Real Programmers/ How To/ Sftp And Scp
Google site:

Using SFTP and SCP

SFTP and SCP are secure methods of transferring and copying files. They are part of the well respected SSH (Secure SHell) family of tools. Ordinary FTP presents the username and password in plaintext and is a somewhat less effective protocol for a number of technical as well as user-interface reasons.

SFTP and SCP can use passwords just like FTP. While the password login is secure with SFTP/SCP there are two principle downsides to this method. First, for every login somehow you need to store or remember a password. Second, if the person that set the password is different from the person using it then that password has to be transmitted to the end user. And the way that's done is almost certainly likely to be less secure than the highly secure transmission SFTP offers. (One reasonable solution is to use two 'bands': send the username and host via email and then the password by phone SMS. Correlating the two would be a substantial challenge.)

Many however prefer to avoid both these issues and use public/private key pair authentication. Once you have a key then you simply send the public key half to any prospective folks offering you access. No remembering passwords, and no compromising SSH's security by weak sharing techniques.

Creating a public/private key pair

...with WinSCP / PuTTYgen

(WinSCP is a high quality free Open Source Windows SFTP/SCP client, and PuTTYgen is taken from the PuTTY free SSH client project. Conveniently, PuTTygen is included within WinSCP.)

...with a Mac

The *nix command line option below can work in Terminal (Open Finder, select Applications and then Utilities), or the MacGPG free Open Source GUI client. The easiest way is to copy and paste the command below in Terminal.

...with the command line on *nix

(This can apply to Mac OS X users too.)

Simply issue the following command: ssh-keygen and follow the instructions. Use of a passphrase is highly recommended: it'll be your master password for all uses of the key. ssh-keygen will create two files in ~/.ssh: id_rsa (private key), and (public key). Please send the An example of how to do all this is shown below: (What you type is in bold.)

my-mac:~ your-username$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/your-username/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): highly recommended
Enter same passphrase again: 
Your identification has been saved in /Users/your-username/.ssh/id_rsa.
Your public key has been saved in /Users/your-username/.ssh/
The key fingerprint is:
21:c4:d7:97:6a:bd:d2:80:5d:61:c0:8b:05:3b:b7:bc your-username@my-mac
my-mac:~ your-username$ mail -s "" < ~/.ssh/
my-mac:~ your-username$ 

If the mail command fails, just attach the file in an ordinary email. (Copying and pasting into an email is OK but generally messes the key up with extra linebreaks which is a headache for your admin. So if possible, please attach!)

Using your SFTP client

First up, ensure your sysadmin has told you the:

When you first login (described below), the client is likely to report that it doesn't know about the server's identity. This is normal; simply click or type 'yes' to continue.


We've already seen WinSCP for Windows.

Use these values to fill out the login screen (view a sample in WinSCP). Note that using public/private keys save us from sharing a password so leave the Password field blank; instead navigate with the ... button to your id_rsa.PPK Private key file. A key point is that whatever client you use it must be somehow told about the key pair location.

Note that WinSCP has a handy Send To context (right-click) menu for uploads and transfers.


A free Open Source Mac client is Cyberduck.

  1. In preferences, select Default protocol to be 'SFTP (SSH Secure File Transfer)'
  2. On the Cyberduck main panel click the 'Open Connection' icon, and ensure SFTP is selected as the protocol.
  3. Then enter the server and username you've been given.
  4. Open the 'More options' revealer, and select 'Use Public Key Authentication'.
  5. The software will drop you right in at ~/.ssh. Here, select 'id_rsa', mostly likely the first file in there. At this point back on the 'Open Connection' panel you should see '~/.ssh/id_rsa' under the 'Use Public Key Authentication' checkbox option.
  6. Try it! Click Connect.
  7. (If you selected a passphrase for your key Cyberduck will ask for it with a 'Private key passoword protected' panel: enter it and continue.)

A well liked payware client is MacSFTP. Note that Transmit supports public key authentication but only in a mildly obscure way: you will need to leave the password field blank and ensure your keys are in ~/.ssh as per *nix above. Thanks to Joshua McFarren for pointing this out. Finally Fugu can be made to work albeit with difficulty (start up in ~/.ssh).

There is even more detail at (note that this page is demonstrating a password-based login).

Admins: Creating SFTP/SCP-only accounts

The scponly mini-suite can be used to only permit sftp or scp, i.e. no login shell. Additionally, it can be configured to provide a chroot "jailed" environment that amongst other features prevents tampering with ~/.ssh. Handily, scponly provides an interactive script:

On Debian this is like,

apt-get install scponly # Or, if it's already there:
dpkg-reconfigure scponly # to ensure setuid is on: select Yes
cd /usr/share/doc/scponly/setup_chroot

All non-user content and code Copyright © 2000-2006 / Paul Makepeace. Comments & feedback welcome!