Disabled OpenSSH sftp-server but FileZilla still can access remote file system

I have disabled sftp-server on my Ubuntu computer, as below.
Edit /etc/ssh/sshd_config and comment out this line:

#Subsystem sftp /usr/lib/openssh/sftp-server

On another computer, I ran the sftp command to connect to the server. It failed to connect.

sftp user@192.168.1.2
subsystem request failed on channel 0
Connection closed

I also used FileZilla to connect to that computer. FileZilla still lists the contents of folders, downloads files, ...
FileZilla shows the URL: sftp://user@192.168.1.2

Which method did FileZilla use to connect to the SSH server to transfer files?

shang12

Posted 2019-01-10T04:21:17.913

Reputation: 23

Answers

FileZilla internally uses PuTTY PSFTP. PSFTP has a fallback mechanism to start an SFTP server when starting it via the sftp subsystem fails.

It looks for the sftp-server binary in common paths like /usr/lib/sftp-server and /usr/local/lib/sftp-server and in PATH. I assume that this is how PSFTP/FileZilla (and other clients like my WinSCP - see its SFTP requirements page for details) will be able to make an SFTP connection even if you disable the sftp subsystem.

With OpenSSH sftp you can achieve the same by using the -s switch:

-s subsystem | sftp_server

Specifies the SSH2 subsystem or the path for an sftp server on the remote host. A path is useful when the remote sshd does not have an sftp subsystem configured.

Example:

sftp -s /usr/lib/sftp-server user@192.168.1.2

To disallow SFTP completely, you need to get rid of the sftp-server binary altogether.


Though it actually makes little sense. If you allow shell access (which you do, otherwise the fallback mechanism wouldn't work), then it makes no sense to disable SFTP, as one can do way more (damage) using the shell access anyway.


I believe the fallback mechanism is there basically as a way to support SSH-1 servers, which didn't have the subsystem mechanism. But it kicks in even in a situation like yours.

Martin Prikryl

Posted 2019-01-10T04:21:17.913

Reputation: 13 764
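
A server-side check for the situation described in the answer above, as an added example (not part of the original post, and not code from OpenSSH, PuTTY or FileZilla): it reports whether SFTP is offered as a subsystem, is still reachable through the exec fallback because an sftp-server binary exists, or is unavailable. The function names and the optional ROOT prefix argument are assumptions made for this example; the candidate paths are the ones named on this page.

```shell
#!/bin/sh
# Added example: audit whether SFTP stays reachable after the "Subsystem sftp"
# line is commented out. Function names and ROOT are assumptions of the example.

# The two paths the answer names plus the one from the question's sshd_config.
SFTP_CANDIDATES="/usr/lib/sftp-server /usr/local/lib/sftp-server /usr/lib/openssh/sftp-server"

# Return 0 if CONFIG has an active (uncommented) "Subsystem sftp" line.
# sshd_config keywords are case-insensitive; Include files are not followed.
subsystem_enabled() {
    grep -Eiq '^[[:space:]]*subsystem[[:space:]]+sftp([[:space:]]|$)' "$1"
}

# Print every candidate path that exists under ROOT as an executable file.
fallback_binaries() {
    root="${1:-}"
    for p in $SFTP_CANDIDATES; do
        [ -x "$root$p" ] && [ ! -d "$root$p" ] && echo "$p"
    done
    # The answer says PATH is searched too; only checked on the live host.
    if [ -z "$root" ]; then
        command -v sftp-server || true
    fi
    return 0
}

# Print one verdict: "subsystem", "exec-fallback" or "unavailable".
sftp_exposure() {
    config="$1"
    root="${2:-}"
    if subsystem_enabled "$config"; then
        echo "subsystem"
    elif [ -n "$(fallback_binaries "$root")" ]; then
        echo "exec-fallback"
    else
        echo "unavailable"
    fi
}
```

On the server, `sftp_exposure /etc/ssh/sshd_config` gives the verdict for the live system; a result of `exec-fallback` matches the behaviour seen in the question, where the subsystem request fails but FileZilla still connects.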