We continue our discussion of secure file transfer between a client and a server running Windows Server 2012 R2. Last time we discussed using FTPS as a secure extension of FTP. Today we’ll dwell on the peculiarities of SFTP (Secure FTP) and its use in Windows Server OSs.
SFTP (SSH File Transfer Protocol, Secure FTP or SSH FTP) is an extension of the SSH protocol and a de facto standard in the UNIX/Linux world. From the user's point of view it looks like FTP, but in fact it is a completely different protocol that has nothing in common with FTP. Data are transferred between the client and the server through the SSH tunnel, using Port 22.
The main advantages of SFTP:
- Files and commands are transferred inside a secure SSH session
- One connection is used to transfer both files and commands
- Symbolic links, interrupt/resume transfer, file delete functions, etc. are supported
- On links where FTP is slow or unreliable, an SFTP connection is as a rule faster and more reliable
- Authentication using SSH keys is possible
SFTP Implementation in Windows Systems
Microsoft operating systems do not provide any built-in means to set up a protected SFTP server. Until now, open-source or proprietary solutions such as Core FTP, FileZilla, Cygwin, OpenSSH, FTP Shell, IPSwitch, etc. have been used for this.
However, in October 2015 the Microsoft PowerShell development team announced the release of a candidate build of OpenSSH for Windows, a port of OpenSSH to win32.
Let’s consider how to configure an SFTP server on Windows Server 2012 R2 using the Win32 OpenSSH package.
Installation of Win32 OpenSSH on Windows Server 2012 R2
You can download a compiled version of the package here: https://github.com/PowerShell/Win32-OpenSSH/releases. We need the build for 64-bit Windows: OpenSSH-Win64.zip (4 MB).
- Extract the archive to the target directory: C:\OpenSSH-Win
- Start a PowerShell console with administrator privileges and change to the OpenSSH directory:
- Generate the SSH host keys for the server (they are necessary to start sshd):
generating new host keys: RSA DSA ECDSA ED25519
- Allow the incoming traffic on Port 22 (SSH server) in Windows Firewall:
New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName SSH
- To enable authentication using keys:
- Restart the server:
- Open the configuration file C:\OpenSSH-Win\sshd_config in any text editor, find the Subsystem sftp line and change its value to C:\OpenSSH-Win\sftp-server.exe
- Install the sshd service:
- Set the service to start automatically during system boot and start it:
Set-Service sshd -StartupType Automatic
Start-Service sshd
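Before putting the server on the network, a check of the result of the steps above is useful. The following PowerShell script is an added example (not from the original article or the Win32-OpenSSH project) that verifies the sshd service, the listening port, the firewall rule and the sshd_config subsystem line; it assumes the install directory C:\OpenSSH-Win, the service name sshd and the firewall rule display name SSH used above.

```powershell
# Added verification script (not from the article or the Win32-OpenSSH project).
# Assumes the install directory, service name (sshd) and firewall rule
# display name (SSH) used in the steps above.
$InstallDir = 'C:\OpenSSH-Win'
$ConfigPath = Join-Path -Path $InstallDir -ChildPath 'sshd_config'

function Test-SftpServerSetup {
    $r = [ordered]@{}

    # 1. Service exists, is running, and starts automatically at boot.
    #    Win32_Service is queried because Get-Service on PowerShell 4.0
    #    (Windows Server 2012 R2) does not expose the start type.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='sshd'"
    $r['ServiceRunning']   = ($null -ne $svc -and $svc.State -eq 'Running')
    $r['ServiceAutoStart'] = ($null -ne $svc -and $svc.StartMode -eq 'Auto')

    # 2. A listener is actually bound to TCP port 22.
    $listener = Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue
    $r['Port22Listening'] = [bool]$listener

    # 3. The inbound rule is present and enabled. Also report whether it
    #    still accepts connections from any address; restrict RemoteAddress
    #    to the client subnet if the server is not meant to be public.
    $rule = Get-NetFirewallRule -DisplayName 'SSH' -ErrorAction SilentlyContinue
    $r['FirewallRuleEnabled'] = ($null -ne $rule -and "$($rule.Enabled)" -eq 'True')
    $addr = $rule | Get-NetFirewallAddressFilter -ErrorAction SilentlyContinue
    $r['FirewallOpenToAnyAddress'] = ($null -ne $addr -and "$($addr.RemoteAddress)" -eq 'Any')

    # 4. sshd_config routes the sftp subsystem to the Windows sftp-server.exe,
    #    and shows whether password logins are still accepted alongside keys.
    $cfg = Get-Content -Path $ConfigPath -ErrorAction SilentlyContinue
    $r['SftpSubsystemSet']    = [bool]($cfg | Select-String -Pattern '^\s*Subsystem\s+sftp\s+.*sftp-server\.exe' -Quiet)
    $r['PasswordAuthEnabled'] = [bool]($cfg | Select-String -Pattern '^\s*PasswordAuthentication\s+yes' -Quiet)

    return [pscustomobject]$r
}

Test-SftpServerSetup | Format-List
```

Run it from an elevated PowerShell console on the server; every value except FirewallOpenToAnyAddress and PasswordAuthEnabled should read True for a correctly configured, key-based setup.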
Test of the SFTP Connection
Let’s try to connect to the SSH server we have created over SFTP. To do it, use the free WinSCP client.
In the connection configuration window, select SFTP as the file protocol and specify the server name and the credentials of the Windows account used for the connection. (Authentication using keys can also be configured.)
When you connect for the first time, a notification appears that the server's host key was not found in the local cache. Compare the fingerprint shown with that of the host key generated on the server before accepting it.
If everything is configured correctly, the client connects to the SFTP server and displays the list of files in the user's home directory (by default, the directory of the user profile).
Using the familiar file manager interface, you can copy files between the server and the client; the files are transferred over the protected SFTP channel.
How to Uninstall Win32 OpenSSH
To uninstall Win32 OpenSSH from your system correctly:
- Start a PowerShell console with administrator privileges
- Stop the sshd service:
- Uninstall the service:
- Remove the keys: