Forked from atmoz to make it easier to setup on kubernetes and share a volume to a group of people. adds fail2ban from this pr. merges in a number of PRs to fix a number of issues
- Supported tags and respective
Dockerfilelinks - Quickstart Example
- Summary
- Volume DATAMOUNT env
- User Credentials
- Providing server SSH host keys (recommended)
- Execute custom scripts or applications
- Bindmount dirs from another location
- Kubernetes
- debian:buster-slim
latest(Dockerfile)
Securely share your files
Easy to use SFTP (SSH File Transfer Protocol) server with OpenSSH. This is an automated build linked with the debian repositories.
To run the opionionated example in this project ./examples/docker/docker-run.sh
See README there for more info
-
Define users in (1) command arguments, (2)
SFTP_USERSenvironment variable or (3) in file mounted as/etc/sftp/users.conf(syntax:user:pass[:e][:uid[:gid[:dir1[,dir2]...]]] ..., see below for examples)- Set UID/GID manually for your users if you want them to make changes to your mounted volumes with permissions matching your host filesystem.
- If uid is not specified then it will be automatically created starting at 1000
- If GID is not specified then it will default to 100:users
- Directory names at the end will be created under user's home directory with write permission, if they aren't already present.
- if a dir is not specified then it defaults to
/home/:user/data
-
Fail2Ban is configured with intelligent defaults and the logs for both var/log/auth.log and /var/log/ fail2ban.conf is tailed to the output for docker and kubernetes
-
to disable it set env var
-e FAIL2BAN=false -
for fail2ban to work it needs the
--cap-add=NET_ADMINpermissions added to Docker. if your running into issues then, while not recomended, you can brute force it with--privileged -
in kubernetes the container should use
hostPortto bypass the kub-proxy, otherwise it doesn't see the originating ip adress and will ban the internal one. Using a loadbalancer not tested and will require some special configuration to pass through originating ip. Test and keep an eye on logs# generally will want to force pod to run on a specific node when using hostPort nodeName: kub-node-1 containers: - name: sftp image: yakworks/sftp:latest ports: - name: ssh containerPort: 22 # map to the node host's port to skip kub-proxy so fail2ban can see ip hostPort: 9922 securityContext: privileged: true # nuclear option if mount is not working with capabilities below capabilities: add: ["SYS_ADMIN", "NET_ADMIN", "NET_BIND_SERVICE"]
-
docker run -p 2222:22 -d yakworks/sftp foo:pass
The OpenSSH server runs by default on port 22, and in this example, we are forwarding the container's port 22 to the host's port 2222. To log in with the OpenSSH client, run: sftp -P 2222 foo@127.0.0.1
User "foo" with password "pass" can login with sftp and upload files to the default folder called "data". No mounted directories or custom UID/GID. Later you can inspect the files and use --volumes-from to mount them somewhere else (or see next example).
NOTE: in this example Fail2Ban will probably fail as it needs the NET_ADMIN capability
Opinionated defaults. This sets users and groups in a number of ways that attempt to make sharing files cleaner across multiple users
set the DATA_MOUNT environment var to the dir that was mounted in volumes.
- if the data volume is mounted then it will create a "home"
/data/users/:userfor each user - users group: a
usersor100group is considered limited in visibility, ex:foo:pass::useruserswill have the home/data/users/:userbind mounted to their chroot/home/:user/homeand read/write be limited to that dir
- staff/owner group: a
staffor50group is considered an owner, ex:foo:pass::staff.staffwill also have the home/data/users/:userbind mounted to their chroot/home/:user/home- staff will also have the
/$DATA_MOUNTbind mounted in their chroot/home/:user/dataand will have full rw access to the whole dir. - staff will have primary group of
usersand will also have staff group as secondary
- any directories in the user definition are additional bind mounts in users base dir in addition to
homeanddata. This can be used to give user access to dirs in/data --cap-add=SYS_ADMINis needed for the mounting. see kubernetes example for adding securityContext.capabilities
Let's mount a directory and make a user and staf owner with UIDs as well.
mkdir -p target/sftp-vol/private
mkdir -p target/sftp-vol/public
docker run --cap-add=NET_ADMIN --cap-add=SYS_ADMIN \
-e DATA_MOUNT=/sftp-data \
-v $(pwd)/target/sftp-vol:/sftp-data \
-p 2222:22 -d yakworks/sftp \
owner1:pass::staff user1:pass::users:/sftp-data/public
this will create a
Both users will have a home dir in their root dir when they login. This will point to the
target/yakbox-sftp/home/:user that was created for them.
In this example when they owner1 user sftp's in they will have a sftp-data dir that is
essentially mapped to the target/sftp-vol dir via the DATA_MOUNT share and can see every thing.
The user1 will end up having a home dir and because of the user config will also be able to
see sftp-data/public that is mapped to target/sftp-vol/public
Also, go ahead and try out fail2ban. enter 5 bad logins and see what happens.
echo "
owner:123:1001:staff
bar:abc:1006:100
baz:xyz:1098:users
" >> target/users.conf
docker run --cap-add=NET_ADMIN --cap-add=SYS_ADMIN \
-v $(pwd)/target/users.conf:/etc/sftp/users.conf:ro \
-v $(pwd)/store/onebox-sftp:/data \
-p 2222:22 -d yakworks/sftp
note: 100 is the users group so either id will work or name
In this example it will create
Add :e behind password to mark it as encrypted. Use single quotes if using terminal.
docker run --cap-add=NET_ADMIN --cap-add=SYS_ADMIN \
-v /host/share:/home/foo/share \
-p 2222:22 -d yakworks/sftp \
'foo:$1$0G2g0GSt$ewU0t6GXG15.0hWoOX8X9.:e:1001'
Tip: you can use atmoz/makepasswd to generate encrypted passwords:
echo -n "your-password" | docker run -i --rm atmoz/makepasswd --crypt-md5 --clearfrom=-
Option 1 - volume mapping each user key
Mount public keys in the user's .ssh/keys/ directory. All keys are automatically appended to .ssh/authorized_keys (you can't mount this file directly, because OpenSSH requires limited file permissions). In this example, we do not provide any password, so the user foo can only login with his SSH key.
docker run --cap-add=NET_ADMIN --cap-add=SYS_ADMIN \
-v /host/id_rsa.pub:/home/foo/.ssh/keys/id_rsa.pub:ro \
-v /host/id_other.pub:/home/foo/.ssh/keys/id_other.pub:ro \
-v /host/share:/home/foo/share \
-p 2222:22 -d atmoz/sftp \
foo::1001
Option 2 - mapping volume with all keys
This is best option for kubernetes as you can easily create a secret configmap with each users public key and map to that secret as a volume
create a volume mapping to /etc/sftp/authorized_keys.d. On start the container will spin through all pub files in that directory and add automatically appended to /home/:user/.ssh/authorized_keys. format should be :user_rsa.pub.
For example, if you have a directory called secure/ssh-user-keys with the key files ziggy_rsa.pub and bob_rsa.pub
docker run --cap-add=NET_ADMIN --cap-add=SYS_ADMIN \
-v secure/ssh-user-keys:/etc/sftp/authorized_keys.d \
-p 2222:22 -d atmoz/sftp \
ziggy::1001 bob::1002
The examples/docker shows this in action
For consistent server fingerprint, mount /etc/sftp/host_keys.d with your
ssh_host_ed25519_key and ssh_host_rsa_key host keys. OpenSSH seems to requires limited file permissions on these as well so in init it will copy the files from host_keys.d to etc/ssh.
If not then this container will generate new SSH host keys at first run. To avoid that your users get a MITM warning when you recreate your container (and the host keys changes), you can mount your own host keys.
Tip: you can generate your keys with these commands:
ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null
or using this docker image itself
mkdir keys
# runs the image and copies the keys out to use then exits
docker run -it --rm -v $(pwd):/workdir yakworks/sftp \
cp /etc/ssh/ssh_host_ed25519_key* /etc/ssh/ssh_host_rsa_key* /workdir/keys
Put your programs in /etc/sftp.d/ and it will automatically run when the container starts.
See next section for an example.
- Users are chrooted to their home directory, so you can mount the volumes in separate directories inside the user's home directory (/home/user/mounted-directory) or just mount the whole /home directory. Just remember that the users can't create new files directly under their own home directory, so make sure there are at least one subdirectory if you want them to upload files.
If you are using --volumes-from or just want to make a custom directory available in user's home directory, you can add a script to /etc/sftp.d/ that bindmounts after container starts.
#!/bin/bash
# File mounted as: /etc/sftp.d/bindmount.sh
# Just an example (make your own)
function bindmount() {
if [ -d "$1" ]; then
mkdir -p "$2"
fi
mount --bind $3 "$1" "$2"
}
# Remember permissions, you may have to fix them:
# chown -R :users /data/common
bindmount /data/admin-tools /home/admin/tools
bindmount /data/common /home/dave/common
bindmount /data/common /home/peter/common
bindmount /data/docs /home/peter/docs --read-only
NOTE: Using mount requires that your container runs with the CAP_SYS_ADMIN capability turned on. See this answer for more information.
See the example in kubernetes dir examples/kubernetes/README.md
One way to keep this straight forward is to map secrets and their keys as volume files. Then users and the ssh keys can be mapped per the examples
We setup a share with nfs and map volume to that
We label a node for the sftp for fail-to-ban, doesn't really matter which one so just pick one and use that IP.
-
kubectl label nodes node123 sftp=someName -
Add an entry to the DNS to point ninebox.9ci.dev or whatever name we use to the node's external ip. we do this so its straight through and fail2ban can pick up the ips and do its thing
If haven't set on up yet then
-
run
./keygen.sh. This ran the docker to generate the keys and copies the secret-host-keys.yml and secret-user-conf.yml into keys dir. The keys dir should be in .gitignore and should not be checked in to github. -
Edited keys/secret-user-conf.yml to add or update users and set to initial secure passwords.
NOTE: UPDATE THE pAsWoRd to something secure, DO NOT RUN IT AS IS! This is just a githuib checked in example
-
Edit keys/secret-host-keys.yml to copy from the generated key files ssh_host_ed25519_key, ssh_host_ed25519_key.pub, ssh_host_rsa_key, ssh_host_rsa_key.pub into the stringData section of the yml
-
create keys/secret-user-keys.yml with our ssh keys so they are already there and we dont need to login
-
edit the sftp-deploy so nodeSelector to a specific node as we will create a dns entry for its ip. again, if we dont let straight in then we can take advantage of the fail2ban thats in the sftp image, which prevent the onslaught of login attempts.
- run
make secrets.decrypt.sftpto decrypt secret-conf-keys - modify sftp-deploy.yml and change
nodeName: lke31075-46747-60e7dce17c1bto whatever the node is in the cluster where you attached the label. - Make sure you assigned label to node above and did the DNS entry
- see above for descrypting secret-conf-keys
- modify secret-conf-keys.yml and change the sftp-user-keys section with current information.
- Test the key before committing (see below)
- run
make secrets.encrypt.sftpto encrypt the secret files. - Commit, push and pull request.
To test the key before committing,
- Locate the pod (dev-barn->storage->resources->secrets->sftp-user-keys)
- Edit the sftp-user-keys (3 dots, edit)
- Add or remove as necessary
- save
- go to resources->workloads
- redeploy the sftp server.
- When the new pod becomes available, look at its public ip address
sftp -P 9922 foo@122.34.56.78- If you get in without a password, it worked.
Fail-to-ban is built into this. In order for it to work is has to know the IP of the user. If we let it go through a general load balancer it proxys the IP and cant know the ip to ban, so we assign a specific node with nodeSelector and then route the DNS entry to it so fail-to-ban can do it stuff and block the cockroaches. We do this so traffic can get pushed to fail-to-ban. If it goes through the router/balancer then it mask the ip and defeats the purpose of failtobam, see readme in sftp.