I can't connect to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance through a Secure File Transfer Protocol (SFTP) connection. Or, I receive the error "remote readdir Permission denied".
Resolution
There are multiple reasons why you might fail to connect to your EC2 instance through an SFTP connection. To troubleshoot your connection, complete the following steps.
Verify that your instance meets SSH connection prerequisites
SFTP works on top of SSH. Verify that the instance meets all SSH connection prerequisites. For a list of prerequisites, see Connect to your Linux instance from Linux or macOS using SSH.
Log in to the instance with verbose messaging on to identify the error
You might receive one of the following common connection errors:
- Connection timed out or Connection refused
- Permission denied or Authentication failed
- Server refused our key
For more information on verbose messaging and how to resolve SSH errors, see How can I troubleshoot connecting to my Amazon EC2 Linux instance using SSH?
If you turned on the EC2 Serial Console, you can use it to troubleshoot supported Nitro-based instance types. The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without the need for a working network connection. You can access the serial console through the Amazon EC2 console or the AWS Command Line Interface (AWS CLI).
Before you use the serial console, grant access to it at the account level. Then, create AWS Identity and Access Management (IAM) policies that grant access to your IAM users. Every instance that uses the serial console must include at least one password-based user. For more information, see Configure access to the EC2 Serial Console.
Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent AWS CLI version.
Review the authentication and system logs for errors
Amazon Linux, Amazon Linux2, RHEL, and Fedora authentication log
$ sudo less /var/log/secure
Amazon Linux, Amazon Linux2, RHEL, and Fedora generic system logs
$ sudo less /var/log/messages
Debian and Ubuntu authentication log
$ sudo less /var/log/auth.log
Debian and Ubuntu generic system logs
$ sudo less /var/log/syslog
Amazon Linus 2023
Check sshd logs:
journalctl -u sshd
Check generic system logs:
journalctl -a
Verify that the SSHD configuration file has Subsystem for SFTP configured
Verify that the SSHD configuration file has the subsystem for SFTP configured and that the shared object file for sftp-server exists in the respective directory. If the SFTP connection closes because of a missing SFTP subsystem, then the log might show a subsystem request failed on channel 0 error.
RHEL and Fedora-based distributions
$ sudo grep Subsystem /etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server
$ sudo ls -l /usr/libexec/openssh/sftp-server
-rwxr-xr-x. 1 root root 100784 Jun 26 2019 /usr/libexec/openssh/sftp-server
Debian and Ubuntu-based distributions
$ sudo grep Subsystem /etc/ssh/sshd_config
Subsystem sftp /usr/lib/openssh/sftp-server
$ sudo ls -l /usr/lib/openssh/sftp-server
-rwxr-xr-x 1 root root 105608 Mar 4 2019 /usr/lib/openssh/sftp-server
For more information, see the Subsystem section in sshd_config on the Linux man page.
Resolve a remote readdir Permission denied error
The error remote readdir Permission denied indicates that the user doesn't have the correct permissions to connect to SFTP. The user must have at least read and execute permission to switch to a target directory.
Verify that the user has permission to access the target directory:
ls -ldZ /directory
Check for access control list (ACL) permissions restricting user access:
getfacl /directory
Verify that you activated SELinux:
getenforce
If you activated SELinux, then review /var/log/audit/audit.log or /var/log/audit.log for permission denied errors based on SELinux context.