LinuxQuestions.org
Old 09-11-2020, 06:51 PM   #1
BryceB
LQ Newbie
 
Registered: Sep 2020
Posts: 3

Rep: Reputation: Disabled
Cannot connect via sftp - always get "Broken Pipe"


I am using Linux Mint 20, and I followed this tutorial on setting up sftp: https://linuxconfig.org/how-to-setup...al-fossa-linux

The last step is to check to make sure everything works by connecting via the terminal. So I attempt to do so:

Code:
~$ sftp sftpuser@127.0.0.1
It prompts me for the password, and I type it in. I'm immediately given this as output:

Code:
client_loop: send disconnect: Broken pipe
Connection closed
I have also tried to connect via other ftp clients, and all get the same result.

Any thoughts as to what I might have configured wrong?
 
Old 09-11-2020, 07:13 PM   #2
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: Rocky 9.6
Posts: 5,906

Rep: Reputation: 2306
My guess is that sshd is not configured to listen on 127.0.0.1. There's certainly nothing in that tutorial about the ListenAddress in sshd_config. Another possibility is that sshd is not running.

What does
Code:
netstat -tnlp
return?

Interesting that that tutorial says you need to have set up vsftpd first. That's certainly not true. You don't need an ftp server to use sftp.

[Oops. Pasted wrong command...fixed now]
 
Old 09-11-2020, 10:18 PM   #3
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
Add the -v option for more verbose error messages. With ssh, you can add it several times, e.g. -vvv for even more detail; I guess sftp allows this as well.

EDIT: This is a strange tutorial. Why do you need vsftpd? You can set up an ftp service with sshd alone. Adding unnecessary services to your computer creates opportunities for breaking in.

Last edited by berndbausch; 09-11-2020 at 10:24 PM.
 
Old 09-14-2020, 11:42 AM   #4
BryceB
LQ Newbie
 
Registered: Sep 2020
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by scasey
My guess is that sshd is not configured to listen on 127.0.0.1. There's certainly nothing in that tutorial about the ListenAddress in sshd_config. Another possibility is that sshd is not running.

What does
Code:
netstat -tnlp
return?

Interesting that that tutorial says you need to have set up vsftpd first. That's certainly not true. You don't need an ftp server to use sftp.

[Oops. Pasted wrong command...fixed now]
Here's what I get back. And to be honest I did not set up vsftp first as the tutorial mentions in the first step, since I thought the same thing.

Code:
 netstat -tnlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:2019          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 ::1:3350                :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 ::1:631                 :::*                    LISTEN      -                   
tcp6       0      0 :::443                  :::*                    LISTEN      -                   
tcp6       0      0 :::3389                 :::*                    LISTEN      -                   
tcp6       0      0 :::2016                 :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -
So it looked like you were right, it wasn't listening on 127.0.0.1, so I added:

Code:
ListenAddress 127.0.0.1
And then restarted sshd with:

Code:
sudo systemctl restart sshd
Now when I run the netstat command, I get:

Code:
netstat -tnlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:2019          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 ::1:3350                :::*                    LISTEN      -                   
tcp6       0      0 ::1:631                 :::*                    LISTEN      -                   
tcp6       0      0 :::443                  :::*                    LISTEN      -                   
tcp6       0      0 :::3389                 :::*                    LISTEN      -                   
tcp6       0      0 :::2016                 :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -
However, I am still instantly getting the same message when I try to connect:

Code:
client_loop: send disconnect: Broken pipe
Connection closed
 
Old 09-14-2020, 05:59 PM   #5
michaelk
Moderator
 
Registered: Aug 2002
Posts: 26,925

Rep: Reputation: 6376
Code:
Typical sshd_config

#ListenAddress 0.0.0.0
#ListenAddress ::
Code:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -   
tcp6       0      0 :::22                   :::*                    LISTEN      -
FYI, the sshd_config default setting is to listen to all addresses i.e. 0.0.0.0 is all IPV4 and :: is all IPV6. The output of the netstat confirms ssh is working as expected. By configuring to listen to localhost only you will not be able to access the computer from any other computer. However, that is not your problem.

I agree with everyone else the tutorial is a bit confusing. The tutorial is configuring a user with what is known as a jailed environment. Once logged in the sftp user cannot change to a directory outside of their home (/home/username) as stated at the end of step 3. If you want to deny login via ssh that requires some additional settings.

There are many tutorials on sftp chroot jail and unfortunately not all the same. I think it is a permission issue since the user does not have access to /home itself. %h will jail the user in their /home/username directory which I think is what you want. Make sure you restart ssh.
Code:
Match Group sftponly
   ChrootDirectory %h 
   ForceCommand internal-sftp
   AllowTcpForwarding no
   X11Forwarding no
Maybe this one is better.
https://www.techrepublic.com/article...a-chroot-jail/
 
Old 09-15-2020, 01:07 PM   #6
BryceB
LQ Newbie
 
Registered: Sep 2020
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk
...
There are many tutorials on sftp chroot jail and unfortunately not all the same. I think it is a permission issue since the user does not have access to /home itself. %h will jail the user in their /home/username directory which I think is what you want. Make sure you restart ssh.
...
Maybe this one is better.
https://www.techrepublic.com/article...a-chroot-jail/
It was indeed a permissions issue. I went through that tutorial you linked and triple checked ownership and permissions on everything, now I can connect and move files as I hoped I could. Thanks!
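
Added example, not part of any post in this thread: sshd accepts a ChrootDirectory only when every component of the path is a root-owned directory that is not writable by group or others, so with `ChrootDirectory %h` the home directory itself has to pass that test. The script below audits a path against that rule; the function names and the sample path in the usage comment are assumptions, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: audit a ChrootDirectory path the way sshd judges it.

# component_ok UID MODE -> 0 when a path component is acceptable:
# owned by root (uid 0) and not writable by group or others.
component_ok() {
    c_uid=$1
    c_mode=$2
    [ "$c_uid" -eq 0 ] || return 1
    # MODE is octal from stat(1); 022 = group-write | other-write bits.
    [ $(( 0$c_mode & 022 )) -eq 0 ]
}

# check_chroot_path DIR -> prints a verdict for DIR and each parent up to /,
# returns 0 only if every component passes.
check_chroot_path() {
    dir=$1
    case $dir in
        /*) ;;
        *) echo "ERROR $dir is not an absolute path"; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "ERROR $dir is not a directory"; return 2; }
    rc=0
    while :; do
        # GNU stat: %u = numeric owner, %a = octal permission bits
        set -- $(stat -c '%u %a' "$dir")
        if component_ok "$1" "$2"; then
            echo "ok   $dir (uid=$1 mode=$2)"
        else
            echo "BAD  $dir (uid=$1 mode=$2)"
            rc=1
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage (path is a constructed sample): sh check_chroot.sh /home/sftpuser
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Any line marked BAD names a component to fix with `chown root` or `chmod go-w`; files the sftp user needs to write then go in a subdirectory that user owns inside the jail.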
 
  


All times are GMT -5. The time now is 02:56 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration