Introduction
The following guide explains some techniques for troubleshooting authentication issues with SFTP.
Procedure
Keep two points in mind: SFTP uses SSHD to authenticate to the server, and only Linux users (i.e., cPanel users) can connect via SFTP.
That means that only users found in the /etc/passwd file on the server can authenticate and use SFTP. Regular FTP users created in the cPanel interface are not in the /etc/passwd file, so those users cannot be used for SFTP. Only the main cPanel user can use SFTP.
Furthermore, the users that are allowed to use SFTP can be influenced by the SSHD configuration at:
/etc/ssh/sshd_config
One example is the AllowUsers configuration. The following configuration would only allow the root user to use SFTP on the server:
/etc/ssh/sshd_config
AllowUsers root
If you would like to allow another user to authenticate, you can edit the configuration to include that user:
AllowUsers root additionaluser
Then restart the SSHD server with the following command:
/scripts/restartsrv_sshd --restart
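The two conditions described above (the user exists in /etc/passwd, and AllowUsers does not exclude it) can be checked together before editing anything. This is an added example, not cPanel's own tooling; the function name sftp_user_check, the sample users and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Usage: sftp_user_check USER [PASSWD_FILE] [SSHD_CONFIG]
# Exit status: 0 = allowed, 1 = not a system user, 2 = excluded by AllowUsers.
# Assumptions: no Match blocks, Include files or negated (!) patterns; the
# host part of USER@HOST patterns is ignored.
sftp_user_check() (   # subshell body keeps variables and 'set -f' local
    user=$1 passwd_file=${2:-/etc/passwd} sshd_config=${3:-/etc/ssh/sshd_config}

    # SFTP authenticates through SSHD, so the account must be in the passwd file.
    if ! awk -F: -v u="$user" '$1 == u { ok = 1 } END { exit !ok }' "$passwd_file"; then
        echo "$user: not in $passwd_file, cannot use SFTP"
        exit 1
    fi

    # Gather every AllowUsers pattern: the keyword is case-insensitive and may
    # be repeated; commented-out lines do not match because $1 starts with '#'.
    patterns=$(awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$sshd_config")
    if [ -z "$patterns" ]; then
        echo "$user: system user, no AllowUsers restriction"
        exit 0
    fi

    set -f                      # keep '*' in patterns from expanding to file names
    for p in $patterns; do
        case $user in
            ${p%%@*}) echo "$user: permitted by AllowUsers pattern '$p'"; exit 0 ;;
        esac
    done
    echo "$user: system user, but not listed in AllowUsers"
    exit 2
)

# Constructed sample files (not taken from a real server).
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
additionaluser:x:1001:1001::/home/additionaluser:/bin/bash
cpuser:x:1002:1002::/home/cpuser:/bin/bash
EOF
cat > "$demo/sshd_config" <<'EOF'
#AllowUsers cpuser
allowusers root
AllowUsers additionaluser@203.0.113.*
EOF

for u in root additionaluser cpuser ftp@example.com; do
    sftp_user_check "$u" "$demo/passwd" "$demo/sshd_config" || echo "  -> exit status $?"
done
```

On a live server, sshd -T prints the effective configuration, which also reflects any included files.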
If you're still having difficulties with authentication, check the SSHD configuration for other directives that could be interfering. Here are a few other examples:
- Password authentication: The client asks you to enter a password, encrypts it, and uses it to authenticate itself to the server.
- Public key authentication: Each client uses a key pair to authenticate itself to the server. The server must find the key in its list of allowed keys.
- Host-based authentication: This method is similar to public key authentication, but the client must not only use the correct key, it must also connect from the correct host.
- Keyboard authentication: The server uses the client to present zero or more prompts to the operator of the client PC and requests answers from the operator.
- Challenge Response Authentication: Used to configure keyboard authentication. A specific backend should be used to send the challenges and check the responses.
- GSSAPI Authentication: GSSAPI is an IETF standard for strong encrypted authentication. OpenSSH uses GSSAPI and Kerberos 5 code to authenticate clients.
You could also try resetting the user's password and verifying that the password works when logging in via other interfaces such as cPanel or SSH.
You may also enable logging to get more information about the issue. We have a guide on how to do this: