Although SFTP is an easy-to-use and secure file transfer protocol, many people frequently face one of the most infamous SFTP errors, the “SFTP permission denied.”
As the error output reads, this issue is due to the lack of permissions to access a file or directory. Generally, you would still have access to the SFTP server via SSH, but you won't be able to change a specific file or directory. Another similar error message is the “SFTP permission denied (public key),” where you won’t even be able to access the server via SFTP or SSH.
In this post, we’ll go through the two cases. First, we’ll learn to check and update the user/group file/folder permissions, and second, we’ll figure out why we are getting authentication/access permission denied due to the public key.
To illustrate a clearer picture of the “sftp permission denied” error scenario, we’ll use an AWS EC2, Ubuntu (Focal-20.04-amd64-server). We will use the default user “ubuntu” and add a new sftp01 user. By default, AWS doesn’t grant “root” SSH access to the EC2 instances due to security’s best practices.
1. The “SFTP permission denied” error
Regardless of which SFTP client you use, when you SFTP into a server and try to replace, edit, delete, or overwrite a file or directory, you get “an SFTP permission denied” error message.
|Cannot create remote file 'ver'.|
|Error code: 3|
|Error message from server: Permission denied|
In Windows, while using an SFTP client, like WinSCP or FileZilla, the message looks like this:
Generally, you are successfully connecting via SFTP or SSH with the same user, but you can’t modify, change, or overwrite the file via SFTP. But if you cannot even connect via SFTP or SSH, you might be getting a similar error message that reads “SFTP permission denied (public key)”.
The reason for these error messages is generally due to incorrect or lack of permissions. For example, you might have read, write, execute permissions on your local file (or folder), but the remote folder (or file) might not be accepting your actions (read, write, or execute).
File permissions 101
Since this error is most likely related to incorrect permissions, you’ll have to figure out why you don’t have the authorization to edit, change, or upload a file or directory.
- Log in to the SFTP server using SSH and use the command “$ whoami” to see your username.
- Suppose the user logged in to the SFTP server does not have the necessary permissions (such as read command, “ls”) to a specific directory or file. In that case, you’ll get a message like: “ls: cannot open directory ‘/root': Permission denied”.
For security reasons, some cloud providers like AWS separate root access from other users. In this case, my “ubuntu” user does not have access to the root user’s folder. This is simply because both users belong to different groups with different permissions.
- Use “$ls -l” to get a long detailed list of files, directories, and permissions. This command will help you see whether your user (within a group) has the correct permissions to a file. The below screenshot shows the output of this command.
- The relevant output columns:
- (1)-Permission level The first character, (l or d), represents a symbolic link or directory, while (-) represents a regular file. The next set of three characters (rwx, where: r=read, w=write, x=execute, and – = no permission) represent user permissions, the next three represent group permissions, and the last three characters are “others” permissions.
- (2, 3)-User and group The next column (2 and 3) represents the file or directory owner and the group.
- (4) – Name of the file, directory, or symbolic link.
So, what we can get from the output is that the file (-) “test.txt” belongs to the user/group (ubuntu/ubuntu). As for the permission level, “-rw-rw-r—” the “user” and “group” can both read and write, while all others can only read.
- To troubleshoot the SFTP permission denied, you’ll need to determine if your “other” user belongs to the group with read and write (rw) permissions (for instance, “ubuntu” in this case).
- Use the “$ groups” command to see the group your current user is associated with. So, in this example, the user “ubuntu” does not belong to the “root” group, so it does not have access to /root folder, as initially stated. The “sudo” group is the one granting elevated privileges.
Solutions: How to fix the SFTP permission denied?
So now that we know how to check users, groups, and their file/folder permissions, let’s solve the “SFTP permission denied” error. Bear in mind that the majority of commands here require higher privilege to execute.
The command (ls -l) is handy to let you see the permissions of the target directory or file. If the file or directory belongs to another user, group or it does not allow either writing (for instance, drwxr-xr-x) for the group and other users, you’ll need to grant the right set of permissions.
Solution 1. Assign the user without permission to a group with permissions to the file or directory
Use the (ls- l) command to see the owner and group a file belongs to. If it belongs to a different group your user does not belong to, you’ll need to assign your user to this group.
Use the following command to assign your user to the group permission instead of reading and writing (rw). After doing this, try SFTP again.
- $ sudo usermod -a -G [target group] $USER
Solution 2. Use the (chown) command to change ownership of the single file or directory
Rather than assign a new group to your user, you can change the ownership of a file or directory. For example, let’s say the “sftp01” user gets an SFTP permission denied every time it wants to edit or overwrite the “test01.txt” file. To see who owns this specific file, go to the folder where you are getting the sftp permission denied and do a (ls -l), then use (chown) to change the ownership.
- $ sudo chown [user] [file]
NOTE: If you are working under an admin or root role, be careful not to change the entire ownership of a directory and subdirectory with -R recursive ownership, as this can affect access and authentication to the SFTP server (we’ll get to this later).
Solution 3. Grant the appropriate permission
Use the “chmod” command to change the file or directory permissions. The suggested permission levels when using the chmod are 755 for file and 644 for directory permission.
- chmod 755: Read and execute access for everyone. Read, write, and execute access for the owner of the file. For example, when you do a “$chmod 755 examplefile”, you allow everyone to read and perform the file, while only the owner is entitled to read, write, and execute the file.
- chmod 777: Use the chmod 777 (-rwxrwxrwx) if you want to allow everyone, including the owner, group, and others, to read, write, and execute. Granting this level of “openness” is not a good security practice, but you can use it for testing purposes.
- chmod 644: The user (or owner) can read, write but can’t execute. The group and others can read but can’t write and execute. This command is suggested for directories.
The “$sudo chmod 775 [filename]” command will change the permission structure of the file. As mentioned above, with (-rwxrwxr-x) (775), the file will be readable and executable by everyone (r-x) “others”.
Use Recursive to add permission subdirectories as well
You can use the “sudo chmod -R [mode] [file or directory]”. The [-R] changes files and directories recursively, so use this with care. It allowss the user to read, write, or execute to all sub-directories and files.
Solution 4. Permission denied due to failed authentication
Another variation for the SFTP permission denied is due to authentication. You can’t even access your SFTP server from the SFTP client. If you get the “Permission denied (public key),” you won't be able to access and authenticate to the server via SSH.
To solve this issue, try the following:
- Check your username You might be using the incorrect username, but correct public key and thus get the permission denied error. Check whether you are using the correct username in your SFTP client. But still, if the username is correct but is not authorized to use the key, you’ll also get permission denied (public key).
- Permissions at the server are incorrect This is because the permission to the files under the home directory changed. Users might be locked out if the “authorized_keys” (under /.ssh/authorized_keys, for Linux Ubuntu) file permission or ownership changed. An admin has to log in with root access or connect via the serial console to adjust the home directory file permissions. As mentioned earlier, applying “chmod -R” incorrectly can affect all home directory subdirectories, including .ssh and authorized_keys files.
- Check the SSH public key (.pub) on the local computer Make sure you are using the correct public key in the authorized_keys file. To add a new public key to an SFTP client with FileZilla. Go to Settings > Connection > SFTP > click on “Add key file…” Browse through your local files and import the right key.
Configuring permissions with alternative SFTP server tools
The Solarwinds SFTP/SCP server is a free tool for reliable and secure file transfers. It is easy to use, light and runs as a Windows service. In addition, SFTP provides advanced SFTP features such as concurrent transfers from multiple devices or limits access by authorizing a specific or range of IPs.
This tool pushes OS images, configuration files, updates, backup files, or transfer files up to 4GB. In addition, this SFTP server provides primary authentication access to the server and only allows one folder for all users.
Website Link: https://www.solarwinds.com/free-tools/free-sftp-server
The SolarWinds Serv-U FTP/MFT Server is a more advanced SFTP server that lets you handle large and multiple file transfers. It supports up to 250 users, 100 concurrent sessions, up to 3 domains and allows a fine-grained access control over those resources.
With Serv-U, you can easily change and update user and folder access and permissions. In addition, it provides a directory access rule-based control that allows you to change permissions on files and directories.
The “SFTP permission denied” error message occurs when your SFTP server doesn’t allow your user (within a group) to modify or overwrite a file or directory. To solve this, you’ll have to SSH into the SFTP server, find the file/directory and identify its current permission mode and ownership. Then, you’ll have to change the permissions as specified in this post. The second SFTP permission denied (public key) message occurs when you are logging with an incorrect user, public key, or the user doesn’t have the necessary permission to access the key file in the server.
Alternatively, you can use an SFTP server such as SolarWinds Serv-U FTP/MFT Server, which gives you more flexibility when configuring permissions. This tool will help you avoid the “SFTP permission denied” and fix it for all the SFTP users.