Configure SFTP on EE4 server

This article describes how to set up SFTP on an EE4 server. We will accomplish it by running the SFTP daemon in its own lightweight container. We won't install the SFTP daemon in a site's PHP container, as it's not recommended to run more than one daemon process per container.

First of all, we need to create a directory on the server to store the SFTP config and related files.

Note: This article assumes you are logged in as root.

mkdir ~/.sftp-config

Now we need to create the SSH key pairs that our SFTP container will use.

ssh-keygen -t ed25519 -f ~/.sftp-config/ssh_host_ed25519_key < /dev/null
ssh-keygen -t rsa -b 4096 -f ~/.sftp-config/ssh_host_rsa_key < /dev/null

Now we need to create a file at ~/.sftp-config/users.conf and add a username and password for each SFTP user that we want to create.

foo:123:1001
bar:abc:1002:100
baz:xyz:1003:100

The format of this file is user:password:uid:gid, where UID and GID are the user ID and group ID of the user on your machine that you want to assign to the SFTP user. You can find the UID and GID of a particular user with the id command, for example:

id www-data

Now create a file at ~/.sftp-config/docker-compose.yml with the following contents:

sftp:
    image: atmoz/sftp
    restart: on-failure
    volumes:
        - /opt/easyengine/sites/example.com/app/htdocs/:/home/<sftp-user>/upload
        - ./ssh_host_ed25519_key:/etc/ssh/ssh_host_ed25519_key
        - ./ssh_host_rsa_key:/etc/ssh/ssh_host_rsa_key
        - ./users.conf:/etc/sftp/users.conf:ro
    ports:
        - "2222:22"

You might need to repeat the first line under volumes: for each user defined in users.conf.

Now start the container:

cd ~/.sftp-config/ && docker-compose up -d

Updating users.conf

If you want to add, update or remove users, make the changes in the users.conf file and then run the following command so that the changes take effect:

cd ~/.sftp-config/ && docker-compose down && docker-compose up -d

Using Encrypted Passwords

If you look at our users.conf file, all passwords are stored in plain text. To increase security, you can use encrypted passwords instead. To generate an encrypted password, use the following command:

echo -n "your-password" | docker run -i --rm atmoz/makepasswd --crypt-md5 --clearfrom=- | awk '{print $2":e"}'

Use the above command for each user in users.conf, and replace the plaintext password with the encrypted one. The users.conf file now looks like this:

foo:$1$oc7STwA.$CyNcLjDQ0Oh8nLznURifv.:e:1001:100
bar:$1$ezqvUJEE$4c2r1HvoTMJ.Aw2tPp1Nw1:e:1002:100
baz:$1$bcRtbHbO$l0155yF6.lvaJxog3hS9D.:e:1003:100

After updating the file, restart the SFTP container as described in the "Updating users.conf" section above.
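
As an added example (not part of the original article or of the atmoz/sftp image), the following shell function checks a users.conf in either layout shown in this article before the container is restarted. It flags plaintext passwords, entries marked :e whose password field is not a crypt-style hash, a missing or non-numeric UID/GID, UID 0, duplicate user names and a world-readable file; the function name audit_users_conf and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a users.conf in the user:password[:e]:uid[:gid] layout.
# Prints one finding per line and returns 1 if anything was found.
audit_users_conf() {
    conf=$1
    status=0
    # The file holds credentials, so "other" should not be able to read it.
    if [ -n "$(find "$conf" -prune -perm -004)" ]; then
        echo "$conf: file is world-readable"
        status=1
    fi
    awk -F: '
        function report(msg) { print msg; bad = 1 }
        /^[ \t]*$/ { next }    # ignore blank lines
        {
            user = $1; pass = $2
            # "e" in field 3 marks an encrypted password and shifts uid/gid.
            if ($3 == "e") { enc = 1; uid = $4; gid = $5 }
            else           { enc = 0; uid = $3; gid = $4 }

            if (!enc)
                report(user ": password is stored in plain text")
            else if (pass !~ /^\$[0-9a-z]+\$[^$]+\$/)
                report(user ": marked :e but field 2 is not a crypt hash")
            if (uid !~ /^[0-9]+$/ || (gid != "" && gid !~ /^[0-9]+$/))
                report(user ": uid missing or uid/gid not numeric")
            else if (uid + 0 == 0)
                report(user ": uid 0 maps the SFTP user to root")
            if (seen[user]++)
                report(user ": duplicate user name")
        }
        END { exit bad + 0 }
    ' "$conf" || status=1
    return $status
}

# Constructed sample mixing the plain and ":e" layouts from this article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
foo:123:1001
bar:$1$ezqvUJEE$4c2r1HvoTMJ.Aw2tPp1Nw1:e:1002:100
baz:xyz:e:0:100
EOF
audit_users_conf "$sample" || echo "fix the findings above before starting the container"
rm -f "$sample"
```

Run it as audit_users_conf ~/.sftp-config/users.conf; a return status of 0 means none of these checks fired.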