SFTP
SSH File Transfer Protocol. The universal mechanism for dropping secure EDI files — simple, ubiquitous, not to be confused with FTPS.
Definition
SFTP is a file access and transfer protocol that runs over an SSH channel. It was developed by the IETF SECSH Working Group. The final specification (draft-ietf-secsh-filexfer-13) is frozen at version 6 and was never promoted to RFC, but the reference implementation (OpenSSH) has made it a de facto standard. Characteristics:
- Underlying transport: SSH (RFC 4253), default port 22. Confidentiality, integrity and authentication are provided by SSH.
- Authentication: password, public key (RSA, ECDSA, Ed25519), GSSAPI Kerberos.
- Operations: open, read, write, close, opendir, readdir, mkdir, rmdir, stat, fstat, lstat, setstat, rename, remove, symlink, readlink, realpath.
- No at-rest file encryption: SFTP encrypts transmission, not the dropped file. For an end-to-end signed/encrypted file, pre-sign/encrypt (S/MIME, PGP) before drop.
SFTP is not FTPS. FTPS is FTP wrapped in TLS (two connections, control and data). SFTP is SSH with a file-transfer subsystem (one connection, port 22). Two distinct technical worlds sharing the word "secure".
Origin
Tatu Ylönen developed SSH version 1 in 1995; SSH 2.0 was drafted by the IETF SECSH Working Group between 1997 and 2006 and published as RFCs 4250-4256. The SFTP subsystem was added to SSH 2.0; protocol versions 3 (OpenSSH 4.x, 5.x) and 6 (draft-13) still co-exist. The EDI industry adopts SFTP for its low operational cost (one port, one authentication) as an alternative to AS2 for low-criticality flows or long-tail tier suppliers.
Example in context
A buying central receives its INVOIC EDIFACT files via SFTP: each
supplier has an SSH account with a public key, drops INVOIC.txt files
into ~/in/, and reads CONTRL.txt responses in
~/out/. Files are PGP-encrypted with the central's key
before drop, to achieve the non-repudiation that bare SFTP does not
provide.