SSH Tunneling to docker container
Basically I followed the instructions in this post, where you can also find more details about what I'm trying to achieve:
Stackoverflow’s linked post: How to SSH into Docker?
Actually I set up everything correctly but my connection is terminated every time with the following message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
<rsa-key>.
Please contact your system administrator.
Add correct host key in /home/rico/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/rico/.ssh/known_hosts:31
remove with: ssh-keygen -f "/home/rico/.ssh/known_hosts" -R [<server-ip>]:33
RSA host key for [<server-ip>]:33 has changed and you have requested strict checking.
Host key verification failed.
I attached a screenshot here:
My command line is:
ssh -p 33 root@<server-ip>
where ’33’ is the ssh port of the docker container.
What do I have to do in order to have the connection accepted by my Virtual Server?
Run the command again, adding the -v flag, and post the output:
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to <server-ip> [<server-ip>] port 44.
debug1: Connection established.
debug1: identity file /home/rico/.ssh/id_rsa type 1
debug1: identity file /home/rico/.ssh/id_rsa-cert type -1
debug1: identity file /home/rico/.ssh/id_dsa type -1
debug1: identity file /home/rico/.ssh/id_dsa-cert type -1
debug1: identity file /home/rico/.ssh/id_ecdsa type -1
debug1: identity file /home/rico/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/rico/.ssh/id_ed25519 type -1
debug1: identity file /home/rico/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u3
debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr firstname.lastname@example.org none
debug1: kex: client->server aes128-ctr email@example.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA <server-mac-address>
debug1: Host '[<server-ip>]:44' is known and matches the ECDSA host key.
debug1: Found key in /home/rico/.ssh/known_hosts:32
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/rico/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: <my-email>@gmail.com
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: <my-email>@gmail.com
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/rico/.ssh/id_dsa
debug1: Trying private key: /home/rico/.ssh/id_ecdsa
debug1: Trying private key: /home/rico/.ssh/id_ed25519
debug1: Next authentication method: password
root@<server-ip>'s password:
Even if I set up a new root password it doesn’t work.
2 Solutions collected from the web for “SSH Tunneling to docker container”
You might want to reconsider using SSH. As the comments in your linked post point out, this goes against Docker’s concept. Furthermore, running additional SSH server(s) increases your potential attack surface.
There are two alternatives for getting access to your containers:
- SSH into your VM and use docker exec, e.g.
  docker exec -it <yourcontainer> bash
- Connect your local client to the docker daemon running inside your VM. This is an advanced approach, but Docker has good documentation on how to do it securely. In a nutshell: you configure the daemon on your VM to listen on a TCP socket, e.g. dockerd -H=0.0.0.0:2376. Then you point your local client to the corresponding IP, docker -H=$HOST:2376 version. Everything must be secured by using signed TLS certificates.
I hope this helps!
You can bypass that issue by adding this to your
-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
To solve the authentication problem, follow this guide to create an authorized_keys file and finally add it to your image using the
ADD authorized_keys /home/docker/.ssh/authorized_keys
NOTE: as @stepf comments, ssh is not the intended way to access docker containers.
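The host key warning from the question can also be cleared while keeping verification on. The following is an added example, not part of the original answers: it classifies the key the container offers against known_hosts and replaces the stale [host]:port entry only when the key's SHA256 fingerprint equals one read from inside the container (for instance with docker exec and ssh-keygen -lf on the container's host key file, which is an assumption about your setup). The IP address, key blobs and function names are constructed for illustration.

```python
import base64
import hashlib

def fingerprint(key_b64):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_token(host, port):
    """known_hosts writes non-default ports as [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"

def names_host(line, token):
    """True if a plain-text known_hosts line lists this host token.
    Hashed (|1|...) and @marker lines never match and are left untouched."""
    fields = line.split()
    return len(fields) >= 3 and token in fields[0].split(",")

def check(known_hosts, host, port, offered):
    """Classify an offered 'type base64' key as match, changed or unknown."""
    ktype, kb64 = offered.split()[:2]
    token, status = host_token(host, port), "unknown"
    for line in known_hosts.splitlines():
        if names_host(line, token) and line.split()[1] == ktype:
            if line.split()[2] == kb64:
                return "match"
            status = "changed"  # same host and key type, different key
    return status

def repin(known_hosts, host, port, offered, trusted_fp):
    """Replace stale entries only if the offered key has the verified fingerprint."""
    ktype, kb64 = offered.split()[:2]
    if fingerprint(kb64) != trusted_fp:
        raise ValueError("offered key does not match the verified fingerprint")
    token = host_token(host, port)
    kept = [l for l in known_hosts.splitlines() if not names_host(l, token)]
    return "\n".join(kept + [f"{token} {ktype} {kb64}"]) + "\n"

# Constructed sample data: stand-in key blobs and a documentation IP, not real keys.
OLD = base64.b64encode(b"constructed old container host key").decode()
NEW = base64.b64encode(b"constructed rebuilt container host key").decode()
KNOWN = f"[203.0.113.10]:33 ssh-rsa {OLD}\nexample.org ssh-rsa {OLD}\n"
OFFERED = f"ssh-rsa {NEW}"

if __name__ == "__main__":
    print(check(KNOWN, "203.0.113.10", 33, OFFERED))
    # In practice trusted_fp is read inside the container, not derived from the offer.
    updated = repin(KNOWN, "203.0.113.10", 33, OFFERED, fingerprint(NEW))
    print(check(updated, "203.0.113.10", 33, OFFERED))
```

A rebuilt container usually generates fresh host keys, which is why the entry for the mapped port goes stale; entries for other hosts in the file are left as they are.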