Secure FTP


As of February 2, 2009, FTP login is retired from servers in the Mason Cluster (mason.gmu.edu and www.gmu.edu) to improve security. Secure Shell File Transfer Protocol (SFTP), Secure Copy (SCP), and anonymous FTP are still supported.

Please ensure that any applications you have that use FTP (e.g., Dreamweaver, Contribute) are updated to use an SFTP connection.

General

Does My Application Support SFTP?

Note: Many of these applications do not use SFTP by default. Be sure to configure them to use SFTP.

| Application | Operating System(s) | SFTP Support? |
|---|---|---|
| Adobe (formerly Macromedia) Dreamweaver | Windows, Mac | Since MX 2004 |
| Adobe (formerly Macromedia) Contribute | Windows, Mac | Since 2.0 |
| CuteFTP | Windows, Mac | Yes |
| Cyberduck | Mac | Since 2.1 |
| Fetch | Mac | Since 5.0 |
| FileZilla | Windows, Mac, Linux | Since 1.9.9 |
| KompoZer | Windows, Mac, Linux | No |
| Adobe (formerly Macromedia) HomeSite | Windows | No |
| Microsoft Expression Web | Windows | No |
| Microsoft FrontPage | Windows | No |
| Microsoft Office SharePoint Designer 2007 | Windows | No |
| Mozilla Composer | Windows, Mac, Linux | No |
| Netscape Composer | Windows, Mac, Linux | No |
| Nvu | Windows, Mac, Linux | No |
| WS_FTP Home | Windows | No |
| WS_FTP LE | Windows | No |
| WS_FTP Pro | Windows | Since 7.6 |

If your application is not listed in the table, check your client documentation or with your vendor to determine if there is SFTP support and how to enable it. This Wikipedia entry also has an expanded table of FTP clients that may support SFTP.

What Should I Do If My Application Does Not Support SFTP?

You have a couple of options. If a newer version of the software supports SFTP, you could upgrade your application. Otherwise, you'll need to replace your FTP client with an SFTP client.

Note: You can continue to use web page editors like Dreamweaver or FrontPage for design purposes, and then upload the files with a dedicated SFTP client.

The following dedicated SFTP clients are recommended:

  • FileZilla (Windows, Mac, Linux) – Free and open source
  • Cyberduck (Mac) – Free and open source

IMPORTANT: Fixing Server Upload Permissions

Unlike FTP, the default setting for files uploaded with SFTP is that they are only readable by the user that uploaded them. This results in a “Forbidden” error when the files are viewed through a web browser.

Follow this tutorial to adjust this setting:
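Separately from the tutorial referenced above, the following is an added example (not part of the original page or of that tutorial) showing one way to repair permissions on files that were already uploaded over SFTP. It assumes the web server reads content as "other", so files need world-read and directories need world-read plus search; the function name `fix_web_perms` and the directory you pass to it are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): restore web-readable permissions
# on files uploaded over SFTP, without granting write access to anyone new.
# Assumption: the web server reads content as "other", so regular files need
# o+r and directories need o+rx.

# fix_web_perms [-n] DIR
#   -n   dry run: list the paths that would change, modify nothing
# Prints each affected path. Returns 1 if DIR is not a directory.
fix_web_perms() {
    dry_run=0
    if [ "$1" = "-n" ]; then
        dry_run=1
        shift
    fi
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "fix_web_perms: not a directory: $dir" >&2
        return 1
    fi

    if [ "$dry_run" -eq 1 ]; then
        find "$dir" \( \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \) \) -print
        return 0
    fi

    # Directories need read + search so the tree can be listed and traversed.
    find "$dir" -type d ! -perm -005 -exec chmod go+rx {} \; -print
    # Regular files get read only; write and execute bits are left untouched.
    find "$dir" -type f ! -perm -004 -exec chmod go+r {} \; -print
}
```

Run it with `-n` first to review the list, and point it only at the directory that is meant to be served, since everything beneath it becomes readable by other accounts on the server.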

Technical Details

Why Retire FTP Login?

The standard FTP protocol has no means to encrypt the user's username, password, and file content as they are transmitted between the client and server. The protocol was developed at a time when having a reliable and efficient file transfer capability was more of a concern than safeguarding what is sent across the network.

Can FTP Be Used Securely?

FTP can be used safely, but only with additional hardware, software, or protocols that provide a secure environment for the FTP session. That is, the FTP protocol may be wrapped or protected by these additional layers (e.g., Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunneling, Internet Protocol Security (IPsec), Virtual Private Network (VPN)). Additional examples are:

  • FTP over SSH, sometimes called Secure FTP
  • FTP/SSL (also known as FTPS), similar to the HTTPS protocol

Will FTP Over SSH Continue To Work After FTP Is Retired?

No, FTP over SSH will no longer work. It uses the actual FTP protocol over an SSH connection. SSH will continue to work, but there will be no FTP service on the system for your client to communicate with. You must use an SFTP client.

What’s the Difference Between SFTP and FTP Over SSH?

SFTP and FTP over SSH are two entirely different sets of protocols. SFTP uses the SSH File Transfer Protocol over an SSH connection. FTP over SSH uses a File Transfer Protocol (FTP) session over an SSH connection. Both run over an SSH connection, but SFTP is a different protocol from FTP. Supporting FTP over SSH is difficult to accomplish because of how FTP works, so SFTP was created.

To make matters even more complicated, FTP over SSH is sometimes called Secure FTP, and some people mistakenly call SFTP "Secure FTP". This is how it is explained in SSH, The Secure Shell: The Definitive Guide, 2nd Edition, by Barrett, Silverman, and Byrnes:

“The name ‘SFTP’ is also misleading in that it suggests security; many assume it stands for ‘Secure FTP’. This isn’t so. The SFTP protocol has no security features at all; implementations derive their security by speaking the protocol over an SSH connection.”

This matters to you because an application that is configured for SFTP will continue to work. If it is configured for FTP over SSH, it won’t be able to log in and transfer files after the FTP service is disabled.

Unfortunately, some vendors mistakenly use the term “Secure FTP” when they mean SFTP. For example, the Advanced tab of the Dreamweaver 8 Site Definition dialog has a feature titled “Use Secure FTP (SFTP)”. The application is actually using SFTP, not FTP over SSH.

Last Updated: October 10, 2017