FTP, the File Transfer Protocol, was a popular, unencrypted method of transferring files between two remote systems. As of 2022, it has been deprecated by most modern software due to a lack of security, and can mostly only be used in legacy applications.
SFTP, which stands for Secure File Transfer Protocol, is a separate protocol packaged built into SSH that can implement FTP commands over a secure connection. Typically, it can act as a drop-in replacement in any contexts where an FTP server is still needed.
In almost all cases, SFTP is preferable to FTP because of its underlying security features and ability to piggy-back on an SSH connection. FTP is an insecure protocol that should only be used in limited cases or on networks you trust.
Although SFTP is integrated into many graphical tools, this guide will demonstrate how to use it through its interactive command line interface.
By default, SFTP uses the SSH protocol to authenticate and establish a secure connection. Because of this, the same authentication methods are available that are present in SSH.
Although you can authenticate with passwords by default, we recommend you create SSH keys and transfer your public key to any system that you need to access. This is much more secure and can save you time in the long run.
Please see this guide to set up SSH keys in order to access your server if you have not done so already.
If you can connect to the machine using SSH, then you have completed all of the necessary requirements necessary to use SFTP to manage files. Test SSH access with the following command:
- ssh sammy@your_server_ip_or_remote_hostname
If that works, exit back out by typing:
- exit
Now we can establish an SFTP session by issuing the following command:
- sftp sammy@your_server_ip_or_remote_hostname
You will connect the the remote system and your prompt will change to an SFTP prompt.
If you are working on a custom SSH port (not the default port 22), then you can open an SFTP session as follows:
- sftp -oPort=custom_port sammy@your_server_ip_or_remote_hostname
This will connect you to the remote system by way of your specified port.
The most useful command to learn first is the help command. This gives you access to a summary of the other SFTP commands. You can call it by typing either of these in the prompt:
- help
or
- ?
This will display a list of the available commands:
OutputAvailable commands:
bye Quit sftp
cd path Change remote directory to 'path'
chgrp grp path Change group of file 'path' to 'grp'
chmod mode path Change permissions of file 'path' to 'mode'
chown own path Change owner of file 'path' to 'own'
df [-hi] [path] Display statistics for current directory or
filesystem containing 'path'
exit Quit sftp
get [-Ppr] remote [local] Download file
help Display this help text
lcd path Change local directory to 'path'
. . .
We will explore some of the commands you see in the following sections.
We can navigate through the remote system’s file hierarchy using a number of commands that function similarly to their shell counterparts.
First, let’s orient ourselves by finding out which directory we are in currently on the remote system. Just like in a typical shell session, we can type the following to get the current directory:
- pwd
OutputRemote working directory: /home/demouser
We can view the contents of the current directory of the remote system with another familiar command:
- ls
OutputSummary.txt info.html temp.txt testDirectory
Note that the commands available within the SFTP interface are not a 1:1 match for typical shell syntax and are not as feature-rich. However, they do implement some of the more important optional flags, such as adding -la
to ls
to view more file metadata and permissions:
- ls -la
Outputdrwxr-xr-x 5 demouser demouser 4096 Aug 13 15:11 .
drwxr-xr-x 3 root root 4096 Aug 13 15:02 ..
-rw------- 1 demouser demouser 5 Aug 13 15:04 .bash_history
-rw-r--r-- 1 demouser demouser 220 Aug 13 15:02 .bash_logout
-rw-r--r-- 1 demouser demouser 3486 Aug 13 15:02 .bashrc
drwx------ 2 demouser demouser 4096 Aug 13 15:04 .cache
-rw-r--r-- 1 demouser demouser 675 Aug 13 15:02 .profile
. . .
To get to another directory, we can issue this command:
- cd testDirectory
We can now traverse the remote file system, but what if we need to access our local file system? We can direct commands towards the local file system by preceding them with an l
for local.
All of the commands discussed so far have local equivalents. We can print the local working directory:
- lpwd
OutputLocal working directory: /Users/demouser
We can list the contents of the current directory on the local machine:
- lls
OutputDesktop local.txt test.html
Documents analysis.rtf zebra.html
We can also change the directory we want to interact with on the local system:
- lcd Desktop
If we want to download files from our remote host, we can do so using the get
command:
- get remoteFile
OutputFetching /home/demouser/remoteFile to remoteFile
/home/demouser/remoteFile 100% 37KB 36.8KB/s 00:01
As you can see, by default, the get
command downloads a remote file to a file with the same name on the local file system.
We can copy the remote file to a different name by specifying the name afterwards:
- get remoteFile localFile
The get
command also accepts some option flags. For instance, we can copy a directory and all of its contents by specifying the recursive option:
- get -r someDirectory
We can tell SFTP to maintain the appropriate permissions and access times by using the -P
or -p
flag:
- get -Pr someDirectory
Transferring files to the remote system works the same way, but with a put
command:
- put localFile
OutputUploading localFile to /home/demouser/localFile
localFile 100% 7607 7.4KB/s 00:00
The same flags that work with get
apply to put
. So to copy an entire local directory, you can run put -r
:
- put -r localDirectory
One familiar tool that is useful when downloading and uploading files is the df
command, which works similarly to the command line version. Using this, you can check that you have enough space to complete the transfers you are interested in:
- df -h
Output Size Used Avail (root) %Capacity
19.9GB 1016MB 17.9GB 18.9GB 4%
Please note, that there is no local variation of this command, but we can get around that by issuing the !
command.
The !
command drops us into a local shell, where we can run any command available on our local system. We can check disk usage by typing:
- !
and then
- df -h
OutputFilesystem Size Used Avail Capacity Mounted on
/dev/disk0s2 595Gi 52Gi 544Gi 9% /
devfs 181Ki 181Ki 0Bi 100% /dev
map -hosts 0Bi 0Bi 0Bi 100% /net
map auto_home 0Bi 0Bi 0Bi 100% /home
Any other local command will work as expected. To return to your SFTP session, type:
- exit
You should now see the SFTP prompt return.
SFTP allows you to perform some kinds of filesystem housekeeping. For instance, you can change the owner of a file on the remote system with:
- chown userID file
Notice how, unlike the system chmod
command, the SFTP command does not accept usernames, but instead uses UIDs. Unfortunately, there is no built-in way to know the appropriate UID from within the SFTP interface.
As a workaround, you can read from the /etc/passwd
file, which associates usernames with UIDs in most Linux environments:
- get /etc/passwd
- !less passwd
Outputroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
. . .
Notice how instead of giving the !
command by itself, we’ve used it as a prefix for a local shell command. This works to run any command available on our local machine and could have been used with the local df
command earlier.
The UID will be in the third column of the file, as delineated by colon characters.
Similarly, we can change the group owner of a file with:
- chgrp groupID file
Again, there is no built-in way to get a listing of the remote system’s groups. We can work around it with the following command:
- get /etc/group
- !less group
Outputroot:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
. . .
The third column holds the ID of the group associated with name in the first column. This is what we are looking for.
The chmod
SFTP command works as normal on the remote filesystem:
- chmod 777 publicFile
OutputChanging mode on /home/demouser/publicFile
There is no equivalent command for manipulating local file permissions, but you can set the local umask, so that any files copied to the local system will have their corresponding permissions.
That can be done with the lumask
command:
- lumask 022
OutputLocal umask: 022
Now all regular files downloaded (as long as the -p
flag is not used) will have 644 permissions.
SFTP also allows you to create directories on both local and remote systems with lmkdir
and mkdir
respectively.
The rest of the file commands target only the remote filesystem:
- ln
- rm
- rmdir
These commands replicate the core behavior of their shell equivalents. If you need to perform these actions on the local file system, remember that you can drop into a shell by issuing this command:
- !
Or execute a single command on the local system by prefacing the command with !
like so:
- !chmod 644 somefile
When you are finished with your SFTP session, use exit
or bye
to close the connection.
- bye
Although SFTP syntax is much less comprehensive than modern shell tooling, it can be useful for providing compatibility with legacy FTP syntax or for carefully limiting the functionality available to remote users of some environments.
For example, you can use SFTP to enable particular users to transfer files without SSH access. For more information on this process, check out our tutorial on How To Enable SFTP Without Shell Access.
If you are used to using FTP or SCP to accomplish your transfers, SFTP is a good way to leverage the strengths of both. While it is not appropriate for every situation, it is a flexible tool to have in your repertoire.
Need highly available block storage? Attach secure, scalable NVMe- and SSD-based Volumes Block Storage to your DigitalOcean virtual machine in seconds. We’ll make sure your data is reliably stored and secure.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
For changed ports
if sftp -oPort port_number username@server_ip_addr
doesn’t work, this should:
sftp -oPort=port_number username@server_ip_addr
@Samuel,
Sorry to steal your thunder: <a href=“https://www.digitalocean.com/community/articles/how-to-use-filezilla-to-transfer-and-manage-files-securely-on-your-vps”>How To Use Filezilla to Transfer and Manage Files Securely on your VPS</a>.
Easier to use FilaZilla - hopefully my tutorial will be here soon.
Great tutorial buddy. Really helpful The SFTP commands really working with my current web host Redserverhost .com Thanks again. Keep posting such articles. Have a great day
Awesome! I couldn’t get FileZilla to stop trying to use pubkey auth, this helped me work around it!
when i use other port ,it always refused,
port 6666: Connection refused Connection closed
, i confirm the port 6666 is free, so i want to know what are the possible reasons for it. thank you very much.I always find you’re info reliable. Thanks a lot.
Thanks for this tutorial, very helpful!
Usually readers get confused with SFTP and FTPS protocol. SFTP (SSH File Transfer Protocol/Secure File Transfer Protocol) and FTPS is FTP with SSL for security. Besides this, if you want to know how to configure VSFTPD FTPS with SSL/TLS on Ubuntu 18.04, check out this blog.
Update link at bottom
https://www.digitalocean.com/community/tutorials/how-to-enable-sftp-without-shell-access-on-ubuntu-16-04
&
https://www.digitalocean.com/community/tutorials/how-to-enable-sftp-without-shell-access-on-centos-7