Joe Heaton's Webzone
🥐 ☕
Online since 2011

SFTP instead of SCP

SCP suffered from weak input validation for decades until CVE-2019-6111; the maintainers recommended using SFTP until patched versions could be deployed. I, like many others, was reminded SFTP existed!

In brief, SFTP is the tried & true FTP wrapped in SSH; SCP is a very dated RCP inside SSH. As this CVE shows, the SCP codebase has been neglected and perhaps shouldn’t be relied on.

Send file to remote:

sftp user@host <<< "put /path/to/local.file /path/to/put.file"

Receive file from remote:

sftp user@host:/path/to/remote.file /path/to/local.file

Add -r to recurse a directory.
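For scripted transfers, the put one-liner above can be run in sftp's batch mode (`-b`), which aborts when a transfer command fails. The sketch below is an added example, not part of the original post: the function names are hypothetical, `user@host` is a placeholder, and it assumes key-based (non-interactive) authentication.

```shell
#!/bin/sh
# Added example; sftp_quote, sftp_put_batch and sftp_upload are hypothetical names.

# Quote one path for a line of an sftp batch file. Refuses anything sftp's
# command parser would treat specially: quotes, backslashes, glob characters,
# a leading "-" (read as an option) and line breaks (a new batch command).
sftp_quote() {
    nl='
'
    cr=$(printf '\r')
    case $1 in
        ''|-*) return 1 ;;
        *\"*|*\'*|*\\*|*\**|*\?*|*\[*) return 1 ;;
        *"$nl"*|*"$cr"*) return 1 ;;
    esac
    printf '"%s"' "$1"
}

# Emit the batch script that uploads $1 (local file) to $2 (remote path).
sftp_put_batch() {
    l=$(sftp_quote "$1") || return 1
    r=$(sftp_quote "$2") || return 1
    printf 'put %s %s\n' "$l" "$r"
}

# Run the upload: $1 = user@host (placeholder), $2 = local file, $3 = remote path.
# "-b -" reads the batch from stdin; batch mode aborts if the put fails, so the
# caller sees a non-zero exit status instead of a silent failure.
sftp_upload() {
    case $1 in
        ''|-*) echo "refusing destination: $1" >&2; return 2 ;;
    esac
    batch=$(sftp_put_batch "$2" "$3") || { echo "unsafe path" >&2; return 2; }
    printf '%s\n' "$batch" | sftp -b - "$1"
}

# Usage (needs a reachable server and key-based login):
#   sftp_upload user@host /path/to/local.file /path/to/put.file
```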

It’s less trivial than SCP, but SFTP has more features, such as interactive mode:

$ sftp user@host
Connected to host.
sftp> ls
test
sftp> cd test
sftp> ls
script.sh
sftp> get script.sh
Fetching /home/me/test/script.sh to script.sh
/home/me/test/script.sh           100%  196   193.7KB/s   00:00
sftp> exit
$ ls
script.sh 
