web-dev-qa-db-fra.com

Comment devenir un invité LXD?

J'ai une machine hôte (KVM avec Kubuntu 18.04) avec un LDX invité (basé sur l'image ubuntu18.04).

Je peux passer de l'invité à l'hôte.

Mais essayer de passer de l'hôte à l'invité donne un

Autorisation refusée (publickey)

erreur

Étape pour reproduire:

  • lxc exec dans l'invité
  • connexion exec avec l'utilisateur ubuntu (pour éviter les problèmes d'autorisations root)
  • ssh to Host - SUCCESS
  • exit form user ubuntu - quitter l'invité
  • de l'hôte ssh dans ubuntu @ guest - erreur [~ # ~] [~ # ~]

Qu'est-ce que je fais mal?

Ci-dessous la transcription complète de la session

sysop@kvmneo4j:~$ lxc list
+----------+---------+-------------------+------+------------+-----------+
|   NAME   |  STATE  |       IPV4        | IPV6 |    TYPE    | SNAPSHOTS |
+----------+---------+-------------------+------+------------+-----------+
| base1804 | RUNNING | 10.0.0.205 (eth0) |      | PERSISTENT | 0         |
+----------+---------+-------------------+------+------------+-----------+
sysop@kvmneo4j:~$ lxc exec base1804 bash
root@base1804:~# exec login ubuntu
Password: 
Last login: Wed Jan  2 18:58:10 UTC 2019 on UNKNOWN
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-43-generic x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

System information as of Wed Jan  2 19:02:28 UTC 2019

System load:    1.69      Processes:           22
Usage of /home: unknown   Users logged in:     0
Memory usage:   1%        IP address for eth0: 10.0.0.205
Swap usage:     0%


Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


To run a command as administrator (user "root"), use "Sudo <command>".
See "man Sudo_root" for details.

ubuntu@base1804:~$ ssh [email protected]
[email protected]'s password: 
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-43-generic x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
    https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Wed Jan  2 19:58:42 2019 from 10.0.0.205
sysop@kvmneo4j:~$ logout
Connection to 10.0.0.1 closed.
ubuntu@base1804:~$ logout
sysop@kvmneo4j:~$ ssh -v [email protected]
OpenSSH_7.6p1 Ubuntu-4ubuntu0.1, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 10.0.0.205 [10.0.0.205] port 22.
debug1: Connection established.
debug1: identity file /home/sysop/.ssh/id_rsa type 0
debug1: key_load_public: No such file or directory
debug1: identity file /home/sysop/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sysop/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sysop/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sysop/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sysop/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sysop/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/sysop/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.1
debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.0.0.205:22 as 'ubuntu'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: Host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server Host key: ecdsa-sha2-nistp256 SHA256:i0Ezo01qJyhIue4PIRobOw/qKuvDW/7OJZzgB0X5jGM
debug1: Host '10.0.0.205' is known and matches the ECDSA Host key.
debug1: Found key in /home/sysop/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:EfYKpv5N+M8YBgCFjjy3P9M0jYt7DObq9ApoZ0G8qL4 /home/sysop/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/sysop/.ssh/id_dsa
debug1: Trying private key: /home/sysop/.ssh/id_ecdsa
debug1: Trying private key: /home/sysop/.ssh/id_ed25519
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).
sysop@kvmneo4j:~$
permissionssshkvmlxd
3
Mirto Busico

Par défaut, toutes les images Ubuntu lxd pour les conteneurs sont configurées avec PasswordAuthentication no dans leur configuration SSH.

Vous devez aller directement dans le conteneur et modifier la configuration en tant que root.

(1) lxc Shell CONTAINER-NAME vous déposera dans un shell root.

(2) nano /etc/ssh/sshd_config ouvrira l'éditeur de texte nano dans ce fichier.

(3) Trouvez la ligne PasswordAuthentication no et définissez-le sur yes.

(4) Ctrl+W pour écrire le fichier, et Ctrl+X pour fermer le fichier.

(5) Redémarrez le service SSH avec Sudo systemctl restart ssh.

Vous devriez maintenant pouvoir SSH dans le conteneur à partir du système hôte.

5
Thomas Ward

Une clé publique peut être utilisée pour l'authentification.

  1. ajoutez la clé publique aux clés autorisées sur le conteneur:
cat <public_key_file_on_Host> | lxc exec <container> -- sh -c "cat >> /home/ubuntu/.ssh/authorized_keys"
  1. redémarrez le démon ssh:
lxc exec <container> -- systemctl restart ssh
  1. ssh dans le conteneur comme ubuntu
ssh ubuntu@<container_ip>

Remarques:

  • Exemple <public_key_file_on_Host>: ~/.ssh/id_rsa.pub (ou générez-en un nouveau avec ssh-keygen -t rsa)
  • <container_ip> peut être obtenu avec lxc list
  • Pour utiliser des noms de conteneurs directement au lieu d'adresses IP, essayez
    1. Sudo systemd-resolve --interface=lxdbr0 --set-dns=`ip -f inet addr show dev lxdbr0 | grep -Po 'inet \K[\d.]+'` --set-domain=lxd
    2. ssh ubuntu@<container>.lxd
0
ricab

Essayez de l'invité:

ssh -A Host

puis de l'hôte:

ssh final-destination

Le "-A" transmet votre agent de l'invité à l'hôte.

0
Eric Mintz