Linux
SSH error: cannot bind any address when using any user other than root in a container with Alpine Linux
I want to be able to start a Docker container as a user other than root and be able to ssh into it. When I start sshd as root, I can log in. When I switch it to start the container as another user and then try to log in as that user, I get the errors "Cannot bind any address." and "Bind to port 22 on :: failed: Permission denied.".
I have set the other user up with root privileges, but it still does not work.
Note that I am trying to get this working in Alpine Linux and use it as a Fargate task. When Fargate first connects to the container it immediately passes in a public key, which is put into the authorized keys file behind the scenes. I also made sure to use the other user when the Fargate ssh fails. In the example below I set it to ernie. When I set the user to root in the files below and change the Fargate code to use root as the user, I can get into the container fine. It is setting ernie as the user that gives me the error.
My Dockerfile:
```dockerfile
FROM alpine:latest

# Set the name of the user we want to use
ENV LOGINUSER="ernie"

# --------------------------------------------------------------------------------#
# Install and configure sshd.
# https://www.cyberciti.biz/faq/how-to-install-openssh-server-on-alpine-linux-including-docker/
# https://docs.docker.com/engine/examples/running_ssh_service for reference.
# --------------------------------------------------------------------------------#
RUN apk add --no-cache openssh-server bash shadow sudo \
    && mkdir -p /var/run/sshd

RUN adduser --disabled-password --gecos "" $LOGINUSER

# https://ostechnix.com/add-delete-and-grant-sudo-privileges-to-users-in-alpine-linux/
RUN echo '%wheel ALL=(ALL) ALL' > /etc/sudoers.d/wheel
RUN adduser $LOGINUSER wheel
RUN cat /etc/ssh/sshd_config && echo "AllowUsers $LOGINUSER" >> /etc/ssh/sshd_config
RUN echo "$LOGINUSER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/$LOGINUSER
# sudoers drop-in files must be mode 0440; the original chmod'ed the directory instead
RUN chmod 0440 /etc/sudoers.d/$LOGINUSER
#RUN echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config
RUN echo 'root:dummy_passwd' | chpasswd

EXPOSE 22

# change ownership of /etc/ssh to the user we want to use
# (RUN already executes as root during the build, so sudo is not needed here)
RUN chown -R $LOGINUSER /etc/ssh
RUN chown -R $LOGINUSER /run

#################### CREATE CUSTOM SSHD CONFIG ###########################
RUN mkdir /opt/custom_ssh
RUN chmod -R 777 /opt/custom_ssh/
# Need to chown to allow ernie access - remove for root to work again
RUN chown -R $LOGINUSER:$LOGINUSER /opt/custom_ssh

USER $LOGINUSER
# Host keys under /opt/custom_ssh; note the custom sshd_config below sets no
# HostKey directive, so sshd actually uses the defaults in /etc/ssh generated
# by `ssh-keygen -A`. DSA key generation may fail on current OpenSSH builds.
RUN ssh-keygen -f /opt/custom_ssh/ssh_host_rsa_key -N '' -t rsa
RUN ssh-keygen -f /opt/custom_ssh/ssh_host_dsa_key -N '' -t dsa
# This creates the default host keys in /etc/ssh (owned by $LOGINUSER above)
RUN ssh-keygen -A

# was `opt/custom_ssh/sshd_config` (relative path); use the absolute path
RUN echo 'Port 22' >> /opt/custom_ssh/sshd_config
RUN echo 'AuthorizedKeysFile /opt/custom_ssh/authorized_keys' >> /opt/custom_ssh/sshd_config
RUN echo 'Subsystem sftp /usr/lib/ssh/sftp-server' >> /opt/custom_ssh/sshd_config
RUN echo 'X11Forwarding no' >> /opt/custom_ssh/sshd_config
RUN echo 'GatewayPorts no' >> /opt/custom_ssh/sshd_config
RUN echo 'AllowTcpForwarding no' >> /opt/custom_ssh/sshd_config
RUN echo 'StrictModes no' >> /opt/custom_ssh/sshd_config
RUN echo 'PubkeyAcceptedKeyTypes +ssh-rsa' >> /opt/custom_ssh/sshd_config
RUN echo 'PubkeyAuthentication yes' >> /opt/custom_ssh/sshd_config
RUN chmod 644 /opt/custom_ssh/sshd_config

USER $LOGINUSER
ENTRYPOINT ["/docker-entrypoint.sh"]
```
My docker-entrypoint.sh file:
```sh
#!/bin/sh

# Needed for Fargate connection
setUpSSH() {
    echo "DEBUG - I am in the setUpSSH function"
    # was "$$SSH_PUBLIC_KEY": in sh "$$" expands to the shell's PID
    echo "DEBUG - the public key passed in is $SSH_PUBLIC_KEY"

    # Block the container from starting without an SSH public key.
    if [ -z "$SSH_PUBLIC_KEY" ]; then
        echo 'Need your SSH public key as the SSH_PUBLIC_KEY environment variable.'
        exit 1
    fi

    # Create a folder to store the user's SSH keys if it does not exist.
    USER_SSH_KEYS_FOLDER=/opt/custom_ssh
    [ ! -d "${USER_SSH_KEYS_FOLDER}" ] && mkdir -p "${USER_SSH_KEYS_FOLDER}"

    # Copy the contents of the `SSH_PUBLIC_KEY` environment variable
    # to the `$USER_SSH_KEYS_FOLDER/authorized_keys` file.
    # The environment variable must be set when the container starts.
    echo "${SSH_PUBLIC_KEY}" > "${USER_SSH_KEYS_FOLDER}/authorized_keys"
    echo "DEBUG - contents of ${USER_SSH_KEYS_FOLDER}/authorized_keys:"
    cat "${USER_SSH_KEYS_FOLDER}/authorized_keys"

    # Clear the `SSH_PUBLIC_KEY` environment variable.
    unset SSH_PUBLIC_KEY
}

setUpSSH

# Start the SSH daemon in the foreground (-D), logging to stderr (-e)
/usr/sbin/sshd -D -e -f /opt/custom_ssh/sshd_config
#exec "$@"
```
Only root can bind to ports below 1024. But there is no reason your ssh daemon has to listen on port 22. You can configure it to listen on any other port above 1024 (2222 is common for SSH in this case).
If your clients really must connect on port 22, then you simply map external port 22 to internal port 2222 in the ECS task definition. See "Port mappings" here: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html
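A small pre-flight check for the situation in this thread, added here as an example (it is not code from the question, the answer or any project). It reads the ports an sshd_config would listen on, lists the ones the current user cannot bind without CAP_NET_BIND_SERVICE (the capability root holds; the 1024 threshold is the Linux default from sysctl net.ipv4.ip_unprivileged_port_start), and then performs a real bind attempt the way sshd does on `::`, so the "Permission denied" in the question can be reproduced before the container is shipped to Fargate. The sample config text is constructed to mirror the question's /opt/custom_ssh/sshd_config; the function names are my own.

```python
"""Check whether an sshd_config's listening ports are bindable by the
current (possibly non-root) user, then try the bind for real.

Added example, not from the original question or answer. Uses only the
Python standard library.
"""
import errno
import os
import socket
from typing import List, Optional

# Linux default: ports below this need CAP_NET_BIND_SERVICE (root has it).
# The actual threshold is sysctl net.ipv4.ip_unprivileged_port_start.
PRIVILEGED_PORT_START = 1024

# Constructed sample mirroring the question's custom sshd_config.
SAMPLE_SSHD_CONFIG = """\
Port 22
AuthorizedKeysFile /opt/custom_ssh/authorized_keys
Subsystem sftp /usr/lib/ssh/sftp-server
X11Forwarding no
GatewayPorts no
AllowTcpForwarding no
StrictModes no
PubkeyAcceptedKeyTypes +ssh-rsa
PubkeyAuthentication yes
"""


def listen_ports(config_text: str) -> List[int]:
    """Return the ports sshd would listen on for this config.

    Handles `Port N` and `ListenAddress host:N` / `[v6]:N` directives
    (case-insensitive keywords, '#' comments). With no directive at all,
    sshd's default is port 22.
    """
    ports = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "port":
            ports.add(int(value))
        elif key == "listenaddress":
            # Only a ListenAddress with an explicit port pins a port; a bare
            # address (e.g. "::" or "0.0.0.0") inherits the Port directive(s).
            host, sep, port = value.rpartition(":")
            if sep and port.isdigit() and (host.endswith("]") or ":" not in host):
                ports.add(int(port))
    return sorted(ports) or [22]


def privileged_ports(ports: List[int], euid: Optional[int] = None) -> List[int]:
    """Ports in `ports` that this euid cannot bind without CAP_NET_BIND_SERVICE."""
    if euid is None:
        euid = os.geteuid()
    if euid == 0:
        return []
    return [p for p in ports if p < PRIVILEGED_PORT_START]


def try_bind(port: int) -> int:
    """Bind a listening socket on the wildcard address like sshd does on `::`.

    Returns 0 on success or the errno; errno.EACCES is what produces sshd's
    'Bind to port 22 on :: failed: Permission denied.'.
    """
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        addr = ("::", port)
    except OSError:  # no IPv6 in this network namespace: use the IPv4 wildcard
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        addr = ("0.0.0.0", port)
    with sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            sock.bind(addr)
        except OSError as exc:
            return exc.errno
    return 0


def describe(port: int) -> str:
    """Human-readable result of a live bind attempt on `port`."""
    rc = try_bind(port)
    if rc == 0:
        return "port %d: bindable by uid %d" % (port, os.geteuid())
    if rc == errno.EACCES:
        return "port %d: Permission denied (needs root or CAP_NET_BIND_SERVICE)" % port
    return "port %d: %s" % (port, os.strerror(rc))


if __name__ == "__main__":
    ports = listen_ports(SAMPLE_SSHD_CONFIG)
    print("sshd_config listens on:", ports)
    print("privileged for this user:", privileged_ports(ports))
    for p in ports + [2222]:
        print(describe(p))
```

Run inside the image as `ernie` and the `Port 22` config reports 22 as privileged and the live attempt returns Permission denied; change the directive to `Port 2222` (with `EXPOSE 2222`) and the problem list is empty, after which the task definition's port mapping (containerPort 2222, hostPort 22) keeps clients on port 22 as the answer describes.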