SSH Tunneling to docker container

I’m trying to establish an ssh tunnel to my docker container running on my remote Virtual Server.

Basically I followed the instructions in this post, where you can also find more details about what I’m trying to achieve:

  • Stackoverflow’s linked post: How to SSH into Docker?

    Actually I set up everything correctly but my connection is terminated every time with the following message:


    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is <rsa-key>.
    Please contact your system administrator.
    Add correct host key in /home/rico/.ssh/known_hosts to get rid of this message.
    Offending ECDSA key in /home/rico/.ssh/known_hosts:31 remove with: ssh-keygen -f "/home/rico/.ssh/known_hosts" -R [<server-ip>]:33
    RSA host key for [<server-ip>]:33 has changed and you have requested strict checking.
    Host key verification failed.
    

    I attached a screenshot here:
    https://s18.postimg.org/ivnnxj7a1/connection_closed.png

    My command line is:

    ssh -p 33 root@<server-ip>

    where ’33’ is the ssh port of the docker container.

    What do I have to do in order to have the connection accepted by my Virtual Server?

    [UPDATE]

    run the command adding also -v flag and post the output:

    OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to <server-ip> [<server-ip>] port 44.
    debug1: Connection established.
    debug1: identity file /home/rico/.ssh/id_rsa type 1
    debug1: identity file /home/rico/.ssh/id_rsa-cert type -1
    debug1: identity file /home/rico/.ssh/id_dsa type -1
    debug1: identity file /home/rico/.ssh/id_dsa-cert type -1
    debug1: identity file /home/rico/.ssh/id_ecdsa type -1
    debug1: identity file /home/rico/.ssh/id_ecdsa-cert type -1
    debug1: identity file /home/rico/.ssh/id_ed25519 type -1
    debug1: identity file /home/rico/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u3
    debug1: match: OpenSSH_6.7p1 Debian-5+deb8u3 pat OpenSSH* compat 0x04000000
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com none
    debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ECDSA <server-mac-address>
    debug1: Host '[<server-ip>]:44' is known and matches the ECDSA host key.
    debug1: Found key in /home/rico/.ssh/known_hosts:32
    debug1: ssh_ecdsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/rico/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password
    debug1: Offering RSA public key: <my-email>@gmail.com
    debug1: Authentications that can continue: publickey,password
    debug1: Offering RSA public key: <my-email>@gmail.com
    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /home/rico/.ssh/id_dsa
    debug1: Trying private key: /home/rico/.ssh/id_ecdsa 
    debug1: Trying private key: /home/rico/.ssh/id_ed25519
    debug1: Next authentication method: password
    root@<server-ip>'s password: 
    

    Even if I set up a new root password, it doesn’t work.

2 Solutions collected from the web for “SSH Tunneling to docker container”

    You might want to reconsider using SSH. As the comments in your linked post point out, this goes against Docker’s concept. Furthermore, running additional SSH server(s) increases your potential attack surface.

    There are two alternatives for getting access to your containers:

    1. SSH into your VM and use docker exec, e.g. docker exec -it <yourcontainer> bash
    2. Connect your local client to the docker daemon running inside your VM. This is an advanced approach, but Docker has good documentation on how to do it securely. In a nutshell: You configure the daemon on your VM to listen on a TCP socket, e.g. dockerd -H=0.0.0.0:2376. Then you point your local client to the corresponding IP, docker -H=$HOST:2376 version. Everything must be secured by using signed TLS certificates.

    I hope this helps!
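
A check for the second alternative above, as an added example that is not part of the answer: it audits a dockerd daemon.json for a TCP listener that lacks the TLS settings the answer calls for. The sample configurations, the 192.0.2.10 address and the /etc/docker/tls/ paths are constructed assumptions.

```python
import json

def audit_daemon_config(text):
    """Return findings for a dockerd daemon.json; an empty list means nothing flagged."""
    cfg = json.loads(text)
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp:
        return []  # daemon reachable only through local sockets
    findings = []
    if not cfg.get("tlsverify"):
        findings.append("tlsverify is off: TCP clients are not authenticated")
    for key in ("tlscacert", "tlscert", "tlskey"):
        if not cfg.get(key):
            findings.append(f"{key} is not set")
    for h in tcp:
        if h.startswith("tcp://0.0.0.0:"):
            findings.append(f"{h} listens on every interface; restrict it by bind address or firewall")
    return findings

# Constructed samples. WEAK mirrors `dockerd -H=0.0.0.0:2376` with no TLS options.
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]}'
# Certificate paths below are assumed locations, not taken from the page.
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://192.0.2.10:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/tls/ca.pem",
    "tlscert": "/etc/docker/tls/server-cert.pem",
    "tlskey": "/etc/docker/tls/server-key.pem",
})

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_config(sample) or "no findings")
```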

    You can bypass that issue by adding this to your ssh command:

    -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
    

    To solve the authentication problem, follow this guide to create an authorized_keys file and finally add it to your image using the Dockerfile:

    ADD authorized_keys /home/docker/.ssh/authorized_keys
    

    NOTE: as @stepf comments, SSH is not the intended way to access Docker containers.
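
A way to resolve the warning while leaving host key checking on, as an added example that is not part of either answer: read the container's public host key over a channel you already trust (for instance docker exec on the VM, reading /etc/ssh/ssh_host_ed25519_key.pub, the usual OpenSSH location and an assumption here) and compare it with what known_hosts holds for [host]:port, hashed entries included. The keys, salt and address in the sample are constructed.

```python
import base64, hashlib, hmac, struct

def fingerprint(blob_b64):
    """SHA256 fingerprint as OpenSSH prints it (base64 with padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def names_host(field, token):
    """True if a known_hosts host field names token, plain or hashed (|1|salt|hmac)."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        calc = hmac.new(base64.b64decode(salt), token.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(calc, base64.b64decode(mac))
    return token in field.split(",")

def audit(known_hosts_text, host, port, trusted_line):
    """List (line, key type, fingerprint, status) for each entry naming host:port."""
    token = host if port == 22 else f"[{host}]:{port}"  # non-default ports are bracketed
    t_type, t_blob = trusted_line.split()[:2]
    report = []
    for n, line in enumerate(known_hosts_text.splitlines(), 1):
        f = line.split()
        if len(f) < 3 or f[0].startswith(("#", "@")):
            continue  # blank lines, comments, @cert-authority / @revoked entries
        if names_host(f[0], token):
            # An entry of another key type cannot be compared with the trusted key.
            status = "other-type" if f[1] != t_type else "match" if f[2] == t_blob else "mismatch"
            report.append((n, f[1], fingerprint(f[2]), status))
    return report

def _blob(seed):
    # Constructed ssh-ed25519 wire blob for the demo, not a real key
    kind = b"ssh-ed25519"
    raw = struct.pack(">I", len(kind)) + kind + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(raw).decode()

def _hashed(token, salt=b"constructed-salt-20b"):
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

OLD, NEW = _blob(1), _blob(2)  # key before and after the container was rebuilt
TRUSTED = f"ssh-ed25519 {NEW} root@container"  # as read from the container itself
KNOWN_HOSTS = "\n".join([
    "# constructed sample; 203.0.113.10 is a documentation address",
    f"[203.0.113.10]:44 ssh-ed25519 {OLD}",
    f"{_hashed('[203.0.113.10]:33')} ssh-ed25519 {OLD}",
    f"[203.0.113.10]:33 ssh-ed25519 {NEW}",
])
```

An entry reported as mismatch is the one to drop with the ssh-keygen -R command the warning prints; the key the server presents on the next connection should then carry the fingerprint computed for the trusted key.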
