debian-stretch
,debian
,latest
(Dockerfile)debian-jessie
(Dockerfile)alpine-3.6
,alpine
(Dockerfile)alpine-3.5
(Dockerfile)
Easy to use SFTP (SSH File Transfer Protocol) server with OpenSSH. This is an automated build linked with the debian and alpine repositories.
- Required: define users as command arguments, STDIN or mounted in
/etc/sftp/users.conf
(syntax:user:pass[:e][:uid[:gid[:dir1[,dir2]...]]]...
).- Set UID/GID manually for your users if you want them to make changes to your mounted volumes with permissions matching your host filesystem.
- Add directory names at the end, if you want to create them under the user's home directory. Perfect when you just want a fast way to upload something.
- Optional (but recommended): mount volumes.
- The users are chrooted to their home directory, so you can mount the volumes in separate directories inside the user's home directory (/home/user/mounted-directory) or just mount the whole /home directory. Just remember that the users can't create new files directly under their own home directory, so make sure there are at least one subdirectory if you want them to upload files.
- For consistent server fingerprint, mount your own host keys (i.e.
/etc/ssh/ssh_host_*
)
docker run -p 22:22 -d atmoz/sftp foo:pass:::upload
User "foo" with password "pass" can login with sftp and upload files to a folder called "upload". No mounted directories or custom UID/GID. Later you can inspect the files and use --volumes-from
to mount them somewhere else (or see next example).
Let's mount a directory and set UID (we will also provide our own hostkeys):
docker run \
-v /host/upload:/home/foo/upload \
-p 2222:22 -d atmoz/sftp \
foo:pass:1001
sftp:
image: atmoz/sftp
volumes:
- /host/upload:/home/foo/upload
ports:
- "2222:22"
command: foo:pass:1001
The OpenSSH server runs by default on port 22, and in this example, we are
forwarding the container's port 22 to the host's port 2222. To log in with the
OpenSSH client, run: sftp -P 2222 foo@<host-ip>
docker run \
-v /host/users.conf:/etc/sftp/users.conf:ro \
-v mySftpVolume:/home \
-p 2222:22 -d atmoz/sftp
/host/users.conf:
foo:123:1001:100
bar:abc:1002:100
baz:xyz:1003:100
Add :e
behind password to mark it as encrypted. Use single quotes if using terminal.
docker run \
-v /host/share:/home/foo/share \
-p 2222:22 -d atmoz/sftp \
'foo:$1$0G2g0GSt$ewU0t6GXG15.0hWoOX8X9.:e:1001'
Tip: you can use atmoz/makepasswd to generate encrypted passwords:
echo -n "your-password" | docker run -i --rm atmoz/makepasswd --crypt-md5 --clearfrom=-
Mount public keys in the user's .ssh/keys/
directory. All keys are
automatically appended to .ssh/authorized_keys
(you can't mount this file
directly, because OpenSSH requires limited file permissions). In this example,
we do not provide any password, so the user foo
can only login with his SSH
key.
docker run \
-v /host/id_rsa.pub:/home/foo/.ssh/keys/id_rsa.pub:ro \
-v /host/id_other.pub:/home/foo/.ssh/keys/id_other.pub:ro \
-v /host/share:/home/foo/share \
-p 2222:22 -d atmoz/sftp \
foo::1001
This container will generate new SSH host keys at first run. To avoid that your users get a MITM warning when you recreate your container (and the host keys changes), you can mount your own host keys.
docker run \
-v /host/ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key \
-v /host/ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key \
-v /host/share:/home/foo/share \
-p 2222:22 -d atmoz/sftp \
foo::1001
Tip: you can generate your keys with these commands:
ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null
ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key < /dev/null
Put your programs in /etc/sftp.d/
and it will automatically run when the container starts.
See next section for an example.
If you are using --volumes-from
or just want to make a custom directory
available in user's home directory, you can add a script to /etc/sftp.d/
that
bindmounts after container starts.
#!/bin/bash
# File mounted as: /etc/sftp.d/bindmount.sh
# Just an example (make your own)
function bindmount() {
if [ -d "$1" ]; then
mkdir -p "$2"
fi
mount --bind $3 "$1" "$2"
}
# Remember permissions, you may have to fix them:
# chown -R :users /data/common
bindmount /data/admin-tools /home/admin/tools
bindmount /data/common /home/dave/common
bindmount /data/common /home/peter/common
bindmount /data/docs /home/peter/docs --read-only
The biggest differences are in size and OpenSSH version. Alpine is 10 times smaller than Debian. OpenSSH version can also differ, as it's two different teams maintaining the packages. Debian is generally considered more stable and only bugfixes and security fixes are added after each Debian release (about 2 years). Alpine has a faster release cycle (about 6 months) and therefore newer versions of OpenSSH. As I'm writing this, Debian has version 7.4 while Alpine has version 7.5. Recommended reading: Comparing Debian vs Alpine for container & Docker apps
It depends on which linux distro and version you choose (see available images at the top). You can see what version you get by checking the distro's packages online. I have provided direct links below for easy access.
Note: The time when this image was last built can delay the availability of an OpenSSH release. Since this is an automated build linked with debian and alpine repos, the build will depend on how often they push changes (out of my control). Typically this can take 1-5 days, but it can also take longer. You can of course make this more predictable by cloning this repo and run your own build manually.