首先在docker中安裝openssh-server,安裝完畢后切換到openssh-server的安裝目錄/etc/ssh下面。

運(yùn)行ssh-keygen生成對(duì)應(yīng)的密鑰。

先看看sshd的配置文件sshd_config，里面有如下內(nèi)容：

HostKey /etc/ssh/ssh_host_rsa_key#HostKey /etc/ssh/ssh_host_dsa_keyHostKey /etc/ssh/ssh_host_ecdsa_keyHostKey /etc/ssh/ssh_host_ed25519_key

有rsa,dsa,ecdsa,ed25519的加密方式，根據(jù)這幾種加密方式來生成對(duì)應(yīng)的密鑰對(duì)。

[root@655f62a4ed82 ssh]# ssh-keygen -t rsa //生成rsaGenerating public/private rsa key pair.Enter file in which to save the key (/root/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_rsa.Your public key has been saved in /root/.ssh/id_rsa.pub.The key fingerprint is:0e:fa:07:36:bb:87:c1:60:14:be:41:41:01:1b:4b:bc root@655f62a4ed82The key’s randomart image is:+--[ RSA 2048]----+| .+o*+ || ..*. || ooo || E oo || ..o. S || .*o || .. *. || .o o || o+ |+-----------------+[root@655f62a4ed82 ssh]# ssh-keygen -t dsa //生成dsaGenerating public/private dsa key pair.Enter file in which to save the key (/root/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_dsa.Your public key has been saved in /root/.ssh/id_dsa.pub.The key fingerprint is:ee:8c:db:a8:24:68:0d:33:79:eb:09:33:ed:74:c3:66 root@655f62a4ed82The key’s randomart image is:+--[ DSA 1024]----+| || || || . || = . S || .B o . ||.=.=.E . ||. Bo= .* || +..+.+ |+-----------------+[root@655f62a4ed82 ssh]# ssh-keygen -t ecdsa //生成ecdsaGenerating public/private ecdsa key pair.Enter file in which to save the key (/root/.ssh/id_ecdsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_ecdsa.Your public key has been saved in /root/.ssh/id_ecdsa.pub.The key fingerprint is:84:74:de:d1:e4:98:a1:5c:27:25:8e:b7:d6:27:fd:c9 root@655f62a4ed82The key’s randomart image is:+--[ECDSA 256]---+| . . *++ || . = * X. || . * * . || . . o . || S o o o || . o...||E.|| || |+-----------------+[root@655f62a4ed82 ssh]# ssh-keygen -t ed25519Generating public/private ed25519 key pair.Enter file in which to save the key (/root/.ssh/id_ed25519): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /root/.ssh/id_ed25519.Your public key has been saved in /root/.ssh/id_ed25519.pub.The key fingerprint is:d8:40:95:1f:07:96:8a:83:7f:af:19:01:3b:b4:79:91 root@655f62a4ed82The key’s randomart image is:+--[ED25519 256--+| ....oo || . .oo . || .+.Eo o || ..oO... || .*.S || .o.. || ... || o. || o. |+-----------------+[root@655f62a4ed82 ssh]# cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

密鑰對(duì)生成完畢后，需要修改sshd_config中上述文件所在的位置的。

HostKey /root/.ssh/id_rsaHostKey /root/.ssh/id_dsaHostKey /root/.ssh/id_ecdsaHostKey /root/.ssh/id_ed25519

運(yùn)行/usr/sbin/sshd,查看22端口號(hào)是否開啟，開啟說明啟動(dòng)成功。

[root@655f62a4ed82 ssh]# /usr/sbin/sshd[root@655f62a4ed82 ssh]# lsof -i:22COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAMEsshd 37 root 3u IPv4 250907 0t0 TCP *:ssh (LISTEN)sshd 37 root 4u IPv6 250909 0t0 TCP *:ssh (LISTEN)

補(bǔ)充知識(shí)：Docker容器內(nèi)運(yùn)行sshd進(jìn)程，遠(yuǎn)程登錄閃退(Exit status 254)

注：

背景

在容器內(nèi)運(yùn)行了一個(gè)sshd進(jìn)程，映射出一個(gè)端口供外部遠(yuǎn)程連接。可以每次連接的時(shí)候，輸入密碼后立即就退出了，現(xiàn)象如下：

[root@localhost /]# ssh root@192.168.0.6 -p 8000root@192.168.0.6’s password: Last login: Tue Nov 6 14:46:17 2018 from 192.168.0.6Connection to 192.168.0.6 closed.

查看調(diào)試信息，最后退出的打印如下：

......Connection to 192.168.0.6 closed.Transferred: sent 2264, received 2224 bytes, in 0.0 secondsBytes per second: sent 235367.6, received 231209.1debug1: Exit status 254

分析

從打印來看，已經(jīng)有Last login的信息，所以密碼肯定是輸入正確的，也已經(jīng)登錄系統(tǒng)，那就是在初始化的環(huán)境的時(shí)候跪了。首先考慮了hosts.deny的配置，注釋相關(guān)配置后問題依舊。

網(wǎng)上有說注釋sshd配置文件中的UsePAM配置，也就是不使用pam鑒權(quán)模塊，

#UsePAM yes

修改完重啟sshd進(jìn)程，這下果然可以了。至于原因，清一色的說是什么默認(rèn)配置下，啟用了超時(shí)斷開連接功能。這就是在扯，默認(rèn)的鏈接斷開時(shí)間不可能這么短，而且為什么在非docker環(huán)境下sshd進(jìn)程運(yùn)行是正常的。我是不接受這個(gè)理由的。那就再看看唄。不使用pam鑒權(quán)就沒問題，于是又挨個(gè)把/etc/pam.d/里和sshd相關(guān)的配置一個(gè)一個(gè)注釋，還是沒發(fā)現(xiàn)問題所在。

這時(shí)想到可以看看pam的日志，應(yīng)該有些提示吧。順帶提一下， RedHat和CentOS的pam日志存放在/var/log/secure中，Ubuntu和Debian在 /var/log/auth.log中存儲(chǔ)認(rèn)證信息。

果然，pam里有錯(cuò)誤信息，

Nov 6 15:36:56 bbb sshd[11016]: Accepted password for root from 192.168.0.6 port 56394 ssh2Nov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for ’nproc’: Operation not permittedNov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for ’nofile’: Operation not permittedNov 6 15:36:56 bbb sshd[11016]: pam_limits(sshd:session): Could not set limit for ’memlock’: Operation not permittedNov 6 15:36:56 bbb sshd[11016]: pam_unix(sshd:session): session opened for user root by (uid=0)Nov 6 15:36:56 bbb sshd[11016]: error: PAM: pam_open_session(): Permission deniedNov 6 15:36:56 bbb sshd[11016]: Received disconnect from 192.168.0.6: 11: disconnected by user

可見，這是由于設(shè)置nproc、nofile、memlock等參數(shù)權(quán)限不夠而導(dǎo)致，而這些配置是在pam組件里，由以下兩個(gè)文件保存配置，

/etc/security/limits.conf

/etc/security/limits.d/90-nproc.conf

將這兩個(gè)文件里面的相關(guān)設(shè)置注釋，打開pam鑒權(quán)，ssh連接成功了。這才是問題所在。

另外還有其他方法

1、因?yàn)槭怯捎跈?quán)限不夠?qū)е拢蔷驮趩?dòng)容器的時(shí)候帶上--privileged參數(shù)，使用特權(quán)用戶，同樣可以解決該問題

2、因?yàn)槭窃谂渲胾limits時(shí)錯(cuò)誤，那么可以在啟動(dòng)容器時(shí)使用--ulimit=[]參數(shù)來配置

以上這篇在docker中開啟sshd操作就是小編分享給大家的全部?jī)?nèi)容了，希望能給大家一個(gè)參考，也希望大家多多支持好吧啦網(wǎng)。