Debugging AWS SFTP User logins
… to verify that a new user can log in and has the correct home directory.
The AWS Transfer for SFTP service is a great way to move many GiB of data from a vendor or customer’s infrastructure and into your own. The AWS Transfer for SFTP managed service allows SFTP transfers to land in an S3 bucket that you control.
Setting up vendor or customer logins is fairly straightforward; however, it’s important to sanity check a login before handing credentials and server details to the vendor or customer. The last thing you want is a technical support situation after the fact.
I was able to verify the SFTP login by adding an existing administrative SSH public key to the user’s account. This allows me, as the administrator, to authenticate as that user as long as I present the corresponding private key.
Here are the commands that were used to accomplish this:
Get the Server’s ServerId
Before you can get the User’s UserName, you’ll have to capture the Server’s ID:
> aws transfer list-servers \
--region $AWS_DEFAULT_REGION \
--query 'Servers[].ServerId'
[
"${SERVER_ID}"
]
Get the User’s UserName
In order to import the SSH public key, you’ll need to know the user’s UserName:
> aws transfer list-users \
--region $AWS_DEFAULT_REGION \
--server-id $SERVER_ID \
--query 'Users[].UserName'
[
"demo"
]
Import SSH Public Key
Once the public key is imported, anyone holding the matching private key (here, the administrator) can authenticate as the user:
> aws transfer import-ssh-public-key \
--region $AWS_DEFAULT_REGION \
--server-id $SERVER_ID --user-name demo \
--ssh-public-key-body file://~/.ssh/awssftp.pub
{
"ServerId": "${SERVER_ID}",
"SshPublicKeyId": "${PUBLIC_KEY_ID}",
"UserName": "demo"
}
Login to the Server with the SFTP CLI
Verify that the user account can authenticate using the private key associated with the imported public key:
> sftp -i ~/.ssh/awssftp demo@$SERVER_HOSTNAME
Connected to demo@$SERVER_HOSTNAME.
sftp>
sftp> pwd
Remote working directory: /${HOME}/demo
Delete Public Key
Delete the public key from the user’s account as soon as verification is complete; otherwise the administrative key remains a second, unmanaged credential on the vendor’s account:
> aws transfer delete-ssh-public-key \
--region $AWS_DEFAULT_REGION \
--server-id $SERVER_ID \
--user-name demo \
--ssh-public-key-id $PUBLIC_KEY_ID
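The five steps above are easy to run by hand, but the step that matters most for security (deleting the key again) is also the one most easily skipped when the login check fails halfway through. The script below is an added example, not part of the original post, that strings the same AWS CLI and sftp commands together with a trap so the key removal runs whether or not the login succeeds, and compares the remote working directory against the home directory you expect. It assumes the AWS CLI v2 is installed, that the admin key pair lives at ~/.ssh/awssftp and ~/.ssh/awssftp.pub (override with the fourth and fifth arguments), and it uses `--output text` and sftp batch mode (`-b -`) instead of the interactive session shown above; the function names are mine, not AWS’s.

```shell
#!/bin/sh
# Added example (not from the original post): verify an AWS Transfer for SFTP
# user login with an administrative key, then remove the key again.
set -eu

# Region defaults to us-east-1 if AWS_DEFAULT_REGION is not exported (assumption).
REGION="${AWS_DEFAULT_REGION:-us-east-1}"

# Step 1: resolve the ServerId (first server in this region).
get_server_id() {
    aws transfer list-servers --region "$REGION" \
        --query 'Servers[0].ServerId' --output text
}

# Step 2: confirm the UserName exists on the server (exit 0 if present).
user_exists() {
    server_id="$1"; user="$2"
    aws transfer list-users --region "$REGION" --server-id "$server_id" \
        --query 'Users[].UserName' --output text \
        | tr '\t' '\n' | grep -x "$user" >/dev/null
}

# Step 3: import the admin public key and print its SshPublicKeyId.
import_admin_key() {
    server_id="$1"; user="$2"; pubkey="$3"
    aws transfer import-ssh-public-key --region "$REGION" \
        --server-id "$server_id" --user-name "$user" \
        --ssh-public-key-body "file://$pubkey" \
        --query 'SshPublicKeyId' --output text
}

# Step 5: remove the admin key; wired to an EXIT trap so it also runs on failure.
delete_admin_key() {
    aws transfer delete-ssh-public-key --region "$REGION" \
        --server-id "$1" --user-name "$2" --ssh-public-key-id "$3"
}

# Step 4: non-interactive login that prints only the remote working directory.
# IdentitiesOnly=yes makes sure only the admin key is offered to the server.
remote_home_dir() {
    user="$1"; host="$2"; privkey="$3"
    printf 'pwd\n' | sftp -q -b - -o BatchMode=yes -o IdentitiesOnly=yes \
        -i "$privkey" "$user@$host" \
        | sed -n 's/^Remote working directory: //p'
}

# Exit 0 when the observed home directory equals the expected one.
home_dir_matches() {
    [ "$1" = "$2" ]
}

# verify_sftp_user USER HOST EXPECTED_HOME [PUBKEY] [PRIVKEY]
verify_sftp_user() {
    user="$1"; host="$2"; expected_home="$3"
    pubkey="${4:-$HOME/.ssh/awssftp.pub}"; privkey="${5:-$HOME/.ssh/awssftp}"
    server_id="$(get_server_id)"
    user_exists "$server_id" "$user" || { echo "no such user: $user" >&2; return 1; }
    key_id="$(import_admin_key "$server_id" "$user" "$pubkey")"
    # Expand the ids now so cleanup runs even if the login check below fails.
    trap "delete_admin_key '$server_id' '$user' '$key_id'" EXIT
    actual_home="$(remote_home_dir "$user" "$host" "$privkey")"
    echo "home directory: $actual_home"
    home_dir_matches "$actual_home" "$expected_home"
}

# Run only when invoked directly, e.g.:
#   VERIFY_SFTP_RUN=1 ./verify_sftp_user.sh demo "$SERVER_HOSTNAME" /my-bucket/demo
if [ "${VERIFY_SFTP_RUN:-0}" = 1 ]; then
    verify_sftp_user "$@"
fi
```

The script exits non-zero if the user is missing, the login fails, or the home directory differs from what you expected, so it can sit in a CI job or a pre-handoff checklist; in every one of those cases the EXIT trap still calls delete-ssh-public-key, which is the part you do not want to depend on remembering.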