SSH File Transfer Protocol 101: What it is and when to use it

SSH File Transfer Protocol (SFTP) is a secure file transfer method used to ensure the confidentiality and integrity of data transfers over the internet. It relies on SSH for secure connections and offers multiple security features, including encryption, client and host authentication, and data integrity verification.

When it comes to securely transferring files over the internet, the SSH File Transfer Protocol (SFTP) stands out as one of the most trusted and reliable solutions available. Its core security features make it extremely popular among organizations that handle sensitive data. Many of our customers, spanning diverse sectors such as financial services, healthcare, retail, manufacturing, logistics, defense, research, aerospace and e-commerce, rely on SFTP to ensure the confidentiality and integrity of their data transfers.

If you’re still in the initial stages of finding a file transfer solution for your business, we encourage you to read this post. The information you’ll find in the succeeding sections will give you a solid introduction to SFTP and help you determine if it’s the right solution for your organization.

What is SSH File Transfer Protocol?

The SSH File Transfer Protocol, also known as Secure File Transfer Protocol, is a Secure Shell (SSH) subsystem that focuses on secure file transfer and file sharing functionality. It enables you to establish a secure connection with a remote server and then lets you download files stored on that server or upload files to it. 

In the illustration shown below, one user uploads files to a remote server using SFTP, and another user downloads copies of those files, again using SFTP. So, in this particular scenario, SFTP is used to share files between two users. 


Every SFTP session is protected by multiple security controls that include host authentication, user authentication, data-in-motion encryption and data integrity. Don’t worry if you’re unfamiliar with these terms. We’ll discuss them in more detail and provide links to relevant content later in this post. All of these data security features are derived from an underlying protocol known as SSH. 

What is Secure Shell?

SSH is an open source network protocol built with cryptographic algorithms to enable secure connections with a remote host. Once a connection is established, the SSH protocol allows the entity (i.e., a user or an application) that initiated the connection to execute commands on the remote file system. 

SSH provides commands for:

  • Switching or changing current directories
  • Listing files
  • Copying files
  • Moving files
  • Displaying the current path
  • Deleting files and directories
  • Creating directories
  • Creating files
  • Opening files
  • Renaming files
  • Downloading files
  • Uploading files
  • And many others

Since SFTP runs over SSH, you can also use those commands in an SFTP file transfer session. 

Operating systems that support SSH file transfer protocol

One of the reasons why the SSH file transfer protocol is so popular is because all major operating systems readily support SSH. Most Linux and Mac devices already have SSH installed by default. Microsoft Windows devices and UNIX boxes also allow SSH to be installed on them. Once you have SSH installed, you can then perform SFTP file transfers. 

To carry out an SFTP file transfer, you’ll need an SFTP client and an SFTP server. 

What is an SFTP client?

An SFTP client is a software application that initiates a connection with an SFTP server through the SSH file transfer protocol. While this application can be controlled by a user, some SFTP clients can also function without human intervention, as in the case of those used in automated workflows. 

SFTP clients that require human intervention to function offer either a character user interface (CUI), which is also known as a terminal-based UI, or a graphical user interface (GUI). Some of the most commonly used terminal-based SFTP clients include:

  • PSFTP: The SFTP client of PuTTY, a free SSH client built for Windows.
  • OpenSSH SFTP client: The SFTP client you see in macOS and in most SSH-equipped Linux distributions.

Figure: A terminal-based SFTP client

Some of the popular GUI-based clients include:

  • WinSCP: A free multi-protocol file transfer client designed for Windows.
  • FileZilla: A free multi-protocol file transfer client that runs on Windows, macOS and Linux.
  • AnyClient by Redwood: Yet another free multi-protocol file transfer client that you can install on all major operating systems.

Figure: A GUI-based SFTP client

Recommended read: A Guide To Transferring Files Using A Windows SFTP Client

What is an SFTP server?

An SFTP server is a remote server that SFTP clients connect to; it responds to the file transfer requests issued by those clients. A single SFTP server can support multiple SFTP clients. When you say that a user uploads files through an SFTP client, those files are always stored on an SFTP server. Similarly, when you say that a user downloads files through an SFTP client, those files are always downloaded from an SFTP server.

Some of the most widely used SFTP servers include:

  • OpenSSH SFTP server: Since OpenSSH is pre-installed in many Linux distributions, the OpenSSH SFTP server is arguably the most widely used SFTP server on the planet.
  • Cerberus FTP Server by Redwood: Although known as an FTP server, Cerberus FTP Server also supports SFTP, along with other file transfer protocols.
  • JSCAPE MFT Server by Redwood: A highly advanced managed file transfer (MFT) server that supports SFTP, along with several other file transfer protocols. 

When do you use Secure File Transfer Protocol?

You can use any file transfer protocol to transfer non-sensitive files. However, if your files contain sensitive data, you’ll want to limit your choices to secure protocols that are capable of protecting your data from cyber threats. SFTP comes with a set of security features that can mitigate certain types of threats. For example, SFTP can encrypt data to prevent attackers from eavesdropping on your SFTP connections. 

That’s just one security feature though. In the following section, we’ll elaborate more on that functionality along with other security features found in SFTP. 

SSH File Transfer Protocol security features

Data-in-motion encryption

As you already know by now, SFTP encrypts data as the data is transmitted across a network. Encryption transforms readable text (also known as plaintext) into ciphertext, a sequence of jumbled characters that is meaningless unless decrypted. Data is encrypted as soon as it leaves your SFTP client and is only decrypted upon arrival at your SFTP server.

To encrypt and decrypt data, SFTP relies on a combination of symmetric and asymmetric cryptographic algorithms. If you need to send highly confidential information securely across the internet, SFTP has the capability to meet that need. The protocol enables you to employ strong cryptographic algorithms like AES-256, which are computationally infeasible to break with current technology.

Client or user authentication

Before an SFTP server grants an SFTP client access, the client must first authenticate with that server. Client authentication, which is also known as user authentication if the client is controlled by a user, ensures that only clients with valid accounts on the server are granted access. 

In SFTP, you can implement client authentication using either password-based authentication or public key authentication. 

Password-based authentication

When you use password-based authentication, your users must submit a valid password that corresponds to a user ID registered on your SFTP server. You normally use password-based authentication if the clients connecting to your server are controlled by users.

SFTP public key authentication

Public key authentication is a method of authentication that involves a private key that’s mathematically associated with a public key. Private keys, which are also known as SSH keys or SFTP keys, are kept on the client side, while public keys are kept on the server side. 

When you implement public key authentication, only clients that can present a private key that matches a public key on your server are granted access. As with password authentication, that public key must likewise be associated with a registered user ID on your SFTP server. Although public key authentication can also be used by user-controlled clients, this method is usually associated with automated SFTP clients. 

Two-factor authentication

SSH and, consequently, SFTP even allow you to combine password authentication and public key authentication. This combination is already considered two-factor authentication (2FA), which is significantly stronger than either of the two authentication methods discussed earlier and greatly reduces the risk of unauthorized access. 

Host authentication

In addition to client authentication, SFTP supports host or server authentication. This means not only does SFTP allow your server to authenticate inbound users and clients, but it also allows those users and clients to authenticate the host or server they’re connecting to. 

This capability prevents your clients from unintentionally connecting to a malicious server impersonating a legitimate one. If your users are duped into connecting with a malicious server, those users could end up uploading sensitive data to that server or downloading malware from it. 

Data integrity

Files you receive via SFTP are protected by data integrity mechanisms like hashing, checksums and message authentication codes (MACs) that check whether the data has been altered along the way. If any unexpected alterations are detected, built-in countermeasures are called into play. The specific countermeasures depend on how the SFTP protocol is implemented in your environment. Some of these countermeasures include:

  • Rejection of affected packets
  • Termination of the SFTP session
  • Generation of error notifications
  • Retransmission of affected packets

Data integrity mechanisms are crucial to business transactions. It goes without saying that you wouldn’t want your business processes to incorporate unintentionally modified or, worse, tampered data. 
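The MAC described above lives inside the SSH transport and protects every packet while it is in flight; it is not something you apply to a file. What a practitioner adds on top is an end-to-end check of the received file against a digest the sender published separately, which also catches a file that was changed before upload or after it landed on the server. The following shell script is an added example, not code from the original post; the sample file and its SHA-256 digest are constructed for the demonstration (the digest is that of the text "hello" followed by a newline).

```shell
#!/bin/sh
# Added example (not from the original post): verify a received file against a
# SHA-256 digest published by the sender out of band (e.g. in a signed manifest).

# Print the lowercase hex SHA-256 digest of a file, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the file's digest matches the expected one, 1 otherwise.
# Case is normalised so a digest pasted in uppercase still compares correctly.
verify_checksum() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Constructed demo input: a "received" file and the digest the sender published.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
published="5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"

if verify_checksum "$demo_file" "$published"; then
    echo "integrity OK: $demo_file matches the published digest"
else
    echo "MISMATCH: $demo_file does not match the published digest" >&2
fi
```

In a real workflow the published digest would come from a channel independent of the transfer itself, such as a signed manifest or the sender's documentation; a digest downloaded over the same connection as the file only proves the two arrived together.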

SFTP vs. SCP

SFTP isn’t the only file transfer subsystem you’ll find in SSH. SSH also supports Secure Copy Protocol (SCP), a generally faster but less feature-rich protocol. Like SFTP, SCP can also transfer files. In fact, because SCP doesn’t require packet acknowledgment while SFTP does, SCP transfers files at a faster rate. That said, SCP lacks file management capabilities like directory listings, directory creation, directory deletion and so on. 

For a more detailed comparison between the two, read our article on SCP vs. SFTP

Key differences between SFTP, FTP and FTPS

Many users confuse SFTP with FTPS, the secure version of plain File Transfer Protocol (FTP). That’s because not only do the two protocols have identical security capabilities, but each acronym looks like a typo of the other. FTPS actually stands for File Transfer Protocol Secure and derives its security functionality from the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cryptographic protocols.

The following table briefly compares the differences between the three protocols. For a more detailed discussion on the subject, read our blog post “Understanding Key Differences Between FTP, FTPS And SFTP.”

Protocol | Built-in security | Cryptographic protocol | Server port number
SFTP     | Yes               | SSH                    | 22
FTPS     | Yes               | SSL/TLS                | 21, 20 or random port
FTP      | No                | None                   | 21, 20 or random port

In case you haven’t noticed, both an FTP server and an FTPS server listen on more than one port. Not only that, the specific ports used depend on what data connection mode the FTP/S client chooses when it initiates a connection with the FTP/S server. These port-related complications often cause firewall connection issues and are one of the main reasons why businesses prefer SFTP over FTPS. 

Using SFTP on the command line

One major advantage of using a terminal-based SFTP client instead of a GUI-based client is that you gain full access to the commands offered by the SFTP protocol. In a GUI-based client, the commands you’re allowed to execute are limited by whatever is supported by the graphical interface. 

When you connect to an SFTP server through a terminal-based client, you enter what’s known as interactive mode. In this mode, you can execute SFTP commands on the command line and receive responses from the SFTP server in real time.

Here’s a sample interactive SFTP session wherein the user:

  1. Connects to an SFTP server using the server’s IP address
  2. Checks the current directory using the “pwd” command
  3. Creates a remote directory using the “mkdir” command
  4. Verifies the directory creation by executing the “ls” command
  5. Navigates to the new directory using the “cd” command
  6. Verifies the current location, again by using the “pwd” command 
  7. Uploads a file to the new directory
  8. Confirms the upload by listing the directory using the “ls” command
  9. And exits the SFTP session

$ sftp user@192.168.1.10
user@192.168.1.10's password:
Connected to 192.168.1.10.
sftp> pwd
Remote working directory: /home/user
sftp> mkdir new_directory
sftp> ls
Documents  Downloads  Music  Pictures  Videos  new_directory
sftp> cd new_directory
sftp> pwd
Remote working directory: /home/user/new_directory
sftp> put /path/to/localfile.txt
Uploading /path/to/localfile.txt to /home/user/new_directory/localfile.txt
/path/to/localfile.txt                                    100%    1KB    1.1KB/s    00:00
sftp> ls
localfile.txt
sftp> quit
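The interactive session above is typed by a person. The same steps can be run unattended with the OpenSSH client’s batch mode, which is also where the public key authentication and host authentication sections above become concrete: the job authenticates with a private key only, and it refuses to talk to any server whose host key is not already pinned. The script below is an added example, not code from the original post or from any Redwood product; the host name, user name, key path and known_hosts file are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a non-interactive SFTP upload
# using public key authentication and a pinned server host key.
# Host, user, key path and the known_hosts file are constructed placeholders.

SFTP_HOST="sftp.example.com"                 # placeholder
SFTP_USER="batchuser"                        # placeholder
SFTP_KEY="${HOME}/.ssh/sftp_batch_ed25519"   # client private key (placeholder path)
KNOWN_HOSTS="./sftp_known_hosts"             # holds only this server's public key, obtained
                                             # out of band from the server's administrator

# Emit the SFTP batch commands for one upload. A leading "-" tells sftp to
# continue when that command fails, so an already existing directory does not
# abort the job; every other command aborts the batch on error.
build_batch() {
    remote_dir="$1"
    local_file="$2"
    printf '%s\n' "-mkdir $remote_dir"
    printf '%s\n' "cd $remote_dir"
    printf '%s\n' "put $local_file"
    printf '%s\n' "ls -l"
    printf '%s\n' "quit"
}

# Run the batch. StrictHostKeyChecking=yes refuses any server whose key is not
# already in KNOWN_HOSTS (host authentication). BatchMode=yes fails instead of
# prompting, and PasswordAuthentication=no means the job can only succeed with
# the key, never by someone typing a password. Returns sftp's exit status.
sftp_upload() {
    remote_dir="$1"
    local_file="$2"
    batch_file="$(mktemp)" || return 1
    build_batch "$remote_dir" "$local_file" > "$batch_file"
    if sftp -b "$batch_file" \
            -i "$SFTP_KEY" \
            -o IdentitiesOnly=yes \
            -o BatchMode=yes \
            -o StrictHostKeyChecking=yes \
            -o UserKnownHostsFile="$KNOWN_HOSTS" \
            -o PasswordAuthentication=no \
            "$SFTP_USER@$SFTP_HOST"; then
        status=0
    else
        status=$?
    fi
    rm -f "$batch_file"
    return "$status"
}

# Usage (needs a reachable server and a populated KNOWN_HOSTS, so it is left
# commented out here):
# sftp_upload /incoming ./report.csv
```

Because the job reads its own known_hosts file, the first run does not silently learn the server’s key: you copy the server’s public key line into that file after confirming its fingerprint with whoever operates the server, and a later change of key makes the job fail loudly rather than connect to an impostor.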

SFTP limitations

While SFTP offers a solid set of functions to facilitate secure data transfers, today’s business environments require additional capabilities beyond what the protocol is designed for. For instance, the Payment Card Industry Data Security Standard (PCI DSS) requires covered entities to encrypt certain credit card information during data storage. SFTP only encrypts data in transit. So, when it reaches your server, you’ll need to employ a separate solution to encrypt that data while stored.

That’s just one of many PCI DSS requirements you can’t even hope to address if you rely solely on SFTP for your file transfer workflows. Other data protection laws and regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the EU General Data Protection Regulation (GDPR) impose other onerous requirements on file transfer workflows as well.

Data security isn’t the only area of concern when you conduct business file transfers. Efficiency is another one. To improve efficiency, many businesses turn to automation. Unfortunately, standalone SFTP server applications don’t have built-in support for automation. To automate an SFTP-based file transfer, you’d have to write complex scripts — an undertaking that requires specialized skills. To meet that requirement, you might have to hire additional talent. 

Why deliver SFTP through MFT?

To overcome SFTP limitations without abandoning the protocol, our customers have turned to MFT. MFT solutions like JSCAPE MFT Server enable you to conduct SFTP file transfers while augmenting SFTP capabilities with additional security and automation features.  

JSCAPE MFT supports an extensive set of security features that include: 

Moreover, it offers no-code/low-code automation features that enable you to automate file transfer workflows without writing a single line of code or script. MFT Server also comes with integration features, such as a robust API and a set of connectors, that enable you to connect JSCAPE MFT with the rest of your IT infrastructure and streamline your business process automation initiatives. 

Want to learn more about the capabilities of JSCAPE MFT and how it enhances SFTP file transfers? Schedule a quick demo now