to ftp or to sftp

Ftp is seen as an old-time insecure protocol. Many shops nowadays have switched or are switching to sftp. I will try to point out some differences:

Compatibility: none. The protocol is completely different. Multiple graphical clients do support both modes, however, but the basic “ftp” client will not work with sftp.

Ascii mode: only in ftp. In sftp, it is always binary so there will be no conversion. Also no blocksize, recordlength or primary/secondary space for your OS/390 connections.

Interactive mode: similar. You enter your username and password, do cd, put and get. But to quit, by will not work in sftp 😉 Use quit or exit instead.

Batch mode: different. Most probably you will end up setting up a private/public key infrastructure for your ssh connection and using scp (secure copy). If you are using an ssh client like PuTTY, it is possible to do something like pscp -l user -pw password server:file .

Security: sftp is secure, ftp is not.

Speed: ftp is fast, sftp is slow 🙁 !

Oh NOOOOOOO!!!!! What’s the point in bringing something new if it is slower !!!

Ok, let’s try to download a 100m file:
$ time (echo "open dbsrv01
user oracle secret
bin
get 100m"|ftp -n )

real 0m24.673s
user 0m0.030s
sys 0m0.016s
$ time scp -q oracle@dbsrv01:100m .

real 1m46.978s
user 0m0.108s
sys 0m0.202s

It is about 4x slower! Is there anything we could do about it?

Well, maybe :

$ time scp -q -o Compression=yes oracle@dbsrv01:100m .

real 0m18.634s
user 0m0.748s
sys 0m0.452s

ssh/scp/sftp have a compression mode. If you are transferring your large files across a slow network, this may be an interesting option to consider !

OpenSSH homepage : http://www.openssh.org

By Laurent Schneider

Oracle Certified Master

6 replies on “to ftp or to sftp”

Thank you for your idea.
I use scp/sftp too… they’re secure.

scp + sftp use sshd to call sftpd subsystem;
that requires a shell, so user can login to server and run other commands.

That’s not good 😉

By the way, I hear about rssh.
rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp 😉 http://www.pizzashack.org/rssh/

You can do FTP over SSL which may be a good compromise. The data (and login too) is encrypted, but at the server end you are still using an FTP server rather than a shell account. We were using an FTP/SSL setup so that people could deposit files with us, but not download any.

That’s a very good point about the shell account 🙂

About ftp with ssl, we will have to distribute the client to a bunch of OS/versions, right?

thanks for your comments

hmm, i don’t see any differences in speed:

$ lftp -e 'get 100m' -u oracle,oracle crash10
104857600 Bytes übertragen in 9 Sekunden (11.18M/s)

$ scp oracle@crash10:100m .
100m 100% 100MB 11.1MB/s 00:09

$ sftp oracle@crash10:100m .
Connecting to crash10…
Fetching /home/oracle/100m to ./100m
/home/oracle/100m 100% 100MB 11.1MB/s 00:09

always 9 seconds.

about the shell account, recent versions of openssh allow restrictions like this:

Match User joe
ChrootDirectory %h
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
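
The Match block quoted in the comment above can be checked mechanically. The following is an added example, not part of the original post or its comments: a shell/awk audit that reports, per Match block, which of the four lockdown directives from that comment is missing or weak. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sshd_config Match blocks for an SFTP-only lockdown.
# Each Match block is judged alone (global section, then OpenSSH defaults, as fallback).
audit_sftp_only() {   # usage: audit_sftp_only [FILE]  (reads stdin without FILE)
    awk '
    function eff(k) { return (k in m) ? m[k] : ((k in g) ? g[k] : d[k]) }
    function report(   bad) {
        if (crit == "") return
        if (eff("forcecommand") !~ /^internal-sftp( |$)/) bad = bad " ForceCommand"
        if (tolower(eff("chrootdirectory")) == "none")    bad = bad " ChrootDirectory"
        if (tolower(eff("allowtcpforwarding")) != "no")   bad = bad " AllowTcpForwarding"
        if (tolower(eff("x11forwarding")) != "no")        bad = bad " X11Forwarding"
        print crit ": " (bad == "" ? "OK" : "CHECK" bad)
        split("", m)                      # reset per-block settings
    }
    BEGIN {                               # OpenSSH defaults for the four keywords
        d["forcecommand"] = "none";      d["chrootdirectory"] = "none"
        d["allowtcpforwarding"] = "yes"; d["x11forwarding"] = "no"
    }
    /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
    {
        sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
        key = $0; sub(/[ \t=].*$/, "", key); key = tolower(key)
        val = $0; sub(/^[^ \t=]+[ \t=]+/, "", val)
        if (key == "match") { report(); crit = val; next }
        # sshd keeps the first value it sees for a keyword
        if (crit == "") { if (!(key in g)) g[key] = val }
        else            { if (!(key in m)) m[key] = val }
    }
    END { report() }
    ' "$@"
}

sample_config() {   # constructed sample, not taken from a real server
    cat <<'EOF'
X11Forwarding no
Match User joe
    ChrootDirectory %h
    ForceCommand internal-sftp
    X11Forwarding no
    AllowTcpForwarding no
Match Group uploaders
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
EOF
}

sample_config | audit_sftp_only
```

ChrootDirectory also requires every component of the path to be root-owned and not writable by group or others, which this config-only check does not verify.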

Andreas,

About the time, I do not know lftp, but with ftp when transferring from very distant nodes, compression (-o Compression=yes) does help.

Thanks a lot for ForceCommand internal-sftp, I will have a look!

Indeed you are right.. SFTP (which was developed over the ssh protocol) has nothing to do with ftp. But parallel to sftp, there has also been developed a secure ftp called FTPS, but it is less used…

Despite the performance issues, a while ago I was asked to develop a pl/sql package to transfer files via sftp directly from the database..
FTP is pretty straightforward and there were already some packages developed using only pl/sql..

SFTP, due to its SSH background, forced me to develop using java.. with some plsql wrappers.. which became a problem because the java classes did not work very well on the database (10.2)..

Since then I haven’t tried to solve the issues, mainly because the project is “frozen” until.. well I don’t know 😛

Well, I just thought it was important to point out that there is a FTPS protocol 🙂

and by the way…your blog is very very helpful… keep up the good work!!
