How to ssh into a LXD guest?
Solution 1
By default, all Ubuntu lxd
images for containers are set up with PasswordAuthentication no
in their SSH configuration.
You need to go into the container directly and edit the config as root
.
(1) lxc shell CONTAINER-NAME
will drop you to a root
shell.
(2) nano /etc/ssh/sshd_config
will open the nano
text editor to that file.
(3) Find the line PasswordAuthentication no
and set it to yes
.
(4) Ctrl+W to write the file, and Ctrl+X to close the file.
(5) Restart the SSH service with systemctl restart ssh
. (if this says you don't have permissions, prepend sudo
to the command)
You should now be able to SSH into the container from the host system.
Solution 2
A public key can be used for authentication.
- add public key to authorized keys on the container:
cat <public_key_file_on_host> | lxc exec <container> -- sh -c "cat >> /home/ubuntu/.ssh/authorized_keys"
- restart the ssh daemon:
lxc exec <container> -- systemctl restart ssh
- ssh into the container as ubuntu
ssh ubuntu@<container_ip>
Notes:
- Example
<public_key_file_on_host>
:~/.ssh/id_rsa.pub
(or generate a new one withssh-keygen -t rsa
) <container_ip>
can be obtained withlxc list
- To use container names directly instead of IPs, try
sudo systemd-resolve --interface=lxdbr0 --set-dns=`ip -f inet addr show dev lxdbr0 | grep -Po 'inet \K[\d.]+'` --set-domain=lxd
ssh ubuntu@<container>.lxd
Related videos on Youtube
![Mirto Busico](https://i.stack.imgur.com/zqzgd.png?s=256&g=1)
Mirto Busico
Updated on September 18, 2022Comments
-
Mirto Busico almost 2 years
I have a host machine (KVM with Kubuntu 18.04) with a LXD guest (based on ubuntu18.04 image).
I can ssh from guest to host.
But trying to ssh from host to guest gives an
Permission denied (publickey)
error
Step to reproduce:
- lxc exec into the guest
- exec login with ubuntu user (to avoid root permissions problems)
- ssh to host - SUCCESS
- exit form user ubuntu - exit from guest
- from host ssh into ubuntu@guest - ERROR
What I'm doing wrong?
Below the complete session transcript
sysop@kvmneo4j:~$ lxc list +----------+---------+-------------------+------+------------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +----------+---------+-------------------+------+------------+-----------+ | base1804 | RUNNING | 10.0.0.205 (eth0) | | PERSISTENT | 0 | +----------+---------+-------------------+------+------------+-----------+ sysop@kvmneo4j:~$ lxc exec base1804 bash root@base1804:~# exec login ubuntu Password: Last login: Wed Jan 2 18:58:10 UTC 2019 on UNKNOWN Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-43-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Wed Jan 2 19:02:28 UTC 2019 System load: 1.69 Processes: 22 Usage of /home: unknown Users logged in: 0 Memory usage: 1% IP address for eth0: 10.0.0.205 Swap usage: 0% Get cloud support with Ubuntu Advantage Cloud Guest: http://www.ubuntu.com/business/services/cloud 0 packages can be updated. 0 updates are security updates. Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings To run a command as administrator (user "root"), use "sudo <command>". See "man sudo_root" for details. ubuntu@base1804:~$ ssh [email protected] [email protected]'s password: Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-43-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage * Canonical Livepatch is available for installation. - Reduce system reboots and improve kernel security. Activate at: https://ubuntu.com/livepatch Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings Last login: Wed Jan 2 19:58:42 2019 from 10.0.0.205 sysop@kvmneo4j:~$ logout Connection to 10.0.0.1 closed. ubuntu@base1804:~$ logout sysop@kvmneo4j:~$ ssh -v [email protected] OpenSSH_7.6p1 Ubuntu-4ubuntu0.1, OpenSSL 1.0.2n 7 Dec 2017 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: Applying options for * debug1: Connecting to 10.0.0.205 [10.0.0.205] port 22. debug1: Connection established. debug1: identity file /home/sysop/.ssh/id_rsa type 0 debug1: key_load_public: No such file or directory debug1: identity file /home/sysop/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/sysop/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/sysop/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/sysop/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/sysop/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/sysop/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/sysop/.ssh/id_ed25519-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.6p1 Ubuntu-4ubuntu0.1 debug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x04000000 debug1: Authenticating to 10.0.0.205:22 as 'ubuntu' debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ecdsa-sha2-nistp256 SHA256:i0Ezo01qJyhIue4PIRobOw/qKuvDW/7OJZzgB0X5jGM debug1: Host '10.0.0.205' is known and matches the ECDSA host key. debug1: Found key in /home/sysop/.ssh/known_hosts:1 debug1: rekey after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: rekey after 134217728 blocks debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521> debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey debug1: Next authentication method: publickey debug1: Offering public key: RSA SHA256:EfYKpv5N+M8YBgCFjjy3P9M0jYt7DObq9ApoZ0G8qL4 /home/sysop/.ssh/id_rsa debug1: Authentications that can continue: publickey debug1: Trying private key: /home/sysop/.ssh/id_dsa debug1: Trying private key: /home/sysop/.ssh/id_ecdsa debug1: Trying private key: /home/sysop/.ssh/id_ed25519 debug1: No more authentication methods to try. [email protected]: Permission denied (publickey). sysop@kvmneo4j:~$
-
Thomas Ward over 5 yearsThis won't work because of the container defaults which forbid password authentication.
-
Mirto Busico over 5 yearsThanks it worked. BTW what is the recommended method to interact by script with an LXD container? I mean rcp to transer files or something similar
-
Thomas Ward over 5 yearsThe standard way you would transfer data between host and container would be
scp
orrsync
- but you have to either use SSH keys or do these steps to enable password authentication. Treat the container as its own OS whne you consider file transfers to/from it -
Marius Gedminas about 4 yearsYou shouldn't need
sudo
beforesystemctl restart ssh
in a root shell.