SFTP and SCP are secure methods of transferring and copying files. They are part of the well-respected SSH (Secure SHell) family of tools. Ordinary FTP sends the username and password in plaintext and is a somewhat less effective protocol for a number of technical as well as user-interface reasons.
SFTP and SCP can use passwords just like FTP. While the password login is secure with SFTP/SCP, there are two principal downsides to this method. First, for every login you somehow need to store or remember a password. Second, if the person that set the password is different from the person using it, then that password has to be transmitted to the end user, and the way that's done is almost certainly less secure than the highly secure transmission SFTP offers. (One reasonable solution is to use two 'bands': send the username and host via email and then the password by phone SMS. Correlating the two would be a substantial challenge.)
Many however prefer to avoid both these issues and use public/private key pair authentication. Once you have a key then you simply send the public key half to any prospective folks offering you access. No remembering passwords, and no compromising SSH's security by weak sharing techniques.
(WinSCP is a high quality free Open Source Windows SFTP/SCP client, and PuTTYgen is taken from the PuTTY free SSH client project. Conveniently, PuTTYgen is included within WinSCP.)
id_rsa.pub for the public key and id_rsa for the private key (it'll be named id_rsa.PPK). By default WinSCP seems to save in C:\Documents and Settings\User Name\.
The *nix command line option below can work in Terminal (Open Finder, select Applications and then Utilities), or the MacGPG free Open Source GUI client. The easiest way is to copy and paste the command below in Terminal.
(This can apply to Mac OS X users too.)
Simply issue the following command: ssh-keygen, and follow the instructions. Use of a passphrase is highly recommended: it'll be your master password for all uses of the key. ssh-keygen will create two files in ~/.ssh: id_rsa (private key) and id_rsa.pub (public key). Please send the id_rsa.pub. An example of how to do all this is shown below (the lines beginning with the my-mac:~ your-username$ prompt are what you type):
my-mac:~ your-username$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/your-username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): highly recommended
Enter same passphrase again:
Your identification has been saved in /Users/your-username/.ssh/id_rsa.
Your public key has been saved in /Users/your-username/.ssh/id_rsa.pub.
The key fingerprint is:
21:c4:d7:97:6a:bd:d2:80:5d:61:c0:8b:05:3b:b7:bc your-username@my-mac
my-mac:~ your-username$ mail -s "id_rsa.pub" paul.makepeace@realprogrammers.com < ~/.ssh/id_rsa.pub
my-mac:~ your-username$
If the mail command fails, just attach the file in an ordinary email. (Copying and pasting into an email is OK but generally mangles the key with extra line breaks, which is a headache for your admin. So if possible, please attach!)
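The "extra line breaks" problem is easy to check for on the receiving side. The script below is an added example, not from the original page or any of the tools it mentions: it rejoins a mail-wrapped id_rsa.pub, then checks that the result has the shape of an OpenSSH public key (a known type, a base64 blob, and a blob that really starts with the length-prefixed type name it claims, which is a fixed prefix per key type). The function names and the sample key are my own; the sample blob is constructed and is not a real key.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a received
# id_rsa.pub before an admin uses it. Function names are this example's own.

# Every OpenSSH public-key blob starts with base64("\0\0\0<len><type>"), so
# the first characters of the blob are fixed for a given key type.
expected_prefix() {
    case "$1" in
        ssh-rsa)     echo "AAAAB3NzaC1yc2E" ;;
        ssh-ed25519) echo "AAAAC3NzaC1lZDI1NTE5" ;;
        *)           echo "" ;;   # unknown or unsupported here
    esac
}

# normalize_pubkey: read a possibly mail-wrapped key on stdin and print it as
# one line. Mail clients wrap inside the base64 blob, so dropping every CR/LF
# restores it; the spaces around the blob are left untouched.
normalize_pubkey() {
    tr -d '\r\n'
    echo
}

# validate_pubkey KEYLINE: exit 0 if KEYLINE looks like an OpenSSH public key
# of a known type, 1 otherwise (the reason goes to stderr).
validate_pubkey() {
    line=$1
    set -- $line                      # split into: type blob [comment...]
    if [ $# -lt 2 ]; then
        echo "reject: need '<type> <base64> [comment]'" >&2; return 1
    fi
    key_type=$1; blob=$2
    prefix=$(expected_prefix "$key_type")
    if [ -z "$prefix" ]; then
        echo "reject: unknown key type '$key_type'" >&2; return 1
    fi
    case "$blob" in
        *[!A-Za-z0-9+/=]*) echo "reject: blob is not base64" >&2; return 1 ;;
    esac
    case "$blob" in
        "$prefix"*) ;;
        *) echo "reject: blob does not encode a '$key_type' key" >&2; return 1 ;;
    esac
    return 0
}

# check_pubkey_file FILE: rejoin if wrapped, validate, print the clean single
# line on stdout, and (when ssh-keygen is installed) show the fingerprint on
# stderr so it can be compared with the sender out of band.
check_pubkey_file() {
    file=$1
    n=$(grep -c . "$file" || true)
    if [ "$n" -ne 1 ]; then
        echo "note: $file has $n non-empty lines; rejoining as a wrapped key" >&2
    fi
    key=$(normalize_pubkey < "$file")
    validate_pubkey "$key" || return 1
    if command -v ssh-keygen >/dev/null 2>&1; then
        fp_tmp=$(mktemp)
        printf '%s\n' "$key" > "$fp_tmp"
        ssh-keygen -l -f "$fp_tmp" >&2 || true   # constructed keys will not parse
        rm -f "$fp_tmp"
    fi
    printf '%s\n' "$key"
}

# Usage: check_pubkey_file received_id_rsa.pub
```

The single line that check_pubkey_file prints is what the admin then installs; the fingerprint it shows (for a real key) is the same one ssh-keygen printed when the key was generated, so the sender can confirm it by phone or SMS, the second "band" mentioned above.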
First up, ensure your sysadmin has told you the:
When you first log in (described below), the client is likely to report that it doesn't know about the server's identity. This is normal; simply click or type 'yes' to continue.
We've already seen WinSCP for Windows.
Use these values to fill out the login screen (view a sample in WinSCP). Note that using public/private keys saves us from sharing a password, so leave the Password field blank; instead navigate with the ... button to your id_rsa.PPK Private key file. A key point is that whatever client you use, it must somehow be told about the key pair location.
Note that WinSCP has a handy Send To context (right-click) menu for uploads and transfers.
A free Open Source Mac client is Cyberduck.
~/.ssh. Here, select 'id_rsa', most likely the first file in there. At this point, back on the 'Open Connection' panel, you should see '~/.ssh/id_rsa' under the 'Use Public Key Authentication' checkbox option.
A well-liked payware client is MacSFTP. Note that Transmit supports public key authentication but only in a mildly obscure way: you will need to leave the password field blank and ensure your keys are in ~/.ssh as per *nix above. Thanks to Joshua McFarren for pointing this out. Finally, Fugu can be made to work, albeit with difficulty (start up in ~/.ssh).
There is even more detail at http://www.foothill.edu/ctis/howto/SFTP_WinSCP.html (note that this page is demonstrating a password-based login).
The scponly mini-suite can be used to only permit sftp or scp, i.e. no login shell. Additionally, it can be configured to provide a chroot "jailed" environment that amongst other features prevents tampering with ~/.ssh.
Handily, scponly provides an interactive setup_chroot.sh script. On Debian this is like:
apt-get install scponly
# Or, if it's already there: dpkg-reconfigure scponly
# to ensure setuid is on: select Yes
cd /usr/share/doc/scponly/setup_chroot
sh setup_chroot.sh
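Once the script has run, it is worth confirming that an sftp-only account really is restricted. The script below is an added example, not part of scponly or the original page. It assumes the two login shells the Debian scponly package installs, /usr/bin/scponly and /usr/sbin/scponlyc (the chrooted, setuid variant), and that the jailed account's home and its .ssh directory are meant to belong to root so the account cannot alter them; the function names and the sample passwd line are my own.

```shell
#!/bin/sh
# Added example (not from scponly or the original page): audit one sftp-only
# account after setup_chroot.sh. Shell paths are the Debian package's; the
# root-owned-home expectation is this example's assumption.

# is_scponly_shell SHELL: 0 if SHELL is one of the scponly login shells.
is_scponly_shell() {
    case "$1" in
        /usr/bin/scponly|/usr/sbin/scponlyc) return 0 ;;
        *) return 1 ;;
    esac
}

# passwd_shell_ok PASSWD_LINE: 0 if field 7 of a passwd(5) line is an scponly
# shell, i.e. the account has no interactive login.
passwd_shell_ok() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    is_scponly_shell "$shell"
}

# dir_locked_down PATH OWNER: 0 if PATH exists, is owned by OWNER, and is
# neither group- (020) nor world- (002) writable. Octal -perm keeps this
# portable across GNU and BSD find.
dir_locked_down() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$2" ! -perm -020 ! -perm -002 -print)" ]
}

# jail_ok HOMEDIR OWNER: the jail root and its .ssh directory must belong to
# OWNER (root on a real system) so the jailed account cannot plant keys; an
# authorized_keys file, if present, must be locked down the same way.
jail_ok() {
    home=$1; owner=$2
    dir_locked_down "$home" "$owner" ||
        { echo "FAIL: $home is writable or not owned by $owner" >&2; return 1; }
    dir_locked_down "$home/.ssh" "$owner" ||
        { echo "FAIL: $home/.ssh is writable or not owned by $owner" >&2; return 1; }
    if [ -e "$home/.ssh/authorized_keys" ]; then
        dir_locked_down "$home/.ssh/authorized_keys" "$owner" ||
            { echo "FAIL: $home/.ssh/authorized_keys is writable" >&2; return 1; }
    fi
    return 0
}

# audit_line PASSWD_LINE OWNER: run every check for one passwd(5) entry.
audit_line() {
    line=$1; owner=$2
    user=$(printf '%s\n' "$line" | cut -d: -f1)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    passwd_shell_ok "$line" ||
        { echo "FAIL: $user has an interactive shell" >&2; return 1; }
    jail_ok "$home" "$owner" && echo "OK: $user is sftp-only and jailed"
}

# Usage on a real box (hypothetical account name 'upload'):
#   audit_line "$(getent passwd upload)" root
```

A FAIL on the shell check means the account can still get a normal login through SSH, whatever the jail looks like; a FAIL on the directory checks means the jailed user could edit its own authorized_keys and so add keys the admin never approved.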