5

I am trying to configure SFTP on CentOS 7. On my first server it works perfectly, but on my second server, when I try to connect with:

sftp USERNAME@serveripaddress

I get this error:

Could not read packet: Connection reset by peer

I use this method:

adduser USERNAME
passwd USERNAME
groupadd sftp_only
usermod -aG sftp_only USERNAME

Configure the SSH chroot:

vi /etc/ssh/sshd_config

Comment out this line:

#Subsystem Sftp /usr/libexec/openssh/sftp-server

Add this line after it:

Subsystem sftp internal-sftp

Add at the end of the file:

Match Group sftp_only
    ChrootDirectory /var/www
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no

Restart SSH:

service sshd restart

I have the same iptables rules on my two servers, and I also tried with iptables disabled.

Maybe I need to install an FTP server like VSFTPD?

Thank you for helping me, because I have been completely blocked for several hours.

masegaloeh
Olaf

6 Answers

11

cat /var/log/auth.log

May 10 17:08:32 machine sshd[31902]: fatal: bad ownership or modes for chroot directory component "/var/www/html/nextcloud/"

That was my problem.

After that, we can follow this one: bad ownership or modes for chroot directory component

BTW, I ended up using the bind solution from Need help - limit access to sftp user to other users home->subfolder

Sérgio
3

You could use proftpd which offers a SFTP frontend. This way you can unite SFTP, FTP and FTP/S in one daemon. However you cannot use port 22 for SFTP or you'll have to give up on SSH on that port since proftpd and sshd cannot bind the same ports for SFTP.

fen
  • 1
    To hunt down your error, start the ssh daemon with debug options and see what it outputs (put LogLevel DEBUG into sshd_config, restart sshd and watch /var/log/secure while connecting with your client) – fen Mar 02 '15 at 17:06
  • Thank you for your help. I have tried to connect with SFTP in debug mode, I have checked the logs in /var/log/secure, and finally it's a simple chown problem. – Olaf Mar 02 '15 at 18:12
  • 2
    Um wrong! You can absolutely use SFTP over SSH port 22. It actually works over a SSH tunnel and makes a subsystem call for SFTP. –  Apr 13 '15 at 20:31
  • Does this really work in conjunction with proftpd? – fen Apr 14 '15 at 22:59
1

Change PasswordAuthentication no to PasswordAuthentication yes in the /etc/ssh/sshd_config file and restart with the service sshd restart command.

Michael Hampton
0

Just to add to the diverse root causes of the error:

Couldn't read packet: Connection reset by peer

The IP address I was using the sftp command from was banned by fail2ban on the server, due to 3 failed login attempts earlier. I've unbanned the IP, re-configured to allow more failed attempts and now everything works again.
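The two "banned client" answers above both come down to a failed-login counter on the server side. As an added example (not code from this thread or from fail2ban itself), the script below tallies sshd "Failed password" lines per source address the way an sshd jail would, so an administrator can see which client would reach a given maxretry before touching the ban list. The log lines are constructed for the example; on CentOS the real input is /var/log/secure.

```shell
#!/bin/sh
# Added example, not from the original answers: count failed sshd logins per
# source address and report which addresses reach a fail2ban-style maxretry.
# The log lines below are constructed; feed real /var/log/secure (CentOS) or
# /var/log/auth.log (Debian) on stdin in practice.

SAMPLE_LOG='Mar  2 17:01:10 sftp01 sshd[2101]: Failed password for olaf from 203.0.113.7 port 51000 ssh2
Mar  2 17:01:14 sftp01 sshd[2101]: Failed password for olaf from 203.0.113.7 port 51000 ssh2
Mar  2 17:01:19 sftp01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  2 17:02:03 sftp01 sshd[2110]: Accepted password for olaf from 198.51.100.20 port 40022 ssh2
Mar  2 17:02:40 sftp01 sshd[2115]: Failed password for olaf from 198.51.100.20 port 40030 ssh2
Mar  2 17:03:01 sftp01 sshd[2118]: Connection closed by 203.0.113.7 port 51004 [preauth]'

# failed_by_ip < logfile
# Prints "count ip" per source address that produced a "Failed password"
# line from sshd, most failures first. Accepted logins and other sshd
# messages are ignored.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# would_be_banned MAXRETRY < logfile
# Prints the addresses whose failure count reaches MAXRETRY, i.e. the ones a
# jail with that threshold would have banned (and whose clients then see
# "Connection reset by peer").
would_be_banned() {
    failed_by_ip | awk -v max="$1" '$1 >= max { print $2 }'
}

# Stand-alone run over the constructed sample, with the maxretry of 3 that
# the answer above mentions.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | would_be_banned 3
```

With the sample input only 203.0.113.7 reaches three failures; 198.51.100.20 has one failed and one accepted login and stays below the threshold, which is the distinction to confirm before unbanning an address or raising maxretry.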

0

I got the same message from a client (Linux) who was trying to connect to our SFTP server (Windows/ad hoc software). The client IP was in our SFTP server's blacklist (for some reason the client had reached the maximum failures allowed). We removed the IP from the blacklist and we were happy.

Mbrd
0

Make sure that the home folder is owned by root and the default folder is owned by the SFTP user. For example, when you want to make incoming the home directory for user 'guestuser', you should create the folder /guestuser/incoming. The guestuser folder should be owned by root and incoming should be owned by guestuser.