sftpc - The Unix SafeTP Client

sftpc is the SafeTP client for Unix. Note that a separate Windows client is available.


sftpc [ options ] server [ port ]


sftpc works similarly to the ordinary Unix FTP client, except that it can encrypt user's passwords (and, optionally, data) when conversing with a SafeTP server, such as sftpd.

The server to contact must be specified on the command line. Optionally, a port may be specified; if it is not, the default of 21 is used.

When sftpc is run for the first time on a given machine by a given user, it will gather entropy and create ElGamal keys. During entropy gathering, you may be asked to type at the keyboard; please be patient with this process, as it is essential for key security.

Upon connecting to the server, sftpc will authenticate the server, then ask for your username and password. Once these have been accepted by the server, you can enter interactive commands.


Prints the version number for sftpc.

Specifies the size of the protection buffer. Note that a value that is either too large or too small may hurt performance; the default value has been experimentally determined to be a good size for most situations.

Starts sftpc in passive mode. See passive command.

Print extra debugging information.

Print value of ADATs (Authentication DATa) exchanged during authentication. Mostly for debugging.

Behave as a normal (RFC 959) FTP client. This effectively disables all encryption, including password encryption. This option is not recommended, unless the network connection is secured by some alternate means.

Start with data encryption off. See prot command.

Start with data channel in integrity-only mode. See prot command.

Print the help message, which provides short descriptions of the command-line options.

Accept new server keys without prompting the user.

Automatically use the normal (insecure) FTP protocol if the server doesn't understand the encrypted protocol.


help [<command>]
Basic and per-command help information.
(no arg): general info
(command): per-command help
commands: list of all commands
aliases: list of all command aliases
crlf: info about CRLF stuff
In the 'help' list, commands listed with a plus (+) have more info available as 'help '.

help commands
Show list of all commands.

help aliases
Show list of all command aliases.

debug [on|off|1|breaker|dump|binaryAnyway|localCRLF]
Debugging support.
(no arg): toggle printing of outgoing FTP commands
on: print outgoing ftp commands
off: don't print outgoing ftp commands (default)
1: toggle diagnostic output level 1
breaker: breakpoint when debugger is attached
dump: print internal state variables
binaryAnyway: toggle binary transfer despite ascii/binary mode
localCRLF: toggle local CRLF convention
localGlobbing: toggle whether we glob locally or remotely

passive [on|off]
Set whether we use active or passive transfers.
(no arg): toggle active/passive mode
on: use passive transfers (default)
off: use active transfers
Normally, active transfers are used. This means that, during a data transfer, the server initiates a connection to the client. However, under some circumstances (especially when firewalls are involved), it may be necessary for the client to initiate the data connection. This is called a 'passive' transfer.

Use text-mode file transfers (see 'help crlf').

Use binary-mode file transfers (see 'help crlf').

help crlf
Shows information about CRLF issues.

type (i|a)
Set transfer mode.
i: binary mode (default)
a: ascii mode
See 'help crlf'.

Change current local working directory.

Print working directory on the local machine.

prompt [on|off]
Change prompting mode.
(no arg): toggle prompts for mget/mput
on: turn on prompting
off: turn off prompting (default)

hash [on|off]
Set whether to print progress characters.
(no arg): toggle printing of # every 1k transferred
on: turn on hashes
off: turn off hashes (default)

Exit sftpc

! <command>
Execute a command on the local machine. Calls system(3) to execute a shell command

Empty FTP response queue. This is useful only if the server or client gets confused, and violates the FTP protocol.

test [active|passive|text|binary|multi]
Run online self-tests.
(no arg): all tests, both active and passive
active: all tests, in active mode
passive: all tests, in passive mode
text: text transfers in current active/passive mode
binary: binary transfers in current active/passive mode
multi: multiple-file command tests

quote <raw-ftp-cmd>
Send an FTP command directly. No interpretation is done on the command.

prot [p|t|c]
Set or get data channel protection level:
(no arg): print the current protection level
p (private): turn on privacy and integrity protection
t (integrity): turn on just integrity protection
c (clear): turn off protection
Note that this does *not* affect control-channel encryption, which is always on (unless sftpc was started with the -9 switch).

Print remote current directory (PWD ftp command).

cd [dir]
Change remote directory (CWD ftp command).

Same as 'cd ..' (CDUP ftp command).

dir [directory]
Remote directory listing (LIST ftp command).

nlist [arg]
Remote directory listing, with names only. This issues the NLST ftp command.

get <remotefile> [localfile]
Get remote file (GET ftp command).

put <localfile> [remotefile]
Send local file to remote machine (PUT ftp command).

mget <pattern>
Multiple-file get; local globbing by default.

mput <pattern>
Multiple-file put; local globbing (of course).

mls <pattern>
Multiple-file list. This command is primarily useful to see what mget will get.

mdelete <pattern>
Multiple-file delete.

mkdir <dir>
Create remote directory (MKD ftp command).

rmdir <dir>
Remove remote directory (RMD ftp command).

mv <oldName> <newName>
Rename remote file (RNFR and RNTO ftp commands).

rm <filename>
Delete remote file (DELE ftp command).


Basic Information

sftpc must store three kinds of configuration state:

Of these, by far the most sensitive are the ElGamal keys. In particular, if an attacker learns the ElGamal private key, he/she can decrypt both future and past sessions protected with that key.

The random seed is primarily a concern just prior to key generation; an attacker that knows the seed may be able to predict the generated key.

The server keys are only a concern if an attacker modifies them; in that case, an attacker could masquerade as a trusted server.

sftpc's Implementation

The above state, especially the ElGamal private key, must be stored on the local disk (assuming typical insecure networks such as NFS). Therefore sftpc by default stores all of this information in /tmp/user, where user is the username of the person using sftpc.

This can be inconvenient, especially on systems where /tmp is not saved across reboot. To support alternatives, sftpc will store keys in a directory specified by the SAFETP_CONFIG environment variable.


sftpd, SafeTP