ed:74:c3:66 root@655f62a4ed82
The key's randomart image is:
+--[DSA 1024]----+
| |
| |
| |
| . |
| = . S |
| .B o . |
|.=.=.E . |
|.Bo= .* |
| +..+.+ |
+-----------------+
[root@655f62a4ed82 ssh]# ssh-keygen -t ecdsa    # Generate ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
84:74:de:d1:e4:98:a1:5c:27:25:8e:b7:d6:27:fd:c9 root@655f62a4ed82
The key's randomart image is:
+--[ECDSA 256]---+
| . . *++ |
| . = * X. |
| . * * . |
| . . o . |
|S ooo |
| . o...|
| E.|
| |
| |
+-----------------+
[root@655f62a4ed82 ssh]# ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is:
d8:40:95:1f:07:96:8a:83:7f:af:19:01:3b:b4:79:91 root@655f62a4ed82
The key's randomart image is:
+--[ED25519 256--+
| ....oo |
| . .oo . |
| .+.Eo o |
| ..oO... |
| .*.S |
| .o.. |
| ... |
| o. |
| o. |
+-----------------+
[root@655f62a4ed82 ssh]# cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
```

After the key pairs are generated, change the HostKey entries in sshd_config to point to the locations of the generated files:

```
HostKey /root/.ssh/id_rsa
HostKey /root/.ssh/id_dsa
HostKey /root/.ssh/id_ecdsa
HostKey /root/.ssh/id_ed25519
```

Run /usr/sbin/sshd, then check whether port 22 is listening. If it is, sshd started successfully.

```
[root@655f62a4ed82 ssh]# /usr/sbin/sshd
[root@655f62a4ed82 ssh]# lsof -i:22
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     37 root    3u  IPv4 250907      0t0  TCP *:ssh (LISTEN)
sshd     37 root    4u  IPv6 250909      0t0  TCP *:ssh (LISTEN)
```

Additional knowledge: When running the sshd process in a Docker container, remote login exits immediately (Exit status 254)

Background

An sshd process is running in the container, with a port mapped for external remote connections.
Every time you connect, you are logged out immediately after entering the password. The symptom is as follows:

```
[root@localhost /]# ssh root@192.168.0.6 -p 8000
root@192.168.0.6's password:
Last login: Tue Nov 6 14:46:17 2018 from 192.168.0.6
Connection to 192.168.0.6 closed.
```

Checking the debugging information, the final printout on exit is as follows:

```
......
Connection to 192.168.0.6 closed.
Transferred: sent 2264, received 2224 bytes, in 0.0 seconds
Bytes per second: sent 235367.6, received 231209.1
debug1: Exit status 254
```

Analysis

From the printout, the Last login information is already shown, so the password must have been entered correctly and I had logged into the system, but it failed while initializing the environment.

First, I considered the configuration of hosts.deny. After commenting out the relevant configuration, the problem still existed.

The advice on the Internet is to comment out the UsePAM setting in the sshd configuration file, that is, to not use the PAM authentication module. After making that change and restarting the sshd process, it works as expected. As for the reason, all of them said that the timeout disconnection function is enabled under the default configuration. This is nonsense: the default disconnection timeout cannot be that short, and it does not explain why the sshd process runs normally in a non-Docker environment. I don't accept this reason.

Then let's take another look. There is no problem if PAM authentication is not used, so I commented out the sshd-related configurations in /etc/pam.d/ one by one, but still couldn't find the problem.

At this point, I thought I could take a look at the PAM log, which should provide some clues. By the way, RedHat and CentOS store PAM logs in /var/log/secure, and Ubuntu and Debian store authentication information in /var/log/auth.log.

Sure enough, there is an error message from PAM:

```
Nov 6 15:36:56 bbb sshd[11016]: Accepted password for root from 192.168.0.6 port 56394 ssh2
Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'nproc': Operation not permitted
Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'nofile': Operation not permitted
Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'memlock': Operation not permitted
Nov 6 15:36:56 bbb sshd[11016]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 6 15:36:56 bbb sshd[11016]: error: PAM: pam_open_session(): Permission denied
Nov 6 15:36:56 bbb sshd[11016]: Received disconnect from 192.168.0.6: 11: disconnected by user
```

It can be seen that this is caused by insufficient permissions to set limits such as nproc, nofile and memlock. These settings belong to the PAM component and are saved in the following two files:
Comment out the relevant settings in these two files, turn PAM authentication back on, and the ssh connection succeeds. That was the problem.

Other methods

1. Because the failure is caused by insufficient permissions, pass the --privileged parameter when starting the container so that it runs with a privileged user.
2. Because the error occurs when configuring ulimits, you can use the --ulimit=[] parameter to configure them when starting the container.
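The log check from the analysis above, written as a script. This is an added example, not part of the original article: it scans an sshd auth log for sessions where pam_open_session() was denied, lists the limits pam_limits could not set for each, and prints a matching --ulimit flag per limit. The function names, the healthy second session in the sample, and the `<soft>:<hard>` placeholders are assumptions.

```shell
#!/bin/sh
# Added example: detect sshd sessions rejected after pam_limits failures.

# Constructed sample: the excerpt quoted in the article plus one healthy
# session (PID 11020) that must not be reported.
sample_log() {
  cat <<'EOF'
Nov 6 15:36:56 bbb sshd[11016]: Accepted password for root from 192.168.0.6 port 56394 ssh2
Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'nproc': Operation not permitted
Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'nofile': Operation not permitted
Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'memlock': Operation not permitted
Nov 6 15:36:56 bbb sshd[11016]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 6 15:36:56 bbb sshd[11016]: error: PAM: pam_open_session(): Permission denied
Nov 6 15:36:56 bbb sshd[11016]: Received disconnect from 192.168.0.6: 11: disconnected by user
Nov 6 15:40:02 bbb sshd[11020]: Accepted password for root from 192.168.0.6 port 56401 ssh2
Nov 6 15:40:02 bbb sshd[11020]: pam_unix(sshd:session): session opened for user root by (uid=0)
EOF
}

# Read an auth log on stdin. For every sshd PID whose session open was
# denied, print "PID item item ..." with the limits that could not be set.
failed_limits() {
  awk '
    !match($0, /sshd\[[0-9]+\]:/) { next }           # skip non-sshd lines
    { pid = substr($0, RSTART + 5, RLENGTH - 7) }    # digits inside sshd[...]
    /pam_limits\(sshd:session\): Could not set limit for/ {
      # the limit name sits between single quotes (\047)
      if (split($0, q, "\047") >= 3) items[pid] = items[pid] " " q[2]
    }
    /pam_open_session\(\): Permission denied/ {
      if (!(pid in denied)) { denied[pid] = 1; order[++n] = pid }
    }
    END { for (i = 1; i <= n; i++) print order[i] items[order[i]] }
  '
}

# Turn each "PID item ..." line into docker run flags. <soft>:<hard> is a
# placeholder for the values the container's limits settings request.
ulimit_flags() {
  awk '{
    out = ""
    for (i = 2; i <= NF; i++)
      out = out (i > 2 ? " " : "") "--ulimit " $i "=<soft>:<hard>"
    print out
  }'
}

sample_log | failed_limits                  # 11016 nproc nofile memlock
sample_log | failed_limits | ulimit_flags
```

Of the two container-start options listed above, --ulimit is the narrower change, since --privileged lifts far more than the resource-limit restriction.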