How do I troubleshoot connecting to my EC2 Linux instance using an SFTP connection?


I can't connect to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance through a Secure File Transfer Protocol (SFTP) connection. Or, I receive the error "remote readdir Permission denied".

Resolution

There are multiple reasons why you might fail to connect to your EC2 instance through an SFTP connection. To troubleshoot your connection, complete the following steps.

Verify that your instance meets SSH connection prerequisites

SFTP works on top of SSH. Verify that the instance meets all SSH connection prerequisites. For a list of prerequisites, see Connect to your Linux instance from Linux or macOS using SSH.

Log in to the instance with verbose messaging on to identify the error

You might receive one of the following common connection errors:

  • Connection timed out or Connection refused
  • Permission denied or Authentication failed
  • Server refused our key

For more information on verbose messaging and how to resolve SSH errors, see How can I troubleshoot connecting to my Amazon EC2 Linux instance using SSH?

If you turned on the EC2 Serial Console, you can use it to troubleshoot supported Nitro-based instance types. The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without the need for a working network connection. You can access the serial console through the Amazon EC2 console or the AWS Command Line Interface (AWS CLI).

Before you use the serial console, grant access to it at the account level. Then, create AWS Identity and Access Management (IAM) policies that grant access to your IAM users. Every instance that uses the serial console must include at least one password-based user. For more information, see Configure access to the EC2 Serial Console.

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent AWS CLI version.

Review the authentication and system logs for errors

Amazon Linux, Amazon Linux 2, RHEL, and Fedora authentication log

$ sudo less /var/log/secure

Amazon Linux, Amazon Linux 2, RHEL, and Fedora generic system logs

$ sudo less /var/log/messages

Debian and Ubuntu authentication log

$ sudo less /var/log/auth.log

Debian and Ubuntu generic system logs

$ sudo less /var/log/syslog

Amazon Linux 2023

Check the sshd logs:

$ journalctl -u sshd

Check the generic system logs:

$ journalctl -a

Verify that the SSHD configuration file has Subsystem for SFTP configured

Verify that the SSHD configuration file has the SFTP subsystem configured and that the sftp-server binary it points to exists in the respective directory. If the SFTP connection closes because of a missing SFTP subsystem, then the log might show the error "subsystem request failed on channel 0".

RHEL and Fedora-based distributions

$ sudo grep Subsystem /etc/ssh/sshd_config
Subsystem sftp    /usr/libexec/openssh/sftp-server
$ sudo ls -l /usr/libexec/openssh/sftp-server
-rwxr-xr-x. 1 root root 100784 Jun 26  2019 /usr/libexec/openssh/sftp-server

Debian and Ubuntu-based distributions

$ sudo grep Subsystem /etc/ssh/sshd_config
Subsystem    sftp    /usr/lib/openssh/sftp-server
$ sudo ls -l /usr/lib/openssh/sftp-server
-rwxr-xr-x 1 root root 105608 Mar  4  2019 /usr/lib/openssh/sftp-server

For more information, see the Subsystem section of the sshd_config Linux man page.
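The two manual checks above (grep the Subsystem line, then ls the helper it names) can be folded into one script. The following is an added example and is not from the AWS article: it reads the config file you pass in (defaulting to /etc/ssh/sshd_config), ignores commented-out lines, accepts the in-process internal-sftp helper, and returns a distinct exit status for "no subsystem line" versus "helper missing or not executable". The function names and exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the AWS article: check that an sshd_config file
# declares the sftp subsystem and that the helper it names can actually run.
# Usage: sh check_sftp_subsystem.sh [path-to-sshd_config]
# Exit status: 0 = OK, 1 = no active "Subsystem sftp" line,
#              2 = the helper named in that line is missing or not executable.

# Print the helper path from the first active "Subsystem sftp ..." line.
# Commented-out lines are skipped; sshd itself honours the first match.
sftp_subsystem_path() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "subsystem" && tolower($2) == "sftp" { print $3; exit }
    ' "$1"
}

check_sftp_subsystem() {
    cfg="${1:-/etc/ssh/sshd_config}"
    helper=$(sftp_subsystem_path "$cfg")
    if [ -z "$helper" ]; then
        echo "FAIL: $cfg has no active 'Subsystem sftp' line" \
             "(clients would report 'subsystem request failed on channel 0')"
        return 1
    fi
    # internal-sftp is built into sshd; there is no external file to check.
    if [ "$helper" = "internal-sftp" ]; then
        echo "OK: $cfg uses the in-process SFTP server (internal-sftp)"
        return 0
    fi
    if [ -x "$helper" ]; then
        echo "OK: $cfg -> $helper exists and is executable"
        return 0
    fi
    echo "FAIL: $cfg names $helper, but it is missing or not executable"
    return 2
}

# When run as a script with a path argument, check that file (sudo is needed
# to read the real /etc/ssh/sshd_config on most distributions).
if [ $# -gt 0 ]; then
    check_sftp_subsystem "$1"
fi
```

Run it as `sudo sh check_sftp_subsystem.sh /etc/ssh/sshd_config`; a non-zero exit tells you which of the two conditions to fix before retrying the SFTP connection.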

Resolve a remote readdir Permission denied error

The error "remote readdir Permission denied" indicates that the SFTP user doesn't have the permissions needed to read the directory. The user must have at least read and execute permission on the target directory to switch to it and list its contents.

Verify that the user has permission to access the target directory:

ls -ldZ /directory

Check for access control list (ACL) permissions restricting user access:

getfacl /directory

Verify that you activated SELinux:

getenforce

If SELinux is activated, then review /var/log/audit/audit.log or /var/log/audit.log for permission denied entries caused by the SELinux context of the directory.
