SFTP authentication not working

A few days ago I stumbled upon a problem with our OpenSSH (net-misc/openssh-5.2_p1-r3) based SFTP solution. Although passwords had not been changed, SFTP logins no longer worked, whereas normal SSH logins with the same accounts continued to work.

The sshd config concerned (now working) looks like this (except for AllowUsers):

Port 22
Protocol 2
LogLevel INFO
SyslogFacility AUTH
LoginGraceTime 60
PermitRootLogin no
PasswordAuthentication yes
KeepAlive yes
# this must be set to no and PasswordAuthentication to yes. Otherwise SFTP will not work!!!!
UsePAM no
PrintMotd no
PrintLastLog no
ClientAliveInterval 30
ClientAliveCountMax 10
Subsystem sftp internal-sftp
Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no

After more than an hour of trial and error I found out that UsePAM must be set to no and PasswordAuthentication must be set to yes. All other combinations of these two options kill SFTP authentication (sys-auth/pambase-20090620.1-r1 with the ssh USE flag enabled).

As I am not using PAM's advanced authentication functions, this deactivation is not a problem for me.
So, finally, if you encounter strange authentication issues with SFTP, try disabling PAM authentication and see whether SFTP authentication works again afterwards.

Regards,
Phillip

PS If you know another solution to this problem or if I somehow messed up my config please let me know.
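
An added example, not part of the original post: a shell check that reads the global section of an sshd_config file and reports whether the UsePAM / PasswordAuthentication pair is the one described above as working. The function names and the sample config are constructed for illustration; the fallback values are upstream OpenSSH's defaults (UsePAM no, PasswordAuthentication yes), which a distribution's shipped config may override.

```shell
#!/bin/sh
# Added example: not the author's code.

# sshd_auth_combo FILE -> prints "UsePAM=<v> PasswordAuthentication=<v>"
# Only the global section (everything before the first Match) is read.
sshd_auth_combo() {
    awk '
        BEGIN { pam = "no"; pw = "yes" }        # upstream defaults (assumption)
        { sub(/^[ \t]+/, "") }                  # strip indentation
        /^#/ || $0 == "" { next }               # skip comments and blank lines
        { key = tolower($1); val = tolower($2) }    # keywords are case-insensitive
        key == "match" { exit }                 # global section ends here
        # sshd uses the first value it obtains for a keyword
        key == "usepam" && !seen_pam { pam = val; seen_pam = 1 }
        key == "passwordauthentication" && !seen_pw { pw = val; seen_pw = 1 }
        END { printf "UsePAM=%s PasswordAuthentication=%s\n", pam, pw }
    ' "$1"
}

# check_sftp_combo FILE -> returns 0 only for the pair the post reports as working
check_sftp_combo() {
    combo=$(sshd_auth_combo "$1")
    if [ "$combo" = "UsePAM=no PasswordAuthentication=yes" ]; then
        echo "OK: $combo"
    else
        echo "CHECK: $combo (the post reports SFTP logins failing with this pair)"
        return 1
    fi
}

# Constructed sample: PAM is enabled first, so the later "UsePAM no" and the
# PasswordAuthentication line inside the Match block are both ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not the author's file
usepam yes
PasswordAuthentication yes
UsePAM no
Subsystem sftp internal-sftp
Match Group sftponly
    PasswordAuthentication no
EOF
check_sftp_combo "$sample" || true
rm -f "$sample"
```

With UsePAM set to no, sshd also skips PAM account and session module processing for every authentication type, so anything enforced only in those PAM stacks stops applying to SSH and SFTP logins.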
