SSH File Transfer Protocol

Communication protocol
Abbreviation: SFTP
Purpose: File transfer
Developer(s): IETF SECSH working group
Introduction: 1997
Based on: Secure Shell (SSH)
OSI layer: Application layer (7)
Port(s): 22/TCP

In computing, the SSH File Transfer Protocol (also known as Secure File Transfer Protocol or SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. It was designed by the Internet Engineering Task Force (IETF) as an extension of the Secure Shell protocol (SSH) version 2.0 to provide secure file transfer capabilities, and is seen as a replacement for the File Transfer Protocol (FTP) because of its superior security. [1] The IETF Internet Draft states that, even though the protocol is described in the context of the SSH-2 protocol, it could be used in a number of different applications, such as secure file transfer over Transport Layer Security (TLS) and transfer of management information in VPN applications.


This protocol assumes that it is run over a secure channel, such as SSH, that the server has already authenticated the client, and that the identity of the client user is available to the protocol.

Capabilities

Compared to the SCP protocol, which only allows file transfers, the SFTP protocol allows a range of operations on remote files, which makes it more like a remote file system protocol. An SFTP client's extra capabilities include resuming interrupted transfers, directory listings, and remote file removal. [2] There is also support for all UNIX file types, including symbolic links. [3]

SFTP attempts to be more platform-independent than SCP. With SCP, for instance, wildcards specified by the client are expanded on the server side, by the remote shell that launches the server-side scp process, so the result depends on that shell; SFTP's design avoids this problem because file names are carried as opaque strings inside protocol messages. While SCP is most frequently implemented on Unix platforms, SFTP servers are commonly available on most platforms. In SFTP, a file transfer can be terminated without terminating the session, unlike other mechanisms.

SFTP is not FTP run over SSH, but rather a new protocol designed from the ground up by the IETF SECSH working group. It is sometimes confused with Simple File Transfer Protocol. [4]

The protocol itself does not provide authentication or confidentiality; it expects the underlying transport to provide them. SFTP is most often used as a subsystem of SSH protocol version 2 implementations, having been designed by the same working group. It is possible, however, to run it over SSH-1 (some implementations support this) or over other data streams. Running an SFTP server over SSH-1 is not platform-independent, because SSH-1 has no concept of subsystems: an SFTP client that wants to connect to an SSH-1 server needs to know the path to the SFTP server binary on the server side so that it can execute it as a remote command.

Uploaded files may be associated with their basic attributes, such as time stamps. This is an advantage over the common FTP protocol.

History and development

The Internet Engineering Task Force (IETF) working group "Secsh" that was responsible for the development of the Secure Shell version 2 protocol (RFC 4251) also attempted to draft an extension of that standard for secure file transfer functionality. Internet Drafts were created that successively revised the protocol into new versions. [5] The software industry began to implement various versions of the protocol before the drafts were standardized. As development work progressed, the scope of the Secsh File Transfer project expanded to include file access and file management. Eventually, development stalled as some committee members began to view SFTP as a file system protocol, not just a file access or file transfer protocol, which places it beyond the purview of the working group. [6] After a seven-year hiatus, in 2013 an attempt was made to restart work on SFTP using the version 3 draft as the baseline. [7]

Versions 0–2

Prior to the IETF's involvement, SFTP was a proprietary protocol of SSH Communications Security, designed by Tatu Ylönen with assistance from Sami Lehtinen in 1997. [8] The differences between versions 0–2 and version 3 are enumerated in section 10 of draft-ietf-secsh-filexfer-02.

Version 3

At the outset of the IETF Secure Shell File Transfer project, the Secsh group stated that its objective of SSH File Transfer Protocol was to provide a secure file transfer functionality over any reliable data stream, and to be the standard file transfer protocol for use with the SSH-2 protocol.

Drafts 00–02 of the IETF Internet Draft define successive revisions of version 3 of the SFTP protocol. Version 3 is the version implemented by OpenSSH's sftp client and sftp-server, which extend it through the protocol's extension mechanism rather than by adopting a later draft. [9]

Version 4

Drafts 03–04 of the IETF Internet Draft define version 4 of the protocol.

Version 5

Draft 05 of the IETF Internet Draft defines version 5 of the protocol.

Version 6

Drafts 06–13 of the IETF Internet Draft define successive revisions of version 6 of the protocol.

Extensions

The SFTP protocol supports a generic way of indicating extended commands (SSH_FXP_EXTENDED requests), along with a method of advertising extensions during version negotiation: both the client's SSH_FXP_INIT and the server's SSH_FXP_VERSION packets may carry a list of extension name and data pairs after the version number. The draft requests an IANA registry for extension names, but since the protocol never became an official standard, no such registry has been created. [3]

Software

SFTP client

The term SFTP can also refer to Secure file transfer program, a command-line program that implements the client part of this protocol. As an example, the sftp program supplied with OpenSSH implements this. [10]

Some implementations of the scp program support both the SFTP and SCP protocols to perform file transfers, depending on what the server supports. The scp program supplied with OpenSSH 9.0 and higher defaults to using SFTP. [11]

SFTP server

Some FTP server products also implement the SFTP protocol; outside dedicated file servers, however, SFTP support is usually provided by an SSH server implementation, since SFTP shares the default port 22 with the other SSH services. A standalone SFTP implementation may bundle its own SSH protocol implementation so that SSH connection details can be integrated with pre-existing FTP server access controls, which is practical where running an alternative SSH server is acceptable or where an alternative port can be used. Alternatively, an SSH-2 server that supports subsystems can be kept as the single SSH implementation while third-party software supplies finer-grained access controls, at the cost of close integration with connection details and of SSH-1 compatibility.

SFTP proxy

It is difficult to control SFTP transfers on security devices at the network perimeter. There are standard tools for logging and proxying FTP transactions, such as the TIS fwtk FTP proxy or the SUSE FTP proxy, but SFTP traffic is encrypted inside the SSH channel, so traditional application-layer proxies cannot see or control it.

Some tools implement a man-in-the-middle for SSH and also offer SFTP control. Examples are Shell Control Box from Balabit [12] and CryptoAuditor from SSH Communications Security [13] (the original developer of the Secure Shell protocol); these provide functions such as SFTP transaction logging and logging of the actual data transmitted on the wire. Because such a device terminates the SSH session and re-establishes it toward the server, clients see the proxy's host key rather than the server's, and the proxy itself becomes a trusted component that must be protected accordingly.


References

  1. "The What's, How's and Why's of SFTP".
  2. Barrett, Daniel; Silverman, Richard E. (2001), SSH, The Secure Shell: The Definitive Guide, Cambridge: O'Reilly, ISBN 0-596-00011-1
  3. Galbraith, Joseph; Saarenmaa, Oskari (18 July 2006). "SSH File Transfer Protocol". Internet Engineering Task Force.
  4. Barrett, Daniel; Silverman, Richard E. (2001), SSH, The Secure Shell: The Definitive Guide, Cambridge: O'Reilly, ISBN 0-596-00011-1
  5. "Secsh Status Pages". Tools.ietf.org. Retrieved 2012-08-20.
  6. "ietf.secsh—Formal consultation prior to closing the secsh working group—msg#00010—Recent Discussion". Osdir.com. 2006-08-14. Archived from the original on 2012-03-20. Retrieved 2012-08-20.
  7. Moonesamy, S. (2013-07-12). "SSH File Transfer Protocol—draft-moonesamy-secsh-filexfer-00". Tools.ietf.org.
  8. ftp://ftp.ietf.org/ietf-mail-archive/secsh/2012-09.mail
  9. "openssh-portable sftp.h". GitHub. OpenSSH. 24 May 2023.
  10. "OpenBSD manual page for the "sftp" command: "See Also" section". OpenBSD.org. Retrieved 2018-02-04.
  11. "OpenSSH 9.0". OpenSSH Release Notes. 8 April 2022.
  12. "Record SSH/RDP/Citrix into Audit Trail—Activity Monitoring Device". Balabit.com. Retrieved 2012-08-20.
  13. "Privileged Access Control and Monitoring". SSH.com. Retrieved 2014-11-25.