The Relationship Between File Transfer, SSH, SCP2 (SCP), and SFTP

  • 7022000
  • 11-Nov-2004
  • 02-Mar-2018

Environment

Reflection for Secure IT Windows Client version 7.1 or higher
Reflection for Secure IT UNIX Client version 7.1 or higher
Reflection for Secure IT UNIX Server version 7.1 or higher
Reflection 2014
Reflection for IBM 2014
Reflection for UNIX and OpenVMS 2014
Reflection Standard Suite 2011
Reflection for IBM 2011
Reflection for UNIX and OpenVMS 2011
Reflection for HP with NS/VT version 14.x
Reflection for IBM version 14.x
Reflection for UNIX and OpenVMS version 14.x

Situation

This technical note explains how the scp and sftp file transfer utilities interact with SSH to provide secure file transfer.

Resolution

A Brief Introduction to SSH

The SSH protocol provides strong encrypted authentication and a secure encrypted tunnel through which you can move data and execute remote commands securely.

There are two different and incompatible versions of the SSH protocol: SSH-2 and SSH-1. While the Reflection Windows clients support both, it is highly recommended that you use the newer protocol, SSH-2, rather than SSH-1, which is deprecated.

This technical note assumes that you are using Reflection with SSH-2.

The Secure File Transfer Utilities

The file transfer capabilities of SSH are provided by utilities included with most SSH products, such as Reflection and the Reflection for Secure IT Windows and UNIX Clients. Typically, these utilities are called scp and sftp.

The scp and sftp utilities use the SCP and SFTP protocols (respectively) to provide file transfer capabilities and use the encrypted SSH tunnel to provide security.

Important distinction: The file transfer protocol SFTP is not a 'secure version' of the standard FTP protocol. It is a completely different protocol. You cannot connect to an FTP server using SFTP or to an SFTP server using FTP.

Different scp Implementations

There are two ways that an scp utility can implement file transfers: one implementation, based on OpenSSH, uses SCP over SSH; the other uses SFTP over SSH. These are two very different implementations, and the differences can cause incompatibility between some scp client utilities and some SSH servers.

scp Implementation Mismatches

The following clients use scp based on OpenSSH (using SCP over SSH) and are incompatible with these non-OpenSSH-based SSH servers.

These clients:
- Reflection 13.0.3 or earlier
- Reflection for Secure IT Windows Client 6.0
- OpenSSH client
- scp client in SSH-1 Compatibility mode

CANNOT connect to these servers:
- Reflection for Secure IT Windows Server 6.x
- F-Secure SSH Windows or UNIX Server

Conversely, the following SSH servers are compatible with clients that use scp based on OpenSSH (using SCP over SSH), including the versions of Reflection listed here.

These clients:
- Reflection 13.0.3 or earlier
- Reflection for Secure IT Windows Client 6.0
- OpenSSH client
- scp client in SSH-1 Compatibility mode

CAN connect to these servers:
- Reflection for Secure IT UNIX Server 6.0 or higher
- Reflection for Secure IT Windows Server 7.0 or higher *
- OpenSSH servers

* To use these older Reflection clients with Reflection for Secure IT Windows Server 7.0 or higher, you must configure Reflection for Secure IT Windows Server to Allow SCP1 (from the Permissions panel). The term SCP1 does not mean that the SSH-1 protocol is being used; rather, it means that Reflection should allow OpenSSH-based scp client utilities to transfer files. The scp client is still running over SSH-2.

scp Implementation Matches

Starting in Reflection 13.0.4 and Reflection for Secure IT 6.1, the scp utility included with Reflection uses SFTP over SSH for file transfers; however, even though SFTP is being used in the background, to the end user the utility appears to still be using SCP.

Reflection Windows clients ship with scp, scp2*, sftp, and sftp2* file transfer utilities. Reflection uses the SFTP protocol (SFTP over SSH) for all four of these utilities.

For these versions of Reflection to successfully access an SSH server, the server must be configured to use an sftp subsystem to provide file transfer capabilities. Most SSH servers, including the OpenSSH servers, can be configured to support SFTP and have an sftp subsystem.

* The number "2" in "scp2" and "sftp2" is there to indicate that the scp2 and sftp2 file transfer utilities behave like, and support the switches used by, the F-Secure SSH's scp2 and sftp2 utilities. scp2 and sftp2 are included in the current product to facilitate the smooth migration from F-Secure SSH Windows clients to Reflection for Secure IT and Reflection Windows clients. For further details, see KB 7021948.

How the SCP / SFTP Implementations Work

The following sections detail what happens in the background when scp based on OpenSSH (using SCP over SSH) or scp/sftp (using SFTP) is used.

Transferring Files Using scp / sftp (using SFTP)

When an sftp or scp (using SFTP) command is issued, the following occurs:

  1. The command opens the sftp command line interface.
  2. It runs the ssh command with the -s option to start an sftp subsystem.
  3. It sets up a secure tunnel and securely authenticates.
  4. It starts the host SSH daemon's sftp-server subsystem (the file transfer server).
  5. It waits for interactive sftp commands.

The SSH tunnel remains open until the bye command is issued, allowing multiple sftp commands to be issued before it is closed.

Transferring Files Using scp Based on OpenSSH (using SCP over SSH)

When an scp command is issued, the following occurs:

  1. scp starts ssh with the specified options and the remote command to execute scp on the remote host. This initiates an SSH connection, sets up an encrypted tunnel, and securely authenticates to the SSH server.
  2. scp executes on the server, using the -t option (to receive files the client is uploading) or the -f option (to send files the client is getting).
  3. scp transfers the specified file(s) or folder(s), using the SCP protocol.
  4. Once the transfer is complete, the SSH tunnel is closed.

A new SSH tunnel is created and shut down for each scp command issued.
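The two procedures above place different requirements on the server: SFTP-based scp/sftp clients need an sftp subsystem, while OpenSSH-based scp needs to run scp as a remote command. The following Python is an added example, not part of this technical note or of the Reflection products; it reads OpenSSH sshd_config syntax (an assumption about the server type) and works on constructed sample configurations, so it runs offline.

```python
"""Added example: inspect an OpenSSH sshd_config and report which of the two
file-transfer paths the server will serve.

- SFTP-based scp/sftp clients need an active 'Subsystem sftp ...' entry.
- OpenSSH-style scp runs 'scp -t' / 'scp -f' as a remote command; a
  'ForceCommand internal-sftp' setting replaces that command, closing the path.

Only top-level directives are evaluated; Match blocks are ignored because
their settings depend on the connecting user or host. The sample configs
below are constructed for this example, not taken from any real server."""
import re

def parse_sshd_config(text):
    """Return active top-level directives as {keyword: [values...]} with
    lowercased keywords; parsing stops at the first Match block."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd_config accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        directives.setdefault(keyword, []).append(parts[1] if len(parts) > 1 else "")
    return directives

def transfer_support(text):
    """Report whether an sftp subsystem is configured and whether the
    remote-command path used by OpenSSH-style scp is still open."""
    d = parse_sshd_config(text)
    handler = None
    for value in d.get("subsystem", []):
        fields = value.split(None, 1)
        if len(fields) == 2 and fields[0].lower() == "sftp":
            handler = fields[1].strip()  # first definition wins, as in sshd
            break
    forced = d.get("forcecommand", [""])[0].strip().lower()  # first value wins
    return {"sftp": handler is not None, "sftp_handler": handler,
            "scp_over_ssh": forced != "internal-sftp"}

# Constructed sample configurations
CONFIG_DEFAULT = "Port 22\nSubsystem sftp /usr/lib/openssh/sftp-server\n"
CONFIG_SFTP_ONLY = "Subsystem sftp internal-sftp -l INFO\nForceCommand internal-sftp\n"
CONFIG_NO_SFTP = "#Subsystem sftp /usr/lib/openssh/sftp-server\nPort 22\n"

if __name__ == "__main__":
    for name, cfg in [("default", CONFIG_DEFAULT), ("sftp-only", CONFIG_SFTP_ONLY),
                      ("no-sftp", CONFIG_NO_SFTP)]:
        print(name, transfer_support(cfg))
```

A server that reports only "sftp" serves the Reflection 13.0.4 / Secure IT 6.1 and later utilities but not OpenSSH-based scp; one that reports neither will reject both kinds of client.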

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 1918.