Once you've secured your shell, you need a way to move files. Many people use these terms interchangeably, but SFTP, SCP, and FTPS are fundamentally different protocols with different security implications.
SCP is a legacy tool that uses the SSH protocol to move files. It's fast because it's simple. However, SCP is effectively 'dead' in modern OpenSSH versions because it relies on the RCP protocol, which is insecure and doesn't allow for a proper file-system dialogue.
💡 Most modern `scp` commands are actually wrappers for SFTP under the hood, though they look the same to the user.
SFTP is NOT 'FTP over SSH'; it is a completely separate protocol designed from the ground up to run inside an SSH connection. Unlike SCP, SFTP is a full-featured file system protocol. It allows you to list directories, delete files, and resume interrupted transfers, all while benefiting from the same hardening (keys, ciphers) as your SSH shell.
⚠️ A common security mistake is enabling a full SSH shell for users who only need to upload files. You can use 'Chrooted SFTP' to lock users into their home directory and prevent them from accessing the shell.
```
# Example: Creating a Chroot Jail for SFTP users in sshd_config
# The chroot target (%h, the user's home) and every directory above it must be
# owned by root and not writable by group or others, or sshd refuses the login.
# Users therefore get a root-owned home plus a writable subdirectory for uploads.
Match Group sftpusers
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
```

FTPS is the 'old school' approach. It is the standard FTP protocol wrapped in a TLS tunnel (similar to how HTTP became HTTPS). Unlike SFTP, FTPS requires two connections: a control channel for commands and a separate data channel for the file itself, opened on a port negotiated per transfer. Because the control channel is encrypted, a firewall cannot see which data port to allow, which makes FTPS a nightmare for firewalls to manage.
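The rule behind the chroot configuration above (root ownership and no group/world write on every path component) is the most common reason an SFTP jail fails with "bad ownership or modes for chroot directory component". The following pre-flight check is an added example, not OpenSSH code or part of this lab: it walks from the intended `ChrootDirectory` up to a top directory and reports the first component that breaks the rule, and `setup_chroot_home` shows the matching layout (root-owned home, user-owned `uploads` subdirectory). The `TOP` and `OWNER_UID` parameters are assumptions added so the check can be run on a scratch tree as a non-root user; in production leave them at their defaults of `/` and `0`. GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not OpenSSH's own code): pre-flight checks for an SFTP chroot.
#
# check_chroot_path DIR [TOP] [OWNER_UID]
#   DIR        directory intended as ChrootDirectory
#   TOP        highest component to inspect (default "/", as sshd does)
#   OWNER_UID  uid each component must be owned by (default 0 = root)
# Prints the first offending component and returns 1; returns 0 when the
# whole chain is root-owned and not group- or world-writable; 2 on stat error.
check_chroot_path() {
    dir=$1
    top=${2:-/}
    want_uid=${3:-0}
    while :; do
        # GNU stat: "%u %A" -> e.g. "0 drwxr-xr-x"
        info=$(stat -c '%u %A' "$dir") || return 2
        uid=${info%% *}
        mode=${info#* }
        if [ "$uid" != "$want_uid" ]; then
            echo "$dir: owned by uid $uid, expected uid $want_uid"
            return 1
        fi
        # 6th char of the symbolic mode is group write, 9th is world write
        case $mode in
            ?????w*)    echo "$dir: group-writable ($mode)"; return 1 ;;
            ????????w*) echo "$dir: world-writable ($mode)"; return 1 ;;
        esac
        [ "$dir" = "$top" ] && return 0
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# setup_chroot_home DIR USER  (run as root)
# Makes DIR a valid jail: root-owned, mode 755, with an "uploads" subdirectory
# owned by USER so the jailed account actually has somewhere to write.
setup_chroot_home() {
    dir=$1
    user=$2
    mkdir -p "$dir/uploads" &&
    chown root:root "$dir" && chmod 755 "$dir" &&
    chown "$user" "$dir/uploads" && chmod 750 "$dir/uploads"
}

# Command-line use: check_chroot.sh /home/alice
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run the check after creating the jail and before reloading `sshd`; a non-zero exit tells you which component to `chown root:root` / `chmod 755`, which is far quicker than reading the failure out of the auth log after users start reporting "connection closed" errors.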
| Protocol | Transport | Port | Security Level | Features |
|---|---|---|---|---|
| SCP | SSH | 22 | High | Basic Copy |
| SFTP | SSH | 22 | Very High | Full File Management |
| FTPS | TLS | 21/990 | Medium-High | Legacy FTP compatibility |
Never use plain FTP (Port 21). It sends passwords in cleartext, which can be sniffed by anyone on the local network.