The SSH File Transfer Protocol (SFTP) is a network protocol that provides file access, file transfer, and file management over any reliable data stream. It was designed by the Internet Engineering Task Force (IETF) as an extension of the Secure Shell protocol (SSH) version 2.0 to provide secure file transfer capabilities. The IETF Internet Draft states that, even though this protocol is described in the context of the SSH-2 protocol, it could be used in a number of different applications, such as secure file transfer over Transport Layer Security (TLS) and transfer of management information in VPN applications.
This protocol assumes that it is run over a secure channel, such as SSH, that the server has already authenticated the client, and that the identity of the client user is available to the protocol.
Compared to the SCP protocol, which only allows file transfers, the SFTP protocol allows for a range of operations on remote files, which makes it more like a remote file system protocol. An SFTP client's extra capabilities include resuming interrupted transfers, directory listings, and remote file removal.
SFTP attempts to be more platform-independent than SCP; with SCP, for instance, the expansion of wildcards specified by the client is up to the server, whereas SFTP's design avoids this problem. While SCP is most frequently implemented on Unix platforms, SFTP servers are commonly available on most platforms.
SFTP is not FTP run over SSH, but rather a new protocol designed from the ground up by the IETF SECSH working group. It is sometimes confused with Simple File Transfer Protocol.
The protocol itself does not provide authentication and security; it expects the underlying protocol to secure this. SFTP is most often used as a subsystem of SSH protocol version 2 implementations, having been designed by the same working group. It is possible, however, to run it over SSH-1 (and some implementations support this) or other data streams. Running an SFTP server over SSH-1 is not platform-independent, as SSH-1 does not support the concept of subsystems. An SFTP client willing to connect to an SSH-1 server needs to know the path to the SFTP server binary on the server side.
Uploaded files may be associated with their basic attributes, such as time stamps. This is an advantage over the common FTP protocol.
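The wire format the paragraphs above describe is simple enough to show end to end. The following is an added example, not code from the article or from any SFTP implementation: it frames and parses version-3 packets as laid out in draft-ietf-secsh-filexfer-02 (uint32 length, one type byte, payload; strings as uint32 length plus bytes), runs the SSH_FXP_INIT / SSH_FXP_VERSION handshake from both sides, and encodes and decodes an SSH_FXP_OPEN request. The packet-type and pflag constants are the draft's; the MAX_PACKET bound and the function names are this example's own assumptions, added so that a hostile length field is rejected rather than trusted.

```python
import struct

# Packet types and open flags from draft-ietf-secsh-filexfer-02 (protocol version 3).
SSH_FXP_INIT, SSH_FXP_VERSION, SSH_FXP_OPEN = 1, 2, 3
SSH_FXF_READ, SSH_FXF_WRITE, SSH_FXF_APPEND = 0x01, 0x02, 0x04
SSH_FXF_CREAT, SSH_FXF_TRUNC, SSH_FXF_EXCL = 0x08, 0x10, 0x20
PFLAG_NAMES = [("READ", SSH_FXF_READ), ("WRITE", SSH_FXF_WRITE), ("APPEND", SSH_FXF_APPEND),
               ("CREAT", SSH_FXF_CREAT), ("TRUNC", SSH_FXF_TRUNC), ("EXCL", SSH_FXF_EXCL)]

# Assumption of this example: an upper bound the parser enforces so a hostile
# length field cannot make the reader wait for or allocate gigabytes.
MAX_PACKET = 256 * 1024


def fxp_string(b: bytes) -> bytes:
    """Encode an SFTP string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def frame(ptype: int, payload: bytes) -> bytes:
    """Wrap a packet body as: uint32 length | byte type | payload."""
    body = bytes([ptype]) + payload
    return struct.pack(">I", len(body)) + body


def unframe(buf: bytes):
    """Split one packet off the stream.

    Returns (type, payload, remaining_bytes), or None when the buffer does not
    yet hold a complete packet. Raises ValueError for a length field that is
    zero (no room for the type byte) or larger than MAX_PACKET.
    """
    if len(buf) < 4:
        return None
    (length,) = struct.unpack(">I", buf[:4])
    if length == 0:
        raise ValueError("packet length must cover the type byte")
    if length > MAX_PACKET:
        raise ValueError("packet length %d exceeds MAX_PACKET" % length)
    if len(buf) < 4 + length:
        return None  # wait for more bytes from the stream
    body = buf[4:4 + length]
    return body[0], body[1:], buf[4 + length:]


class Reader:
    """Bounds-checked cursor over a packet payload."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def uint32(self) -> int:
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated uint32")
        (v,) = struct.unpack(">I", self.data[self.pos:self.pos + 4])
        self.pos += 4
        return v

    def string(self) -> bytes:
        n = self.uint32()
        if self.pos + n > len(self.data):
            raise ValueError("string length %d runs past end of packet" % n)
        s = self.data[self.pos:self.pos + n]
        self.pos += n
        return s


def client_init(version: int = 3) -> bytes:
    """First client message: SSH_FXP_INIT carrying the highest version it speaks."""
    return frame(SSH_FXP_INIT, struct.pack(">I", version))


def server_version_reply(init_packet: bytes, server_version: int = 3):
    """Server side of the handshake: answer INIT with SSH_FXP_VERSION carrying
    the lower of the client's and the server's version. Returns (version, packet)."""
    ptype, payload, _ = unframe(init_packet)
    if ptype != SSH_FXP_INIT:
        raise ValueError("expected SSH_FXP_INIT, got type %d" % ptype)
    negotiated = min(Reader(payload).uint32(), server_version)
    return negotiated, frame(SSH_FXP_VERSION, struct.pack(">I", negotiated))


def open_request(req_id: int, path: bytes, pflags: int) -> bytes:
    """SSH_FXP_OPEN: uint32 id, string filename, uint32 pflags, ATTRS (flags=0 here)."""
    payload = (struct.pack(">I", req_id) + fxp_string(path)
               + struct.pack(">I", pflags) + struct.pack(">I", 0))
    return frame(SSH_FXP_OPEN, payload)


def parse_open(packet: bytes) -> dict:
    """Decode an SSH_FXP_OPEN request into its id, path and named open flags."""
    ptype, payload, _ = unframe(packet)
    if ptype != SSH_FXP_OPEN:
        raise ValueError("expected SSH_FXP_OPEN, got type %d" % ptype)
    r = Reader(payload)
    req_id, path, pflags = r.uint32(), r.string(), r.uint32()
    r.uint32()  # ATTRS flags; 0 means no attribute fields follow
    names = [name for name, bit in PFLAG_NAMES if pflags & bit]
    return {"id": req_id, "path": path.decode("utf-8", "replace"), "pflags": names}


def is_malformed(packet: bytes) -> bool:
    """True when the framing or the OPEN payload fails the bounds checks above."""
    try:
        if unframe(packet) is not None:
            parse_open(packet)
        return False
    except ValueError:
        return True
```

A server loop would call unframe() repeatedly on its receive buffer, keeping the returned remainder; an incomplete packet (None) means read more, while a ValueError means the peer violated the framing and the channel should be closed rather than resynchronised.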
The Internet Engineering Task Force (IETF) working group Secsh that was responsible for the development of the Secure Shell version 2 protocol (RFC 4251) also attempted to draft an extension of that standard for secure file transfer. Internet Drafts were created that successively revised the protocol into new versions. The software industry began to implement various versions of the protocol before the drafts were standardized. As development work progressed, the scope of the Secsh File Transfer project expanded to include file access and file management. Eventually, development stalled as some committee members began to view SFTP as a file system protocol, not just a file access or file transfer protocol, which places it beyond the purview of the working group. After a seven-year hiatus, in 2013 an attempt was made to restart work on SFTP using the version 3 draft as the baseline.
Prior to the IETF's involvement, SFTP was a proprietary protocol of SSH Communications Security, designed by Tatu Ylönen with assistance from Sami Lehtinen in 1997. Differences between versions 0–2 and version 3 are enumerated in section 10 of draft-ietf-secsh-filexfer-02.
At the outset of the IETF Secure Shell File Transfer project, the Secsh group stated that the objective of the SSH File Transfer Protocol was to provide secure file transfer functionality over any reliable data stream, and to be the standard file transfer protocol for use with the SSH-2 protocol.
Drafts 00 – 02 of the IETF Internet Draft define successive revisions of version 3 of the SFTP protocol.
SSH File Transfer Protocol, Draft 00, January 2001
SSH File Transfer Protocol, Draft 01, March 2001
SSH File Transfer Protocol, Draft 02, October 2001
Drafts 03 – 04 of the IETF Internet Draft define version 4 of the protocol.
Draft 05 of the IETF Internet Draft defines version 5 of the protocol.
Drafts 06 – 13 of the IETF Internet Draft define successive revisions of version 6 of the protocol.
SSH File Transfer Protocol, Draft 06, October 2004
SSH File Transfer Protocol, Draft 07, March 2005
SSH File Transfer Protocol, Draft 08, April 2005
SSH File Transfer Protocol, Draft 09, June 2005
SSH File Transfer Protocol, Draft 10, June 2005
SSH File Transfer Protocol, Draft 11, January 2006
SSH File Transfer Protocol, Draft 12, January 2006
SSH File Transfer Protocol, Draft 13, July 2006
The term SFTP can also refer to Secure file transfer program, a program that implements the client part of this protocol. As an example, the sftp program supplied with OpenSSH implements this.
Some implementations of the scp program support both the SFTP and SCP protocols to perform file transfers, depending on what the server supports.
Some FTP server implementations implement the SFTP protocol; however, outside of dedicated file servers, SFTP protocol support is usually provided by an SSH server implementation, as it shares the default port of 22 with other SSH services. SFTP implementations may include an SSH protocol implementation to leverage integration of SSH connection details with preexisting FTP server access controls, where an alternative SSH server is tolerable or where alternative ports may be used. An SSH2 server which supports subsystems may be leveraged to keep a uniform SSH implementation while enhancing access controls with third-party software, at the cost of fine-grained integration with connection details, and SSH1 compatibility.
It is difficult to control SFTP transfers on security devices at the network perimeter. There are standard tools for logging FTP transactions, like TIS fwtk or SUSE FTP proxy, but SFTP is encrypted, rendering traditional proxies ineffective for controlling SFTP traffic.
There are some tools that implement man-in-the-middle for SSH which also feature SFTP control. Examples of such tools are Shell Control Box from Balabit and CryptoAuditor from SSH Communications Security (the original developer of the Secure Shell protocol), which provide functions such as SFTP transaction logging and logging of the actual data transmitted on the wire.
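Because SFTP is normally delivered as a subsystem of an SSH-2 server, the access controls live in the SSH server's configuration. The fragment below is an added example for OpenSSH's sshd_config, not text from the article or from the OpenSSH project; it assumes a local group named sftponly and a per-user directory /srv/sftp/<user> that is root-owned and not writable by the group or others (OpenSSH refuses to chroot into a directory that is), with a user-writable upload directory inside it.

```conf
# Added example: restrict members of group "sftponly" to the SFTP subsystem.
# Assumptions: group sftponly exists; /srv/sftp/<user> is owned by root and
# not group/world writable; the user owns /srv/sftp/<user>/upload.

# Serve SFTP through the SSH-2 subsystem mechanism. internal-sftp runs inside
# sshd itself, so no sftp-server binary needs to exist inside the chroot.
Subsystem sftp internal-sftp

Match Group sftponly
    # %u expands to the authenticated user name
    ChrootDirectory /srv/sftp/%u
    # Force the subsystem regardless of what the client asked for;
    # -l INFO records each open/close/remove/rename with paths and byte
    # counts, -f AUTH sends those records to the auth syslog facility.
    ForceCommand internal-sftp -l INFO -f AUTH
    # File transfer only: close the other channel types for this group
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    # Keys only, matching the public-key setup the external links describe
    PasswordAuthentication no
```

The ForceCommand line is what turns the server into an SFTP-only endpoint for that group: even a client that requests an interactive shell or a remote command is handed the subsystem instead, and the per-operation log records give the server-side visibility that the encrypted transport denies to network proxies.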
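Where a man-in-the-middle appliance is not in place, the practical alternative is to log on the endpoint: OpenSSH's sftp-server and internal-sftp can be started with a log level of INFO, after which they emit one syslog record per session open, file open, close (with bytes read and written), remove and rename. The script below is an added example, not code from the article or from OpenSSH; it parses a handful of constructed log lines written in the style of those records (the exact message wording is this example's assumption about the OpenSSH format and should be checked against your own server's output), reconstructs per-session activity, and raises two simple findings a defender cares about: large downloads and files uploaded and then deleted within the same session.

```python
import re

# Constructed sample records in the style of OpenSSH internal-sftp "-l INFO"
# logging (one SFTP session, pid 2211). Not taken from a real server.
SAMPLE_LINES = [
    'Mar  3 10:01:12 host sshd[2211]: session opened for local user alice from [203.0.113.7]',
    'Mar  3 10:01:13 host sshd[2211]: open "/upload/q1.csv" flags WRITE,CREATE,TRUNCATE mode 0644',
    'Mar  3 10:01:14 host sshd[2211]: close "/upload/q1.csv" bytes read 0 written 48213',
    'Mar  3 10:01:20 host sshd[2211]: open "/upload/archive.db" flags READ mode 0666',
    'Mar  3 10:01:21 host sshd[2211]: close "/upload/archive.db" bytes read 1048576 written 0',
    'Mar  3 10:01:25 host sshd[2211]: rename old "/upload/q1.csv" new "/upload/q1.csv.bak"',
    'Mar  3 10:01:30 host sshd[2211]: remove name "/upload/q1.csv.bak"',
    'Mar  3 10:01:40 host sshd[2211]: session closed for local user alice from [203.0.113.7]',
    'Mar  3 10:02:00 host sshd[2300]: Accepted publickey for bob from 198.51.100.9 port 50012 ssh2',
]

# Syslog prefix shared by every line; the sshd pid ties records to a session.
LINE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
                  r'sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
OPENED = re.compile(r'^session opened for local user (?P<user>\S+) from \[(?P<addr>[^\]]+)\]$')
CLOSE = re.compile(r'^close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)$')
RENAME = re.compile(r'^rename old "(?P<old>[^"]+)" new "(?P<new>[^"]+)"$')
REMOVE = re.compile(r'^remove name "(?P<path>[^"]+)"$')


def summarize(lines):
    """Group SFTP records by sshd pid into per-session activity summaries."""
    sessions = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        s = sessions.setdefault(pid, {"user": None, "addr": None, "read": {},
                                      "written": {}, "renamed": [], "removed": []})
        if (o := OPENED.match(msg)):
            s["user"], s["addr"] = o["user"], o["addr"]
        elif (c := CLOSE.match(msg)):
            # Byte counters are per file handle; accumulate per path.
            if int(c["read"]):
                s["read"][c["path"]] = s["read"].get(c["path"], 0) + int(c["read"])
            if int(c["written"]):
                s["written"][c["path"]] = s["written"].get(c["path"], 0) + int(c["written"])
        elif (r := RENAME.match(msg)):
            s["renamed"].append((r["old"], r["new"]))
            if r["old"] in s["written"]:  # keep tracking the uploaded file under its new name
                s["written"][r["new"]] = s["written"].pop(r["old"])
        elif (d := REMOVE.match(msg)):
            s["removed"].append(d["path"])
    # Drop pids that carried no SFTP records (e.g. a plain login line).
    return {pid: s for pid, s in sessions.items() if s["user"] or s["read"] or s["written"]}


def findings(sessions, download_threshold=1_000_000):
    """Return human-readable findings: bulk downloads and upload-then-delete."""
    out = []
    for pid, s in sessions.items():
        who = "pid %s user %s from %s" % (pid, s["user"], s["addr"])
        total_read = sum(s["read"].values())
        if total_read >= download_threshold:
            out.append("%s: downloaded %d bytes" % (who, total_read))
        for path in s["removed"]:
            if path in s["written"]:
                out.append("%s: uploaded then removed %s in the same session" % (who, path))
    return out


if __name__ == "__main__":
    for f in findings(summarize(SAMPLE_LINES)):
        print(f)
```

The thresholds and the upload-then-delete rule are deliberately simple; the point is that with endpoint logging the per-file, per-byte record exists at all, which is exactly what the encrypted channel hides from a perimeter device.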
Lsh – a GNU SSH-2 and SFTP server for Unix-like OSes
SSHFS – mounting a remote filesystem using SFTP and SSH
Chrooted SFTP with Public Key Authentication – integrating SFTP into FreeBSD production servers using the public key cryptography approach
User-based chrooted SFTP in GNU/Linux