New SFTP user with limited rights


#1

I need to set up a limited access user with SFTP access. Can someone explain to me how to do that? I need to create a new user, a second key, and restrict the access of that user to only the WordPress folders. Thank you ahead of time for your assistance. I don’t have much experience in this area so the more layman’s explanation would be great.


#2

The entire process is going to be somewhat dependent upon your environment (OS, hosting, …); look into an SFTP jail implementation.


#3

It is hosted on Digital Ocean, the environment EE4 on Ubuntu 18.04 x64. I assume you have to create a new user and put a key in that user’s key file and set up ftp for them, but I am pretty lost on how to do any of that. I am looking, and hopefully the info you gave me will help.


#4

The whole setup can take long, even explaining it. Fortunately for you, I have made a Docker ssh image (demyx/ssh). The image doesn’t have sudo, the www-data user can’t switch to the root user, and the user can’t install anything. Feel free to use it!

# Run ssh container first
docker run -d --rm \
--name ssh \
-v ssh:/home/www-data/.ssh \
--volumes-from wp-php-container \
-p 22222:22 \
demyx/ssh

# Copy your authorized_keys to container or create authorized_keys manually
docker cp "$HOME"/.ssh/authorized_keys ssh:/home/www-data/.ssh

# Restart ssh container so authorized_keys permissions are set
docker restart ssh

# SSH or SFTP
ssh -p 22222 www-data@your-domain.tld

#5

This is what I get when I try to run this command.

Error: No such container:path: ssh:/home/www-data

#6

You have to run the first command, the docker run one.


#7

I assume you mean this one, which I did. The system returned the below messages.

Unable to find image 'demyx/ssh:latest' locally
latest: Pulling from demyx/ssh
921b31ab772b: Pull complete
a375d3cd6623: Pull complete
a34c15107a49: Pull complete
454d81ae21b4: Pull complete
Digest: sha256:8f8e5692a7a53a10827ed8d36616e233ffc449ee84d76cb0097a30c7ec789532
Status: Downloaded newer image for demyx/ssh:latest
docker: Error response from daemon: No such container: wp-php-container.
See 'docker run --help'.

#8

wp-php-container is supposed to be an example, I thought that was obvious. You will have to find out the container name you want to SFTP by running docker ps, then replace wp-php-container with that name, then rerun the docker run command.


#9

Below is what I get when I run that command. I am not sure what you are saying. I am a n00b on Linux and can only really do basic stuff. I want to learn more, but I am even newer to Docker.

CONTAINER ID        IMAGE                           COMMAND                  CREATED             STATUS              PORTS                                      NAMES
b040d755f61e        atmoz/sftp                      "/entrypoint"            12 minutes ago      Up 12 minutes       0.0.0.0:2222->22/tcp                       sftp-config_sftp_1
46b07280ff29        easyengine/postfix:v4.0.0       "postfix start-fg"       7 days ago          Up 31 minutes       25/tcp                                     devcfimortgagecom_postfix_1
fe2cf543ecac        easyengine/nginx:v4.0.3         "/usr/bin/openresty …"   7 days ago          Up 31 minutes       80/tcp                                     devcfimortgagecom_nginx_1
96d083884d91        easyengine/php:v4.0.3           "docker-entrypoint.s…"   7 days ago          Up 31 minutes       9000/tcp                                   devcfimortgagecom_php_1
d7303a20e4f0        easyengine/nginx-proxy:v4.0.3   "/app/docker-entrypo…"   7 days ago          Up 31 minutes       0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   services_global-nginx-proxy_1
604922ea687d        easyengine/cron:v4.0.0          "/usr/bin/ofelia dae…"   5 months ago        Up 31 minutes                                                  ee-cron-scheduler
bfc34b650226        easyengine/mariadb:v4.0.0       "docker-entrypoint.s…"   5 months ago        Up 31 minutes       3306/tcp                                   services_global-db_1
48d0d8f1b9ee        easyengine/redis:v4.0.0         "docker-entrypoint.s…"   5 months ago        Up 31 minutes       6379/tcp                                   services_global-redis_1

#10

That’s the container name you gotta use.


#11

Is this supposed to be written like docker cp ~/.ssh/authorized_keys ssh:/home/www-data/.ssh? When I go into the /home directory it is still empty. I am assuming /home/www-data/.ssh is inside the Docker container or something.


#12

Correct. The authorized_keys file has to be made or copied into the SFTP container.


#13

Well, I guess I will have to reach back out to you later because following those steps has me unable to access the server even from my root account now.


#14

docker cp does not remove, modify, or edit authorized_keys in any way. You’ll have to check if that file exists on the host, or you accidentally removed it. I would also check if the ssh daemon is running on the host.


#15

I am sure that is the case but I can’t currently get in so I now have a new issue to resolve before I can attempt to get your docker up and running.


#16

If you have a VPS, you should be able to remedy simple tasks like this. I would learn some basics of running a VPS (sysadmin), Linux commands, and Docker as a whole (infrastructure).


#17

I set up a new server to test this. I followed your instructions, I see the docker container installed and running. I attempted to copy over my auth key with docker cp "$HOME"/.ssh/authorized_keys ssh:/home/www-data/.ssh which doesn’t return any kind of error. I check the /home/www-data folder and I don’t see a .ssh folder within it nor do I see an auth key. I assume I should. I attempt to connect via SSH and I get the message Permission denied (publickey,keyboard-interactive).

If I attempt to connect via port 22, which is the port for the default SSH setup in the DigitalOcean VPS, I am able to get connected but I get a permission denied error for my www-data when trying to access the htdocs folder on the server.


#18

This is an example without mounting volumes.

semver:~$ docker run -dit --rm --name ssh demyx/ssh
ee3f2a870e1facbbd253a8d908fb8fea36a557ecb2899e2fbf2dcdbd9601037b
semver:~$ docker cp "$HOME"/.ssh/authorized_keys ssh:/home/www-data/.ssh
semver:~$ docker exec -it ssh ls -al /home/www-data/.ssh
total 24
drwx------    1 www-data www-data      4096 Jul 10 19:29 .
drwxr-sr-x    1 www-data www-data      4096 Jul  7 22:13 ..
-rw-r--r--    1 1000     1000           192 Jul  9 08:51 authorized_keys
-rw-------    1 www-data www-data      2602 Jul 10 19:28 ssh_host_rsa_key
-rw-r--r--    1 www-data www-data       571 Jul 10 19:28 ssh_host_rsa_key.pub
semver:~$

#19

I see, I was looking in the wrong folder. I keep forgetting that the folder structure exists inside the Docker containers, but unfortunately that doesn’t fix the actual error. When I try to connect via SSH on port 2222 I get the error message "Permission denied (publickey,keyboard-interactive).", and if I try with PuTTY I get "Disconnected: No supported authentication methods available (server sent: publickey, keyboard-interactive)". But I am using the same key as I use for root, since that was copied over, correct?


#20

Did you restart the ssh container? When you restart it, the entrypoint of my image sets the proper permissions on ~/.ssh and ~/.ssh/authorized_keys.
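The ls output in #18 shows authorized_keys copied in as uid 1000 rather than www-data, and #20 says the container restart repairs ownership and mode; the script below is an added example (not part of this thread and not the demyx/ssh entrypoint) that checks for exactly that condition and optionally repairs it. It assumes a find that supports -maxdepth, as GNU and BSD find do.

```shell
#!/bin/sh
# Added example: verify (and repair) the ownership and mode that sshd's
# default StrictModes requires on ~/.ssh and ~/.ssh/authorized_keys.
# Not the thread's code or the demyx/ssh image's entrypoint.

# check_ssh_perms DIR OWNER: returns 0 when DIR is mode 700, DIR/authorized_keys
# is mode 600 or 644, and both are owned by OWNER; otherwise prints each
# problem and returns 1.
check_ssh_perms() {
    dir=$1
    owner=$2
    keys="$dir/authorized_keys"
    rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ -f "$keys" ] || { echo "missing file: $keys"; return 1; }
    # find prints the path only when the exact mode and the owner both match
    [ -n "$(find "$dir" -maxdepth 0 -perm 700 -user "$owner")" ] ||
        { echo "$dir must be mode 700 and owned by $owner"; rc=1; }
    [ -n "$(find "$keys" -maxdepth 0 \( -perm 600 -o -perm 644 \) -user "$owner")" ] ||
        { echo "$keys must be mode 600 or 644 and owned by $owner"; rc=1; }
    return $rc
}

# fix_ssh_perms DIR OWNER: applies the layout check_ssh_perms expects.
# A plain docker cp leaves the file owned by the host uid (1000 in post #18),
# which sshd rejects; this is the repair a container restart performs.
fix_ssh_perms() {
    dir=$1
    owner=$2
    chown -R "$owner" "$dir" &&
    chmod 700 "$dir" &&
    chmod 600 "$dir/authorized_keys"
}

# Usage: ./ssh_perms.sh /home/www-data/.ssh www-data
if [ "$#" -eq 2 ]; then
    check_ssh_perms "$1" "$2"
fi
```

Run it inside the container (docker exec -it ssh sh, then the script) to confirm the state before and after a restart.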