轩辕镜像 官方专业版
轩辕镜像
专业版
轩辕镜像 官方专业版
轩辕镜像
专业版
首页个人中心搜索镜像
交易
充值流量¥7起我的订单
文档
工具
提交工单页面收录
simple-sftp-server

pacnpal/simple-sftp-server

pacnpal

下载次数: 0状态:社区镜像维护者:pacnpal仓库类型:镜像最近更新:4 个月前
让 AI 帮你使用轩辕镜像? · 展开查看说明 · 点击收起说明

如果你使用 DeepSeek、元宝 AI、Copilot、ChatGPT 等 AI 工具,协助配置轩辕镜像、编写 docker pull 命令、修改 Docker Compose 镜像地址、配置镜像加速、排查镜像拉取失败、分析报错日志等问题,请先让 AI 阅读并遵守轩辕镜像的规则文档。

只需在 AI 对话中先发送下面这句话即可:

请先完整阅读并严格遵守以下文档中的全部规则与要求:

https://xuanyuan.cloud/agents.md

在未充分阅读并理解该文档前,不要生成任何命令、配置、修改建议、故障排查方案或技术回答。后续所有输出都必须严格以该文档中的规范为最高优先级执行。

查看 agents.md 用法指南与完整示范。国内用户首推 元宝 AI、DeepSeek 的深度思考模式,不推荐豆包 AI;Cursor 等编辑器可在对话 @ 该链接,或加入 User Rules。 若 AI 无法访问外链,可 打开说明文档 复制全文粘贴。文档会随站点更新,复制内容可能过期,建议定期检查。

镜像简介
下载命令
镜像标签列表与下载命令
轩辕镜像,不浪费每一次拉取。
点击查看

Simple SFTP Server

https://img.shields.io/badge/GitHub-Source-blue?logo=github](https://github.com/pacnpal/simple-sftp-server) https://img.shields.io/badge/GHCR-Package-blue?logo=github](https://ghcr.io/pacnpal/simple-sftp-server) https://img.shields.io/badge/Docker%20Hub-Image-blue?logo=docker](https://hub.docker.com/r/pacnpal/simple-sftp-server)

A dead simple SFTP server in Docker. Nothing else. No shell, no tunneling, no forwarding. Just SFTP.


Get the Image

These are pre-built and hosted. Pick one — they're the same image:

pacnpal/simple-sftp-server
ghcr.io/pacnpal/simple-sftp-server

Quick Start

Create host directories first (recommended):

bash
mkdir -p /home/user/.ssh_keys/simple-sftp /home/user/.ssh_keys/simple-sftp-host /home/user/sftp_data
chmod 700 /home/user/.ssh_keys /home/user/.ssh_keys/simple-sftp /home/user/.ssh_keys/simple-sftp-host
bash
docker run -d --name simple-sftp-server \
  --user "$(id -u):$(id -g)" \
  --cap-add SYS_CHROOT \
  -p 2222:2022 \
  -e PUID="$(id -u)" \
  -e PGID="$(id -g)" \
  -e SSH_KEY_DIR=/keys \
  -e HOST_KEY_DIR=/host_keys \
  -e SFTP_CHROOT=true \
  -v /home/user/.ssh_keys/simple-sftp:/keys \
  -v /home/user/.ssh_keys/simple-sftp-host:/host_keys \
  -v /home/user/sftp_data:/home/sftpuser/data \
  pacnpal/simple-sftp-server

Recommended mode is jailed (SFTP_CHROOT=true). Chroot mode confines authenticated users to /home/sftpuser, which reduces accidental exposure of unrelated mounted paths. Chroot mode requires SYS_CHROOT capability at runtime. This project is provided as-is, without warranty or support. Operators are responsible for secure deployment.

This image intentionally stores generated client keys on the host for convenience. You are responsible for securing /home/user/.ssh_keys/simple-sftp. Use non-overlapping host directories for /keys, /host_keys, and /home/sftpuser/data.

Get Your Login Key

On first start, a keypair is generated. The private key is already on your host:

bash
cp /home/user/.ssh_keys/simple-sftp/sftpuser_key ./sftp_key && chmod 600 ./sftp_key

Windows users: The chmod command doesn't exist on Windows. Instead, right-click the file > Properties > Security > make sure only your user has access.

Connect

bash
sftp -i sftp_key -P 2222 sftpuser@localhost

You should see:

Connected to sftpuser@localhost.
sftp>

You're in. Type ls to look around, put myfile.txt to upload, get myfile.txt to download, or quit to disconnect.

Stop / Start / Remove

bash
# Stop the server
docker stop simple-sftp-server

# Start it back up (your files and keys are still there)
docker start simple-sftp-server

# Remove it completely
docker rm -f simple-sftp-server

Your files and keys are stored on the host filesystem, so they persist across stop, start, and even docker rm + recreate. They only go away if you explicitly delete the directories:

bash
# WARNING: This deletes all generated keys, host keys, and uploaded files
rm -rf /home/user/.ssh_keys/simple-sftp /home/user/.ssh_keys/simple-sftp-host /home/user/sftp_data

Using Docker Compose (Alternative)

If you prefer Docker Compose, create a file called docker-compose.yml:

yaml
services:
  sftp:
    image: pacnpal/simple-sftp-server:latest
    user: "${PUID:-1000}:${PGID:-1000}"
    cap_add:
      - SYS_CHROOT
    ports:
      - "${SFTP_HOST_PORT:-2222}:2022"
    environment:
      - PUID=1000
      - PGID=1000
      - SSH_KEY_DIR=/keys
      - HOST_KEY_DIR=/host_keys
      - SFTP_CHROOT=true
    volumes:
      - /home/user/.ssh_keys/simple-sftp:/keys
      - /home/user/.ssh_keys/simple-sftp-host:/host_keys
      - /home/user/sftp_data:/home/sftpuser/data

Then run:

bash
docker compose up -d

Everything else is the same — get the key and connect as described above.


Bring Your Own Keys

If you already have SSH keys and an authorized_keys file, you can skip the auto-generated key. Put authorized_keys inside a host directory, then mount that directory as SSH_KEY_DIR.

bash
docker run -d --name simple-sftp-server \
  --user "$(id -u):$(id -g)" \
  --cap-add SYS_CHROOT \
  -p 2222:2022 \
  -e PUID="$(id -u)" \
  -e PGID="$(id -g)" \
  -e SSH_KEY_DIR=/keys \
  -e HOST_KEY_DIR=/host_keys \
  -e SFTP_CHROOT=true \
  -v /path/to/your/keydir:/keys \
  -v /home/user/.ssh_keys/simple-sftp-host:/host_keys \
  -v /home/user/sftp_data:/home/sftpuser/data \
  pacnpal/simple-sftp-server

Replace /path/to/your/keydir with the directory containing authorized_keys.


Key Handling (No Silent Rotation)

  • authorized_keys is copied at startup to /tmp/simple-sftp-runtime/authorized_keys with strict runtime permissions.
  • New keys are generated only on true first run (no existing key files).
  • If persisted key state is unreadable, e***y, or inconsistent, startup fails with a clear error instead of rotating keys.
  • Host keys are persisted in HOST_KEY_DIR (/host_keys by default). Missing host key types are auto-generated on startup.
  • BYO authorized_keys can be mounted read-only; write access is only required for first-run key generation.
  • If a legacy root-owned host-key volume is unreadable in rootless mode, startup falls back to runtime-only host keys and logs migration guidance.

SSHD Configuration

  • The image ships a managed sshd template at build time (see sshd_config.template in this repo).
  • Startup renders a concrete config from that template and starts sshd with: sshd -D -e -f /tmp/simple-sftp-runtime/sshd_config.runtime
  • AuthorizedKeysFile is pinned to /tmp/simple-sftp-runtime/authorized_keys to avoid host mount permission edge cases.
  • Internal SFTP listen port is fixed at 2022; change only the host publish port (-p <host_port>:2022).
  • The container runs rootless by default.
  • SFTP_CHROOT=true (default/recommended): enables ChrootDirectory /home/sftpuser.
  • SFTP_CHROOT=false: disables filesystem jail.
  • Chroot mode requires CAP_SYS_CHROOT (--cap-add SYS_CHROOT / Compose cap_add: [SYS_CHROOT]).
  • No chroot means authenticated users can traverse readable paths outside /home/sftpuser.
  • Non-chroot mode is operator responsibility and is provided without warranty or support.

Troubleshooting

Permission denied with matching key fingerprint

If this fails even with the right private key:

bash
sftp -o IdentitiesOnly=yes -o IdentityAgent=none -i sftp_key -P 2222 sftpuser@localhost

Verify the runtime sshd view:

bash
docker exec <container_name> sh -lc 'sshd -T -C user=sftpuser,host=localhost,addr=127.0.0.1 | grep authorizedkeysfile'
docker exec <container_name> sh -lc 'ssh-keygen -lf /tmp/simple-sftp-runtime/authorized_keys'
ssh-keygen -y -f sftp_key | ssh-keygen -lf -

The authorizedkeysfile path should be /tmp/simple-sftp-runtime/authorized_keys, and the two fingerprints should match.

server lacks privileges to chroot to ChrootDirectory

This means SFTP_CHROOT=true but the container does not have CAP_SYS_CHROOT.

Fix:

  • docker run: add --cap-add SYS_CHROOT
  • Compose: add
yaml
cap_add:
  - SYS_CHROOT

If your runtime policy does not allow this capability, set SFTP_CHROOT=false and accept the no-chroot risk model.

Host key keeps changing

If clients warn about host key changes, your host-key mount is not persisting stable key files.

bash
docker inspect <container_name> --format '{{range .Mounts}}{{.Destination}} <- {{.Source}}{{println}}{{end}}'
ls -l /home/user/.ssh_keys/simple-sftp-host/ssh_host_*

Keep /host_keys mounted to a stable host directory and avoid overlapping it under an SFTP-exposed parent mount.

Permission denied reading or writing key directories

If logs include errors like:

text
cp: can't open '/host_keys/ssh_host_rsa_key': Permission denied

the mounted key directories are not readable/writable by the container.

  • Ensure HOST_KEY_DIR and SSH_KEY_DIR mounts are readable/writable during startup.
  • Ensure any mounted SFTP data directories are writable by your selected PUID/PGID.

Environment Variables

You can customize behavior with these:

VariableDefaultWhat it does
SFTP_PATHS/dataComma-separated directories to create (accessible over SFTP)
SSH_KEY_DIR/keysWhere user keys are stored inside the container
HOST_KEY_DIR/host_keysWhere SSH host keys are persisted inside the container
PUIDSFTP_UID (1000 by default)Runtime UID to run the container as
PGIDSFTP_GID (1000 by default)Runtime GID to run the container as
SFTP_CHROOTtruetrue enables filesystem jail (ChrootDirectory)

SSH_KEY_DIR and HOST_KEY_DIR should be absolute paths. For backward compatibility, relative values like keys are interpreted as /keys.

UID/GID Customization (Runtime)

To match host filesystem ownership, pass PUID and PGID at container startup:

bash
docker run -d --name simple-sftp-server \
  --user "$(id -u):$(id -g)" \
  --cap-add SYS_CHROOT \
  -p 2222:2022 \
  -e PUID="$(id -u)" \
  -e PGID="$(id -g)" \
  -e SSH_KEY_DIR=/keys \
  -e HOST_KEY_DIR=/host_keys \
  -e SFTP_CHROOT=true \
  -v /home/user/.ssh_keys/simple-sftp:/keys \
  -v /home/user/.ssh_keys/simple-sftp-host:/host_keys \
  -v /home/user/sftp_data:/home/sftpuser/data \
  pacnpal/simple-sftp-server

PUID/PGID must match the container runtime user (user: / --user).

Example — serve multiple directories:

bash
docker run -d --name simple-sftp-server \
  --user "$(id -u):$(id -g)" \
  --cap-add SYS_CHROOT \
  -p 2222:2022 \
  -e PUID="$(id -u)" \
  -e PGID="$(id -g)" \
  -e SSH_KEY_DIR=/keys \
  -e HOST_KEY_DIR=/host_keys \
  -e SFTP_CHROOT=true \
  -e SFTP_PATHS=/data,/uploads,/backups \
  -v /home/user/.ssh_keys/simple-sftp:/keys \
  -v /home/user/.ssh_keys/simple-sftp-host:/host_keys \
  -v /home/user/sftp_data:/home/sftpuser/data \
  -v /home/user/sftp_uploads:/home/sftpuser/uploads \
  -v /home/user/sftp_backups:/home/sftpuser/backups \
  pacnpal/simple-sftp-server

No-Chroot Opt-Out

Use this only when you intentionally accept a wider filesystem access model for authenticated users.

bash
docker run -d --name simple-sftp-server \
  --user "$(id -u):$(id -g)" \
  -p 2222:2022 \
  -e PUID="$(id -u)" \
  -e PGID="$(id -g)" \
  -e SSH_KEY_DIR=/keys \
  -e HOST_KEY_DIR=/host_keys \
  -e SFTP_CHROOT=false \
  -v /home/user/.ssh_keys/simple-sftp:/keys \
  -v /home/user/.ssh_keys/simple-sftp-host:/host_keys \
  -v /home/user/sftp_data:/home/sftpuser/data \
  pacnpal/simple-sftp-server

Compose equivalent:

yaml
services:
  sftp:
    image: pacnpal/simple-sftp-server:latest
    user: "${PUID:-1000}:${PGID:-1000}"
    environment:
      - SFTP_CHROOT=false

No-Chroot Risk Notice

If you run with SFTP_CHROOT=false, this image does not isolate the SFTP user to /home/sftpuser.

  • No-chroot mode does not provide a filesystem boundary for authenticated users.
  • Any user with valid credentials can access files permitted by container Unix permissions.
  • Readable secrets in mounted paths are exposed to authenticated users.
  • Writable key paths allow authenticated users to modify key material and preserve access.
  • If you need confinement, set SFTP_CHROOT=true and add SYS_CHROOT.
  • If this risk model is not acceptable, do not deploy no-chroot mode.
  • This mode is provided without warranty or support.

Building from Source

Only needed if you want to modify the server yourself:

bash
git clone https://github.com/pacnpal/simple-sftp-server.git
cd simple-sftp-server
docker build -t simple-sftp-server .

Then use simple-sftp-server instead of pacnpal/simple-sftp-server in the commands above.


Security

  • SFTP only — no shell access, no SCP
  • Key auth only — password authentication is disabled
  • Rootless by default — run with user: "${PUID}:${PGID}" / --user "${PUID}:${PGID}"
  • Runtime UID/GID via env — PUID/PGID must match container runtime uid/gid
  • Recommended default mode — filesystem jail enabled (SFTP_CHROOT=true)
  • Chroot requirement — add cap_add: [SYS_CHROOT] / --cap-add SYS_CHROOT
  • Risk model — no chroot means authenticated users can traverse readable paths in the container/mounts
  • No-chroot policy — operator-managed risk; provided without warranty or support
  • All forwarding disabled (TCP, agent, X11, tunneling)
  • Generated client keys are host-persisted by design for convenience. Secure your host client-key directory.
  • Host keys are generated at first start, not baked into the image (each container gets unique keys)
  • Invalid/unreadable persisted key state causes startup to fail instead of silently rotating keys

License

MIT — see https://github.com/pacnpal/simple-sftp-server/blob/main/LICENSE.

镜像拉取方式

您可以使用以下命令拉取该镜像。请将 <标签> 替换为具体的标签版本。如需查看所有可用标签版本,请访问 标签列表页面。

轩辕镜像加速拉取命令点我查看更多 simple-sftp-server 镜像标签

docker pull docker.xuanyuan.run/pacnpal/simple-sftp-server:<标签>

使用方法:

  • 登录认证方式
  • 免认证方式

DockerHub 原生拉取命令

docker pull pacnpal/simple-sftp-server:<标签>

轩辕镜像配置手册

按平台快速找到配置文档

一键安装

一键安装 Docker

Linux Docker 一键安装

AI

用 AI 使用轩辕镜像

agents.md · AI 对话 · 提示词

Docker

登录仓库拉取

登录认证 · 私有仓库

专属域名拉取

免登录 · 高速拉取

Linux

Docker 镜像配置

Windows / Mac

Docker Desktop 配置

MacOS OrbStack

OrbStack 容器

Apple Container

macOS 原生容器

Docker Compose

Compose 项目配置

NAS

群晖

Synology 配置

飞牛

fnOS 镜像配置

绿联

绿联 NAS

威联通

QNAP 配置

极空间

极空间 NAS

Unraid

Unraid NAS

企业仓库

其他仓库

ghcr · Quay · nvcr

Harbor 镜像源

Proxy Repository 对接

Portainer 镜像源

Registries 配置

Nexus 镜像源

Docker Proxy 缓存

开发工具

Dev Containers

VS Code 开发容器

Podman

Podman 配置指南

Singularity / Apptainer

HPC 科学计算容器

Kubernetes

K8s Containerd

Kubernetes · Containerd

K3s

轻量级集群

面板 / 网络

爱快路由

iKuai 镜像加速

宝塔面板

一键配置镜像源

需要其他帮助?请查看我们的 常见问题Docker 镜像访问常见问题解答 或 提交工单

镜像拉取常见问题

功能

版本功能对比

功能对比 · 版本选择

支持的镜像仓库

Docker Hub · GCR · GHCR

新手拉取配置

登录 · 专属域名 · 配置

docker search 限制

专属域名 · Hub 搜索

不支持 push

仅支持 pull · 不支持

拉取速度原因

带宽 · 缓存 · 冷热镜像

错误码

402 与流量用尽

402 · 流量包 · 充值

401 认证失败

401 · docker login

manifest unknown

标签错误 · 镜像不存在

410 Gone 排查

410 · Docker 升级

429 限流

免费版 · 专业版 · 企业版 · 请求频率

其他报错

DNS 超时

DNS 解析 · 网络超时

TLS 证书失败

no matching manifest(架构)

账号

失败是否计费

manifest · blob · 计费

申请开发票(企业 / 个人)

企业 · 个人 · 工单

修改登录密码

网站 · 仓库 · 重置

注销账户

工单 · 数据 · 注销

原理

mirrors 不生效

daemon.json · 重启

去掉域名前缀

docker tag · 重命名

指定架构拉取

ARM64 · AMD64 · 多架构

latest 与「最新」

digest · 版本号 · 标签

查看全部问题→

用户好评

来自真实用户的反馈,见证轩辕镜像的优质服务

用户头像

oldzhang

运维工程师

Linux服务器

5

"Docker访问体验非常流畅,大镜像也能快速完成下载。"

轩辕镜像
镜像详情
...
pacnpal/simple-sftp-server
定价查看流量套餐与价格
博客Docker 镜像公告与技术博客
专业版 · 高速稳定拉取镜像
高速镜像下载·在线技术支持·99.95% SLA 保障·付费会员免广告
50GB 仅 ¥7/年
专业版 · 高速稳定拉取镜像
50GB 仅 ¥7/年
高速镜像下载·在线技术支持·99.95% SLA 保障·付费会员免广告
用户协议·隐私政策·增值电信业务经营许可证:浙B2-20261007·©2024-2026 源码跳动©2024-2026 杭州源码跳动科技有限公司·商务合作:点击复制邮箱

更多 simple-sftp-server 镜像推荐

linuxserver/code-server logo

linuxserver/code-server

LinuxServer.io 社区镜像
linuxserver/code-server是VS Code服务器版Docker镜像,可在浏览器中运行完整VS Code开发环境,无需本地安装即可跨设备访问。支持全部VS Code扩展、代码同步与终端功能,适配远程开发、团队协作或低配置设备场景。镜像经linuxserver优化,兼容ARM/AMD架构,内置持久化存储与安全配置,开箱即用,轻松打造云端IDE,提升开发灵活性与效率。
739 次收藏5000万+ 次下载
4 天前更新
linuxserver/openssh-server logo

linuxserver/openssh-server

LinuxServer.io 社区镜像
提供OpenSSH服务器服务,支持远程登录与服务器管理,具备易于部署、配置灵活的特点,适用于各类需要安全远程访问的场景。
146 次收藏1000万+ 次下载
9 天前更新
mailserver/docker-mailserver logo

mailserver/docker-mailserver

mailserver
一个全栈且简单易用的邮件服务器,支持SMTP、IMAP协议,集成LDAP、反垃圾邮件及反病毒等功能。
265 次收藏1000万+ 次下载
4 天前更新
airbyte/source-sftp-bulk logo

airbyte/source-sftp-bulk

airbyte
暂无描述
10万+ 次下载
3 个月前更新
airbyte/source-sftp logo

airbyte/source-sftp

airbyte
暂无描述
5万+ 次下载
12 个月前更新
linuxserver/sonarr logo

linuxserver/sonarr

LinuxServer.io 社区镜像
由LinuxServer.io提供的Sonarr容器,是一款专为电视节目集管理设计的自动化工具,能够监控指定剧集的更新信息、自动从索引器获取下载链接并通过下载客户端(如Deluge、qBittorrent等)完成资源下载,同时支持按自定义规则整理文件结构、重命名剧集文件以保持媒体库整洁有序;LinuxServer.io作为专注于提供高质量容器化应用的团队,其构建的Sonarr容器基于轻量级Linux系统,优化了资源占用与运行稳定性,适合家庭媒体服务器或个人影视库的自动化管理场景使用。
2.1千 次收藏10亿+ 次下载
3 天前更新

查看更多 simple-sftp-server 相关镜像