Bananian

SFTP (via ssh)

koev36  
Hi,

On all Raspberry Pis and Linux machines I ever used, I could always connect via sftp (ssh) if ssh was working.

On bananian it doesn't work. What packages do I need to install?

Regards
This should work, even when it is for Ubuntu:
http://askubuntu.com/questions/4 ... -ubuntu-sftp-server

sftp is enabled and working by default. Just make sure your client is up to date.
Just tested with WinSCP 5.5.2 which is working fine.

tkaiser  
Bananian implements a hardened SSH configuration: https://www.bananian.org/details#configuration_details

You might want to check the settings your SFTP client uses (command-line clients, e.g. the ssh command itself, can be forced by the '-v' switch to be more verbose, e.g. "ssh -vvv banana.pi").

I have the same problem.
My openssh-server package is the following:

    # apt-cache policy openssh-server
    openssh-server:
      Installiert:           1:6.0p1-4+deb7u2
      Installationskandidat: 1:6.0p1-4+deb7u2
      Versionstabelle:
     *** 1:6.0p1-4+deb7u2 0
            500 http://ftp.de.debian.org/debian/ wheezy/main armhf Packages
            100 /var/lib/dpkg/status
         1:6.0p1-4+deb7u1 0
            500 http://security.debian.org/ wheezy/updates/main armhf Packages

  1. cat /etc/ssh/sshd_config
  2. # Package generated configuration file
  3. # See the sshd_config(5) manpage for details

  4. # What ports, IPs and protocols we listen for
  5. Port xxxxx
  6. # Use these options to restrict which interfaces/protocols sshd will bind to
  7. #ListenAddress ::
  8. #ListenAddress 0.0.0.0
  9. Protocol 2
  10. # HostKeys for protocol version 2
  11. HostKey /etc/ssh/ssh_host_rsa_key

  12. # https://bettercrypto.org/ 20140809
  13. #HostKey /etc/ssh/ssh_host_dsa_key
  14. #HostKey /etc/ssh/ssh_host_ecdsa_key

  15. #Privilege Separation is turned on for security
  16. UsePrivilegeSeparation yes


  17. # Lifetime and size of ephemeral version 1 server key
  18. KeyRegenerationInterval 3600
  19. ServerKeyBits 768

  20. # Logging
  21. SyslogFacility AUTH
  22. LogLevel INFO

  23. # Authentication:
  24. LoginGraceTime 120
  25. PermitRootLogin yes
  26. StrictModes yes

  27. RSAAuthentication yes
  28. PubkeyAuthentication yes
  29. #AuthorizedKeysFile     %h/.ssh/authorized_keys

  30. # Don't read the user's ~/.rhosts and ~/.shosts files
  31. IgnoreRhosts yes
  32. # For this to work you will also need host keys in /etc/ssh_known_hosts
  33. RhostsRSAAuthentication no
  34. # similar for protocol version 2
  35. HostbasedAuthentication no
  36. # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
  37. #IgnoreUserKnownHosts yes

  38. # To enable empty passwords, change to yes (NOT RECOMMENDED)
  39. PermitEmptyPasswords no

  40. # Change to yes to enable challenge-response passwords (beware issues with
  41. # some PAM modules and threads)
  42. ChallengeResponseAuthentication no

  43. # Change to no to disable tunnelled clear text passwords
  44. #PasswordAuthentication yes

  45. # Kerberos options
  46. #KerberosAuthentication no
  47. #KerberosGetAFSToken no
  48. #KerberosOrLocalPasswd yes
  49. #KerberosTicketCleanup yes

  50. # GSSAPI options
  51. #GSSAPIAuthentication no
  52. #GSSAPICleanupCredentials yes

  53. X11Forwarding yes
  54. X11DisplayOffset 10
  55. PrintMotd no
  56. PrintLastLog yes
  57. TCPKeepAlive yes
  58. #UseLogin no

  59. #MaxStartups 10:30:60
  60. #Banner /etc/issue.net

  61. # Allow client to pass locale environment variables
  62. AcceptEnv LANG LC_*

  63. Subsystem sftp /usr/lib/openssh/sftp-server

  64. # Set this to 'yes' to enable PAM authentication, account processing,
  65. # and session processing. If this is enabled, PAM authentication will
  66. # be allowed through the ChallengeResponseAuthentication and
  67. # PasswordAuthentication.  Depending on your PAM configuration,
  68. # PAM authentication via ChallengeResponseAuthentication may bypass
  69. # the setting of "PermitRootLogin without-password".
  70. # If you just want the PAM account and session checks to run without
  71. # PAM authentication, then enable this but set PasswordAuthentication
  72. # and ChallengeResponseAuthentication to 'no'.
  73. UsePAM yes

  74. UseDNS no

  75. # https://bettercrypto.org/ 20140809
  76. Ciphers aes256-ctr,aes128-ctr
  77. MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
  78. KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

herrmeier replied at Wed Jan 28, 2015 16:16
I have the same problem.
My openssh-server package is the following:

Which client are you using to connect? Something like FileZilla or WinSCP? Make sure you specify to connect on port 22, or else it will try 21 by default and not work.

Edited by herrmeier at Thu Jan 29, 2015 05:28

Hi AnythingGeek, thank you for your comment.
Yes I use filezilla. As stated above my PC runs on ubuntu. Therefore winscp is not my favorite GUI-sftp-client.
I also use the configured and crossed-out port in line 6 of /etc/ssh/sshd_config, which I usually reconfigure individually and restart the server afterwards.
By the way scp, rsync and ssh work perfectly. There just seems to be a problem with sftp-settings of the openssh-server or with filezilla.

Actually I use filezilla with various servers on a daily basis with ubuntu, suse, debian and red hat servers.

I never had that problem anywhere else. So it must be the hardened ssh-server.
In order to find the differences between my normal configurations and the bananian one I used diff, but
could not find a difference that seemed to matter.

    $ apt-cache policy filezilla
    filezilla:
      Installiert:           3.7.3-1ubuntu1
      Installationskandidat: 3.7.3-1ubuntu1
      Versionstabelle:
     *** 3.7.3-1ubuntu1 0
            500 http://de.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
            100 /var/lib/dpkg/status

Any further ideas?

gbi  
Hi,

there is a detailed guide regarding SSHD hardening on https://stribika.github.io/2015/01/04/secure-secure-shell.html

I have never used filezilla, so I do not know if it supports some kind of debugging like mentioned above in posting #4

I guess the prob is one of the restrictions in Ciphers, MACs or KexAlgorithms

HtH
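
The guess above can be checked mechanically. This added example (not part of the original thread) parses the Ciphers, MACs and KexAlgorithms lines from the sshd_config posted earlier and applies the SSH negotiation rule that the first algorithm on the client's list which the server also allows is chosen; the two client proposals are constructed for illustration and are not the real lists of FileZilla, WinSCP or any other client.

```python
# Added example: which SSH negotiation category leaves client and server
# without a common algorithm? Server lines are copied from the sshd_config above.
SSHD_CONFIG = """\
Ciphers aes256-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
"""
# Constructed client proposals in preference order (hypothetical; these are
# NOT the real algorithm lists of FileZilla, WinSCP or any other client).
OLD_CLIENT = {
    "ciphers": ["aes128-cbc", "3des-cbc", "aes128-ctr"],
    "macs": ["hmac-sha1", "hmac-md5"],
    "kexalgorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
}
NEW_CLIENT = {
    "ciphers": ["aes256-ctr", "aes128-ctr"],
    "macs": ["hmac-sha2-256", "hmac-sha1"],
    "kexalgorithms": ["diffie-hellman-group-exchange-sha256"],
}
KEYWORDS = ("ciphers", "macs", "kexalgorithms")

def server_lists(config_text):
    """Return {keyword: [algorithms]} for the directives present in the config."""
    lists = {}
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()  # sshd_config keywords are case-insensitive
        if key in KEYWORDS and key not in lists:  # first value obtained wins
            lists[key] = [a for a in parts[1].replace(" ", "").split(",") if a]
    return lists

def negotiate(client, server):
    """Per category, the first client algorithm the server allows; None = no overlap.
    Simplified: the extra host-key conditions of real key exchange are ignored."""
    return {k: next((a for a in client[k] if a in server[k]), None)
            for k in KEYWORDS if k in server}

def blocked(client, server):
    """Categories with no common algorithm (negotiation fails before login)."""
    return [k for k, chosen in negotiate(client, server).items() if chosen is None]

if __name__ == "__main__":
    srv = server_lists(SSHD_CONFIG)
    for name, offer in (("old", OLD_CLIENT), ("new", NEW_CLIENT)):
        print(name, negotiate(offer, srv), "blocked:", blocked(offer, srv))
```

With the command-line client, the verbose output of `ssh -vvv` mentioned earlier in the thread shows both sides' proposals, which can replace the constructed lists.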

I prefer https://bettercrypto.org

It has been online for about one year and I personally trust those guys.

BTW: That is why you find this comment in your sshd_config: "# https://bettercrypto.org/ 20140809"

herrmeier replied at Thu Jan 29, 2015 05:27
Hi AnythingGeek, thank you for your comment.
Yes I use filezilla. As stated above my PC runs on ubun ...

I had the same problem with WinSCP... I updated to a new copy and everything worked fine.
