Sftp File Transfer Protocol

Reading the release notes for “9.4” I see that the command “scp” is nolonger possible and sftp is now the recommended means of secure file transfer. I read the man page for sftp but there are no usage examples. I have not used ftp at the command line since the 90’s and thus have forgotten all I knew.
Do I assume to transfer a file between machines on the same network that the command would be something like this:

cd <to folder with data to transfer>
sftp <some  file> user@machine:<path to destination>

I don’t do transfers outside my tiny lan.

I’m not sure where you’re seeing it’s no longer possible. The sftp protocol is now used for scp in 9. You can still use scp without any issues.

man scp and scroll down to history.

Since OpenSSH 8.8 (8.7 in Red Hat/Fedora builds),
scp has use the SFTP protocol for transfers by default.

Chapter 10. Deprecated functionality Red Hat Enterprise Linux 9 | Red Hat Customer Portal says “deprecated”, not removed.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/known-issues#known-issues-security tells that some scp syntax can wipe a file (when it should be a no-op).


Personally, I’d recommend rsync. It is versatile and does use ssh for transfer.

The deprecated notice has been around for a while, but scp still seems to work. If scp really is using the sftp protcol behind the scenes, I wonder why they say it’s deprecated.

sftp is good for developers who want to upload huge complicated websites, e.g. from Windows/Mac.

rsync is good for synchronising huge directory structures, and making backups.

scp is handy when you want to quickly copy a single file.

I don’t see it easier than:

rsync -av <folder_with_data_to_transfer>/<some_file> user@machine:<path_to_destination>

I’ve used rsync to transfer files between machines I just don’t know that it is any more secure than scp.

If you use the command like @jlehtone posted, it’s rsync over ssh. So it’s just as secure as scp/sftp. Now if you do rsync over rsyncd with port 873, then that is a different matter entirely.

man scp writes:

CAVEATS
The original scp protocol (selected by the -O flag) requires execution of the remote user’s shell to perform glob(3) pattern matching. This requires careful quoting of any characters that have special meaning to the remote shell, such as quote characters.

That relates to 1666127 – (CVE-2019-6111) CVE-2019-6111 openssh: Improper validation of object names allows malicious server to overwrite files via scp client

In other words, a command like scp foo:dir/*.txt ~ used to depend on shell of the remote machine to handle the glob, and “inventive” shell could expand that to: scp foo:dir/.bashrc ~
The sftp protocol supposedly does not use remote shell.

Then again, one can run rsync foo:dir/*.txt ~ too and a quick browse on the oh-so-short man rsync did not tell who does expand the dir/*.txtprobably the remove shell.


(If you cannot trust a system that you can ssh to … would any file transfer protocol be any safer?)

But then you have to remember if you’re pulling or pushing, whether you need a trailling slash, and one tiny typing mistake, you could end up syncronising gigabytes of data.