How do I troubleshoot connecting to my EC2 Linux instance using an SFTP connection?

Last updated: 2021-05-04

I can't connect to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance using a Secure File Transfer Protocol (SFTP) connection. Or, I'm receiving the error "remote readdir Permission denied". How can I troubleshoot this?

Short description

There are multiple reasons why connecting to your EC2 instance through an SFTP connection might fail. The following are troubleshooting steps for common connection problems:

  • Verify that your instance meets SSH connection prerequisites.
  • Log in to the instance with verbose messaging on to identify the error.
  • Review the authentication and system logs for errors.
  • Verify that the SSHD configuration file has Subsystem for SFTP configured.
  • Resolve a Remote readdir Permission denied error.

Resolution

Verify that your instance meets SSH connection prerequisites

SFTP works on top of SSH. Verify that the instance meets all SSH connection prerequisites. For a list of prerequisites, see Connect to your Linux instance using SSH.

Log in to the instance with verbose messaging on to identify the error

The following are common connection error messages:

  • Connection timed out or Connection refused
  • Permission denied or Authentication failed
  • Server refused our key

For information on logging in to your instance with verbose messaging on and how to resolve these and other SSH-related errors, see How do I troubleshoot connecting to my Amazon EC2 Linux instance using SSH?

If you enabled EC2 Serial Console, you can use it to troubleshoot supported Nitro-based instance types. The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without the need for a working network connection. You can access the serial console using the Amazon EC2 console or the AWS Command Line Interface (AWS CLI).

Before using the serial console. grant access to it at the account level. Then, create AWS Identity and Access Management (IAM) policies granting access to your IAM users. Also, every instance using the serial console must include at least one password-based user. For information on configuring the EC2 Serial Console, see Configure access to the EC2 Serial Console.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Review the authentication and system logs for errors

RHEL and Fedora authentication log:

$ sudo less /var/log/secure

RHEL and Fedora generic system logs:

$ sudo less /var/log/messages

Debian and Ubuntu authentication log:

$ sudo less /var/log/auth.log

Debian and Ubuntu generic system logs:

$ sudo less /var/log/syslog

Verify that the SSHD configuration file has Subsystem for SFTP configured

Verify the SSHD configuration file has the subsystem for SFTP configured and that the shared object file for sftp-server exists in the respective directory. If the SFTP connection closes due to a missing SFTP subsystem, then the log might show that a subsystem request failed on channel 0 error.

RHEL and Fedora-based distributions:

$ sudo grep Subsystem /etc/ssh/sshd_config
Subsystem sftp    /usr/libexec/openssh/sftp-server
$ sudo ls -l /usr/libexec/openssh/sftp-server
-rwxr-xr-x. 1 root root 100784 Jun 26  2019 /usr/libexec/openssh/sftp-server

Debian and Ubuntu-based distributions:

$ sudo grep Subsystem /etc/ssh/sshd_config
Subsystem    sftp    /usr/lib/openssh/sftp-server
$ sudo ls -l /usr/lib/openssh/sftp-server
-rwxr-xr-x 1 root root 105608 Mar  4  2019 /usr/lib/openssh/sftp-server

For more information, see the Subsystem section in sshd_config on the Linux man page.

Resolve a remote readdir Permission denied error

The error remote readdir Permission denied indicates that the user attempting the SFTP connection doesn't have the correct permissions. The user must at a minimum have read and execute permission to switch to a target directory.

Use the following command to verify that the user has permission to access the target directory:

ls -ldZ /directory

Use the following command to check for access control list (ACL) permissions restricting user access:

getfacl /directory

Use the following command to verify that SELinux is enabled:

getenforce

If SELinux is enabled, then review /var/log/audit/audit.log or /var/log/audit.log for permission denied errors based on SELinux context.


Did this article help?


Do you need billing or technical support?