Saturday, 6 May 2017

Dockerization of an sftp service

Synopsis

As part of building a web service, I wanted to have some of the microservice dependencies dockerized for easy setup and deployment. The three applications my web service depends on are:

  • mongodb
  • rabbitmq
  • sftp

This post is about dockerizing sftp. The container will provide sftp-only user accounts and the users will be restricted to their home directory. The former is done through disabling login (in the Dockerfile), the latter by chrooting to the user's home directory (in the sshd_config file).


FROM ubuntu:latest

The latest version of Ubuntu is our starting point. (The latest tag moves with each release, so pinning a specific release tag gives reproducible image builds.)


RUN apt-get update && \
    apt-get -y install openssh-server


Sftp (SSH File Transfer Protocol) is a separate protocol packaged with SSH, so we install the ssh server.


RUN mkdir /var/run/sshd

The privilege separation directory /var/run/sshd must exist; without it sshd refuses to start and the container exits immediately after starting.


COPY sshd_config /etc/ssh/sshd_config

The default ssh configuration is adjusted for sftp purposes (https://github.com/tamarakaufler/go_loyalty_scheme_service/tree/master/dockerized/sftp).


RUN groupadd sftpusers

All sftp users will be part of this group.


RUN adduser --quiet --disabled-password sftp_loyalty

When creating a new sftp user, the --disabled-password option is passed so that adduser does not stop at an interactive password prompt during the build; the password is then set by the chpasswd command that follows.


# chpasswd reads "user:password" pairs from stdin and takes no username argument
RUN echo "sftp_loyalty:BIGSeCrEt" | chpasswd

# nologin lives in /usr/sbin on Ubuntu; the chroot directory must be root-owned
# and not writable by the user (sshd checks this before chrooting)
RUN usermod -g sftpusers sftp_loyalty && \
    usermod -s /usr/sbin/nologin sftp_loyalty && \
    chown root:sftp_loyalty /home/sftp_loyalty && \
    chmod 755 /home/sftp_loyalty


This assigns the sftp user to the correct group and disables normal login. The chown/chmod of the home directory are required by sshd's ChrootDirectory: the chroot target and every component of its path must be owned by root and must not be group- or world-writable, or sshd refuses the login. Note that a password written into a RUN line is stored in the image's layer history (docker history shows it), so for anything beyond local development set it at container start or use key-based authentication instead.


RUN mkdir /home/sftp_loyalty/uploads && \
    chown sftp_loyalty:sftp_loyalty /home/sftp_loyalty/uploads && \
    chmod 755 /home/sftp_loyalty/uploads

Because the chroot directory itself must stay root-owned, the user cannot write there; a user-owned uploads subdirectory is created for that purpose.

EXPOSE 22

CMD ["/usr/sbin/sshd", "-D"]


Starts the ssh server. I originally tried using:

    service sshd start

but that did not work, preventing the container from starting.

Update: Providing the full path:

    /usr/sbin/service ssh start

works.

-----------------------------------------------------------------------------------------------------------------
sshd_config (based on the default /etc/ssh/sshd_config)

  1. Deleted the original line:

         Subsystem sftp /usr/lib/openssh/sftp-server

  2. Added at the end of the default sshd_config file:

         Subsystem sftp internal-sftp
         Match Group sftpusers
             # chroot each sftp user to their home directory (%h)
             ChrootDirectory %h
             ForceCommand internal-sftp
             X11Forwarding no
             AllowTCPForwarding no
             PasswordAuthentication yes

A comment in sshd_config has to be on a line of its own: sshd only treats a line whose first non-blank character is # as a comment, and anything trailing a keyword's arguments makes it fail to start with "garbage at end of line". internal-sftp is used instead of the external sftp-server binary because that binary is not reachable from inside the chroot. Everything after the Match line applies only to members of sftpusers; the settings above it keep applying to everyone else.
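Since a broken sshd_config only shows up as a container that exits on start, it is worth checking the sftp-related lines before the COPY step. The script below is an added example, not code from the blog post or its repository: cfg_lines and sshd_config_lint are my own names, the two sample configs are constructed for the demo, and the "bad" one carries the two mistakes discussed above (an inline comment after ChrootDirectory, and the external sftp-server binary instead of internal-sftp). It uses only POSIX sed and grep.

```shell
#!/bin/sh
# Added example, not part of the blog post or its repository: a lint for the
# sftp-related lines of an sshd_config, meant to run as a build step before
# COPY sshd_config so that a mistake fails the build instead of producing a
# container whose sshd exits on start.

# Print keyword lines only: leading whitespace stripped, blank lines and
# whole-line comments dropped (the only comment form sshd accepts).
cfg_lines() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# Returns 0 if the file passes, 1 otherwise; every finding goes to stderr.
sshd_config_lint() {
    f=$1
    rc=0
    # 1. No "#" after a keyword: sshd does not know inline comments and
    #    aborts with "garbage at end of line".
    if cfg_lines "$f" | grep -q '#'; then
        echo "$f: inline comment on a keyword line" >&2
        rc=1
    fi
    # 2. Exactly one "Subsystem sftp" line, and it must be internal-sftp:
    #    the external sftp-server binary is not reachable from inside a chroot.
    n=$(cfg_lines "$f" | grep -ci '^Subsystem[[:space:]]\{1,\}sftp[[:space:]]' || true)
    if [ "$n" -ne 1 ]; then
        echo "$f: expected exactly one 'Subsystem sftp' line, found $n" >&2
        rc=1
    elif ! cfg_lines "$f" | grep -qi '^Subsystem[[:space:]]\{1,\}sftp[[:space:]]\{1,\}internal-sftp$'; then
        echo "$f: Subsystem sftp must use internal-sftp for chrooted users" >&2
        rc=1
    fi
    # 3. The Match block (everything from the first Match line to the end of
    #    the file) must chroot the user and force the sftp subsystem.
    block=$(cfg_lines "$f" | sed -n '/^Match[[:space:]]/,$p')
    for want in '^ChrootDirectory[[:space:]]' '^ForceCommand[[:space:]]\{1,\}internal-sftp$'; do
        if ! printf '%s\n' "$block" | grep -qi "$want"; then
            echo "$f: Match block lacks a line matching $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs for the demo.
tmp=$(mktemp -d)
good_conf=$tmp/good.conf
bad_conf=$tmp/bad.conf
cat > "$good_conf" <<'EOF'
# sftp-only users, chrooted to their home directory
Subsystem sftp internal-sftp
Match Group sftpusers
    # %h expands to the user's home directory
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes
EOF
cat > "$bad_conf" <<'EOF'
Subsystem sftp /usr/lib/openssh/sftp-server
Match Group sftpusers
    ChrootDirectory %h #set the home directory
    ForceCommand internal-sftp
EOF
for c in "$good_conf" "$bad_conf"; do
    if sshd_config_lint "$c"; then echo "$c: ok"; else echo "$c: rejected"; fi
done
```

The lint is deliberately narrower than `sshd -t`, which validates the whole file but needs sshd installed on the machine running the check; the two are complementary, and `sshd -t -f sshd_config` is the definitive test once the image is built.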


https://github.com/tamarakaufler/go_loyalty_scheme_service (when it becomes public)


References


https://www.vultr.com/docs/setup-sftp-only-user-accounts-on-ubuntu-14
https://github.com/atmoz/sftp
https://docs.docker.com/engine/examples/running_ssh_service/
