Transfer files securely with SFTP

File Transfer Protocol (FTP) was once the most widely used protocol for transferring files between computers. However, because FTP sends authentication information and file contents over the wire unencrypted, it’s not a secure way to communicate. Secure Copy (SCP) and the more robust SSH File Transfer Protocol (SFTP) address this security concern by providing data transfer over a fully encrypted channel. You can use these alternatives for transferring files securely over the Internet or any other untrusted network.

Both SCP and SFTP rely on Secure Shell (SSH) as their underlying protocol. SSH establishes a secure and encrypted channel of communication between computers using authentication and encryption based on Public Key Infrastructure. SSH encrypts both the authentication data exchanged to set up the session and the subsequent data transfer.

SSH server and client software ships with most modern operating systems. Clients for SCP and SFTP are available as part of the OpenSSH suite on most Linux systems. Apart from SCP and SFTP, SSH functions as a suitable platform for setting up remote shell and remote GUI desktop connections, tunneling between computers, setting up a SOCKS proxy for secure browsing, and port forwarding.

SCP and SFTP

SCP is a descendant of Remote Copy (RCP). Unlike FTP, SCP lets you specify that the modification times, access times, and modes of the original file should be preserved. Also, unlike RCP, SCP can prompt for passwords when needed. Apart from copying files between your computer and a remote host, SCP can also transfer files between two remote hosts.

SCP is a handy command-line tool for batch processing. However, SCP works over SSH1, an older, deprecated version of SSH, so you’re better off using alternatives like SFTP that work over SSH2.

SFTP is a full-fledged file transfer protocol that implements all the operations found in FTP, including ones SCP doesn’t handle, such as renaming and deleting remote files.

SFTP runs as an SSH subsystem and works on the standard SSH port 22 by default. This removes the need to open additional ports on the firewall, as FTP requires for its control traffic (port 21) and data traffic (port 20). An SFTP client called sftp is available in the OpenSSH suite that ships with most Linux systems.

When using password-based authentication (you can avoid the need to supply passwords if the remote host allows password-less SSH authentication), this is how you would start an SFTP session, where user stands for your account name on the remote host:

sftp user@192.168.1.1

sftp prompts for a password, and on successful authentication, presents a shell with an sftp> prompt. Once in the sftp shell, you can run commands similar to those available on FTP, such as cd, lcd, ls, chmod, chgrp, get, put, rename, and rmdir. You can end the session by typing exit at the prompt.

SFTP servers

The OpenSSH suite is the most popular open source implementation of SSH. Its server is called sshd. You need sshd running on the server to listen on the SSH port and accept incoming connections. To enable or disable SFTP, you can edit the main sshd configuration file, which is at /etc/ssh/sshd_config by default. SFTP is enabled by default; you can comment out the following line to disable it (and restart sshd for the change to take effect):

Subsystem sftp /usr/libexec/openssh/sftp-server

You can restrict access to SCP and SFTP, along with the rest of SSH functionality, based on the IP address of the connecting host by adding a line like this to the /etc/hosts.deny file:

sshd: 192.168.1.1

To block an entire network, you can specify the network address with a prefix length or a netmask:

sshd: 192.168.1.0/24

or

sshd: 192.168.1.0/255.255.255.0
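As an added example (not from the original article), the following shell script audits the two server-side settings just described: whether the sftp Subsystem line in an sshd_config is active, and whether a client address is caught by an sshd entry in hosts.deny written in any of the three forms shown above. The sshd_config and hosts.deny contents are constructed in the script; on a real host point the functions at /etc/ssh/sshd_config and /etc/hosts.deny instead.

```shell
#!/bin/sh
# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}
# mask2int 24 | 255.255.255.0 -> the netmask as a 32-bit integer
mask2int() {
    case $1 in
        *.*) ip2int "$1" ;;
        *)   echo $(( (4294967295 << (32 - $1)) & 4294967295 )) ;;
    esac
}
# sftp_subsystem CONFIG -> prints the sftp-server path if the Subsystem line is
# active; exit status 1 if it is missing or commented out
sftp_subsystem() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" { print $3; found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}
# sshd_denied HOSTS_DENY CLIENT_IP -> exit status 0 if an sshd line in the file
# covers the client as a single host, a prefix/len or a net/mask entry
sshd_denied() {
    client=$(ip2int "$2")
    while IFS= read -r line; do
        case $line in
            sshd:*) ;;
            *) continue ;;    # comments, blank lines and other daemons
        esac
        for pat in $(printf '%s\n' "${line#*:}" | tr ',' ' '); do
            case $pat in
                */*) net=$(ip2int "${pat%/*}") mask=$(mask2int "${pat#*/}")
                     [ $(( client & mask )) -eq $(( net & mask )) ] && return 0 ;;
                *)   [ "$(ip2int "$pat")" -eq "$client" ] && return 0 ;;
            esac
        done
    done < "$1"
    return 1
}

# Constructed sample files standing in for /etc/ssh/sshd_config and /etc/hosts.deny
SSHD_ON=$(mktemp); SSHD_OFF=$(mktemp); DENY=$(mktemp)
printf 'Port 22\nSubsystem sftp /usr/libexec/openssh/sftp-server\n' > "$SSHD_ON"
printf 'Port 22\n#Subsystem sftp /usr/libexec/openssh/sftp-server\n' > "$SSHD_OFF"
printf 'sshd: 192.168.1.1\nsshd: 10.0.0.0/24\nsshd: 172.16.0.0/255.255.0.0\n' > "$DENY"

sftp_subsystem "$SSHD_ON"                      # /usr/libexec/openssh/sftp-server
sftp_subsystem "$SSHD_OFF" || echo 'sftp subsystem disabled'
sshd_denied "$DENY" 10.0.0.77 && echo '10.0.0.77 is blocked'
sshd_denied "$DENY" 10.0.1.5 || echo '10.0.1.5 is allowed'
```

Note that OpenSSH removed TCP wrappers support in release 6.7, so unless your distribution patched it back in, sshd no longer reads hosts.deny at all. On such systems a Match block in sshd_config or a host firewall rule does the same job.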

SFTP servers can serve clients running on any operating system. Some of the popular SFTP clients on Windows are FileZilla, WinSCP, and DataFreeway.

GUI clients for SFTP

In addition to the command-line clients from the OpenSSH suite, the file browsers in popular desktop environments like GNOME and KDE have SFTP client capabilities. In Nautilus on GNOME or Konqueror on KDE, you can type the following in the location field, where user again stands for your account name on the remote host:

sftp://user@192.168.1.1:/home/david

The file browser prompts for your password, and on successful authentication lists the files from the remote server in the file browser. You can drag and drop these files to copy them, and also right-click on files to change properties like name and permissions. You can double-click on files to open them in a suitable editor or viewer. You can also bookmark any SFTP-based directory so that you can quickly access it next time.

There are also other interesting developments in this area, such as SSH File System (SSHFS), a filesystem implemented on top of an SFTP client that makes it possible to mount remote file systems seamlessly and securely.