How to use the command line version of SFTP

In this post, I will show you how I use the command line version of SFTP to log into my managed WordPress Linux server. My local machine is a Mac. I am assuming that you have some Mac/Linux command line experience, but please feel free to ask questions if something is not clear. SFTP is a secure version of the File Transfer Protocol (FTP). It works over the Secure Shell (SSH) protocol. While SFTP normally prompts for a password, we can set it up to use an SSH key pair for password-less access (which is still very secure). When we are done, we will be able to easily connect to our server using an alias. For example:

george@imac1: /Users/george
==> sftp wp1
Connected to wp1.
sftp> 

How to create an ed25519 SSH Key

I am using an ed25519 SSH key pair instead of the more traditional RSA key type. You can search the Internet to learn about the differences, but basically, the ed25519 SSH key type is newer, faster, more secure, and the keys are smaller. To generate the key, do (please replace username, example.com and server.com with your actual names):

george@imac1: /Users/george
==> ssh-keygen -t ed25519 -o -a 100 -C username@example.com
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/george/.ssh/id_ed25519): /Users/george/.ssh/username_ed25519
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/george/.ssh/username_ed25519.
Your public key has been saved in /Users/george/.ssh/username_ed25519.pub.
The key fingerprint is:
SHA256:kx2iTY3CVV/DhXZpWKrn4yUafG3lMLox01jPZ+uBNtM username@example.com
The key's randomart image is:
+--[ED25519 256]--+
|        ...  .=+o|
|     . . o . o=+.|
|      o + o .o.. |
|       = + ..    |
|      . S .. .+ .|
|         .. o=+*.|
|           o*X.E*|
|            *=B.+|
|           ....o |
+----[SHA256]-----+

The important thing to note is that I created a unique name for my key instead of using the default name (id_ed25519). You will want to do this especially if you are defining keys for more than one server. I recommend that you use a unique SSH key pair for each server that you use, just as you should use a unique password for each website that you log into. Also, it's very important that you define a very secure passphrase for your SSH key pair. I use a password generator to create a very long, complicated passphrase.

Now, we will add the SSH key to our Mac keychain (note, this only works on a Mac):

george@imac1: /Users/george
==> ssh-add -K ~/.ssh/username_ed25519
Enter passphrase for /Users/george/.ssh/username_ed25519: 
Identity added: /Users/george/.ssh/username_ed25519 (username@example.com)

If you want to, you can open the Mac Keychain Access app and search for your SSH key; you will find it listed as an OpenSSH application password. With the SSH config file that I describe below, you will never have to enter your password or passphrase again. SFTP will get this information from your Mac keychain.

Install the SSH public key on your Linux Server

The next step is to install the public SSH key on your Linux server. The following steps assume that you can only access your server via SFTP. That is, you have no shell capabilities via a direct SSH login.

george@imac1: /Users/george
==> cd .ssh
george@imac1: /Users/george/.ssh
==> ls username_ed25519*
username_ed25519    username_ed25519.pub
george@imac1: /Users/george/.ssh
==> sftp username@server.com
username@server.com's password: 
Connected to username@server.com.
sftp> mkdir .ssh
sftp> chmod 700 .ssh
Changing mode on /usr/home/username/.ssh
sftp> cd .ssh   
sftp> pwd
Remote working directory: /usr/home/username/.ssh
sftp> put username_ed25519.pub authorized_keys
Uploading username_ed25519.pub to /usr/home/username/.ssh/authorized_keys
username_ed25519.pub                                                                     100%  102     5.6KB/s   00:00    
sftp> ls
authorized_keys  
sftp> bye
george@imac1: /Users/george/.ssh
==> sftp username@server.com
Connected to username@server.com.
sftp> 
sftp> bye

The ssh-keygen program creates two files, storing the private and the public half of your SSH key. We want to upload the public half, place it in the remote .ssh directory and rename it to authorized_keys. The above steps assume that you are creating ~/.ssh/authorized_keys for the first time. If you have an existing authorized_keys file, you will need to download it, add your public key to it, and then upload it back to the ~/.ssh directory. Notice that after logging out and logging back in, we did not have to use our password.
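The "existing authorized_keys" case above, done as a small POSIX shell helper that is added here and is not part of the original post: run it locally on the downloaded copy of authorized_keys, then put the result back with sftp. It only appends the key if the same key material is not already present (the comment field is ignored), and it sets mode 600, because sshd by default (StrictModes) ignores an authorized_keys file that others can write to. The file names and the key strings are constructed assumptions, not real keys.

```shell
#!/bin/sh
# merge_authorized_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Appends the public key in PUBKEY_FILE to AUTHORIZED_KEYS_FILE unless the
# same key type + base64 material is already there, then restricts the file
# to owner read/write. Returns 0 if added, 1 if already present, 2 on bad input.
# Assumes plain "type base64 comment" lines as written by ssh-keygen; entries
# that carry an options prefix (e.g. restrict,command=...) are not handled.
merge_authorized_key() {
    pubkey_file=$1
    auth_file=$2
    # Field 1 is the key type, field 2 the base64 blob; the comment is dropped
    # so that the same key with a different comment still counts as present.
    key_material=$(awk 'NF >= 2 {print $1, $2; exit}' "$pubkey_file")
    [ -n "$key_material" ] || return 2
    touch "$auth_file"
    if awk 'NF >= 2 {print $1, $2}' "$auth_file" | grep -qxF "$key_material"; then
        echo "already present: $key_material" >&2
        return 1
    fi
    # Make sure the existing file ends with a newline before appending.
    if [ -s "$auth_file" ] && [ "$(tail -c1 "$auth_file")" != "" ]; then
        echo >> "$auth_file"
    fi
    cat "$pubkey_file" >> "$auth_file"
    chmod 600 "$auth_file"
    return 0
}
```

After the merge, upload the file with `put authorized_keys` from inside the remote .ssh directory exactly as in the session above.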

Create an SSH Server Alias via the SSH Config file

To make this capability permanent (so that it survives, for example, a restart of your Mac), we need to create an SSH config file that will instruct sftp to get the passphrase from the Mac's keychain. We will also add the server alias (wp1) to this file. Here is an example config file that goes into our local (Mac) .ssh directory:

george@imac1: /Users/george
==> cat ~/.ssh/config
Host *
  AddKeysToAgent yes
  UseKeychain yes
  AddressFamily inet

Host server.com wp1
  HostName server.com
  User username
  IdentityFile ~/.ssh/username_ed25519

The generic Host block (*) lets me use the passphrase that is saved in my Mac's keychain. I also set AddressFamily to inet so that SSH only uses IPv4, because my server only uses IPv4.

Next, I define the Host entry for the server, including the wp1 alias. I also set the user name and the SSH IdentityFile that we previously created. With the SSH config file in place, we can now do:

george@imac1: /Users/george
==> sftp wp1
Connected to wp1.
sftp>

That’s about it. I can easily connect to my server using the command line version of SFTP. I do like using command line tools when it makes sense to do so. They can be very powerful when used properly. However, I will confess that when using SFTP, using a GUI SFTP application may prove very useful in some situations. The Transmit Mac App works very well for me, especially when I want to sync a remote folder with a local folder.