How do I troubleshoot connecting to my EC2 Linux instance using an SFTP connection?
Last updated: 2020-12-09
I can't connect to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance using a Secure File Transfer Protocol (SFTP) connection. Or, I'm receiving the error "remote readdir Permission denied". How can I troubleshoot this?
Short description
There are multiple reasons why connecting to your EC2 instance through an SFTP connection might fail. The following are troubleshooting steps for common connection problems:
- Verify that your instance meets SSH connection prerequisites.
- Log in to the instance with verbose messaging on to identify the error.
- Review the authentication and system logs for errors.
- Verify that the SSHD configuration file has Subsystem for SFTP configured.
- Resolve a Remote readdir Permission denied error.
Resolution
Verify that your instance meets SSH connection prerequisites
SFTP works on top of SSH. Verify that the instance meets all SSH connection prerequisites. For a list of prerequisites, see Connecting to your Linux instance using SSH.
Log in to the instance with verbose messaging on to identify the error
The following are common connection error messages:
- Connection timed out or Connection refused
- Permission denied or Authentication failed
- Server refused our key
For information on logging in to your instance with verbose messaging on and how to resolve these and other SSH-related errors, see How do I troubleshoot connecting to my Amazon EC2 Linux instance using SSH?
Review the authentication and system logs for errors
RHEL and Fedora authentication log:
$ sudo less /var/log/secure
RHEL and Fedora generic system logs:
$ sudo less /var/log/messages
Debian and Ubuntu authentication log:
$ sudo less /var/log/auth.log
Debian and Ubuntu generic system logs:
$ sudo less /var/log/syslog
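Paging through the whole log is slow on a busy instance. The following shell functions, added here as an example and not part of the original article, pick the authentication log that the distribution writes to and pull out only the sshd lines that explain a refused SSH or SFTP session. The match patterns are OpenSSH's own log messages; the host names, PIDs and addresses in the sample used to exercise it are constructed.

```sh
#!/bin/sh
# Added example, not from the AWS article. Assumes Linux with OpenSSH's sshd
# logging through syslog or journald; the sample log lines are constructed.

# auth_log_path: print the authentication log this distribution writes to.
# RHEL, Fedora and Amazon Linux use /var/log/secure; Debian and Ubuntu use
# /var/log/auth.log. Returns 1 on systemd-only hosts with neither file, where
# "journalctl -u sshd" (RHEL family) or "journalctl -u ssh" (Debian family)
# is the equivalent.
auth_log_path() {
  if [ -r /var/log/secure ]; then
    echo /var/log/secure
  elif [ -r /var/log/auth.log ]; then
    echo /var/log/auth.log
  else
    return 1
  fi
}

# sshd_failures LOGFILE: print the sshd lines that explain why a session was
# refused. The "subsystem request for sftp ... failed" line is what the server
# logs when the client reports "subsystem request failed on channel 0"; the
# "Authentication refused: bad ownership or modes" line is the server-side
# reason for a "Permission denied (publickey)" on the client.
sshd_failures() {
  grep -E 'sshd\[[0-9]+\]:' "$1" | grep -E \
    -e 'Failed (password|publickey|keyboard-interactive)' \
    -e 'Authentication refused' \
    -e 'Invalid user' \
    -e 'subsystem request for sftp .* failed' \
    -e 'Connection closed by authenticating user' \
    -e '(error|fatal):'
}

# Usage on the instance (needs root to read the log):
#   sudo sh -c '. ./sshd_triage.sh; sshd_failures "$(auth_log_path)"'
```

Run the client with `sftp -vvv` at the same time so that the client-side error and the server-side line can be matched by timestamp.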
Verify that the SSHD configuration file has Subsystem for SFTP configured
Verify that the SSHD configuration file has the sftp subsystem configured and that the sftp-server binary named on the Subsystem line exists and is executable. If the line reads Subsystem sftp internal-sftp instead, sshd provides the subsystem itself and there is no separate binary to check. If the SFTP connection closes because the subsystem isn't configured, the client reports an error such as subsystem request failed on channel 0.
RHEL and Fedora-based distributions:
$ sudo grep Subsystem /etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server
$ sudo ls -l /usr/libexec/openssh/sftp-server
-rwxr-xr-x. 1 root root 100784 Jun 26 2019 /usr/libexec/openssh/sftp-server
Debian and Ubuntu-based distributions:
$ sudo grep Subsystem /etc/ssh/sshd_config
Subsystem sftp /usr/lib/openssh/sftp-server
$ sudo ls -l /usr/lib/openssh/sftp-server
-rwxr-xr-x 1 root root 105608 Mar 4 2019 /usr/lib/openssh/sftp-server
For more information, see the Subsystem section of the sshd_config(5) man page.
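The grep above also matches commented-out lines and does not tell you whether the handler is usable. The following shell function, added here as an example and not the article's own code, reads the active Subsystem sftp line from an sshd_config, accepts internal-sftp as valid, checks that a path handler exists and is executable, and flags a duplicate definition (sshd refuses to start with "Subsystem 'sftp' already defined" in that case). It does not follow Include directives; the config files in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the AWS article. Assumes an OpenSSH sshd_config;
# the default path is /etc/ssh/sshd_config (pass another file to check it).
# Include directives (OpenSSH 8.2+) are not followed; "sudo sshd -T" prints
# the merged effective configuration if you need that view.

# check_sftp_subsystem [CONFIG]
# Returns 0 if a usable sftp handler is configured, 1 if it is missing,
# duplicated or broken, 2 if the file cannot be read. Subsystem is not valid
# inside Match blocks, so a single pass over the file is enough.
check_sftp_subsystem() {
  _cfg=${1:-/etc/ssh/sshd_config}
  [ -r "$_cfg" ] || { echo "cannot read $_cfg (try sudo)"; return 2; }
  # keywords are case-insensitive; tabs or spaces may separate the fields;
  # the regex skips commented lines, which sshd ignores too
  _re='^[[:space:]]*subsystem[[:space:]]+sftp[[:space:]]'
  _count=$(grep -icE "$_re" "$_cfg" || true)
  if [ "$_count" -eq 0 ]; then
    echo "MISSING: no active 'Subsystem sftp' line in $_cfg;" \
         "clients will see 'subsystem request failed on channel 0'"
    return 1
  fi
  if [ "$_count" -gt 1 ]; then
    echo "DUPLICATE: $_count 'Subsystem sftp' lines in $_cfg;" \
         "sshd will fail with \"Subsystem 'sftp' already defined\" (run sshd -t)"
    return 1
  fi
  _line=$(grep -iE "$_re" "$_cfg" | head -n 1)
  set -- $_line            # $1=Subsystem $2=sftp $3=handler $4...=handler args
  _handler=$3
  case $_handler in
    internal-sftp)
      echo "OK: $_cfg uses internal-sftp, which is built into sshd (no binary to check)"
      return 0 ;;
    /*)
      if [ -x "$_handler" ]; then
        echo "OK: $_cfg uses $_handler (present and executable)"
        return 0
      fi
      echo "BROKEN: $_handler from $_cfg is missing or not executable;" \
           "fix the path or reinstall the openssh-server package"
      return 1 ;;
    *)
      echo "CHECK: unexpected handler '$_handler' in $_cfg" \
           "(expected internal-sftp or an absolute path)"
      return 1 ;;
  esac
}

# Usage on the instance:  sudo sh -c '. ./check_sftp.sh; check_sftp_subsystem'
```

After editing sshd_config, run `sudo sshd -t` to validate the syntax before restarting the service; a config error there takes down SSH as well as SFTP.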
Resolve a remote readdir Permission denied error
The error remote readdir Permission denied indicates that the user attempting the SFTP connection doesn't have the correct permissions on the target directory. To enter a directory, the user needs execute (search) permission on it and on every parent directory in the path; to list its contents (readdir), the user also needs read permission on the directory itself.
Use the following command to verify that the user has permission to access the target directory:
ls -ldZ /directory
Use the following command to check for access control list (ACL) permissions restricting user access:
getfacl /directory
Use the following command to verify that SELinux is enabled:
getenforce
If SELinux is enforcing, then review /var/log/audit/audit.log or /var/log/audit.log for AVC denials (lines containing avc: denied) that name sftp-server or sshd and the target directory; a directory whose mode bits look correct can still be blocked by its SELinux context.
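ls -ldZ shows only the target directory, but the search bit must be present on every directory above it as well. The following shell functions, added here as an example and not part of the original article, walk the path from / down to the target and report the first component that denies a given user what SFTP needs, using the classic mode bits; ACLs and SELinux are left to getfacl and the audit log. They assume Linux with GNU coreutils (stat -c), and the directory tree in the test is constructed.

```sh
#!/bin/sh
# Added example, not from the AWS article. Assumes Linux with GNU coreutils
# (stat -c). Checks only the classic owner/group/other mode bits: POSIX ACLs
# and SELinux are covered by getfacl, ls -Z and the audit log, not by this.

# effective_perms PATH USER: print the rwx triplet that applies to USER on
# PATH: owner bits if USER owns it, group bits if USER is in its group,
# otherwise the "other" bits. root is deliberately not special-cased, since
# the question is what a non-root SFTP user is granted.
effective_perms() {
  _out=$(stat -c '%A %U %G' "$1") || return 1
  set -- $_out "$2"           # $1=mode string, $2=owner, $3=group, $4=user
  if [ "$2" = "$4" ]; then
    printf '%s\n' "$1" | cut -c2-4
  elif id -Gn "$4" 2>/dev/null | tr ' ' '\n' | grep -qx "$3"; then
    printf '%s\n' "$1" | cut -c5-7
  else
    printf '%s\n' "$1" | cut -c8-10
  fi
}

# check_sftp_path DIR USER: walk from / down to DIR and report the first
# component that denies USER what SFTP needs: search (x) on every directory
# on the way, plus read (r) on DIR itself for readdir. Returns 0 if all good.
check_sftp_path() {
  _dir=$1 _user=$2
  case $_dir in /*) ;; *) _dir=$(pwd)/$_dir ;; esac
  _oldifs=$IFS; IFS=/; set -- $_dir; IFS=$_oldifs   # split into components
  _cur=""
  for _comp in / "$@"; do
    [ -n "$_comp" ] || continue
    if [ "$_comp" = / ]; then _cur=/; else _cur="${_cur%/}/$_comp"; fi
    _perms=$(effective_perms "$_cur" "$_user") || { echo "cannot stat $_cur"; return 1; }
    case $_perms in
      ??[xst]) ;;       # search bit set (x, or setgid/sticky with x underneath)
      *) echo "DENIED: $_user lacks search (x) on $_cur ($_perms)"; return 1 ;;
    esac
  done
  # every directory on the way is enterable; readdir on DIR needs read too
  case $_perms in
    r??) echo "OK: $_user can enter and list $_cur ($_perms)"; return 0 ;;
    *)   echo "DENIED: $_user lacks read (r) on $_cur ($_perms); readdir fails"; return 1 ;;
  esac
}

# Usage on the instance, for the SFTP user and the directory it cannot list:
#   check_sftp_path /var/www/uploads sftpuser
```

On hosts with util-linux, `namei -l /directory` prints the owner, group and mode of every component in one command, which is the same walk by hand. When SELinux is enforcing and the mode bits check out, `sudo ausearch -m avc -ts recent` lists the recent denials without paging through the whole audit log.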