6. Frequently Asked Questions
Topics
- Frequently Asked Questions
- What can I do if I have a problem?
- Some features do not seem to work correctly
- I can't open symbolic link folders
- Connection refused when connecting
- Why do I get random errors on download or file access?
- Why do uploaded files have 0 size on the server?
- Clients do not see all folders or files on the server, why?
- Only allow MySecureShell users for SFTP connections
- How can I enforce security like blocking brute-force attacks?
- How could I limit the number of simultaneous unauthenticated connections?
- How can I make a passwordless connection?
- Can I use another authentication system?
6.1. What can I do if I have a problem?
- First, make sure it is not a misconfiguration problem.
- Check the FAQ to be sure the problem is not already listed.
- If the problem still persists, look at the list of issues to see whether it has not already been corrected.
- If not, create an issue on GitHub.
On issues, we'll do our best to reply as soon as possible.
6.2. Some features do not seem to work correctly
For security reasons, and to obtain official packaging approval in several Linux distributions, the setuid bit on the /usr/bin/mysecureshell binary is dropped by default.
Check that the setuid bit is set with the sftp-verif tool, or set the rights directly:
> chmod 4755 /usr/bin/mysecureshell
6.3. I can't open symbolic link folders
There are several reasons why it may not work. Check these points:
- If VirtualChroot is enabled and the symbolic link points outside the chroot, it is not accessible; this is expected behaviour.
- If StayAtHome is enabled, the same restriction applies.
If the problem still persists, you can use the --bind option of the mount command. For example, to access an external folder (here /mnt/external) from the Home directory (here /var/sftp):
> mkdir /var/sftp/external
> mount --bind /mnt/external /var/sftp/external
You will then be able to access the external folder inside the Home folder.
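Added example, not part of the MySecureShell documentation: it shows why a symlink whose target leaves Home cannot be followed once VirtualChroot confines the client, and gives the /etc/fstab form of the --bind workaround so it survives a reboot. Everything is built under a temporary directory so it runs unprivileged; the path /var/sftp stands in for an assumed Home value.

```shell
#!/bin/sh
# Added example: the check a chroot effectively applies to a symlink, plus
# the fstab equivalent of `mount --bind`. Not project code.

# reachable_in_chroot HOME PATH
# Exit 0 when PATH, with every symlink resolved, still lies inside HOME.
# The link itself sits inside Home, but its resolved target does not, which
# is why the client is refused access under VirtualChroot/StayAtHome.
reachable_in_chroot() {
    home=$(readlink -f "$1") || return 2
    target=$(readlink -f "$2") || return 2
    case "$target" in
        "$home" | "$home"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# fstab_bind_line SOURCE MOUNTPOINT
# The /etc/fstab entry equivalent to `mount --bind SOURCE MOUNTPOINT`, so the
# bind mount is recreated at boot instead of by hand.
fstab_bind_line() {
    printf '%s %s none bind 0 0\n' "$1" "$2"
}

# make_demo_tree -> prints a temporary directory holding:
#   sftp/            plays the role of Home
#   sftp/docs/       regular folder inside Home
#   sftp/external    symlink whose target (../external) leaves Home
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sftp/docs" "$d/external"
    ln -s "$d/external" "$d/sftp/external"
    printf '%s\n' "$d"
}

# Stand-alone demo on the constructed tree
root=$(make_demo_tree)
for p in docs external; do
    if reachable_in_chroot "$root/sftp" "$root/sftp/$p"; then
        echo "$p: inside Home, reachable"
    else
        echo "$p: resolves outside Home, unreachable under VirtualChroot"
    fi
done
echo "fstab entry for the bind-mount workaround:"
fstab_bind_line /mnt/external /var/sftp/external
rm -rf "$root"
```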
6.4. Connection refused when connecting
When you get a "connection refused" message while trying to log in, it is generally a firewall problem.
Check that you are not behind a firewall and that your SSH port (22 by default) is open:
> nc -v your_sftp_server 22
Connection to localhost 22 port [tcp/ssh] succeeded!
If it is still not OK, check that your SSH service is properly running:
> service ssh status
6.5. Why do I get random errors on download or file access?
This is generally due to the SFTP client's cache. Some clients such as FileZilla have a cache enabled by default, which can show wrong information (connected even if you are not, files that no longer exist on the server, etc.).
The solution is to disable the cache on the client side.
6.6. Why do uploaded files have 0 size on the server?
When this problem occurs, it is usually because the disk is full on the server side.
6.7. Clients do not see all folders or files on the server, why?
Check whether the HideNoAccess child tag is enabled. This tag hides folders and files from users who have no access to them.
If you want your users to be able to see (but not access) files or folders they have no rights on, consider disabling the HideNoAccess value.
6.8. Only allow MySecureShell users for SFTP connections
If you only want to allow MySecureShell users to use SFTP connections on your server, you need to change/adapt this line (OpenSSH version > 4.5) in /etc/ssh/sshd_config:
Subsystem sftp /usr/bin/mysecureshell -c sftp-server
Warning
Changing this parameter will block users who do not have MySecureShell as their shell!
6.9. How can I enforce security like blocking brute-force attacks?
You can use a solution called Fail2ban, which watches the authentication logs in real time. If it detects a certain number of failed logins within a given time, it blocks the IP address using iptables rules.
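The rule Fail2ban's sshd jail applies, reduced to a single awk pass over constructed auth log lines. This is an added example, neither MySecureShell nor Fail2ban code; the MAXRETRY and FINDTIME parameters mirror the jail options maxretry and findtime, and the log lines and addresses are made up.

```shell
#!/bin/sh
# Added example: what Fail2ban does with sshd failures, in one awk pass.
# An address is reported once it produced MAXRETRY failed logins inside any
# FINDTIME-second window; banning (bantime, iptables) is left to Fail2ban.

# Constructed sshd log excerpt (documentation addresses, not a real capture).
sample_auth_log() {
    cat <<'EOF'
Mar  1 10:00:01 sftp sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  1 10:00:03 sftp sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  1 10:00:05 sftp sshd[2103]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  1 10:00:06 sftp sshd[2104]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Mar  1 10:00:09 sftp sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Mar  1 10:00:12 sftp sshd[2106]: Failed password for invalid user oracle from 203.0.113.5 port 40005 ssh2
Mar  1 10:30:00 sftp sshd[2200]: Failed password for bob from 198.51.100.7 port 50001 ssh2
Mar  1 11:30:00 sftp sshd[2300]: Failed password for bob from 198.51.100.7 port 50002 ssh2
EOF
}

# brute_force_sources MAXRETRY FINDTIME   (log lines on stdin)
# Prints each offending IP once, at the failure that crosses the threshold.
# Timestamps are reduced to seconds since midnight, so a window that crosses
# midnight is not handled here; Fail2ban parses full dates.
brute_force_sources() {
    awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
        split($3, t, ":"); ts = t[1] * 3600 + t[2] * 60 + t[3]
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        n[ip]++; when[ip, n[ip]] = ts
        # failures number n-maxretry+1 .. n are exactly maxretry failures;
        # report the address when that span fits inside findtime
        if (n[ip] >= maxretry && !banned[ip] &&
            ts - when[ip, n[ip] - maxretry + 1] <= findtime) {
            banned[ip] = 1
            print ip
        }
    }'
}

# Stand-alone demo with thresholds typical of a jail.local
# (maxretry = 5, findtime = 600 seconds)
echo "addresses to ban:"
sample_auth_log | brute_force_sources 5 600
```

With the thresholds above only 203.0.113.5 is reported; 198.51.100.7 fails twice an hour apart and stays below any sensible window.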
6.10. How could I limit the number of simultaneous unauthenticated connections?
You can limit the number of simultaneous unauthenticated connections by changing the MaxStartups value in the /etc/ssh/sshd_config file:
MaxStartups 5
In this example, no more than 5 unauthenticated connections are allowed at the same time.
6.11. How can I make a passwordless connection?
To get a secure connection without entering credentials, you can use SSH key authentication. One advantage of this solution is the stronger security. To make it work, be sure that your server allows it in its configuration file /etc/ssh/sshd_config:
PubkeyAuthentication yes
If you only want to allow this user to log in with an SSH key, you can disable the account's password:
> passwd -d useraccount
Note
Note that this will also disable the local password login for the account.
6.12. Can I use another authentication system?
Of course, you can use another authentication system such as:
- OpenLDAP
- Kerberos
- …
You have to configure PAM (Pluggable Authentication Modules) to authenticate through another backend. You can check that your backend connection is working fine like this:
$ getent passwd username
username:x:1000:1000:username,,,:/home/username:/usr/bin/zsh
Here we can see a user called username, with id 1000. You now have to change this user's shell to make it work properly.
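Post-configuration checks for sections 6.8 to 6.12, as an added example that is not part of the MySecureShell project: the functions take a passwd(5) line (the output of getent passwd) and an sshd_config file, so they run here on a constructed config and constructed accounts; on a live server you would feed them the real getent output and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example: verify that an account really ends up on MySecureShell and
# that sshd_config carries the FAQ's Subsystem, PubkeyAuthentication and
# MaxStartups settings. Not project code; sample input is constructed.

# passwd_shell LINE -> the login shell (7th field) of a passwd(5) line.
passwd_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# uses_mysecureshell LINE -> exit 0 when that shell is MySecureShell.
uses_mysecureshell() {
    [ "$(passwd_shell "$1")" = "/usr/bin/mysecureshell" ]
}

# sshd_directive FILE NAME -> value of the first active NAME line.
# Keywords are case-insensitive; comment and blank lines are skipped.
# Match blocks are not interpreted; `sshd -T` shows the effective config.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Constructed sshd_config excerpt reflecting the FAQ; prints its path.
write_sample_sshd_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real server's file
Port 22
PubkeyAuthentication yes
MaxStartups 5
#Subsystem sftp internal-sftp
Subsystem sftp /usr/bin/mysecureshell -c sftp-server
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo on constructed input
cfg=$(write_sample_sshd_config)
echo "sftp subsystem: $(sshd_directive "$cfg" Subsystem)"
echo "pubkey auth   : $(sshd_directive "$cfg" PubkeyAuthentication)"
for line in 'alice:x:1001:1001::/home/alice:/usr/bin/mysecureshell' \
            'username:x:1000:1000:username,,,:/home/username:/usr/bin/zsh'; do
    if uses_mysecureshell "$line"; then echo "ok   ${line%%:*}"
    else echo "fix  ${line%%:*} (shell is $(passwd_shell "$line"))"; fi
done
rm -f "$cfg"
```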