This error occurs when an SFTP connection is abruptly terminated by the server during transfer. Common causes include chroot directory permission issues, IP blocking from failed attempts, network timeouts, firewall restrictions, or key exchange algorithm mismatches.
The "Couldn't read packet: Connection reset by peer" error indicates that the SFTP client was unable to read incoming data because the remote SSH server forcefully closed the TCP connection. Unlike a graceful disconnect, "reset by peer" means the server terminated the connection immediately without proper shutdown handshaking. This typically happens during the SFTP session phaseβafter SSH authentication succeeds but during file operations or subsystem initialization. The error message comes from the SFTP client layer, which sits on top of SSH, and signals that the underlying SSH connection was severed unexpectedly. The "peer" in this context is the remote SSH server, and "reset" means it sent a TCP RST packet, abruptly ending the connection. This is distinct from timeouts (no response) or other errors.
Run the SFTP client with maximum verbosity to see exactly where the connection fails. This helps identify whether the issue is during authentication, subsystem initialization, or data transfer.
sftp -vvv user@hostnameLook for the last successful message before the "Couldn't read packet" error. Common failure points:
- During SSH banner exchange (network/firewall issue)
- During key exchange (algorithm mismatch)
- After SSH2_MSG_CHANNEL_OPEN_CONFIRMATION (chroot/permissions issue)
- During SFTP SSH2_FXP_INIT (server subsystem problem)
Save the output to review for the next steps:
sftp -vvv user@hostname 2>&1 | tee sftp-debug.logBefore troubleshooting SSH configuration, confirm that the network path is open.
# Test if port 22 is reachable
nc -zv hostname 22
# Or using timeout to avoid hanging
timeout 5 bash -c 'cat < /dev/null > /dev/tcp/hostname/22'If the connection is refused, check:
- SSH daemon is running on the server: sudo systemctl status ssh or service sshd status
- Firewall allows incoming port 22: sudo ufw status or sudo iptables -L -n
- Cloud security group or network ACL allows SSH (AWS, GCP, Azure, etc.)
- No intrusion prevention system (IDS) blocking the traffic
On the server, check SSH logs for clues:
sudo tail -f /var/log/auth.log # Linux
sudo log stream --predicate 'process == "sshd"' # macOSIf you have access to the server, verify your IP is not blocked by fail2ban or other blocklists.
# Check fail2ban status and banned IPs
sudo fail2ban-client status
sudo fail2ban-client status sshd
# See all banned IPs across all jails
sudo fail2ban-client bannedIf your IP is banned, unban it:
sudo fail2ban-client set sshd unbanip <YOUR_IP>Also check TCP wrappers allow your IP:
cat /etc/hosts.allow
cat /etc/hosts.denyIf your IP appears in hosts.deny, remove it or add it to hosts.allow with a more specific rule:
sshd: <YOUR_IP>If the SFTP server uses chroot (restricts users to a home directory), the directory structure must have specific ownership for the connection to work.
Verify the structure:
# Example: /home/sftpuser as home, /home/sftpuser/incoming as writable directory
ls -ld /home/sftpuser
ls -ld /home/sftpuser/incomingExpected permissions:
drwx------ root root /home/sftpuser # Root owns, mode 700
drwx------ sftpuser sftpuser /home/sftpuser/incoming # User owns, mode 700Fix if incorrect:
sudo chown root:root /home/sftpuser
sudo chmod 700 /home/sftpuser
sudo chown sftpuser:sftpuser /home/sftpuser/incoming
sudo chmod 700 /home/sftpuser/incomingCheck the SFTP subsystem configuration in SSH daemon config:
grep -i sftp /etc/ssh/sshd_configIt should look similar to:
Subsystem sftp /usr/lib/openssh/sftp-serverOr with chroot:
Match User sftpuser
ChrootDirectory /home/sftpuser
AllowTcpForwarding no
X11Forwarding no
PermitTTY no
Subsystem sftp internal-sftpAfter changes, reload the SSH service:
sudo systemctl reload sshIf the client and server have incompatible cryptographic algorithms, the connection fails during key exchange.
List available algorithms on the server:
ssh -Q kex
ssh -Q cipher
ssh -Q macTry connecting with an explicit algorithm if you know a compatible one:
sftp -o KexAlgorithms=diffie-hellman-group14-sha256 user@hostname
sftp -o Ciphers=aes128-ctr user@hostnameFor older servers with legacy algorithms, enable them client-side:
sftp -o KexAlgorithms=diffie-hellman-group1-sha1 user@hostnameOr add to ~/.ssh/config for persistent connections:
Host problematic-server
User sftpuser
KexAlgorithms diffie-hellman-group14-sha1
Ciphers aes128-cbc
HostKeyAlgorithms ssh-rsaNote: Older algorithms have security weaknesses. Update the server if possible instead of relying on legacy settings.
Network latency or server overload can cause timeouts. Increase the timeout:
sftp -o ConnectTimeout=30 -o ServerAliveInterval=60 user@hostnameOr add to ~/.ssh/config:
Host *
ServerAliveInterval 60
ServerAliveCountMax 5
ConnectTimeout 30On the server, increase connection limits in /etc/ssh/sshd_config:
# Increase max concurrent unauthenticated connections
MaxStartups 100:30:200
# Increase max sessions per connection
MaxSessions 10
# Increase max auth tries
MaxAuthTries 10
# Adjust keepalive
ClientAliveInterval 60
ClientAliveCountMax 5Reload the SSH service:
sudo systemctl reload sshThe SFTP subsystem must be correctly configured in the SSH daemon. Check if it's enabled and accessible:
grep -i "Subsystem sftp" /etc/ssh/sshd_configYou should see one of:
Subsystem sftp /usr/lib/openssh/sftp-server # Standard path
Subsystem sftp internal-sftp # Built-in (more secure)Verify the binary exists and is executable:
which sftp-server
# Or check common paths
ls -l /usr/lib/openssh/sftp-server
ls -l /usr/libexec/sftp-serverIf the subsystem is missing, install OpenSSH server:
sudo apt-get install openssh-server # Debian/Ubuntu
sudo yum install openssh-server # RHEL/CentOSIf still not found, check the correct path for your system and update sshd_config.
Also ensure the SSH service is restarted after any sshd_config changes:
sudo systemctl restart sshServer-side resource exhaustion can cause abrupt disconnections. Check:
# CPU and memory usage
top -bn1 | head -20
# Disk space
df -h
# SSH daemon status
sudo systemctl status ssh
sudo systemctl status sshd
# System logs for errors or crashes
sudo journalctl -u ssh -n 50
sudo journalctl -u sshd -n 50
sudo tail -100 /var/log/auth.logIf disk is full:
sudo du -sh /* | sort -rh | head -10 # Find large directories
df -h # Confirm free spaceClean up space and restart SSH:
# Remove old logs (be careful with this)
sudo journalctl --vacuum=time:7d
sudo systemctl restart sshRootless Docker and SFTP: If running SSH in a rootless Docker container, ensure file permissions are correctly mapped. The container's SSH daemon must have proper access to the home directory and any chroot target.
SELinux Contexts: On SELinux-enabled systems (RHEL, CentOS), incorrect SELinux contexts can block SFTP even with correct file permissions. Check: ls -Z /home/sftpuser and verify contexts are appropriate for SSH (typically user_home_dir_t or similar).
Distro Differences: The path to sftp-server varies by distribution:
- Debian/Ubuntu: /usr/lib/openssh/sftp-server
- RHEL/CentOS: /usr/libexec/sftp-server
- Alpine: /usr/lib/ssh/sftp-server
Using `internal-sftp` (Recommended): Modern SSH daemons support internal-sftp in sshd_config, which is faster and more secure than running the external binary. Use it with chroot for better isolation:
Match User sftpuser
ChrootDirectory /home/sftpuser
ForceCommand internal-sftpConnection Pooling: If your application makes many concurrent SFTP connections, consider implementing connection pooling to reduce handshake overhead and lower the risk of hitting server limits.
Proxy/Jump Hosts: If connecting through an SSH jump host, the intermediate host must also support SSH protocol 2 and have a working SFTP subsystem. Test direct connectivity first before debugging through a proxy.
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
How to fix SSH man-in-the-middle attack warning in SSH
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
How to fix "WARNING: UNPROTECTED PRIVATE KEY FILE!" in SSH
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
Bad owner or permissions on /home/user/.ssh/known_hosts
How to fix "Bad owner or permissions on known_hosts" in SSH
It is required that your private key files are NOT accessible by others.
How to fix "private key files are NOT accessible by others" in SSH