6. Frequently Asked Questions

6.1. What can I do if I have a problem?

  1. Be sure it is not a misconfiguration problem first.
  2. Check the FAQ to be sure the problem is not already listed.
  3. If the problem still persists, look at the list of issues to see whether it has already been corrected.
  4. If not, create an issue on GitHub.

We will do our best to reply to issues as soon as possible.

6.2. Some features do not seem to work correctly

For security reasons, and to obtain official packaging approval in several Linux distributions, the setuid bit on the /usr/bin/mysecureshell binary is dropped by default.

Check that the setuid bit is set with the sftp-verif tool, or set the permissions directly:

> chmod 4755 /usr/bin/mysecureshell
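The following is an added example, not code from the MySecureShell project or from sftp-verif: a small POSIX sh check that reports the two conditions the binary needs for privileged operation (setuid bit set and owned by root) separately, so the output tells you which fix to apply. The default path /usr/bin/mysecureshell is the one used above.

```sh
# Added example (not part of MySecureShell): verify the setuid state of the
# mysecureshell binary without the sftp-verif tool. POSIX sh only.

# has_setuid_bit FILE -> returns 0 when the setuid bit is set on FILE
has_setuid_bit() {
    [ -u "$1" ]
}

# owned_by_root FILE -> returns 0 when the owner uid is 0.
# "ls -n" prints numeric ids, so no name lookup is needed.
owned_by_root() {
    [ "$(ls -ldn "$1" | awk '{ print $3 }')" = "0" ]
}

# check_mysecureshell_binary [PATH] -> 0 only when both conditions hold.
# Prints one line per condition with the fix to apply when it fails.
check_mysecureshell_binary() {
    bin="${1:-/usr/bin/mysecureshell}"   # default path from the FAQ
    [ -f "$bin" ] || { echo "missing: $bin"; return 1; }
    rc=0
    has_setuid_bit "$bin" && echo "ok   setuid bit set on $bin" \
        || { echo "FAIL setuid bit missing on $bin (fix: chmod 4755 $bin)"; rc=1; }
    owned_by_root "$bin" && echo "ok   $bin is owned by root" \
        || { echo "FAIL $bin is not owned by root (fix: chown root $bin)"; rc=1; }
    return $rc
}

# Usage on a real host:  check_mysecureshell_binary
```

Both conditions matter: a setuid bit on a binary not owned by root grants nothing useful to MySecureShell, and a root-owned binary without the bit is exactly the default packaging state described above.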

6.4. Connection refused when connecting

When you get a "connection refused" message while trying to log in, this is generally a firewall problem.

Check that you are not behind a firewall and that your SSH port (default is 22) is correctly open:

> nc -v your_sftp_server 22
Connection to localhost 22 port [tcp/ssh] succeeded!

If it is still not OK, check that your SSH service is running:

> service ssh status

6.5. Why do I get random errors on download or file access?

This is generally due to the SFTP client's cache. Some clients such as FileZilla have a cache enabled by default, which can show wrong information (connected even if you are not, files that no longer exist on the server, etc.).

The solution is to disable the cache on the client side.

6.6. Why do uploaded files have 0 size on the server?

When this problem occurs, it is usually because the disk is full on the server side.

6.7. Clients do not see all folders or files on the server, why?

Check whether the HideNoAccess child tag is enabled. This tag hides folders and files from users who have no access to them.

If you want your users to be able to see (but not access) files or folders they have no rights to, consider disabling the HideNoAccess value.

6.8. Only allow MySecureShell users for SFTP connections

If you want to allow only MySecureShell users to make SFTP connections to your server, change or adapt this line (OpenSSH version > 4.5) in /etc/ssh/sshd_config:

Subsystem sftp /usr/bin/mysecureshell -c sftp-server

Warning

Changing this parameter will block users who do not have MySecureShell as their shell!

6.9. How can I enforce security like blocking bruteforce attacks?

You can use a solution called Fail2ban, which watches the authentication logs in real time. If it detects a certain number of failed logins within a given time, it blocks the source IP address using iptables rules.
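To make the detection step concrete, here is an added example that is not part of the MySecureShell documentation or of Fail2ban: a read-only POSIX sh/awk function that does the counting Fail2ban performs on sshd "Failed password" lines, tallying failures per source address and printing the addresses that reach a threshold. Unlike Fail2ban it ignores the time window (findtime) and never touches iptables. The log lines are constructed for the example and use RFC 5737 documentation addresses.

```sh
# Added example (not from MySecureShell or Fail2ban): count sshd password
# failures per source IP in an auth log and report the addresses at or over a
# threshold. Detection only; nothing is blocked.

# failed_logins_per_ip LOGFILE THRESHOLD
# Prints "IP count" for each source address with at least THRESHOLD failures,
# highest count first.
failed_logins_per_ip() {
    awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' "$1" | sort -k2,2nr
}

# sample_auth_log -> writes constructed auth.log lines to a temp file and
# prints its path, so the function can be exercised offline.
sample_auth_log() {
    f=$(mktemp)
    printf '%s\n' \
        'Jan 10 10:00:01 sftp1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2' \
        'Jan 10 10:00:03 sftp1 sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2' \
        'Jan 10 10:00:04 sftp1 sshd[2205]: Accepted publickey for alice from 203.0.113.5 port 50100 ssh2' \
        'Jan 10 10:00:06 sftp1 sshd[2207]: Failed password for root from 198.51.100.7 port 40003 ssh2' \
        'Jan 10 10:00:09 sftp1 sshd[2209]: Failed password for alice from 203.0.113.5 port 50101 ssh2' \
        > "$f"
    echo "$f"
}

# Usage: report addresses with 3 or more failures in the sample log.
#   log=$(sample_auth_log); failed_logins_per_ip "$log" 3; rm -f "$log"
# On a real host:  failed_logins_per_ip /var/log/auth.log 5
```

Fail2ban's sshd jail applies the same idea with a sliding time window (findtime), a retry count (maxretry) and a ban duration (bantime); this function is only the counting part, useful for confirming what the jail would have matched.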

6.10. How could I limit the number of simultaneous unauthenticated connections?

To limit the number of simultaneous unauthenticated connections, change the MaxStartups value in the /etc/ssh/sshd_config file:

MaxStartups 5

In this example, no more than 5 unauthenticated connections are allowed at the same time.

6.11. How can I make a passwordless connection?

To log in securely without typing a password, you can use SSH public key authentication, which also strengthens security. To make it work, be sure that your server allows it in its configuration file /etc/ssh/sshd_config:

PubkeyAuthentication yes

If you want this user to be able to log in only with an SSH key, you can remove the account's password:

> passwd -d useraccount

Note

Note that this also disables local password login for the account.
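Sections 6.8, 6.10 and 6.11 each ask you to verify a setting in /etc/ssh/sshd_config. The block below is an added example, not code from the MySecureShell project or from OpenSSH, that audits those three settings from a config file in POSIX sh and awk. It relies on one documented sshd_config rule: for each keyword, sshd uses the first value it encounters and ignores later duplicates. It does not evaluate Match blocks, so a value set only inside a Match block is not seen.

```sh
# Added example (not from MySecureShell or OpenSSH): audit sshd_config for the
# sftp Subsystem (6.8), MaxStartups (6.10) and PubkeyAuthentication (6.11).

# sshd_effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD (first occurrence wins, keywords
# are case-insensitive, comments and blank lines are skipped). Returns 1 and
# prints nothing when the keyword is not set.
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; found = 1; exit }
        END { exit (found ? 0 : 1) }' "$1"
}

# sftp_subsystem_command FILE -> the program configured for the sftp subsystem
sftp_subsystem_command() {
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }' "$1"
}

# sftp_uses_mysecureshell FILE -> 0 when the sftp subsystem is mysecureshell
sftp_uses_mysecureshell() {
    cmd=$(sftp_subsystem_command "$1")
    [ "${cmd##*/}" = "mysecureshell" ]
}

# audit_sshd_config FILE -> one line per check; returns 0 when all pass
audit_sshd_config() {
    rc=0
    if sftp_uses_mysecureshell "$1"; then
        echo "ok   sftp Subsystem is mysecureshell (6.8)"
    else
        echo "warn sftp Subsystem is not mysecureshell (6.8)"; rc=1
    fi
    ms=$(sshd_effective_value "$1" MaxStartups) || ms="not set (sshd default applies)"
    echo "info MaxStartups = $ms (6.10)"
    # PubkeyAuthentication defaults to yes when absent
    pk=$(sshd_effective_value "$1" PubkeyAuthentication) || pk="yes"
    case "$pk" in
        [Yy][Ee][Ss]) echo "ok   PubkeyAuthentication = $pk (6.11)" ;;
        *) echo "warn PubkeyAuthentication = $pk (6.11)"; rc=1 ;;
    esac
    return $rc
}

# Usage on a real host:  audit_sshd_config /etc/ssh/sshd_config
```

Because the first occurrence wins, a stray `MaxStartups` or `PubkeyAuthentication` line near the top of the file silently overrides anything you add at the bottom; the audit reports the value sshd actually applies rather than the last one you typed.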

6.12. Can I use another authentication system?

Yes, you can use another authentication system such as:

  • OpenLDAP
  • Kerberos

You have to configure PAM (Pluggable Authentication Modules) so that authentication goes through the other backend. You can check that your backend connection is working like this:

$ getent passwd username
username:x:1000:1000:username,,,:/home/username:/usr/bin/zsh

Here we can see a user called username, with uid 1000. You now have to change this user's login shell for it to work properly.
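The following added example is not part of the MySecureShell documentation. It takes the passwd line that getent prints (as in 6.12), checks whether the account's login shell is MySecureShell and prints the usermod command that would fix it; the same check run over a whole passwd dump lists the regular accounts that the Subsystem change in 6.8 would lock out. It assumes the binary is at /usr/bin/mysecureshell, the path used throughout this page.

```sh
# Added example (not from MySecureShell): verify the login shell of an account
# resolved through PAM/getent (6.12) and list accounts a MySecureShell-only
# sftp Subsystem (6.8) would block. POSIX sh and awk only.

MSS_SHELL=/usr/bin/mysecureshell   # path assumed from the FAQ

# shell_of PASSWD_LINE -> prints the 7th colon-separated field (login shell)
shell_of() {
    printf '%s\n' "$1" | awk -F: '{ print $7 }'
}

# check_user_shell PASSWD_LINE -> 0 when the shell is mysecureshell; otherwise
# prints the usermod command that would fix it and returns 1
check_user_shell() {
    user=${1%%:*}
    shell=$(shell_of "$1")
    if [ "$shell" = "$MSS_SHELL" ]; then
        echo "ok   $user uses $MSS_SHELL"
        return 0
    fi
    echo "FAIL $user uses $shell; fix with: usermod -s $MSS_SHELL $user"
    return 1
}

# users_not_using_mysecureshell PASSWD_FILE -> login names of regular accounts
# (uid 1000..65533 on most distributions) whose shell is not mysecureshell
users_not_using_mysecureshell() {
    awk -F: -v want="$MSS_SHELL" \
        '$3 >= 1000 && $3 < 65534 && $7 != want { print $1 }' "$1"
}

# Live usage (the account must resolve through PAM/NSS):
#   check_user_shell "$(getent passwd username)"
#   getent passwd > /tmp/passwd.dump && users_not_using_mysecureshell /tmp/passwd.dump
```

Running the list before editing the Subsystem line in 6.8 turns the warning there into a concrete set of accounts to migrate first.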