Debugging AWS SFTP User logins

Wil Moore III
2 min read · Aug 15, 2022

… to verify that a new user can log in and has the correct home directory.


The AWS Transfer for SFTP service is a great way to move many GiB of data from a vendor or customer’s infrastructure and into your own. The AWS Transfer for SFTP managed service allows SFTP transfers to land in an S3 bucket that you control.

Setting up vendor or customer logins is fairly straightforward; however, it’s important to sanity-check a login before handing credentials and server details to the vendor or customer. The last thing you want is to end up in a technical support situation after the fact.

I was able to verify SFTP login by adding an existing administrative SSH public key to the user’s account. This allows me, as the administrator, to authenticate as the user as long as I supply the corresponding private key.

Here are the commands that were used to accomplish this:

Get the Server’s ServerId

Before you can get the User’s UserName, you’ll have to capture the Server’s ID:

> aws transfer list-servers \
--region $AWS_DEFAULT_REGION \
--query 'Servers[].ServerId'

[
"${SERVER_ID}"
]

Get the User’s UserName

In order to import the SSH public key, you’ll need to know the user’s UserName:

> aws transfer list-users \
--region $AWS_DEFAULT_REGION \
--server-id $SERVER_ID \
--query 'Users[].UserName'

[
"demo"
]

Import SSH Public Key

Once the public key is imported, the user can authenticate:

> aws transfer import-ssh-public-key \
--region $AWS_DEFAULT_REGION \
--server-id $SERVER_ID --user-name demo \
--ssh-public-key-body file://~/.ssh/awssftp.pub

{
"ServerId": "${SERVER_ID}",
"SshPublicKeyId": "${PUBLIC_KEY_ID}",
"UserName": "demo"
}

Login to the Server with the SFTP CLI

Verify that the user account can authenticate using the private key associated with the imported public key:

> sftp -i ~/.ssh/awssftp demo@$SERVER_HOSTNAME

Connected to demo@$SERVER_HOSTNAME.
sftp>
sftp> pwd
Remote working directory: /${HOME}/demo

Delete Public Key

The most secure practice is to delete the administrative public key from the user’s account as soon as verification is complete, so the administrator’s key does not remain a standing credential for that user:

> aws transfer delete-ssh-public-key \
--region $AWS_DEFAULT_REGION \
--server-id $SERVER_ID \
--user-name demo \
--ssh-public-key-id $PUBLIC_KEY_ID
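The five steps above wired into one script, as an added example that is not part of the original post and is not AWS tooling. It assumes the aws CLI and an OpenSSH sftp client are installed, that AWS_DEFAULT_REGION is set (the CLI reads it, so the --region flag from the post is omitted), and that the key pair ~/.ssh/awssftp and ~/.ssh/awssftp.pub exists; SFTP_USER, SFTP_HOST, EXPECTED_HOME and RUN_SFTP_CHECK are names chosen for this example. The point it adds to the post is that the temporary key is deleted whether or not the login or the home-directory check succeeds, and that the check itself (parsing the sftp transcript and comparing the reported directory) is kept in small functions that can be exercised without touching AWS.

```shell
#!/bin/sh
# Added example (not from the original post): end-to-end login check for an
# AWS Transfer Family SFTP user, following the post's five steps, with the
# temporary administrative public key removed again on every code path.
# Assumed names: SFTP_USER, SFTP_HOST, EXPECTED_HOME, RUN_SFTP_CHECK.
set -eu

# Pull the remote working directory out of sftp's batch-mode transcript.
# Input is the full captured output (one or more lines); output is the path
# after "Remote working directory:", or an empty string if it is absent.
remote_home_dir() {
    printf '%s\n' "$1" | sed -n 's/^Remote working directory: *//p' | head -n 1
}

# Compare the directory the server reported against the one we expect.
# Returns 0 on a match, 1 on a mismatch or an empty actual value.
home_dir_matches() {
    expected="$1"
    actual="$2"
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Step 1: the post's list-servers call, reduced to a single ServerId.
server_id() {
    aws transfer list-servers --output text --query 'Servers[0].ServerId'
}

# Step 2: confirm the user exists on that server before importing a key.
user_exists() {
    aws transfer list-users --server-id "$1" --output text \
        --query "Users[?UserName=='$2'].UserName" | grep -qx "$2"
}

# Steps 3-5: import the admin public key, attempt a batch-mode login, then
# delete the key. The delete runs even when the login or the check fails.
verify_sftp_login() {
    user="$1"; host="$2"; expected_home="$3"; key_file="${4:-$HOME/.ssh/awssftp}"
    sid=$(server_id)
    user_exists "$sid" "$user" || { echo "user $user not found on $sid" >&2; return 1; }

    # --query/--output text returns just the key id, so no JSON parsing is needed.
    key_id=$(aws transfer import-ssh-public-key --server-id "$sid" \
        --user-name "$user" --ssh-public-key-body "file://$key_file.pub" \
        --output text --query 'SshPublicKeyId')

    rc=0
    # BatchMode=yes makes sftp fail instead of prompting for a password, so a
    # broken key mapping shows up as a non-zero exit rather than a hang.
    if transcript=$(printf 'pwd\n' | sftp -b - -o BatchMode=yes -i "$key_file" "$user@$host" 2>&1); then
        actual=$(remote_home_dir "$transcript")
        if home_dir_matches "$expected_home" "$actual"; then
            echo "login ok, home directory is $actual"
        else
            echo "login ok, but home directory is '$actual', expected '$expected_home'" >&2
            rc=1
        fi
    else
        echo "sftp login failed:" >&2
        printf '%s\n' "$transcript" >&2
        rc=1
    fi

    # Always remove the temporary administrative key from the user's account.
    aws transfer delete-ssh-public-key --server-id "$sid" \
        --user-name "$user" --ssh-public-key-id "$key_id"
    return "$rc"
}

# Only talk to AWS when explicitly asked, e.g.
#   RUN_SFTP_CHECK=1 SFTP_USER=demo SFTP_HOST=<server endpoint> \
#   EXPECTED_HOME=/<bucket>/demo sh verify_sftp_login.sh
if [ "${RUN_SFTP_CHECK:-0}" = "1" ]; then
    verify_sftp_login "$SFTP_USER" "$SFTP_HOST" "$EXPECTED_HOME"
fi
```

Because the login runs in batch mode, the server's host key must already be present in known_hosts; on a first connection, compare the fingerprint shown by the sftp client against the HostKeyFingerprint field returned by `aws transfer describe-server --server-id "$SERVER_ID"` before accepting it, rather than disabling host-key checking for the test.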
