SFTP and SCP

B. P. Blackshaw
Enterprise Distributed Technologies

SFTP is an abbreviation for SSH File Transfer Protocol, and is exactly that: a protocol for transferring files over an SSH connection.

SFTP is not the standard FTP protocol running over SSH. Although SFTP has similar capabilities and even similar commands to standard FTP, these similarities are purely superficial. The protocol is completely different and incompatible with FTP and its secure extension, FTPS.

SCP is also a file transfer protocol that runs over SSH connections. It is a precursor to SFTP, and allows the copying of files and directories over SSH.

In order to understand SFTP and SCP, it is helpful to have a basic understanding of SSH.

SSH – Secure Shell

SSH is a standard designed to allow logging in to, and executing commands on, a remote computer in a manner similar to telnet, rlogin and rsh. Unlike those protocols, it does so over an encrypted and integrity-protected network connection, and so offers a much higher level of security.

The first version of the standard, SSH-1, was designed in 1995 by Tatu Ylönen. The second version, SSH-2, was standardised by the IETF SECSH working group (RFC 4251 to RFC 4254, published in 2006). It offers a higher level of security than its predecessor; SSH-1 should be treated as obsolete, and current OpenSSH releases no longer support it at all.

In order for a computer to accept SSH connections, it must be running an SSH server, such as OpenSSH's sshd, listening on a port that clients can reach (usually TCP port 22). The client computer must have an SSH client, and the user must have an account or identity that the server recognises.

Private/public key pairs in SSH traditionally use either the DSA or the RSA asymmetric key algorithm, and most SSH servers accept both. Current implementations also support ECDSA and Ed25519 keys. DSA (ssh-dss) is limited to 1024-bit keys and has been disabled by default in OpenSSH since version 7.0, so new deployments should use Ed25519 keys or RSA keys of at least 2048 bits.

Clients validate the server in SSH via a known hosts file. The client maintains a file containing the hostname (or IP address) of each SSH server it trusts, together with that server's public host key. During key exchange the server sends its public host key and a signature, made with the matching private key, over the freshly negotiated session data; the client verifies the signature and then checks the key against its own record for that host. A key that does not match the stored one means either that the server's key was legitimately replaced or that a man-in-the-middle is intercepting the connection, and the client should refuse to continue. On a first connection there is no record yet, so the client has to obtain the key's fingerprint out of band (or, as most clients do when they prompt the user, accept it on trust) before the file offers any protection.
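The following is an added example, not code from the original article or from Enterprise Distributed Technologies. It re-implements, with only the Python standard library, what an SSH client does with the host key a server presents: look the hostname up in a known_hosts file (both plain entries and the hashed "|1|salt|hash" entries that OpenSSH writes when HashKnownHosts is enabled), compare the stored key with the one received, and print the SHA256 fingerprint in the same "SHA256:..." form that ssh-keygen -lf prints. The host key, the hostnames and the known_hosts content are constructed for the example; the key is a syntactically valid ssh-ed25519 blob with a dummy 32-byte public key, not a real server's key.

```python
"""Look up an SSH server in a known_hosts file and check the key it presented."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (big-endian uint32 length, then the data)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key: the wire form a server sends, with a dummy 32-byte public key.
SAMPLE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY_BLOB).decode()


def fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint as OpenSSH prints it: base64 with the '=' padding removed."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Build the '|1|salt|hash' host field written when HashKnownHosts is on (HMAC-SHA1)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(pattern: str, hostname: str) -> bool:
    """Match one known_hosts host field: a comma-separated name list or a hashed entry."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return hostname in pattern.split(",")


def lookup_known_host(known_hosts_text: str, hostname: str, key_type: str):
    """Return the stored key blob for hostname and key_type, or None if there is none."""
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        # Comments, blank lines and marker lines (@cert-authority, @revoked) are skipped;
        # skipping @revoked yields 'unknown' rather than 'ok', which is the safe direction.
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        hosts, ktype, key_b64 = fields[0], fields[1], fields[2]
        if ktype == key_type and host_matches(hosts, hostname):
            return base64.b64decode(key_b64)
    return None


def verify_server_key(known_hosts_text: str, hostname: str, key_type: str, presented: bytes) -> str:
    """Classify the presented key: 'ok', 'MISMATCH' (possible man-in-the-middle) or 'unknown'."""
    stored = lookup_known_host(known_hosts_text, hostname, key_type)
    if stored is None:
        return "unknown"
    return "ok" if hmac.compare_digest(stored, presented) else "MISMATCH"


# Constructed known_hosts content: a plain entry and a hashed entry for the same sample key.
KNOWN_HOSTS = "\n".join([
    "# plain entry: several names for one host, one key",
    "sftp.example.com,192.0.2.10 ssh-ed25519 %s" % SAMPLE_KEY_B64,
    "# hashed entry, as written when HashKnownHosts is enabled (20-byte salt)",
    "%s ssh-ed25519 %s" % (hashed_host_entry("backup.example.net", b"0123456789abcdefghij"), SAMPLE_KEY_B64),
])

if __name__ == "__main__":
    for host in ("sftp.example.com", "backup.example.net", "evil.example.org"):
        print(host, verify_server_key(KNOWN_HOSTS, host, "ssh-ed25519", SAMPLE_KEY_BLOB))
    print("fingerprint:", fingerprint(SAMPLE_KEY_BLOB))
```

The "unknown" result is the first-connection case: the right response is to compare the fingerprint with one obtained from the server's administrator, not to accept the key blindly. The "MISMATCH" result is the case that matters most, and a client should stop there rather than prompt the user to continue.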

The server authenticates clients who connect to it. The client must be previously set up as an SSH user (or in some cases as a user on the server machine). In password authentication, the client sends its password over the already-encrypted connection and the server checks it against that user's credentials. In public key authentication, the client uses its private key to sign data that includes the session identifier, so the signature cannot be replayed on another connection, and sends the signature to the server. The server verifies the signature with the client's public key, which must therefore already be installed on the server (for OpenSSH, in the user's authorized_keys file).

SCP – Secure Copy

Since the early days of SSH, file transfers have been supported through a command called scp. This command securely copies files or directories between computers, and nothing more: it provides no other file operations such as listing, deleting, renaming, or directory navigation.
SCP itself provides no authentication or encryption; it relies on the underlying protocol, usually SSH, for both. The scp wire protocol is an undocumented relic of the old BSD rcp command, and because the remote side works by executing a command on the server it is awkward to confine. For that reason OpenSSH 9.0 switched its scp command to use the SFTP protocol by default, leaving the legacy protocol available with scp -O.
CompleteFTP offers full support for SCP.

SFTP – SSH File Transfer Protocol

SFTP runs as a subsystem of SSH-2: the client authenticates and opens an SSH session in the usual way, then requests the "sftp" subsystem, and from that point both ends exchange SFTP packets over the encrypted channel. Unlike SCP, it is a full remote file access protocol. As well as uploading and downloading, clients can list directories, create and remove directories, rename and delete files, read and set attributes such as permissions and timestamps, and resume transfers by reading or writing at an offset within a file.

Protocol version 3, defined in the IETF SECSH draft draft-ietf-secsh-filexfer-02, is the version that almost all servers and clients implement. The later drafts (protocol versions 4 to 6) were never published as an RFC and are rarely supported.

Because SFTP inherits SSH's authentication and encryption, it needs only the single TCP port the SSH server listens on, and the host key and user key considerations described above apply to it unchanged.

Comparison of FTPS and SFTP

While FTPS and SFTP are completely different protocols, they offer the same basic feature – secure file transfers.  It is therefore common to be faced with the choice of one or the other. This section provides some pros and cons of these two protocols.

Security

Under ideal conditions SFTP and FTPS offer comparable levels of security, but many SFTP deployments suffer from a configuration weakness that is an artifact of SFTP's close relationship with SSH. The problem arises when you want to allow SFTP access to a server but not interactive SSH access. This is generally not a problem for pure SFTP servers (such as CompleteFTP), which implement no shell at all, but on a combined SSH/SFTP server such as OpenSSH the SFTP subsystem is just one of the things an authenticated SSH user can request. Unless the account is explicitly restricted (on OpenSSH, a ForceCommand of internal-sftp, normally combined with a ChrootDirectory and with TCP, X11 and agent forwarding disabled for that account), any user who holds SFTP credentials can point an ordinary SSH client at the server and obtain a shell or set up port forwarding through it. FTPS does not have this problem, since it is purely a file transfer protocol and not a remote console protocol.
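The following is an added example, not code from the original article or from any of the products it mentions. It shows the OpenSSH sshd_config settings that confine an SFTP-only group to the internal-sftp subsystem and a chroot, and turn off the forwarding features that a shell-less account could otherwise still use, alongside a small audit function that reports which of those settings are missing from a given configuration. Both configuration texts are constructed for the example; the group name sftponly and the chroot path are assumptions.

```python
"""Audit an OpenSSH sshd_config for a complete SFTP-only lockdown of one group."""

# Settings required inside the 'Match Group' block. A value of None means the keyword
# must be present with any value; otherwise the first token of the value must match.
REQUIRED_MATCH_SETTINGS = {
    "forcecommand": "internal-sftp",   # no shell and no arbitrary commands
    "chrootdirectory": None,            # confine the account to one directory tree
    "allowtcpforwarding": "no",         # no port forwarding through the server
    "x11forwarding": "no",
    "permittunnel": "no",
    "allowagentforwarding": "no",
    "permittty": "no",
}

# Constructed weak configuration: ForceCommand alone still leaves forwarding enabled.
WEAK_CONFIG = """
Subsystem sftp /usr/lib/openssh/sftp-server
Match Group sftponly
    ForceCommand internal-sftp
"""

# Constructed hardened configuration (group name and paths are assumptions).
HARDENED_CONFIG = """
Subsystem sftp internal-sftp
PasswordAuthentication no

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -u 0027
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
    AllowAgentForwarding no
    PermitTTY no
"""


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    Keywords are case-insensitive in sshd_config, so keys are lower-cased, and as in
    sshd itself the first occurrence of a keyword in a section is the one that counts.
    """
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            blocks.append((" ".join(value.lower().split()), current))
            continue
        current.setdefault(keyword, value)
    return global_settings, blocks


def audit_sftp_only(text, group="sftponly"):
    """Return a list of findings; an empty list means the lockdown is complete."""
    findings = []
    global_settings, blocks = parse_sshd_config(text)
    if not global_settings.get("subsystem", "").lower().startswith("sftp "):
        findings.append("no 'Subsystem sftp ...' line; SFTP is not enabled")
    wanted = "group %s" % group.lower()
    match = next((settings for crit, settings in blocks if crit == wanted), None)
    if match is None:
        findings.append("no 'Match Group %s' block; members get normal SSH access" % group)
        return findings
    for key, expected in REQUIRED_MATCH_SETTINGS.items():
        actual = match.get(key)
        if actual is None:
            findings.append("%s is not set in the Match block" % key)
        elif expected is not None and (actual.split() or [""])[0].lower() != expected:
            findings.append("%s is '%s', expected '%s'" % (key, actual, expected))
    return findings


if __name__ == "__main__":
    for name, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sftp_only(config) or "OK")
```

The audit only reads the configuration; two operational requirements are outside its reach. The ChrootDirectory path and every component above it must be owned by root and not writable by group or others, or sshd refuses the login, and the user's writable upload area must be a subdirectory inside the chroot. Using internal-sftp rather than the external sftp-server binary is what makes the chroot workable, because nothing needs to exist inside it.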

Upgrading

FTPS is a straightforward extension to an existing FTP infrastructure. It is supported by most commercial servers and many open source servers (e.g. wu-ftpd and proftpd), so enabling FTPS on a server is usually just a matter of adding a few configuration options. There is no need to run additional servers, since FTPS servers almost always support plain FTP as well, and no need to open additional ports in firewalls, since FTPS uses the same ports as FTP. It is important to note that data-transfer problems can sometimes arise when changing from FTP to FTPS; see the "Firewalls" section below.

Certificates

SFTP uses raw keys rather than X.509 certificates. This means that it cannot take advantage of the "chain of trust" paradigm facilitated through Certificate Authorities, which makes it possible for two entities to establish a trust relationship without directly exchanging security information and is important for some applications. FTPS uses X.509 certificates and therefore can take advantage of this paradigm. With SFTP, a server's host key has to be distributed to clients, and for public key authentication each client's public key has to be installed on the server. (OpenSSH does have its own lightweight certificate format, in which an SSH CA key signs user and host keys with ssh-keygen -s, but it is not X.509 and does not interoperate with TLS certificate authorities.)

Firewalls

SFTP often works better through some firewalls since it does not rely on multiple connections like FTP does.  As explained in an earlier chapter, FTP and FTPS both use a control channel to send commands, and a new data connection for each file transfer.  While the control channel is usually easily connected, it is common to experience firewall-related problems when connecting data-channels.  This is particularly so in FTPS where the FTP-specific features of most firewalls are ineffective due to encryption.  Since SFTP relies on a single network connection, it does not suffer from these problems.