Testing SSH public key authentication

Preparing and starting the SSH server image

docker pull testcontainers/sshd:1.3.0
docker run -d --name server testcontainers/sshd:1.3.0

Preparing the SSH client image

Build an image based on Alpine with openssh-client installed.

# Create the Dockerfile
cat <<EOF > Dockerfile
FROM alpine:latest

RUN apk add --no-cache openssh-client
EOF

# Build the image
docker build -t ssh-client .

Checking the SSH server's IP address

The server's address is 172.17.0.2, as the ifconfig output below shows.

$ docker exec -it server ifconfig

eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02  
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1735 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1628 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:189746 (185.2 KiB)  TX bytes:184638 (180.3 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

SSH connection - password authentication

First, connect in the ordinary way with password authentication.

# Start the SSH client container and get a shell
$ docker run --rm --name client -it ssh-client ash
# Connect to the SSH server
# Answer "yes" to "Are you sure you want to continue connecting (yes/no/[fingerprint])?"
# root's password is root
$ ssh root@172.17.0.2

The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
ED25519 key fingerprint is SHA256:FZig6IVRte6eR9g34cdexVGYaK8qrJbvPEJ4S/HNCtA.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.17.0.2' (ED25519) to the list of known hosts.
root@172.17.0.2's password: 
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <https://wiki.alpinelinux.org/>.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

3b6bc5001a55:~# 

MEMO - where root's password is documented

https://hub.docker.com/layers/testcontainers/sshd/1.3.0/images/sha256-7dc5a534990619c4c785003dc19352ad651a40fb910ea69d24c24b1a93c3e6bc

Creating the private and public keys on the SSH client

Next, create a private/public key pair for public key authentication. No passphrase is entered here.

The private key is created as id_ed25519 and the public key as id_ed25519.pub in the .ssh directory under the home directory.
ed25519 is the default key type (a signature algorithm, not an encryption cipher); other types such as rsa can be selected with the -t option.

$ ssh-keygen

Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): 
Enter passphrase for "/root/.ssh/id_ed25519" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_ed25519
Your public key has been saved in /root/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:xOgvB1YSXw4tBSsqEHjEuTHQThe4O+Zd9hXNtIQ4x68 root@8c430b883d4c
The key's randomart image is:
+--[ED25519 256]--+
|+=.o... o*o.     |
|..X .  =+== o    |
|.+ *  + *+.* .   |
| .+  o =  . =    |
|  ... + S  o     |
|  +. .oo  E      |
| o o o..o.       |
|  . .  o.        |
|                 |
+----[SHA256]-----+

Registering the public key created on the SSH client with the SSH server

# The key was created with the default name and path, so it does not need to be specified.
$ ssh-copy-id root@172.17.0.2

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
expr: warning: '^ERROR: ': using '^' as the first character
of a basic regular expression is not portable; it is ignored
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.17.0.2's password: 

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@172.17.0.2'"
and check to make sure that only the key(s) you wanted were added.

Connecting with the public key

Connecting from the SSH client now succeeds without a password prompt.

$ ssh root@172.17.0.2

Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <https://wiki.alpinelinux.org/>.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

622fd82e0aca:~# 

MEMO

The public key registered on the SSH server is stored in .ssh/authorized_keys under the home directory.

$ cat .ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUex5dAF1irFy2VWvLcbjXhAgdL13NaIkpFrZu6Kx4f root@9e1dcdb08e8b
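Added example (not part of the original post): a small Python checker for authorized_keys that performs the "check to make sure that only the key(s) you wanted were added" step from the ssh-copy-id output. It decodes each entry, verifies that the declared key type matches the type embedded in the key blob, and computes the SHA256 fingerprint that ssh-keygen -l prints so it can be compared against an allowlist; the first sample entry is the one shown above, the second (with an options prefix) is constructed.

```python
import base64
import hashlib
import struct

# Key types this checker recognises (extend as needed).
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}

# Sample authorized_keys contents: the entry shown on this page, plus a
# constructed second entry for the same key with a restrictive options prefix.
SAMPLE = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUex5dAF1irFy2VWvLcbjXhAgdL13NaIkpFrZu6Kx4f root@9e1dcdb08e8b
# constructed: same key, usable only from the docker bridge network, no pty
from="172.17.0.0/16",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUex5dAF1irFy2VWvLcbjXhAgdL13NaIkpFrZu6Kx4f restricted
"""

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_entry(line: str):
    """Parse one authorized_keys line; blank lines and comments give None."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    # An entry may start with options (from=, command=, no-pty, ...); the key
    # type is the first token naming a known type.
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError(f"unrecognised entry: {line!r}")
    key_type, b64 = tokens[idx], tokens[idx + 1]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with an SSH string (uint32 length + bytes) that repeats
    # the key type, followed by the algorithm-specific key material.
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode()
    if embedded != key_type:
        raise ValueError(f"declared {key_type} but blob encodes {embedded}")
    if key_type == "ssh-ed25519":
        (klen,) = struct.unpack(">I", blob[4 + n:8 + n])
        if klen != 32 or len(blob) != 8 + n + klen:   # raw ed25519 key is 32 bytes
            raise ValueError("malformed ed25519 key blob")
    return {"options": " ".join(tokens[:idx]), "type": key_type,
            "fingerprint": fingerprint(blob), "comment": " ".join(tokens[idx + 2:])}

def audit(text: str, expected: set):
    """Return the entries whose fingerprint is not in the expected allowlist."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    return [e for e in entries if e["fingerprint"] not in expected]
```

Run `audit(open("/root/.ssh/authorized_keys").read(), {fp})` on the server with `fp` taken from `ssh-keygen -lf ~/.ssh/id_ed25519.pub` on the client; an empty result means only the intended key is installed.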

Cleanup

docker rm -f server
