sftp quit working after turning on TLS

[sschwie]

We are attempting to get TLS working so we can use ftps after we got sftp working using CO:Z SFTP. I can connect with ftps, but now I've lost SFTP capability. Is this expected, or is there a configuration setting I'm missing. I can't find anything in the documentation that would indicate we can use one or the other, but not both. Please advise.

[dovetail]

FTP TLS should have nothing to do with SFTP.

What are you having trouble with, the Co:Z SFTP client or the sftp server? If the server, can you sign in to SSHD with Putty or another ssh client? Perhaps your SSHD server is not running.

[sschwie]

This is the SFTP server. I tried connecting using putty, and the connection is refused. SSHD appears to be running. I thought there should be no connection between TLS and SSHD, but I wanted to verify. Thanks for the information, and I will update the post when I find out what went wrong.

[sschwie]

Update...I misspoke when I said the connection was refused for putty. It's allowing telnet connections via SSH, so that piece of the server is working. It's only sftp commands that receive the connection refused

[dovetail]

If SSHD is running ( and accepting ssh interactive sessions) but sftp server is not workimg, then perhaps there is a problem with the file system that contains the Co:Z binaries?

When you installed Co:Z SFTP server, your /etc/ssh/sshd_config file was updated to have the "Subsystem sftp" line point to <COZ_HOME>/bin/sftp-server.sh. Is that file available?

[sschwie]

The file is there. If I bring up the ftp server without TLS defined, everything works fine.

[dovetail]

I cannot understand why ssh terminal sessions work but sftp-server sessions get "connection refused", since they use the same connection.

I also can't understand why FTP configuration has anything to do with SSH and SFTP. So, I'm a little baffled.

If you update /etc/ssh/sshd_config back to the IBM default, then you won't be configured to use Co:Z SFTP.

If you do that, does the IBM sftp-server work? If not, then you may want to contact IBM for support - there is something messed up in your SSH configuration.

Once you get IBM Ported Tools SSH and IBM's sftp server working in your environment, then we can help you to get Co:Z SFTP working.

[sschwie]

The OPENSSH version of sftp works fine.

I'm having difficulty with locating the trace information that dovetail server writes. Here's my sftp-server.rc file:
export SFTP_LOGFILE="/tmp/sftp_logfile"
export SFTP_SERVER_OPTIONS="-e -l debug3"
export COZ_LOG="F"
export USE=COZ=SFTP=true
#export SFTP_ZOS_OPTIONS="mode=text"

[dovetail]

Give this script, it should write it to /tmp/sftp_logfile.
Is this script in $HOME/.ssh/sftp-server.rc? Is it executable by your userid?

If you can't find the problem, send me a note at info@dovetail.com with your contact info and we can setup a call to help you hopefully debug the problem.

[sschwie]

I found a problem...My sftp-server.rc file resides in /etc/ssh/ directory and could not be read. I moved it to my $HOME/.ssh directory and now everything seems to be fine. I still would like to know how to get logging corrected, as this probably would have been easily fixed if I knew where the trace information was going.

[sschwie]

And now I found the trace information as well. It appears I had a rogue sftp-server.rc file out there and I wasn't getting the server loaded at all. When I put the sftp-server.rc file in my home directory, trace information went to the tmp directory, as I would have expected. I would say this case can be closed. Thanks for all your help in diagnosing the problem.