How do I troubleshoot connecting to my EC2 Linux instance using an SFTP connection?
Last updated: 2021-05-04
I can't connect to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance using a Secure File Transfer Protocol (SFTP) connection. Or, I'm receiving the error "remote readdir Permission denied". How can I troubleshoot this?
There are multiple reasons why connecting to your EC2 instance through an SFTP connection might fail. The following are troubleshooting steps for common connection problems:
- Verify that your instance meets SSH connection prerequisites.
- Log in to the instance with verbose messaging on to identify the error.
- Review the authentication and system logs for errors.
- Verify that the SSHD configuration file has Subsystem for SFTP configured.
- Resolve a Remote readdir Permission denied error.
Verify that your instance meets SSH connection prerequisites
SFTP works on top of SSH. Verify that the instance meets all SSH connection prerequisites. For a list of prerequisites, see Connect to your Linux instance using SSH.
Log in to the instance with verbose messaging on to identify the error
The following are common connection error messages:
- Connection timed out or Connection refused
- Permission denied or Authentication failed
- Server refused our key
For information on logging in to your instance with verbose messaging on and how to resolve these and other SSH-related errors, see How do I troubleshoot connecting to my Amazon EC2 Linux instance using SSH?
If you enabled EC2 Serial Console, you can use it to troubleshoot supported Nitro-based instance types. The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without the need for a working network connection. You can access the serial console using the Amazon EC2 console or the AWS Command Line Interface (AWS CLI).
Before using the serial console, grant access to it at the account level. Then, create AWS Identity and Access Management (IAM) policies granting access to your IAM users. Also, every instance using the serial console must have at least one password-based user. For information on configuring the EC2 Serial Console, see Configure access to the EC2 Serial Console.
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
Review the authentication and system logs for errors
RHEL and Fedora authentication log:
$ sudo less /var/log/secure
RHEL and Fedora generic system logs:
$ sudo less /var/log/messages
Debian and Ubuntu authentication log:
$ sudo less /var/log/auth.log
Debian and Ubuntu generic system logs:
$ sudo less /var/log/syslog
Verify that the SSHD configuration file has Subsystem for SFTP configured
Verify that the sshd configuration file has the Subsystem directive for SFTP and that the sftp-server binary it names exists at that path. If the SFTP connection closes because the subsystem is missing, the client's verbose output shows "subsystem request failed on channel 0" and sshd's log records that the subsystem request for sftp failed.
RHEL and Fedora-based distributions:
$ sudo grep Subsystem /etc/ssh/sshd_config
Subsystem sftp /usr/libexec/openssh/sftp-server
$ sudo ls -l /usr/libexec/openssh/sftp-server
-rwxr-xr-x. 1 root root 100784 Jun 26 2019 /usr/libexec/openssh/sftp-server
Debian and Ubuntu-based distributions:
$ sudo grep Subsystem /etc/ssh/sshd_config
Subsystem sftp /usr/lib/openssh/sftp-server
$ sudo ls -l /usr/lib/openssh/sftp-server
-rwxr-xr-x 1 root root 105608 Mar 4 2019 /usr/lib/openssh/sftp-server
For more information, see the Subsystem entry in the sshd_config(5) man page.
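The two checks above (the sshd_config Subsystem line and the log review from the previous section) can be scripted. The following is an added example, not code from the AWS article: it reads one sshd_config file for a usable SFTP subsystem, and filters an auth log in the syslog line format of /var/log/auth.log or /var/log/secure down to the lines that explain a failed SFTP session. The log lines it ships with are constructed samples modelled on sshd's and sftp-server's message wording, not captured data, and the file paths in the usage comment are the defaults shown on this page.

```sh
#!/bin/sh
# Added example, not code from the AWS article: check one sshd_config for a
# usable SFTP subsystem and pull the lines out of an auth log that explain an
# SFTP failure. Assumptions: the config is a single file (OpenSSH 8.2+ can
# pull more in via Include, see the usage note below the block), and the log
# is in the syslog line format of /var/log/auth.log or /var/log/secure.

# Print the handler named by the first active "Subsystem sftp ..." line.
# Keywords are case-insensitive; commented lines start with "#" so their
# first field never equals "subsystem"; arguments after the path are ignored.
# sshd takes the first value for each keyword, so a later duplicate is noise.
sftp_subsystem_handler() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }' "$1"
}

# Exit status: 0 subsystem usable, 1 no active "Subsystem sftp" line,
# 2 the handler is not an executable file. "internal-sftp" is built into
# sshd, so there is no file to check (and it is the handler to pair with
# ChrootDirectory, since nothing inside the chroot has to be executed).
check_sftp_subsystem() {
    handler=$(sftp_subsystem_handler "$1")
    if [ -z "$handler" ]; then
        return 1
    fi
    if [ "$handler" = "internal-sftp" ]; then
        return 0
    fi
    if [ -f "$handler" ] && [ -x "$handler" ]; then
        return 0
    fi
    return 2
}

# Print the log lines worth reading after a failed SFTP session. The patterns
# follow sshd's own wording: the subsystem-not-found message that pairs with
# the client-side "subsystem request failed on channel 0", authentication
# failures that end the session before sftp starts, and sftp-server's
# "sent status Permission denied" (logged when it runs with -l INFO or higher).
sftp_log_hits() {
    grep -E 'sshd\[[0-9]+\]: (subsystem request for sftp by user [^ ]+ failed|Failed (password|publickey) for|Connection closed by (authenticating|invalid) user)|sftp-server\[[0-9]+\]: sent status' "$1" || :
}

# Constructed sample in auth.log format (not real log data) so the scan can
# be exercised offline; writes it to the file named in $1.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
May  4 10:00:01 ip-10-0-0-5 sshd[2101]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:c0nstructedFingerprint
May  4 10:00:01 ip-10-0-0-5 sshd[2101]: subsystem request for sftp by user alice failed, subsystem not found
May  4 10:00:05 ip-10-0-0-5 sshd[2109]: Failed password for bob from 203.0.113.6 port 51240 ssh2
May  4 10:00:05 ip-10-0-0-5 sshd[2109]: Connection closed by authenticating user bob 203.0.113.6 port 51240 [preauth]
May  4 10:01:10 ip-10-0-0-5 sftp-server[2150]: session opened for local user carol from [203.0.113.7]
May  4 10:01:12 ip-10-0-0-5 sftp-server[2150]: sent status Permission denied
EOF
}

# Usage on the instance:
#   check_sftp_subsystem /etc/ssh/sshd_config; echo "config check: $?"
#   sftp_log_hits /var/log/auth.log      # or /var/log/secure on RHEL and Fedora
```

On OpenSSH 8.2 and later, sshd_config may pull in /etc/ssh/sshd_config.d/*.conf through Include; the function above reads a single file, so when the line is not where you expect it, ask sshd for the effective configuration with `sudo sshd -T | grep -i subsystem` instead.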
Resolve a remote readdir Permission denied error
The error remote readdir Permission denied means that the user making the SFTP connection lacks the permissions needed on the target directory. The user must have execute permission on the directory (and on every directory in the path above it) to enter it, and read permission on the directory to list its contents; readdir is the listing step, so a directory the user can enter but not read produces exactly this error.
Use the following command to verify that the user has permission to access the target directory:
ls -ldZ /directory
Use the following command to check for access control list (ACL) entries restricting the user's access (a "+" at the end of the mode field in the ls output means an ACL is present):
getfacl /directory
Use the following command to verify whether SELinux is enabled, and in which mode:
getenforce
If SELinux is enabled, review the audit log (/var/log/audit/audit.log on most systems, or /var/log/audit.log) for AVC denial entries recorded against the directory's SELinux context; these denials don't appear in the sshd authentication log. Enforcing means the denials are applied, Permissive means they are only logged.
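The permission check described above can be reproduced offline. The following is an added example, not code from the AWS article: it emulates the discretionary access check that sftp-server (which runs as the logged-in user) performs when it walks to a directory and lists it, distinguishes the three shapes the failure can take (cannot enter, can enter but not list, path blocked higher up), and reports the two things the mode bits cannot tell you, an ACL and SELinux enforcement. Assumptions, stated in the code as well: root is not modelled, ACLs are flagged but not evaluated, SELinux is only reported, and DIR is an absolute path. The demo fixtures it creates under mktemp are constructed, not real data.

```sh
#!/bin/sh
# Added example, not code from the AWS article: emulate the discretionary
# access check that sftp-server (it runs as the logged-in user) performs when
# it walks to a directory and lists it. Entering a directory needs its x bit;
# readdir needs its r bit too, so a directory the user can enter but not
# read is exactly the "remote readdir Permission denied" case.
# Assumed limits: root is not modelled (CAP_DAC_OVERRIDE and
# CAP_DAC_READ_SEARCH bypass these bits, and SFTP as root is not the normal
# case); POSIX ACLs are flagged, not evaluated; SELinux is only reported.
# Run it as a user who can stat DIR (root on the instance) and pass the SFTP
# user's login name as USER and an absolute path as DIR.

# Print the rwx triplet of the class (owner, group or other) that applies to
# USER on DIR. ls -ld is POSIX; its line looks like
# "drwxr-x--- 2 alice sftp 4096 May  4 10:00 /srv/data". A trailing "+" (ACL)
# or "." (SELinux label) on the mode field does not shift the columns read.
dir_perm_triplet() {
    user="$1"; dir="$2"
    set -- $(ls -ld "$dir" 2>/dev/null)
    mode="$1"; owner="$3"; group="$4"
    if [ "$user" = "$owner" ]; then
        printf '%s\n' "$mode" | cut -c2-4
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qxF "$group"; then
        printf '%s\n' "$mode" | cut -c5-7
    else
        printf '%s\n' "$mode" | cut -c8-10
    fi
}

# Walk from / down to DIR and print the first component USER cannot traverse
# (x bit; lowercase s or t imply it). Print nothing if the whole path is
# traversable. Walking downward matters: anything below a directory the user
# cannot traverse cannot even be stat'ed as that user.
first_blocked_ancestor() {
    user="$1"; prefix=""
    oldifs=$IFS; IFS=/; set -- $2; IFS=$oldifs
    case "$(dir_perm_triplet "$user" /)" in ??[xst]) ;; *) echo /; return 0 ;; esac
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        prefix="$prefix/$comp"
        case "$(dir_perm_triplet "$user" "$prefix")" in
            ??[xst]) ;;
            *) printf '%s\n' "$prefix"; return 0 ;;
        esac
    done
}

# Exit status: 0 USER can enter and list DIR, 1 can enter but not list (the
# readdir error), 2 cannot enter DIR or one of its ancestors, 3 DIR is not a
# directory.
check_dir_listing() {
    [ -d "$2" ] || return 3
    [ -z "$(first_blocked_ancestor "$1" "$2")" ] || return 2
    case "$(dir_perm_triplet "$1" "$2")" in
        r??) return 0 ;;
        *)   return 1 ;;
    esac
}

# One-directory report: mode bits (with the SELinux label where ls has -Z),
# the verdict, and the two things mode bits cannot tell you: a POSIX ACL
# ("+" after the mode; getfacl shows it) and SELinux enforcement, whose
# denials go to the audit log rather than to sshd's log.
diagnose_dir() {
    user="$1"; dir="$2"
    ls -ldZ "$dir" 2>/dev/null || ls -ld "$dir"
    rc=0; check_dir_listing "$user" "$dir" || rc=$?
    case "$rc" in
        0) echo "$user can enter and list $dir" ;;
        1) echo "$user can enter but not list $dir: expect 'remote readdir Permission denied'" ;;
        2) echo "$user is blocked at $(first_blocked_ancestor "$user" "$dir")" ;;
        3) echo "$dir is not a directory" ;;
    esac
    case "$(ls -ld "$dir" | cut -d' ' -f1)" in
        *+) command -v getfacl >/dev/null && getfacl -p "$dir" ;;
    esac
    if command -v getenforce >/dev/null && [ "$(getenforce)" = "Enforcing" ]; then
        echo "SELinux is enforcing: check /var/log/audit/audit.log for AVC denials on $dir"
    fi
}

# Offline demonstration on constructed fixtures (no real data): the three
# permission shapes the readdir error can come from, run as the current user.
demo() {
    me=$(id -un); tmp=$(mktemp -d)
    mkdir "$tmp/ok" "$tmp/noread" "$tmp/noexec"
    chmod 755 "$tmp/ok"; chmod 311 "$tmp/noread"; chmod 644 "$tmp/noexec"
    for d in ok noread noexec; do diagnose_dir "$me" "$tmp/$d"; done
    chmod 755 "$tmp/noread" "$tmp/noexec"; rm -rf "$tmp"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh diagnose-dir.sh demo` to see the three verdicts on throwaway directories, or source the file and call `diagnose_dir sftpuser /srv/data` as root on the instance to check a real path for the SFTP user.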