docker sshd image problem, session required pam_loginuid.so, can't login

While using an sshd Docker image I ran into a rather odd problem: some of the started containers could be connected to, others could not.

For example:

Start two containers (both of them show the problem):

[root@localhost ~]# docker run -d --name di digoal/sshd_ceph:giant
[root@localhost ~]# docker run -d --name da digoal/sshd

The CMD of the two containers:

[root@localhost ~]# docker inspect -f '{{.Config.Cmd}}' da
[/usr/sbin/sshd -D]
[root@localhost ~]# docker inspect -f '{{.Config.Cmd}}' di
[/usr/sbin/sshd -D]

Look up their IPs:

[root@localhost ~]# docker inspect -f '{{.NetworkSettings.IPAddress}}' di
172.17.0.7
[root@localhost ~]# docker inspect -f '{{.NetworkSettings.IPAddress}}' da
172.17.0.8

Connect with an ssh client: the password is accepted, but the session is closed immediately.

[root@localhost ~]# ssh 172.17.0.8
root@172.17.0.8's password:
Last login: Tue Dec 16 20:22:12 2014 from 172.17.42.1
Connection to 172.17.0.8 closed.

[root@localhost ~]# ssh 172.17.0.7
root@172.17.0.7's password:
Last login: Tue Dec 16 20:21:58 2014 from 172.17.42.1
Connection to 172.17.0.7 closed.

To troubleshoot, first remove the two containers:

[root@localhost ~]# docker stop di
di
[root@localhost ~]# docker stop da
da
[root@localhost ~]# docker rm da
da
[root@localhost ~]# docker rm di
di

For troubleshooting, start the container interactively, overriding `/usr/sbin/sshd -D` with `/bin/bash`, and write the sshd log into the host's /tmp directory mounted into the container.

[root@localhost ~]# docker run --rm -t -i --name=da --volume=/tmp:/data01 digoal/sshd_ceph:giant /bin/bash
[root@f563c0940d2b /]# /usr/sbin/sshd -D -E /data01/sshd.log

Look up the container's IP:

[root@localhost tmp]# docker inspect -f '{{.NetworkSettings.IPAddress}}' da
172.17.0.11

Connecting to this container with an SSH client gets disconnected in the same way.

[root@localhost tmp]# ssh 172.17.0.11
The authenticity of host '172.17.0.11 (172.17.0.11)' can't be established.
ECDSA key fingerprint is db:5c:6b:2a:bc:9e:3e:31:24:1b:c0:8d:5f:96:f2:e0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.11' (ECDSA) to the list of known hosts.
root@172.17.0.11's password:
Last login: Tue Dec  9 15:20:36 2014 from 172.17.42.1
Connection to 172.17.0.11 closed.

The container's sshd log gives the cause: pam_open_session() fails (the failing module is pam_loginuid, see below), so sshd tears the session down right after the password was accepted:

[root@localhost tmp]# cat /tmp/sshd.log
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
Accepted password for root from 172.17.42.1 port 41153 ssh2
PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Received disconnect from 172.17.42.1: 11: disconnected by user

Solution 1: edit /etc/pam.d/sshd:

[root@f563c0940d2b /]# /usr/sbin/sshd -D -E /data01/sshd.log
^C
    Comment out the following line
[root@f563c0940d2b /]# vi /etc/pam.d/sshd
#session    required     pam_loginuid.so
    Now the connection works
[root@localhost tmp]# ssh 172.17.0.11
root@172.17.0.11's password:
Last login: Tue Dec 16 20:28:15 2014 from 172.17.42.1
[root@f563c0940d2b ~]# 

Solution 2: start the container with extended privileges (--privileged):

[root@f563c0940d2b /]# exit
exit
[root@localhost ~]# docker run --rm -t -i --name=da --privileged=true --volume=/tmp:/data01 digoal/sshd_ceph:giant /bin/bash
[root@44e686983f3a /]# /usr/sbin/sshd -D -E /data01/sshd.log

[root@localhost tmp]# docker inspect -f '{{.NetworkSettings.IPAddress}}' da
172.17.0.13
    Connects normally:
[root@localhost tmp]# ssh 172.17.0.13
The authenticity of host '172.17.0.13 (172.17.0.13)' can't be established.
ECDSA key fingerprint is db:5c:6b:2a:bc:9e:3e:31:24:1b:c0:8d:5f:96:f2:e0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.13' (ECDSA) to the list of known hosts.
root@172.17.0.13's password:
Last login: Tue Dec  9 15:20:36 2014 from 172.17.42.1
[root@44e686983f3a ~]#
[root@44e686983f3a ~]# cat /etc/pam.d/sshd |grep pam_loginuid
session    required     pam_loginuid.so

Finally, I recommend commenting out `session    required     pam_loginuid.so` when building the sshd image, so that containers started from that image later do not hit the problem described at the beginning.

Why this happens, and why solution 1 is the one to prefer: pam_loginuid writes the authenticated user's UID into /proc/self/loginuid for the audit subsystem, and the kernel rejects that write with EPERM unless the process holds CAP_AUDIT_CONTROL (the 3.10-era kernels this was observed on require it unconditionally; newer kernels allow one write while the loginuid is still unset, which is why the symptom varies between hosts). Docker's default capability set contains CAP_AUDIT_WRITE but not CAP_AUDIT_CONTROL, so the module fails, and because the line is marked `required` PAM returns a session error and sshd closes the connection. `--privileged` works only because it hands the container every capability and every host device, which is far more than sshd needs; it should not be used just to get a login working. If you do want the loginuid recorded inside the container, `--cap-add=AUDIT_CONTROL` is the narrower knob (not tested in this post), and marking the module `session optional pam_loginuid.so` instead of commenting it out keeps it working where it is permitted without breaking logins where it is not.
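Added example (shell; not code from the original post, function names are my own): a build-time fix for the image plus a capability check. `relax_loginuid` rewrites `session required pam_loginuid.so` to `session optional pam_loginuid.so` so a failed loginuid write no longer aborts the session while the module still runs where it can; `cap_has_audit_control` tells you from a CapEff value whether a process could write /proc/self/loginuid at all. The sample PAM file is a constructed CentOS 7-style /etc/pam.d/sshd; the CapEff value 00000000a80425fb in the comments is Docker's default capability set and 0000003fffffffff a fully privileged one.

```sh
#!/bin/sh
# Added example; not the original article's code. Function names are my own.

# Constructed CentOS 7-style /etc/pam.d/sshd used as sample input (not copied from a real host).
make_sample_pam() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
EOF
}

# Build-time fix: demote pam_loginuid from "required" to "optional" so a failed
# write to /proc/self/loginuid (EPERM without CAP_AUDIT_CONTROL) no longer kills
# the session, while the module still records the loginuid where it is allowed to.
# Idempotent, so it is safe in a Dockerfile RUN line. Writes via a temp file
# because "sed -i" is not portable.
relax_loginuid() {
    f=$1
    sed -E 's/^([[:space:]]*session[[:space:]]+)required([[:space:]]+pam_loginuid\.so)/\1optional\2/' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Check: succeeds when no "session required pam_loginuid.so" line remains.
loginuid_is_relaxed() {
    ! grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_loginuid\.so' "$1"
}

# Capability check: CAP_AUDIT_CONTROL is capability number 30. Given a CapEff
# value as printed in /proc/self/status (hex, e.g. 00000000a80425fb), succeed
# when bit 30 is set. Docker's default set 00000000a80425fb lacks it (it has
# AUDIT_WRITE, bit 29, but not AUDIT_CONTROL); --privileged grants it.
cap_has_audit_control() {
    [ $(( 0x$1 >> 30 & 1 )) -eq 1 ]
}

# Live variant for use inside a container: read the current process's CapEff.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Usage inside a container (not executed here):
#   cap_has_audit_control "$(current_capeff)" && echo "loginuid can be set" || echo "pam_loginuid will fail"
#   relax_loginuid /etc/pam.d/sshd
```

In a Dockerfile the fix is a single `RUN` line that applies `relax_loginuid` (or the equivalent sed) to /etc/pam.d/sshd; the capability check is what to run inside a misbehaving container before reaching for `--privileged`.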

[References]
1. man docker-run

     --privileged=true|false Give extended privileges to this container.  By default,  Docker  containers  are  “unprivileged”
       (=false)  and  cannot,  for  example, run a Docker daemon inside the Docker container.  This is because by default a con‐
       tainer is not allowed to access any devices.  A “privileged” container is given access to all devices.

       When the operator executes docker run --privileged, Docker will enable access to all devices on the host as well  as  set
       some configuration in AppArmor to allow the container nearly all the same access to the host as processes running outside
       of a container on the host.

2. man sshd_config

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
#UsePAM no
UsePAM yes

     UsePAM  Enables the Pluggable Authentication Module interface.  If set to “yes” this will enable PAM authentication using
             ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing
             for all authentication types.

             Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you
             should disable either PasswordAuthentication or ChallengeResponseAuthentication.

             If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user.  The default is “no”.
Time: 2024-11-08 20:47:32
