SFTP (SSH File Transfer Protocol)
- Secure file transfer protocol that operates over an SSH (Secure Shell) connection on port 22
- Provides encrypted file transfers, unlike traditional FTP, which sends credentials and data in plaintext
- Uses SSH’s authentication methods (password, public key, certificates) for secure access
- Full session encryption protects both commands and data during transfer
How SFTP Works
- Establishes SSH connection first, then negotiates SFTP subsystem
- All file operations (upload, download, directory listing) occur within encrypted SSH tunnel
- Supports resume functionality for interrupted transfers (unlike basic FTP)
- Protects the integrity of data in transit through SSH’s built-in per-packet message authentication codes (MACs)
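The first exchange after the client requests the SSH "sftp" subsystem, as an added example that is not from the original page: the client sends SSH_FXP_INIT with the highest protocol version it supports and the server answers SSH_FXP_VERSION, optionally listing extensions. The packet layout (uint32 length, byte type, payload) follows SFTP protocol version 3, the version OpenSSH implements; the server reply below is constructed locally rather than read from a socket, and the extension name used is OpenSSH's real posix-rename@openssh.com.

```python
"""Minimal SFTP packet framing and the INIT/VERSION handshake (SFTP v3).

Added example, not code from the page. Every SFTP packet is
    uint32 length | byte type | payload
and the first packet pair on a fresh subsystem channel is
SSH_FXP_INIT (client) / SSH_FXP_VERSION (server).
"""
import struct

SSH_FXP_INIT = 1
SSH_FXP_VERSION = 2
SFTP_VERSION = 3  # protocol version spoken by OpenSSH


def _string(data: bytes) -> bytes:
    """SSH 'string' encoding: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, pos: int):
    """Decode one SSH 'string' at pos; returns (bytes, new_pos)."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    if pos + n > len(buf):
        raise ValueError("string runs past end of payload")
    return buf[pos:pos + n], pos + n


def frame(ptype: int, payload: bytes) -> bytes:
    """Wrap a payload in the SFTP length/type header (length counts the type byte)."""
    return struct.pack(">IB", 1 + len(payload), ptype) + payload


def encode_init(version: int = SFTP_VERSION) -> bytes:
    """Client -> server: SSH_FXP_INIT carrying the highest version supported."""
    return frame(SSH_FXP_INIT, struct.pack(">I", version))


def encode_version(version: int, extensions: dict) -> bytes:
    """Server -> client: SSH_FXP_VERSION with optional name/data extension pairs."""
    payload = struct.pack(">I", version)
    for name, data in extensions.items():
        payload += _string(name.encode()) + _string(data.encode())
    return frame(SSH_FXP_VERSION, payload)


def parse_packet(buf: bytes):
    """Split one packet off the buffer; returns (type, payload, remaining).
    Raises ValueError on a truncated or malformed packet instead of guessing."""
    if len(buf) < 5:
        raise ValueError("need at least 5 bytes for length+type")
    (length,) = struct.unpack(">I", buf[:4])
    if length < 1 or len(buf) < 4 + length:
        raise ValueError("truncated packet: declared %d, have %d" % (length, len(buf) - 4))
    return buf[4], buf[5:4 + length], buf[4 + length:]


def parse_version(payload: bytes):
    """Decode an SSH_FXP_VERSION payload into (version, {ext_name: ext_data})."""
    (version,) = struct.unpack(">I", payload[:4])
    pos, exts = 4, {}
    while pos < len(payload):
        name, pos = _read_string(payload, pos)
        data, pos = _read_string(payload, pos)
        exts[name.decode()] = data.decode()
    return version, exts


def negotiate(client_max: int, server_reply: bytes) -> int:
    """Client side of the handshake: the agreed version is the lower of the two offers."""
    ptype, payload, rest = parse_packet(server_reply)
    if ptype != SSH_FXP_VERSION:
        raise ValueError("expected SSH_FXP_VERSION, got type %d" % ptype)
    if rest:
        raise ValueError("unexpected trailing bytes after VERSION")
    version, _exts = parse_version(payload)
    return min(client_max, version)


if __name__ == "__main__":
    # Constructed exchange: no network; the 'server' reply is built locally.
    init = encode_init()
    reply = encode_version(3, {"posix-rename@openssh.com": "1"})
    print("INIT    ->", init.hex())
    print("VERSION <-", reply.hex())
    print("agreed version:", negotiate(3, reply))
```

The strict length checks in parse_packet matter in practice: the SSH layer guarantees the bytes were not tampered with in transit, but it does not guarantee the peer's SFTP implementation is well-behaved, so a client should still refuse packets whose declared length does not match what arrived.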
Key Advantages Over FTP
- Single port operation (port 22) - easier for firewall configuration than FTP’s multiple ports
- No separate data channel required (FTP uses ports 20/21 plus dynamic ports for data)
- Built-in compression available through SSH connection
- Strong authentication options beyond simple username/password
SFTP vs Other File Transfer Protocols
| Protocol | Port(s) | Encryption | Authentication | Firewall Friendly |
|---|---|---|---|---|
| FTP | 20, 21 + dynamic | None | Basic (plaintext) | No |
| FTPS | 21, 990 + dynamic | SSL/TLS | Certificate + basic | No |
| SFTP | 22 | SSH encryption | SSH methods | Yes |
| SCP | 22 | SSH encryption | SSH methods | Yes |
Vocabulary
SSH Subsystem: Protocol framework that allows SSH to carry other protocols (SFTP runs as SSH subsystem)
Public Key Authentication: Uses cryptographic key pairs instead of passwords for authentication
Port Forwarding: SSH feature that can tunnel other protocols through encrypted connection
Common SFTP Implementations
Network Device Management
- Used for transferring IOS images to Cisco routers/switches
- Backup and restore of configuration files
- For example:
copy sftp://user@server/ios-image.bin bootflash:
Server Administration
- Secure alternative to FTP for web content updates
- Log file collection from remote systems
- Automated backup scripts using key-based authentication
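An automated log-collection job of the kind described above, driving the OpenSSH sftp client with key-based authentication, as an added example that is not the page's own script (it also illustrates the key-based recommendation in the Notes). It assumes OpenSSH sftp is on PATH, that the server's host key is already pinned in the known_hosts file, and that the host, user, key path and file names in main() are placeholders to be replaced.

```python
"""Automated SFTP pull with key-based auth, driving the OpenSSH 'sftp' client.

Added example, not from the page. Nothing here touches a real server
unless main() is invoked with real values.
"""
import subprocess
import tempfile
from pathlib import Path


def batch_commands(remote_dir: str, files: list, local_dir: str) -> str:
    """Build the sftp batch script: move to the directories, fetch each file.
    In batch mode sftp aborts at the first failing command, so a missing file
    stops the job loudly instead of silently leaving a gap in the backup.
    (Prefixing a line with '-' would make sftp ignore that command's failure.)"""
    lines = [f"lcd {local_dir}", f"cd {remote_dir}"]
    lines += [f"get {name}" for name in files]
    lines.append("bye")
    return "\n".join(lines) + "\n"


def sftp_argv(host, user, identity_file, batch_file, port=22, known_hosts=None):
    """Hardened argument list for OpenSSH sftp:
    -i   private key for this job (no password stored anywhere)
    -b   batch file; non-interactive, fails rather than prompting
    -o BatchMode=yes             never fall back to a password prompt
    -o StrictHostKeyChecking=yes refuse unknown or changed host keys
    -o PasswordAuthentication=no only key-based auth is acceptable
    -o IdentitiesOnly=yes        do not offer every key the agent holds
    -P   port (capital P; lowercase -p means 'preserve timestamps')"""
    argv = [
        "sftp",
        "-i", str(identity_file),
        "-b", str(batch_file),
        "-o", "BatchMode=yes",
        "-o", "StrictHostKeyChecking=yes",
        "-o", "PasswordAuthentication=no",
        "-o", "IdentitiesOnly=yes",
        "-P", str(port),
    ]
    if known_hosts:
        # Pin the host key in a file the job controls, separate from any user's.
        argv += ["-o", f"UserKnownHostsFile={known_hosts}"]
    argv.append(f"{user}@{host}")
    return argv


def run_backup(host, user, identity_file, remote_dir, files, local_dir, **kw) -> int:
    """Write the batch file to a private temp dir, run sftp, return its exit status."""
    Path(local_dir).mkdir(parents=True, exist_ok=True)
    with tempfile.TemporaryDirectory() as tmp:
        batch = Path(tmp) / "backup.sftp"
        batch.write_text(batch_commands(remote_dir, files, local_dir))
        proc = subprocess.run(sftp_argv(host, user, identity_file, batch, **kw), check=False)
        return proc.returncode


if __name__ == "__main__":
    # Placeholder host, user, key and paths: replace before running for real.
    rc = run_backup("backup-host.example", "backupsvc", "/etc/backup/id_ed25519",
                    "/var/log", ["auth.log", "syslog"], "/srv/backups/logs",
                    known_hosts="/etc/backup/known_hosts")
    print("sftp exit status:", rc)
```

A non-zero exit status is the signal the scheduler should alert on; because StrictHostKeyChecking is on, a changed host key fails the job rather than being accepted, which is the behaviour you want from an unattended transfer.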
Enterprise File Sharing
- B2B file exchanges requiring security compliance
- Used when organizations need audit trails and encryption
- Integration with existing SSH infrastructure
Notes
- SFTP is not “FTP over SSH” - it’s a completely different protocol that happens to use SSH transport
- Requires SSH server with SFTP subsystem enabled (most modern SSH servers include this)
- Performance may be slower than FTP due to encryption overhead, but security benefits outweigh cost
- Key-based authentication recommended for automated transfers (avoids password storage)
- Some older network devices may not support SFTP - verify capability before implementation
- SFTP commands differ from FTP commands (though many clients hide this difference)
- Always verify SFTP is actually being used - some “secure FTP” solutions actually use FTPS instead
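A quick check for the last note, as an added example not from the original page: the configured URL scheme says what a tool claims to use, and the first line the server sends says what is actually listening. An SSH service greets with an "SSH-2.0-..." identification line, while an FTP or explicit-FTPS control channel greets with a "220" reply; the greetings below are constructed sample values, not captured from any real host.

```python
"""Check that a 'secure FTP' endpoint really is SFTP over SSH.

Added example, not from the page. Compares the protocol implied by a
configured URL with the protocol implied by the server's greeting line.
"""
from urllib.parse import urlparse

# Protocol each URL scheme claims, with the default port the page lists.
SCHEMES = {
    "sftp": ("sftp", 22),        # SSH subsystem, encrypted
    "ftps": ("ftps", 990),       # FTP over TLS (implicit); explicit FTPS uses 21
    "ftp": ("ftp", 21),          # plaintext control channel
}


def protocol_from_url(url: str):
    """Return (claimed_protocol, port) for a transfer URL, or raise on unknown scheme."""
    parts = urlparse(url)
    if parts.scheme not in SCHEMES:
        raise ValueError(f"unrecognised scheme: {parts.scheme!r}")
    proto, default_port = SCHEMES[parts.scheme]
    return proto, parts.port or default_port


def protocol_from_greeting(greeting: bytes) -> str:
    """Classify the server's first line.
    SSH identification strings start with 'SSH-' (RFC 4253); an FTP control
    channel answers with a 220 reply (RFC 959). Implicit FTPS on 990 starts TLS
    immediately, so a plaintext read yields no recognisable line at all."""
    if greeting.startswith(b"SSH-"):
        return "sftp"            # SSH transport: SFTP or SCP can run here
    if greeting.startswith(b"220"):
        return "ftp"             # FTP control channel; TLS, if any, is negotiated later
    return "unknown"


def verify(url: str, greeting: bytes) -> dict:
    """Report whether the observed service matches what the URL claims."""
    claimed, port = protocol_from_url(url)
    observed = protocol_from_greeting(greeting)
    # Only an SSH greeting can carry SFTP; a 220 line means an FTP-family service.
    ok = (claimed == "sftp" and observed == "sftp")
    return {"url": url, "port": port, "claimed": claimed, "observed": observed, "is_sftp": ok}


if __name__ == "__main__":
    # Constructed greetings for illustration; the hostnames are placeholders.
    samples = [
        ("sftp://files.example", b"SSH-2.0-OpenSSH_9.6\r\n"),
        ("sftp://files.example", b"220 Welcome to the secure file server\r\n"),
        ("ftps://files.example:21", b"220 FTP server ready\r\n"),
    ]
    for url, greeting in samples:
        print(verify(url, greeting))
```

The second sample is the case the note warns about: a URL that says sftp:// but a server that answers with an FTP 220 line is not SFTP, whatever the vendor calls it.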