SSH File Transfer Protocol
{{Distinguish|Simple File Transfer Protocol|File_Transfer_Protocol#FTP_over_SSH{{!}}FTP over SSH|FTPS}}
{{short description|Network protocol that provides file management over any reliable data stream}}
{{Infobox networking protocol
| title = SSH File Transfer Protocol
| logo =
| logo alt =
| image =
| image alt =
| caption =
| is stack = No
| abbreviation = SFTP
| purpose = [[File transfer]]
| developer = [[Internet Engineering Task Force|IETF]] SECSH working group
| date = {{Start date and age|1997| | }}
| based on = [[Secure Shell]] (SSH)
| influenced =
| osilayer = [[Application layer]] (7)
| ports = 22/TCP
| rfcs =
| hardware =
}}
In [[computing]], the '''SSH File Transfer Protocol''', also known as '''Secure File Transfer Protocol''' ('''SFTP'''), is a [[network protocol]] that provides [[file access]], [[file transfer]], and [[file management]] over any reliable [[data stream]]. It was designed by the [[Internet Engineering Task Force]] (IETF) as an extension of the [[Secure Shell]] protocol (SSH) version 2.0 to provide secure file transfer capabilities, and is seen as a replacement for [[File Transfer Protocol]] (FTP) due to its superior security.<ref>{{cite web |last=Smallcombe |first=Mark |date=September 21, 2023 |title=The What's, How's and Why's of SFTP |url=https://www.integrate.io/blog/the-whats-hows-and-whys-of-sftp/ |access-date=2025-04-28 |website=integrate.io}}</ref>

The [[IETF Internet Draft]] states that, even though this protocol is described in the context of the SSH-2 protocol, it could be used in a number of different applications, such as secure file transfer over [[Transport Layer Security]] (TLS) and transfer of management information in [[VPN]] applications. This protocol assumes that it is run over a [[secure channel]], such as SSH, that the server has already authenticated the client, and that the identity of the client user is available to the protocol.
==Capabilities==
Compared to the [[Secure copy|SCP]] protocol, which only allows file transfers, the SFTP protocol allows for a range of operations on remote files which make it more like a remote [[file system]] protocol. An SFTP [[client (computing)|client]]'s extra capabilities include resuming interrupted transfers, directory listings, and remote file removal.<ref name=Jaynor2001>{{Citation | last1 = Victoria | first1 = Jaynor | last2 = Victoria | first2 = Beverly | year = 2001 | title = SSH, The Secure Shell: The Definitive Guide | isbn = 0-596-00011-1 | publisher = O'Reilly | location = Cambridge }}</ref> There is also support for all UNIX file types, including symbolic links.<ref name=draft13>{{cite web |last1=Galbraith |first1=Joseph |last2=Saarenmaa |first2=Oskari |title=SSH File Transfer Protocol |url=https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-13 |publisher=Internet Engineering Task Force |date=18 July 2006}}</ref>

SFTP attempts to be more platform-independent than SCP; with SCP, for instance, the expansion of [[wildcard character|wildcard]]s specified by the client is up to the server, whereas SFTP's design avoids this problem. While SCP is most frequently implemented on [[Unix]] platforms, SFTP servers are commonly available on most platforms. In SFTP, a file transfer can be terminated without terminating the session, unlike other mechanisms.

SFTP is not [[File Transfer Protocol|FTP]] run over [[Secure Shell|SSH]], but rather a new protocol designed from the ground up by the [[Internet Engineering Task Force|IETF]] SECSH [[working group]]. It is sometimes confused with [[Simple File Transfer Protocol]].<ref name=Barrett2001>{{Citation | last1 = Barrett | first1 = Daniel | last2 = Silverman | first2 = Richard E. | year = 2001 | title = SSH, The Secure Shell: The Definitive Guide | isbn = 0-596-00011-1 | publisher = O'Reilly | location = Cambridge }}</ref>

The protocol itself does not provide authentication and security; it expects the underlying protocol to secure this. SFTP is most often used as a subsystem of [[Secure shell|SSH]] protocol version 2 implementations, having been designed by the same working group. It is possible, however, to run it over SSH-1 (and some implementations support this), or over other data streams. However, running an SFTP server over SSH-1 is not platform-independent, as SSH-1 does not support the concept of subsystems. An SFTP client connecting to an SSH-1 server must be aware of the path to the SFTP server binary on the server side.

Uploaded files may be associated with their basic attributes, such as time stamps. This is an advantage over the common [[File Transfer Protocol|FTP]] protocol.

==History and development==
The Internet Engineering Task Force (IETF) working group "Secsh" that was responsible for the development of the [[Secure Shell]] version 2 protocol (RFC 4251) also attempted to draft an extension of that standard for secure file transfer functionality. [[Internet Draft]]s were created that successively revised the protocol into new versions.<ref name="tools.ietf.org">{{cite web |title=Secsh Status Pages |url=http://tools.ietf.org/wg/secsh/draft-ietf-secsh-filexfer/ |archive-url=https://web.archive.org/web/20210504203353/http://tools.ietf.org/wg/secsh/draft-ietf-secsh-filexfer/ |archive-date=2021-05-04 |access-date=2012-08-20 |publisher=Tools.ietf.org}}</ref> The software industry began to implement various versions of the protocol before the drafts were standardized. As development work progressed, the scope of the Secsh File Transfer project expanded to include [[file access]] and [[file management]].
Eventually, development stalled as some committee members began to view SFTP as a [[file system]] protocol, not just a [[file access]] or [[file transfer]] protocol, which places it beyond the purview of the working group.<ref>{{cite web |url=http://osdir.com/ml/ietf.secsh/2006-07/msg00010.html |title=ietf.secsh—Formal consultation prior to closing the secsh working group—msg#00010—Recent Discussion |publisher=Osdir.com |date=2006-08-14 |access-date=2012-08-20 |url-status=dead |archive-url=https://web.archive.org/web/20120320214102/http://osdir.com/ml/ietf.secsh/2006-07/msg00010.html |archive-date=2012-03-20 }}</ref> After a seven-year hiatus, in 2013 an attempt was made to restart work on SFTP using the version 3 draft as the baseline.<ref>{{cite web|url=https://datatracker.ietf.org/doc/html/draft-moonesamy-secsh-filexfer-00 |title=SSH File Transfer Protocol—draft-moonesamy-secsh-filexfer-00 |publisher=Tools.ietf.org |date=2013-07-12 |last1=Moonesamy |first1=S. }}</ref>

===Versions 0–2===
Prior to the IETF's involvement, SFTP was a proprietary protocol of [[SSH Communications Security]], designed by Tatu Ylönen with assistance from Sami Lehtinen in 1997.<ref>{{Cite web | url=https://www.ietf.org/ietf-ftp/ietf-mail-archive/secsh/2010-09.mail | title=fd forwarding, take 2 | format=TXT | website=www.ietf.org}}</ref> Differences between versions 0–2 and version 3 are enumerated in [https://tools.ietf.org/html/draft-ietf-secsh-filexfer-02#section-10 section 10 of draft-ietf-secsh-filexfer-02].

===Version 3===
At the outset of the IETF Secure Shell File Transfer project, the Secsh group stated that the objective of the SSH File Transfer Protocol was to provide secure file transfer functionality over any reliable data stream, and to be the standard file transfer protocol for use with the SSH-2 protocol. Drafts 00–02 of the IETF Internet Draft define successive revisions of version 3 of the SFTP protocol.
* [https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-00 SSH File Transfer Protocol, Draft 00, January 2001]
* [https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-01 SSH File Transfer Protocol, Draft 01, March 2001]
* [https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-02 SSH File Transfer Protocol, Draft 02, October 2001]

===Version 4===
Drafts 03–04 of the IETF Internet Draft define version 4 of the protocol.
* [https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-03 SSH File Transfer Protocol, Draft 03, October 2002]
* [https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-04 SSH File Transfer Protocol, Draft 04, December 2002]

===Version 5===
Draft 05 of the IETF Internet Draft defines version 5 of the protocol.
* [https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-05 SSH File Transfer Protocol, Draft 05, January 2004]

===Version 6===
Drafts 06–13 of the IETF Internet Draft define successive revisions of version 6 of the protocol.
* [https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-06 SSH File Transfer Protocol, Draft 06, October 2004]
* [https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-07 SSH File Transfer Protocol, Draft 07, March 2005]
* [https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-08 SSH File Transfer Protocol, Draft 08, April 2005]
* [https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-09 SSH File Transfer Protocol, Draft 09, June 2005] – Added byte-range locks. ACL changes. Rearranged SSH_FXP_REALPATH request parameters.
* [https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-10 SSH File Transfer Protocol, Draft 10, June 2005] – Extensions "vendor-id", "md5-hash", "space-available", "home-directory" removed. ACL changes.
* [https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-11 SSH File Transfer Protocol, Draft 11, January 2006] – ACL transfer fully specified. Editorial changes.
* [https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-12 SSH File Transfer Protocol, Draft 12, January 2006] – Added "IANA considerations". A size parameter is now allowed for file creation as an advisory signal.
* [https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-13 SSH File Transfer Protocol, Draft 13, July 2006] – Editorial changes.

===Extensions===
The SFTP protocol supports a generic way of indicating extended commands, along with a method of including them in version negotiation. An IANA registry is requested, but since the protocol never became an official standard, no such registry has been created.<ref name=draft13/>
* Draft 13 specifies {{tt|text-seek}}, {{tt|supported2}}, {{tt|acl-supported}}, {{tt|newline}}, {{tt|versions}}, {{tt|version-select}}, {{tt|filename-charset}}, {{tt|filename-translation-control}}.<ref name=draft13/>
* OpenSSH, the most widespread implementation, defines constants to convert {{tt|ST_NOSUID}} and {{tt|ST_RDONLY}} values across the protocol, using the {{tt|statvfs@openssh.com}} version identifier. OpenSSH implements only protocol version 3, as specified in draft 01.<ref>{{cite web |title=openssh-portable sftp.h |url=https://github.com/openssh/openssh-portable/blob/2709809fd616a0991dc18e3a58dea10fb383c3f0/sftp.h#L38 |website=GitHub |publisher=OpenSSH |date=24 May 2023}}</ref>

==Software==
===SFTP client===
The term '''SFTP''' can also refer to [[Secure file transfer program]], a [[command-line program]] that implements the [[Client (computing)|client]] part of this protocol. As an example, the sftp program supplied with [[OpenSSH]] implements this.<ref>{{cite web|url=https://man.openbsd.org/sftp.1#SEE_ALSO|title=OpenBSD manual page for the "sftp" command: "See Also" section |publisher=OpenBSD.org |access-date=2018-02-04}}</ref> Some implementations of the <code>[[Secure copy#SCP program|scp]]</code> ''program'' support both the SFTP and SCP protocols to perform file transfers, depending on what the server supports.
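The version negotiation and extension advertisement described under Extensions, as an SFTP client performs it over the already-secured channel: an added worked example in Python, not code from this article or from any SFTP implementation. The packet layouts (uint32 length, byte type, uint32 version, then extension name/data string pairs) follow the IETF drafts; the function names and the {{tt|MAX_PACKET_LEN}} cap are choices made for this example.

```python
import struct

# Packet types from the IETF drafts: INIT carries the client's version, VERSION
# the server's choice followed by zero or more extension name/data string pairs.
SSH_FXP_INIT = 1
SSH_FXP_VERSION = 2
MAX_PACKET_LEN = 256 * 1024  # cap for the untrusted length field (example value)

def _string(data: bytes) -> bytes:
    """Encode an SFTP 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def build_init(client_version: int) -> bytes:
    """SSH_FXP_INIT: uint32 length | byte type | uint32 version."""
    body = struct.pack(">BI", SSH_FXP_INIT, client_version)
    return struct.pack(">I", len(body)) + body

def build_version(server_version: int, extensions: dict) -> bytes:
    """SSH_FXP_VERSION: like INIT, followed by (name, data) string pairs."""
    body = struct.pack(">BI", SSH_FXP_VERSION, server_version)
    for name, data in extensions.items():
        body += _string(name.encode()) + _string(data.encode())
    return struct.pack(">I", len(body)) + body

def parse_version(packet: bytes, client_version: int):
    """Client-side handling of SSH_FXP_VERSION -> (version, {name: data}).
    Every length field is checked before it is used as an offset, and a server
    version above the client's is rejected: the drafts say the lower one wins."""
    if len(packet) < 9 or len(packet) - 4 > MAX_PACKET_LEN \
            or struct.unpack_from(">I", packet)[0] != len(packet) - 4:
        raise ValueError("bad packet framing (length field or total size)")
    pkt_type, version = struct.unpack_from(">BI", packet, 4)
    if pkt_type != SSH_FXP_VERSION:
        raise ValueError("expected SSH_FXP_VERSION, got type %d" % pkt_type)
    if version > client_version:
        raise ValueError("server chose unsupported version %d" % version)
    extensions, off = {}, 9
    while off < len(packet):
        pair = []
        for _ in range(2):  # extension-name, then extension-data
            if len(packet) - off < 4:
                raise ValueError("truncated extension pair")
            (n,) = struct.unpack_from(">I", packet, off)
            off += 4
            if n > len(packet) - off:
                raise ValueError("extension string overruns packet")
            pair.append(packet[off:off + n].decode())
            off += n
        extensions[pair[0]] = pair[1]
    return version, extensions
```

A real client writes the result of {{tt|build_init}} to the SSH subsystem channel and feeds the reply to {{tt|parse_version}}; the checks on every length field are what keep a malformed or hostile server reply from turning into an out-of-bounds read or an oversized allocation.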
The scp program supplied with OpenSSH 9.0 and higher defaults to using SFTP.<ref name=ossh9>{{cite web |date=8 April 2022 |title=OpenSSH 9.0 |url=https://www.openssh.com/txt/release-9.0 |work=OpenSSH Release Notes}}</ref>

===SFTP server===
Some [[List of FTP server software|FTP server implementations]] implement the SFTP protocol; however, outside of dedicated file servers, SFTP protocol support is usually provided by an [[Comparison of SSH servers|SSH server implementation]], as it shares the default port of 22 with other SSH services. SFTP implementations may include an SSH protocol implementation to leverage integration of SSH connection details with preexisting FTP server access controls, where an alternative SSH server is tolerable or where alternative ports may be used. An SSH-2 server which supports subsystems may be leveraged to keep a uniform SSH implementation while enhancing access controls with third-party software, at the cost of fine-grained integration with connection details, and of SSH-1 compatibility.

===SFTP proxy===
It is difficult to control SFTP transfers on security devices at the network perimeter. There are standard tools for logging [[FTP]] transactions, like TIS [[gdev]] or SUSE FTP proxy, but SFTP is encrypted, rendering traditional proxies ineffective for controlling SFTP traffic. There are some tools that implement man-in-the-middle for SSH which also feature SFTP control. Examples of such tools are Shell Control Box from Balabit<ref>{{cite web|url=http://www.balabit.com/network-security/scb/ |title=Record SSH/RDP/Citrix into Audit Trail—Activity Monitoring Device |publisher=Balabit.com |access-date=2012-08-20}}</ref> and CryptoAuditor from [[SSH Communications Security]]<ref>{{cite web|url=http://www.ssh.com/products/crypto-auditor |title=Privileged Access Control and Monitoring |publisher=SSH.com |access-date=2014-11-25}}</ref> (the original developer of the Secure Shell protocol), which provide functions such as SFTP transaction logging and logging of the actual data transmitted on the wire.

==See also==
* [[Comparison of SSH clients]]
* [[Comparison of SSH servers]]
* [[Cloud SFTP]]
* [[Comparison of file transfer protocols]]
* [[Files transferred over shell protocol|FISH]]
* [[FTPS]]
* [[Lsh]]—a [[GNU Project|GNU]] SSH-2 and SFTP server for [[Unix-like]] operating systems
* [[SSHFS]] and [[Rclone]]—mounting a remote filesystem over SFTP and SSH
* [[:Category:FTP clients]]
* [[:Category:SSH File Transfer Protocol clients]]

==References==
{{Reflist}}

{{DEFAULTSORT:Ssh File Transfer Protocol}}
[[Category:Network file transfer protocols]]
[[Category:Secure Shell]]