SFTP versions support

0 votes
asked May 25, 2018 by Prabhakar (390 points)

SFTP Rebex client can communicate with SFTP server running on Windows / Linux / RTOS.
Can you confirm this?

Also SFTP v3 & v4 are supported by Rebex. I see there is v5 & v6.
Will the Rebex SFTP client have to be updated when the SFTP server is moved from v4 to v6?

Applies to: Rebex SFTP

1 Answer

0 votes
answered May 28, 2018 by Lukas Pokorny (97,670 points)

Rebex SFTP should be able to communicate with SFTP servers running on Windows / Linux / RTOS as long as they implement SSH v2 protocol and a compatible set of cipher suites.

But the answer to the other question is more complex.

Short answer:

SFTP v3 is currently the de-facto industry standard and it's not going away any time soon. As far as we know, it's supported by all SFTP servers - even those that support v4, v5 or v6 as well. Removing SFTP v3 support is not really an option for SSH client/server vendors because it would make their products incompatible with OpenSSH (SSH implementation with the largest market share), which only supports SFTP v3 and has no plans to add support for the higher versions.

Long answer:

The SFTP protocol never became a proper standard. It is described by a series of IETF draft documents that have been expired for more than 10 years - the final version never materialized.

The main reason for this unfortunate state is that the evolving protocol specification started to get somewhat out of hand when the SFTP v4 draft was published, and this progressed further with v5 and v6 drafts. Those higher versions incorporated new features that were perceived as unnecessary and too complex by a substantial share of SSH vendors and users, and never gained much traction. Finally, the SFTP standardization process became stuck when the IETF working group responsible for SSH decided to cease working on it in 2006.

Due to this, the higher versions have not been universally adopted, which left us with SFTP v3 as a de-facto standard. The most vocal critics of higher versions include OpenSSH developers - in their words, "more recent versions of the [...] drafts [...] are hopelessly bloated and broken" and OpenSSH won't ever be supporting those more recent versions (v4 to v6). They apparently consider them to be a dead-end.

Therefore, we too consider SFTP v3 to be a de-facto standard - a common protocol all SFTP servers implement. On the other hand, SFTP v4, v5 and v6 are just expired drafts that some vendors choose to support (usually partially) in addition to SFTP v3 because they do add several useful features.

This said, if our customers encountered a scenario where SFTP v6 is required, we would consider partially implementing it as well. However, this has not occurred so far.
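
An added example (not part of the original answer and not Rebex code): the version handshake from the expired SFTP drafts, in which the client sends SSH_FXP_INIT with its highest version and the server answers SSH_FXP_VERSION with the lower of the two, so a v4 client keeps negotiating v4 after the server moves to v6. The function names are hypothetical, and the model assumes the server accepts every version up to its maximum.

```python
import struct

SSH_FXP_INIT, SSH_FXP_VERSION = 1, 2  # packet types used by the version handshake

def build_packet(ptype, version, extensions=()):
    """Frame: uint32 length, byte type, uint32 version, then (name, data) string pairs."""
    body = struct.pack(">BI", ptype, version)
    for pair in extensions:
        for s in pair:
            body += struct.pack(">I", len(s)) + s
    return struct.pack(">I", len(body)) + body

def parse_packet(raw):
    """Return (type, version, extensions); reject truncated or inconsistent frames."""
    if len(raw) < 9 or struct.unpack(">I", raw[:4])[0] != len(raw) - 4:
        raise ValueError("bad length field")
    ptype, version = struct.unpack(">BI", raw[4:9])
    pos, strings = 9, []
    while pos < len(raw):
        if pos + 4 > len(raw):
            raise ValueError("truncated string length")
        (n,) = struct.unpack(">I", raw[pos:pos + 4])
        pos += 4
        if pos + n > len(raw):
            raise ValueError("string overruns packet")
        strings.append(raw[pos:pos + n])
        pos += n
    if len(strings) % 2:
        raise ValueError("extension name without data")
    return ptype, version, list(zip(strings[0::2], strings[1::2]))

def server_reply(init_raw, server_max):
    """Server side: answer INIT with the lower of the two versions.
    Assumption: the server accepts every version up to server_max."""
    ptype, client_version, _ = parse_packet(init_raw)
    if ptype != SSH_FXP_INIT:
        raise ValueError("expected SSH_FXP_INIT")
    return build_packet(SSH_FXP_VERSION, min(client_version, server_max))

def negotiate(client_max, server_max):
    """Client side: send INIT, then verify the server did not pick a higher version."""
    reply = server_reply(build_packet(SSH_FXP_INIT, client_max), server_max)
    ptype, version, _ = parse_packet(reply)
    if ptype != SSH_FXP_VERSION or version > client_max:
        raise ValueError("server chose a version the client did not offer")
    return version

if __name__ == "__main__":
    print(negotiate(4, 4), negotiate(4, 6), negotiate(3, 6))  # constructed version pairs
```

The client-side check in `negotiate` matters when the peer is untrusted: a reply naming a version the client never offered is rejected rather than followed.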