首先在docker中安裝openssh-server,安裝完畢后切換到openssh-server的安裝目錄/etc/ssh下面。
運行ssh-keygen生成對應的密鑰。
先看看sshd的配置文件sshd_config�,里面有如下內容:
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
有rsa,dsa,ecdsa,ed25519的加密方式,根據這幾種加密方式來生成對應的密鑰對�����。
[root@655f62a4ed82 ssh]# ssh-keygen -t rsa //生成rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
0e:fa:07:36:bb:87:c1:60:14:be:41:41:01:1b:4b:bc root@655f62a4ed82
The key's randomart image is:
+--[ RSA 2048]----+
| .+o*+ |
| ..*. |
| ooo |
| E oo |
| ..o. S |
| .*o |
| .. *. |
| .o o |
| o+ |
+-----------------+
[root@655f62a4ed82 ssh]# ssh-keygen -t dsa //生成dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
ee:8c:db:a8:24:68:0d:33:79:eb:09:33:ed:74:c3:66 root@655f62a4ed82
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| |
| . |
| = . S |
| .B o . |
|.=.=.E . |
|. Bo= .* |
| +..+.+ |
+-----------------+
[root@655f62a4ed82 ssh]# ssh-keygen -t ecdsa //生成ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/root/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ecdsa.
Your public key has been saved in /root/.ssh/id_ecdsa.pub.
The key fingerprint is:
84:74:de:d1:e4:98:a1:5c:27:25:8e:b7:d6:27:fd:c9 root@655f62a4ed82
The key's randomart image is:
+--[ECDSA 256]---+
| . . *++ |
| . = * X. |
| . * * . |
| . . o . |
| S o o o |
| . o...|
| E.|
| |
| |
+-----------------+
[root@655f62a4ed82 ssh]# ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is:
d8:40:95:1f:07:96:8a:83:7f:af:19:01:3b:b4:79:91 root@655f62a4ed82
The key's randomart image is:
+--[ED25519 256--+
| ....oo |
| . .oo . |
| .+.Eo o |
| ..oO... |
| .*.S |
| .o.. |
| ... |
| o. |
| o. |
+-----------------+
[root@655f62a4ed82 ssh]# cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
密鑰對生成完畢后�,需要修改sshd_config中上述文件所在的位置的。
HostKey /root/.ssh/id_rsa
HostKey /root/.ssh/id_dsa
HostKey /root/.ssh/id_ecdsa
HostKey /root/.ssh/id_ed25519
運行/usr/sbin/sshd,查看22端口號是否開啟��,開啟說明啟動成功����。
[root@655f62a4ed82 ssh]# /usr/sbin/sshd
[root@655f62a4ed82 ssh]# lsof -i:22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 37 root 3u IPv4 250907 0t0 TCP *:ssh (LISTEN)
sshd 37 root 4u IPv6 250909 0t0 TCP *:ssh (LISTEN)
補充知識:Docker容器內運行sshd進程,遠程登錄閃退(Exit status 254)
注:
背景
在容器內運行了一個sshd進程����,映射出一個端口供外部遠程連接?���?梢悦看芜B接的時候,輸入密碼后立即就退出了����,現(xiàn)象如下:
[root@localhost /]# ssh root@192.168.0.6 -p 8000
root@192.168.0.6's password:
Last login: Tue Nov 6 14:46:17 2018 from 192.168.0.6
Connection to 192.168.0.6 closed.
查看調試信息���,最后退出的打印如下:
......
Connection to 192.168.0.6 closed.
Transferred: sent 2264, received 2224 bytes, in 0.0 seconds
Bytes per second: sent 235367.6, received 231209.1
debug1: Exit status 254
分析
從打印來看,已經有Last login的信息���,所以密碼肯定是輸入正確的��,也已經登錄系統(tǒng)�,那就是在初始化的環(huán)境的時候跪了�。首先考慮了hosts.deny的配置,注釋相關配置后問題依舊�。
網上有說注釋sshd配置文件中的UsePAM配置,也就是不使用pam鑒權模塊����,
#UsePAM yes
修改完重啟sshd進程,這下果然可以了��。至于原因��,清一色的說是什么默認配置下�����,啟用了超時斷開連接功能��。這就是在扯���,默認的鏈接斷開時間不可能這么短����,而且為什么在非docker環(huán)境下sshd進程運行是正常的���。我是不接受這個理由的��。那就再看看唄����。不使用pam鑒權就沒問題�,于是又挨個把/etc/pam.d/里和sshd相關的配置一個一個注釋,還是沒發(fā)現(xiàn)問題所在�����。
這時想到可以看看pam的日志���,應該有些提示吧�。順帶提一下�, RedHat和CentOS的pam日志存放在/var/log/secure中�����,Ubuntu和Debian在 /var/log/auth.log中存儲認證信息����。
果然�,pam里有錯誤信息,
Nov 6 15:36:56 bbb sshd[11016]: Accepted password for root from 192.168.0.6 port 56394 ssh2
Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'nproc': Operation not permitted
Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'nofile': Operation not permitted
Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'memlock': Operation not permitted
Nov 6 15:36:56 bbb sshd[11016]: pam_unix(sshd:session): session opened for user root by (uid=0)
Nov 6 15:36:56 bbb sshd[11016]: error: PAM: pam_open_session(): Permission denied
Nov 6 15:36:56 bbb sshd[11016]: Received disconnect from 192.168.0.6: 11: disconnected by user
可見�,這是由于設置nproc、nofile�、memlock等參數(shù)權限不夠而導致,而這些配置是在pam組件里���,由以下兩個文件保存配置����,
/etc/security/limits.conf
/etc/security/limits.d/90-nproc.conf
將這兩個文件里面的相關設置注釋����,打開pam鑒權,ssh連接成功了�����。這才是問題所在�����。
另外還有其他方法
1��、因為是由于權限不夠導致�,那就在啟動容器的時候帶上--privileged參數(shù),使用特權用戶�����,同樣可以解決該問題
2�����、因為是在配置ulimits時錯誤�����,那么可以在啟動容器時使用--ulimit=[]參數(shù)來配置
以上這篇在docker中開啟sshd操作就是小編分享給大家的全部內容了��,希望能給大家一個參考���,也希望大家多多支持腳本之家�����。
