atmoz / sftp

Securely share your files
https://hub.docker.com/r/atmoz/sftp/
MIT License

Can't provide my own SSH host key with docker-compose and Windows host #259

Open xfrancois opened 3 years ago

xfrancois commented 3 years ago

Hello, I'm trying to provide my own ssh keys as recommended here. My host machine is on Windows 10 with Docker Desktop, and I use docker-compose to mount the volume:

services:
  sftp:
    image: atmoz/sftp:alpine
    volumes:
      - "./input/data/:/home/login/data"
      - "./input/data/.ssh/id_rsa.pub:/home/login/.ssh/keys/id_rsa.pub:ro"
      - "./input/data/.ssh/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key"
    restart: always
    environment:
      TZ: UTC
    command: login:pass:1001
    ports:
      - "2223:22"

Unfortunately, it doesn't work, I have a permission error because of the ssh_host_rsa_key. This is because all the files are mounted with chmod 755, and therefore openssh can't start because it expects chmod 600 for the file.

I found a solution by using the scripts that are executed at the start. I mounted the ssh_host_rsa_key to an authorized location, and mounted a script which copies this file to /etc/ssh/ and gives it the right permissions:

services:
  sftp:
    image: atmoz/sftp:alpine
    volumes:
      - "./input/data/:/home/login/data"
      - "./input/data/.ssh/id_rsa.pub:/home/login/.ssh/keys/id_rsa.pub:ro"
      - "./input/data/server_keys/ssh_host_rsa_key:/home/login/.ssh/server_keys/ssh_host_rsa_key"
      - "./input/data/scripts:/etc/sftp.d/"
    restart: always
    environment:
      TZ: UTC
    command: login:pass:1001
    ports:
      - "2223:22"

#!/bin/bash
# Startup script placed in ./input/data/scripts (mounted at /etc/sftp.d/); it must be executable.
# Copy the mounted host key(s) into /etc/ssh and set the mode sshd requires on private keys.
cp /home/login/.ssh/server_keys/* /etc/ssh/
chmod 600 /etc/ssh/ssh_host_*

It works but it's not very elegant. Why can't we have a dedicated folder - like for public keys that are appended to authorized_keys - which would be in charge of copying the server keys to /etc/ssh and so avoid these permission issues on Windows hosts?
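A more defensive version of the startup-script workaround, as an added example for this thread (it is neither atmoz/sftp code nor the reporter's script). It assumes, rather than takes from the project, that the image's entrypoint sources (".") every executable file in /etc/sftp.d after generating any missing host keys, so the script must not call "exit" or "set -e" (both would act on the entrypoint's own shell). The mount point /opt/hostkeys and the HOSTKEY_SRC/HOSTKEY_DST variables are made up for the example; the keys are deliberately mounted outside /home/<user> so a chrooted SFTP user cannot download the world-readable Windows bind mount. The mode is always set on the copy, never on the bind-mounted original, because chmod on a Windows bind mount has no effect.

```shell
# Added example: install bind-mounted host keys into /etc/ssh with the modes
# sshd requires. Drop into /etc/sftp.d/ as an executable file.
# Assumed paths/variables (not from atmoz/sftp): /opt/hostkeys, HOSTKEY_SRC, HOSTKEY_DST.

SRC="${HOSTKEY_SRC:-/opt/hostkeys}"
DST="${HOSTKEY_DST:-/etc/ssh}"

# mode_of FILE: print the octal permission bits (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_host_keys SRC DST: copy each ssh_host_*_key (and its .pub, if any)
# from SRC into DST, then set 600 on the private key and 644 on the public key.
# Returns 1 if SRC holds no host keys or if any copy/chmod fails.
install_host_keys() {
    hk_src="$1"; hk_dst="$2"; hk_found=0
    for hk_key in "$hk_src"/ssh_host_*_key; do
        [ -f "$hk_key" ] || continue          # unmatched glob stays literal
        hk_name=$(basename "$hk_key")
        cp "$hk_key" "$hk_dst/$hk_name" || return 1
        chmod 600 "$hk_dst/$hk_name" || return 1
        if [ -f "$hk_key.pub" ]; then
            cp "$hk_key.pub" "$hk_dst/$hk_name.pub" || return 1
            chmod 644 "$hk_dst/$hk_name.pub" || return 1
        fi
        hk_found=1
    done
    [ "$hk_found" -eq 1 ]
}

# verify_host_keys DST: succeed only if DST holds at least one private host key
# and every one of them is mode 600 (what sshd insists on before loading a key).
verify_host_keys() {
    for hk_key in "$1"/ssh_host_*_key; do
        [ -f "$hk_key" ] || return 1
        [ "$(mode_of "$hk_key")" = "600" ] || { echo "bad mode on $hk_key" >&2; return 1; }
    done
    return 0
}

# No "exit" here: this file is sourced by the entrypoint. On failure sshd simply
# keeps the keys the entrypoint generated, and the log line says so.
if install_host_keys "$SRC" "$DST" && verify_host_keys "$DST"; then
    echo "sftp.d: host keys installed from $SRC into $DST"
else
    echo "sftp.d: no usable host keys in $SRC; sshd keeps the generated ones" >&2
fi
```

Mount the directory holding ssh_host_rsa_key (and ssh_host_rsa_key.pub) at /opt/hostkeys read-only and this file into /etc/sftp.d/; a Windows bind mount already presents it as 755, which satisfies the entrypoint's execute-bit check.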

ngbrown commented 2 months ago

While the work-around seems to work, it relies on mounting the public key separately; otherwise the key pairs get generated before the startup script runs to copy in the mounted keys.

Instead I relied on Docker populating a new volume with the existing container contents:

services:
  sftp:
    image: atmoz/sftp:alpine
    volumes:
      - "./input/data/:/home/login/data"
      - sftp-ssh:/etc/ssh
    restart: always
    environment:
      TZ: UTC
    command: login:pass:1001
    ports:
      - "2223:22"

volumes:
  sftp-ssh:

The sftp-ssh volume can then be backed up, etc. The drawback is that if the sftp container updates the /etc/ssh contents (e.g. ssh_config) in the future, the volume won't be updated.
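Combining the two approaches, as an added example that is not ngbrown's configuration nor part of atmoz/sftp: a one-shot init service seeds the named volume with your own host key before the server starts, so the key survives container recreation and chmod works (it is a named volume, not a Windows bind mount). The init service uses the same image so that the first mount of the empty volume is populated with the image's /etc/ssh (sshd_config included) and only the host key files are overwritten. It assumes Compose's `depends_on` with `condition: service_completed_successfully` and the assumed host directory ./input/data/server_keys holding ssh_host_rsa_key and ssh_host_rsa_key.pub.

```yaml
services:
  sftp-hostkeys:
    # One-shot seeding job; no restart policy, so it runs once per "up".
    image: atmoz/sftp:alpine
    entrypoint: ["sh", "-c"]
    command:
      - |
        set -e
        cp /src/ssh_host_rsa_key     /etc/ssh/ssh_host_rsa_key
        cp /src/ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key.pub
        chmod 600 /etc/ssh/ssh_host_rsa_key
        chmod 644 /etc/ssh/ssh_host_rsa_key.pub
        ls -l /etc/ssh/ssh_host_rsa_key*
    volumes:
      - sftp-ssh:/etc/ssh
      # Windows bind mount: its modes are ignored, but reading is all we need.
      - "./input/data/server_keys:/src:ro"

  sftp:
    image: atmoz/sftp:alpine
    depends_on:
      sftp-hostkeys:
        condition: service_completed_successfully
    volumes:
      - "./input/data/:/home/login/data"
      - "./input/data/.ssh/id_rsa.pub:/home/login/.ssh/keys/id_rsa.pub:ro"
      - sftp-ssh:/etc/ssh
    restart: always
    environment:
      TZ: UTC
    command: login:pass:1001
    ports:
      - "2223:22"

volumes:
  sftp-ssh:
```

To check that the running server really presents the seeded key rather than a generated one, compare fingerprints from the client side: `ssh-keyscan -p 2223 -t rsa localhost > scanned.pub` followed by `ssh-keygen -lf scanned.pub` should print the same fingerprint as `ssh-keygen -lf ./input/data/server_keys/ssh_host_rsa_key.pub`. The drawback ngbrown describes is unchanged: sshd_config and other files in the volume are not refreshed when the image updates, only the host key is under your control.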