Secure FTP (SFTP)
Standard FTP clients do not encrypt the data that they send to remote hosts, which theoretically allows malicious third parties to intercept and read that data. Secure FTP (SFTP) is a modified client that encrypts all the files it sends, for greater safety.
SFTP clients reside on all OCF and SCF production machines.
- FIS—LC's File Interchange Service (FIS, at fis.llnl.gov) is the only LC server that now accepts incoming files from SFTP clients. FIS only accepts SFTP transfers from within the LC firewall, so direct SFTP transfers from outside machines by means of OTS or VPN are not accepted.
- Others—No other LC FTP servers accept SFTP transfers. In particular, you cannot store files (at storage.llnl.gov) from any host by running SFTP.
SFTP clients present a different user dialog than do standard FTP clients on LC machines. While some differences are trivial, others require different user responses to open connections or to transfer files successfully. SFTP:
- Does not request your user name (nor present it as a default to which you can simply respond by hitting the RETURN key).
- Checks for a host key for every new host to which you try to connect and, if not found, asks if you want to continue connecting (yes/no) anyway.
- Requests your one-time password (OTP) to open every connection unless you have Kerberos or public key authentication (no default preauthentication occurs, unlike for standard FTP connections among LC machines).
- Prompts for input with sftp>.
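The host-key prompt described above only protects you if the fingerprint it shows is compared against a value obtained from a trusted source before you answer yes. The following added example (not part of the original page or of LC's tooling) computes the OpenSSH-style SHA256 fingerprint of an offered host key and compares it to a pinned value. The host name sftp.example.org and the key bytes are constructed placeholders.

```python
import base64
import hashlib
import struct

def parse_host_key_line(line):
    """Split a 'host keytype base64blob' line (ssh-keyscan / known_hosts style)."""
    host, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line is corrupt or was edited by hand.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type in blob does not match declared type")
    return host, key_type, blob

def sha256_fingerprint(blob):
    """Fingerprint in the form OpenSSH prints: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def host_key_matches(line, trusted_fingerprint):
    """True only if the offered key hashes to the fingerprint obtained out of band."""
    _, _, blob = parse_host_key_line(line)
    return sha256_fingerprint(blob) == trusted_fingerprint

def make_sample_line(host, raw_key):
    """Constructed sample: wrap 32 bytes as an ssh-ed25519 wire-format blob."""
    kt = b"ssh-ed25519"
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(raw_key)) + raw_key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"

# Constructed data, not a real host key; sftp.example.org is a placeholder.
SAMPLE_LINE = make_sample_line("sftp.example.org", bytes(range(32)))
# Stands in for the fingerprint you would obtain from a trusted channel.
TRUSTED = sha256_fingerprint(parse_host_key_line(SAMPLE_LINE)[2])
# Same host name, different key: what a substituted host key would look like.
SWAPPED_LINE = make_sample_line("sftp.example.org", bytes(range(1, 33)))

if __name__ == "__main__":
    print("pinned fingerprint:", TRUSTED)
    print("expected key accepted:", host_key_matches(SAMPLE_LINE, TRUSTED))
    print("substituted key accepted:", host_key_matches(SWAPPED_LINE, TRUSTED))
```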
SFTP recognizes many of the usual set of FTP control options. Type ? or help at the SFTP prompt to see the list of available commands.
Among the most useful standard FTP options that SFTP does not accept are:
- dir: In most situations, the SFTP alternative option (ls -l) lists files and their properties just as dir does for standard FTP sessions.
- delete: The SFTP alternative rm removes remote files and performs the same functions as delete during standard FTP sessions.
- ascii, binary, parallel, quote, site: SFTP provides no alternative options for these commands. It is supposed to automatically detect ASCII and BINARY files on arrival and transfer them in the appropriate mode, but you cannot force the mode if inappropriate transfers occur.
Public Keys (SCF Only)
If you prefer not to use your OTP (one-time password) to authenticate every SFTP session, you can create and install a special file called an SSH public key, generated using OpenSSH, on every pair of machines between which you transfer files with SFTP. Generating an appropriate public key, converting it to the required OpenSSH format if necessary, and installing it in the right directories (including those on the open FIS node) is a complex, multi-step process. If you need assistance with creating a public key, please contact the LC Hotline.
Note: On OCF, SSH public key authentication is only allowed in limited cases. One is between production clusters using port 622, and the other is when uploading to FIS.