0

I need to create a docker image with ProFTPD and use it as an SFTP server.
Obviously I need SSH host keys for this to work, but I don't want to create new keys every time I build the image.
If I create SSH host keys with:

ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa

inside a running container, without providing a passphrase, it works perfectly.
I can simply start my SFTP server with the proftpd command.

However, keys generated exactly the same way on my host and then copied to the docker image with the COPY directive in the Dockerfile cause the following error when trying to start ProFTPD in a container:

Wrong passphrase for this key.  Please try again.

Wrong passphrase for this key.  Please try again.

Wrong passphrase for this key.  Please try again.
2018-11-13 11:48:21,196 2771999b0891 proftpd[53924] 2771999b0891: mod_sftp/1.0.0: error reading passphrase for SFTPHostKey '/etc/ssh/ssh_host_rsa_key': (unknown)
2018-11-13 11:48:21,197 2771999b0891 proftpd[53924] 2771999b0891: mod_sftp/1.0.0: unable to use key in SFTPHostKey '/etc/ssh/ssh_host_rsa_key', exiting

What am I missing here?

EDIT: Dockerfile as requested:

FROM alpine:latest

COPY etc/apk/repositories /etc/apk/repositories

COPY etc/ssh/ /etc/ssh/

COPY etc/proftpd/ /etc/proftpd/

RUN apk upgrade --no-cache

RUN apk add --no-cache \
    proftpd \
    proftpd-mod_sql_postgres \
    proftpd-mod_sftp_sql

ENTRYPOINT proftpd

And the contents of /etc/ssh inside the container:

>>ls -la /etc/ssh
total 28
drwxr-xr-x    1 root     root          4096 Nov 13 13:47 .
drwxr-xr-x    1 root     root          4096 Nov 13 13:46 ..
-rw-------    1 root     root          1393 Nov 13 13:57 ssh_host_dsa_key
-rw-r--r--    1 root     root           609 Nov 13 10:11 ssh_host_dsa_key.pub
-rw-------    1 root     root          1831 Nov 13 13:57 ssh_host_rsa_key
-rw-r--r--    1 root     root           401 Nov 13 10:11 ssh_host_rsa_key.pub
-rw-r--r--    1 root     root          3177 Nov  7 18:21 sshd_config
  • Please show the relevant parts of your Dockerfile. – Michael Hampton Nov 13 '18 at 13:36
  • @MichaelHampton I've added it now – ElmoVanKielmo Nov 13 '18 at 14:03
  • Huh? I don't see anything in that Dockerfile that creates ssh host keys. How did you actually create them, then? – Michael Hampton Nov 13 '18 at 14:17
  • @MichaelHampton `ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa` and `ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa` - it was in the question from the very beginning. Well, ok, the only difference was that I used path relative to my project root - so `ssh-keygen -f etc/ssh/ssh_host_rsa_key -N '' -t rsa` and `ssh-keygen -f etc/ssh/ssh_host_dsa_key -N '' -t dsa`. Then `COPY etc/ssh/ /etc/ssh/` copies them into the docker image. – ElmoVanKielmo Nov 13 '18 at 14:39
  • What is the OS, version, and distro of the Docker container? – mdpc Nov 13 '18 at 20:50
  • @mdpc it's alpine:latest as you can see in my Dockerfile – ElmoVanKielmo Nov 13 '18 at 21:24
  • Well I googled it, basically it is an enhanced busybox image...interesting. – mdpc Nov 13 '18 at 21:40
  • @MichaelHampton I was able to find a workaround and indirect reason for the problem - please take a look at my answer - maybe you know something more about it and can provide a decent solution. – ElmoVanKielmo Nov 15 '18 at 15:30

2 Answers

0

It turns out that for whatever reason keys generated on MacOS host were causing this issue.
But keys generated on a Linux host work as expected - no problem with unexpectedly requested passphrase.

I'm not sure why this happens but it's reproducible. I thought DSA and RSA keys are compatible no matter the operating system.

I'd appreciate if someone could find a more complete explanation but for me the problem is solved - despite the solution being only a workaround without proper understanding of the issue.

  • There appears to have been a change to the format used by MacOS Mojave (due to using `OpenSSH_7.9p1`). Adding `-m PEM` to the `ssh-keygen` command fixed it for me. More details: https://superuser.com/a/1404243 – Doug Jun 26 '19 at 15:58
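As an added example (not code from the question or either answer), the script below makes the difference that Doug's comment points at visible and repairable: OpenSSH 7.8 and later write passphrase-less private keys in the "-----BEGIN OPENSSH PRIVATE KEY-----" container by default, whereas the "-----BEGIN RSA/DSA PRIVATE KEY-----" PEM armor is what mod_sftp's SFTPHostKey reader loaded without asking for a passphrase. `key_format` classifies a key file by its armor line, `is_pem_hostkey` is the check worth running in a build or entrypoint before starting proftpd, and `ensure_pem_hostkey` either generates a key with `-m PEM` or converts an existing one in place with `ssh-keygen -p -m PEM`. The function names and the `-q`/`-P ''` flags are my choices; the paths in the usage comment are the question's own. DSA is a legacy algorithm that recent OpenSSH builds refuse to generate at all, and is only listed because the question creates one; an RSA host key is enough for mod_sftp.

```shell
#!/bin/sh
# Added example, not part of the original post: detect whether an unencrypted
# SSH private key is in the PEM armor that ProFTPD's mod_sftp expected, and
# generate or convert host keys so that they are.  Function names are my own.

# Print the format of a private key judged by its first (armor) line:
#   pem-rsa   "-----BEGIN RSA PRIVATE KEY-----"      loads as SFTPHostKey
#   pem-dsa   "-----BEGIN DSA PRIVATE KEY-----"      loads as SFTPHostKey
#   openssh   "-----BEGIN OPENSSH PRIVATE KEY-----"  ssh-keygen default since 7.8,
#                                                    provokes the passphrase prompt
#   unknown   anything else, including a missing or unreadable file
key_format() {
    _first="$(head -n 1 "$1" 2>/dev/null || true)"
    case "$_first" in
        '-----BEGIN RSA PRIVATE KEY-----')     echo pem-rsa ;;
        '-----BEGIN DSA PRIVATE KEY-----')     echo pem-dsa ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;
        *)                                     echo unknown ;;
    esac
}

# Return 0 when the key is PEM-armored, i.e. usable as an unencrypted
# SFTPHostKey; 1 otherwise.  Suitable as a pre-flight check before `proftpd`.
is_pem_hostkey() {
    case "$(key_format "$1")" in
        pem-rsa|pem-dsa) return 0 ;;
        *)               return 1 ;;
    esac
}

# Make sure $1 is a PEM-armored, passphrase-less key of type $2 with $3 bits.
# A missing key is generated with -m PEM; an existing key in another format is
# rewritten in place by `ssh-keygen -p -m PEM` (old passphrase '' -> new '').
# Needs ssh-keygen on PATH.  Returns 0 if the key is PEM afterwards.
ensure_pem_hostkey() {
    _key="$1"; _type="$2"; _bits="$3"
    if [ ! -f "$_key" ]; then
        ssh-keygen -q -t "$_type" -b "$_bits" -m PEM -N '' -f "$_key"
    elif ! is_pem_hostkey "$_key"; then
        ssh-keygen -q -p -m PEM -P '' -N '' -f "$_key"
    fi
    is_pem_hostkey "$_key"
}

# Usage, run from the project root before `docker build` (paths from the question):
#   ensure_pem_hostkey etc/ssh/ssh_host_rsa_key rsa 2048
#   ensure_pem_hostkey etc/ssh/ssh_host_dsa_key dsa 1024   # DSA only if ssh-keygen still allows it
```

Running `is_pem_hostkey` against the copied keys (for example as a `RUN` step after the `COPY etc/ssh/ /etc/ssh/` line) fails the image build instead of leaving a container that dies with "Wrong passphrase for this key" at runtime; the same check on the build host explains why keys from a Mojave machine with OpenSSH 7.9 failed while keys from an older Linux ssh-keygen did not.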
0

I believe that it may be in the fact that the default encryption levels are different. If you had declared the bytes in all instances, I think the problem would not have arisen.

Like say:

ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa -b 1024
vs
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa -b 2048
vs
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa -b 4096