No sftp in new server

Smedby · March 17, 2023, 9:06am

SYSTEM INFORMATION
OS type and version	Debian 11
Webmin version	2.013
Virtualmin version	7.5
Related packages	SUGGESTED

I have moved some domains to a new Debian 11.
After that sftp doesn’t work anymore.
FileZilla displays:

Status: Connecting to new-server.com:2222…
Status: Using username “domain.com”.
Status: Access denied
Error: Could not connect to server
Status: Waiting to retry…
Status: Connecting to new-server.com:2222…
Response: fzSftp started, protocol_version=11
Command: open “domain.com@new-server.com” 2222
Command: Trust new Hostkey: Once
Status: Using username “domain.com”.
Command: Pass: ********
Status: Access denied
Error: Could not connect to server

In the old server it shows:

Status: Connecting to old-server:2248…
Status: Using username “domain.com”.
Status: Connected to old-server.com
Status: Retrieving directory listing of “/public_html”…
Status: Listing directory /public_html
Status: Directory listing of “/public_html” successful

It applies to the same domain with the same password.
Thanks for any help.

stefan1959 · March 17, 2023, 9:13am

Is it enable in Features and Plugins?

Smedby · March 17, 2023, 10:02am

Yes it is. But now I tried with a different domain. It could connect ok.

So I suspect it could be related to Quota.
I changed it to Unlimited for the domain with problems. No use. Same problem.

The drive is big enough. Is there an over all limit for the server?
Where can I find it?

stefan1959 · March 17, 2023, 9:05pm

Did you check the ftp logs to see if there is a error there that can help?
Maybe backup that domain and then delete it. Create new server for that domain and see if ftp works.
I’m thinking it maybe folder permissions. Unless you see the logs in VM its hard to say.

cyberndt · March 17, 2023, 9:13pm

Are the passive ports open in the firewall?

PassivePorts 49152 65535

Joe · March 18, 2023, 1:50am

There is nothing to enable in Features and Plugins related to this. FTP and SFTP are always enabled for all users, unless you stop/disable ProFTPd.

The only FTP feature in Features and Plugins is IP-based Virtual FTP which should not be enabled by 99.99% of people.

Joe · March 18, 2023, 1:51am

I don’t see how it could be related to quota.

I would guess it’s wrong username or password, if another user works.

But, you could also check what shell each user has. ← Edit: It turned out to be this. User had a shell that is not allowed.

stefan1959 · March 18, 2023, 1:54am

Thanks, just notice its not on any domain.

Smedby · March 18, 2023, 6:18am

Sorry. I,ve posted that before.
Could it be related to “Trust new Hostkey: Once”

jimr1 · March 18, 2023, 7:36am

I have this situation as well … I don’t use filezilla, instead I use the command line so if I use

ssh <username>@<domain> -P <port>

no need to add -P option if your using port 22, the user logs in correctly, so we know the password is right and ssh is working
I then tried

sftp -P<port> <username@<domain>

and it fails this does not affect all users, some created since vmin 7 work others do not … so I guess there must be something in the way the domain is setup but to date I have looked in the ftp server setup & can find nothing away from standard …

Joe · March 18, 2023, 5:49pm

This points at shell being not accepted by ProFTPd as one that is allowed to use FTP.

I don’t think anyone has compared shells between working users and non-working users…I believe that’s the next step.

We also probably need to see the actual log, not what the client sees. (ProFTPd logs to auth.log or secure, probably, but maybe also something in the journal.)

jimr1 · March 18, 2023, 6:25pm

log for bad user

Mar 18 18:16:36 server systemd: pam_unix(systemd-user:session): session closed for user phporyx.com
Mar 18 18:16:50 server sshd[3806327]: Accepted keyboard-interactive/pam for joe-phporyx.co.uk from 31.48.132.51 port 53306 ssh2
Mar 18 18:16:50 server sshd[3806327]: pam_unix(sshd:session): session opened for user joe-phporyx.co.uk by (uid=0)
Mar 18 18:16:50 server systemd-logind[663]: New session 76209 of user joe@phporyx.co.uk.
Mar 18 18:16:50 server systemd: pam_unix(systemd-user:session): session opened for user joe@phporyx.co.uk by (uid=0)
Mar 18 18:16:51 server sshd[3806390]: Received disconnect from 31.48.132.51 port 53306:11: disconnected by user
Mar 18 18:16:51 server sshd[3806390]: Disconnected from user joe-phporyx.co.uk 31.48.132.51 port 53306
Mar 18 18:16:51 server sshd[3806327]: pam_unix(sshd:session): session closed for user joe-phporyx.co.uk
Mar 18 18:16:51 server systemd-logind[663]: Session 76209 logged out. Waiting for processes to exit.
Mar 18 18:16:51 server systemd-logind[663]: Removed session 76209.

for a good user

Mar 18 18:19:07 server sshd[3806955]: Authentication refused: bad ownership or modes for directory /home/jamie
Mar 18 18:19:13 server sshd[3806955]: Accepted keyboard-interactive/pam for jamie from 31.48.132.51 port 48826 ssh2
Mar 18 18:19:13 server sshd[3806955]: pam_unix(sshd:session): session opened for user jamie by (uid=0)
Mar 18 18:19:13 server systemd-logind[663]: New session 76218 of user jamie.
Mar 18 18:19:13 server systemd: pam_unix(systemd-user:session): session opened for user jamie by (uid=0)
Mar 18 18:19:17 server sshd[3807012]: Received disconnect from 31.48.132.51 port 48826:11: disconnected by user
Mar 18 18:19:17 server sshd[3807012]: Disconnected from user jamie 31.48.132.51 port 48826
Mar 18 18:19:17 server sshd[3806955]: pam_unix(sshd:session): session closed for user jamie
Mar 18 18:19:17 server systemd-logind[663]: Session 76218 logged out. Waiting for processes to exit.
Mar 18 18:19:17 server systemd-logind[663]: Removed session 76218

as you can see the good user is a very old style name, where the bad user is user@domain. but I doubt there is anything in that
N.B both logins were done via the same shell

Joe · March 18, 2023, 6:55pm

I don’t know if ProFTPd supports user@domain.tld usernames. I never use ProFTPd.

Looks like the user-domain.tld variant worked, right? So…that kinda lends credence to that theory. But, I’m not super confident about it.

I’ll also repeat that y’all should see what shell a user that works has vs. what shell a user that doesn’t work has.

jimr1 · March 18, 2023, 7:01pm

not quite I tried to log in with the following

sftp -P2222 joe-phporyx.co.uk@phporyx.co.uk

for some reason it appears to opening a session for

joe@phporyx.co.uk

then it throws it’s dollies out of the pram

Smedby · March 18, 2023, 8:41pm

In our case I think I’ve found the problem.
The bad domain had shell /usr/lib/sftp-server
I don’t know why.

One more thing: I would like to use a different port, but it seems to be locked to 2222.

Is it possible?

Joe · March 18, 2023, 8:58pm

What do you mean by “locked”? It’s a configuration option in ProFTPd, you can change it to whatever you want. We don’t “lock” anything. It’s your system, do whatever you want.

You just can’t use 22 because ssh lives there. (Which also supports sftp, but won’t respect the config option to lock users into their home, unless you’re also chrooting your users.)

Smedby · March 18, 2023, 9:39pm

I tried 2144 but then it won’t work.
/etc/proftpd/conf.d/virtualmin.conf

And also opened the corresponding port 2144

Joe · March 18, 2023, 10:18pm

If you’ve restarted the proftpd service, and also made sure firewalld is allowing that port, then it should work.

If not, check the logs for clues about why. If the problem persists, feel free to open a new topic about changing the ProFTPd sftp port. (New problem, new topic!)

Smedby · March 19, 2023, 5:54am

Thanks @Joe

All ok now.

system · March 27, 2023, 5:54am

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.