>_cmd.script

sftp

Secure interactive file transfer over SSH

Networking

By CMD Script Team · 4 min read · Last updated

SYNTAX
sftp [OPTIONS] [user@]host[:path]

Options

Command options and flags
FlagDescription
-PConnect to a non-default remote port (uppercase, unlike ssh's -p)
-rRecursively transfer directories with get/put
-iUse a specific private key file for authentication
-bRun in batch mode, reading commands from a file (non-interactive)
-oPass an ssh_config-style option, e.g. -o StrictHostKeyChecking=no
-vVerbose mode, useful for debugging connection problems

Distribution compatibility

  • Ubuntu
  • Debian
  • Fedora
  • Arch
  • macOS

What it does

sftp (SSH File Transfer Protocol client) opens an interactive, encrypted session to a remote host over SSH and lets you browse, upload, and download files as if you were in an FTP client — except every byte, including your login credentials, is protected by the same encryption SSH uses for remote shells. It's the modern, secure replacement for plain ftp when you need an interactive back-and-forth file browsing experience rather than a single copy command.

Beginner examples

  • sftp user@server.example.com — connect and drop into an interactive sftp prompt
  • ls — list files in the current remote directory (inside the session)
  • lls — list files in the current local directory
  • get file.txt — download file.txt from the remote host to the local directory
  • put file.txt — upload a local file.txt to the remote host
sftp deploy@10.0.0.5

Advanced examples

  • Connect on a custom SSH port: sftp -P 2222 user@server.example.com
  • Recursively download a whole directory: get -r /var/www/html ./html-backup
  • Recursively upload a whole directory: put -r ./dist /var/www/app
  • Change the remote working directory and local one independently: cd /etc/nginx then lcd ~/backups
  • Run a fixed set of transfer commands unattended: sftp -b batch.txt user@host, where batch.txt contains lines like cd uploads, put report.csv, bye
sftp -P 2200 -i ~/.ssh/deploy_key deploy@server.example.com

Common mistakes

  • Confusing sftp's -P (capital, for port) with ssh/scp's -p (lowercase) — using the wrong case silently fails to connect or throws an option error.
  • Forgetting -r when trying to get/put a directory, then getting a "not a regular file" error.
  • Assuming a batch script can prompt for a password — batch mode requires key-based authentication since there's no interactive terminal to type a passphrase into.
  • Mixing up local and remote paths: cd changes the remote directory, lcd changes the local one, and it's easy to put a file into the wrong place.

Tips

  • Use lpwd/pwd inside a session to double-check which directory (local vs remote) you're currently operating in before a transfer.
  • Tab completion works for remote paths in most sftp clients, just like a local shell.
  • Combine sftp with ssh-agent and key-based auth so batch transfers in cron jobs or CI pipelines don't need an interactive password prompt.

Best practices

  • Prefer key-based authentication over passwords, especially for automated/batch sftp jobs — it's both more secure and required for non-interactive use.
  • Restrict sftp-only users with ChrootDirectory and ForceCommand internal-sftp in sshd_config when you want to grant file access without a full shell login.
  • Verify the host key on first connect rather than blindly accepting it, to guard against man-in-the-middle attacks on untrusted networks.

Try it yourself

A simulated shell with a sample home directory — experiment freely, nothing leaves your browser. Type help to list supported commands.

Real-world use cases

  • Giving a contractor or client secure, browsable access to a specific upload directory on a server without exposing SSH shell access.
  • Automated nightly backups that put database dumps to a remote archive host via a batch script triggered from cron.
  • Replacing legacy FTP workflows in web hosting environments where compliance requires encrypted file transfer.

Common interview questions

  • How does sftp differ from FTP over TLS (FTPS)? sftp is a subsystem of the SSH protocol using a single encrypted connection and port (usually 22); FTPS is plain FTP wrapped in TLS, which still uses separate control and data connections and often multiple ports.
  • Can sftp resume an interrupted transfer? Yes, the reget and reput commands resume partial downloads/uploads instead of starting over.
  • What server-side configuration is needed to support sftp? A running sshd with the sftp-server (or internal-sftp) subsystem enabled — no dedicated FTP daemon is required.

Frequently Asked Questions

How is sftp different from ftp?

sftp runs entirely over an encrypted SSH connection (typically port 22), so credentials and data are protected in transit. Plain ftp sends usernames, passwords, and file contents in clear text over its own protocol and port, making it unsafe on untrusted networks.

How is sftp different from scp?

Both ride on top of SSH, but sftp opens an interactive session with commands like ls, cd, get, and put so you can browse the remote filesystem before transferring. scp is a one-shot, non-interactive copy command better suited to scripts.

Can I use sftp non-interactively in a script?

Yes, with the -b flag pointing at a batch file of sftp commands, or by piping commands via a heredoc: sftp -b batchfile user@host.

Do I need a separate FTP server to use sftp?

No. sftp only requires a running SSH server (sshd) on the remote host; it does not need vsftpd, proftpd, or any other FTP daemon.

Cheat sheet

Download a quick-reference cheat sheet for sftp.