viaprog/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2026-06-13 23:36:45 +03:00
Code Issues Packages Projects Releases Wiki Activity
Page: SFTP Server
Pages
A typical step‐by‐step example AWS CLI with SeaweedFS AWS IAM CLI Actual Users Admin UI OIDC Admin UI Amazon IAM API Amazon S3 API Applications Async Backup Async Filer Metadata Backup Async Replication to Cloud Async Replication to another Filer Benchmark SeaweedFS as a GlusterFS replacement Benchmarks from jinleileiking Benchmarks Cache Remote Storage Choosing a Filer Store Client Libraries Cloud Drive Architecture Cloud Drive Benefits Cloud Drive Quick Setup Cloud Monitoring Cloud Tier Cluster Plan Day 2 Operations Cluster Plan Inventory Reference Cluster Plan Workflow Components Configure Remote Storage Cryptography and FIPS Compliance Customize Filer Store Data Backup Data Structure for Large Files Deployment to Kubernetes and Minikube Deployment with seaweed up Directories and Files Distributed POSIX Locks Distributing AI Model Files for Multi GPU Loading Docker Compose for S3 Docker Image Registry with SeaweedFS Doris Iceberg Integration Dremio Iceberg Integration DuckDB Iceberg Integration EC Bitrot Detection Environment Variables Erasure Coding for warm storage Error reporting to sentry FAQ FIO benchmark FUSE Mount Failover Master Server File Operations Quick Reference Filer Active Active cross cluster continuous synchronization Filer Cassandra Setup Filer Change Data Capture Filer Commands and Operations Filer Data Encryption Filer JWT Use Filer Metadata Events Filer Notification Webhook Filer Operation Serialization Filer Redis Setup Filer Server API Filer Setup Filer Store Replication Filer Stores Filer as a Key Large Value Store Gateway to Remote Object Storage Getting Started HDFS via S3 connector Hadoop Benchmark Hadoop Compatible File System Hardware Hobbyest Tinkerer scale on premises tutorial Home Iceberg Table Maintenance Independent Benchmarks Kafka to Kafka Gateway to SMQ to SQL Kubernetes Backups and Recovery with K8up Kubernetes ServiceAccount Authentication Lakekeeper Iceberg Integration Large File Handling Load Command Line Options from a file Master Server API Migrate Maintenance Scripts to Admin Script Plugin Migrate to Filer Store Mount Remote Storage OIDC Integration Optimization for Many Small Buckets Optimization P2P reading in weed mount POSIX Compliance Path Specific Configuration Path Specific Filer Store Plugin Worker Scheduling PostgreSQL compatible Server weed db Production Setup Pub Sub to SMQ to SQL Quick Start with weed mini Replication RisingWave Iceberg Integration Run Blob Storage on Public Internet Run Presto on SeaweedFS Rust Volume Server S3 API Audit log S3 API Benchmark S3 API FAQ S3 Bucket Policies S3 Bucket Quota S3 CORS S3 Conditional Operations S3 Configuration S3 Credentials S3 Lifecycle Architecture S3 Lifecycle Monitoring S3 Lifecycle Operator Guide S3 Lifecycle Troubleshooting S3 Lifecycle vs Volume TTL S3 Lifecycle S3 Nginx Proxy S3 Object Lock and Retention S3 Object Versioning S3 Policy Conditions S3 Policy Variables S3 Rate Limiting S3 Table Bucket Commands S3 Table Bucket S3 Tables Security SFTP Server SQL Queries on Message Queue SQL Quick Reference SRV Service Discovery Seaweed Message Queue SeaweedFS Architecture SeaweedFS Iceberg Catalog SeaweedFS Java Client SeaweedFS in Docker Swarm Security Configuration Security Overview Server Side Encryption SSE C Server Side Encryption SSE KMS Server Side Encryption Server Startup via Systemd Simplest S3 Bucket and User Setup Spark Iceberg Integration Store file with a Time To Live Structured Data Lake with SMQ and SQL Super Large Directories Supported APIs vs Minio System Metrics TUS Resumable Uploads TensorFlow with SeaweedFS Tiered Storage Trino Iceberg Integration UrBackup with SeaweedFS Use Cases Volume Files Structure Volume Management Volume Server API WebDAV Words from SeaweedFS Users Worker fstab and systemd mount nodejs with Seaweed S3 rclone with SeaweedFS restic with SeaweedFS run HBase on SeaweedFS run Spark on SeaweedFS s3cmd with SeaweedFS weed shell
Clone
2
SFTP Server
Chris Lu edited this page 2026-06-03 22:28:07 -07:00
Table of Contents

SFTP Server

SeaweedFS includes a built-in SFTP (SSH File Transfer Protocol) server that allows users to interact with the filer using standard SFTP clients. The SFTP server bridges between standard SSH/SFTP protocols and the SeaweedFS filer, enabling secure file operations over SSH.

Overview

The SFTP server provides:

  • SSH/SFTP access to your SeaweedFS filer
  • User authentication via passwords, SSH public keys, or CA-signed certificates
  • JWT integration for secure filer authentication
  • File operations including upload, download, rename, delete, and directory management
  • Home directory enforcement with chroot-like behavior for security
  • Keep-alive support for long-running connections

Quick Start

Starting the SFTP Server (Standalone)

weed sftp -filer=localhost:8888 -port=2022 -userStoreFile=/path/to/users.json

Starting SFTP with Filer

The SFTP server can run alongside the filer:

weed filer -sftp.port=2022 -sftp.userStoreFile=/path/to/users.json

Configuration

User Store File

Create a JSON file containing user credentials. Example: users.json

[
  {
    "Username": "alice",
    "Password": "secure_password_here",
    "HomeDir": "/home/alice",
    "Uid": 1000,
    "Gid": 1000
  },
  {
    "Username": "bob",
    "Password": "another_password",
    "HomeDir": "/home/bob",
    "Uid": 1001,
    "Gid": 1001
  }
]

Important Notes:

  • HomeDir: The user's root directory within the filer (e.g., /home/alice means the user sees that as their /)
  • Uid and Gid: User and group IDs for file ownership (currently must be 0 for proper functioning)
  • Password: Will be used for password-based authentication

Command-Line Options

Common Options

Flag Default Description
-filer localhost:8888 Filer server address (ip:port)
-port 2022 SFTP server listen port
-ip.bind 0.0.0.0 IP address to bind to
-userStoreFile (required) Path to JSON file with user credentials

SSH Configuration

Flag Default Description
-sshPrivateKey (empty) Path to SSH private key file for host authentication
-hostKeysFolder (empty) Path to folder with SSH private key files for multiple algorithms
-authMethods password,publickey Comma-separated auth methods: password, publickey, certificate
-trustedUserCAKeysFile (empty) Path to trusted user CA public keys (OpenSSH authorized_keys format); required when certificate is in -authMethods
-maxAuthTries 6 Maximum authentication attempts per connection
-bannerMessage SeaweedFS default Message displayed before authentication
-loginGraceTime 2m Timeout for authentication

Connection Management

Flag Default Description
-clientAliveInterval 5s Interval for sending keep-alive messages
-clientAliveCountMax 3 Max missed keep-alives before disconnect

Cluster Options

Flag Default Description
-dataCenter (empty) Prefer to read/write to volumes in this data center
-localSocket /tmp/seaweedfs-sftp-<port>.sock Unix socket for local connections (Unix only)

Complete Example

weed sftp \
  -filer=filer.example.com:8888 \
  -port=2022 \
  -ip.bind=0.0.0.0 \
  -userStoreFile=/etc/seaweedfs/sftp-users.json \
  -sshPrivateKey=/etc/seaweedfs/ssh_host_key \
  -authMethods=password,publickey \
  -maxAuthTries=5 \
  -clientAliveInterval=60s \
  -clientAliveCountMax=5 \
  -dataCenter=dc1

SSH User Certificate Authentication

Instead of registering every user's public key in the user store, the SFTP server can trust an SSH certificate authority (CA) and accept short-lived, CA-signed user certificates. This is the same model as OpenSSH's TrustedUserCAKeys directive: you sign each user a certificate with a central CA key, and the server accepts any certificate that CA vouches for. Issuing or rotating access no longer means editing the server's user store on every key change.

Enabling

Add certificate to -authMethods and point -trustedUserCAKeysFile at a file holding the trusted CA public key(s):

weed sftp \
  -authMethods=password,certificate \
  -trustedUserCAKeysFile=/etc/seaweedfs/sftp/ca_user.pub \
  -userStoreFile=/etc/seaweedfs/sftp/users.json \
  -hostKeysFolder=/etc/seaweedfs/sftp/host_keys

The CA file uses OpenSSH authorized_keys format — one CA public key per line, with blank lines and # comments ignored. Listing more than one key lets you trust several CAs at once, which is handy during a CA rotation.

Issuing certificates

# One-time: create the user CA keypair (keep ca_user private and offline)
ssh-keygen -t ed25519 -f ca_user

# Per user: sign a certificate valid for 1 hour, principal "alice"
ssh-keygen -s ca_user -I alice@host -n alice -V +1h alice.pub

-n alice sets the certificate principal. The principal must match the SSH login username, and a user with that name must still exist in the user store — the store still supplies the home directory, Uid/Gid, and permissions. The CA only vouches for identity; authorization continues to come from the user store.

Connecting

sftp -P 2022 -i alice alice@localhost

OpenSSH automatically presents alice-cert.pub when it sits next to the alice private key. You can also point at it explicitly with -o CertificateFile=alice-cert.pub.

Validation and behavior

When certificate is enabled, the server validates each presented certificate:

  • signed by one of the trusted CA keys
  • type is a user certificate (host certificates are rejected)
  • the current time is inside the ValidAfter/ValidBefore window
  • ValidPrincipals is non-empty and contains the login username
  • the login username resolves to an existing user in the store

Certificate auth takes over the public-key channel. Once certificate is in -authMethods, plain (non-certificate) public keys are rejected even if publickey is also listed — matching OpenSSH behavior. Password authentication is independent and unaffected, so -authMethods=password,certificate keeps both. The defaults stay password,publickey, so existing deployments are untouched until you opt in.

The CA can sign a certificate for any principal, which makes the CA private key as powerful as every user's key combined. Keep it offline, issue short-lived certificates with -V, and treat it like a root credential.

JWT Authentication with Filer

When your filer is configured with JWT authentication, the SFTP server automatically uses JWT tokens for secure communication. This is automatically configured - no additional settings needed!

Filer JWT Configuration

Ensure your security.toml includes JWT settings for the filer:

[jwt.filer_signing]
key = "your-filer-signing-secret-key"
expires_after_seconds = 10

[jwt.filer_signing.read]
key = "your-filer-signing-read-secret-key"
expires_after_seconds = 60

The SFTP server will:

  1. Automatically load these JWT keys from security configuration
  2. Generate temporary JWT tokens for each file operation
  3. Include tokens in requests to the filer
  4. Work seamlessly without additional configuration

This is required if your filer has JWT authentication enabled. Without it, file uploads will fail with "Failure" errors.

Troubleshooting JWT Issues

If you see upload errors like "close remote: Failure":

  1. Verify filer JWT is enabled: Check security.toml has jwt.filer_signing.key set
  2. Check JWT keys match: The SFTP server must use the same keys as the filer
  3. Verify SFTP has JWT config: Ensure security.toml is loaded when SFTP starts
  4. Check logs: Look for JWT-related errors in verbose logs (-glog.v=4)

Client Usage

Using SFTP Client

sftp -P 2022 alice@localhost

Common SFTP Commands

# List directory
ls

# Create directory
mkdir projects

# Upload file
put local-file.txt

# Download file
get remote-file.txt

# Rename file
rename old-name.txt new-name.txt

# Delete file
rm file.txt

# Change directory
cd projects

# Print working directory
pwd

Using SSH/Fuse Mount

Mount the SFTP server using SSHFS (macOS/Linux):

mkdir ~/seaweedfs-mount
sshfs -P 2022 alice@localhost:/ ~/seaweedfs-mount

File Operations

Permissions and Ownership

  • Files are created with ownership based on user Uid/Gid from the user store
  • The filer maintains file permissions and ownership through gRPC calls
  • Directory creation respects the user's home directory boundaries (chroot-like)

Home Directory

Each user's home directory is configured in the user store:

  • A user with HomeDir: "/home/alice" sees that as their root (/)
  • Attempting to escape the home directory (e.g., ../..) is blocked
  • The home directory is automatically created if it doesn't exist

File Upload with JWT

When a file is uploaded:

  1. SFTP server generates a JWT token using the filer signing key
  2. Token is included in the HTTP request to the filer
  3. Filer validates the JWT before accepting the upload
  4. File is stored in the filer with proper ownership

Production Setup

Host Keys

For production, generate proper SSH host keys:

# Generate RSA key
ssh-keygen -t rsa -N "" -f /etc/seaweedfs/ssh_host_key

# Run SFTP server
weed sftp -port=2022 -sshPrivateKey=/etc/seaweedfs/ssh_host_key ...

Or use multiple keys with -hostKeysFolder:

# Create keys folder
mkdir -p /etc/seaweedfs/ssh_keys

# Generate keys for different algorithms
ssh-keygen -t rsa -N "" -f /etc/seaweedfs/ssh_keys/ssh_host_rsa_key
ssh-keygen -t ed25519 -N "" -f /etc/seaweedfs/ssh_keys/ssh_host_ed25519_key

# Run SFTP server
weed sftp -port=2022 -hostKeysFolder=/etc/seaweedfs/ssh_keys ...

Systemd Service

Create /etc/systemd/system/seaweedfs-sftp.service:

[Unit]
Description=SeaweedFS SFTP Server
After=network.target

[Service]
Type=simple
User=seaweedfs
ExecStart=/usr/local/bin/weed sftp \
  -filer=filer.example.com:8888 \
  -port=2022 \
  -userStoreFile=/etc/seaweedfs/sftp-users.json \
  -sshPrivateKey=/etc/seaweedfs/ssh_host_key
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target

Enable and start:

systemctl enable seaweedfs-sftp
systemctl start seaweedfs-sftp
systemctl status seaweedfs-sftp

Security Considerations

User Management

  • Store user credentials securely in the user store file
  • Restrict file permissions: chmod 600 users.json
  • Use strong passwords or SSH keys
  • Regularly rotate credentials

Network Security

  • Run SFTP on a non-standard port (not 22)
  • Firewall SFTP port to trusted networks only
  • Use SSH user certificates for key-based auth in production
  • Consider running behind a VPN or bastion host

Home Directory Isolation

  • Each user sees only their home directory
  • Path traversal attempts are blocked
  • Files outside user's home dir are inaccessible

JWT Security

  • Store JWT secrets securely in security.toml
  • Use different keys for read and write operations
  • Rotate JWT keys periodically
  • Monitor JWT expiration settings to balance security and performance

Troubleshooting

Connection Refused

ssh: connect to host localhost port 2022: Connection refused

Solution: Ensure SFTP server is running and listening on the correct port:

netstat -tlnp | grep 2022
# or on macOS:
lsof -i :2022

Authentication Failed

Permission denied (password).

Solution:

  1. Verify user exists in JSON file
  2. Check password is correct
  3. Ensure file format is valid JSON
  4. Check user JSON again for syntax errors

Upload Failures

Uploading file.txt to /file.txt
close remote: Failure

Solution (with JWT enabled):

  1. Verify JWT key is configured in security.toml
  2. Check JWT key matches between SFTP and filer
  3. Enable verbose logging: -glog.v=4
  4. Check filer logs for JWT validation errors

Slow Connections

Increase keep-alive timeout:

weed sftp ... -clientAliveInterval=30s -clientAliveCountMax=10

See Also

Introduction

API

Configuration

Filer

Filer Stores

Management

Advanced Filer Configurations

FUSE Mount

WebDAV

SFTP Server

Cloud Drive

AWS S3 API

S3 Table Bucket

Iceberg Integrations

S3 Authentication & IAM

Server-Side Encryption

S3 Client Tools

Machine Learning

HDFS

Replication and Backup

Metadata Change Events

Messaging

Use Cases

Operations

Rust Volume Server

Advanced

Security

Misc Use Case Examples