emberstack / docker-sftp

SFTP Server for Docker

License: MIT License

Dockerfile 2.34% C# 94.14% Mustache 3.51%
docker sftp openssh openssh-server kubernetes helm docker-cli docker-compose secure

docker-sftp's People

Contributors

1ardotno, antoinedeschenes, dependabot-preview[bot], dependabot[bot], mrdonkey07, seanich, winromulus

docker-sftp's Issues

Override config for 1 master User

I am trying to override sftp.json to create a user able to access other users' directories.
My file:
{
    "Global": {
        "Chroot": {
            "Directory": "%h",
            "StartPath": "sftp"
        },
        "Directories": ["sftp"]
    },
    "Users": [
        {
            "Username": "toto",
            "Password": "titi"
        },
        {
            "Username": "master",
            "Password": "password",
            "Chroot": {
                "Directory": "/",
                "StartPath": "/"
            }
        }
    ]
}

If you have a suggestion

Unable to start SFTP Pod on kubernetes

Hi,

After installing the emberstack/sftp Helm chart, the Pod is crashing with the error below. Can you please help me understand what is missing?

019-12-17 14:55:27.094 [INF] (ES.SFTP.Host.Program) Starting host
2019-12-17 14:55:27.398 [INF] (Microsoft.Hosting.Lifetime) Now listening on: http://[::]:80
2019-12-17 14:55:27.401 [DBG] (ES.SFTP.Host.HostedService) Starting
2019-12-17 14:55:27.402 [DBG] (ES.SFTP.Host.Orchestrator) Starting
2019-12-17 14:55:27.428 [FTL] (ES.SFTP.Host.Program) Host terminated unexpectedly
System.IO.FileNotFoundException: Could not find file '/app/config/sssd.conf'.
File name: '/app/config/sssd.conf'
at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirectory, Func`2 errorRewriter)
at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode)
at System.IO.FileStream.OpenHandle(FileMode mode, FileShare share, FileOptions options)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
at System.IO.FileSystem.CopyFile(String sourceFullPath, String destFullPath, Boolean overwrite)
at System.IO.File.Copy(String sourceFileName, String destFileName, Boolean overwrite)
at ES.SFTP.Host.Orchestrator.ConfigureAuthentication() in /src/ES.SFTP.Host/Orchestrator.cs:line 92
at ES.SFTP.Host.Orchestrator.Start() in /src/ES.SFTP.Host/Orchestrator.cs:line 62
at ES.SFTP.Host.HostedService.StartAsync(CancellationToken cancellationToken) in /src/ES.SFTP.Host/HostedService.cs:line 25
at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
at ES.SFTP.Host.Program.Main(String[] args) in /src/ES.SFTP.Host/Program.cs:line 33

Thanks & Regards

Unable to mount GlusterFS PVC with custom user configuration

Hi,

I am trying to add an additional volume which comes from GlusterFS with the default configuration. It works.

But when I try to add a custom configuration, even with the sample file without modifying it, it throws the error RunContainerError.

The error message is below:
Warning Failed 25s kubelet, ip-xx-xx-xx-xx.xx-south-1.compute.internal Error: failed to start container "sftp": Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused "rootfs_linux.go:58: mounting \"/var/lib/kubelet/pods/41572663-5c97-11ea-9ad4-067a0ef083a0/volume-subpaths/sftp-json/sftp/0\" to rootfs \"/var/lib/docker/overlay2/9dc5cc60e7ffee5bd6df43b291b4ee1c4867ff98aac6ae897cd2029ea39776b4/merged\" at \"/var/lib/docker/overlay2/9dc5cc60e7ffee5bd6df43b291b4ee1c4867ff98aac6ae897cd2029ea39776b4/merged/app/config\" caused \"not a directory\""": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
Warning Failed 24s kubelet, ip-x-x-x-x.xx-south-1.compute.internal Error: failed to start container "sftp": Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused "rootfs_linux.go:58: mounting \"/var/lib/kubelet/pods/41572663-5c97-11ea-9ad4-067a0ef083a0/volume-subpaths/sftp-json/sftp/0\" to rootfs \"/var/lib/docker/overlay2/686ee2e095418bac1d040fc4d069628cd8b705514c1946266acdc9d3e62e10ca/merged\" at \"/var/lib/docker/overlay2/686ee2e095418bac1d040fc4d069628cd8b705514c1946266acdc9d3e62e10ca/merged/app/config\" caused \"not a directory\""": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
Normal Pulled 11s (x3 over 25s) kubelet, ip-xx-xx-xx-xx.xx-south-1.compute.internal Container image "emberstack/sftp:2.0.4" already present on machine
Normal Created 11s (x3 over 25s) kubelet, ip-xx-xx-xx-xx.xx-south-1.compute.internal Created container
Warning Failed 11s kubelet, ip-xx-xx-xx-xx.xx-south-1.compute.internal Error: failed to start container "sftp": Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "process_linux.go:402: container init caused "rootfs_linux.go:58: mounting \"/var/lib/kubelet/pods/41572663-5c97-11ea-9ad4-067a0ef083a0/volume-subpaths/sftp-json/sftp/0\" to rootfs \"/var/lib/docker/overlay2/6eb97b75022fa6e565b40bbef27f82f69d6f4cb167a7b2894d4e944d90abfd60/merged\" at \"/var/lib/docker/overlay2/6eb97b75022fa6e565b40bbef27f82f69d6f4cb167a7b2894d4e944d90abfd60/merged/app/config\" caused \"not a directory\""": unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
Warning BackOff 3s (x2 over 4s) kubelet, ip-xx-xx-xx.xx.xx-south-1.compute.internal Back-off restarting failed container

Slack invite Link expired

Hi, I wanted to discuss something with you in Slack regarding the other issue #52, but the invite link is expired.

Additional data drive (Docker)

Hi. As the advanced options instructions are not ready, I am wondering if you can advise.

For a sftp user if you only want to give them read-access to a different directory mounted within that server, what is the optimal way to do this?

e.g. give access to /home/user/pictures/picture5 (and everything underneath picture5)

In this example they would NOT have their "own" sftp space either, so the above is the only data to their access.

Also, is there a way to prevent password changing (think a public distribution site for data)?

(Slowly learning Docker etc, so please "be gentle" with the reply) :)

Multiple users with single persistency

We would like to create multiple users, multiple directories and single persistency. Users should share the directories and the files inside them. But the result was different: the directories were created in every user's folder separately. Could you please help?

Our helm command:
helm install sftp \
  --namespace=sftp \
  --set image.tag=latest \
  --set configuration.Global.Directories="{foldera,folderb,folderc}" \
  --set configuration.Users[0].Username=userx \
  --set configuration.Users[0].Password=abkft \
  --set configuration.Users[0].Chroot=%h \
  --set configuration.Users[1].Username=usery \
  --set configuration.Users[1].Password=iij3j \
  --set configuration.Users[1].Chroot=%h \
  --set storage.volumes[0].name=sftp-data \
  --set storage.volumes[0].persistentVolumeClaim.claimName=pvc-sftp \
  --set storage.volumeMounts[0].name=sftp-data \
  --set storage.volumeMounts[0].mountPath=/home/userx \
  Emberstack/sftp

Unable to configure custom users

Hi guys,
I am bit new with Helm Charts and was giving yours a try.
Installing this chart on a Minikube running in MacOS with the following configuration in the chart values:

configuration:
  Global:
    Chroot:
      Directory: "%h"
      StartPath: "sftp"

    Directories: "sftp"

  Users:
    Username: "demo"
    Password: "demo"

Just trying to reproduce your default configuration (tried other users as well) and all seems fine apart from the fact that when typing the password the login will not work.

This is the config mounted in the container:

root@sftp-646d99b78c-wrq74:/app# cat config/sftp.json 

{
  "Global": {
    "Chroot": {
      "Directory": "%h",
      "StartPath": "sftp"
    },
    "Directories": "sftp"
  },
  "Users": {
    "Password": "demo",
    "Username": "demo"
  }

This is the log message from dmesg:

[55973.919899] audit: type=1112 audit(1590171434.045:478): pid=27807 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=login acct=28696E76616C6964207573657229 exe="/usr/sbin/sshd" hostname=? addr=172.17.0.1 terminal=sshd res=failed'
[55974.845652] audit: type=1109 audit(1590171434.971:479): pid=27807 uid=0 auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=172.17.0.1 addr=172.17.0.1 terminal=ssh res=failed'

Any help appreciated to understand if I am missing something stupid.

Thanks
Marco
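
Added example (not part of the issue or of the project's code): the Linux audit subsystem writes caller-supplied strings such as `acct` either quoted or, when they contain spaces or other unsafe bytes, as bare hex. This sketch decodes the two audit records quoted in the post, which shows what sshd recorded as the account name; the function names and the set of decoded fields are choices made for this example.

```python
import re

# The two audit records from the dmesg output quoted in the post above.
RECORDS = [
    "[55973.919899] audit: type=1112 audit(1590171434.045:478): pid=27807 uid=0 "
    "auid=4294967295 ses=4294967295 subj=kernel msg='op=login "
    "acct=28696E76616C6964207573657229 exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=172.17.0.1 terminal=sshd res=failed'",
    "[55974.845652] audit: type=1109 audit(1590171434.971:479): pid=27807 uid=0 "
    "auid=4294967295 ses=4294967295 subj=kernel msg='op=PAM:bad_ident grantors=? "
    "acct=\"?\" exe=\"/usr/sbin/sshd\" hostname=172.17.0.1 addr=172.17.0.1 "
    "terminal=ssh res=failed'",
]

# Fields that hold caller-supplied strings (assumption for this example: only
# these are candidates for hex decoding, so numeric fields such as auid are
# never misread as hex).
STRING_FIELDS = {"acct", "exe", "comm", "cmd"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-F]{2})+")


def decode_value(name, raw):
    """Return the readable form of one audit field value."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]                      # plain string, written quoted
    if name in STRING_FIELDS and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw                                # numbers, '?', addresses


def parse_user_msg(record):
    """Parse the key=value pairs inside the msg='...' part of a record."""
    match = re.search(r"msg='(.*)'", record)
    if not match:
        return {}
    return {k: decode_value(k, v) for k, v in FIELD_RE.findall(match.group(1))}


def failed_logins(records):
    """List (operation, account, source address) for every failed event."""
    events = []
    for record in records:
        fields = parse_user_msg(record)
        if fields.get("res") == "failed":
            events.append((fields.get("op"), fields.get("acct"), fields.get("addr")))
    return events


if __name__ == "__main__":
    for op, acct, addr in failed_logins(RECORDS):
        print(f"{op:15} acct={acct!r:18} from {addr}")
```

The first record's `acct` decodes to `(invalid user)`: sshd did not find an account with the name that was typed, so the attempt failed before any password comparison.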

Huge amount of zombie processes coming from failed login attempts

For every failed connection attempt, there seems to be a new zombie process, which eventually kills my host, because there are no free PIDs left. For now, I'm restarting the container every day to avoid this issue, but if this could get fixed, that would be great!

This is version 2.1.14

Thanks!

Custom GID being ignored

Hello,
this is the problem:
When I set a custom GID (33) and I create a new file with the sftp client, that file gets created with the group 1001.
On the other hand, the custom UID works: the file gets created with the owner that is set in the config (33).

this is my config file:

{
    "Global": {
        "Chroot": {
            "Directory": "%h",
            "StartPath": "sftp"
        },
        "Directories": ["sftp"]
    },
    "Users": [
        {
            "Username": "user",
            "Password": "pass",
            "UID": "33",
            "GID": "33"
        }
    ]
}

password is in plaintext - default or advanced configuration

Hi, it's a feature request.

Now when we set a custom username and password in the configuration section, the username and password go in plain text. Is there any way to configure them as a secret? If not, how do we store an encrypted password using configuration.Users[].PasswordIsEncrypted?

Even though it's SFTP, why do we need to keep the username and password in plain text?

Support OpenShift

Docker-sftp doesn't work inside pod on Openshift 4

I get the exception below during docker-sftp start on Openshift 4 (but it works fine on Openshift 3):

2020-09-15 12:17:05.747 [INF] (ES.SFTP.Host.Program) Starting host
2020-09-15 12:17:06.091 [WRN] (Microsoft.AspNetCore.Server.Kestrel) Overriding address(es) 'http://+:80'. Binding to endpoints defined in UseKestrel() instead.
2020-09-15 12:17:06.100 [INF] (Microsoft.Hosting.Lifetime) Now listening on: http://0.0.0.0:25080
2020-09-15 12:17:06.101 [DBG] (ES.SFTP.Host.HostedService) Starting
2020-09-15 12:17:06.102 [DBG] (ES.SFTP.Host.Orchestrator) Starting
2020-09-15 12:17:06.153 [FTL] (ES.SFTP.Host.Program) Host terminated unexpectedly
System.UnauthorizedAccessException: Access to the path '/etc/sssd/sssd.conf' is denied.
---> System.IO.IOException: Permission denied
--- End of inner exception stack trace ---
at Interop.ThrowExceptionForIoErrno(ErrorInfo errorInfo, String path, Boolean isDirectory, Func`2 errorRewriter)
at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String path, OpenFlags flags, Int32 mode)
at System.IO.FileStream.OpenHandle(FileMode mode, FileShare share, FileOptions options)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options)
at System.IO.FileSystem.CopyFile(String sourceFullPath, String destFullPath, Boolean overwrite)
at System.IO.File.Copy(String sourceFileName, String destFileName, Boolean overwrite)
at ES.SFTP.Host.Orchestrator.ConfigureAuthentication() in /src/ES.SFTP.Host/Orchestrator.cs:line 93
at ES.SFTP.Host.Orchestrator.Start() in /src/ES.SFTP.Host/Orchestrator.cs:line 63
at ES.SFTP.Host.HostedService.StartAsync(CancellationToken cancellationToken) in /src/ES.SFTP.Host/HostedService.cs:line 25
at Microsoft.Extensions.Hosting.Internal.Host.StartAsync(CancellationToken cancellationToken)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
at Microsoft.Extensions.Hosting.HostingAbstractionsHostExtensions.RunAsync(IHost host, CancellationToken token)
at ES.SFTP.Host.Program.Main(String[] args) in /src/ES.SFTP.Host/Program.cs:line 33

Can I somehow configure docker-sftp to store all its files inside the "/tmp" directory? It seems that in Openshift 4 there are rights to create and edit files only inside the "/tmp" directory.

hooks not running

Hello,

The hooks are not running on Pod startup with the latest version of the Helm charts.

Config section on values.yaml

  Global:
    Hooks:
      - OnServerStartup:
          - onStartup.sh : |
              #!/bin/bash
              echo "SSH service startup hook completed."

startup logs

2020-12-30 12:18:02.513 [INF] (ES.SFTP.Host.Program) Starting host
2020-12-30 12:18:03.083 [WRN] (Microsoft.AspNetCore.Server.Kestrel) Overriding address(es) 'http://+:80'. Binding to endpoints defined in UseKestrel() instead.
2020-12-30 12:18:03.098 [INF] (Microsoft.Hosting.Lifetime) Now listening on: http://0.0.0.0:25080
2020-12-30 12:18:03.099 [DBG] (ES.SFTP.Host.Configuration.ConfigurationService) Starting
2020-12-30 12:18:03.103 [DBG] (ES.SFTP.Host.Configuration.ConfigurationService) Validating and updating configuration
2020-12-30 12:18:03.116 [INF] (ES.SFTP.Host.Configuration.ConfigurationService) Configuration contains '6' user(s)
2020-12-30 12:18:03.117 [INF] (ES.SFTP.Host.Configuration.ConfigurationService) Started
2020-12-30 12:18:03.119 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Starting
2020-12-30 12:18:03.119 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Stopping SSSD service
2020-12-30 12:18:03.138 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Applying SSSD configuration
2020-12-30 12:18:03.143 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Installing PAM hook
2020-12-30 12:18:03.178 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Restarting SSSD service
2020-12-30 12:18:03.286 [INF] (ES.SFTP.Host.Security.AuthenticationService) Started
2020-12-30 12:18:03.288 [DBG] (ES.SFTP.Host.Security.UserManagementService) Starting
2020-12-30 12:18:03.288 [DBG] (ES.SFTP.Host.Security.UserManagementService) Ensuring '/home' directory exists and has correct permissions
2020-12-30 12:18:03.290 [DBG] (ES.SFTP.Host.Security.UserManagementService) Ensuring group 'sftp-user-inventory' exists
2020-12-30 12:18:03.293 [INF] (ES.SFTP.Host.Security.UserManagementService) Creating group 'sftp-user-inventory'
2020-12-30 12:18:03.369 [INF] (ES.SFTP.Host.Security.UserManagementService) Synchronizing users and groups
2020-12-30 12:18:03.373 [INF] (ES.SFTP.Host.Security.UserManagementService) Processing user 'user1'
2020-12-30 12:18:03.376 [DBG] (ES.SFTP.Host.Security.UserManagementService) Creating user 'user1'
2020-12-30 12:18:03.480 [DBG] (ES.SFTP.Host.Security.UserManagementService) Adding user 'user1' to 'sftp-user-inventory'
2020-12-30 12:18:03.509 [DBG] (ES.SFTP.Host.Security.UserManagementService) Updating the password for user 'user1'
2020-12-30 12:18:03.534 [DBG] (ES.SFTP.Host.Security.UserManagementService) Updating the UID for user 'user1'
2020-12-30 12:18:03.650 [DBG] (ES.SFTP.Host.Security.UserManagementService) Creating group 'sftp-gid-1001' with GID '1001'
2020-12-30 12:18:03.678 [DBG] (ES.SFTP.Host.Security.UserManagementService) Adding user 'user1' to 'sftp-gid-1001'
2020-12-30 12:18:04.690 [INF] (ES.SFTP.Host.Security.UserManagementService) Started
2020-12-30 12:18:04.692 [DBG] (ES.SFTP.Host.SSH.SSHService) Starting
2020-12-30 12:18:04.701 [DBG] (ES.SFTP.Host.SSH.SSHService) Updating host key files
2020-12-30 12:18:04.702 [DBG] (ES.SFTP.Host.SSH.SSHService) Generating host key file '/etc/ssh/keys/ssh_host_ed25519_key'
2020-12-30 12:18:04.709 [DBG] (ES.SFTP.Host.SSH.SSHService) Generating host key file '/etc/ssh/keys/ssh_host_rsa_key'
2020-12-30 12:18:05.530 [DBG] (ES.SFTP.Host.SSH.SSHService) Copying '/etc/ssh/keys/ssh_host_ed25519_key' to '/etc/ssh/ssh_host_ed25519_key'
2020-12-30 12:18:05.534 [DBG] (ES.SFTP.Host.SSH.SSHService) Copying '/etc/ssh/keys/ssh_host_rsa_key' to '/etc/ssh/ssh_host_rsa_key'
2020-12-30 12:18:05.536 [DBG] (ES.SFTP.Host.SSH.SSHService) Copying '/etc/ssh/keys/ssh_host_ed25519_key.pub' to '/etc/ssh/ssh_host_ed25519_key.pub'
2020-12-30 12:18:05.539 [DBG] (ES.SFTP.Host.SSH.SSHService) Copying '/etc/ssh/keys/ssh_host_rsa_key.pub' to '/etc/ssh/ssh_host_rsa_key.pub'
2020-12-30 12:18:05.566 [INF] (ES.SFTP.Host.SSH.SSHService) Starting 'sshd' process
2020-12-30 12:18:05.576 [INF] (ES.SFTP.Host.SSH.SSHService) Started
2020-12-30 12:18:05.576 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Server listening on 0.0.0.0 port 22.
2020-12-30 12:18:05.576 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Server listening on :: port 22.

Passwords in plain text?

First of all, thank you for this useful image.

My only concern is if there is a workaround to store the password differently as it is stored in plain text on /app/config/sftp.json?

Thanks in advance,
William.

Documentation - PublicKeys

With SFTP we would like to connect to the FTP server using an SSH key file. Reading README.md gives us no instructions on how to configure a key for the demo user to connect.

Please share if you know how, thank you!

UIDs/GIDs could be mis-matched from container and host

Due to auto-creation of UIDs and GIDs in the container, permissions could be incorrectly mapped when files are persisted on the host.

Consider this example:

Host has the following users and groups

UID   Name
1000  root
1001  admin1
1002  admin2
1003  user1
1004  user2

GID   Name
1000  root
1001  admin_grp
1002  user_grp

If this container is launched with a config specifying 2 users like this:

"Users": [
        {
            "Username": "user1",
            "Password": "pass1"
        },
        {
            "Username": "user2",
            "Password": "pass2"
        }
    ]

Then the container will contain the following groups:

GID Name
1000 sftp-user-inventory
1001 user1
1002 user2

Files created by user1 in the container will be owned by admin1:admin_grp on the host.
Files created by user2 in the container will be owned by admin2:user_grp on the host.
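
Added example (not from the issue or the project's code): a check that resolves the container's numeric IDs against the host's passwd and group databases, reproducing the ownership outcome described above, and then proposes pinned `UID` values. The passwd/group text is constructed from the tables in the issue (home directories, shells and primary GIDs are filler), the container UIDs 1001 and 1002 are inferred from the stated outcome, and the `UID` config field is assumed to behave as in the other configurations shown on this page.

```python
def parse_getent(text):
    """Map numeric id -> name from passwd- or group-format lines (name:x:id:...)."""
    ids = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        ids[int(fields[2])] = fields[0]
    return ids


# Constructed from the host tables in the issue.
HOST_PASSWD = """
root:x:1000:1000::/root:/bin/sh
admin1:x:1001:1001::/home/admin1:/bin/sh
admin2:x:1002:1001::/home/admin2:/bin/sh
user1:x:1003:1002::/home/user1:/bin/sh
user2:x:1004:1002::/home/user2:/bin/sh
"""
HOST_GROUP = """
root:x:1000:
admin_grp:x:1001:
user_grp:x:1002:
"""

# (name, uid, gid) as auto-created inside the container. GIDs come from the
# container group table in the issue; UIDs are inferred from its outcome.
CONTAINER_USERS = [("user1", 1001, 1001), ("user2", 1002, 1002)]


def host_view(container_users, host_uids, host_gids):
    """Show how the host resolves files written by each container user."""
    rows = []
    for name, uid, gid in container_users:
        owner = host_uids.get(uid)
        group = host_gids.get(gid)
        rows.append({
            "user": name,
            # Unmapped ids stay numeric, as `ls -l` would print them.
            "host_owner": f"{owner or uid}:{group or gid}",
            "mismatch": owner not in (None, name) or group not in (None, name),
        })
    return rows


def pin_uids(users, host_uids):
    """Return config user entries with "UID" set to the same-named host account.

    GID is left alone: which host group should own the files is a policy
    decision, not something a name match can settle.
    """
    by_name = {name: uid for uid, name in host_uids.items()}
    pinned = []
    for user in users:
        entry = dict(user)
        if entry["Username"] in by_name:
            entry["UID"] = str(by_name[entry["Username"]])
        pinned.append(entry)
    return pinned


if __name__ == "__main__":
    uids, gids = parse_getent(HOST_PASSWD), parse_getent(HOST_GROUP)
    for row in host_view(CONTAINER_USERS, uids, gids):
        print(row)
    print(pin_uids([{"Username": "user1", "Password": "pass1"}], uids))
```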

Documentation - Preserve SSH keys

At the moment the container gets a new SSH key on every creation. To preserve the SSH key, it's necessary to mount /etc/ssh. As this seems to be possible, I would like to see this as an official option in the documentation.

Example of the mounted ssh dir:
[image]

Not producing helm deployment from updated Users list.

It seems that the Helm package version doesn't update values and trigger pod deployment properly. I am trying to update the user list through my values.yaml file. When run with '-f values.yaml' with the updated user list, it does pick up the new user list when I examine it with 'helm get values', but the pod was not replaced and deployed with the new users. Will I need to comment out my changes in the values YAML file to get the new pod created with the default 'demo' user first, and then update my user list again to create all my SFTP user accounts?

It is as if it only refreshes the deployment when configuration/users changes from 'null' but NOT on updating members? I also noticed that when I tried producing a new Helm release with updated 'configuration\users', it always issues a warning of

coalesce.go:160: warning: skipped value for configuration: Not a table.

Is there something wrong with detecting changes in YAML array data type like

configuration:
  Users:
    - Username: demo1
      Password: "demo1"
    - Username: demo2
      Password: "demo2"

Above should be properly indented for YAML.

custom Directory not working

Here is my configuration file.
{
    "Global": {
        "Chroot": {
            "Directory": "%h",
            "StartPath": "sftp"
        },
        "Directories": ["sftp"]
    },
    "Users": [
        {
            "Username": "demo",
            "Password": "demo"
        },
        {
            "Username": "test",
            "Password": "test1234",
            "Chroot": {
                "Directory": "/data/assets",
                "StartPath": "sftp"
            }
        }
    ]
}

FYI, the following works:

{
    "Global": {
        "Chroot": {
            "Directory": "%h",
            "StartPath": "sftp"
        },
        "Directories": ["sftp"]
    },
    "Users": [
        {
            "Username": "demo",
            "Password": "demo"
        },
        {
            "Username": "test",
            "Password": "test1234",
            "Chroot": {
                "Directory": "/data",
                "StartPath": "assets"
            }
        }
    ]
}

I want to make the base directory /data/assets, not /data.

[Analysis] sshd - Random SIGTERM and disconnects on QNAP

Running the Docker on a QNAP NAS (Container Station)

The problem is that when I connect with my user from Acronis Backup and start a backup job, the backup runs for a few minutes and after that it fails with a network error:

either with sshd - Received signal 15; terminating
or just

2020-07-14 06:50:24.878 [WRN] (ES.SFTP.Host.SSH.SSHService) 'sshd' process has stopped. Restarting process.
2020-07-14 06:50:24.878 [DBG] (ES.SFTP.Host.SSH.SSHService) Stopping 'sshd' process
2020-07-14 06:50:24.880 [INF] (ES.SFTP.Host.SSH.SSHService) Stopped 'sshd' process

Does anyone have a hint or tip for me?

Actions logging

I need logs related to SFTP actions, for example: rename, delete, upload, etc.
Is there any way to get these types of logs?

Nodeport can not be set

In service.yaml the service type NodePort can be set. However, this will assign a random port.
In order to specify a fixed port within the allowed port range it is required to set the nodePort in the values.yaml and render it in the template (see https://kubernetes.io/docs/concepts/services-networking/service/#nodeport).

values.yaml:

service:
  type: NodePort
  nodePort: 32222

service.yaml:

  ports:
    - port: {{ .Values.service.port }}
      targetPort: ssh
      protocol: TCP
      name: ssh
      {{- if .Values.service.nodePort }}
      nodePort: {{ .Values.service.nodePort }}
      {{- end }}

Does this work with Azure Files under AKS?

Hello,

I'm currently trying to make atmoz/sftp containers work, which fail to work without each user having its own Azure File share mounted into their respective home directory (/home/user1, /home/user2). If I try to use a single share mounted as /Home then I'm getting a bad ownership or modes for chroot directory component "/home/" error when trying to authorize. Is it an SFTP issue and not worth trying with this implementation since it will end up with the same issue, or is it doable?

Issue with Azure Files mount

Is there a solution for using Azure Files mount in AKS? Getting error below when trying to
sshd - bad ownership or modes for chroot directory component "/home/". Config is below

      containers:
        - name: sftp
          # change this
          image: emberstack/sftp:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 22
          volumeMounts:
            - name: sftp-config
              mountPath: "/app/config/sftp.json"
              subPath: sftp.json
              readOnly: true
            - name: sftp
              mountPath: "/home/"
              readOnly: false
      volumes:
        - name: sftp
          azureFile:
            secretName: fileshare-secret
            shareName: sftp
            readOnly: false
        - name: sftp-config
          secret:
            defaultMode: 0600
            secretName: sftp-secret
            items:
              - key: sftp.json
                path: sftp.json

[Not a problem] Warning while creating user with ro folder bound on /home/user/sftp

I created the user public inside sftp.json and bound the volume on docker run with this option: -v /host/Public:/home/public/sftp:ro \

Please note the :ro option.

After running it, in the log of the container I find this exception

2020-05-14 22:18:38.292 [INF] (ES.SFTP.Host.Orchestrator) Processing user 'public'
2020-05-14 22:18:38.301 [DBG] (ES.SFTP.Host.Orchestrator) Creating user 'public'
2020-05-14 22:18:38.994 [DBG] (ES.SFTP.Host.Orchestrator) Adding user 'public' to 'sftp-user-inventory'
2020-05-14 22:18:39.127 [DBG] (ES.SFTP.Host.Orchestrator) Updating the password for user 'public'
2020-05-14 22:18:39.326 [WRN] (ES.SFTP.Host.Orchestrator) Exception occured while setting permissions for '/home/public/sftp'
System.Exception: Process failed with exit code '1.
chown: changing ownership of '/home/public/sftp': Read-only file system'
   at ES.SFTP.Host.Business.Interop.ProcessUtil.QuickRun(String filename, String arguments, Boolean throwOnError) in /src/ES.SFTP.Host/Business/Interop/ProcessUtil.cs:line 42
   at ES.SFTP.Host.Orchestrator.PrepareUserForSftp(String username) in /src/ES.SFTP.Host/Orchestrator.cs:line 396
2020-05-14 22:18:39.448 [INF] (ES.SFTP.Host.Orchestrator) Starting 'sshd' process

Is there any other way to set a read only folder for a user?
Am I doing something wrong?

Mount issue

I am trying to mount a local directory with a structure as follows:
test/
-a/
-b/
--c/

Using the default configurations, I am starting my container like so:
docker run -p 22:22 emberstack/sftp --name sftp -v ./test:/home/demo/sftp

Everything spins up nicely but when I sftp into my demo user, the expected test/ directory structure is nowhere to be seen. What am I doing wrong?

Connection randomly succeeds in big Kubernetes cluster

The sftp connection succeeds randomly when the chart is used in a big Kubernetes cluster. This is very reproducible. It succeeds in less than 50% of cases.

Here are the logs:

$ sftp -v -P 222 XXXXX@YYYYYY                                                                                                                                                                              
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/louisjulien/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to YYYYY port 222.
debug1: Connection established.
debug1: identity file /Users/louisjulien/.ssh/id_rsa type 0
debug1: identity file /Users/louisjulien/.ssh/id_rsa-cert type -1
debug1: identity file /Users/louisjulien/.ssh/id_dsa type -1
debug1: identity file /Users/louisjulien/.ssh/id_dsa-cert type -1
debug1: identity file /Users/louisjulien/.ssh/id_ecdsa type -1
debug1: identity file /Users/louisjulien/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/louisjulien/.ssh/id_ed25519 type -1
debug1: identity file /Users/louisjulien/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/louisjulien/.ssh/id_xmss type -1
debug1: identity file /Users/louisjulien/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1

When it succeeds, it is followed by

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to YYYY:222 as 'XXX'
...[truncated]

When it fails, it is followed by

kex_exchange_identification: Connection closed by remote host
Connection closed

It happens when connecting from both outside and inside the docker or cluster.

It turns out it is due to MaxStartups being too low. In fact, Kubernetes opens lots of connections to check that the SFTP is still up. As the connection pool is quite small by default (10), new connections are rejected most of the time.
https://man7.org/linux/man-pages/man5/sshd_config.5.html
This has been confirmed by changing MaxStartups inside the config file in the docker and sending a SIGHUP to sshd.

Here are the logs to get an idea of the load.

2021-01-25 12:23:36.059 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.29 port 7512
2021-01-25 12:23:36.324 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.244.17.1 port 58670
2021-01-25 12:23:36.421 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.8 port 38032
2021-01-25 12:23:36.476 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.31 port 21439
2021-01-25 12:23:36.736 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.25 port 1420
2021-01-25 12:23:37.130 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.18 port 47016
2021-01-25 12:23:37.427 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.17 port 2353
2021-01-25 12:23:37.506 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.7 port 38729
2021-01-25 12:23:38.109 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.244.17.1 port 32443
2021-01-25 12:23:38.241 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.32 port 8374
2021-01-25 12:23:38.313 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.24 port 63714
2021-01-25 12:23:38.520 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.6 port 30649
2021-01-25 12:23:39.422 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.19 port 32828
2021-01-25 12:23:39.799 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.33 port 48112
2021-01-25 12:23:40.471 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.22 port 23678
2021-01-25 12:23:40.633 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.28 port 4

Would it be possible to add MaxStartups as an option to the Helm charts? It seems not to be possible currently. Maybe it is worth adding other options at the same time. Propagating environment variables could also be an option.
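
Added example (not part of the issue or the project's code): a model of the `MaxStartups start:rate:full` rule from sshd_config(5), under which sshd begins refusing new connections once `start` unauthenticated connections are open, together with a counter for the probe connections seen in log lines like those in the post. OpenSSH's documented default of `10:30:100` is used; the function names are made up for this example and the sample lines follow the format of the excerpt above.

```python
import re
from collections import Counter

# Sample input in the format of the sshd log excerpt in the post.
SAMPLE_LOG = [
    "2021-01-25 12:23:36.059 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.29 port 7512",
    "2021-01-25 12:23:36.324 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.244.17.1 port 58670",
    "2021-01-25 12:23:36.421 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.8 port 38032",
    "2021-01-25 12:23:36.476 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.31 port 21439",
    "2021-01-25 12:23:36.736 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.25 port 1420",
    "2021-01-25 12:23:37.130 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.1.1.18 port 47016",
    "2021-01-25 12:23:38.109 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Did not receive identification string from 10.244.17.1 port 32443",
    "2021-01-25 12:23:38.200 [INF] (ES.SFTP.Host.SSH.SSHService) unrelated line",
]

PROBE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ .*"
    r"sshd - Did not receive identification string from (\S+) port (\d+)"
)


def parse_max_startups(value):
    """Parse 'start:rate:full'; a bare 'N' is a hard limit of N."""
    parts = [int(p) for p in value.strip().split(":")]
    if len(parts) == 1:
        return parts[0], 100, parts[0]
    if len(parts) != 3:
        raise ValueError(f"expected start:rate:full, got {value!r}")
    start, rate, full = parts
    if not (0 < start <= full and 1 <= rate <= 100):
        raise ValueError(f"invalid MaxStartups {value!r}")
    return start, rate, full


def drop_percent(unauthenticated, max_startups="10:30:100"):
    """Chance (0-100) that the next connection is refused.

    Below `start` nothing is dropped; at `start` the chance is `rate` percent
    and rises linearly to 100 percent at `full` (integer arithmetic).
    """
    start, rate, full = parse_max_startups(max_startups)
    if unauthenticated < start:
        return 0
    if unauthenticated >= full or rate == 100:
        return 100
    return rate + (100 - rate) * (unauthenticated - start) // (full - start)


def probe_load(lines):
    """Count connections that never sent an SSH identification string."""
    per_second, sources = Counter(), Counter()
    for line in lines:
        match = PROBE_RE.match(line)
        if match:
            per_second[match.group(1)] += 1
            sources[match.group(2)] += 1
    return {
        "connections": sum(sources.values()),
        "sources": len(sources),
        "peak_per_second": max(per_second.values(), default=0),
    }


if __name__ == "__main__":
    print(probe_load(SAMPLE_LOG))
    for pending in (5, 10, 30, 55, 100):
        print(f"{pending:3d} pending -> default {drop_percent(pending):3d}%, "
              f"200:30:400 {drop_percent(pending, '200:30:400'):3d}%")
```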

[Analysis] UID is fine, but different GID is used on uploaded files

Hi,

When I upload files in the standard configuration, the files are set to uid/gid 1000:1001. I changed the json config to use 444:444 instead, but when I upload files they get 444:1001. Why is the gid ignored, please?

My config:

cat /etc/sftp/sftpamsnor.json
{
    "Global": {
        "Chroot": {
            "Directory": "%h",
            "StartPath": "upload"
        },
        "Directories": ["upload"]
    },
    "Users": [
        {
            "Username": "amsnor",
            "Password": "xxyyzz",
            "UID": "444",
            "GID": "444"
        }
    ]
}
cat /etc/init.d/sftpamsnor.sh
#!/bin/bash
#
# Start docker container for amsnor sftp upload
#

docker run \
 -p 10328:22 \
 -d \
 --name sftpamsnor \
 -v /etc/sftp/sftpamsnor.json:/app/config/sftp.json:ro \
 -v /data/nfs/assets/amsnor:/home/amsnor/upload/assets \
 -v /data/nfs/compliance/amsnor:/home/amsnor/upload/compliance \
 -v /data/nfs/schedules/amsnor:/home/amsnor/upload/schedules \
 emberstack/sftp

[Bug] Public key authentication not working in version 3

Hi!

I set up emberstack/sftp as an Azure Container Instance. I tried to configure public key authentication, but as soon as I set the password to "" or null I can't log in anymore.
Here is my configuration:

{
  "Global": {
    "Chroot": {
      "Directory": "%h",
      "StartPath": "sftp"
    },
    "Directories": [
      "sftp"
    ],
    "HostKeys": {
      "Ed25519": "[MY HOST ED25519 PRIVATE KEY]",
      "Rsa": "[MY HOST RSA PRIVATE KEY]"
    }
  },
  "Users": [
    {
      "Username": "myuser",
      "Password": "",
      "PublicKeys": [
        "[MY USER PUBLIC KEY]"
      ]
    }
  ]
}

Log output when using sshfs:

2020-06-19 14:41:05.388 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - PAM: Authentication failure for myuser from 10.240.255.56
2020-06-19 14:41:05.455 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Connection closed by authenticating user myuser 10.240.255.56 port 46479 [preauth]
2020-06-19 14:41:18.675 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - PAM: Authentication failure for myuser from 10.240.255.56
2020-06-19 14:41:20.855 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - PAM: Authentication failure for myuser from 10.240.255.56
2020-06-19 14:41:20.895 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Postponed keyboard-interactive for myuser from 10.240.255.56 port 59492 ssh2 [preauth]
2020-06-19 14:41:23.242 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - PAM: Authentication failure for myuser from 10.240.255.56
2020-06-19 14:41:23.589 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Failed none for myuser from 10.240.255.56 port 59492 ssh2
2020-06-19 14:41:24.117 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Failed password for myuser from 10.240.255.56 port 59492 ssh2
2020-06-19 14:41:24.126 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - maximum authentication attempts exceeded for myuser from 10.240.255.56 port 59492 ssh2 [preauth]
2020-06-19 14:41:24.126 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Disconnecting authenticating user myuser 10.240.255.56 port 59492: Too many authentication failures [preauth]

When I use Filezilla, more or less the same thing happens.

EDIT: shortened log

Folder created with root

Impossible to add file because folders have been created by root in my KUBERNETES cluster

root

# Default values for sftp.
replicaCount: 1
image:
  repository: emberstack/sftp
  pullPolicy: Always

configuration:
  Users:
    - Username: "foo"
      Password: "pass"
      Chroot: "%h"
      StartPath: "IOTA"
      Directories: ["exo"]

  Global:
    #Chroot:
    #  StartPath: "IOTA"
    Directories:
      - "IOTA/IN"
      - "IOTA/OK"
      - "IOTA/KO"
      - "IOTA/LOG"

storage:
  volumeMounts:
    - name: sftp-data
      mountPath: /home/foo/IOTA
  volumes:
    - name: sftp-data
      persistentVolumeClaim:
        claimName: sftp-data-pvc
service:
  type: ClusterIP
  port: 22
resources:
  limits:
    cpu: 400m
    memory: 300Mi
  requests:
    cpu: 100m
    memory: 128Mi

Permission issue

I have my user set : USER
I mount in the container a folder from my disk : -v /home/USER:/mnt/user/share/SFTP
My folder /mnt/user/share is also accessed locally by Samba

When I start the emberstack/docker-sftp container, it is changing the permissions of my folder /mnt/user/share/SFTP to 711 with owner root:root so it is not accessible anymore through Samba.

How can I force which user the container is running as? (so I can set it to be my Samba user)
or
How can I set the permissions to remain unchanged or force them to 777 or 755?

Enhancement: Generate sftp.json if not supplied

At the moment it is needed to mount the config file as follows:

-v /host/sftp.json:/app/config/sftp.json:ro

Problem: Docker will create an empty dir named "sftp.json/" if the file is not present.

Instead I would like to see mounting the config dir:

-v /host/config/:/app/config/:rw

And if no sftp.json is present, it should create an example of sftp.json and sssd.conf in this dir.

By that it would be easier to use this container.
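
A pre-flight check for the file that gets bind-mounted to /app/config/sftp.json, added here as an example and not part of the issue or the project's code: it catches the empty-directory case described above and flags accounts with no credential or a chroot of `/`. The function names, the sample users and the assumption that a per-user Chroot overrides Global.Chroot are assumptions of this example.

```python
import json
import os
import tempfile

# Constructed sample, modelled on the configs quoted in the issues on this page.
SAMPLE = {
    "Global": {"Chroot": {"Directory": "%h", "StartPath": "sftp"}, "Directories": ["sftp"]},
    "Users": [
        {"Username": "alice", "Password": "", "PublicKeys": ["ssh-ed25519 AAAA... constructed"]},
        {"Username": "bob", "Password": ""},
        {"Username": "master", "Password": "example", "Chroot": {"Directory": "/", "StartPath": "/"}},
    ],
}


def audit_sftp_config(path):
    """Return (subject, finding) pairs for the file that will be mounted as sftp.json."""
    if os.path.isdir(path):
        # Docker creates an empty directory when a bind-mount source file is absent.
        return [("file", "path is a directory, not a file")]
    try:
        with open(path, encoding="utf-8") as fh:
            cfg = json.load(fh)
    except (OSError, ValueError) as exc:  # missing file, bad encoding, invalid JSON
        return [("file", f"cannot load config: {exc}")]
    if not isinstance(cfg, dict):
        return [("file", "top-level JSON value is not an object")]
    findings = []
    glob = cfg.get("Global")
    global_chroot = glob.get("Chroot") if isinstance(glob, dict) else None
    for user in (u for u in cfg.get("Users") or [] if isinstance(u, dict)):
        name = user.get("Username") or "<unnamed>"
        if not user.get("Password") and not user.get("PublicKeys"):
            findings.append((name, "no password and no public key"))
        # Assumption: a per-user Chroot takes precedence over Global.Chroot.
        chroot = user.get("Chroot") or global_chroot
        if isinstance(chroot, dict) and chroot.get("Directory") == "/":
            findings.append((name, "chroot directory is /"))
    return findings


def audit_sample():
    """Write SAMPLE to a temporary file and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sftp.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE, fh)
        return audit_sftp_config(path)
```

Run it against the host path before `docker run`; an empty result means none of the three conditions were found, not that the configuration is otherwise correct.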

Multiple users access

Hello, I discovered this nice server; unfortunately the advanced configuration is not written now.

How can I add another user with a different path access?

[Question] Permission denied using default configuration

Hi,

I'm trying to change default login/password using Helm. I use this values file :

configuration:
  Users:
    - Username : toto
      Password : toto

I can log in, but when I try to create a directory, I get:
sftp> mkdir test
Couldn't create directory: Permission denied

What stupid mistake did I make?

Thanks

This service allows sftp connections only

I'm trying to use scp to copy files to the container, but it fails with this error:

Is there any way to reconfigure the sshd server to allow SSH connections?

Thanks in advance.

Service stopped when closing session

I started using docker-sftp with docker-compose last week. It works well, thanks for making it!
However, it sometimes stops and I don't understand why. Here is the output of docker-compose logs -f:

sftp_1  | 2021-03-05 10:42:24.615 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Accepted keyboard-interactive/pam for kevin from 172.21.0.1 port 36426 ssh2
sftp_1  | 2021-03-05 10:42:24.709 [DBG] (ES.SFTP.Host.Api.PamEventsController) Received event for user 'kevin' with type 'open_session', sshd
sftp_1  | 2021-03-05 10:42:24.710 [DBG] (ES.SFTP.Host.SSH.SessionHandler) Configuring session for user 'kevin'
sftp_1  | 2021-03-05 10:42:24.724 [INF] (ES.SFTP.Host.SSH.SessionHandler) Session ready for user 'kevin'
sftp_1  | 2021-03-05 10:42:25.026 [DBG] (ES.SFTP.Host.Api.PamEventsController) Received event for user 'kevin' with type 'close_session', sshd
sftp_1  | 2021-03-05 10:42:25.661 [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Accepted keyboard-interactive/pam for kevin from 172.21.0.1 port 36432 ssh2
sftp_1  | 2021-03-05 10:42:25.748 [DBG] (ES.SFTP.Host.Api.PamEventsController) Received event for user 'kevin' with type 'open_session', sshd
sftp_1  | 2021-03-05 10:42:25.750 [DBG] (ES.SFTP.Host.SSH.SessionHandler) Configuring session for user 'kevin'
sftp_1  | 2021-03-05 10:42:25.765 [INF] (ES.SFTP.Host.SSH.SessionHandler) Session ready for user 'kevin'
sftp_1  | 2021-03-05 10:42:26.204 [DBG] (ES.SFTP.Host.Api.PamEventsController) Received event for user 'kevin' with type 'close_session', sshd
sftp_1  | 2021-03-05 14:41:02.441 [DBG] (ES.SFTP.Host.SSH.SSHService) Stopping
sftp_1  | 2021-03-05 14:41:02.441 [DBG] (ES.SFTP.Host.SSH.SSHService) Stopping 'sshd' process
sftp_1  | 2021-03-05 14:41:02.517 [INF] (ES.SFTP.Host.SSH.SSHService) Stopped 'sshd' process
sftp_1  | 2021-03-05 14:41:02.519 [INF] (ES.SFTP.Host.SSH.SSHService) Stopped
sftp_1  | 2021-03-05 14:41:02.521 [DBG] (ES.SFTP.Host.Security.UserManagementService) Stopping
sftp_1  | 2021-03-05 14:41:02.521 [INF] (ES.SFTP.Host.Security.UserManagementService) Stopped
sftp_1  | 2021-03-05 14:41:02.526 [DBG] (ES.SFTP.Host.Security.AuthenticationService) Stopping
sftp_1  | 2021-03-05 14:41:02.593 [INF] (ES.SFTP.Host.Security.AuthenticationService) Stopped
sftp_1  | 2021-03-05 14:41:02.594 [DBG] (ES.SFTP.Host.Configuration.ConfigurationService) Stopping
sftp_1  | 2021-03-05 14:41:02.597 [INF] (ES.SFTP.Host.Configuration.ConfigurationService) Stopped

The sftp.json file :

{
    "Global": {
        "Chroot": {
            "Directory": "%h",
            "StartPath": "sftp"
        },
        "Directories": ["sftp"]
    },
    "Users": [
        {
            "Username": "...",
            "Password": "..."
        },
        {
            "Username": "...",
            "Password": "..."
        }
    ]
}

The docker-compose.yml file :

version: '3'
services:
  sftp:
    image: "emberstack/sftp"
    ports:
      - "2222:22"
    volumes:
      - ./config.sftp.json:/app/config/sftp.json:ro

A few things to note: we have been playing with the firewall lately (some ufw reload commands have been issued), and we have a traefik container running.

Configure which port to run service on.

This is maybe not so much of an Issue, but more like a feature request.

My problem: When running this service in docker I have a clash with another service already running on port 22. Therefore it would be neat to be able to specify which port to start the service on. If there already is a way to do this, I couldn't find any documentation for it so please advise.

From my docker-compose.yaml

```
    image: "emberstack/sftp"
    ports:
     - "2222:2222"
    volumes:
      - ./sftp/config.json:/app/config/sftp.json:ro
```

Output from docker

```
sftp_1              | [INF] (ES.SFTP.Host.SSH.SSHService) Starting 'sshd' process
sftp_1              | [INF] (ES.SFTP.Host.SSH.SSHService) Started
sftp_1              | [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Server listening on 0.0.0.0 port 22.
sftp_1              | [VRB] (ES.SFTP.Host.SSH.SSHService) sshd - Server listening on :: port 22.
```

Even though I specify which port I want to run it on it gets ignored.
