SSH Port Forwarding

SSH is typically used for logging into remote servers so you have shell access to do maintenance, read your email, restart services, or whatever administration you require. SSH also offers some other native services, such as file copy (using scp and sftp) and remote command execution (using ssh with a command on the command line after the hostname).

Whenever we SSH from one machine to another, we establish a secure encrypted session. This first article in this SSH series at properly verifying a server's host key, so that we can be sure that no attacker is able to perform a man-in-the-middle attack and gain access to read or manipulate what we do in that session. Other articles in this series looked at removing the need for static passwords using SSH user identities, and then using ssh-agent to automate the task of typing passphrases.

SSH also has a wonderful feature called SSH Port Forwarding, sometimes called SSH Tunneling, which allows you to establish a secure SSH session and then tunnel arbitrary TCP connections through it. Tunnels can be created at any time, with almost no effort and no programming, which makes them very appealing. In this article we look at SSH Port Forwarding in detail, as it is a very useful but often misunderstood technology. SSH Port Forwarding can be used for secure communications in a myriad of different ways.

SSH Tunnel Diagram

Hand drawn Diagram about SSH tunneling

SSH - file transfer protocol

SFTP client

The term SFTP can also refer to Secure file transfer program, a command-line program that implements the client part of this protocol, such as that supplied with OpenSSH.

The sftp program provides an interactive interface similar to that of traditional FTP clients.

Some implementations of the scp program actually use the SFTP protocol to perform file transfers; however, some such implementations are still able to fallback to the SCP protocol if the server does not provide SFTP service.

SFTP server

There are numerous SFTP server implementations both for UNIX and Windows. The most widely known is perhaps OpenSSH, but there are also proprietary implementations.

SFTP proxy

The adoption of SFTP is hindered somewhat because it is difficult to control SFTP transfers on security devices at the network perimeter. There are standard tools for logging FTP transactions, like TIS fwtk or SUSE FTP proxy, but SFTP is encrypted, rendering traditional proxies ineffective for controlling SFTP traffic.

There are some tools that implement man-in-the-middle for SSH which also feature SFTP control: such a tool is Shell Control Box from BalaBit. These provide SFTP transaction logging as well as logging the actual data transmitted on the wire.

SSH file transfer protocol

In computing, the SSH File Transfer Protocol (sometimes called Secure File Transfer Protocol or SFTP) is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with version two of the SSH protocol (TCP port 22) to provide secure file transfer, but is intended to be usable with other protocols as well.

Capabilities

Compared to the earlier SCP protocol, which allows only file transfers, the SFTP protocol allows for a range of operations on remote files – it is more like a remote file system protocol. An SFTP client's extra capabilities compared to an SCP client include resuming interrupted transfers, directory listings, and remote file removal. For these reasons it is relatively simple to implement a GUI SFTP client compared with a GUI SCP client.

SFTP attempts to be more platform-independent than SCP; for instance, with SCP, the expansion of wildcards specified by the client is up to the server, whereas SFTP's design avoids this problem. While SCP is most frequently implemented on Unix platforms, there exists SFTP servers for most platforms.

SFTP is not FTP run over SSH, but rather a new protocol designed from the ground up by the IETF SECSH working group. It is sometimes confused with Simple File Transfer Protocol.

The protocol itself does not provide authentication and security; it expects the underlying protocol to secure this. SFTP is most often used as subsystem of SSH protocol version 2 implementations, having been designed by the same working group. However, it is possible to run it over SSH-1 (and some implementations support this) or other data streams. Running SFTP server over SSH-1 is not platform independent as SSH-1 does not support the concept of subsystems. An SFTP client willing to connect to an SSH-1 server needs to know the path to the SFTP server binary on the server side.

The Secure Internet Live Conferencing (SILC) protocol defines the SFTP as its default file transfer protocol. In SILC the SFTP data is not protected with SSH but SILC's secure packet protocol is used to encapsulate the SFTP data into SILC packet and to deliver it peer-to-peer. This is possible as SFTP is designed to be protocol independent.

For uploads, the transferred files may be associated with their basic attributes, such as timestamps. This is an advantage over the common FTP protocol, which does not have provision for uploads to include the original date/timestamp attribute.

Standardization

The protocol is not yet an Internet standard. The latest specification is an expired Internet Draft, which defines version 6 of the protocol. Currently the most widely used version is 3, implemented by the popular OpenSSH SFTP server. Many Microsoft Windows-based SFTP implementations use version 4 of the protocol, which lessened its ties with the Unix platform.

The Internet Engineering Task Force (IETF) "Secsh Status Pages" search tool contains links to all versions of the Internet draft-ietf-secsh-filexfer which describes this protocol.

Simple File Transfer Protocol

Simple File Transfer Protocol, as defined by RFC 913, was proposed as an (unsecured) file transfer protocol with a level of complexity intermediate between TFTP and FTP.

It was never widely accepted on the Internet, and is now assigned Historic status by the IETF.

It is sometimes confused with SSH file transfer protocol, a secured file transfer protocol.

It runs through port 115, and often receives the acronym of SFTP. It has a command set of 11 commands and support three types of data transmission: ASCII, BINARY and CONTINUOUS. For systems which have "WORD SIZE" which are multiples of 8 bits, the implementation of BINARY and CONTINUOUS is the same.

The protocol supports the following:

1. User id based login (User-id/Password combination)
2. Hierarchical folders
3. File Management (Rename, Delete, Upload, Download, Download with overwrite, Download with append)

The protocol does not support random access inside a file (required for resuming interrupted transfers).

SFTP may refer to:

Relating to file transfer:

* SSH file transfer protocol, a network protocol designed by the IETF to provide secure file transfer and manipulation facilities over the secure shell (SSH) protocol. This is typically meant in context of file transfer.
* FTP over SSH, the practice of running an FTP session over SSH, sometimes called Secure FTP. Rarely used, because FTP's normal 2-channel nature makes such tunneling hard.
* Simple File Transfer Protocol, an unsecured and rarely-used file transfer protocol from the early days of the Internet.
* Serial File Transfer Protocol, a protocol used to transfer files between a PC and an embedded device using RS-232 or similar serial protocols.

SFTP may also refer to:

* Screened fully-shielded twisted pair, a kind of network cable, in contrast to FTP and STP
* Science for the People, a U.S. left-wing organization and magazine
* Six Flags Theme Parks, chain of amusement parks and theme parks.