Host Key getting changed #3
Comments
Hi! In order to do this, you'll need to customise the container image that is being deployed, as the one from Docker Hub generates a new host key each time using this script. Specifically:

# Generate unique ssh keys for this container, if needed
if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
    ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
fi
if [ ! -f /etc/ssh/ssh_host_rsa_key ]; then
    ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -N ''
fi

You'll also need to remove a line from the Dockerfile that cleans up the generated host keys. |
I've got a sample for deploying this with a custom container image here: https://github.com/bhummerstone/azure-templates/blob/master/compute/sftp/sftp-custom-image.json |
Hello Ben,
Thank you for your response.
If I understood the solution correctly, I need to deploy the solution again after modifying the template with the recommended changes, and there is no way I can modify the template in the existing solution. Is that correct?
Regards,
Akshay Kayande
|
You would need to modify the original container image that is being used for the solution: at the moment it is using the atmoz/sftp image on Docker Hub: https://hub.docker.com/r/atmoz/sftp |
Let me know if you need some more detailed steps and I can put something together :) |
Hi @bhummerstone can you please update some steps regarding this? thanks in advance |
Thank You Ben!!!
If you can list down the steps, that would be much appreciated!!
Regards,
Akshay Kayande
|
Sure, some steps would be:
Give that a try and see if it works for you :) |
Hi Ben, We created an Azure Container Instance and the corresponding file storage to be used as SFTP. We did this by the custom deployment template (uploaded). We were able to connect and upload files no problem. However, after a few days we noticed the host key was changed (probably after Azure did some regular maintenance). See screenshot uploaded. Can anyone guide us how to keep the host key from changing? Can the custom deployment template be modified to specify a constant host key? |
Heya! Yes, you would need to create a custom container image using the steps I outlined above: this would ensure that your container always had the same host key, otherwise it gets regenerated every time the ACI restarts:
|
Gotcha, thanks for the background. The message you are getting there is due to the default quota for ACI being 10 cores: you can raise a support ticket to increase that if you'd like. That said, it sounds like this may not be the best solution for you as running 10 different ACIs 24/7 will definitely be more expensive than one or two VMs. In your case, I'd probably recommend having a look at the Azure Marketplace and seeing if there is an SFTP solution there that might meet your requirements: https://azuremarketplace.microsoft.com/en-us/marketplace/apps?search=sftp&page=1 |
Thanks Ben. I took your advice and looked for an SFTP solution in Azure marketplace and we've decided to go with FileMage. |
Thanks for these steps @bhummerstone. I've followed them and created a new image. It's creating the sftp server but I can't connect to it. If I check the logs on the container it says.
Is there anything I'm missing? Thanks Matt |
Could you share your Dockerfile, please? |
Isn't there an option to use an existing key? Per Atmoz' documentation (see below). Is there a way to do this within Azure?
Providing your own SSH host key (recommended)
docker run ssh-keygen -t ed25519 -f ssh_host_ed25519_key < /dev/null |
Hello, |
@voidsstr in theory, this would work but unfortunately the mounting of Azure Files into the ACI resets the permissions to 777, whereas Linux needs it to be 600 (iirc); I've provided this feedback to the Azure Files and ACI teams to see if we can sort this out, and hopefully the introduction of NFS on Azure Files might be a step towards this: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-how-to-mount-nfs-shares |
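An added example, not part of the original thread or of the atmoz/sftp image: it reuses the entrypoint's "generate only if absent" guard quoted earlier to show that the fingerprint stays the same when the key file survives a restart and changes when the filesystem is fresh, then applies the permission rule mentioned in the comment above. The function names are made up for this illustration, temporary directories stand in for /etc/ssh, and OpenSSH's ssh-keygen is assumed to be installed.

```shell
#!/bin/sh
# Added illustration: temp directories stand in for the container's /etc/ssh.
# Requires OpenSSH's ssh-keygen; function names are made up for this example.

# Same guard as the entrypoint snippet in the thread: generate only if absent.
ensure_host_key() {            # $1 = directory standing in for /etc/ssh
    key="$1/ssh_host_ed25519_key"
    if [ ! -f "$key" ]; then
        ssh-keygen -q -t ed25519 -f "$key" -N '' || return 1
    fi
}

# The SHA256 fingerprint that SFTP clients pin in known_hosts.
fingerprint() {
    ssh-keygen -l -f "$1/ssh_host_ed25519_key.pub" | awk '{print $2}'
}

# One container start: run the guard, then report the key sshd would present.
start_container() {
    ensure_host_key "$1" && fingerprint "$1"
}

# sshd refuses a private host key that group or others can access, so a
# mount that forces mode 777 fails this check while 600 passes.
perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

if [ "${1:-}" = "demo" ]; then
    keep=$(mktemp -d)                  # filesystem that survives restarts
    echo "persistent, start 1: $(start_container "$keep")"
    echo "persistent, start 2: $(start_container "$keep")"   # same key
    echo "ephemeral,  start 1: $(start_container "$(mktemp -d)")"
    echo "ephemeral,  start 2: $(start_container "$(mktemp -d)")"  # new key
    chmod 777 "$keep/ssh_host_ed25519_key"
    perms_ok "$keep/ssh_host_ed25519_key" || echo "mode 777: sshd would reject this key"
    rm -rf "$keep"
fi
```

Run the script with the single argument demo to print the four fingerprints and the permission result.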
For ease, here is a sample Dockerfile that I've used:
You'll also need to edit the entrypoint script from the original image to remove lines 67 - 73, as this generates the new host key each time. |
You don't need to change the original Dockerfile or entrypoint script at all. You can just add another layer on top of the original! Something like this (not tested, try it out yourself):
|
Removed the section that generates the new host key each time in Entrypoint file Also removed this section in Dockerfile rm -f /etc/ssh/ssh_host_*key* (Azure-Samples/sftp-creation-template#3)
Thanks @bhummerstone It worked well. My repo along with minor change to arm template |
@bhummerstone I have tried the basic arm template, the link which you posted above. I'm able to login through private key. But the .ssh/keys folder is also visible in SFTP client. I want to hide the .ssh folders from users whosoever are going to access the SFTP. Is it possible to do? I have gone through secret volume for container group but not able to crack it. Is there any way to hide or control the access of .ssh folder? |
The .ssh folder belongs to the user, so it will always be visible in their home directory as they need permission to read it; it is their public key after all! Note that it is only visible to that particular user, not anyone else... although it's a public key, so worthless without the corresponding private key |
@bhummerstone Thanks for your prompt response. One question here, Do we still need to delete the lines which you've mentioned in previous comment. Can't we just add the ssh keys in file share and point to that location in arm template and use the private key to login. Do you see any issue by going with this approach? |
I got this working in the end by just removing this line from the docker file. I am also pushing the image into my own repository from Azure Devops and using that from my ARM template pointing it to a specific build tag. That has stopped the host keys changing |
@asif2017 unfortunately that approach currently doesn't work: when mounting an Azure Files share into an ACI it resets the permissions and so breaks the SSH process |
Closing this issue as it has been idle for a while |
Remove fork as suggested from Azure-Samples/sftp-creation-template#3
Where do I add this code? And after changing the code, do I need to build a docker file and host it on the container registry and modify ARM? Or if anyone can help to fix this issue, with keeping the host keys static. |
This link was broken after re-structuring the files. Here is the new link for the sample: https://github.com/bhummerstone/azure-templates/blob/master/arm/compute/sftp/sftp-custom-image.json |
Based on this, step 6 is not pulling the docker image, I have created the issue below for it. Please see if anyone can help me with the issue. |
This issue is for a: (mark with an x)
Minimal steps to reproduce
to create the SFTP. Some clients fail to connect since the finger print is getting changed.
I need to know if the host key can be set to static so it does not change
Any log messages given by the failure
Expected/desired behavior
OS and Version?
Versions
Mention any other details that might be useful