Troubleshooting an SFTP Server using SSH-MiTM

[jubeormk1]

Hi there,

Thanks so much for creating and supporting this tool. Also a discussion platform in Github is great: keeps everything in one place. Now let's get to business.

I need to look into the packets sent and received in an SFTP session while troubleshooting my implementation of the protocol but when I try to open a connection I get the error ERROR error creating sftp client - no ssh client!. Am I missing some steps? Do I need to configure a ssh client? Has anybody find the same issue?

I looked for issues and discussions including terms such as "sftp", "no ssh client" but I haven't found any information about this. I looked at the documentation and in particular ssh-file-transfer-protocol

My setup is simple:

• OS: WSL2 (Linux ROG-WIN 6.6.87.2-microsoft-standard-WSL2 #1 SMP PREEMPT_DYNAMIC Thu Jun 5 18:30:46 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux)
• Network: tap interface where localhost is 192.168.69.100 and the target server running on 192.168.69.2:22
• Server: The server is a debug session of my program that admits none authentication
• SSH-MiTM cmd: ssh-mitm server --session-log-dir ssh-mitm/log --enable-none-auth --remote-host 192.168.69.2
• Client connection cmd: sftp -o PubkeyAuthentication=no -o PasswordAuthentication=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -P 10022 any@localhost

SSH-MiTM Output:

────────────────────────── SSH-MITM - ssh audits made simple ──────────────────────────
Documentation: https://docs.ssh-mitm.at
Issues: https://github.com/ssh-mitm/ssh-mitm/issues
──────────────────────────────────── Configuration ────────────────────────────────────
🔑 SSH-Host-Keys:
   generated temporary RSAKey key with 2048 bit length
   MD5:a1:27:10:b7:3a:bb:81:af:36:ac:0d:ee:46:42:27:31
   SHA256:wme1BByDU2o3/BRuUhrjt4vTsXm0z19TjvVHlQQMVtw
   SHA512:mwwLMgtpXWReTK4ON2eocEotfWLEHfNaWzMxLxnMUeysh8xH/O0GRWLFYapkVJqqDiCK+3Xnzg7HJLGH+9QFcg
.......................................................................................
💻 listen interfaces :: on port 10022
─────────────────────────────── waiting for connections ───────────────────────────────
[11/06/25 14:20:18] INFO     ℹ session
                             156199d2-7ee8-4caa-9b26-dc52b3050815
                             created
                    INFO     ℹ client information:
                               - client version: ssh-2.0-openssh_8.9p1
                             ubuntu-3ubuntu0.13
                               - product name: OpenSSH
                               - vendor url:  https://www.openssh.com/
                              - client address: ip=::ffff:127.0.0.1 port=45668
                             ⚠ CVEs detected by client version string:
                               * CVE-2023-51767:
                             https://nvd.nist.gov/vuln/detail/CVE-2023-51767
                               * CVE-2023-51385:
                             https://nvd.nist.gov/vuln/detail/CVE-2023-51385
                               * CVE-2023-51384:
                             https://nvd.nist.gov/vuln/detail/CVE-2023-51384
                               * CVE-2023-48795:
                             https://nvd.nist.gov/vuln/detail/CVE-2023-48795
                               * CVE-2023-38408:
                             https://nvd.nist.gov/vuln/detail/CVE-2023-38408
                               * CVE-2023-28531:
                             https://nvd.nist.gov/vuln/detail/CVE-2023-28531
                               * CVE-2020-14145:
                             https://docs.ssh-mitm.at/vulnerabilities/CVE-2020-14145.ht
                             ml
                             ⚠ detected vulnerabilities by active tests:
                                 CVE-2020-14145 - Fingerprint information
                             leak
                                   * client connecting for the first time or
                             using default key order!
                                   * Preferred server host key algorithm:
                             [email protected]
                                 CVE-2023-48795 - Terrapin-Attack
                                   * ChaCha20-Poly1305 support:   True
                                   * CBC-EtM support:             False
                                   * Strict key exchange support: True
                                   * Mitigation status:           mitigated
                    ERROR    error creating sftp client - no ssh client!
                    INFO     ℹ 156199d2-7ee8-4caa-9b26-dc52b3050815 -
                             local port forwarding
                             SOCKS port: 44645
                               SOCKS4:
                                 * socat: socat TCP-LISTEN:LISTEN_PORT,fork
                             socks4:127.0.0.1:DESTINATION_ADDR:DESTINATION_PORT,sockspo
                             rt=44645
                                 * netcat: nc -X 4 -x localhost:44645
                             address port
                               SOCKS5:
                                 * netcat: nc -X 5 -x localhost:44645
                             address port
[11/06/25 14:20:19] ERROR    ❗ ssh agent not forwarded. Login to remote
                             host not possible with publickey authentication.
                             ℹ To intercept clients without a forwarded
                             agent, you can provide credentials for a honeypot.
                    WARNING  (('::ffff:127.0.0.1', 45668, 0, 0)->('::ffff:127.0.0.1',
                             10022, 0, 0)) session not started
                    INFO     ℹ session
                             156199d2-7ee8-4caa-9b26-dc52b3050815 closed

Running a direct connection to the listening server with the same parameters gets me an SFTP session:

jubeor@ROG-WIN:~/repos/XXXXX/demo/sftp/std/testing$ sftp -o PubkeyAuthentication=no -o PasswordAuthentication=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR -P 22 [email protected]
Connected to 192.168.69.2.
sftp> pwd
Remote working directory: ./demo/sftp/std/testing/out/
sftp> 

[manfred-kaiser]

Hello,

you are using sftp with -o PubkeyAuthentication=no -o PasswordAuthentication=no.
At the moment SSH-MITM only supports publickey or password authentication.

You can use none authentication, but this was only implemented to check if clients can be forced to login and to use the trivial authentication exploit (https://docs.ssh-mitm.at/user_guide/trivialauth.html)

Depending on your openssh client version you have 2 options. If you are using a recent openssh version you can forward your ssh agent. This can be done with the argument -A - even for scp and sftp.

The second option, which will also work on older openssh clients, where sftp does not support agent forwarding, you can provide credentials for the remote host.

  --auth-username AUTH_USERNAME
                        username for remote authentication
  --auth-password AUTH_PASSWORD
                        password for remote authentication
  --auth-key AUTH_KEY   ssh private key for remote authentication

You can also configure fallback credentials. In this case SSH-MITM tries to authenticate with provided credentials (password, ssh-agent). If the authentication does not work, the fallback credentials are used. You can also redirect the connection to a different server.

AuthenticationFallback:
  Options for the authentication fallback to a honey pot

  --enable-auth-fallback
                        enabled the fallback to a hoenypot when authentication not possible
  --fallback-host FALLBACK_HOST
                        fallback host for the honeypot
  --fallback-port FALLBACK_PORT
                        fallback port for the honeypot
  --fallback-username FALLBACK_USERNAME
                        username for the honeypot
  --fallback-password FALLBACK_PASSWORD
                        password for the honeypot

[jubeormk1]

Thanks for the answer. I see all the options that I have