On the domestically developed openEuler 22.03 platform the stock OpenSSH is 8.8p1. For security hardening we upgraded it to 9.3, but some applications still use old SFTP clients that can no longer connect to the new server, so an older OpenSSH server has to be stood up on this domestic open-source OS.
For a ready-made sftp container image published on Docker Hub, see my other article:
Running an old OpenSSH server on openEuler 22.03 based on the atmoz/sftp container
This article instead runs an OpenSSH server on an old CentOS container base image, so that the old application servers can reach the SFTP service again.
I. Current state of the server
# cat /etc/os-release
NAME="openEuler"
VERSION="22.03 LTS"
ID="openEuler"
VERSION_ID="22.03"
PRETTY_NAME="openEuler 22.03 LTS"
ANSI_COLOR="0;31"
# rpm -qa|grep openssh
openssh-clients-9.3p1-1.x86_64
openssh-server-9.3p1-1.x86_64
openssh-9.3p1-1.x86_64
# sshd -V
OpenSSH_9.3, OpenSSL 1.1.1m 14 Dec 2021
II. Building the container environment
1. Install the Docker engine
# dnf install docker
Last metadata expiration check: 0:08:09 ago on 2023年02月14日 星期二 11时15分49秒.
Dependencies resolved.
=========================================================================================================================================================
Package Architecture Version Repository Size
=========================================================================================================================================================
Installing:
docker-engine x86_64 18.09.0-300.oe2203 OS 37 M
Installing dependencies:
libcgroup x86_64 0.42.2-1.oe2203 OS 97 k
...
Installed:
docker-engine-18.09.0-300.oe2203.x86_64 libcgroup-0.42.2-1.oe2203.x86_64
Complete!
2. Check the container engine version
# rpm -qa |grep docker
docker-engine-18.09.0-300.oe2203.x86_64
3. Pull the centos6.10 image on a server with Internet access
# docker pull quay.io/centos/centos:centos6.10
centos6.10: Pulling from centos/centos
06a11a3d840d: Pull complete
Digest: sha256:7e53308393264c34359fbdf6d15d5c8c4985b8c2a58ee0ad4f7d5cc2e3c1577a
Status: Downloaded newer image for quay.io/centos/centos:centos6.10
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
quay.io/centos/centos centos6.10 48650444e419 4 years ago 194MB
4. Save the image to a tar file on the Internet-connected server
# docker save -o centos-6.10.tar quay.io/centos/centos:centos6.10
# ls -al centos-6.10.tar
-rw-------. 1 root root 201543168 6月 5 16:06 centos-6.10.tar
5. Load the image on the production server
# docker load -i centos-6.10.tar
8088cb617267: Loading layer [==================================================>] 201.5MB/201.5MB
Loaded image: quay.io/centos/centos:centos6.10
[root@localhost tmp]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
quay.io/centos/centos centos6.10 48650444e419 4 years ago 194MB
III. Deploying the OpenSSH container
1. Start the container
# docker run -itd --privileged --name opensshsrv quay.io/centos/centos:centos6.10 /bin/bash
e5f33bdbe305259dc4e3c55349ba1e89f1c7e6c0b2b91743687239ebc1e63d22
2. Configure yum to use a local repository (with 172.0.0.18 as the yum server in this example)
# docker exec -it opensshsrv /bin/bash
# cat /etc/redhat-release
CentOS release 6.10 (Final)
[root@e5f33bdbe305 /]# rm /etc/yum.repos.d/* -rf
[root@e5f33bdbe305 /]# vi /etc/yum.repos.d/http.repo
[root@e5f33bdbe305 /]# cat /etc/yum.repos.d/http.repo
[OS]
name=OS
baseurl=http://172.0.0.18/CentOS_YUM/CentOS_6.10/
enabled=1
gpgcheck=0
[root@e5f33bdbe305 /]# yum repolist
Loaded plugins: fastestmirror, ovl
OS | 4.0 kB 00:00
OS/primary_db | 4.7 MB 00:00
repo id repo name status
OS OS 6713
repolist: 6713
3. Install the OpenSSH server
[root@e5f33bdbe305 /]# yum install openssh-server
Loaded plugins: fastestmirror, ovl
Setting up Install Process
Determining fastest mirrors
Resolving Dependencies
--> Running transaction check
---> Package openssh-server.x86_64 0:5.3p1-123.el6_9 will be installed
...
--> Finished Dependency Resolution
Dependencies Resolved
============================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================
Installing:
openssh-server x86_64 5.3p1-123.el6_9 OS 329 k
Installing for dependencies:
dbus-glib x86_64 0.86-6.el6 OS 170 k
...
util-linux-ng x86_64 2.17.2-12.28.el6_9.2 OS 1.6 M
Transaction Summary
============================================================================================================================================================
Install 20 Package(s)
Total download size: 21 M
Installed size: 42 M
Is this ok [y/N]: y
Downloading Packages:
(1/20): plymouth-0.8.3-29.el6.centos.x86_64.rpm | 89 kB 00:00
... | 386 kB 00:00
(20/20): fipscheck-lib-1.2.0-7.el6.x86_64.rpm | 8.3 kB 00:00
------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 13 MB/s | 21 MB 00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : sysvinit-tools-2.87-6.dsf.el6.x86_64 1/20
Installing : hwdata-0.233-20.1.el6.noarch ... 19/20
Verifying : fipscheck-lib-1.2.0-7.el6.x86_64 20/20
Installed:
openssh-server.x86_64 0:5.3p1-123.el6_9
Dependency Installed:
dbus-glib.x86_64 0:0.86-6.el6 fipscheck.x86_64 0:1.2.0-7.el6 fipscheck-lib.x86_64 0:1.2.0-7.el6
hwdata.noarch 0:0.233-20.1.el6 initscripts.x86_64 0:9.03.61-1.el6.centos iproute.x86_64 0:2.6.32-57.el6
iptables.x86_64 0:1.4.7-19.el6 iputils.x86_64 0:20071127-24.el6 libdrm.x86_64 0:2.4.65-2.el6
libpciaccess.x86_64 0:0.13.4-1.el6 openssh.x86_64 0:5.3p1-123.el6_9 plymouth.x86_64 0:0.8.3-29.el6.centos
policycoreutils.x86_64 0:2.0.83-30.1.el6_8 redhat-logos.noarch 0:60.0.14-12.el6.centos sysvinit-tools.x86_64 0:2.87-6.dsf.el6
tcp_wrappers-libs.x86_64 0:7.6-58.el6 udev.x86_64 0:147-2.73.el6_8.2 upstart.x86_64 0:0.6.5-17.el6
util-linux-ng.x86_64 0:2.17.2-12.28.el6_9.2
Complete!
[root@e5f33bdbe305 /]# sshd -V
sshd: illegal option -- V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
[-f config_file] [-g login_grace_time] [-h host_key_file]
[-k key_gen_time] [-o option] [-p port] [-u len]
[root@e5f33bdbe305 /]#
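Before sshd is started in step 4, the stock CentOS 6.10 sshd_config is worth tightening, because this container exists only to serve SFTP to legacy clients. The script below is an added example, not code from the original post: it sets each directive in a way that survives re-runs and, for members of an assumed sftponly group, replaces the shell with a chrooted internal-sftp. It assumes the stock sshd_config with no existing Match block and that the script is saved as harden.sh inside the container.

```shell
#!/bin/sh
# Added example, not part of the original post: lock down the legacy container's
# /etc/ssh/sshd_config before "service sshd start". Assumes the stock CentOS 6.10
# config (no Match block yet) and a group named sftponly for SFTP-only accounts.

# set_sshd_option FILE KEY VALUE
# Comments out every active KEY line and writes the new directive at the top of
# the file, so it stays global and is never swallowed by a later Match block.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$key" "$value"
        sed "/^[[:space:]]*${key}[[:space:]]/s/^/#/" "$file"
    } > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# harden_legacy_sshd FILE
# Only directives OpenSSH 5.3p1 understands. Password logins stay enabled (the
# post relies on them); SSH-1, root login and forwarding are switched off, and
# SFTP goes through internal-sftp so sftponly members get a chroot and no shell.
harden_legacy_sshd() {
    file=$1
    set_sshd_option "$file" Protocol 2
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" PermitEmptyPasswords no
    set_sshd_option "$file" AllowTcpForwarding no
    set_sshd_option "$file" X11Forwarding no
    set_sshd_option "$file" Subsystem "sftp internal-sftp"
    # The Match block must be last: everything below it is scoped to the group.
    # sshd requires the chroot to be root-owned and not group/world writable, so
    # chown root:root /home/record (and give record a writable upload/ subdir)
    # before running usermod -aG sftponly record.
    grep -q '^Match Group sftponly' "$file" || cat >> "$file" <<'EOF'
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
EOF
}

# active_value FILE KEY: the first uncommented value of KEY, as sshd reads it.
active_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}
```

Source it inside the container as root (`. ./harden.sh`), run `harden_legacy_sshd /etc/ssh/sshd_config`, then start or restart sshd; the record account from step 6 keeps its bash login until it is added to sftponly.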
4. Start the sshd service
[root@e5f33bdbe305 /]# cd /etc/ssh
[root@e5f33bdbe305 ssh]# ll
total 128
-rw------- 1 root root 125811 Aug 31 2017 moduli
-rw------- 1 root root 3879 Aug 31 2017 sshd_config
[root@e5f33bdbe305 ssh]# service sshd start
Generating SSH2 RSA host key: [ OK ]
Generating SSH1 RSA host key: [ OK ]
Generating SSH2 DSA host key: [ OK ]
Starting sshd: [ OK ]
[root@e5f33bdbe305 ssh]# ll
total 152
-rw------- 1 root root 125811 Aug 31 2017 moduli
-rw------- 1 root root 3879 Aug 31 2017 sshd_config
-rw------- 1 root root 668 Jun 5 08:32 ssh_host_dsa_key
-rw-r--r-- 1 root root 590 Jun 5 08:32 ssh_host_dsa_key.pub
-rw------- 1 root root 963 Jun 5 08:32 ssh_host_key
-rw-r--r-- 1 root root 627 Jun 5 08:32 ssh_host_key.pub
-rw------- 1 root root 1675 Jun 5 08:32 ssh_host_rsa_key
-rw-r--r-- 1 root root 382 Jun 5 08:32 ssh_host_rsa_key.pub
5. Check the listening state
[root@e5f33bdbe305 ssh]# ss -an |grep 22
LISTEN 0 128 :::22 :::*
LISTEN 0 128 *:22 *:*
6. Create a user account
[root@e5f33bdbe305 ssh]# useradd record
[root@e5f33bdbe305 ssh]# cd /home
[root@e5f33bdbe305 home]# ll
total 0
drwx------ 2 record record 62 Jun 5 08:37 record
[root@e5f33bdbe305 home]# passwd record
Changing password for user record.
New password:
Retype new password:
7. Commit the container to a new image
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e5f33bdbe305 quay.io/centos/centos:centos6.10 "/bin/bash" 32 minutes ago Up 32 minutes opensshsrv
# docker commit -m "openssh5.3" -a "daijianbing" e5f33bdbe305 centos710-openssh5.3
sha256:fa4a3081ee09b6ed519c481f516968fdeaa4576cc5bc198cfb58163ed013c7c4
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
centos710-openssh5.3 latest fa4a3081ee09 6 seconds ago 281MB
quay.io/centos/centos centos6.10 48650444e419 4 years ago 194MB
8. Re-create the container from the new image and test the connection
# docker rm -f opensshsrv
opensshsrv
# docker run -itd --privileged --name opensshsrv -p 4433:22 centos710-openssh5.3 /bin/bash
6f96ec3211cd45bbee8a6d8318a2d65079b7d2e518f193ca1e7ab6b918bcfb34
[root@localhost tmp]# docker exec -it opensshsrv /bin/bash
[root@6f96ec3211cd /]# service sshd start
Starting sshd: [ OK ]
[root@6f96ec3211cd /]# exit
exit
[root@localhost tmp]# ssh record@127.0.0.1 -p 4433
The authenticity of host '[127.0.0.1]:4433 ([127.0.0.1]:4433)' can't be established.
RSA key fingerprint is SHA256:aSHCjMS/93Jt257Qi1ZwgQcgnCT05H14SWR79mYfSoU.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[127.0.0.1]:4433' (RSA) to the list of known hosts.
record@127.0.0.1's password:
[record@6f96ec3211cd ~]$ cat /etc/passwd |grep record
record:x:500:500::/home/record:/bin/bash
[record@6f96ec3211cd ~]$ cat /etc/redhat-release
CentOS release 6.10 (Final)
9. Check the sshd version (OpenSSH 5.3p1 has no -V option, but it still prints its version line ahead of the usage message)
[root@6f96ec3211cd /]# sshd -V
sshd: illegal option -- V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
That completes the task.