SFTP protocol

SSH protocol basics
Secure Shell (SSH), sometimes known as Secure Socket Shell, is a Unix-based command interface and protocol for securely getting access to a remote computer. It is widely used by network administrators to control Web and other kinds of servers remotely. SSH is actually a suite of three utilities - slogin, ssh, and scp - that are secure versions of the earlier UNIX utilities, rlogin, rsh, and rcp.
SSH also offers useful features:
- Compression - traffic may be optionally compressed at the stream level.
- Public key authentication - optionally replacing password authentication.
- Authentication of the server - making "man-in-the-middle" attacks more difficult.
- Port forwarding - arbitrary TCP sessions can be forwarded over an SSH connection.
- X11 forwarding - SSH can forward your X11 sessions too.
- File transfer - the SSH protocol family includes two file transfer protocols (SFTP and SCP).
SCP and SFTP
The file transfer capabilities of SSH are provided by utilities included with most SSH products. Typically, these utilities are called scp and sftp.
The scp and sftp utilities use the SCP and SFTP protocols (respectively) to provide file transfer capabilities and use the encrypted SSH tunnel to provide security.
SFTP stands for ‘Secure File Transfer Protocol’. The Secure File Transfer Protocol ensures that data are securely transferred using a private and safe data stream.
The SFTP protocol's main purpose is to transfer data, but it is also used to obtain general access to the SFTP server's file system. The SFTP protocol runs on a secure channel - no clear text passwords or file data are transferred.
Compared to the earlier SCP protocol, which allows only file transfers, the SFTP protocol allows for a range of operations on remote files – it is more like a remote file system protocol. An SFTP client's extra capabilities compared to an SCP client include resuming interrupted transfers, directory listings, and remote file removal.
Although both SCP and SFTP use the same SSH encryption during file transfer, with the same general level of overhead, SCP is usually much faster than SFTP at transferring files, especially on high-latency networks. This happens because SCP implements a more efficient transfer algorithm, one which does not require waiting for packet confirmations. This leads to faster speed but comes at the expense of not being able to interrupt a transfer, so unlike SFTP, an SCP transfer cannot be canceled without terminating the session.
The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet.
SSH protocol security
SSH commands are encrypted and secure in several ways. Both ends of the client/server connection are authenticated using a digital certificate, and passwords are protected by being encrypted.
SSH encrypts traffic in both directions, preventing traffic sniffing and password theft.
Authentication methods
(In all cases machine authentication is by a public key.)
- Password - It provides strong protection against password sniffing and third party session monitoring, better protecting your authentication credentials and privacy.
- Public key authentication - The client will check the identity of the server.
Password authentication - Host key
Each server has a unique identifying code, called a host key. These keys prevent a server from forging another server’s key. If you connect to a server and you receive an unexpected host key, the SSH client can warn you that the server may have been switched and that a spoofing attack might be underway.
Every SSH client records the host key for each server you connect to, in the configuration storage. Every time you connect to a server, it compares the server’s host key to the host key you received the last time you connected. If the keys differ, you will receive a warning and a chance to abandon your connection before you enter any private information such as a password.
However, when you connect to a server for the first time, the SSH client has no way of telling whether the host key is the right one or not. So it gives the warning shown above and asks you whether you want to trust this host key or not.
Whether or not to trust the host key is your choice.
Public key authentication
Secure Shell (SSH) public key authentication can be used by a client to access servers.
SSH includes an ability to authenticate users using public keys. Instead of authenticating the user with a password, the server will verify a challenge signed by the user’s private key against its copy of the user’s public key.
Setting up public key authentication requires you to generate a public/private key pair and install the public portion on the server. It is also possible to restrict what a given key is able to do and what addresses they are allowed to log in from.
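The restrictions mentioned above are written as options in front of the key in the server's authorized_keys file. The following audit script is an added example, not part of the original page: it parses those options and lists keys that lack from=, command= or restrict. The sample entries, key blobs and the command path are constructed placeholders.

```python
import re

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting with one has no options

def split_options(field):
    """Split 'a,b="x,y",c' on commas outside double quotes -> {name: value}."""
    pattern = r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(?:,|$)'
    return {m.group(1).lower(): m.group(2) for m in re.finditer(pattern, field)}

def parse_entry(line):
    """Return (options, comment) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    i = 0
    if not line.startswith(KEY_PREFIXES):
        in_quote = False
        # The options field ends at the first whitespace outside quotes.
        while i < len(line) and (in_quote or not line[i].isspace()):
            if in_quote and line[i] == "\\":
                i += 1  # skip the escaped character
            elif line[i] == '"':
                in_quote = not in_quote
            i += 1
    fields = line[i:].split(None, 2)  # key type, base64 blob, comment
    comment = fields[2] if len(fields) > 2 else "(no comment)"
    return split_options(line[:i]), comment

def audit(text):
    """List (comment, findings) for keys that lack the restrictions above."""
    report = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        opts, comment = entry
        findings = []
        if "from" not in opts:
            findings.append("usable from any address (no from=)")
        if "command" not in opts:
            findings.append("can run any command (no command=)")
        if "restrict" not in opts:
            findings.append("forwarding/pty not blanket-disabled (no restrict)")
        if findings:
            report.append((comment, findings))
    return report

# Constructed sample; key blobs are placeholders, the command path is hypothetical.
SAMPLE = '''# service key, locked down
from="192.0.2.0/24,198.51.100.7",command="/usr/local/bin/backup-only --read",restrict ssh-ed25519 KEYBLOB1 backup@batch
ssh-ed25519 KEYBLOB2 alice@laptop
'''

for who, problems in audit(SAMPLE):
    print(who, "->", "; ".join(problems))
```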
This picture will show how to exchange keys in Password and/or Public key authentication:
Fingerprints
Before establishing a connection, the SFTP server sends an encrypted fingerprint of its public host keys to ensure that the SFTP connection will be exchanging data with the correct server.
The first time the connection is established, this key is not yet known to the client program and must therefore be confirmed by the user before data is exchanged for the first time. Once you have established a connection to an FTP server and are sure that it is really the correct server, you should save the fingerprint information locally. This enables you to check the fingerprint information against the data you saved every time you establish a new connection to ensure that no one is between you and the server. Different servers issue fingerprints only once. They are generated by a server's private key.
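The host key comparison and fingerprint check described in the sections above can be sketched as follows. This is an added example, not code from the original page: it computes the SHA256 fingerprint format that OpenSSH prints and compares an offered key with the saved one. The host names and key blobs are constructed sample data, and hashed known_hosts entries are not handled.

```python
import base64
import hashlib
import struct

def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def fingerprint(key_blob):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_known_hosts(text):
    """Map host name -> list of stored key blobs (plain entries only)."""
    known = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue  # comments, markers and hashed names are skipped here
        for host in fields[0].split(","):
            known.setdefault(host, []).append(base64.b64decode(fields[2]))
    return known

def check_host_key(known, host, offered_blob):
    """'unknown' on first contact, 'match' if stored, else 'changed'."""
    if host not in known:
        return "unknown"   # confirm the fingerprint out of band, then save
    if offered_blob in known[host]:
        return "match"
    return "changed"       # stop before sending any credentials

# Constructed sample data: fake ed25519 blobs, not keys of any real server.
KEY_SAVED = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
KEY_OTHER = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
KNOWN = load_known_hosts(
    "sftp.example.com ssh-ed25519 " + base64.b64encode(KEY_SAVED).decode() + "\n")

for host, blob in [("sftp.example.com", KEY_SAVED),
                   ("sftp.example.com", KEY_OTHER),
                   ("new.example.com", KEY_OTHER)]:
    print(host, fingerprint(blob), check_host_key(KNOWN, host, blob))
```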