Documentation
6.4. SFTP¶
An sftp location provides access to an SFTP (version 3) server over SSH (version 2). This does not include access over SCP.
6.4.1. Introduction¶
As the connection is done in non-interactive mode, the identity of the remote SSH server needs to be verified, so that credentials are not sent to an untrusted remote SSH server.
To validate the remote SSH server, the fingerprint of its public key is stored as a hexadecimal string in the ssh_server_identity option.
An SSH server can authenticate users using either a password or an SSH key.
6.4.2. name¶
- Default value:
Empty
- Optional:
No
- From version:
2.8.0
- Values:
Any text.
- Description:
Human-readable short text used to identify this location.
6.4.3. description¶
- Default value:
Empty
- Optional:
Yes
- From version:
2.8.0
- Values:
Any text.
- Description:
Human-readable text that describes the purpose of this location.
6.4.4. type¶
- Default value:
''
- Optional:
No
- From version:
2.6.0
- Values:
filesystem - Local file system.
sftp - SFTP protocol v3 over SSH v2.
ftp - FTP protocol without any encryption.
ftpse - Explicit FTPS protocol.
ftpsi - Implicit FTPS protocol.
webdavs - WebDAV over HTTPS.
as2 - AS2 over HTTP or HTTPS
azure-file - Azure File Service.
smb - SMB / Windows Share
- Description:
This option specifies the type of the location. Each type has a set of specific configuration options
6.4.5. idle_connection_timeout¶
- Default value:
300
- Optional:
Yes
- From version:
3.0.0
- Values:
Number of seconds
0
- Description:
This controls the automatic disconnection from the remote server after the location has not received any file transfer operation requests for the configured number of seconds.
Keep-alive command requests are not counted as file transfer operations. The connection gets automatically disconnected if keep-alive is the only command requested in the configured interval.
Disconnected locations automatically reconnect when a new file transfer operation request is made. For example, when a new file needs to be transferred to the remote server.
If the remote peer closes the connection before the configured timeout, the connection is left closed. It gets automatically reconnected when a new file transfer operation is requested.
Set to 0 to always keep the connection active, by forcing re-connection when the remote server closes the connection.
Note
The idle_connection_timeout is the maximum number of seconds before closing an idle connection to the server. If the remote server decides that the connection is idle and closes the connection, SFTPPlus doesn't try to "challenge" the server, leaving the connection closed. The connection is automatically reopened next time a file needs to be transferred.
6.4.6. idle_connection_keepalive_interval¶
- Default value:
0
- Optional:
Yes
- From version:
3.0.0
- Values:
Number of seconds
- Description:
Send a keep-alive command every N seconds to avoid having the connection disconnected by the other peer due to inactivity.
Set to 0 to disable keep-alive commands.
The keep-alive command does not reset the idle connection timeout,
6.4.7. connection_retry_count¶
- Default value:
12
- Optional:
Yes
- From version:
3.9.0
- Values:
Number of retries
- Description:
Number of times to retry connection to the location, when the initial connection fails.
Set to 0 to not retry.
6.4.8. connection_retry_interval¶
- Default value:
300
- Optional:
Yes
- From version:
3.9.0
- Values:
Number of seconds
- Description:
Number of seconds to wait between connection attempts.
Set to 0 to retry right away without any delay.
6.4.9. ssh_server_identity¶
- Default value:
''
- Optional:
No
- Values:
MD5 Hexadecimal, delimited by colons
SHA1 Base64
SHA256 Base64
OpenSSH Public Key
X.509 certificate
Multiple identities on multiple lines.
set-on-first-connection
- From version:
3.51.0
- Description:
This configuration defines the identity of the remote SSH server.
It can be defined as an MD5, SHA1, or SHA256 fingerprint.
You can also define it as an OpenSSH public key or an X.509 SSL/TLS certificate.
To automatically configure with the identity of the server found during the first connection, you can use the set-on-first-connection option. For security reasons, we do not recommend this option. This option is not available for cluster operations when the remote SFTP service has more than one SSH server identity.
When you are connecting to a remote SSH / SFTP service which is deployed as a cluster or as a disaster recovery failover it is possible that each node/server from the cluster to have its own identity. You will need to configure SFTPPlus with the identity of each server by defining multiple identities on separate lines.
This configuration is mandatory and critical for securing the SSH connection. When the server's key fingerprint cannot be verified, all connections are rejected.
6.4.10. address¶
- Default value:
Empty
- Optional:
No
- Values:
Host name or IP address of the SFTP server.
- From version:
2.8.0
- Description:
Address of the remote SSH server. IP or DNS name.
6.4.11. port¶
- Default value:
Empty
- Optional:
No
- Values:
Number, greater than 0.
- From version:
2.8.0
- Description:
Port number of the remote SSH server.
6.4.12. username¶
- Default value:
Empty
- Optional:
No
- From version:
2.8.0
- Values:
Text.
- Description:
Username used to authenticate to the remote SSH server.
6.4.13. password¶
- Default value:
Empty
- Optional:
Yes
- From version:
2.8.0
- Values:
Plain text password.
Empty.
- Description:
This option specifies the password used to connect to the remote SSH server. It is provided in plain text. To disable password authentication, set this to an empty string.
Note
Prio to version 5.7.0, when a password is configured together with the ssh_private_key configuration, the password was used to decrypt the SSH key. In current SFTPPlus version, there is a separate ssh_private_key_password configuration option, dedicated to the decryption password for the SSH key.
6.4.14. ssh_private_key¶
- Default value:
Empty
- Optional:
Yes
- From version:
3.0.0
- Values:
Absolute path on the local filesystem.
Content of the SSH private key (Since 3.40.0).
Empty.
- Description:
SSH private key used to authenticate to the remote SSH server. Leave it empty to disable SSH key authentication.
It can be configured with a path on the local filesystem containing the content of the SSH key.
You can also define the content of the SSH key directly as a text value. In this case the configuration will look like the following example. It's important to start each line with at least one space character and keep the number of leading spaces constant:
[locations/b904e6h6-c295-4ccf-8abd-edcae4d3324f] name = SFTP Acme Server type = sftp ssh_private_key = -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,ACD9A45C68DD1924FF2A1A54BE2A7BF4 RAHH7yMbPk/vrhT5jkSDGIUdH+nG0OQpeSWcQXd4JJ6pqdJh/cw/havtxlHFp1yz ... MORE SSH KEY CONTENT ... Pkf+23OGZln2dLz/pkJkiRRzmsWgT2hUv/EK4NYRQq1kEAXLf3J6xZqLlR3ZBLJm -----END RSA PRIVATE KEY-----
We recommend to store the key in PEM OpenSSH format, but Putty or Tectia formats are also supported.
When the configured key is encrypted, the value configured in ssh_private_key_password is used to decrypt the key.
6.4.15. ssh_private_key_password¶
- Default value:
Empty
- Optional:
Yes
- From version:
5.7.0
- Values:
Text
- Description:
The password used to decrypt the SSH key configured via ssh_private_key.
Leave this option empty when the configured SSH key is not encrypted.
6.4.16. proxy¶
- Default value:
Empty
- Optional:
Yes
- Values:
URI like expression.
socks5://12.342.421.2:8899
Empty
- From version:
3.31.0
- Description:
This option configures a proxy to be used when making connection to the remote server.
When no port is defined, it will use port 1080.
Leave it empty to disable proxy usage.
For now, only the SOCKS5 without authentication is supported. The DNS resolution will be delegated to the SOCKS server.
6.4.17. ssh_cipher_list¶
- Default value:
secure
- Optional:
Yes
- Values:
List of SSH algorithm names.
all
secure
fips
- From version:
3.11.0
- Description:
This is configured as a comma-separated list of full name for each host public key, key exchange, HMAC or cipher.
You can find all the names of the supported algorithms on SSH cryptography page.
For SFTP services the configuration must include at least one algorithm from each of:
ciphers
HMACs
key exchanges
For SFTP service, the list of public keys is extracted from the SSH keys configured at ssh_host_private_keys.
For SFTP locations the configuration must include at least one algorithm from each of:
public key
ciphers
HMACs
key exchanges
For example, to only allow RSA host keys, AES256 in CTR mode with SHA256 HMAC hash and Diffie-Hellman group 14 key exchange with sha256 algorithms, the configuration is:
ssh_cipher_list = ssh-rsa, aes256-ctr, hmac-sha2-256, diffie-hellman-group14-sha256
The special keyword secure contains all the algorithms that we currently consider secure.
We recommend using the latest version of SFTPPlus, for automatic enforcement of any newly-deprecated ciphers via the secure list.
When we update this list of algorithms to exclude any newly-deprecated ciphers, your SFTPPlus installations automatically enforce our changes when upgraded to a version that contains the updated secure list of algorithms.
The keyword all is available for configuring all the supported algorithms, including weak ciphers. This is provided mainly to help with backward compatibility.
Warning
Configuring all ciphers also enables ciphers no longer considered secure by modern standards.
A pre-defined set of FIPS 140-2 approved ciphers is available by using the special fips keyword in this configuration. When FIPS 140-s ciphers are enabled, any other configured cipher in the list is ignored.
If an unsupported name is used, the component fails to start.
When the all keyword is used, all other values are ignored. When the secure keyword is used, all other values are ignored, including fips and explicit ciphers. When the fips keyword is used, any explicit cipher configuration is ignored.
Only one option from all, secure, or fips should be used at a single time.