Login/Register
Setup Docker Container with SSH server?
Asked Answered
Solved dockersshcontainersalpine-linuxsshd
F

1

5

I want to setup a very minimalistic alpine linux docker container with the following capabilities:

  • It runs an ssh server
  • It copies over a SSH public key of my choice to which I can then authenticate

I looked into various options, and in the end decided to write my own small Dockerfile. However, I ran into some problems.

Dockerfile

FROM alpine:latest

RUN apk update
RUN apk upgrade
RUN apk add openssh-server

RUN mkdir -p /var/run/sshd
RUN mkdir -p /root/.ssh

ADD authorized_keys /root/.ssh/authorized_keys
ADD entrypoint.sh /entrypoint.sh
RUN chmod 755 /entrypoint.sh

EXPOSE 22
CMD ["/entrypoint.sh"]

entrypoint.sh

#!/bin/sh
/usr/sbin/sshd -D

authorized_keys

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP8cIHIPgV9QoAaSsYNGHktiP/QnWfKPOeyzjujUXgQMQLBw3jJ1EBe04Lk3FXTMxwrKk3Dxq0VhJ+Od6UwzPDg=

Starting the container gives an error: sshd: no hostkeys available -- exiting. How can I fix my Dockerfile, to ensure the ssh server is running correctly and the authorized_keys file is there. What am I missing?

Fanelli answered 17/12, 2020 at 11:49 Comment(1)
You might try to start sshd with debug flags: /usr/sbin/sshd -D -ddd to see if that can give any usefull info.Veiling
L
9

In order to start, the SSH daemon does need host keys.
Those does not represents the keys that you are going to use to connect to your container, just the keys that define this specific host.

A host key is a cryptographic key used for authenticating computers in the SSH protocol.

Source: https://www.ssh.com/ssh/host-key

So you have to generate some keys for your host, you can then safely ignore those if you do not really intend to use them.

Generating those keys can be done via

ssh-keygen -A

So in your image, just adding a

RUN ssh-keygen -A

should do.

For the record, here is my own sshd Alpine image:

FROM alpine

RUN apk add --no-cache \ 
        openssh \
    && ssh-keygen -A \
    && mkdir /root/.ssh \
    && chmod 0700 /root/.ssh \
    && echo "root:$(openssl rand 96 | openssl enc -A -base64)" | chpasswd \
    && ln -s /etc/ssh/ssh_host_ed25519_key.pub /root/.ssh/authorized_keys

EXPOSE 22

CMD ["/usr/sbin/sshd", "-D", "-e"]

Extra notes:

  • I am reusing the SSH keys generated by ssh-keygen -A, exposing them in a volume, this is the reason why I am doing the command: 
    ln -s /etc/ssh/ssh_host_ed25519_key.pub /root/.ssh/authorized_keys
  • Because this is just an Ansible node cluster lab, I am SSH'ing this machine as the root user, this is why I need the, quite insecure 
    echo "root:$(openssl rand 96 | openssl enc -A -base64)" | chpasswd
Lagas answered 17/12, 2020 at 20:46 Comment(3)
I tried this Dockerfile verbatim, and I get "Permission denied" when I ssh in as root with the password root. I might not be clear on what you are doing with the key you've linked with ln -s. Otherwise, are there additional settings needed to ssh into the server?Detention
@Detention the default configuration of the SSH daemon is PermitRootLogin prohibit-password. So, that is what prevents you to login with a user/password when you would be able to do it with a SSH key. This is actually the reason why I am using this key in /root/.ssh/authorized_keys. To use it, I have a volume that exposes the private key so I can, from my host or from another container, login with that SSH key.Oscillation
If you do really want a user/password login, you could have a line In the RUN statement that would read echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config. But mind that this should never ever be used in any sort of production setup.Oscillation

© 2022 - 2024 — McMap. All rights reserved.