SFTP (SSH File Transfer Protocol) is a secure file transfer protocol. It runs on top of the SSH protocol. It supports full SSH security and authentication functionality.
SFTP has virtually replaced legacy FTP as a file transfer protocol, and is rapidly replacing FTP/S. It provides all the functionality these protocols offer, but more securely and reliably, with simpler setup. Basically, there is no longer any reason to use legacy protocols.
SFTP also protects against password sniffing and man-in-the-middle attacks. It protects data integrity using encryption and cryptographic hash functions, and authenticates both the server and the user.
The SFTP port number is SSH port 22. It is basically just an SSH server. The SFTP protocol can only be started once the user has logged in to the server using SSH. There is no separate SFTP port exposed on servers, so there is no need to open another hole in the firewalls.
SFTP clients for Windows and Mac
There are many SFTP client implementations available. Many SSH clients support SFTP.
SSH Client Cyberduck
SFTP server for Linux, Windows and Mac
The SFTP server usually comes as part of an SSH implementation. Most organizations use Tectia SSH or OpenSSH as a server; both come with out-of-the-box SFTP server deployments.
Tectia SSH Server for Windows
Tectia SSH Server
IBM z/OS OpenSSH mainframes
FileZilla – a free sftp server for Windows
– open source server for Linux
The scp command is a file transfer program for SFTP on Linux. The scp command-line interface was designed after the old rcp command in BSD Unix. scp also usually comes with the OpenSSH package.
Its typical use is:
scp [-r] file … [user@]host:[path]
Basically, this copies one or more files to the given host. If user is provided, it is copied to that account on the host. If no user is provided, the same user name as on the client side is assumed. If the path is provided, the files are copied to that directory (relative to the given user’s home directory). If no path is provided, the files are copied to the user’s home directory. If the -r option is provided, then the files can be directories, and the given directory and all its subdirectories and files in them (recursively) are copied.
Files can also be copied in the reverse direction:
scp [-r] [user@]host:file path
Commonly, the path would be ., that is, the current directory.
SFTP command on Linux
The sftp command is a client program for SFTP. The sftp command line interface was designed to be similar to the ftp command. The sftp command is usually part of the OpenSSH package.
SSHFS and using SFTP to share files
SFTP can also be used for file sharing, similar to Windows file sharing and Linux NFS. The main difference is that SFTP is secure and can be used reliably through network address translation (NAT) and the public Internet.
Sshfs is a network file system for Linux that runs on top of the SFTP protocol. You can use any SSH server as a server and use remote files over the network as if they were local files. The remote file system can be mounted and unmounted as desired. It is the most convenient way to mount ad hoc remote files, without the need for any configuration by the server administrator. SSH keys can even fully automate the establishment of the connection to the server. Basically, anyone who can log on to the server can mount their file system, with access to the files that the user has access to.
Other file sharing implementations that use SFTP include:
Expandrive (Windows and Mac)
Apache Commons VFS
Interactive and automated secure file transfers
Like SSH, SFTP is a client-server protocol. SFTP clients are included in quality SSH clients, and full enterprise-grade SSH implementations provide SFTP client and server functionality. Some SSH clients, such as Tectia SSH, also provide graphical views of the file manager on remote file systems.
On Linux, SFTP is often used as a command-line utility that supports interactive and automated file transfers. Public key authentication can be used to fully automate logins for automated file transfers. However, proper lifecycle management of SSH keys is important to keep access under control.
Common use cases for automated file transfers include nightly system backups, copying data to disaster recovery systems, distributing configuration data, and moving transaction logs to file systems. Many organizations have thousands of SSH transfers daily. In some cases, we’ve seen over 5 million automated SSH logins daily.
Business File Transfer
Some business file transfer products that support SFTP are as follows. Nothing on this page should be taken as an endorsement of any product or solution.
IBM MQ Managed File Transfer
IPSwitch MOVEit Complete
Solarwinds Managed File Transfer
Axway Secure MFT: SecureTransport
Stonebranch Universal Data Mover
Tibco Managed File
Redwood Managed File Transfer
Managed File Transfer
MFT Server Gateway
Coviant Diplomat Managed File Transfer
Managed File Transfer Secure
SFTP libraries for developers
There are many open source SSH libraries available for various programming languages.
Rebex protocol SFTP is an implementation of .NET (C#)
codeignioter-sftp is an
phpseclib is another implementation of PHP
ActiveX component JCraft
is another implementation of Java
Comparison of Commons VFS, SSHJ and JSch libraries for
is an implementation of Python
is another implementation of Python
sftp is an implementation of the Go language
libssh is a C implementation of the protocol
is another C implementation of
implementation of PHP
JSch is an implementation of Java SSHJ
List of client libraries SFTP
SFTP support
SFTP protocol
The SFTP protocol runs on top of the SSH protocol as a subsystem. It was originally designed by Tatu Ylonen for SSH 2.0 in 1997-1998. There is no separate SFTP port; it uses the normal SSH port.
Full documentation of the SFTP protocol can be found in the Internet-Draft draft-ietf-secsh-filexfer-02.
The protocol supports multiple simultaneous operations. Each operation is identified by a unique number assigned by the client, and the response from the server contains the same identification number. The server can process requests asynchronously and can return out-of-order responses. For performance reasons, file transfer clients often send multiple requests before stopping to wait for responses.
Operations or packet types supported by the protocol include:
INIT: sends client version numbers and extensions to the server
VERSION: returns the version number of the server and extensions to the client
OPEN: opens or creates a file, returning a file handle
CLOSE: closes a file handle
READ: reads data from a file
WRITE: writes data to a file
OPENDIR: opens a directory to read, returning a directory handle
READDIR: reads file names and attributes from a directory handle
RMDIR: deletes a directory
REMOVE: deletes a file
RENAME: renames a file
STAT: returns file attributes given a path, following symbolic links
LSTAT: returns file attributes given a path, without following symbolic links
FSTAT: returns file attributes given a file handle
SETSTAT: modifies file attributes given a path
FSETSTAT: modifies file attributes given a file handle
READLINK: reads the value of a symbolic link
SYMLINK: creates a symbolic link
REALPATH: canonicalizes a server-side relative path to an absolute path
The server returns the following response packets:
STATUS: indicates the success or failure of an operation
HANDLE: returns a file handle when successful
DATA: returns data when successful
ATTRS: returns file attributes when successful
There is also an extension mechanism for arbitrary vendor-specific extensions. Supported extensions are negotiated using the INIT and VERSION packets.
EXTENDED: sends a vendor-specific request from client to server
EXTENDED_REPLY: sends a vendor-specific response from server to client
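The packet framing and request-id matching described above, as an added Python example (not code from the Internet-Draft or from any SSH implementation): it builds pipelined READ requests and pairs out-of-order responses with them. The packet type numbers are those of draft-ietf-secsh-filexfer-02; the handle h0, the 256 KiB frame limit and the server reply bytes are constructed for illustration.

```python
import struct

# Packet type numbers from draft-ietf-secsh-filexfer-02 (subset). INIT and
# VERSION are left out: they carry a version number, not a request-id.
FXP = {"OPEN": 3, "CLOSE": 4, "READ": 5, "WRITE": 6,
       "STATUS": 101, "HANDLE": 102, "DATA": 103, "NAME": 104, "ATTRS": 105}
NAMES = {v: k for k, v in FXP.items()}
MAX_FRAME = 256 * 1024  # assumed local limit; reject larger declared lengths

def sstr(b):  # SSH string: uint32 length followed by the bytes
    return struct.pack(">I", len(b)) + b

def frame(ptype, req_id, payload=b""):
    """uint32 length | byte type | uint32 request-id | type-specific payload."""
    body = struct.pack(">BI", FXP[ptype], req_id) + payload
    return struct.pack(">I", len(body)) + body

def read_request(req_id, handle, offset, length):
    return frame("READ", req_id, sstr(handle) + struct.pack(">QI", offset, length))

def parse_frames(buf):
    """Yield (type name, request-id, payload) for every complete frame."""
    pos = 0
    while pos + 4 <= len(buf):
        (n,) = struct.unpack_from(">I", buf, pos)
        if not 5 <= n <= MAX_FRAME:  # never trust the peer's length field
            raise ValueError(f"bad frame length {n}")
        if pos + 4 + n > len(buf):
            break  # incomplete frame: wait for more bytes
        ptype, req_id = struct.unpack_from(">BI", buf, pos + 4)
        yield NAMES.get(ptype, f"UNKNOWN({ptype})"), req_id, buf[pos + 9:pos + 4 + n]
        pos += 4 + n

def match_responses(pending, buf):
    """Pair each response with its outstanding request via the request-id."""
    done = {}
    for name, req_id, payload in parse_frames(buf):
        if req_id not in pending:
            raise ValueError(f"unsolicited response, request-id {req_id}")
        done[pending.pop(req_id)] = (name, payload)
    return done

def demo():
    pending = {1: 0, 2: 4, 3: 8}  # request-id -> offset of three pipelined READs
    sent = b"".join(read_request(i, b"h0", off, 4) for i, off in pending.items())
    # Constructed server reply, deliberately out of order: 3 (EOF), 1, 2.
    eof = struct.pack(">I", 1) + sstr(b"EOF") + sstr(b"")  # status code 1 = SSH_FX_EOF
    reply = (frame("STATUS", 3, eof) + frame("DATA", 1, sstr(b"abcd"))
             + frame("DATA", 2, sstr(b"efgh")))
    return [f[:2] for f in parse_frames(sent)], match_responses(pending, reply), pending
```

A response whose request-id matches no outstanding request is rejected rather than ignored, which is the check a client needs when it accepts replies in any order.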
SFTP vs. FTPS
People often want to compare SFTP vs. FTPS. FTPS is basically the old ftp protocol run over SSL (Secure Sockets Layer) or TLS (Transport Layer Security).
The benefits of SFTP over FTPS include:
SFTP runs over SSH on the standard SSH port. Therefore, there is no need to open additional ports on the server and no need to maintain any additional authentication. This simplifies configuration and reduces the likelihood of configuration errors.
FTPS needs complicated firewall configuration and may not work over NAT. Ports 989 and 990 must be open. In addition, FTPS supports both active and passive modes (see FTP), which further complicates firewall configurations and is prone to problems.
FTPS requires an X.509 certificate for the server, typically from a public certification authority. SSH works without any centralized infrastructure. SFTP can use any certification method or host key distribution that is in use for SSH, without the need for additional work and ongoing maintenance.
FTPS is basically FTP, which means it has ASCII mode, which can corrupt files if the mode is not configured correctly. Some implementations use ASCII mode by default.
FTPS cannot be used as a file system. (This doesn’t improve security, since you can still read the same files.)
FTPS requires an additional server software package to be installed and patched, while SFTP usually comes with SSH with the system.