Given this docker-compose.yml file:

version: '2'

services:
  sftp:
    image: atmoz/sftp:latest
    volumes:
      - assets:/home/mi/assets
    command: "mi:pass"
    ports:
      - "2222:22"

volumes:
  assets: {}

I would expect to be able to upload a file to my mounted subdirectory like this:

sftp -P 2222 mi@localhost:/assets
mi@localhost's password: pass
Connected to localhost.
Changing to: /assets
sftp> put Readme.md 
Uploading Readme.md to /assets/Readme.md

but it fails with this:

remote open("/assets/Readme.md"): Permission denied

I'm pretty sure the problem is that the directory I'm uploading is owned by root (uid 0) and not by the user who's trying to upload (mi (uid 1000))...

root@2eac25e867f1:/# ls -an /home/mi/assets/
total 8
drwxr-xr-x 2 0 0 4096 Apr  1 01:29 .
drwxr-xr-x 3 0 0 4096 Apr  1 01:35 ..

root@2eac25e867f1:/# id mi
uid=1000(mi) gid=100(users) groups=100(users)

Problem statement

My question/problem is: How do I get my docker-compose up to start things up so that they work out of the box?

I understand how the user's home directory needs to owned by root for the chroot jail to work and that you have to make docker mount volumes in separate directories inside the user's home directory.

What I don't understand is who the owner of those subdirectories is supposed to be or how you're supposed to get them to be owned by the right person so that things work out of the box.

I know I could mount a host directory as a volume like in the Readme examples and manually change the owner of that host directory.

But,

1. This should be possible with normal, named volumes. (I shouldn't have to mount a specific directory from the host as a volume to get this working.)
2. I shouldn't have to manually change/set the owner of anything on the host in order to be able to use a docker image

I want to be able to just give someone a docker-compose.yml file (like the one above) and have them be able to just docker-compose up (or docker run) and immediately be able to start uploading, without any special config on the host. In other words, have it "just work" out of the box. :) Is this possible?

I'm hoping this can be fixed or the documentation can be updated to show how this is possible.

Further details

docker volumes are all owned by root. I'm not sure that there's any (safe) way to change that (?)...

docker volume inspect project_assets
[
    {
        "Name": "project_assets",
        "Driver": "local",
        "Mountpoint": "/var/lib/docker/volumes/project_assets/_data"
    }
]
sudo ls -nd /var/lib/docker/volumes/project_assets/_data
drwxr-xr-x 2 0 0 4096 Mar 31 18:29 /var/lib/docker/volumes/project_assets/_data

Things I've tried: using uid 0 for sftp user

I saw this in the documentation:

You must set custom UID for your users if you want them to make changes to your mounted volumes with permissions matching your host filesystem.

So I tried this:

    command: "mi:pass:0"

and /etc/password showed this (as if it had worked):

mi:x:0:100::/home/mi:/bin/sh

but I was unable to log in when I did that:

sftp -P 2222 mi@localhost:/assets
mi@localhost's password: pass
Permission denied, please try again.

How i can set the user/password with docker-compose.yml file?

Hy,

I have the same permission problem as in #37 and #16. I know exactly what the problem is and how to fix it, but I would like to fix it in a automatic way (without changing folder permissions in the container manually). The two workaround stated in these issues would work, but for some reason my scripts don't get executed on startup of the container. If I enter the container and launch them manually, they work perfectly fine.
Does this not work with the current version?

is there a way to force user to use ssh keys
PasswordAuthentication no in sshd_config?

on alpine, when using sftp from compose like this:

  sftp:
    command: sftp::323:1000

container fails with groupadd: '1000' is not a valid group name
because of entrypoint line 53:

groupadd --gid $gid $gid

I think there should be a parameter with group name as well.

From inside the container:

# cat /etc/sftp-users.conf
master:XXXX

From outside:

$ sftp [email protected]
[email protected]'s password:
Connected to 1.2.3.4.
sftp> put file.txt
Uploading file.txt to /file.txt
remote open("/file.txt"): Permission denied
sftp> cd share
sftp> put file.txt
Uploading file.txt to /share/file.txt
remote open("/share/file.txt"): Permission denied

Also, scp gives me

This service allows sftp connections only.

which is very unfortunate.

Thank you for your ideas on this.

Hi there,

I'm running the simple example from the website (CentOS 7 host, all updates, latest docker). I've tried both the latest and alpine variants of the image, but can't seem to get the SSHD service to be up and listening.

I'm using the container arguments foo:pass:::upload (without the quotes), and on startup I get:

19/10/2016 22:36:22Creating mailbox file: No such file or directory
19/10/2016 22:36:22Creating and/or setting permissions on /home/foo/upload
19/10/2016 22:36:22Generating public/private ed25519 key pair.

However, SSHD doesnt seem to be running after startup. Specifically if I exec into a bash prompt and trying any of:

• sftp
• ssh (ssh root@localhost / ssh [email protected])

All end up with port 22 connection refused errors. Manually trying to invoke SSHD from /usr/sbin/sshd gives:

• Could not load host key: /etc/ssh/ssh_host_ed25519_key
• Could not load host key: /etc/ssh/ssh_host_rsa_key
• Disabling protocol version 2. Could not load host key
• sshd: no hostkeys available -- exiting.

Any ideas what I've done specifically wrong?

Is it possible to change the location where data is stored from /home/user to some other directory?

This would allow to use the container with a data volume container and run it with --volumes-from. When your share data between containers with a data container it is much easier to keep the data at a defined directory like /mydata.

I've read this bit of the read me:

You must set custom UID for your users if you want them to make changes to your mounted volumes with permissions matching your host filesystem.

I'm still very lost and confused on what exactly this means and how I create a user who has write permissions.

I am attempting to write new files to the server. Any help would be appreciated. Thanks.

When the container is created it will use the sshd private keys from the docker hub image. This breaks the security of this image since anyone can obtain those private keys from the Docker hub.

According to #28, the keys seem to refresh when the docker registry re-builds the image. The problem is that everyone still uses this exact same image. The keys need to be generated when the container is started the first time, e.g. as in https://github.com/phusion/baseimage-docker/blob/9adbd423d071f6b4b0bd8fc7dc92c0654d05812f/image/services/sshd/00_regen_ssh_host_keys.sh .

Reason being that if one is using a volume driver, then I'm bound to creating a volume just for the ssh keys which is a bit overkill in my use case. For instance I use rexray as a driver which creates an Amazon EBS volume regardless of whether I want it to or not, since I want to have the sftp home dir in aws and docker only supports one volume driver per container.

If someone wants to mount in ssh keys they still can, or they can even just override your image.

It seems the SSH mode no longer runs after the recent update -

➜  ~  docker run -v id_rsa.pub:/home/user/.ssh/keys/id_rsa.pub:ro -v share:/home/user/share -p 2222:22 -d atmoz/sftp user::1001
acabcee60c790f25b6a4e7e23e104b31fd9694bab556ce6571ba1268bbc3eb05
➜  ~
➜  ~  docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

When try to do the same in interactive mode it always asks for a password -

➜  ~  docker run -v id_rsa.pub:/home/user/.ssh/keys/id_rsa.pub:ro -v share:/home/user/share -p 2222:22 -i atmoz/sftp user::1001
You must at least provide a username and a password.
Syntax: user:pass[:e][:[uid][:gid]]...
Use --readme for information and examples.

Does this sftp server works on windows server? Or its only for *nix servers?

The problem described here also applies when using atmoz/sftp

the only server-side solution seems to be increasing MaxAuthTries, but i don't think that couldn't be decided commnly. maybe it could be set via an environment variable.

propably it's best to at least have a short paragraph on that issue in the README.md.

unfortunatley setting the identity-file explicitly (sftp -i id_rsa …) doesn't help either. so far i could only manage it by moving all id-files out of ~/.ssh. didn't evaluate another workaround yet.

Would be nice to have tag builds to avoid breaking deploys.

I assume that Debian / openssh-server regularly gets security updates. Right now I’m not sure whether my server will run those when I use your image (although I’d like to, since it looks super-friendly.)

Do you monitor security updates to update the sftp image accordingly? If so, it might be good to mention that in the README. If not, do you have ideas how to do so? One step could already be to make a repository link to the Debian build, so that atmoz/sftp gets updated when the Debian image is updated. But I’m not sure that accounts for updates to openssh-server.

Perhaps an external script could be used to mount --bind specific volumes to subdirs in a user home?

I'm not that familiar with docker files yet, trying to automate the mount --bind to subdirs is proving to be harder then it should be.

Hi,

When container starts, it creates ssh host keys, by asking a passphrase first.
This is a nuance on autodeployment scenarios.

¿Can this be skipped someway?

Thanks

Consider the following:

# cat users.conf
foo2:123:1001
foo:abc:1002

# docker run -v /root/users.conf:/etc/sftp-users.conf:ro -p 2223:22 -d atmoz/sftp`
FATAL: User "foo" already exists.

The check for username uniqueness does not work for substring usernames.

It looks like there currently isn't a license on this project. I'd love to see a permissive license if possible (like the MIT, FPL, etc.), but any license would be great. Cheers!

Not a bug necessarily, but a difficult-to-diagnose pitfall.

If /etc/sftp-users.conf contains any blank lines, container startup fails with the error:
FATAL: You must at least provide a username.

It would be cool if the config script ignored or warned on invalid lines in sftp-users.conf.

Aside from that, thanks for the awesome image! Saved me a ton of time. :)

Thanks for this image. We're using it for functional testing and it's working well. One snag is that connections take a long time. This can be resolved by adding "UseDNS no" to sshd_config.

I appreciate you might not want to hard code this option in sshd_config, but it would be nice if there was a way to specify custom settings. Maybe there is and I'm missing it?

sftp rename fails to move a file from between two folders in the same account. I can create, rename and delete files in both folders in isolation, but cannot move a file from one to another.

sftp> put package.json downloads
Uploading package.json to /downloads/package.json
package.json                                                                                                                                                                                     100% 1440     1.4KB/s   00:00    
sftp> rename downloads/package.json archive/package.json
Couldn't rename file "/downloads/package.json" to "/archive/package.json": Failure
sftp> 

Any ideas?

Hi

when i login to none root user, they can access to all sub folder!
How can i limit this access?

Thanks

Whenever a new version of this image is released and I restart with it, my fingerprint changes for the SFTP host. Is there a way I can keep the fingerprint from changing?

I want to use this with rsync to sync directories. Rsync needs a shell to run a copy on the server, as explained here.

Please consider adding a flag that allows shell in the chroot environment, so Rsync can be used.

Thank you.

I login correctly to container with the command sftp -P 2222 user@ip_container
To sftp shell i get this error:

sftp> put file.sh 
Uploading file.sh to /file.sh
remote open("/file.sh"): Permission denied

I have run the container with docker-compose:

sftp:
 image: atmoz/sftp
 volumes:
  - /host/sftpdata:/home/sftp/share
 ports:
  - "2222:22"
 command: sftp:password:1001

Is there any logging that takes place with this image? I'd like to know who is connecting and trying to connect.

It would be nice to suggest to users that they may want to mount a named volume on /etc/ssh/ to avoid the host key changing every image rebuild.

According to this section of the README, the following should start up a container that allows user foo to log in with password pass and upload files to an upload directory within the container:

Cedar:~ rusterholz$ docker run -d -p 2222:22 atmoz/sftp:alpine foo:pass:::upload
67f7acb1371f3c2006c04c950da6593b6309d2022f4e685af2fd8cf3876b4a13
Cedar:~ rusterholz$ docker ps
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                  NAMES
67f7acb1371f        atmoz/sftp:alpine   "/entrypoint foo:pass"   28 seconds ago      Up 26 seconds       0.0.0.0:2222->22/tcp   big_williams
Cedar:~ rusterholz$

However, the user/pass combination of foo and pass does not work as advertised:

Cedar:~ rusterholz$ sftp foo@localhost:2222
Password:
Password:
Password:
Permission denied (publickey,keyboard-interactive).
Connection closed
Cedar:~ rusterholz$

(Obviously you will just have to take my word for it that I've typed "pass" at each of those three password prompts. Before you ask: yes, I've checked caps lock. 😉)

If this is intended to work as I've used it above, then there is some issue with the entrypoint script not correctly setting up user accounts. If the way I've used this image above is not how this is intended to work, then there is an issue with the README not providing accurate usage information. Either way, this issue is currently making this repository a non-starter for me. How can this be resolved?

I keep getting errors when trying to launch the container with the following commands:

root@localhost ~]# mkdir /mnt/share

root@localhost ~]# mount /dev/sdb1 /mnt/share

[root@localhost ~]# ls -lah /mnt/share/
total 24K
drwxr-xr-x. 3 root root 4.0K Dec 20 12:38 .
drwxr-xr-x. 4 root root 41 Dec 20 13:21 ..
-rw-r--r--. 1 root root 9 Dec 20 12:38 Data-Disk.info
drwx------. 2 root root 16K Dec 20 12:38 lost+found

docker run --name johndoe-sftp
-v /mnt/share:/home/johndoe/share
-p 2222:22
-d atmoz/sftp
'johndoe:pass123:1005:1005'

The container exits immediately.

[root@localhost ~]# docker logs johndoe-sftp
/entrypoint: line 68: /home/johndoe/.ssh/authorized_keys: No such file or directory

If I start the container to inspect the filesystem, I see....

[root@localhost ~]# docker start johndoe-sftp
johndoe-sftp

[root@localhost ~]# docker exec -ti johndoe-sftp ls -lah /home/johndoe
total 12K
drwxr-xr-x. 3 root root 4.0K Dec 20 21:24 .
drwxr-xr-x. 3 root root 4.0K Dec 20 21:24 ..
drwxr-xr-x. 3 root root 4.0K Dec 20 20:38 share

I notice I dont see the hidden ".ssh" folder that is referenced on line 68

[root@localhost ~]# docker exec -ti johndoe-sftp ls -lah /home/johndoe/share
total 28K
drwxr-xr-x. 3 root root 4.0K Dec 20 20:38 .
drwxr-xr-x. 3 root root 4.0K Dec 20 21:24 ..
-rw-r--r--. 1 root root 9 Dec 20 20:38 Data-Disk.info
drwx------. 2 root root 16K Dec 20 20:38 lost+found

[root@localhost ~]# docker exec -ti johndoe-sftp id johndoe
uid=1005(john doe) gid=1005(1005) groups=1005(1005)

[root@localhost ~]# docker exec -ti johndoe-sftp cat /etc/passwd | grep -i "johndoe"
john doe:x:1005:1005::/home/johndoe:/bin/sh

[root@localhost ~]# docker exec -ti johndoe-sftp cat /run/sftp-users.conf
john doe:pass123:1005:1005

What might be going wrong? I am sure this same container worked in the past when I used it last.

Thanks!

Hi we've set up a docker SFTP based on this image and try to login using keypair without password. However, it seems that the public key mapped into the authorized_keys file does not work (I used the interactive CLI to get into the container and the key does exist in the authorized_keys file). Here is what we do -

bash-3.2$ ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/eddiewu/.ssh/id_rsa): id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
79:bc:ef:56:fc:09:30:75:46:ca:fa:c2:f4:0d:37:68 [email protected]
The key's randomart image is:

+--[ RSA 2048]----+
|              .. |
|            ...o |
|            .oo  |
|         o o. .  |
|        S oooE o |
|         .o.+.* .|
|          .o +.o.|
|           .o  ..|
|           oo    |
+-----------------+

bash-3.2$ docker run -v /Users/eddiewu/Docker/ssh/id_rsa.pub:/home/user/.ssh/authorized_keys:ro  -v 
/Users/eddiewu/Docker/share:/home/user/share  -p 2222:22 -d atmoz/sftp user::1001

9d2940d83fe17f43bd9cc6e49f0a6af50722ed00a83b8b32cc60740d9049e48c

bash-3.2$ sftp -P 2222 -i /Users/eddiewu/Docker/ssh/id_rsa [email protected]

The authenticity of host '[192.168.59.103]:2222 ([192.168.59.103]:2222)' can't be established.
RSA key fingerprint is 5b:25:a3:fd:b9:da:5b:31:ab:f8:7a:6d:54:c4:d4:a0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.59.103]:2222' (RSA) to the list of known hosts.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
Permission denied (publickey,password,keyboard-interactive).
Connection closed

Thanks for the container! I wonder if you could add a way to pass SSH key using Docker command line without mounting a file?

Hi, I am looking for log files.
I expected to find a file: /var/log/auth.log, but this file doesn't exists.
Any idea where to see some successful/failure login attempts?

thx

Hi,

Thanks a lot for all your work, your dockerfile just saved me hours of configuring an sftp server!
I use it as part of a bigger pile of dockers, and I'm trying to make my build repeatable by locking the versions I pull for each container.

But I realized you only publish "floating" tags on the docker hub which won't help me "lock" my builds :(

Would you be willing to publish some fixed versions (like 1.2.3) once in a while? Can I assist in any way?

Thanks again,

I'm migrating from an existing sftp solution, and I have permissions the way I want them. I'm bringing in /home wholesale from a docker volume map. I don't want entrypoint to adjust permissions or ownership on any existing directories.

I'll do a quick hotpatch and pull request--take it or leave it, I'm happy to stay forked if your design pattern doesn't agree with my use case. :)

Hi

Are you support SSH?
I want connect to SSH with putty but reject my connection!

This error printed:
This service allows sftp connections only.

Thanks

Hello,

When I ran docker run --rm --name=sftp -p 2222:22 atmoz/sftp foo:pass:::upload on my unRAID server, which comes with Docker 1.7.1, I get the following error:

Accepted password for foo from 192.168.1.22 port 64288 ssh2
bad ownership or modes for chroot directory component "/"

Which is weird, is that this command works on my mac with Docker 1.12.1.

So, no idea if this is docker related. Any idea what's going on here?

Thanks

Hi,

Great image and so useful for us. Thanks! I'm using docker-compose to mount a Wordpress directory trough sftp. I'm trying volumes-from on docker-compose.yml but nothing is appearing on filezilla.

I looked at your instructions about volumes-from and bindmounts. When I execute a shell on sftp container I cannot find /etc/sftp.d/ and I don't know how to add a script there. I tried to mount somewhere on my host /etc/sft.d/ with no luck.

Could you help pointing out, how I can achieve this?

Thanks

Running this container results for me in a segfault when I try to log in:

sshd[7981]: segfault at 0 ip 00000000f746ab84 sp 00000000fffe1b54 error 4 in libc-2.17.so[f7403000+117000]

I ran it like so:

docker run -p 3333:22 atmoz/sftp foo:bar:123

And the client side looks like this:

[srankin@srankin-mac ~ ]$ sftp foo@dockerhost:3333
foo@dockerhost's password:
Connection closed by 192.168.59.103
Connection closed

Docker-compose becoming industry standart tool to run containers.
It would be nice to add docker-compose.yml config to run container in common way

$ docker run \
--name foo-sftp \
-v /var/local/ssh/public/foo.pub:/home/foo/.ssh/keys/foo.pub:ro \
-v /var/local/docker/mnt/foo:/home/foo \
-p 2222:22 -d atmoz/sftp \
'foo:$1$saRoBINg$3dwTxT.mlE03wdkMqoOMu0:e:11001:11000'
504c50bbac66d1108107d95fbe8355e49ccea6240f030e74a63b0fc9e1ac7abe

$ docker restart foo-sftp

$ docker logs foo-sftp
useradd: user 'foo' already exists

Container is stopped because it would again run the "useradd"?

I worked around this by setting:

securityContext: privileged: true

in the Kubernetes container spec to enable docker --privileged, can you comment on the security implications of doing this and are there any other workarounds for mount --bind that don't require --privileged?

Thanks

Hi,

Looking at entrypoint script, when one does not provide the password for a user, his password is autogenerated. It's clever, but it's not what the "correct" behaviour.

¿Can this be replaced with a password locked (I use keys, but having an open password is not security compilant)?

Thanks

Is there a way to add new user to /etc/sftp-users.confonce the container already exists?
It seems that users are created only at first run:
https://github.com/atmoz/sftp/blob/master/entrypoint#L87-L121

We could imagine that users are created on each container start:

• if user does not exist, it creates & configure it
• if user already exists, it does nothing

So just got this up and running on one of my production sites for a customer.

Only issue I've seen is that the gui token doesn't seem to have any effect on the effective gui of the user. Seems to default to 1000?

Otherwise things work great!

when i run the command
docker run -p 10022:22 -d atmoz/sftp foo:pass:::upload
the container has run, but how can i use ftp client to connect the ftp server?
please show some shell scripts to connect.

Actually it is not easy to check if i use the latest release. To update i must manually delete the container to force docker to pull image again.

It would be more easier to change the tag in my compose file.