CA API Gateway 11 - WinSCP/FileZilla and SCP (command line) Related errors

Article ID: 260479

Updated On:

Products

CA API Gateway

Issue/Introduction

This KB article covers the error users may get when trying to use WinSCP/FileZilla (and similar SFTP Clients) to copy files to the Gateway 11 Appliance as well as an issue using the scp command from a command line.

Quick Summary:

  1. Unlike previous Gateway versions (9.x and 10.x) users cannot use WinSCP/FileZilla (and similar SFTP Clients) to copy files to the Gateway 11 Debian Appliance using the ssgconfig user or /home/ssgconfig directory. Users must, instead, create a unique new user and directory and use that new user and directory to copy files.
  2. Users may continue using the ssgconfig account to copy files to and from the Gateway 11 /home/ssgconfig/ directory with command line scp. However, if your workstation's OpenSSH Client version is 9 or higher, you may have to use the -O switch, which allows a connection using the legacy scp protocol compatible with the Gateway 11 Debian Appliance. The -O switch is only available on OpenSSH Clients version 9+.

WinSCP/FileZilla (and similar SFTP Clients) Related Error:

Trying to log into a Gateway 11 Appliance via WinSCP/FileZilla (and similar SFTP Clients) gives the error:

Received too large (1348825709 B) SFTP packet. Max supported packet size is 1024000 B.

or

scp command line related error:

You may be trying to use the command line scp and receiving 

"Received message too long"

Environment

Release : 11.0

Resolution

Solution 1

The problem with sftp and the ssgconfig user is caused by the ssh_force_command_ssgconfig.sh script, which is executed from the sshd daemon.
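An SFTP client reads the first four bytes it receives as a big-endian packet length, so when the server side answers with text instead of SFTP packets the client reports an impossibly large packet. The added example below (not part of the KB article; the function names are illustrative) decodes the length from the WinSCP/FileZilla message quoted in the Issue section back into the characters that were actually received.

```shell
#!/bin/sh
# Added diagnostic example, not from the KB article.
# Decodes the "packet length" in an SFTP client error into its 4 raw bytes.
# Printable ASCII means the server sent text, not an SFTP packet.

# extract_len LINE -> byte count from a "Received too large (N B) SFTP packet" line
extract_len() {
    printf '%s\n' "$1" |
        sed -n 's/.*Received too large (\([0-9][0-9]*\) B) SFTP packet.*/\1/p'
}

# decode_sftp_len N -> prints the 4 big-endian bytes of N as characters.
# Non-printable bytes are shown as '?' and make the function return 1.
decode_sftp_len() {
    n=$1; out=; rc=0
    for s in 24 16 8 0; do
        b=$(( (n >> s) & 255 ))
        if [ "$b" -ge 32 ] && [ "$b" -le 126 ]; then
            # %b with \0NNN (octal) is the portable way to emit one byte
            out="$out$(printf '%b' "\\0$(printf '%03o' "$b")")"
        else
            out="$out?"; rc=1
        fi
    done
    printf '%s\n' "$out"
    return "$rc"
}

# Sample input: the error text quoted in this article.
msg='Received too large (1348825709 B) SFTP packet. Max supported packet size is 1024000 B.'
len=$(extract_len "$msg")
if text=$(decode_sftp_len "$len"); then
    printf 'length %s is ASCII text "%s": the server replied with text, not SFTP\n' "$len" "$text"
else
    printf 'length %s is not plain text (%s): look at packet size limits instead\n' "$len" "$text"
fi
```

For the value in this article the four bytes are the ASCII characters `Perm`, which shows the client was handed a text message rather than an SFTP session.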

To allow sftp for the ssgconfig user, do the following:

Make a copy of the file /etc/ssh/ssh_force_command_ssgconfig.sh as a backup.

    # cp /etc/ssh/ssh_force_command_ssgconfig.sh /etc/ssh/ssh_force_command_ssgconfig.sh.backup

Edit the file /etc/ssh/ssh_force_command_ssgconfig.sh

    # nano /etc/ssh/ssh_force_command_ssgconfig.sh

Change the line

    "/opt/SecureSpan/Gateway/config/bin/ssgconfig-headless"* | "scp"* )

to

    "/opt/SecureSpan/Gateway/config/bin/ssgconfig-headless"* | "scp"* | "/usr/lib/openssh/sftp-server" )

Save the file with CTRL-o and exit with CTRL-x.

The ssh_force_command_ssgconfig.sh script now allows the sftp command to be executed for the ssgconfig user.
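To see exactly what the edited line admits, the added example below (a simplified model, not the appliance's script) runs the old and new pattern lines against constructed client requests. Only the two case patterns come from this article; the function names, the assumption that the script matches on sshd's SSH_ORIGINAL_COMMAND value, and the sample commands are illustrative.

```shell
#!/bin/sh
# Simplified model of a forced-command allowlist (added example).
# Only the two pattern lines are taken from the article.

# allow_before CMD -> exit 0 if the original pattern line admits CMD
allow_before() {
    case "$1" in
        "/opt/SecureSpan/Gateway/config/bin/ssgconfig-headless"* | "scp"* ) return 0 ;;
        * ) return 1 ;;
    esac
}

# allow_after CMD -> exit 0 if the edited pattern line admits CMD
allow_after() {
    case "$1" in
        "/opt/SecureSpan/Gateway/config/bin/ssgconfig-headless"* | "scp"* | "/usr/lib/openssh/sftp-server" ) return 0 ;;
        * ) return 1 ;;
    esac
}

# verdict CMD -> "before=<allow|deny> after=<allow|deny>"
verdict() {
    b=deny; a=deny
    allow_before "$1" && b=allow
    allow_after "$1" && a=allow
    printf 'before=%s after=%s\n' "$b" "$a"
}

# Constructed requests, as the server would see them (assumed):
#   legacy scp upload (what "scp -O" sends), the sftp subsystem command,
#   the same command with arguments, and the in-process sftp server name.
for cmd in 'scp -t /home/ssgconfig' \
           '/usr/lib/openssh/sftp-server' \
           '/usr/lib/openssh/sftp-server -l INFO' \
           'internal-sftp'; do
    printf '%-40s %s\n' "$cmd" "$(verdict "$cmd")"
done
```

The added alternative has no trailing `*`, so it admits only that exact string; if the Subsystem line in the appliance's sshd_config carries arguments or a different sftp server, SFTP clients will still be rejected after the edit.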

 

Solution 2

Using WinSCP/FileZilla (and similar SFTP Clients):

To use WinSCP/FileZilla (and similar SFTP Clients) with Gateway 11 you must create a unique sftp user and directory on the Gateway 11 appliance. You cannot use the ssgconfig or ssgadmin users to connect to the Gateway 11 appliance with WinSCP/FileZilla (and similar SFTP Clients).

Note: sftpuser is an example name; substitute the name of the user you wish to create.

SSH to the Gateway 11 Appliance with ssgconfig and then drop into the Gateway 11 Privileged shell with Option 3

Create a new user to be used to login with WinSCP/FileZilla (and similar SFTP Clients) 

    # useradd sftpuser
    # passwd sftpuser

(Specify a password when prompted.)

Add the new user to the ssh_allowed_users file with the nano utility.

    # nano /etc/ssh/ssh_allowed_users

Add

    sftpuser

Save with ctrl+s (if needed, exit with ctrl+x).

Make a new sftpuser directory and then make the user sftpuser the owner.

    # mkdir /home/sftpuser
    # chown -R sftpuser:sftpuser /home/sftpuser

You should now be able to use WinSCP/FileZilla (and similar SFTP Clients) with the user created above.

Note: if WinSCP/FileZilla (and similar SFTP Clients) tries to access /home/ssgconfig, it will fail with permission errors, but you should be able to traverse to /home/sftpuser.

Using scp command line:

You may also use the scp command line method to copy files to your Gateway 11 Appliance instead of using WinSCP/FileZilla (and similar SFTP Clients)

In this case you can use the ssgconfig account and copy files to your /home/ssgconfig directory but please be aware of the following:

Debian 11 uses an updated version of OpenSSH that defaults to the SFTP protocol instead of the legacy SCP protocol that was used by previous Linux operating systems. This poses a problem (i.e., "Received message too long" error) for Gateway version 11.0 users who use OpenSSH 9+ SSH client as the Gateway's setup is not compatible with the SFTP protocol.

In order to complete a file transfer task using command line SCP you MAY need to use the -O option in your SCP command. The -O option effectively forces the use of the legacy SCP protocol, ensuring backwards-compatibility. 

You can check your OpenSSH Client version with a command like ssh -v localhost

Examples:

Copy a file to the Gateway 11 /home/ssgconfig/ directory with the ssgconfig user on a system that is running an OpenSSH Client version below 9:

    scp somefile.zip ssgconfig@GatewayIP:/home/ssgconfig

Copy a file to the Gateway 11 /home/ssgconfig/ directory with the ssgconfig user on a system that is running an OpenSSH Client version 9+:

    scp -O somefile.zip ssgconfig@GatewayIP:/home/ssgconfig

(Please be aware that the -O switch is only available on OpenSSH 9+ Clients.)

 

Additional Information