扫二维码与项目经理沟通
我们在微信上24小时期待你的声音
解答本文疑问/技术咨询/运营咨询/技术建议/互联网交流
这期内容当中小编将会给大家带来有关sshd如何在docker中开启,文章内容丰富且以专业的角度为大家分析和叙述,阅读完这篇文章希望大家可以有所收获。
成都创新互联是一家集网站建设,南召企业网站建设,南召品牌网站建设,网站定制,南召网站建设报价,网络营销,网络优化,南召网站推广为一体的创新建站企业,帮助传统企业提升企业形象加强企业竞争力。可充分满足这一群体相比中小企业更为丰富、高端、多元的互联网需求。同时我们时刻保持专业、时尚、前沿,时刻以成就客户成长自我,坚持不断学习、思考、沉淀、净化自己,让我们为更多的企业打造出实用型网站。首先在docker中安装openssh-server,安装完毕后切换到openssh-server的安装目录/etc/ssh下面。
运行ssh-keygen生成对应的密钥。
先看看sshd的配置文件sshd_config,里面有如下内容:
HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key
有rsa,dsa,ecdsa,ed25519的加密方式,根据这几种加密方式来生成对应的密钥对。
[root@655f62a4ed82 ssh]# ssh-keygen -t rsa //生成rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 0e:fa:07:36:bb:87:c1:60:14:be:41:41:01:1b:4b:bc root@655f62a4ed82 The key's randomart image is: +--[ RSA 2048]----+ | .+o*+ | | ..*. | | ooo | | E oo | | ..o. S | | .*o | | .. *. | | .o o | | o+ | +-----------------+ [root@655f62a4ed82 ssh]# ssh-keygen -t dsa //生成dsa Generating public/private dsa key pair. Enter file in which to save the key (/root/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_dsa. Your public key has been saved in /root/.ssh/id_dsa.pub. The key fingerprint is: ee:8c:db:a8:24:68:0d:33:79:eb:09:33:ed:74:c3:66 root@655f62a4ed82 The key's randomart image is: +--[ DSA 1024]----+ | | | | | | | . | | = . S | | .B o . | |.=.=.E . | |. Bo= .* | | +..+.+ | +-----------------+ [root@655f62a4ed82 ssh]# ssh-keygen -t ecdsa //生成ecdsa Generating public/private ecdsa key pair. Enter file in which to save the key (/root/.ssh/id_ecdsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_ecdsa. Your public key has been saved in /root/.ssh/id_ecdsa.pub. The key fingerprint is: 84:74:de:d1:e4:98:a1:5c:27:25:8e:b7:d6:27:fd:c9 root@655f62a4ed82 The key's randomart image is: +--[ECDSA 256]---+ | . . *++ | | . = * X. | | . * * . | | . . o . | | S o o o | | . o...| | E.| | | | | +-----------------+ [root@655f62a4ed82 ssh]# ssh-keygen -t ed25519 Generating public/private ed25519 key pair. Enter file in which to save the key (/root/.ssh/id_ed25519): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_ed25519. Your public key has been saved in /root/.ssh/id_ed25519.pub. The key fingerprint is: d8:40:95:1f:07:96:8a:83:7f:af:19:01:3b:b4:79:91 root@655f62a4ed82 The key's randomart image is: +--[ED25519 256--+ | ....oo | | . .oo . | | .+.Eo o | | ..oO... | | .*.S | | .o.. | | ... | | o. | | o. | +-----------------+ [root@655f62a4ed82 ssh]# cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
密钥对生成完毕后,需要修改sshd_config中上述文件所在的位置的。
HostKey /root/.ssh/id_rsa HostKey /root/.ssh/id_dsa HostKey /root/.ssh/id_ecdsa HostKey /root/.ssh/id_ed25519
运行/usr/sbin/sshd,查看22端口号是否开启,开启说明启动成功。
[root@655f62a4ed82 ssh]# /usr/sbin/sshd [root@655f62a4ed82 ssh]# lsof -i:22 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 37 root 3u IPv4 250907 0t0 TCP *:ssh (LISTEN) sshd 37 root 4u IPv6 250909 0t0 TCP *:ssh (LISTEN)
补充知识:Docker容器内运行sshd进程,远程登录闪退(Exit status 254)
注:
背景
在容器内运行了一个sshd进程,映射出一个端口供外部远程连接。可以每次连接的时候,输入密码后立即就退出了,现象如下:
[root@localhost /]# ssh root@192.168.0.6 -p 8000 root@192.168.0.6's password: Last login: Tue Nov 6 14:46:17 2018 from 192.168.0.6 Connection to 192.168.0.6 closed.
查看调试信息,最后退出的打印如下:
...... Connection to 192.168.0.6 closed. Transferred: sent 2264, received 2224 bytes, in 0.0 seconds Bytes per second: sent 235367.6, received 231209.1 debug1: Exit status 254
分析
从打印来看,已经有Last login的信息,所以密码肯定是输入正确的,也已经登录系统,那就是在初始化的环境的时候跪了。首先考虑了hosts.deny的配置,注释相关配置后问题依旧。
网上有说注释sshd配置文件中的UsePAM配置,也就是不使用pam鉴权模块,
#UsePAM yes
修改完重启sshd进程,这下果然可以了。至于原因,清一色的说是什么默认配置下,启用了超时断开连接功能。这就是在扯,默认的链接断开时间不可能这么短,而且为什么在非docker环境下sshd进程运行是正常的。我是不接受这个理由的。那就再看看呗。不使用pam鉴权就没问题,于是又挨个把/etc/pam.d/里和sshd相关的配置一个一个注释,还是没发现问题所在。
这时想到可以看看pam的日志,应该有些提示吧。顺带提一下, RedHat和CentOS的pam日志存放在/var/log/secure中,Ubuntu和Debian在 /var/log/auth.log中存储认证信息。
果然,pam里有错误信息,
Nov 6 15:36:56 bbb sshd[11016]: Accepted password for root from 192.168.0.6 port 56394 ssh3 Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'nproc': Operation not permitted Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'nofile': Operation not permitted Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for 'memlock': Operation not permitted Nov 6 15:36:56 bbb sshd[11016]: pam_unix(sshd:session): session opened for user root by (uid=0) Nov 6 15:36:56 bbb sshd[11016]: error: PAM: pam_open_session(): Permission denied Nov 6 15:36:56 bbb sshd[11016]: Received disconnect from 192.168.0.6: 11: disconnected by user
可见,这是由于设置nproc、nofile、memlock等参数权限不够而导致,而这些配置是在pam组件里,由以下两个文件保存配置,
/etc/security/limits.conf
/etc/security/limits.d/90-nproc.conf
将这两个文件里面的相关设置注释,打开pam鉴权,ssh连接成功了。这才是问题所在。
另外还有其他方法
1、因为是由于权限不够导致,那就在启动容器的时候带上--privileged参数,使用特权用户,同样可以解决该问题
2、因为是在配置ulimits时错误,那么可以在启动容器时使用--ulimit=[]参数来配置
上述就是小编为大家分享的sshd如何在docker中开启了,如果刚好有类似的疑惑,不妨参照上述分析进行理解。如果想知道更多相关知识,欢迎关注创新互联行业资讯频道。
我们在微信上24小时期待你的声音
解答本文疑问/技术咨询/运营咨询/技术建议/互联网交流