1

I'm trying to connect to an SSH server using FileZilla. The SSH key is okay (I've checked the fingerprints and I'm sure I'm using the right key).

In Terminal SSH with the same username&key works correctly.
FileZilla with another account (user&pass) works correctly too, there is no restriction to my ISP or something similar.

FileZilla debug report is:

Trace:          CControlSocket::SendNextCommand()
Trace:          CSftpConnectOpData::Send() in state 0
Status:         Connecting to XXX.XXX.XXX.XXX:2222...
Trace:          Going to execute /private/var/folders/j8/xxx/T/AppTranslocation/xxx/d/FileZilla.app/Contents/MacOS//fzsftp
Response:   fzSftp started, protocol_version=11
Trace:          CSftpConnectOpData::ParseResponse() in state 0
Trace:          CControlSocket::SendNextCommand()
Trace:          CSftpConnectOpData::Send() in state 2
Command:    keyfile "/Users/username/.ssh/username"
Trace:          CSftpConnectOpData::ParseResponse() in state 2
Trace:          CControlSocket::SendNextCommand()
Trace:          CSftpConnectOpData::Send() in state 3
Command:    open "username@XXX.XXX.XXX.XXX" 2222
Trace:          Looking up host "XXX.XXX.XXX.XXX" for SSH connection
Trace:          Connecting to XXX.XXX.XXX.XXX port 2222
Trace:          We claim version: SSH-2.0-FileZilla_3.60.1
Trace:          Connected to XXX.XXX.XXX.XXX
Trace:          Remote version: SSH-2.0-mod_sftp
Trace:          Using SSH protocol version 2
Trace:          Doing ECDH key exchange with curve Curve25519 and hash SHA-256 (unaccelerated)
Trace:          Server also has rsa-sha2-512/rsa-sha2-256/ssh-rsa host keys, but we don't know any of them
Trace:          Host key fingerprint is:
Trace:          ecdsa-sha2-nistp256 256 SHA256:XXXXXXXXXXXXXXXXXXXXX
Trace:          Initialised AES-256 SDCTR (AES-NI accelerated) outbound encryption
Trace:          Initialised HMAC-SHA-256 (unaccelerated) outbound MAC algorithm
Trace:          Initialised AES-256 SDCTR (AES-NI accelerated) inbound encryption
Trace:          Initialised HMAC-SHA-256 (unaccelerated) inbound MAC algorithm
Trace:          Pageant is running. Requesting keys.
Trace:          Pageant has 1 SSH-2 keys
Trace:          Successfully loaded 1 key pair from file
Status:         Using username "username". 
Trace:          Trying Pageant key #0
Trace:          Key matched loaded keyfile, remove duplicate
Trace:          Server refused our key
Command:    Pass: 
Trace:          Sent password
Trace:          Password authentication failed
Status:         Access denied 
Error:          Authentication failed.
Trace:          CControlSocket::DoClose(1030)
Trace:          CControlSocket::ResetOperation(1094)
Trace:          CSftpConnectOpData::Reset(1094) in state 3
Error:          Critical error: Could not connect to server
Trace:          CFileZillaEnginePrivate::ResetOperation(1094)

Any idea where the problem could be here? The part after the SSH key is refused is beside the point (there is no password, and I don't know why FileZilla tries an empty passphrase). The point is above: why was the SSH key refused?

Thanks a lot.

pavel

1 Answer

0

SSH has multiple subsystems, which can be allowed and disallowed independently: SSH (shell), SCP and SFTP. It is also possible to disallow or allow stuff depending on the user or group. It might be that the server doesn't allow SFTP access for this user. There might also be a problem with the user's home directory permissions. By default SSH blocks login if they are too lax.

I recommend setting LogLevel DEBUG3 in the server configuration. On Debian-based systems it is found at /etc/ssh/sshd_config. Don't forget to restart the sshd. It shouldn't disconnect you if you're logged in remotely. To be safe, keep your shell open until you have tried to connect to it again, so you don't lock yourself out if you make a mistake in the configuration. Then you should see the reason the sshd blocks the login in its logfile under /var/log (IIRC it's in auth.log).

Hoov
  • The SFTP user should be set and should have access rights. Does the log say that this user should be disabled or something else? – pavel Jun 24 '22 at 17:13
  • Did you set the access rights yourself on the server? How did you do it? Depending on server setup (per default) SSH doesn't allow login if the rights are too lax. – Hoov Jun 24 '22 at 17:16
  • Yes, my colleague set both the SSH and SFTP users with the same rights (he's out of office for two weeks now, so I need to solve that; I mean the problem is somewhere on my side). – pavel Jun 24 '22 at 17:18
  • I edited my answer and added a recommendation to set the debug log level. – Hoov Jun 24 '22 at 17:23
  • To answer your question about the log: It says "authentication failed". During authentication, permissions and other stuff are checked. – Hoov Jun 24 '22 at 17:32
  • Any subsystem is involved only *after the authentication*. So this cannot be Shell vs SFTP. – Martin Prikryl Jun 25 '22 at 04:47
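
The home-directory permission check mentioned in the answer can be run on the server as follows. This is an added example, not part of the original posts and not OpenSSH's own code; it assumes an OpenSSH sshd with StrictModes at its default (yes) and keys in the default ~/.ssh/authorized_keys, and the function names check_path and audit_strictmodes are hypothetical.

```shell
#!/bin/sh
# Added example: flag the paths that sshd's StrictModes check rejects for
# public-key login. A path fails when it is group- or world-writable, or when
# it is owned by someone other than the login user or root.

# check_path PATH UID -> prints one finding line; returns 0 if acceptable.
check_path() {
    cp_path=$1; cp_uid=$2
    if [ ! -e "$cp_path" ]; then
        echo "MISSING $cp_path"; return 1
    fi
    # ls -ldnL: numeric owner, follow symlinks; field 1 = mode, field 3 = uid.
    cp_ls=$(ls -ldnL "$cp_path")
    cp_mode=$(printf '%s\n' "$cp_ls" | awk '{print $1}')
    cp_owner=$(printf '%s\n' "$cp_ls" | awk '{print $3}')
    # In a mode string like drwxr-xr-x, char 6 is group-write, char 9 other-write.
    cp_gw=$(printf '%s' "$cp_mode" | cut -c6)
    cp_ow=$(printf '%s' "$cp_mode" | cut -c9)
    if [ "$cp_owner" != "$cp_uid" ] && [ "$cp_owner" != 0 ]; then
        echo "BAD OWNER uid=$cp_owner $cp_path"; return 1
    fi
    if [ "$cp_gw" = w ] || [ "$cp_ow" = w ]; then
        echo "TOO LAX $cp_mode $cp_path"; return 1
    fi
    echo "OK $cp_mode $cp_path"
}

# audit_strictmodes HOME UID -> checks the home directory, ~/.ssh and the
# authorized_keys file (assumed default location); returns 1 on any finding.
audit_strictmodes() {
    as_home=$1; as_uid=$2; as_rc=0
    for as_p in "$as_home" "$as_home/.ssh" "$as_home/.ssh/authorized_keys"; do
        check_path "$as_p" "$as_uid" || as_rc=1
    done
    return $as_rc
}

# Usage on the server (username is a placeholder):
#   audit_strictmodes /home/username "$(id -u username)"
```

Any line other than OK points at a path to fix with chmod or chown before retrying the key login.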