OpenSSH: Difference between internal-sftp and sftp-server

Both sftp-server and internal-sftp are part of OpenSSH. The sftp-server is a standalone binary. The internal-sftp is just a configuration keyword that tells sshd to use the SFTP server code built-into the sshd, instead of running another process (what would typically be the sftp-server).

The internal-sftp was added much later (OpenSSH 4.9p1 in 2008?) than the standalone sftp-server binary. But it is the default by now. The sftp-server is now redundant and is kept probably for a backward compatibility.

I believe there’s no reason to use the sftp-server for new installations.

From a functional point of view, the sftp-server and internal-sftp are almost identical. They are built from the same source code.

The main advantage of the internal-sftp is, that it requires no support files when used with ChrootDirectory directive.

Quotes from the sshd_config(5) man page:

  • For Subsystem directive:

    The command sftp-server implements the SFTP file transfer subsystem.

    Alternately the name internal-sftp implements an in-process SFTP server. This may simplify configurations using ChrootDirectory to force a different filesystem root on clients.

  • For ForceCommand directive:

    Specifying a command of internal-sftp will force the use of an in-process SFTP server that requires no support files when used with ChrootDirectory.

  • For ChrootDirectory directive:

    The ChrootDirectory must contain the necessary files and directories to support the user’s session. For an interactive session this requires at least a shell, typically sh, and basic /dev nodes such as null, zero, stdin, stdout, stderr, and tty devices. For file transfer sessions using SFTP no additional configuration of the environment is necessary if the in-process sftp-server is used, though sessions which use logging may require /dev/log inside the chroot directory on some operating systems (see sftp-server for details).

Another advantage of the internal-sftp is a performance, as it’s not necessary to run a new sub-process for it.

It may seem that the sshd could automatically use the internal-sftp, when it encounters the sftp-server, as the functionality is identical and the internal-sftp has even the above advantages. But there are edge cases, where there are differences.

Few examples:

  • Administrator may rely on a login shell configuration to prevent certain users from logging in. Switching to the internal-sftp would bypass the restriction, as the login shell is no longer involved.

  • Using the sftp-server binary (being a standalone process) you can use some hacks, like running the SFTP under sudo.

  • For SSH-1 (if anyone is still using it), Subsystem directive is not involved at all. An SFTP client using SSH-1 tells the server explicitly, what binary the server should run. So legacy SSH-1 SFTP clients have the sftp-server name hard-coded.

Related Posts:

  1. SFTP logging: is there a way?
  2. Is it possible to use rsync over sftp (without an ssh shell)?
  3. Git: How to solve Permission denied (publickey) error when using Git?
  4. Putty: Getting Server refused our key Error
  5. Copying a local file from Windows to a remote server using scp
  6. ssh: The authenticity of host ‘hostname’ can’t be established
  7. ssh “permissions are too open” error
  8. Permission denied (publickey,keyboard-interactive)
  9. How to deal with “Pseudo-terminal will not be allocated because stdin is not a terminal.”
  10. What is actually in known_hosts?
  11. ‘heroku’ does not appear to be a git repository
  12. How to solve “sign_and_send_pubkey: signing failed: agent refused operation”?
  13. How to fix request failed on channel 0
  14. How to scp in Python?
  15. Forward X11 failed: Network error: Connection refused
  16. PuTTY PSCP error “Local to local copy not supported” when username contains a slash
  17. Starting ssh-agent on Windows 10 fails: “unable to start ssh-agent service, error :1058”
  18. Git error: “Host Key Verification Failed” when connecting to remote repository
  19. Convert PEM to PPK file format
  20. Copying files using rsync from remote server to local machine
  21. How to read iPhone files without jailbreaking?
  22. SSH to Vagrant box in Windows?
  23. How to use Sublime over SSH
  24. Differences between SFTP and “FTP over SSH”
  25. Use qdel to delete all my jobs at once, not one at a time
  26. Paramiko’s SSHClient with SFTP
  27. Automating command/script execution using PuTTY
  28. Public and Private Keys are Incorrect for user
  29. How to automate SSH login with password?
  30. ssh returns “Bad owner or permissions on ~/.ssh/config”
  31. How do I change my private key passphrase?
  32. Create a public SSH key from the private key?
  33. How do diff over ssh?
  34. “Add correct host key in known_hosts” / multiple ssh host keys per hostname?
  35. SSH use only my password, Ignore my ssh key, don’t prompt me for a passphrase
  36. ssh-agent forwarding and sudo to another user
  37. Non interactive git clone (ssh fingerprint prompt) [duplicate]
  38. How to check sshd log?
  39. What does “Warning: untrusted X11 forwarding setup failed: xauth key data not generated” mean when ssh’ing with -X?
  40. What’s the difference between authorized_keys and authorized_keys2?
  41. Is my password compromised because I forgot to hit Enter after ssh username?
  42. How do I make ssh fail rather than prompt for a password if the public-key authentication fails?
  43. ssh-keygen does not create RSA private key
  44. What significance does the user/host at the end of an SSH public key file hold?
  45. SSH Suddenly returning Invalid format
  46. How can I prevent the warning No xauth data; using fake authentication data for X11 forwarding?
  47. How to recover from “Too many Authentication Failures for user root”
  48. Why does my OpenSSH key fingerprint not match the AWS EC2 console keypair fingerprint?
  49. Login without running bash_profile or bashrc
  50. How do I do Multihop SCP transfers between machines?
  51. scp without known_hosts check
  52. How do I validate an RSA SSH public key file (id_rsa.pub)?
  53. How can I run arbitrarily complex command using sudo over ssh?
  54. Add comment to existing SSH public key
  55. ssh connection takes forever to initiate, stuck at “pledge: network”
  56. What is the benefit of not allocating a terminal in ssh?
  57. bad ownership or modes for chroot directory component
  58. Why Block Port 22 Outbound?
  59. Ansible stuck on gathering facts
  60. SSH Allow Password For One User, Rest Only Allow Public Keys [duplicate]
  61. ssh : Permission denied (publickey,gssapi-with-mic)
  62. ssh connect Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)
  63. Error in FTP connection using domain name, username and password?
  64. Could not open a connection to your authentication agent
  65. Could not open a connection to your authentication agent
  66. ssh remote host identification has changed
  67. How to establish ssh key pair when “Host key verification failed”
  68. scp or sftp copy multiple files with single command
  69. AWS – Disconnected : No supported authentication methods available (server sent :publickey)
  70. scp or sftp copy multiple files with single command
  71. Perform commands over ssh with Python
  72. How to set ssh timeout?
  73. ssh: The authenticity of host ‘hostname’ can’t be established
  74. Using putty to scp from windows to Linux
  75. SFTP in Python? (platform independent)
  76. mysql_config not found when installing mysqldb python interface
  77. SSH -X “Warning: untrusted X11 forwarding setup failed: xauth key data not generated”
  78. ssh: Could not resolve hostname [hostname]: nodename nor servname provided, or not known
  79. Pseudo-terminal will not be allocated because stdin is not a terminal
  80. X11 forwarding request failed on channel 0
  81. SSH library for Java
  82. mysql_config not found when installing mysqldb python interface
  83. mysql_config not found when installing mysqldb python interface
  84. Pseudo-terminal will not be allocated because stdin is not a terminal
  85. How to download a file from server using SSH?
  86. Upload file to SFTP using PowerShell
  87. connect to host localhost port 22: Connection refused
  88. Transfer files to/from session I’m logged in with PuTTY
  89. channel 3: open failed: connect failed: Connection refused
  90. Getting “socket.error: [Errno 61] Connection refused” python paramiko
  91. How to specify the private SSH-key to use when executing shell command on Git?
  92. SFTP upload file Permission denied
  93. X Error of failed request: BadValue (integer parameter out of range for operation)
  94. Getting stty: standard input: Inappropriate ioctl for device when using scp through an ssh tunnel
  95. Copying files from server to local computer using SSH
  96. Could not create work tree dir ‘example.com’.: Permission denied
  97. Specify an SSH key for git push for a given domain
  98. How to ssh from within a bash script?
  99. key_load_public: invalid format
  100. EC2 ssh Permission denied (publickey,gssapi-keyex,gssapi-with-mic)

Leave a Comment