The sftp command connects to an SSH server. Once the connection is set up, you can perform file operations on the server.
By default, you can specify only the SSH server name or IP address in this command.
sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | prefer_kex { dh_group1 | dh_exchange_group | dh_group14_sha1 } | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki aliveinterval | -kc alivecountmax | identity-key { dsa | rsa | ecc } | user-identity-key { rsa | dsa | ecc } ] *
sftp ipv6 { -a source-address host-ipv6 | host-ipv6 } [ [ -oi interface-type interface-number ] [ port ] | -vpn-instance vpn-instance-name | prefer_kex { dh_group1 | dh_exchange_group | dh_group14_sha1 } | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki aliveinterval | -kc alivecountmax | identity-key { dsa | rsa | ecc } | user-identity-key { rsa | dsa | ecc } ] *
| Parameter | Description | Value |
|---|---|---|
| -a source-address | Specifies the source address used for the SFTP connection. | - |
| -i interface-type interface-number | Specifies the source interface. Configuring a loopback interface as the source interface is recommended. | - |
| host-ipv4 | Specifies the IPv4 address or host name of the remote system. | The host name is a string of 1 to 255 case-insensitive characters without spaces. If the string is enclosed in double quotation marks, spaces are allowed. |
| host-ipv6 | Specifies the IPv6 address or host name of the remote system. | The value is a string of 1 to 46 characters. |
| -oi interface-type interface-number | Specifies the outbound interface on the local device. If host-ipv6 is a link-local IPv6 address, the outbound interface for that address must be specified; otherwise, it is optional. | - |
| port | Specifies the number of the port on which the SSH server listens. | The value is an integer ranging from 1 to 65535. The default is the standard port 22. |
| public-net | Indicates that the SFTP server is reached over the public network. | - |
| -vpn-instance vpn-instance-name | Specifies the name of the VPN instance. | The name is a string of 1 to 31 characters. |
| prefer_kex | Specifies the preferred key exchange algorithm. | The algorithm can be dh_group1, dh_group14_sha1, or dh_exchange_group. The default is dh_group14_sha1. NOTE: By default, dh_group1 is not supported; to enable it, run the ssh server key-exchange and ssh client key-exchange commands. The dh_exchange_group algorithm is recommended. |
| prefer_ctos_cipher prefer_ctos_cipher | Specifies the preferred encryption algorithm from the client to the server. | The algorithm can be 3des, aes128, aes128_ctr, aes256_ctr, or aes256. The default is aes256_ctr. To improve security, use aes128, aes128_ctr, aes256_ctr, or aes256. |
| prefer_stoc_cipher prefer_stoc_cipher | Specifies the preferred encryption algorithm from the server to the client. | The algorithm can be 3des, aes128, aes128_ctr, aes256_ctr, or aes256. The default is aes256_ctr. To improve security, use aes128, aes128_ctr, aes256_ctr, or aes256. |
| prefer_ctos_hmac prefer_ctos_hmac | Specifies the preferred HMAC algorithm from the client to the server. | The algorithm can be sha1, sha1-96, sha2-256, sha2-256-96, md5, or md5-96. The default is sha2-256. md5 and md5-96 provide the lowest security; sha2-256 is recommended. |
| prefer_stoc_hmac prefer_stoc_hmac | Specifies the preferred HMAC algorithm from the server to the client. | The algorithm can be sha1, sha1-96, sha2-256, sha2-256-96, md5, or md5-96. The default is sha2-256. md5 and md5-96 provide the lowest security; sha2-256 is recommended. |
| -ki aliveinterval | Specifies the interval at which keepalive packets are sent when no packet is received. | The value is an integer ranging from 1 to 3600, in seconds. |
| -kc alivecountmax | Specifies the maximum number of keepalive packets that may go unanswered. | The value is an integer ranging from 3 to 10. The default value is 5. |
| identity-key | Specifies the public key algorithm used for server authentication. | The algorithm can be dsa, rsa, or ecc. |
| user-identity-key | Specifies the public key algorithm used for client authentication. | The algorithm can be dsa, rsa, or ecc. |
| dsa | Specifies the DSA public key algorithm for authentication. | - |
| rsa | Specifies the RSA public key algorithm for authentication. | - |
| ecc | Specifies the ECC public key algorithm for authentication. | - |
Usage Scenario
Before connecting to the SSH server with the sftp command, enable the SFTP service on the SSH server.
The SSH client can omit the port number only when the server listens on port 22. Otherwise, the client must specify the port number when logging in to the server.
If the command fails because ACL filtering is configured on the SFTP client or the TCP connection cannot be set up, the system displays an error indicating that it cannot connect to the server.
By default, the function of sending keepalive packets when no packet is received is disabled.
When the SFTP server or the connection between the server and the client is faulty, the client must detect the fault in time and release the connection on its own. To achieve this, configure the client, when logging in to the server through SFTP, with the interval for sending keepalive packets and the maximum number of keepalive packets that may go unanswered. If the client receives no packet within the specified interval, it sends a keepalive packet to the server. If the number of unanswered keepalive packets exceeds the specified maximum, the client releases the connection.
If neither public-net nor -vpn-instance is configured, the system accesses the SFTP server in the VPN instance.
If public-net is configured, the system accesses the SFTP server on the public network.
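As an added example that is not part of this command reference, the following Python helper parses an sftp client command line written in the syntax above and reports the choices the parameter table describes as weakest (dh_group1, 3des, md5 and md5-96) or as left disabled (keepalive, because -ki is absent), filling in the defaults the table states. The option names and defaults are the page's; the parser, its argument grouping and the finding texts are my own assumptions.

```python
# Added example, not from the command reference: parse an sftp client
# command line in the syntax documented above and flag the weakest choices.
import shlex

# Defaults exactly as the parameter table states them.
DEFAULTS = {"prefer_kex": "dh_group14_sha1", "prefer_ctos_cipher": "aes256_ctr",
            "prefer_stoc_cipher": "aes256_ctr", "prefer_ctos_hmac": "sha2-256",
            "prefer_stoc_hmac": "sha2-256"}
# Values the table calls weakest (md5*), not recommended (3des) or disabled
# by default (dh_group1).
WEAK = {"prefer_kex": {"dh_group1"}, "prefer_ctos_cipher": {"3des"},
        "prefer_stoc_cipher": {"3des"}, "prefer_ctos_hmac": {"md5", "md5-96"},
        "prefer_stoc_hmac": {"md5", "md5-96"}}
# Argument grouping is an assumption derived from the syntax lines above.
ONE_ARG = {"-a", "-vpn-instance", "-ki", "-kc", "identity-key",
           "user-identity-key"} | set(DEFAULTS)
TWO_ARG = {"-i", "-oi"}  # interface-type interface-number

def parse_sftp(cmdline):
    """Return (positionals, options); positionals are host and optional port."""
    toks = shlex.split(cmdline)
    if not toks or toks[0] != "sftp":
        raise ValueError("not an sftp command line")
    toks = toks[1:]
    if toks and toks[0] == "ipv6":  # the 'sftp ipv6 ...' form
        toks = toks[1:]
    positional, opts, i = [], {}, 0
    while i < len(toks):
        t = toks[i]
        n = 2 if t in TWO_ARG else 1 if t in ONE_ARG else 0
        if i + n >= len(toks):
            raise ValueError(f"{t} is missing its argument")
        if n:
            opts[t] = toks[i + 1] if n == 1 else tuple(toks[i + 1:i + 3])
        elif t == "public-net":
            opts[t] = True
        else:
            positional.append(t)
        i += n + 1
    return positional, opts

def audit(cmdline):
    """Findings a reviewer would raise against one sftp command line."""
    _, opts = parse_sftp(cmdline)
    findings = [f"{k}={opts.get(k, d)} is the weakest option listed"
                for k, d in DEFAULTS.items() if opts.get(k, d) in WEAK[k]]
    if "-ki" not in opts:  # keepalive stays off unless -ki is given
        findings.append("keepalive not enabled: a dead server is not detected")
    return findings
```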
Precautions
By default, the server authentication uses the ECC public key.
# The SSH server listens on port 1025; the SFTP client is on the public network and the SSH server is on a private network.
```
<sysname> system-view
[sysname] sftp -a 10.1.1.1 10.1.1.2 1025 -vpn-instance ssh
Please input the username: client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Enter password:
```
# Set keepalive parameters when the client logs in to the server through SFTP.
```
<sysname> system-view
[sysname] sftp 10.1.1.3 -ki 10 -kc 4
Please input the username: client001
Trying 10.1.1.3...
Press CTRL+K to abort
Enter password:
sftp-client>
```
# Configure the client to log in to the server in SFTP mode using DSA authentication.
```
<sysname> system-view
[sysname] sftp 10.1.1.3 identity-key dsa
Please input the username:root
Trying 10.1.1.3 ...
Press CTRL+K to abort
Connected to 10.1.1.3 ...
Enter password:
sftp-client>quit
Bye
```
# Configure the client to log in to the server in SFTP mode using ECC authentication.
```
<sysname> system-view
[sysname] sftp 10.1.1.3 identity-key ecc
Please input the username:root
Trying 10.1.1.3 ...
Press CTRL+K to abort
Connected to 10.1.1.3 ...
Enter password:
sftp-client>quit
Bye
```