Although SFTP is an easy-to-use and secure file transfer protocol, many people often face one of the most infamous SFTP errors: "SFTP permission denied."

As the error output reads, this issue is due to a lack of permissions to access a file or directory. More often than not, you would still have access to the SFTP server via SSH, but you won't be able to change a specific file or directory. Another similar error message is "SFTP permission denied (public key)," where you won't even be able to access the server via SFTP or SSH.

In this post, we'll go through the two cases. First, we'll learn to check and update the user/group file/folder permissions, and second, we'll figure out why we are getting authentication/access permission denied due to the public key.

To illustrate a clearer picture of the "sftp permission denied" error scenario, we'll use an AWS EC2, Ubuntu (Focal-20.04-amd64-server). We will use the default user "ubuntu" and add a new sftp01 user. By default, AWS doesn't grant "root" SSH access to the EC2 instances due to security best practices.

1. The "SFTP permission denied" error

Regardless of which SFTP client you use, when you SFTP into a server and try to replace, edit, delete, or overwrite a file or directory, you get an "SFTP permission denied" error message.

An example:

Cannot create remote file 'ver'.
Permission denied.
Error code: 3
Error message from server: Permission denied

In Windows, while using an SFTP client, like WinSCP or FileZilla, the message looks like this:

Error Message: SFTP permission denied

Generally, you are successfully connecting via SFTP or SSH with the same user, but you can't modify, change, or overwrite the file via SFTP. But if you cannot even connect via SFTP or SSH, you might be getting a similar error message that reads "SFTP permission denied (public key)".

The reason for these error messages is generally wrong or missing permissions. For example, you might have read, write, and execute permissions on your local file (or folder), but the remote folder (or file) might not be accepting your actions (read, write, or execute).

File permissions 101

Since this error is most likely related to incorrect permissions, you'll have to figure out why you don't have the authority to edit, change, or upload a file or directory.

  • Log in to the SFTP server using SSH and use the command "$ whoami" to see your username.
  • Suppose the user logged in to the SFTP server does not have the necessary permissions (such as for the read command, "ls") to a specific directory or file. In that case, you'll get a message like: "ls: cannot open directory '/root': Permission denied".

For security reasons, some cloud providers like AWS separate root access from other users. In this case, my "ubuntu" user does not have access to the root user's folder. This is simply because both users belong to different groups with different permissions.

ubuntu Permission denied

  • Use "$ ls -l" to get a long, detailed list of files, directories, and permissions. This command will help you see whether your user (within a group) has the right permissions to a file. The below screenshot shows the output of this command.

Output of $ls -l command

  • The relevant output columns:
    • (1) - Permission level: The first character, (l or d), represents a symbolic link or directory, while (-) represents a regular file. The next set of three characters (rwx, where: r=read, w=write, x=execute, and - = no permission) represent user permissions, the next three represent group permissions, and the last three characters are "others" permissions.
    • (2, 3) - User and group: The next columns (two and three) represent the file or directory owner and the group.
    • (4) – Name of the file, directory, or symbolic link.

So, what we can get from the output is that the file (-) "test.txt" belongs to the user/group (ubuntu/ubuntu). As for the permission level, "-rw-rw-r--", the "user" and "group" can both read and write, while all others can only read.

  • To troubleshoot the SFTP permission denied, you'll need to determine if your "other" user belongs to the group with read and write (rw) permissions (for example, "ubuntu" in this case).
  • Use the "$ groups" command to see the groups your current user is associated with. So, in this example, the user "ubuntu" does not belong to the "root" group, so it does not have access to the /root folder, as initially stated. The "sudo" group is the one granting elevated privileges.

$ groups command
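
The check described above (owner first, then group, then others, read from the ls -l columns) as an added shell example that is not part of the original post. The function names are hypothetical, `explain` assumes GNU `stat` and `id` as found on Ubuntu, and the demo values are constructed from the post's test.txt scenario.

```shell
#!/bin/sh
# Added example (not from the original post): which "ls -l" permission class
# applies to a user, and does it grant the wanted access? ACLs are ignored.

# perm_class OWNER GROUP USER "USER_GROUPS" -> prints user, group or other.
# The first match wins: an owner is never evaluated as "group" or "other".
perm_class() {
    if [ "$3" = "$1" ]; then echo user; return 0; fi
    for pc_g in $4; do
        if [ "$pc_g" = "$2" ]; then echo group; return 0; fi
    done
    echo other
}

# can_access MODE CLASS WANT: MODE is octal as printed by "stat -c %a",
# WANT is r, w or x. Returns 0 when that class has the bit set.
can_access() {
    ca_m=$((0$1))   # leading 0 makes the shell parse the mode as octal
    case $2 in
        user)  ca_bits=$(( ($ca_m >> 6) & 7 )) ;;
        group) ca_bits=$(( ($ca_m >> 3) & 7 )) ;;
        *)     ca_bits=$(( $ca_m & 7 )) ;;
    esac
    case $3 in r) ca_want=4 ;; w) ca_want=2 ;; x) ca_want=1 ;; *) return 2 ;; esac
    [ $(( ca_bits & ca_want )) -ne 0 ]
}

# explain PATH USER WANT: the same check against live file metadata.
explain() {
    ex_meta=$(stat -c '%U %G %a' "$1") || return 2
    ex_owner=${ex_meta%% *}; ex_mode=${ex_meta##* }
    ex_group=${ex_meta#* }; ex_group=${ex_group% *}
    ex_class=$(perm_class "$ex_owner" "$ex_group" "$2" "$(id -nG "$2")")
    if can_access "$ex_mode" "$ex_class" "$3"; then ex_v=allowed; else ex_v=denied; fi
    echo "$1: $ex_owner:$ex_group $ex_mode -> $2 is $ex_class, $3 $ex_v"
}

if [ "$#" -eq 3 ]; then
    explain "$@"
else
    # Constructed demo: the post's test.txt (ubuntu:ubuntu, 664) seen by sftp01.
    d_class=$(perm_class ubuntu ubuntu sftp01 "sftp01")
    if can_access 664 "$d_class" w; then d_v=allowed; else d_v=denied; fi
    echo "sftp01 is '$d_class' on test.txt (664): write $d_v"
fi
```

Called with a path, a username and r, w or x, the script checks the live file; creating or deleting a file is decided by the containing directory's write bit, so check that path too.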

Solutions: How to fix the SFTP permission denied?

So now that we know how to check users, groups, and their file/folder permissions, let's solve the "SFTP permission denied" error. Bear in mind that the majority of commands here require higher privilege to execute.

The command (ls -l) is handy to let you see the permissions of the target directory or file. If the file or directory belongs to another user or group, or it does not allow writing (for example, drwxr-xr-x) for the group and other users, you'll need to grant the right set of permissions.

Solution 1. Assign the user without permission to a group with permissions to the file or directory

Use the (ls -l) command to see the owner and group a file belongs to. If it belongs to a different group that your user does not belong to, you'll need to assign your user to this group.

Use the following command to assign your user to the group that has read and write (rw) permissions. After doing this, try SFTP again.

  • $ sudo usermod -a -G [target group] $USER

Solution 2. Use the (chown) command to modify ownership of the single file or directory

Rather than assign a new group to your user, you can change the ownership of a file or directory. For example, let's say the "sftp01" user gets an SFTP permission denied every time it wants to edit or overwrite the "test01.txt" file. To see who owns this specific file, go to the folder where you are getting the sftp permission denied and do a (ls -l), then use (chown) to change the ownership.

  • $ sudo chown [user] [file]

chown command to change ownership of the single file or directory

NOTE: If you are working under an admin or root role, be careful not to change the entire ownership of a directory and its subdirectories with -R recursive ownership, as this can affect access and authentication to the SFTP server (we'll get to this later on).

Solution 3. Grant the appropriate permission

Use the "chmod" command to modify the file or directory permissions. The suggested permission levels when using the chmod are 755 for file and 644 for directory permission.

  • chmod 755: Read and execute access for everyone. Read, write, and execute access for the owner of the file. For example, when you do a "$ chmod 755 examplefile", you allow everyone to read and execute the file, while only the owner is entitled to read, write, and execute the file.
  • chmod 777: Use the chmod 777 (-rwxrwxrwx) if you want to allow everyone, including the owner, group, and others, to read, write, and execute. Granting this level of "openness" is not a good security practice, but you can use it for testing purposes.
  • chmod 644: The user (or owner) can read and write but can't execute. The group and others can read but can't write or execute. This command is suggested for directories.

The "$ sudo chmod 775 [filename]" command will change the permission structure of the file. As mentioned above, with (-rwxrwxr-x) (775), the file will be readable and executable by everybody (r-x) "others".

$sudo chmod 775 [filename] command

Use Recursive to add permission to subdirectories as well

You can use the "sudo chmod -R [mode] [file or directory]". The [-R] changes files and directories recursively, so use this with care. It allows the user to read, write, or execute to all sub-directories and files.

Solution 4. Permission denied due to failed authentication

Another variation of the SFTP permission denied is due to authentication. You can't even access your SFTP server from the SFTP client. If you get the "Permission denied (public key)," you won't be able to access and authenticate to the server via SSH.

Permission denied due to failed authentication

To solve this issue, try the following:

  • Check your username: You might be using the wrong username but the right public key, and thus get the permission denied error. Check whether you are using the correct username in your SFTP client. But even so, if the username is correct but is not authorized to use the key, you'll also get permission denied (public key).
  • Permissions at the server are incorrect: This is because the permission to the files under the home directory changed. Users might be locked out if the "authorized_keys" (under /.ssh/authorized_keys, for Linux Ubuntu) file permission or ownership changed. An admin has to log in with root access or connect via the serial console to adjust the home directory file permissions. As mentioned earlier, applying "chmod -R" incorrectly can affect all home directory subdirectories, including .ssh and authorized_keys files.
  • Check the SSH public key (.pub) on the local computer: Make sure you are using the correct public key in the authorized_keys file. To add a new public key to an SFTP client with FileZilla, go to Settings > Connection > SFTP > click on "Add key file…" Browse through your local files and import the right key.

import the right key
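
One way to check the server-side condition from the second bullet, as an added shell example that is not part of the original post. OpenSSH's StrictModes setting rejects key login when the home directory, .ssh, or authorized_keys is owned by another user or writable by group or others; the function names are hypothetical, GNU `stat` is assumed, and the demo runs against a constructed throwaway directory rather than a real home.

```shell
#!/bin/sh
# Added example (not from the original post): audit the three paths that
# sshd's StrictModes inspects before it will read authorized_keys.

# check_key_path PATH EXPECTED_OWNER -> prints a finding; returns 1 when the
# path is missing, owned by someone else, or group/world-writable.
check_key_path() {
    if [ ! -e "$1" ]; then echo "MISSING  $1"; return 1; fi
    kp_owner=$(stat -c %U "$1"); kp_mode=$(stat -c %a "$1")
    if [ "$kp_owner" != "$2" ] && [ "$kp_owner" != root ]; then
        echo "OWNER    $1 is owned by $kp_owner, expected $2"; return 1
    fi
    if [ $(( 0$kp_mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $1 has mode $kp_mode (group or others can write)"; return 1
    fi
    echo "OK       $1 ($kp_owner, $kp_mode)"
}

# audit_ssh_login HOME_DIR USER -> returns the number of failing paths (0-3).
audit_ssh_login() {
    al_bad=0
    for al_p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_key_path "$al_p" "$2" || al_bad=$((al_bad + 1))
    done
    return "$al_bad"
}

# Constructed demo: a throwaway "home" broken by a recursive chmod, as the
# post warns, and then repaired.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh"
: > "$demo_home/.ssh/authorized_keys"
demo_user=$(stat -c %U "$demo_home")
chmod -R 777 "$demo_home"
audit_ssh_login "$demo_home" "$demo_user" || echo "=> $? path(s) would block key login"
chmod 700 "$demo_home" "$demo_home/.ssh"
chmod 600 "$demo_home/.ssh/authorized_keys"
audit_ssh_login "$demo_home" "$demo_user" && echo "=> permissions allow key login"
rm -rf "$demo_home"
```

On a real server, run `audit_ssh_login` as root against the locked-out user's home directory and username.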

Configuring permissions with alternative SFTP server tools

1. SolarWinds SFTP/SCP Server – FREE TOOL

Solarwinds SFTP/SCP server

The SolarWinds SFTP/SCP server is a free tool for reliable and secure file transfers. It is easy to use, light, and runs as a Windows service. In addition, it provides advanced SFTP features such as concurrent transfers from multiple devices or limiting access by authorizing a specific IP or range of IPs.

This tool pushes OS images, configuration files, updates, and backup files, or transfers files up to 4GB. In addition, this SFTP server provides basic authentication access to the server and only allows one folder for all users.

Website Link: https://www.solarwinds.com/free-tools/free-sftp-server

2. SolarWinds Serv-U FTP/MFT Server – FREE TRIAL

SolarWinds Serv-U-FTP-MFT-Server

The SolarWinds Serv-U FTP/MFT Server is a more advanced SFTP server that lets you handle large and multiple file transfers. It supports up to 250 users, 100 concurrent sessions, and up to three domains, and allows fine-grained access control over those resources.

With Serv-U, you can easily change and update user and folder access and permissions. In addition, it provides directory access rule-based control that allows you to change permissions on files and directories.

SolarWinds Serv-U FTP/MFT Server

Website Link: https://www.solarwinds.com/serv-u-managed-file-transfer-server

Final Words

The "SFTP permission denied" error message occurs when your SFTP server doesn't permit your user (within a group) to modify or overwrite a file or directory. To solve this, you'll have to SSH into the SFTP server, find the file/directory, and identify its current permission mode and ownership. Then, you'll have to change the permissions as specified in this post. The second message, SFTP permission denied (public key), occurs when you are logging in with an incorrect user or public key, or the user doesn't have the necessary permission to access the key file on the server.

Alternatively, you can use an SFTP server such as SolarWinds Serv-U FTP/MFT Server, which gives you more flexibility when configuring permissions. This tool will help you avoid the "SFTP permission denied" error and fix it for all the SFTP users.