Although SFTP is an easy-to-use and secure file transfer protocol, many people frequently face one of the most infamous SFTP errors, the "SFTP permission denied."

As the error output reads, this result is due to the lack of permissions to access a file or directory. Generally, you would still have access to the SFTP server via SSH, but you won't be able to modify a specific file or directory. Another similar error message is the "SFTP permission denied (public key)," where you won't even be able to access the server via SFTP or SSH.

In this post, we'll go through the two cases. First, we'll learn to check and update the user/group file/folder permissions, and second, we'll figure out why we are getting authentication/access permission denied due to the public key.

To illustrate a clearer picture of the "sftp permission denied" error scenario, we'll use an AWS EC2, Ubuntu (Focal-20.04-amd64-server). We will use the default user "ubuntu" and add a new sftp01 user. By default, AWS doesn't grant "root" SSH access to the EC2 instances due to security best practices.

1. The "SFTP permission denied" error

Regardless of which SFTP client you use, when you SFTP into a server and try to replace, edit, delete, or overwrite a file or directory, you get an "SFTP permission denied" error message.

An example:

Cannot create remote file 'ver'.
Permission denied.
Error code: 3
Error message from server: Permission denied

In Windows, while using an SFTP client, like WinSCP or FileZilla, the message looks like this:

Error Message: SFTP permission denied

Mostly, you are successfully connecting via SFTP or SSH with the same user, but you can't change, modify, or overwrite the file via SFTP. But if you cannot even connect via SFTP or SSH, you might be getting a similar error message that reads "SFTP permission denied (public key)".

The reason for these error messages is generally incorrect or missing permissions. For instance, you might have read, write, execute permissions on your local file (or folder), but the remote folder (or file) might not be accepting your actions (read, write, or execute).

File permissions 101

Since this error is most likely related to wrong permissions, you'll have to figure out why you don't have the authorisation to edit, change, or upload a file or directory.

  • Log in to the SFTP server using SSH and use the command "$ whoami" to see your username.
  • Suppose the user logged in to the SFTP server does not have the necessary permissions (such as read command, "ls") to a specific directory or file. In that case, you'll get a message like: "ls: cannot open directory '/root': Permission denied".

For security reasons, some cloud providers like AWS separate root access from other users. In this instance, my "ubuntu" user does not have access to the root user's folder. This is simply because both users belong to different groups with different permissions.

ubuntu Permission denied

  • Use "$ ls -l" to get a long detailed list of files, directories, and permissions. This command will help you see whether your user (within a group) has the correct permissions to a file. The below screenshot shows the output of this command.

Output of $ls -l command

  • The relevant output columns:
    • (1) – Permission level: The first character, (l or d), represents a symbolic link or directory, while (-) represents a regular file. The next set of three characters (rwx, where: r=read, w=write, x=execute, and - = no permission) represent user permissions, the next three represent group permissions, and the last three characters are "others" permissions.
    • (2, 3) – User and group: The next columns (2 and 3) represent the file or directory owner and the group.
    • (4) – Name of the file, directory, or symbolic link.

So, what we can get from the output is that the file (-) "test.txt" belongs to the user/group (ubuntu/ubuntu). As for the permission level, "-rw-rw-r--", the "user" and "group" can both read and write, while all others can only read.

  • To troubleshoot the SFTP permission denied, you'll need to determine if your "other" user belongs to the group with read and write (rw) permissions (for instance, "ubuntu" in this case).
  • Use the "$ groups" command to see the groups your current user is associated with. So, in this example, the user "ubuntu" does not belong to the "root" group, so it does not have access to the /root folder, as initially stated. The "sudo" group is the one granting elevated privileges.

$ groups command
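The class resolution described above, as an added example that is not part of the original post: given the columns of an `ls -l` line and the output of `groups`, it reports which rwx triplet applies to a user. The function names are hypothetical, the sample values are constructed from the post's test.txt case, and root and ACLs are not modelled.

```shell
# Added example: decide which permission triplet of an `ls -l` mode string
# applies to a user. Function names and sample values are constructed.

# perm_class MODE OWNER GROUP USER "USER_GROUPS"
# Prints "<class> <triplet>". Classes are tried in the order owner, group,
# other, and only the first match counts: an owner with "---" is denied
# even when "other" would be allowed.
perm_class() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    u=$(printf '%s' "$mode" | cut -c2-4)
    g=$(printf '%s' "$mode" | cut -c5-7)
    o=$(printf '%s' "$mode" | cut -c8-10)
    if [ "$user" = "$owner" ]; then
        echo "owner $u"; return 0
    fi
    for grp in $user_groups; do
        if [ "$grp" = "$group" ]; then
            echo "group $g"; return 0
        fi
    done
    echo "other $o"
}

# can_overwrite: changing an existing file needs "w" on the file itself.
can_overwrite() {
    case $(perm_class "$@") in
        *" "?w?) return 0 ;;
        *) return 1 ;;
    esac
}

# can_create: creating or deleting an entry needs "w" and "x" on the parent
# directory (pass the directory's mode); "s"/"t" also imply "x".
can_create() {
    case $(perm_class "$@") in
        *" "?w[xst]) return 0 ;;
        *) return 1 ;;
    esac
}

# test.txt from the post, seen by sftp01 before joining the ubuntu group:
perm_class "-rw-rw-r--" ubuntu ubuntu sftp01 "sftp01"   # prints: other r--
```
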

Solutions: How to fix the SFTP permission denied?

So now that we know how to check users, groups, and their file/folder permissions, let's solve the "SFTP permission denied" error. Bear in mind that the majority of commands here require higher privilege to execute.

The command (ls -l) is handy to let you see the permissions of the target directory or file. If the file or directory belongs to another user or group, or it does not allow writing (for instance, drwxr-xr-x) for the group and other users, you'll need to grant the correct set of permissions.

Solution 1. Assign the user without permission to a group with permissions to the file or directory

Use the (ls -l) command to see the owner and group a file belongs to. If it belongs to a different group your user does not belong to, you'll need to assign your user to this group.

Use the following command to assign your user to the group that has read and write (rw) permissions. After doing this, try SFTP once more.

  • $ sudo usermod -a -G [target group] $USER

Solution 2. Use the (chown) command to change ownership of the single file or directory

Rather than assign a new group to your user, you can change the ownership of a file or directory. For example, let's say the "sftp01" user gets an SFTP permission denied every time it wants to edit or overwrite the "test01.txt" file. To see who owns this specific file, go to the folder where you are getting the sftp permission denied and do a (ls -l), then use (chown) to change the ownership.

  • $ sudo chown [user] [file]


NOTE: If you are working under an admin or root role, be careful not to change the entire ownership of a directory and its subdirectories with the recursive -R option, as this can affect access and authentication to the SFTP server (we'll get to this later).

Solution 3. Grant the appropriate permission

Use the "chmod" command to modify the file or directory permissions. The suggested permission levels when using the chmod are 755 for file and 644 for directory permission.

  • chmod 755: Read and execute access for everyone. Read, write, and execute access for the owner of the file. For example, when you do a "$ chmod 755 examplefile", you let everyone read and execute the file, while only the owner is entitled to read, write, and execute the file.
  • chmod 777: Use the chmod 777 (-rwxrwxrwx) if you want to allow everyone, including the owner, group, and others, to read, write, and execute. Granting this level of "openness" is not a good security practice, but you can use it for testing purposes.
  • chmod 644: The user (or owner) can read, write but can't execute. The group and others can read but can't write and execute. This command is suggested for directories.

The "$ sudo chmod 775 [filename]" command will alter the permission structure of the file. As mentioned above, with (-rwxrwxr-x) (775), the file will be readable and executable by anybody (r-x) "others".


Use recursive mode to add permissions to subdirectories as well

You can use "sudo chmod -R [mode] [file or directory]". The [-R] changes files and directories recursively, so use this with care. It allows the user to read, write, or execute on all sub-directories and files.

Solution 4. Permission denied due to failed authentication

Another variation of the SFTP permission denied is due to authentication. You can't even access your SFTP server from the SFTP client. If you get the "Permission denied (public key)," you won't be able to access and authenticate to the server via SSH.


To solve this issue, try the following:

  • Check your username: You might be using the incorrect username but the correct public key, and thus get the permission denied error. Check whether you are using the correct username in your SFTP client. But still, if the username is right but is not authorized to use the key, you'll also get permission denied (public key).
  • Permissions at the server are incorrect: This is because the permissions on the files under the home directory changed. Users might be locked out if the "authorized_keys" (under ~/.ssh/authorized_keys, for Linux Ubuntu) file permission or ownership changed. An admin has to log in with root access or connect via the serial console to adjust the home directory file permissions. As mentioned earlier, applying "chmod -R" incorrectly can affect all home directory subdirectories, including .ssh and authorized_keys files.
  • Check the SSH public key (.pub) on the local computer: Make sure you are using the correct public key in the authorized_keys file. To add a new public key to an SFTP client such as FileZilla, go to Settings > Connection > SFTP, click on "Add key file…", browse through your local files, and import the right key.
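As an added example (not from the original post), this shell function audits the three paths the server checks before it accepts a key: the home directory, .ssh, and authorized_keys. It assumes OpenSSH with StrictModes enabled (the default), which refuses keys when these paths are group- or world-writable or owned by another user; the function names and the demo tree are constructed.

```shell
# Added example: report ownership and mode problems under a home directory
# that lead to "Permission denied (publickey)". All names are constructed.

# check_path PATH UID: print one finding per problem. `ls -ldn` prints the
# owner as a numeric UID, so no user-name lookup is involved.
check_path() {
    c_path=$1 c_want=$2
    if [ ! -e "$c_path" ]; then
        echo "MISSING $c_path"
        return 0
    fi
    c_line=$(ls -ldn "$c_path")
    c_mode=${c_line%% *}
    c_owner=$(printf '%s\n' "$c_line" | awk '{print $3}')
    # sshd also tolerates root-owned paths; this audit is stricter.
    [ "$c_owner" = "$c_want" ] || echo "OWNER $c_path uid=$c_owner"
    # Character 6 of the mode is group write, character 9 is other write.
    case $c_mode in
        ?????w*|????????w*) echo "WRITABLE $c_path $c_mode" ;;
    esac
    return 0
}

# audit_ssh_perms HOME UID: check the three paths, print the findings and
# return 1 if there are any, 0 if the tree is clean.
audit_ssh_perms() {
    a_home=$1 a_uid=$2
    a_out=$(for a_p in "$a_home" "$a_home/.ssh" "$a_home/.ssh/authorized_keys"; do
        check_path "$a_p" "$a_uid"
    done)
    [ -n "$a_out" ] || return 0
    printf '%s\n' "$a_out"
    return 1
}

# Constructed demo tree: a recursive chmod 775 has been applied to the home.
demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys"
    chmod -R 775 "$d"
    echo "$d"
}
t=$(demo_tree)
audit_ssh_perms "$t" "$(id -u)" || echo "fix each path with: chmod go-w <path>"
rm -rf "$t"
```
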


Configuring permissions with alternative SFTP server tools

1. SolarWinds SFTP/SCP Server – FREE TOOL


The SolarWinds SFTP/SCP server is a free tool for reliable and secure file transfers. It is easy to use, lightweight, and runs as a Windows service. In addition, it provides advanced SFTP features such as concurrent transfers from multiple devices and limiting access by authorizing a specific IP or a range of IPs.

This tool pushes OS images, configuration files, updates, and backup files, or transfers files up to 4GB. In addition, this SFTP server provides primary authentication access to the server and only allows one folder for all users.

Website Link: https://www.solarwinds.com/free-tools/free-sftp-server


2. SolarWinds Serv-U FTP/MFT Server – FREE TRIAL


The SolarWinds Serv-U FTP/MFT Server is a more advanced SFTP server that lets you handle large and multiple file transfers. It supports up to 250 users, 100 concurrent sessions, and up to 3 domains, and allows fine-grained access control over those resources.

With Serv-U, you can easily change and update user and folder access and permissions. In addition, it provides a directory access rule-based control that allows you to alter permissions on files and directories.


Website Link: https://www.solarwinds.com/serv-u-managed-file-transfer-server


Final Words

The "SFTP permission denied" error message occurs when your SFTP server doesn't allow your user (within a group) to modify or overwrite a file or directory. To solve this, you'll have to SSH into the SFTP server, find the file/directory and identify its current permission mode and ownership. Then, you'll have to change the permissions as specified in this post. The second SFTP permission denied (public key) message occurs when you are logging in with an incorrect user or public key, or the user doesn't have the necessary permission to access the key file on the server.

Alternatively, you can use an SFTP server such as SolarWinds Serv-U FTP/MFT Server, which gives you more flexibility when configuring permissions. This tool will help you avoid the "SFTP permission denied" and fix it for all the SFTP users.