This article lists the most common support issues we've been seeing for SFTP Gateway v3.
1. There's a banner but no command prompt when I connect using SSH
On SFTP Gateway version 3, the SSH protocol has been moved from the default port
So the syntax to connect would be:
ssh -i private.key azure-user@<ip-address> -p 2222
We introduced a Java service to implement the SFTP protocol on port
This Java service denies the SSH protocol. This is why you see the login banner, but have no command prompt.
For more information on how to SSH into a VM running SFTP Gateway, see this article.
2. Connection timed out after 20 seconds of inactivity (FileZilla)
If you get a connection timeout with FileZilla, there are a few possible causes.
2a. Check your Network Security Group (NSG) rules
Make sure that your SFTP client is able to connect to the VM over port
Otherwise, FileZilla will not receive any response when trying to connect.
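To tell a blocked port (no response at all) apart from a listener that is reachable and sends its SSH banner, you can probe the port directly. This is an added example, not part of SFTP Gateway or its documentation; the function name `probe_ssh_banner` is hypothetical, and the host and port numbers are supplied by you on the command line.

```python
import socket
import sys

def probe_ssh_banner(host, port, timeout=5.0):
    """Return (status, detail) for a TCP listener expected to speak SSH/SFTP.

    status: "banner"    TCP connect worked and an SSH identification line arrived
            "no-banner" TCP connect worked but no "SSH-" line arrived in time
            "refused"   host answered, nothing is listening on that port
            "timeout"   no answer at all, as when a network rule drops the packets
            "error"     any other socket failure (DNS, unreachable network, ...)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("timeout", "no response to TCP connect")
    except ConnectionRefusedError:
        return ("refused", "port closed on the host")
    except OSError as exc:
        return ("error", str(exc))
    buf = b""
    with sock:
        sock.settimeout(timeout)
        try:
            # RFC 4253 lets the server send other lines before "SSH-...", so
            # keep reading until a complete identification line is seen.
            while len(buf) < 4096:
                chunk = sock.recv(256)
                if not chunk:
                    break
                buf += chunk
                for line in buf.split(b"\n")[:-1]:
                    if line.startswith(b"SSH-"):
                        return ("banner", line.strip().decode("ascii", "replace"))
        except socket.timeout:
            pass
        except OSError as exc:
            return ("error", str(exc))
    return ("no-banner", "connected, but no SSH identification line received")

if __name__ == "__main__":
    # Usage: python probe.py <ip-address> <port> [<port> ...]
    host, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    for port in ports:
        status, detail = probe_ssh_banner(host, port)
        print(f"{host}:{port} {status}: {detail}")
```

A `timeout` result points at the NSG rules; a `banner` result means the network path is fine and the cause is further down this list.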
2b. Check your default Cloud Connection
A Cloud Connection is a set of options for connecting to Blob storage. SFTP Gateway uses Blob storage as the underlying file system. So, a connection timeout could result from the SFTP user having no file system to work with.
Here is an example of expected syntax when filling out the fields for an Azure Cloud Connection:
Note: Make sure each field is configured correctly. For example, the Container Name cannot contain uppercase letters.
If your default Cloud Connection already exists, look for a Test Connection button on the details page. Make sure it gives you three green check marks.
2c. If you're on v3.1.0, make sure the Storage Account is not configured with HNS
On SFTP Gateway v3.1.0, we had a bug where SFTP users would time out when trying to connect to HNS-enabled Storage Accounts.
The error would not show up at first, but only after a subfolder was created.
This issue has since been resolved on SFTP Gateway
To find out if your storage account has hierarchical namespace enabled, go to: Overview -> Properties -> Data Lake Storage.
3. How to share folders between SFTP users
This is more of a configuration question than a troubleshooting issue, but how to configure sharing is commonly asked.
Below are two examples of sharing scenarios.
3a. External vendor scenario: grant an internal SFTP user read/write access to multiple external SFTP users
The external vendor scenario is where you have a user, perhaps an internal manager, accessing other users' files/folders.
First, configure external SFTP accounts with the default Home Directory location, which is the user's name under the /users/ folder. For example:
/
|--users/
   |--vendor1/ <-- vendor1 is chrooted here
Then, configure an internal-manager SFTP user, and point it to the parent
The folder structure will look like this:
/
|--users/ <-- internal-manager is chrooted here
   |--vendor1/
   |--vendor2/
internal-manager will have read/write access to the
and everything in it (including the vendor chroot directories).
For additional information on the External Vendor scenario, see this article.
3b. Group drive scenario: mount a shared folder inside the chroot directories of multiple SFTP users
In the Group Drive scenario, you create a shared folder, and then mount it within the chroot directory of each SFTP user.
First, you create a new Cloud Connection that points to a specific Blob storage container.
Then, within each SFTP user's chroot directory, you create a Folder that points to the Cloud Connection.
The folder structure will look like this:
/
|--users/
   |--user1/
      |--Shared-Folder --> points to the Shared Cloud Connection
   |--user2/
      |--Shared-Folder --> points to the Shared Cloud Connection
Each SFTP user will see a subfolder named
And any changes they make in that folder will be seen by other SFTP users.
For more information on shared Cloud Connections, see this article.
4. Supporting legacy SFTP clients
Some SFTP client software may require the use of legacy encryption algorithms. By default, these are not enabled on SFTP Gateway.
SFTP Gateway has a setting named sftp.security-level where you can reduce the security baseline to improve compatibility.
For more detailed information on Security Level Configuration, view this article.
5. Reset the Web Admin Password
On first launch, you create a web admin user in the web admin portal. If you forget these credentials, you will need to reset them via the command line.
Here are the steps to reset your admin password.
Step 1. SSH into the VM, and elevate your privileges to root:
Step 2. Change directories to
Step 3. Run the script to remove all web admin users:
If all goes well, you should see the word
Step 4. Refresh your browser, and the web admin portal should take you back to the first launch screen where you can create a new admin user.
For information on the contents of the script, see this article.