我正在尝试使用 docker 设置使用 LDAP 身份验证的 ssh jumphost。我以无根身份运行容器。
注意:目前这些都处于测试阶段,但希望听到一些关于更好做法的反馈
Dockerfile:
FROM almalinux:9-minimal
RUN microdnf update -y && microdnf install -y \
# SSH server & client
openssh-server \
openssh-clients \
# Management tools
procps \
vim \
iptables \
net-tools \
iputils \
findutils \
less \
nano \
# LDAP packages
dbus \
sssd-common \
sssd-ldap \
sssd-client \
sssd-tools \
openldap-clients \
policycoreutils-python-utils \
# Cleanup install
&& microdnf clean all
# Setup mangement account & basic sshd settings
...
# Install startup & login logging script & make them executable
COPY scripts/startup_script.sh /opt/
RUN chmod a+x /opt/startup_script.sh
# Copy sssd config to docker
COPY sssd/sssd.conf /etc/sssd
COPY sssd/password-auth-ac /etc/pam.d/
# Set correct permissions for config files
RUN chmod 644 /etc/pam.d/password-auth-ac; \
cp /etc/pam.d/password-auth-ac /etc/pam.d/system-auth-ac; \
chmod 600 /etc/sssd/sssd.conf; \
# Rest of the configuration
USER 1001
EXPOSE 22
ENTRYPOINT ["/bin/bash","/opt/startup_script.sh"]
启动脚本
ROOT_PASSWORD="temppass"
echo $ROOT_PASSWORD | su -c "/usr/bin/mkdir -p /log/ssh/" root
echo $ROOT_PASSWORD | su -c "/usr/bin/mkdir -p /log/sssd/" root
echo "Starting SSSD"
echo $ROOT_PASSWORD | su -c "/usr/sbin/sssd -D --logger=files" root
echo "Starting SSHD"
echo $ROOT_PASSWORD | su -c "/usr/sbin/sshd -D -E /log/ssh/sshd.log" root
#echo $ROOT_PASSWORD | su -c "dbus-daemon --fork --config-file=/usr/share/dbus-1/session.conf --print-address" root
echo $ROOT_PASSWORD | su -c "dbus-broker-launch --config-file=/usr/share/dbus-1/session.conf" root
密码验证-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
辅助
sh-5.1$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
1001 1 0.0 0.0 12276 6260 ? Ss 13:27 0:00 /bin/bash /opt/startup_script.sh
root 17 0.0 0.0 27032 8768 ? Ss 13:28 0:00 /usr/sbin/sssd -D --logger=files
root 18 0.0 0.0 28048 15492 ? S 13:28 0:00 /usr/libexec/sssd/sssd_be --domain example.com --uid 0 --gid 0 --logger=files
root 19 0.0 0.1 57848 46048 ? S 13:28 0:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root 20 0.0 0.0 25076 12144 ? S 13:28 0:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root 22 0.0 0.0 32704 6396 ? S 13:28 0:00 su -c /usr/sbin/sshd -D -E /log/ssh/sshd.log root
root 23 0.0 0.0 24872 9604 ? S 13:28 0:00 sshd: /usr/sbin/sshd -D -E /log/ssh/sshd.log [listener] 0 of 10-100 startups
1001 60 1.0 0.0 21580 6496 pts/0 Ss 13:49 0:00 /bin/sh
1001 66 0.0 0.0 24172 5872 pts/0 R+ 13:49 0:00 ps aux
看起来我想要的所有服务(sssd 和 sshd)都成功运行了。但是当我尝试登录时,它不起作用。如果我尝试,它会起作用,ldapsearch但是例如,如果我尝试列出域,sssctl domain-list它会返回Unable to connect to system bus!
你们知道我做错了什么吗?