I am trying to use Amazon EC2 Servers as my SFTP server where I can create authenticated users to sftp into my server. I have mounted s3 buckets onto the servers at location /mnt/buckets/{username} for each user using s3fs. Reading and writing onto the /mnt/buckets/{username} directory works with s3 as expected.

My sshd_config has the following.

ChrootDirectory /mnt/buckets/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp

When SFTP-ing I get the following response

...
debug1: Authentication succeeded (publickey).
Authenticated to ec2-54-173-113-164.compute-1.amazonaws.com ([54.173.113.164]:22).
debug2: fd 5 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
Write failed: Broken pipe
Connection closed

The mounted bucket has these permissions.

/home/ubuntu# ls -l /mnt/buckets/
total 1
drwxrwxrwx 1 root root 0 Jan  1  1970 sftptester

When I change the Chroot Directory to /mnt/buckets I am able to log into the sftp server as well as read and write into the s3 mounted bucket

Can I chroot the user into a mounted s3 bucket?

(Also if there are any tools that have this functionality already I would be interested in knowing them as well)

The issue might be that the S3 "bucket folders" that appear as user directories in the mount folder don't have the correct permissions for the SFTP users to read them.

Try adding this to your S3FS execution -o umask=022. This will add the following permissions to your SFTP user folders: drwxr-xr-x

Example: sudo s3fs bucket-name /mount/folder/ -o iam_role=role_name -o allow_other -o stat_cache_expire=10 -o enable_noobj_cache -o enable_content_md5 -o umask=022

• -o allow_other and -o umask=022 were both required for me to get this working.