Setting up an SSH Lab using Docker
Sourabh Dhingra
《Senior SDET》Python | Javascript | Java | Scala | Rest API | Microservices | Automation Innovator | Continuous Testing | Web Development | Leading with Quality
In organizations, as software professionals, we regularly come across machines that we access through remote SSH. In general, in a Kubernetes (K8s) environment it is advisable to SSH into machines. We will set up a small SSH lab using Docker as the container technology. The purpose is to know:
What is SSH?
SSH stands for Secure Shell. It's a cryptographic network protocol used for secure communication over an unsecured network. SSH provides a secure way to access and manage remote devices, servers, and computers. It establishes an encrypted connection between a client and a server, allowing users to remotely log in to a system or execute commands securely over the internet.
SSH encrypts data, including passwords, login credentials, and other sensitive information, making it highly secure against eavesdropping, interception, or tampering by malicious entities. It uses public-key cryptography to authenticate the remote computer and allow secure communication, offering a higher level of security compared to traditional methods like Telnet or FTP, which transmit data in plain text.
SSH is widely used by system administrators, developers, and users who need to securely access and manage remote systems, transfer files securely, and execute commands on remote machines.
Now it is worth knowing about the encryption that SSH uses: public key cryptography. This is asymmetric cryptography, in which we have a key pair, one public and one private. The public key is shared, and senders encrypt data with it; only a user with access to the private key can then decrypt the data and read the content. It is safer than symmetric cryptography, in which both keys are the same. Obviously one wants only the holder of the private key to be able to read the data, and that is the major drawback of symmetric cryptography.
Here's a brief explanation of how asymmetric cryptography works in SSH:
The use of asymmetric cryptography in SSH ensures secure key exchange and authentication between the client and server without transmitting sensitive information like passwords in plain text over the network. It provides a robust method for secure communication and remote access.
How to set up an SSH server?
Install Docker on macOS (if you are using something else, check the Docker website for the Windows and Linux instructions):
Create and Run an Ubuntu Container:
docker pull ubuntu
docker run -it --name ubuntu-ssh-lab ubuntu /bin/bash
Installing the SSH server in the Ubuntu container:
We will use OpenSSH, which is an open-source project and is widely used in commercial projects and organizations.
apt-get update
apt-get install -y openssh-server
service ssh start
Tweaking the SSH installation, and useful commands to manage the service:
service ssh status # to check status
service ssh stop # to stop service
service ssh start # to start service
service ssh restart # to restart service
Now, to check on which port the ssh service is running we can use netstat, which is provided by the net-tools package (if the command is missing in the container, install it with apt-get install -y net-tools). Use the command below to get an insight and confirm:
netstat -anp | grep ssh
It should show the program name sshd listening on port 22.
Checking the SSH configuration directory (the server configuration file is /etc/ssh/sshd_config) and installing an editor to modify it:
apt-get install -y nano
Accessing the Docker container from an external system (this needs the container port 22 mapped to a host port):
docker run -it --name ubuntu-ssh-lab -p 2222:22 ubuntu /bin/bash
But in our case we already ran a container without port mapping. So we would need to stop the container, remove it, create another one and repeat the same steps. Another approach is to commit the existing container to a new image, remove the existing container, and then create a container with docker run using the new image name, this time ensuring the port mapping. You can also rename the old container first to append -old:
docker rename ubuntu-ssh-lab ubuntu-ssh-lab-old
docker commit ubuntu-ssh-lab-old ubuntu-ssh-lab-preinstalled
docker images # output list contains ubuntu-ssh-lab-preinstalled
Now execute the docker run command again this time with port mapping using the new image.
docker run -it --name ubuntu-ssh-lab -p 2222:22 ubuntu-ssh-lab-preinstalled /bin/bash
In the interactive terminal perform the commands below:
service ssh start # should start the ssh server
service ssh status # to check the status is running
netstat -anp # to check ssh server is running on 22 port
Logging in through the SSH client on your host
If you are using Windows you may need to install the OpenSSH client first. Go to the .ssh folder in your home directory on the host machine and list its contents; you should see a file named known_hosts.
Initially there should be nothing in the file that corresponds to your SSH server, i.e. no line starting with [localhost]:2222 <algorithm> <public key>. Remember we talked about SSH using public keys with a particular algorithm; this is what the known_hosts file stores: the public host key of every server you have connected to, so the client can detect a changed host key on later connections.
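To make the known_hosts entry concrete, here is an added example (not part of the original article) that builds an entry in the format the client writes, parses it back, and computes the SHA256 fingerprint the way the first-login prompt shows it: base64 of the SHA-256 of the binary key blob, without padding. The 32-byte key, the salt and the host names are constructed sample values, not a real host key. The same fingerprint function works on the "keytype base64" pair you later paste into authorized_keys. It also handles the hashed host form that HashKnownHosts produces (|1|salt|HMAC-SHA1), so you can check whether a given host already has an entry without a plaintext host name in the file.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample key material: 32 arbitrary bytes standing in for an Ed25519
# public key. It is NOT a real key; it only exercises the encoding and hashing.
SAMPLE_RAW_KEY = bytes(range(32))
SAMPLE_SALT = b"0123456789abcdefghij"  # 20 bytes, the size OpenSSH uses for hashed hosts


def encode_ssh_string(data):
    """SSH wire format 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_key_blob(key_type, raw_key):
    """The binary blob that is base64-encoded in known_hosts and authorized_keys.
    For ssh-ed25519 it is: string "ssh-ed25519", string <32-byte key>."""
    return encode_ssh_string(key_type.encode()) + encode_ssh_string(raw_key)


def encode_public_key(key_type, raw_key):
    """Base64 text of the blob, i.e. the second field of a known_hosts line."""
    return base64.b64encode(build_key_blob(key_type, raw_key)).decode()


def parse_key_blob(b64):
    """Decode a base64 key blob and return (embedded key type, blob bytes)."""
    blob = base64.b64decode(b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + type_len].decode(), blob


def fingerprint_sha256(b64):
    """OpenSSH's SHA256 fingerprint, as in the first-login prompt:
    base64(sha256(blob)) with the trailing '=' padding removed."""
    _, blob = parse_key_blob(b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line):
    """Return (host_field, key_type, b64) or None for blank and comment lines.
    The key type written on the line must match the type embedded in the blob."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if parts[0].startswith("@"):  # @cert-authority or @revoked marker
        parts = parts[1:]
    if len(parts) < 3:
        raise ValueError("malformed known_hosts line: %r" % line)
    host_field, key_type, b64 = parts[0], parts[1], parts[2]
    embedded_type, _ = parse_key_blob(b64)
    if embedded_type != key_type:
        raise ValueError("line says %s but blob is %s" % (key_type, embedded_type))
    return host_field, key_type, b64


def hashed_host_field(hostname, salt):
    """HashKnownHosts form of a host field: |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field, hostname):
    """True if a plain, comma-separated, or hashed host field covers hostname."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")


def find_host_key(known_hosts_text, hostname):
    """(key_type, fingerprint) of the first entry covering hostname, or None.
    Compare the fingerprint with the one the ssh client shows on first login."""
    for line in known_hosts_text.splitlines():
        parsed = parse_known_hosts_line(line)
        if parsed and host_matches(parsed[0], hostname):
            return parsed[1], fingerprint_sha256(parsed[2])
    return None


# Constructed known_hosts content mirroring the lab: one plain entry for the
# port-forwarded container and one hashed entry (HashKnownHosts yes) for the same key.
SAMPLE_B64 = encode_public_key("ssh-ed25519", SAMPLE_RAW_KEY)
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real host key",
    "[localhost]:2222 ssh-ed25519 " + SAMPLE_B64,
    hashed_host_field("[lab.example]:2222", SAMPLE_SALT) + " ssh-ed25519 " + SAMPLE_B64,
])

if __name__ == "__main__":
    for host in ("[localhost]:2222", "[lab.example]:2222", "[other]:22"):
        print(host, "->", find_host_key(SAMPLE_KNOWN_HOSTS, host))
```

Run it against your real file by passing the contents of ~/.ssh/known_hosts to find_host_key with "[localhost]:2222"; the fingerprint it returns should equal the one shown in the "key fingerprint is SHA256:..." prompt of the lab. If the container is rebuilt, sshd generates new host keys and the client will refuse to connect until the stale line is removed (ssh-keygen -R "[localhost]:2222" does that).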
Now ubuntu-ssh-lab has a root user and an SSH server running on port 22, forwarded to host port 2222, so we try to log in with the command below:
ssh root@localhost -p 2222
For the first login, since there is no entry in .ssh/known_hosts, you should get the message below:
The authenticity of host '[localhost]:2222 ([::1]:2222)' can't be established.
ED25519 key fingerprint is SHA256:a+RG2MM2pvyjSFkXLUfvz5+wK7AsT6caNVwF3ri1t+s.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Type yes and hit enter. You should then be prompted for a password:
Warning: Permanently added '[localhost]:2222' (ED25519) to the list of known hosts.
root@localhost's password:
Hitting enter without a password is not allowed; it says Permission denied, please try again. Three attempts are allowed by default, after which you get the message:
root@localhost: Permission denied (publickey,password).
Now the host has been added to the known_hosts file, but authentication cannot be completed. This is where we need to tweak our sshd_config file, or perhaps configure a user on the container with a password.
We will aim to log in as the root user and configure accordingly, for learning purposes.
Tweaking the sshd_config file
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
+PasswordAuthentication no
+PermitEmptyPasswords yes
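Review bot: the added PermitEmptyPasswords yes has no effect here, because the line above it sets PasswordAuthentication no, which turns off password authentication altogether (an empty password is still a password login); the verbose client output that follows confirms it by listing only publickey under "Authentications that can continue". If the aim is key-based root login, leave PermitEmptyPasswords at its default no and rely on the authorized_keys step later; PermitRootLogin (not shown in the hunk) defaults to prohibit-password in current OpenSSH, which already permits root login with a key. Also restart the service after editing (service ssh restart, shown earlier) or the change is not picked up.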
ssh root@localhost -p 2222 -vvv2
//// ........ some text omitted ....... ////
debug1: Authentications that can continue: publickey
debug1: Trying private key: /Users/sourabhdhingra/.ssh/id_ed25519_sk
debug3: no such identity: /Users/sourabhdhingra/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /Users/sourabhdhingra/.ssh/id_xmss
debug3: no such identity: /Users/sourabhdhingra/.ssh/id_xmss: No such file or directory
debug1: Trying private key: /Users/sourabhdhingra/.ssh/id_dsa
debug3: no such identity: /Users/sourabhdhingra/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
root@localhost: Permission denied (publickey).
In a nutshell, after the server's host key has been checked against known_hosts, the client tries each private key it finds in ~/.ssh in turn and offers the corresponding public key. This is public key authentication: the client generates a key pair (public key and private key), and the public key is uploaded to the server's authorized_keys file. During authentication, the server verifies the client's identity by validating the client's digital signature with the stored public key.
We are getting Permission denied because the server has no public key of ours to verify against.
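Before touching authorized_keys it is worth knowing what the edited sshd_config actually enforces. The following is an added example, not part of the original article, that reproduces the rules sshd applies when reading its configuration (comments start with #, keywords are case-insensitive, keyword and value may be separated by whitespace or =, the first occurrence of a keyword wins, and anything after a Match line is conditional) and flags the settings a reviewer would question. The default values and the three config fragments are constructed here; ARTICLE_TWEAK mirrors the edit shown above, and the defaults assume OpenSSH 7.0 or later.

```python
import re

# Defaults for the keywords checked here. Assumption: OpenSSH 7.0 or later
# (PermitRootLogin changed its default to prohibit-password in 7.0).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

# Constructed fragments. ARTICLE_TWEAK mirrors the edit made in the lab above.
ARTICLE_TWEAK = """
PasswordAuthentication no
PermitEmptyPasswords yes
"""

WEAK_LAB = """
PermitRootLogin yes
passwordauthentication = yes        # keywords are case-insensitive; '=' is allowed
PermitEmptyPasswords yes
PasswordAuthentication no           # duplicate: sshd keeps the FIRST value, so this is ignored
Match User deploy
PermitRootLogin no                  # inside a Match block: conditional, not global
"""

HARDENED = """
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
"""


def effective_settings(config_text):
    """Values sshd would use in the global section of this text.
    Rules reproduced: '#' starts a comment, keywords are case-insensitive, keyword and
    value may be separated by whitespace or '=', the first occurrence of a keyword wins,
    and everything after the first Match line is conditional, so it is not read here."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings


def findings(settings):
    """Settings a reviewer would question before exposing the lab beyond localhost."""
    out = []
    password_auth = settings["passwordauthentication"] == "yes"
    if settings["permitemptypasswords"] == "yes":
        if password_auth:
            out.append("PermitEmptyPasswords yes: accounts with an empty password can log in")
        else:
            out.append("PermitEmptyPasswords yes has no effect while PasswordAuthentication is no")
    if settings["permitrootlogin"] == "yes":
        if password_auth:
            out.append("PermitRootLogin yes with password authentication: root accepts password logins")
        else:
            out.append("PermitRootLogin yes: prohibit-password still allows key-based root login")
    return out


def review(config_text):
    """Convenience wrapper: (effective settings, findings) for one config text."""
    settings = effective_settings(config_text)
    return settings, findings(settings)


if __name__ == "__main__":
    for name, text in (("article tweak", ARTICLE_TWEAK), ("weak lab", WEAK_LAB), ("hardened", HARDENED)):
        settings, problems = review(text)
        print(name, settings, problems or ["no findings"])
```

The script does not follow Include directives. If your sshd_config starts with an Include line, as recent Ubuntu images do, a file under /etc/ssh/sshd_config.d/ can set PasswordAuthentication before your edit and win; inside the container, sshd -T prints the configuration the server actually uses and is the authoritative check.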
# on your host machine, make sure you have a public-private key pair;
# public keys end with the .pub extension (ssh-keygen -t ed25519 creates a pair if you have none)
cat ~/.ssh/id_rsa.pub # copy the content of the public key file
# then log in to the ssh lab using
docker exec -it ubuntu-ssh-lab /bin/bash
# you should see root@<container_id> e.g root@142f8c5e578d
# once logged in, paste the copied content into root's authorized_keys;
# sshd only reads ~/.ssh/authorized_keys, and ignores it if the permissions are too open
mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo '<copied_content>' >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Now try to ssh login from another terminal
ssh root@localhost -p 2222 -vvv2 # use verbose to know better
You should be able to SSH into your SSH lab now. You may check this stackoverflow thread if any similar issues occur!