How To Use SFTP to Securely Transfer Files with a Remote Server

Updated on April 17, 2025

Introduction

FTP, the File Transfer Protocol, was a popular, unencrypted method of transferring files between two remote systems. As of 2022, it has been deprecated by most modern software due to a lack of security, and can mostly only be used in legacy applications.

SFTP, which stands for Secure File Transfer Protocol, is a separate protocol built into SSH that can implement FTP commands over a secure connection. Typically, it can act as a drop-in replacement in any context where an FTP server is still needed.

In almost all cases, SFTP is preferable to FTP because of its underlying security features and ability to piggy-back on an SSH connection. FTP is an insecure protocol that should only be used in limited cases or on networks you trust.

Although SFTP is integrated into many graphical tools, this guide will demonstrate how to use it through its interactive command line interface.

How to Connect with SFTP

By default, SFTP uses the SSH protocol to authenticate and establish a secure connection. Because of this, the same authentication methods are available that are present in SSH.

Although you can authenticate with passwords by default, we recommend you create SSH keys and transfer your public key to any system that you need to access. This is much more secure and can save you time in the long run.

Please see this guide to set up SSH keys in order to access your server if you have not done so already.

If you can connect to the machine using SSH, then you have completed all of the requirements necessary to use SFTP to manage files. Test SSH access with the following command:

  ssh sammy@your_server_ip_or_remote_hostname

If that works, exit back out by typing:

  exit

Now we can establish an SFTP session by issuing the following command:

  sftp sammy@your_server_ip_or_remote_hostname

You will connect to the remote system and your prompt will change to an SFTP prompt.

If you are working on a custom SSH port (not the default port 22), then you can open an SFTP session as follows:

  sftp -oPort=custom_port sammy@your_server_ip_or_remote_hostname

This will connect you to the remote system by way of your specified port.

Getting Help in SFTP

The most useful command to learn first is the help command. This gives you access to a summary of the other SFTP commands. You can call it by typing either of these in the prompt:

  help

or

  ?

This will display a list of the available commands:

Output
Available commands:
bye                                Quit sftp
cd path                            Change remote directory to 'path'
chgrp grp path                     Change group of file 'path' to 'grp'
chmod mode path                    Change permissions of file 'path' to 'mode'
chown own path                     Change owner of file 'path' to 'own'
df [-hi] [path]                    Display statistics for current directory or
                                   filesystem containing 'path'
exit                               Quit sftp
get [-Ppr] remote [local]          Download file
help                               Display this help text
lcd path                           Change local directory to 'path'
. . .

We will explore some of the commands you see in the following sections.

We can navigate through the remote system’s file hierarchy using a number of commands that function similarly to their shell counterparts.

First, let’s orient ourselves by finding out which directory we are in currently on the remote system. Just like in a typical shell session, we can type the following to get the current directory:

  pwd
Output
Remote working directory: /home/demouser

We can view the contents of the current directory of the remote system with another familiar command:

  ls
Output
Summary.txt info.html temp.txt testDirectory

Note that the commands available within the SFTP interface are not a 1:1 match for typical shell syntax and are not as feature-rich. However, they do implement some of the more important optional flags, such as adding -la to ls to view more file metadata and permissions:

  ls -la
Output
drwxr-xr-x 5 demouser demouser 4096 Aug 13 15:11 .
drwxr-xr-x 3 root root 4096 Aug 13 15:02 ..
-rw------- 1 demouser demouser 5 Aug 13 15:04 .bash_history
-rw-r--r-- 1 demouser demouser 220 Aug 13 15:02 .bash_logout
-rw-r--r-- 1 demouser demouser 3486 Aug 13 15:02 .bashrc
drwx------ 2 demouser demouser 4096 Aug 13 15:04 .cache
-rw-r--r-- 1 demouser demouser 675 Aug 13 15:02 .profile
. . .

To get to another directory, we can issue this command:

  cd testDirectory

We can now traverse the remote file system, but what if we need to access our local file system? We can direct commands towards the local file system by preceding them with an l for local.

All of the commands discussed so far have local equivalents. We can print the local working directory:

  lpwd
Output
Local working directory: /Users/demouser

We can list the contents of the current directory on the local machine:

  lls
Output
Desktop local.txt test.html Documents analysis.rtf zebra.html

We can also change the directory we want to interact with on the local system:

  lcd Desktop

Transferring Files with SFTP

If we want to download files from our remote host, we can do so using the get command:

  get remoteFile
Output
Fetching /home/demouser/remoteFile to remoteFile
/home/demouser/remoteFile                       100%   37KB  36.8KB/s   00:01

As you can see, by default, the get command downloads a remote file to a file with the same name on the local file system.

We can copy the remote file to a different name by specifying the name afterwards:

  get remoteFile localFile

The get command also accepts some option flags. For instance, we can copy a directory and all of its contents by specifying the recursive option:

  get -r someDirectory

We can tell SFTP to maintain the appropriate permissions and access times by using the -P or -p flag:

  get -Pr someDirectory

Transferring Local Files to the Remote System

Transferring files to the remote system works the same way, but with a put command:

  put localFile
Output
Uploading localFile to /home/demouser/localFile
localFile                                     100% 7607     7.4KB/s   00:00

The same flags that work with get apply to put. So to copy an entire local directory, you can run put -r:

  put -r localDirectory

One familiar tool that is useful when downloading and uploading files is the df command, which works similarly to the command line version. Using this, you can check that you have enough space to complete the transfers you are interested in:

  df -h
Output
    Size     Used    Avail   (root)    %Capacity
  19.9GB   1016MB   17.9GB   18.9GB           4%

Please note that there is no local variation of this command, but we can get around that by issuing the ! command.

The ! command drops us into a local shell, where we can run any command available on our local system. We can check disk usage by typing:

  !

and then

  df -h
Output
Filesystem      Size   Used  Avail Capacity  Mounted on
/dev/disk0s2   595Gi   52Gi  544Gi     9%    /
devfs          181Ki  181Ki    0Bi   100%    /dev
map -hosts       0Bi    0Bi    0Bi   100%    /net
map auto_home    0Bi    0Bi    0Bi   100%    /home

Any other local command will work as expected. To return to your SFTP session, type:

  exit

You should now see the SFTP prompt return.

Simple File Manipulations with SFTP

SFTP allows you to perform some kinds of filesystem housekeeping. For instance, you can change the owner of a file on the remote system with:

  chown userID file

Notice how, unlike the system chown command, the SFTP command does not accept usernames, but instead uses UIDs. Unfortunately, there is no built-in way to know the appropriate UID from within the SFTP interface.

As a workaround, you can read from the /etc/passwd file, which associates usernames with UIDs in most Linux environments:

  get /etc/passwd
  !less passwd
Output
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
. . .

Notice how instead of giving the ! command by itself, we’ve used it as a prefix for a local shell command. This works to run any command available on our local machine and could have been used with the local df command earlier.

The UID will be in the third column of the file, as delineated by colon characters.

Similarly, we can change the group owner of a file with:

  chgrp groupID file

Again, there is no built-in way to get a listing of the remote system’s groups. We can work around it with the following command:

  get /etc/group
  !less group
Output
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
. . .

The third column holds the ID of the group associated with the name in the first column. This is what we are looking for.

The chmod SFTP command works as normal on the remote filesystem. Mode 777, used in this example, lets every user on the server read, write and execute the file:

  chmod 777 publicFile
Output
Changing mode on /home/demouser/publicFile

There is no equivalent command for manipulating local file permissions, but you can set the local umask, so that any files copied to the local system will have their corresponding permissions.

That can be done with the lumask command:

  lumask 022
Output
Local umask: 022

Now all regular files downloaded (as long as the -p flag is not used) will have 644 permissions.

SFTP also allows you to create directories on both local and remote systems with lmkdir and mkdir respectively.

The rest of the file commands target only the remote filesystem:

  ln
  rm
  rmdir

These commands replicate the core behavior of their shell equivalents. If you need to perform these actions on the local file system, remember that you can drop into a shell by issuing this command:

  !

Or execute a single command on the local system by prefacing the command with ! like so:

  !chmod 644 somefile

When you are finished with your SFTP session, use exit or bye to close the connection.

  bye

Using SFTP with Different Linux Distros

SFTP can be used across various Linux distributions with some differences in setup procedures:

Ubuntu/Debian

# Install OpenSSH server
sudo apt update
sudo apt install openssh-server

# Configure SFTP in sshd_config
sudo nano /etc/ssh/sshd_config
# Ensure this line is uncommented:
# Subsystem sftp /usr/lib/openssh/sftp-server

# Restart SSH service
sudo systemctl restart ssh

CentOS/RHEL

# Install OpenSSH server
sudo yum install openssh-server

# Configure SFTP
sudo vi /etc/ssh/sshd_config
# Ensure this line is uncommented:
# Subsystem sftp /usr/libexec/openssh/sftp-server

# Start and enable SSH service
sudo systemctl start sshd
sudo systemctl enable sshd

Fedora

# Install OpenSSH server
sudo dnf install openssh-server

# Configure SFTP
sudo nano /etc/ssh/sshd_config
# Ensure SFTP subsystem is enabled

# Restart SSH service
sudo systemctl restart sshd

Ensure that the SSH service is running on all distributions, as SFTP relies on it for secure file transfers.

How to Set Up a Basic SFTP Server

  1. Install SSH Server: On Ubuntu, use sudo apt install openssh-server. On CentOS, use sudo yum install openssh-server.
  2. Configure SSH for SFTP: Edit the /etc/ssh/sshd_config file to allow SFTP connections. Add or uncomment Subsystem sftp /usr/lib/openssh/sftp-server.
  3. Restart SSH Service: Apply the changes by restarting the SSH service with sudo systemctl restart sshd.
  4. Create SFTP User: Add a user with restricted SFTP access using adduser sftpuser, and assign them to a specific directory.
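
Step 4 leaves open how the user is actually confined; with OpenSSH this is normally done in a Match block in sshd_config. The following is an added example, not part of the original tutorial: it sets a weak and a confined configuration side by side and reports which restrictions each one lacks. The /srv/sftp path, the function names and both sample configurations are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: two constructed sshd_config samples for the user "sftpuser".

# Weak: the user is limited to SFTP but can browse the whole filesystem
# and can still ask sshd to forward ports.
weak_config() {
cat <<'EOF'
Subsystem sftp /usr/lib/openssh/sftp-server
Match User sftpuser
    ForceCommand internal-sftp
EOF
}

# Confined: no shell, no forwarding, and a chroot. sshd refuses the login
# unless the chroot directory and every parent directory are owned by root
# and not writable by group or others.
hardened_config() {
cat <<'EOF'
Subsystem sftp /usr/lib/openssh/sftp-server
Match User sftpuser
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u   # assumed location
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# missing_restrictions USER < sshd_config
# Prints one line per restriction that the "Match User USER" block lacks.
# Only the simple single-criterion form "Match User name" is recognised.
missing_restrictions() {
    awk -v user="$1" '
        { sub(/#.*/, ""); if (NF == 0) next; key = tolower($1) }
        key == "match" { inblock = (tolower($2) == "user" && $3 == user)
                         if (inblock) seen = 1
                         next }
        !inblock { next }
        key == "forcecommand"       && $2 == "internal-sftp"              { force = 1 }
        key == "chrootdirectory"    && NF >= 2 && tolower($2) != "none"   { chroot = 1 }
        key == "allowtcpforwarding" && tolower($2) == "no"                { tcp = 1 }
        key == "x11forwarding"      && tolower($2) == "no"                { x11 = 1 }
        END {
            if (!seen)   { print "no Match User block for " user; exit }
            if (!force)  print "ForceCommand internal-sftp"
            if (!chroot) print "ChrootDirectory"
            if (!tcp)    print "AllowTcpForwarding no"
            if (!x11)    print "X11Forwarding no"
        }'
}

# Report on both samples.
for cfg in weak_config hardened_config; do
    printf '%s is missing: %s\n' "$cfg" \
        "$($cfg | missing_restrictions sftpuser | tr '\n' ';')"
done
```

After editing the real /etc/ssh/sshd_config, run sudo sshd -t to check the syntax before restarting the service.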

Integrating SFTP into CI/CD Pipelines

Integrating SFTP with CI/CD pipelines allows for secure deployment of files to remote servers. Use tools like Jenkins or GitLab CI/CD with plugins or scripts that support SFTP to automate file transfers.

Common Errors and Debugging

Permission Denied on Upload

When attempting to upload files via SFTP, you may encounter a “Permission Denied” error. This error occurs when the user does not have the necessary permissions to write to the target directory on the remote server. To resolve this issue, you need to adjust the file permissions and ownership of the target directory.

Solution:

  1. Check permissions: Use the ls -ld command to check the current permissions of the target directory. For example: ls -ld /path/to/directory.
  2. Change ownership: Use the chown command to change the ownership of the directory to the user who needs to upload files. For example: sudo chown user:group /path/to/directory.
  3. Adjust permissions: Use the chmod command to adjust the permissions of the directory to allow writing. For example: sudo chmod 755 /path/to/directory.

Connection Refused or Timed Out

A “Connection Refused” or “Timed Out” error can occur when attempting to connect to the SFTP server. This error is often indicative of a network connectivity issue or a problem with the SSH service on the server.

Solution:

  1. Check SSH service: Ensure that the SSH service is running on the server. You can do this by running sudo systemctl status sshd (on CentOS/RHEL) or sudo systemctl status ssh (on Ubuntu).
  2. Verify IP and port: Double-check that you are using the correct IP address and port number for the SFTP server.
  3. Network diagnostics: Use ping to verify network connectivity to the server. For example: ping server_ip. If ping fails, use telnet to test the connection to the SSH port (usually 22). For example: telnet server_ip 22.

Host Key Verification Failed

A “Host Key Verification Failed” error occurs when the client’s known hosts file contains an outdated or incorrect host key for the SFTP server.

Solution:

  1. Remove old host key: Open the ~/.ssh/known_hosts file and remove the line containing the old host key for the SFTP server.
  2. Reconnect: Attempt to reconnect to the SFTP server. This will prompt the client to update the host key in the ~/.ssh/known_hosts file.
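
A host key changes legitimately when a server is rebuilt, but the same error appears when the connection is being intercepted, so the new key should be checked against a fingerprint obtained out of band before the old entry is replaced. The following is an added example, not part of the original tutorial, that performs that check with ssh-keygen; the function names are assumptions.

```shell
#!/bin/sh
# Added example: replace a stale known_hosts entry only after verification.

# key_fingerprints FILE
# Prints the SHA256 fingerprint of every key in FILE, which may be a .pub
# file or known_hosts-style lines such as saved ssh-keyscan output.
key_fingerprints() {
    ssh-keygen -l -E sha256 -f "$1" 2>/dev/null | awk '{ print $2 }'
}

# replace_host_key KNOWN_HOSTS HOST SCANNED EXPECTED_FP
#   SCANNED      file of "HOST keytype base64key" lines for the new key
#   EXPECTED_FP  "SHA256:..." fingerprint obtained out of band
# Exits non-zero and leaves KNOWN_HOSTS untouched unless every scanned key
# belongs to HOST and matches EXPECTED_FP.
replace_host_key() (
    known_hosts=$1 host=$2 scanned=$3 expected=$4

    awk -v h="$host" '$1 != h { bad = 1 } END { exit bad + 0 }' "$scanned" ||
        { echo "scanned file is unreadable or names another host" >&2; exit 1; }

    fps=$(key_fingerprints "$scanned")
    [ -n "$fps" ] || { echo "no parsable key in $scanned" >&2; exit 1; }
    for fp in $fps; do
        [ "$fp" = "$expected" ] ||
            { echo "fingerprint mismatch for $host: $fp" >&2; exit 1; }
    done

    # Verified: drop the stale entry (ssh-keygen keeps a .old backup),
    # then record the new key.
    if [ -f "$known_hosts" ]; then
        ssh-keygen -R "$host" -f "$known_hosts" >/dev/null 2>&1 || exit 1
    fi
    cat "$scanned" >> "$known_hosts"
)

# Runs only when the script is given its four arguments.
if [ "$#" -eq 4 ]; then
    replace_host_key "$@"
fi
```

EXPECTED_FP should come from a channel the network path cannot alter, such as the provider's console or ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub run on the server itself.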

Fixing “Command Not Found”

A “Command Not Found” error can occur when the SFTP subsystem is not correctly configured on the server.

Solution:

  1. Check SSH configuration: Ensure that the SFTP subsystem is enabled in the SSH configuration file. For example, on CentOS/RHEL, check /etc/ssh/sshd_config for the line Subsystem sftp /usr/libexec/openssh/sftp-server.
  2. Verify path: Verify that the path to sftp-server is correct and the file exists.

SSH Key Authentication Errors

SSH key authentication errors can occur when the public key is not correctly placed or has incorrect permissions on the server.

Solution:

  1. Check authorized_keys: Ensure that the public key is correctly placed in the server’s ~/.ssh/authorized_keys file.
  2. Permissions: Ensure that the ~/.ssh directory has permissions set to 700 and the authorized_keys file has permissions set to 600. Use chmod to adjust permissions if necessary.

FAQs

1. What is SFTP and how does it work?

SFTP, or Secure File Transfer Protocol, is a secure protocol used for transferring files over a network. It is built into SSH (Secure Shell) and provides a secure way to access, manage, and transfer files over a network. SFTP works by establishing a secure connection between a client and a server, allowing for the transfer of files between them. This connection is encrypted, ensuring that data is protected from unauthorized access.

2. How do I connect to an SFTP server?

To connect to an SFTP server, you need to use an SFTP client. The command to connect to an SFTP server is similar to SSH:

sftp user@remote_server

Replace user with your username and remote_server with the hostname or IP address of the server you want to connect to. You will be prompted to enter your password to authenticate.

3. How do I upload files using SFTP?

To upload files using SFTP, you can use the put command. The basic syntax is:

  put local_file remote_file

Replace local_file with the path to the file you want to upload and remote_file with the path where you want to upload the file on the remote server.

4. Can I automate file transfers with SFTP?

Yes, you can automate file transfers with SFTP using scripts or tools that support SFTP. For example, you can use a tool like lftp to automate file transfers. You can also use scripting languages like Python or Bash to automate SFTP transfers.
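
An added example, not part of the original tutorial, for the CI/CD section above and for this answer: a POSIX shell job that builds an sftp batch file and runs it without prompts against a pinned host key. The function names, the .part suffix and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example: non-interactive upload for a CI job.

# make_batch REMOTE_DIR FILE...
# Prints an sftp batch script. Names go into the batch file verbatim, so
# anything outside a conservative character set is refused: whitespace,
# quotes or a newline could add extra batch commands, a leading "-" would be
# read as an option, and "*" or "?" would be expanded by put.
make_batch() (
    [ "$#" -ge 2 ] || { echo "usage: make_batch REMOTE_DIR FILE..." >&2; exit 1; }
    for name in "$@"; do
        case $name in
            ''|-*|*/|*[!A-Za-z0-9._/-]*)
                echo "refusing unsafe name" >&2; exit 1 ;;
        esac
    done
    remote_dir=$1; shift
    printf 'cd %s\n' "$remote_dir"
    for file in "$@"; do
        base=${file##*/}
        # Upload under a temporary name, then rename, so readers of the
        # directory never pick up a half-written file.
        printf 'put %s %s.part\n' "$file" "$base"
        printf 'rename %s.part %s\n' "$base" "$base"
    done
    printf 'bye\n'
)

# sftp_deploy USER@HOST KEY_FILE KNOWN_HOSTS BATCH_FILE
# BatchMode never prompts, and StrictHostKeyChecking=yes with a job-specific
# known_hosts file turns an unknown or changed host key into a hard failure.
# With -b, sftp stops at the first failing put or rename and exits non-zero.
sftp_deploy() {
    sftp -b "$4" -i "$2" \
        -oBatchMode=yes -oIdentitiesOnly=yes \
        -oStrictHostKeyChecking=yes -oUserKnownHostsFile="$3" \
        "$1"
}

# Usage: deploy.sh USER@HOST KEY_FILE KNOWN_HOSTS REMOTE_DIR FILE...
if [ "$#" -ge 5 ]; then
    target=$1 key=$2 known_hosts=$3 remote_dir=$4
    shift 4
    batch=$(mktemp) || exit 1
    make_batch "$remote_dir" "$@" > "$batch" &&
        sftp_deploy "$target" "$key" "$known_hosts" "$batch"
    status=$?
    rm -f "$batch"
    exit "$status"
fi
```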

5. How is SFTP different from FTP and SCP?

SFTP is different from FTP (File Transfer Protocol) in that it provides a secure connection for transferring files, whereas FTP does not encrypt the data being transferred. SFTP is also different from SCP (Secure Copy) in that SCP is designed for copying files between hosts on a network, whereas SFTP provides a more comprehensive set of file management features, such as the ability to list directories, delete files, and create directories.

6. What port does SFTP use by default?

SFTP uses port 22 by default, which is the same port used by SSH.

7. How do I fix SFTP permission errors?

To fix SFTP permission errors, you need to ensure that the user has the necessary permissions to read or write files on the remote server. This may involve changing the ownership or permissions of the files or directories in question. You can use the chown and chmod commands to change ownership and permissions, respectively. For example:

chown user:group file
chmod 755 file

Replace user and group with the desired ownership and file with the path to the file you want to modify.

Conclusion

Although SFTP syntax is much less comprehensive than modern shell tooling, it can be useful for providing compatibility with legacy FTP syntax or for carefully limiting the functionality available to remote users of some environments.

For example, you can use SFTP to enable particular users to transfer files without SSH access. For more information on this process, check out our tutorial on How To Enable SFTP Without Shell Access.

If you are used to using FTP or SCP to accomplish your transfers, SFTP is a good way to leverage the strengths of both. While it is not appropriate for every situation, it is a flexible tool to have in your repertoire.

About the author(s)

Justin Ellingwood
10 Comments

Awesome tuts. Thanks.

Easier to use FileZilla - hopefully my tutorial will be here soon.

@Samuel,

Sorry to steal your thunder: How To Use Filezilla to Transfer and Manage Files Securely on your VPS (https://www.digitalocean.com/community/articles/how-to-use-filezilla-to-transfer-and-manage-files-securely-on-your-vps).

-r works with put?? I am trying put -r localfile, and it is saying: invalid flag -r

Please help. Using “put -r localDirectory” as a template (I want to upload all the files and folders from a folder on my local machine) I ran:

sftp> lpwd
Local working directory: /Users/Larry/Documents/Website
sftp> put -r .

But the results had errors:

Uploading ./ to /var/www/html/.
remote open("/var/www/html/.DS_Store"): Permission denied
Uploading of file ./.DS_Store to /var/www/html/.DS_Store failed!
remote open("/var/www/html/.htaccess"): Permission denied
Uploading of file ./.htaccess to /var/www/html/.htaccess failed!
remote open("/var/www/html/index.php"): Permission denied
Uploading of file ./index.php to /var/www/html/index.php failed!

Not sure what is wrong, or how to fix it. Perhaps locally I have to be one directory above the desired folder to copy?

sftp> lcd ..
sftp> lpwd
Local working directory: /Users/Larry/Documents
sftp> put -r Website
Uploading Website/ to /var/www/html/Website
Couldn't canonicalise: No such file or directory
Unable to canonicalise path "/var/www/html/Website"
sftp>

Justin Ellingwood
DigitalOcean Employee
March 26, 2014

Larry: It looks like you’re trying to upload files into a directory on the remote server that you do not have permission to write to.

There are a few ways around this. You could upload them to a directory on the remote server that you do have access to, like your home directory, and then sign in through SSH and move the files over to the correct location (using sudo or by signing in with root).

Another alternative is to log in as the root user when connecting through SFTP by giving a command like sftp root@your_server_ip. You would then have adequate permissions to transfer the files to the web root as you are attempting to do.

Please write back if you have more questions.

I had changed my SSH port when I configured my server, so I use, for example, ssh -p 4444 username@server_ip_addr

But how can I do the same for sftp? I tried sftp -p 4444 username@server_ip_addr but it did not work; connection closing

You need to give the argument -oPort

sftp -oPort=4444 username@server_ip_addr

Hey, I can ssh onto my droplet, but if I type “put”, it says “No command ‘put’ found”. It does the same for commands like “lpwd” and “lcd”. Any idea about what’s happening?

Justin Ellingwood
DigitalOcean Employee
June 21, 2014

alishaaukani+digoc:

You need to use the sftp command instead of ssh when you wish to use the SFTP functionality. This will take you into an SFTP session instead of a normal SSH session, and allow you to use the commands you mention and transfer files.

Let me know if you have any additional questions.
