New SFTP user with limited rights

I need to set up a limited access user with SFTP access. Can someone explain to me how to do that? I need to create a new user, a second key, and restrict the access of that user to only the WordPress folders. Thank you ahead of time for your assistance. I don’t have much experience in this area so the more layman’s explanation would be great.

The entire process is going to be somewhat dependent upon your environment (OS, hosting, …); look into an SFTP jail implementation.

It is hosted on Digital Ocean; the environment is EE4 on Ubuntu 18.04 x64. I assume you have to create a new user, put a key in that user’s key file and set up FTP for them, but I am pretty lost on how to do any of that. I am looking, and hopefully the info you gave me will help.

The whole setup can take a long time, even to explain. Fortunately for you, I have made a Docker SSH image (demyx/ssh). The image doesn’t have sudo, the www-data user can’t switch to the root user, and the user can’t install anything. Feel free to use it!

# Run ssh container first
docker run -d --rm \
--name ssh \
-v ssh:/home/www-data/.ssh \
--volumes-from wp-php-container \
-p 22222:22 \
demyx/ssh

# Copy your authorized_keys to container or create authorized_keys manually
docker cp "$HOME"/.ssh/authorized_keys ssh:/home/www-data/.ssh

# Restart ssh container so authorized_keys permissions are set
docker restart ssh

# SSH or SFTP
ssh -p 22222 www-data@your-domain.tld

This is what I get when I try to run this command.

Error: No such container:path: ssh:/home/www-data

You have to run the first command, the docker run one.

I assume you mean this one, which I did. The system returned the below messages.

Unable to find image 'demyx/ssh:latest' locally
latest: Pulling from demyx/ssh
921b31ab772b: Pull complete
a375d3cd6623: Pull complete
a34c15107a49: Pull complete
454d81ae21b4: Pull complete
Digest: sha256:8f8e5692a7a53a10827ed8d36616e233ffc449ee84d76cb0097a30c7ec789532
Status: Downloaded newer image for demyx/ssh:latest
docker: Error response from daemon: No such container: wp-php-container.
See 'docker run --help'.

wp-php-container is supposed to be an example, I thought that was obvious. You will have to find out the container name you want to SFTP by running docker ps, then replace wp-php-container with that name, then rerun the docker run command.

Below is what I get when I run that command. I am not sure what you are saying. I am a n00b on linux and can only really do basic stuff. I want to learn more but I am even newer to docker.

CONTAINER ID   IMAGE                           COMMAND                  CREATED          STATUS          PORTS                                      NAMES
b040d755f61e   atmoz/sftp                      "/entrypoint"            12 minutes ago   Up 12 minutes   0.0.0.0:2222->22/tcp                       sftp-config_sftp_1
46b07280ff29   easyengine/postfix:v4.0.0       "postfix start-fg"       7 days ago       Up 31 minutes   25/tcp                                     devcfimortgagecom_postfix_1
fe2cf543ecac   easyengine/nginx:v4.0.3         "/usr/bin/openresty …"   7 days ago       Up 31 minutes   80/tcp                                     devcfimortgagecom_nginx_1
96d083884d91   easyengine/php:v4.0.3           "docker-entrypoint.s…"   7 days ago       Up 31 minutes   9000/tcp                                   devcfimortgagecom_php_1
d7303a20e4f0   easyengine/nginx-proxy:v4.0.3   "/app/docker-entrypo…"   7 days ago       Up 31 minutes   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   services_global-nginx-proxy_1
604922ea687d   easyengine/cron:v4.0.0          "/usr/bin/ofelia dae…"   5 months ago     Up 31 minutes                                              ee-cron-scheduler
bfc34b650226   easyengine/mariadb:v4.0.0       "docker-entrypoint.s…"   5 months ago     Up 31 minutes   3306/tcp                                   services_global-db_1
48d0d8f1b9ee   easyengine/redis:v4.0.0         "docker-entrypoint.s…"   5 months ago     Up 31 minutes   6379/tcp                                   services_global-redis_1

That’s the container name you gotta use.

Is this supposed to be written like docker cp ~/.ssh/authorized_keys ssh:/home/www-data/.ssh? When I go into the /home directory it is still empty. I am assuming /home/www-data/.ssh is inside the docker or something.

Correct. The authorized_keys has to be made or copied into the SFTP container.

Well, I guess I will have to reach back out to you later because following those steps has me unable to access the server even from my root account now.

docker cp does not remove, modify, or edit authorized_keys in any way. You’ll have to check if that file exists on the host, or you accidentally removed it. I would also check if the ssh daemon is running on the host.

I am sure that is the case but I can’t currently get in so I now have a new issue to resolve before I can attempt to get your docker up and running.

If you have a VPS, you should be able to remedy simple tasks like this. I would learn some basics of running a VPS (sysadmin), Linux commands, and Docker as a whole (infrastructure).

I set up a new server to test this. I followed your instructions, I see the docker container installed and running. I attempted to copy over my auth key with docker cp "$HOME"/.ssh/authorized_keys ssh:/home/www-data/.ssh which doesn’t return any kind of error. I check the /home/www-data folder and I don’t see a .ssh folder within it nor do I see an auth key. I assume I should. I attempt to connect via SSH and I get the message Permission denied (publickey,keyboard-interactive).

If I attempt to connect via port 22, which is the port for the default SSH setup in the DigitalOcean VPS, I am able to get connected but I get a permission denied error for my www-data when trying to access the htdocs folder on the server.

This is an example without mounting volumes.

semver:~$ docker run -dit --rm --name ssh demyx/ssh
ee3f2a870e1facbbd253a8d908fb8fea36a557ecb2899e2fbf2dcdbd9601037b
semver:~$ docker cp "$HOME"/.ssh/authorized_keys ssh:/home/www-data/.ssh
semver:~$ docker exec -it ssh ls -al /home/www-data/.ssh
total 24
drwx------    1 www-data www-data      4096 Jul 10 19:29 .
drwxr-sr-x    1 www-data www-data      4096 Jul  7 22:13 ..
-rw-r--r--    1 1000     1000           192 Jul  9 08:51 authorized_keys
-rw-------    1 www-data www-data      2602 Jul 10 19:28 ssh_host_rsa_key
-rw-r--r--    1 www-data www-data       571 Jul 10 19:28 ssh_host_rsa_key.pub
semver:~$

I see, I was looking in the wrong folder. I keep forgetting that the folder structure exists inside the docker containers, but unfortunately that doesn’t fix the actual error. When I try to connect via SSH on port 2222 I get the error message Permission denied (publickey,keyboard-interactive), and if I try with PuTTY I get Disconnected: No supported authentication methods available (server sent: publickey, keyboard-interactive), but I am using the same key as I use for root, since that was copied over, correct?

Did you restart the ssh container? When you restart it, the entrypoint of my image sets proper permissions on ~/.ssh and ~/.ssh/authorized_keys.
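The two things this thread keeps circling are the "SFTP jail" mentioned at the start (confining one user to the WordPress directory) and the permission rules sshd enforces on ~/.ssh before it will accept a key (the reason the copied authorized_keys only works after the container restart fixes its mode and owner). The script below is an added example, not code from the demyx/ssh image or from EasyEngine. It shows the host-side OpenSSH way of doing the same job: a Match block that forces internal-sftp inside a ChrootDirectory, plus checks that mirror what sshd's StrictModes (the default) verifies. The user name wpsftp, the path /var/www/example.com and the htdocs subdirectory are assumptions for illustration.

```shell
#!/bin/sh
# Added example: host-side SFTP jail with OpenSSH, and the ownership/mode
# checks sshd applies to a user's key files. Not the demyx/ssh image's code.
# "wpsftp" and "/var/www/example.com" are assumed names for illustration.

# Print the sshd_config Match block that confines $1 to $2 over SFTP only.
# sshd insists that the ChrootDirectory itself (and every path component
# above it) is owned by root and not group/world writable, so the files the
# user may edit live in a subdirectory such as htdocs that the user owns.
sftp_jail_config() {
    user=$1
    chroot_dir=$2
    cat <<EOF
Match User $user
    ChrootDirectory $chroot_dir
    ForceCommand internal-sftp -u 0027
    PasswordAuthentication no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# True when $1 is owned by $2 (name or numeric uid) and is neither group-
# nor world-writable. This is the rule sshd applies, with StrictModes yes,
# to the home directory, ~/.ssh and ~/.ssh/authorized_keys; if any of them
# fails, public-key auth is silently refused ("Permission denied (publickey").
owned_and_private() {
    path=$1
    owner=$2
    [ -n "$(find "$path" -maxdepth 0 -user "$owner" ! -perm -g=w ! -perm -o=w 2>/dev/null)" ]
}

# Check what sshd checks: $1 is the home directory, $2 the login user.
check_strict_modes() {
    home=$1
    user=$2
    owned_and_private "$home" "$user" &&
    owned_and_private "$home/.ssh" "$user" &&
    owned_and_private "$home/.ssh/authorized_keys" "$user"
}

# Repair step, the same effect the image's entrypoint has on restart:
# docker cp keeps the host file's owner and mode (the listing above shows
# authorized_keys still owned by uid 1000), so tighten both.
fix_key_perms() {
    home=$1
    user=$2
    chown -R "$user" "$home/.ssh"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# ChrootDirectory rule for one path component: root-owned, not group/world
# writable. Run it on every component from / down to the jail root.
check_chroot_dir() {
    owned_and_private "$1" root
}

# Usage: print the block to append to /etc/ssh/sshd_config, create the user
# with a nologin shell, then validate with `sshd -t` before reloading sshd.
if [ "${1:-}" = "print-config" ]; then
    sftp_jail_config wpsftp /var/www/example.com
fi
```

Appending the printed block and reloading sshd gives the user an SFTP-only session rooted at /var/www/example.com; because the jail root must stay root-owned, give the user write access only to the htdocs subdirectory (for example by owning it, or via a group) rather than to the whole site tree. Always run `sshd -t` after editing sshd_config and keep an existing root session open until a second connection confirms the change, which is the precaution that would have avoided the lockout described earlier in the thread.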