
sftp

Function

The sftp command connects the device, acting as an SFTP client, to an SSH server so that you can manage the files stored on the SFTP server.

Format

# Connect the SFTP client to the SFTP server based on IPv4.

sftp [ -a source-address | -i interface-type interface-number ] host-ip [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | identity-key { dsa | rsa | ecc } | user-identity-key { rsa | dsa | ecc } | prefer_kex prefer_key-exchange | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki aliveinterval | -kc alivecountmax ] *

# Connect the SFTP client to the SFTP server based on IPv6.

sftp ipv6 [ -a source-address ] host-ipv6 [ -oi interface-type interface-number ] [ port ] [ identity-key { dsa | rsa | ecc } | user-identity-key { rsa | dsa | ecc } | -vpn-instance vpn-instance-name | prefer_kex prefer_key-exchange | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki aliveinterval | -kc alivecountmax ] *

Parameters

Parameter

Description

Value

-a source-address

Specifies the source IP address that the SFTP client uses to connect to the server. You are advised to use the IP address of a loopback interface.

-

-i interface-type interface-number

Specifies the source interface type and ID. You are advised to use the loopback interface.

The IP address configured for this interface is the source IP address for sending packets. If no IP address is configured for the source interface, the SFTP connection cannot be set up.

-

host-ip

Specifies the IP address or host name of the remote IPv4 SFTP server.

The value is a string of 1 to 255 case-insensitive characters without spaces. When quotation marks are used around the string, spaces are allowed in the string.

host-ipv6

Specifies the IPv6 address or host name of the remote IPv6 SFTP server.

The value is a string of 1 to 255 case-insensitive characters without spaces. When quotation marks are used around the string, spaces are allowed in the string.

-oi interface-type interface-number

Specifies an outbound interface on the local device.

If the remote host uses an IPv6 address, you must specify the outbound interface on the local device.

-

port

Specifies the port number of the SSH server.

The value is an integer that ranges from 1 to 65535. The default port number is 22.

public-net

Specifies the SFTP server on the public network.

You must set the public-net parameter when the SFTP server IP address is a public network IP address.

-

-vpn-instance vpn-instance-name

Name of the VPN instance where the SFTP server is located.

The value must be an existing VPN instance name.

prefer_kex prefer_key-exchange

Indicates the preferred key exchange algorithm.

The dh_exchange_group, dh_exchange_group_sha256, dh_group14_sha1, dh_group14_sha256, dh_group15_sha512, and dh_group16_sha512 algorithms are currently supported.

The default key exchange algorithm is dh_group14_sha1.

prefer_ctos_cipher prefer_ctos_cipher

Specifies an encryption algorithm for data sent from the client to the server.

Encryption algorithms 3des, aes128, aes128_ctr, aes256_ctr, and aes256 are supported.

The default encryption algorithm is aes256_ctr.

You are advised to use the aes128_ctr or aes256_ctr encryption algorithm to ensure high security.

NOTE:
  • If an encryption algorithm list has been configured using the ssh client cipher command for the SSH client, select an encryption algorithm from the list.
  • If no encryption algorithm list has been configured using the ssh client cipher command for the SSH client, select one from 3des, aes128, aes256, aes128_ctr, and aes256_ctr.

prefer_stoc_cipher prefer_stoc_cipher

Specifies an encryption algorithm for data sent from the server to the client.

Encryption algorithms 3des, aes128, aes128_ctr, aes256_ctr, and aes256 are supported.

The default encryption algorithm is aes256_ctr.

You are advised to use the aes128_ctr or aes256_ctr encryption algorithm to ensure high security.

NOTE:
  • If an encryption algorithm list has been configured using the ssh client cipher command for the SSH client, select an encryption algorithm from the list.
  • If no encryption algorithm list has been configured using the ssh client cipher command for the SSH client, select one from 3des, aes128, aes256, aes128_ctr, and aes256_ctr.

prefer_ctos_hmac prefer_ctos_hmac

Specifies an HMAC algorithm for data sent from the client to the server.

HMAC algorithms sha1, sha1_96, md5, sha2_256, sha2_256_96, and md5_96 are supported. The default HMAC algorithm is sha2_256.

NOTE:

To enhance security, you are not advised to use the md5 or md5_96 algorithm.

prefer_stoc_hmac prefer_stoc_hmac

Specifies an HMAC algorithm for data sent from the server to the client.

HMAC algorithms sha1, sha1_96, md5, sha2_256, sha2_256_96, and md5_96 are supported. The default HMAC algorithm is sha2_256.

NOTE:

To enhance security, you are not advised to use the md5 or md5_96 algorithm.

-ki aliveinterval

Specifies the interval for sending keepalive packets when no packet is received in reply.

The value is an integer that ranges from 1 to 3600, in seconds.

-kc alivecountmax

Specifies the maximum number of times keepalive packets are sent when no packet is received in reply.

The value is an integer that ranges from 3 to 10. The default value is 5.

identity-key { dsa | rsa | ecc }

Specifies the public key algorithm used for server authentication.

The supported public key algorithms are dsa, rsa, and ecc. By default, server authentication uses the ECC public key.

NOTE:

To improve security, using RSA or DSA as the authentication algorithm is not recommended.

user-identity-key { rsa | dsa | ecc }

Specifies the public key algorithm used for client authentication.

The supported public key algorithms are dsa, rsa, and ecc. By default, client authentication uses the RSA public key.

NOTE:

To improve security, using RSA or DSA as the authentication algorithm is not recommended.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

SFTP, short for SSH FTP, is a secure file transfer protocol built on SSH. It lets users log in to a remote device securely for file management and transfer, and protects data during transmission. Using this command, the device functions as an SFTP client and logs in to a remote SSH server.

If the connection between the SFTP server and client fails, the SFTP client must detect the failure promptly and release the connection. For this, before the client connects to the server in SFTP mode, configure the interval at which keepalive packets are sent when no reply is received and the maximum number of times they are sent. If the client receives no reply within the configured interval, it sends another keepalive packet. Once the number of keepalive packets sent exceeds the configured maximum, the client releases the connection. By default, the function for sending keepalive packets when no packet is received is disabled.

Precautions

  • When -a or -i is specified, the source IP address can be used as the source or destination IP address in ACL rules. This shields differences between IP addresses and the impact of interface status, filters incoming and outgoing packets, and implements security authentication.
  • The SSH client can log in to the SSH server without specifying a port number only when the SSH server uses port 22. If the SSH server uses another port, the port number must be specified when SSH clients log in to the SSH server.
  • You can run the set net-manager vpn-instance command to configure the NMS management VPN instance before running the open command to connect the FTP client and server.
    • If neither public-net nor vpn-instance is specified, the FTP client accesses the FTP server in the VPN instance managed by the NMS.
    • If public-net is specified, the FTP client accesses the FTP server on the public network.
    • If vpn-instance vpn-instance-name is specified, the FTP client accesses the FTP server in the specified VPN instance.
  • If the sftp command fails because an ACL configured on the SFTP client blocks the connection, or because the TCP connection cannot be established, an error message is displayed indicating that the SFTP client cannot connect to the server.
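As an added example that is not part of this Huawei reference, the following Python audits a VRP-style sftp command line against the algorithm and range guidance in the parameter table above: it parses the IPv4 syntax only, treats an omitted keyword as the documented default, and derives the time until a silent server is dropped as -ki x -kc from the keepalive description. The function names, command lines and addresses are constructed for the example.

```python
# Added example (not Huawei code): audit a VRP-style sftp line (IPv4 syntax) against this page's guidance.
VALUE_OPTS = {"-vpn-instance", "identity-key", "user-identity-key", "prefer_kex",
              "prefer_ctos_cipher", "prefer_stoc_cipher", "prefer_ctos_hmac",
              "prefer_stoc_hmac", "-ki", "-kc"}
DEFAULTS = {"prefer_ctos_cipher": "aes256_ctr", "prefer_stoc_cipher": "aes256_ctr",  # page defaults
            "prefer_ctos_hmac": "sha2_256", "prefer_stoc_hmac": "sha2_256",
            "identity-key": "ecc", "user-identity-key": "rsa", "-kc": "5"}
NOT_ADVISED = {"prefer_ctos_cipher": {"3des", "aes128", "aes256"},  # page prefers *_ctr, sha2, ecc
               "prefer_stoc_cipher": {"3des", "aes128", "aes256"},
               "prefer_ctos_hmac": {"md5", "md5_96"}, "prefer_stoc_hmac": {"md5", "md5_96"},
               "identity-key": {"rsa", "dsa"}, "user-identity-key": {"rsa", "dsa"}}
RANGES = {"-ki": (1, 3600), "-kc": (3, 10), "port": (1, 65535)}

def parse_sftp(cmdline):
    """Split 'sftp [-a addr | -i type num] host [port] [keyword value ...]' into a dict."""
    t = cmdline.split()
    assert t and t[0] == "sftp", "not an sftp command line"
    opts, i = {}, 1
    if t[i] in ("-a", "-i"):                   # source address (1 token) or interface (2 tokens)
        n = 1 if t[i] == "-a" else 2
        opts[t[i]], i = " ".join(t[i + 1:i + 1 + n]), i + 1 + n
    opts["host"], i = t[i], i + 1
    if i < len(t) and t[i].isdigit():          # optional port directly after the host
        opts["port"], i = t[i], i + 1
    while i < len(t):
        if t[i] == "public-net":               # flag keyword, takes no value
            opts["public-net"], i = True, i + 1
        elif t[i] in VALUE_OPTS and i + 1 < len(t):
            opts[t[i]], i = t[i + 1], i + 2
        else:
            raise ValueError(f"unexpected token {t[i]!r}")
    return opts

def audit_sftp(cmdline):
    """Return findings: not-advised algorithms, out-of-range values, keepalive left off."""
    opts, findings = parse_sftp(cmdline), []
    for key, weak in NOT_ADVISED.items():
        val = opts.get(key, DEFAULTS[key])     # an omitted keyword means the page default applies
        if val in weak:
            findings.append(f"{key}={val} is not advised")
    for key, (lo, hi) in RANGES.items():
        if key in opts and not (opts[key].isdigit() and lo <= int(opts[key]) <= hi):
            findings.append(f"{key}={opts[key]} is outside {lo}..{hi}")
    if "-ki" not in opts:                      # page: keepalive stays off unless -ki is configured
        findings.append("-ki not set: keepalive off, a dead server is never detected")
    return findings

def keepalive_budget(cmdline):  # seconds until a silent server is dropped: -ki x -kc (derived)
    o = parse_sftp(cmdline)
    return int(o["-ki"]) * int(o.get("-kc", DEFAULTS["-kc"])) if "-ki" in o else None
```

Note that the page's own second example (identity-key dsa, no -ki) is reported with three findings, while the first example passes apart from the RSA default for user-identity-key.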

Example

# Set keepalive parameters when the client is connected to the server in SFTP mode.

<HUAWEI> system-view
[HUAWEI] sftp 10.164.39.223 -ki 10 -kc 4
Please input the username: client001
Trying 10.164.39.223 ...
Press CTRL+K to abort
Connected to 10.164.39.223 ...
Enter password:
sftp-client>

# Connect the client to the server using the DSA authentication in SFTP mode.

<HUAWEI> system-view
[HUAWEI] sftp 10.164.39.223 identity-key dsa
Please input the username:root
Trying 10.164.39.223 ...
Press CTRL+K to abort
Connected to 10.164.39.223 ...
Enter password:
sftp-client> quit
Bye
Copyright © Huawei Technologies Co., Ltd.