Add SFTP support

SFTP support should be shipped in a separate docker image.
SFTP is served by openssh listening on port 22.
SFTP is not properly configured to chroot users in their homedir.
This allows an authenticated user to leak the list of your ftp users.

Author: aya

Dockerfile

@@ -1,44 +1,53 @@
 FROM alpine:latest
-LABEL maintainer "[email protected]"
+LABEL maintainer "[email protected]"
+ARG VERSION_S3FS=v1.83
 
-# s3fs tag to checkout
-ARG S3FS_VERSION=v1.83
-
-# Install s3fs binary
-RUN apk add --no-cache --virtual .fuse-builddeps \
+# Install s3fs-fuse and sftpserver
+RUN apk upgrade --no-cache \
+ && apk add --no-cache --virtual build-deps \
         alpine-sdk \
         automake \
         autoconf \
         curl-dev \
         fuse-dev \
+        gnutls-dev \
         libxml2-dev \
- && git clone https://github.com/s3fs-fuse/s3fs-fuse.git \
+        libgcrypt-dev \
+ && git clone https://github.com/s3fs-fuse/s3fs-fuse \
  && cd s3fs-fuse \
- && git checkout tags/${S3FS_VERSION} -b ${S3FS_VERSION} \
+ && git checkout tags/${VERSION_S3FS} -b ${VERSION_S3FS} \
  && ./autogen.sh \
- && ./configure --prefix=/usr \
- && make \
+ && ./configure --prefix=/usr --with-gnutls \
  && make install \
  && cd .. \
  && rm -rf s3fs-fuse \
- && apk del .fuse-builddeps
+ && apk del build-deps
 
 # Install vsftpd and s3fs libraries
 RUN apk add --no-cache \
         fuse \
+        gnutls \
         lftp \
         libcurl \
+        libgcrypt \
         libstdc++ \
         libxml2 \
         logrotate \
+        openssh \
         openssl \
         vsftpd
 
 RUN sed -i 's|/var/log/messages|/var/log/*.log|' /etc/logrotate.conf
 
+RUN ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N '' \
+ && ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ''
+
 COPY lftp-sync.sh /usr/local/bin/
 RUN chmod 755 /usr/local/bin/lftp-sync.sh
 
 COPY docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
+EXPOSE 21/tcp
+EXPOSE 22/tcp
+EXPOSE 65000/tcp
 VOLUME ["/var/log"]

README.md

@@ -1,6 +1,6 @@
 # docker-vsftpd-s3
 
-Alpine based Dockerfile running a vsftpd server providing FTP access to an Amazon S3 bucket.
+Alpine based Dockerfile running a vsftpd server providing secure FTP access to an Amazon S3 bucket.
 This docker image can run in Amazon ECS.
 
 ## Usage
@@ -78,3 +78,9 @@ Start a docker from this image.
 $ docker run -it --device /dev/fuse --cap-add sys_admin --security-opt apparmor:unconfined -p 21:21 -p 65000:65000 -e AWS_ACCESS_KEY_ID=ABCDEFGHIJKLMNOPQRST -e AWS_SECRET_ACCESS_KEY=0123456789ABCDEF0123456789ABCDEF01234567 -e S3_BUCKET="my-s3-bucket" -e FTPD_USER="my_ftp_user" -e FTPD_PASS="my_ftp_password" vsftpd-s3
 ```
 
+## Security notes
+
+Current docker image is shipped with FTPS and SFTP support, although SFTP support should be (and will be !) shipped in a separate docker image.
+SFTP is served by openssh listening on port 22. SFTP is not properly configured to chroot users in their homedir.
+This allows an authenticated user to leak the list of your ftp users.
+

docker-entrypoint.sh

@@ -98,6 +98,19 @@ echo "${FTPD_USERS}" |sed 's/ /\n/g' |while read line; do
   done
 done
 
+# Enable SFTP
+echo "Protocol 2
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+UseDNS no
+PermitRootLogin no
+X11Forwarding no
+AllowTcpForwarding no
+Subsystem sftp internal-sftp
+ForceCommand internal-sftp -d %u
+ChrootDirectory /home
+" > /etc/ssh/sshd_config
+
 # FTP sync client
 FTP_SYNC=${FTP_SYNC:-0}
 FTP_HOST=${FTP_HOST:-localhost}
@@ -116,6 +129,6 @@ DIR_LOCAL=${DIR_LOCAL:-/home/$FTPD_USER}
 # Launch crond
 crond -L /var/log/crond.log
 
-# Launch vsftpd
-[ $# -eq 0 ] && /usr/sbin/vsftpd || exec "$@" &
+# Launch sshd && vsftpd
+[ $# -eq 0 ] && /usr/sbin/sshd -e && /usr/sbin/vsftpd || exec "$@" &
 PID=$! && wait