
I build a Docker image with SSH enabled from the following Dockerfile, using docker build -t debian-ssh:v00 .

From debian
WORKDIR /
RUN apt update && apt install -y openssh-server sudo
RUN sed -i "s/UsePAM yes/UsePAM no/g" /etc/ssh/sshd_config
RUN echo "root:123456" | chpasswd
RUN echo "root   ALL=(ALL)       ALL" >> /etc/sudoers
# RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
# RUN ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
# RUN ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
RUN mkdir /run/sshd
# RUN mkdir /var/run/sshd
EXPOSE 22
CMD ["/usr/sbin/sshd", "-D"]

After building, I start the container with docker run -d --name ssh00 debian-ssh00. Then I run docker exec -it ssh00 bash -> ssh localhost, and it gives me this message:

The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:sF5hbx2GTw/Fq3QhQyRJ2+YNwBFPy/Iu5c8PtgpU/ok.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
root@localhost: Permission denied (publickey,password).

I typed the password 123456 above. Why did this happen?

I use Docker for Windows with the latest version, i.e. Docker Engine v20.10.2, but still using the Hyper-V backend.

Update:
There was an official tutorial about Dockerizing an SSH service in the year 2020. But now it is discouraged.

2 Answers


  1. First, once in your Docker bash session, try and change the root password (again) with the passwd command: it will ask you for your old password (the one you put in Dockerfile).
    That way, you can double check the default container account (here root) does indeed have the password ‘123456’.

    Second, try the same ssh command in verbose mode, to see if any clues are apparent:

    ssh -vv localhost
    

    If the password for root is correct, then check your /etc/ssh/sshd_config: if it has PermitRootLogin no, it would disallow any root session.

    If this works, you would need to modify your Dockerfile in order to amend the /etc/ssh/sshd_config.

    The OP Spaceship222 confirms in the discussion:

    RUN echo "PermitRootLogin yes" >> /etc/ssh/sshd_config will make debian-based container work

  2. This is purely an sshd daemon configuration issue. By default, for security reasons, access to the root account with password authentication is disabled, so you have two options:

    1. Change the configuration of the ssh daemon and allow password authentication for the root account (NOTE: there is a reason why we don’t allow root access by default, so I would suggest you leave it this way).
    2. Set up a public/private key pair and an authorized_keys file for the root account in this context. I’m not sure how you want to use this container, and in general you should simply add your public key to the /root/.ssh/authorized_keys file and you’ll be fine.

    For your particular case if you really want to solve your problem with

    ssh localhost
    

    You can add one line to your Dockerfile which generates a public/private keypair and adds it to your authorized_keys for root user OR you can run this command after you first login using docker exec command.

    Your altered Dockerfile (public/private key version)

    FROM debian
    WORKDIR /
    RUN apt update && apt install -y openssh-server sudo
    RUN sed -i "s/UsePAM yes/UsePAM no/g" /etc/ssh/sshd_config
    RUN echo "root:123456" | chpasswd
    RUN echo "root   ALL=(ALL)       ALL" >> /etc/sudoers
    # RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
    # RUN ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
    # RUN ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
    RUN ssh-keygen -b 2048 -t rsa -f /root/.ssh/id_rsa -q -N "" && cat /root/.ssh/id_rsa.pub>/root/.ssh/authorized_keys
    RUN mkdir /run/sshd
    # RUN mkdir /var/run/sshd
    EXPOSE 22
    CMD ["/usr/sbin/sshd", "-D"]
    

    OR simply run this command in container after you execute into bash

     ssh-keygen -b 2048 -t rsa -f /root/.ssh/id_rsa -q -N "" && cat /root/.ssh/id_rsa.pub>/root/.ssh/authorized_keys
    

    UPDATE:
    You are using sed, but sed isn’t available, so for starters you need to add sed with apt, and if you want to build this container with PermitRootLogin yes you need to use sed to change the /etc/ssh/sshd_config file.
    Your altered Dockerfile (root password login allowed)

    FROM debian
    WORKDIR /
    RUN apt update && apt install -y openssh-server sudo sed
    RUN sed -i "s/UsePAM yes/UsePAM no/g" /etc/ssh/sshd_config && sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
    RUN echo "root:123456" | chpasswd
    RUN echo "root   ALL=(ALL)       ALL" >> /etc/sudoers
    # RUN ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
    # RUN ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
    # RUN ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
    RUN mkdir /run/sshd
    # RUN mkdir /var/run/sshd
    EXPOSE 22
    CMD ["/usr/sbin/sshd", "-D"]
    

    I hope this solves your problem fully.
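
Added example (not from the question or either answer): a shell check that computes which global PermitRootLogin and PasswordAuthentication values an sshd_config yields, run over constructed sample files. It shows why the stock Debian file denies the root password and why appending `PermitRootLogin yes` has no effect when an earlier active line already sets it. The function names and samples are assumptions made here, and Include lines are not followed, so on a real container compare the result with `sshd -T`.

```shell
#!/bin/sh
# sshd_config rules applied here: keywords are case-insensitive, the first
# value obtained for a keyword wins, and everything after a "Match" line is a
# conditional override rather than a global setting.

# effective_value FILE KEYWORD DEFAULT  (hypothetical helper)
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/   { next }   # blank lines and comments
        tolower($1) == "match" { exit }   # global section ends here
        tolower($1) == key     { print tolower($2); found = 1; exit }
        END { if (!found) print def }     # fall back to the OpenSSH default
    ' "$1"
}

# root_password_login FILE -> prints "allowed" or "denied"  (hypothetical helper)
root_password_login() {
    prl=$(effective_value "$1" PermitRootLogin prohibit-password)
    pwa=$(effective_value "$1" PasswordAuthentication yes)
    if [ "$prl" = "yes" ] && [ "$pwa" = "yes" ]; then
        echo allowed
    else
        echo denied
    fi
}

# Constructed samples, not copied from a real system.
SAMPLES=$(mktemp -d)
# stock: the relevant lines as the Debian package ships them (commented out)
printf '%s\n' '#PermitRootLogin prohibit-password' \
    '#PasswordAuthentication yes' 'UsePAM no' > "$SAMPLES/stock"
# appended: stock plus the line from the first answer
{ cat "$SAMPLES/stock"; echo 'PermitRootLogin yes'; } > "$SAMPLES/appended"
# shadowed: an active "no" earlier in the file beats the appended "yes"
{ echo 'PermitRootLogin no'; cat "$SAMPLES/appended"; } > "$SAMPLES/shadowed"

for f in stock appended shadowed; do
    printf '%-9s PermitRootLogin=%-18s root password login: %s\n' "$f" \
        "$(effective_value "$SAMPLES/$f" PermitRootLogin prohibit-password)" \
        "$(root_password_login "$SAMPLES/$f")"
done
```

The same first-match behaviour is why a `sed` substitution that expects the commented default line silently changes nothing when the file already carries an active `PermitRootLogin` line.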
