Docker 容器内使用 LDAP 身份验证的 SSH

Docker 容器内使用 LDAP 身份验证的 SSH

我正在尝试使用 docker 设置使用 LDAP 身份验证的 ssh jumphost。我以无根身份运行容器。

注意:目前这些都处于测试阶段,但希望听到一些关于更好做法的反馈

Dockerfile:

FROM almalinux:9-minimal

RUN microdnf update -y && microdnf install -y \
# SSH server & client
openssh-server \
openssh-clients \
# Management tools
procps \
vim \
iptables \
net-tools \
iputils \
findutils \
less \
nano \
# LDAP packages
dbus \
sssd-common \
sssd-ldap \
sssd-client \
sssd-tools \
openldap-clients \
policycoreutils-python-utils \
# Cleanup install
&& microdnf clean all

# Setup mangement account & basic sshd settings
...

# Install startup & login logging script & make them executable

COPY scripts/startup_script.sh /opt/

RUN chmod a+x /opt/startup_script.sh

# Copy sssd config to docker

COPY sssd/sssd.conf /etc/sssd
COPY sssd/password-auth-ac /etc/pam.d/
# Set correct permissions for config files
RUN chmod 644 /etc/pam.d/password-auth-ac; \ 
cp /etc/pam.d/password-auth-ac /etc/pam.d/system-auth-ac; \
chmod 600 /etc/sssd/sssd.conf; \

# Rest of the configuration
USER 1001
EXPOSE 22

ENTRYPOINT ["/bin/bash","/opt/startup_script.sh"]

启动脚本

ROOT_PASSWORD="temppass"

echo $ROOT_PASSWORD | su -c "/usr/bin/mkdir -p /log/ssh/" root
echo $ROOT_PASSWORD | su -c "/usr/bin/mkdir -p /log/sssd/" root


echo "Starting SSSD"
echo $ROOT_PASSWORD | su -c "/usr/sbin/sssd -D --logger=files" root
echo "Starting SSHD"
echo $ROOT_PASSWORD | su -c "/usr/sbin/sshd -D -E /log/ssh/sshd.log" root
#echo $ROOT_PASSWORD | su -c "dbus-daemon --fork --config-file=/usr/share/dbus-1/session.conf --print-address" root
echo $ROOT_PASSWORD | su -c "dbus-broker-launch --config-file=/usr/share/dbus-1/session.conf" root

密码验证-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

辅助

sh-5.1$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
1001         1  0.0  0.0  12276  6260 ?        Ss   13:27   0:00 /bin/bash /opt/startup_script.sh
root        17  0.0  0.0  27032  8768 ?        Ss   13:28   0:00 /usr/sbin/sssd -D --logger=files
root        18  0.0  0.0  28048 15492 ?        S    13:28   0:00 /usr/libexec/sssd/sssd_be --domain example.com --uid 0 --gid 0 --logger=files
root        19  0.0  0.1  57848 46048 ?        S    13:28   0:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root        20  0.0  0.0  25076 12144 ?        S    13:28   0:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root        22  0.0  0.0  32704  6396 ?        S    13:28   0:00 su -c /usr/sbin/sshd -D -E /log/ssh/sshd.log root
root        23  0.0  0.0  24872  9604 ?        S    13:28   0:00 sshd: /usr/sbin/sshd -D -E /log/ssh/sshd.log [listener] 0 of 10-100 startups
1001        60  1.0  0.0  21580  6496 pts/0    Ss   13:49   0:00 /bin/sh
1001        66  0.0  0.0  24172  5872 pts/0    R+   13:49   0:00 ps aux

看起来我想要的所有服务(sssd 和 sshd)都成功运行了。但是当我尝试登录时,它不起作用。如果我尝试,它会起作用,ldapsearch但是例如,如果我尝试列出域,sssctl domain-list它会返回Unable to connect to system bus!

你们知道我做错了什么吗?

相关内容