On the domestic openEuler 22.03 platform, the containerized OpenSSH defaults to 8.8p1. For security hardening we upgraded it to 9.3, but the sftp clients of some applications are old and can no longer connect to the new server, so this article tries to set up an older OpenSSH server on this domestic open-source operating system.
To run an OpenSSH server from a CentOS release instead, see the following link:
Running an old CentOS-version OpenSSH server in a container on openEuler 22.03
This article uses the atmoz/sftp container to accomplish this.
I. Current state of the server
# cat /etc/os-release
NAME="openEuler"
VERSION="22.03 LTS"
ID="openEuler"
VERSION_ID="22.03"
PRETTY_NAME="openEuler 22.03 LTS"
ANSI_COLOR="0;31"
# rpm -qa|grep openssh
openssh-clients-9.3p1-1.x86_64
openssh-server-9.3p1-1.x86_64
openssh-9.3p1-1.x86_64
# sshd -V
OpenSSH_9.3, OpenSSL 1.1.1m 14 Dec 2021
II. Building the container environment
1. Install the Docker engine
# dnf install docker
Last metadata expiration check: 0:08:09 ago on 2023年02月14日 星期二 11时15分49秒.
Dependencies resolved.
=========================================================================================================================================================
Package Architecture Version Repository Size
=========================================================================================================================================================
Installing:
docker-engine x86_64 18.09.0-300.oe2203 OS 37 M
Installing dependencies:
libcgroup x86_64 0.42.2-1.oe2203 OS 97 k
...
Installed:
docker-engine-18.09.0-300.oe2203.x86_64 libcgroup-0.42.2-1.oe2203.x86_64
Complete!
2. Check the container engine version
# rpm -qa |grep docker
docker-engine-18.09.0-300.oe2203.x86_64
3. On a server with Internet access, pull the old atmoz/sftp image (version: SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4)
# docker pull atmoz/sftp:debian-stretch
debian-stretch: Pulling from atmoz/sftp
54f7e8ac135a: Pull complete
3f52a8d01159: Pull complete
14856b27d9af: Pull complete
cb94deffb242: Pull complete
ed5edd71d2af: Pull complete
Digest: sha256:f9e17ac7177b720dce6f77155355475d508ee8f686cc82587173d1270a14301c
Status: Downloaded newer image for atmoz/sftp:debian-stretch
4. On the Internet-connected server, save the image to a file
# docker save -o atmoz-sftp-ds-V7.4.tar atmoz/sftp:debian-stretch
[root@localhost ~]# ll atmoz-sftp-ds-V7.4.tar
-rw-------. 1 root root 190M 6月 6 16:59 atmoz-sftp-ds-V7.4.tar
5. On the production server, load the image
# docker load -i atmoz-sftp-ds-V7.4.tar
90d1009ce6fe: Loading layer [==================================================>] 105.5MB/105.5MB
f9d6f5e92f50: Loading layer [==================================================>] 93.39MB/93.39MB
db6201dba5fd: Loading layer [==================================================>] 3.072kB/3.072kB
174767356650: Loading layer [==================================================>] 6.144kB/6.144kB
f449765b47f7: Loading layer [==================================================>] 4.608kB/4.608kB
Loaded image: atmoz/sftp:debian-stretch
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
atmoz/sftp debian-stretch 11a2da94f61d 4 years ago 190MB
III. Deploying the OpenSSH container
1. Generate the hashed password for the user (replace “用户密码” in the command with the user's real login password). Record the string at the end of the output, in this example “$1$oZKRHpZE$oB2UIVwI5y.EOdaL.EPy/.”; for several users, run the command once per password:
# echo -n "用户密码" | docker run -i --rm atmoz/makepasswd --crypt-md5 --clearfrom=-
Unable to find image 'atmoz/makepasswd:latest' locally
latest: Pulling from atmoz/makepasswd
f49cf87b52c1: Pull complete
0083cfd11360: Pull complete
Digest: sha256:81545975533c4bc662f2686582b7c1588acf08f9232ae77572804876f306c914
Status: Downloaded newer image for atmoz/makepasswd:latest
WARNING: IPv4 forwarding is disabled. Networking will not work.
用户密码 $1$oZKRHpZE$oB2UIVwI5y.EOdaL.EPy/.
2. Edit the user account file (this example creates two sftp users, sftpuser1 and sftpuser2, with the same password; the file is /data/docker-files/users.conf; note that for a hashed password the field after the password string must be :e).
Tip: set the container user's uid to the uid of the host user who will work with the files, so that files uploaded through the container appear on the host as owned by that user; whether the user names match does not matter.
# vi users.conf
# cat users.conf
sftpuser1:$1$oZKRHpZE$oB2UIVwI5y.EOdaL.EPy/.:e:1001
sftpuser2:$1$oZKRHpZE$oB2UIVwI5y.EOdaL.EPy/.:e:1002
3. Write the container creation command (this example exposes the container's ssh service on port 1122)
# vi 1-docker-init.sh
# cat 1-docker-init.sh
docker run --name sftpsrv -v /data/docker-files/users.conf:/etc/sftp/users.conf:ro -v /data/testuser1:/home/testuser1 -v /data/testuser2:/home/testuser2 -p 1122:22 -d atmoz/sftp:debian-stretch
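Before creating the container it is worth checking the users.conf from step 2 against the volumes in the docker run line from step 3: atmoz/sftp creates each account's home at /home/<user> inside the container, so a volume mounted under another name is not where that user's uploads land, and a crypt(3) hash entered without the :e flag is taken as a literal password. The script below is an added example, not part of the original article or of the atmoz/sftp project; it assumes the documented users.conf field order user:pass[:e][:uid[:gid[:dirs]]] and, run on the two inputs above, reports that sftpuser1 and sftpuser2 have no /home volume while /home/testuser1 and /home/testuser2 belong to no configured user.

```python
import re
import shlex
# users.conf line format used by atmoz/sftp: user:pass[:e][:uid[:gid[:dir1[,dir2]...]]]
# ":e" marks the password field as an already-hashed crypt(3) string (e.g. "$1$..." from makepasswd).
CRYPT_HASH = re.compile(r"^\$(1|5|6|2[aby]?|y)\$")

def parse_users_conf(text):
    """Parse users.conf into dicts with name, password, encrypted flag and uid (None if absent)."""
    users = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        name, password, *rest = line.split(":")
        encrypted = bool(rest) and rest[0] == "e"
        rest = rest[1:] if encrypted else rest
        uid = int(rest[0]) if rest and rest[0] else None
        users.append({"name": name, "password": password, "encrypted": encrypted, "uid": uid})
    return users

def home_mounts(docker_run_cmd):
    """Map user -> host path for every '-v host:/home/<user>[:opts]' volume in the command."""
    mounts, args = {}, shlex.split(docker_run_cmd)
    for flag, spec in zip(args, args[1:]):
        if flag == "-v":
            host, _, target = spec.partition(":")
            m = re.fullmatch(r"/home/([^/:]+)(:.*)?", target)
            if m:
                mounts[m.group(1)] = host
    return mounts

def check_config(users, mounts):
    """Return the problems to fix before 'docker run' (empty list when users.conf and mounts agree)."""
    problems, uids = [], {}
    for u in users:
        n = u["name"]
        if CRYPT_HASH.match(u["password"]) and not u["encrypted"]:
            problems.append(f"{n}: hash given without :e, the hash string itself becomes the password")
        if u["uid"] is not None and uids.setdefault(u["uid"], n) != n:
            problems.append(f"{n}: uid {u['uid']} already used by {uids[u['uid']]}")
        if n not in mounts:
            problems.append(f"{n}: no volume mounted at /home/{n}, uploads stay inside the container")
    for n in sorted(set(mounts) - {u["name"] for u in users}):
        problems.append(f"{n}: /home/{n} is mounted but no such user exists in users.conf")
    return problems

# Inputs copied from step 2 (users.conf) and step 3 (the docker run line) above.
USERS_CONF = """sftpuser1:$1$oZKRHpZE$oB2UIVwI5y.EOdaL.EPy/.:e:1001
sftpuser2:$1$oZKRHpZE$oB2UIVwI5y.EOdaL.EPy/.:e:1002"""
DOCKER_RUN = ("docker run --name sftpsrv -v /data/docker-files/users.conf:/etc/sftp/users.conf:ro "
              "-v /data/testuser1:/home/testuser1 -v /data/testuser2:/home/testuser2 -p 1122:22 -d atmoz/sftp:debian-stretch")
```

Call check_config(parse_users_conf(USERS_CONF), home_mounts(DOCKER_RUN)) and fix every reported line before running 1-docker-init.sh; an empty list means account names, :e flags, uids and /home volumes are consistent.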
4. Create the sftpsrv container
[root@localhost docker-files]# sh 1-docker-init.sh
3e5c9eaae457b843bb68f3b83eb1a6e95179784ba8a32a553e8176b349ff3a08
[root@localhost docker-files]# docker exec -it sftpsrv /bin/bash
root@3e5c9eaae457:/# ls
bin boot data dev entrypoint etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
root@3e5c9eaae457:/# exit
exit
[root@localhost docker-files]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3e5c9eaae457 atmoz/sftp:debian-stretch "/entrypoint" 7 minutes ago Up 7 minutes 0.0.0.0:1122->22/tcp sftpsrv
5. Check the container's service port: the port accepts connections and the banner shows the expected version
# telnet 127.0.0.1 1122
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u4
Connection closed by foreign host
6. Test the sftp connection
# sftp -P 1122 testuser1@127.0.0.1
The authenticity of host '[127.0.0.1]:1122 ([127.0.0.1]:1122)' can't be established.
ED25519 key fingerprint is SHA256:utZncdAeTPcG16xcakcAMwuLjrbO9PnE+B2nc0t2TWQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[127.0.0.1]:1122' (ED25519) to the list of known hosts.
testuser1@127.0.0.1's password:
Connected to 127.0.0.1.
sftp> ls
data
sftp> pwd
Remote working directory: /
sftp> exit