I need to set up a limited access user with SFTP access. Can someone explain to me how to do that? I need to create a new user, a second key, and restrict the access of that user to only the WordPress folders. Thank you ahead of time for your assistance. I don’t have much experience in this area so the more layman’s explanation would be great.
The entire process is going to be somewhat dependent upon your environment (OS, hosting, …); look into an SFTP jail implementation.
It is hosted on Digital Ocean, the environment EE4 on Ubuntu 18.04 x64. I assume you have to create a new user, put a key in that user’s key file and set up ftp for them, but I am pretty lost on how to do any of that. I am looking and hopefully the info you gave me will help.
The whole setup can take long, even explaining it. Fortunately for you, I have made a Docker ssh image (demyx/ssh). The image doesn’t have sudo, the www-data user can’t switch to the root user, and the user can’t install anything. Feel free to use it!
# Run ssh container first
docker run -d --rm \
  --name ssh \
  -v ssh:/home/www-data/.ssh \
  --volumes-from wp-php-container \
  -p 22222:22 \
  demyx/ssh

# Copy your authorized_keys to container or create authorized_keys manually
docker cp "$HOME"/.ssh/authorized_keys ssh:/home/www-data/.ssh

# Restart ssh container so authorized_keys permissions are set
docker restart ssh

# SSH or SFTP
ssh -p 22222 firstname.lastname@example.org
Configure SFTP on EE4 server
This is what I get when I try to run this command.
Error: No such container:path: ssh:/home/www-data
You have to run the first command, the docker run one.
I assume you mean this one, which I did. The system returned the below messages.
Unable to find image 'demyx/ssh:latest' locally
latest: Pulling from demyx/ssh
921b31ab772b: Pull complete
a375d3cd6623: Pull complete
a34c15107a49: Pull complete
454d81ae21b4: Pull complete
Digest: sha256:8f8e5692a7a53a10827ed8d36616e233ffc449ee84d76cb0097a30c7ec789532
Status: Downloaded newer image for demyx/ssh:latest
docker: Error response from daemon: No such container: wp-php-container.
See 'docker run --help'.
wp-php-container is supposed to be an example, I thought that was obvious. You will have to find out the name of the container you want to SFTP into by running docker ps, then replace wp-php-container with that name, then rerun the docker run command.
Below is what I get when I run that command. I am not sure what you are saying. I am a n00b on Linux and can only really do basic stuff. I want to learn more, but I am even newer to Docker.
b040d755f61e   atmoz/sftp                      "/entrypoint"              12 minutes ago   Up 12 minutes   0.0.0.0:2222->22/tcp                       sftp-config_sftp_1
46b07280ff29   easyengine/postfix:v4.0.0       "postfix start-fg"         7 days ago       Up 31 minutes   25/tcp                                     devcfimortgagecom_postfix_1
fe2cf543ecac   easyengine/nginx:v4.0.3         "/usr/bin/openresty …"     7 days ago       Up 31 minutes   80/tcp                                     devcfimortgagecom_nginx_1
96d083884d91   easyengine/php:v4.0.3           "docker-entrypoint.s…"     7 days ago       Up 31 minutes   9000/tcp                                   devcfimortgagecom_php_1
d7303a20e4f0   easyengine/nginx-proxy:v4.0.3   "/app/docker-entrypo…"     7 days ago       Up 31 minutes   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   services_global-nginx-proxy_1
604922ea687d   easyengine/cron:v4.0.0          "/usr/bin/ofelia dae…"     5 months ago     Up 31 minutes                                              ee-cron-scheduler
bfc34b650226   easyengine/mariadb:v4.0.0       "docker-entrypoint.s…"     5 months ago     Up 31 minutes   3306/tcp                                   services_global-db_1
48d0d8f1b9ee   easyengine/redis:v4.0.0         "docker-entrypoint.s…"     5 months ago     Up 31 minutes   6379/tcp                                   services_global-redis_1
That’s the container name you gotta use.
Is this supposed to be written like docker cp ~/.ssh/authorized_keys ssh:/home/www-data/.ssh? When I go into the /home directory it is still empty. I am assuming /home/www-data/.ssh is inside the docker container or something.
authorized_keys has to be made or copied into the SFTP container.
Well, I guess I will have to reach back out to you later because following those steps has me unable to access the server even from my root account now.
docker cp does not remove, modify, or edit authorized_keys in any way. You’ll have to check if that file exists on the host, or you accidentally removed it. I would also check if the ssh daemon is running on the host.
I am sure that is the case but I can’t currently get in so I now have a new issue to resolve before I can attempt to get your docker up and running.
If you have a VPS, you should be able to remedy simple tasks like this. I would learn some basics of running a VPS (sysadmin), Linux commands, and Docker as a whole (infrastructure).
I set up a new server to test this. I followed your instructions, I see the docker container installed and running. I attempted to copy over my auth key with docker cp "$HOME"/.ssh/authorized_keys ssh:/home/www-data/.ssh, which doesn’t return any kind of error. I check the /home/www-data folder and I don’t see a .ssh folder within it, nor do I see an auth key. I assume I should. I attempt to connect via SSH and I get the message Permission denied (publickey,keyboard-interactive).
If I attempt to connect via port 22, which is the port for the default SSH setup in the DigitalOcean VPS, I am able to get connected but I get a permission denied error for my www-data when trying to access the htdocs folder on the server.
This is an example without mounting volumes.
semver:~$ docker run -dit --rm --name ssh demyx/ssh
ee3f2a870e1facbbd253a8d908fb8fea36a557ecb2899e2fbf2dcdbd9601037b
semver:~$ docker cp "$HOME"/.ssh/authorized_keys ssh:/home/www-data/.ssh
semver:~$ docker exec -it ssh ls -al /home/www-data/.ssh
total 24
drwx------ 1 www-data www-data 4096 Jul 10 19:29 .
drwxr-sr-x 1 www-data www-data 4096 Jul  7 22:13 ..
-rw-r--r-- 1     1000     1000  192 Jul  9 08:51 authorized_keys
-rw------- 1 www-data www-data 2602 Jul 10 19:28 ssh_host_rsa_key
-rw-r--r-- 1 www-data www-data  571 Jul 10 19:28 ssh_host_rsa_key.pub
semver:~$
I see, I was looking in the wrong folder. I keep forgetting that the folder structure exists inside the docker containers, but unfortunately that doesn’t fix the actual error. When I try to connect via SSH on port 2222 I get the error message Permission denied (publickey,keyboard-interactive). and if I try with PuTTY I get Disconnected: No supported authentication methods available (server sent: publickey, keyboard-interactive), but I am using the same key as I use for root since that was copied over, correct?
Did you restart the ssh container? When you restart it, the entrypoint of my image sets proper permissions on ~/.ssh and ~/.ssh/authorized_keys.
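The "Permission denied (publickey)" loop in this thread has a concrete cause worth checking directly: with its default StrictModes setting, sshd ignores authorized_keys whenever the home directory, ~/.ssh or the file itself is owned by a different uid or is group/other-writable, and docker cp keeps the host file's uid (the 1000 1000 in the ls output above). The script below is an added check, not part of the thread or of the demyx/ssh image; run it inside the container (e.g. via docker exec -it ssh sh) and it reports which path sshd would reject. It assumes GNU or busybox stat, and fix_ssh_perms is an assumed equivalent of what the image's entrypoint does on restart.

```shell
#!/bin/sh
# check_ssh_perms HOME [UID]
# Reports every path in HOME -> HOME/.ssh -> HOME/.ssh/authorized_keys that
# sshd (StrictModes yes, the default) would refuse: wrong owner or
# group/other-writable. Returns 0 when the key file would be accepted.
# Assumes GNU/busybox `stat -c`. UID defaults to the calling user.
check_ssh_perms() {
  home=$1
  uid=${2:-$(id -u)}   # uid of the login user inside the container
  rc=0
  for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$path" ]; then
      echo "missing: $path"
      return 1
    fi
    owner=$(stat -c %u "$path")
    mode=$(stat -c %a "$path")
    # sshd accepts the login user or root as owner, nothing else
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
      echo "bad owner on $path: uid $owner (want $uid or 0)"
      rc=1
    fi
    # 022 = group-write | other-write; either bit makes sshd reject it
    if [ $((0$mode & 022)) -ne 0 ]; then
      echo "group/other writable: $path (mode $mode)"
      rc=1
    fi
  done
  return $rc
}

# fix_ssh_perms HOME [UID]
# Assumed equivalent of the entrypoint's restart fix: give ~/.ssh and
# authorized_keys to the login user and close them to everyone else.
fix_ssh_perms() {
  home=$1
  uid=${2:-$(id -u)}
  chown -R "$uid" "$home/.ssh" \
    && chmod 700 "$home/.ssh" \
    && chmod 600 "$home/.ssh/authorized_keys"
}
```

If the check still passes but login fails, the key in authorized_keys is not the one the client offers; compare `ssh-keygen -lf` fingerprints on both sides.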