Why do I not need to start an SFTP server (why does SSH automatically start SFTP)?

Question

When I start the SSH server, my Debian automatically starts the SFTP server as well – why is it designed in such a way?

Environment:

  • Linux 5.10.0-14-amd64 Debian 5.10.113-1 (2022-04-29) x86_64 GNU/Linux
  • ssh.service – OpenBSD Secure Shell server

Background

Today I realized:

  • when I want to handle http requests, I start a web server – Apache(2), Node.js, etc.
  • when I want to handle SSH, I start an SSH server
  • when I want to handle SFTP… Debian already started SFTP server for me

So I researched, and according to this post 378313/default-sftp-server-in-debian-9-stretch, I found out SFTP is started as "part of (Open)SSH" which makes perfect sense but also feels strange for reasons such as separation of concerns.

Unlike Windows, I have never felt Debian doing something unexpected or extra on my behalf. But today I felt it – after all I said systemctl restart ssh, not systemctl restart ssh-and-also-ftp (the latter command is made-up).

As I am new to Unix/Linux and its philosophy, I would appreciate it if there are any good explanations for this situation.

Asked By: dungarian


Although SFTP is not part of the extensible core SSH protocol, it is built into at least one of the common SSH implementations (OpenSSH) and therefore can be considered to be a standard component.

You can disable the functionality on the server if it’s not required by changing /etc/ssh/sshd_config so that you remove the Subsystem line corresponding to the sftp-server.

For example, this line defines an external sftp-server utility to handle the SFTP service:

Subsystem sftp /usr/lib/openssh/sftp-server

This line defines an internal implementation of the SFTP service:

Subsystem sftp internal-sftp

Removing or commenting out the Subsystem line will disable the SFTP service entirely.

# Subsystem …

Remember that tools such as rsync (if it’s installed) and versions of scp will still function, though, so disabling SFTP will not of itself prevent users from transferring files between client and server. (Older versions of scp will work independently of SFTP. Newer versions use SFTP but can be forced to use the older protocol with the -O flag.) There are also "trivial" solutions such as ssh remoteHost cat somefile > local_copy_of_somefile to consider.

Answered By: Chris Davies

To disable the built-in sftp server of sshd on Debian based systems including Ubuntu, it is not sufficient to remove or comment out the Subsystem line of sshd_config because these systems have a compiled-in default of Subsystem sftp /usr/lib/openssh/sftp-server (see man sshd_config).

I had success disabling SFTP with this line in sshd_config instead, on a by now old Ubuntu 16 system:

Subsystem sftp /bin/false

followed by systemctl reload ssh; killall sftp-server.

Citation from man sshd_config (same text in Ubuntu 16 and Ubuntu 22):
"Note that the Debian openssh-server package sets several options as standard in /etc/ssh/sshd_config which are not the default in sshd(8):
(…)
Subsystem sftp /usr/lib/openssh/sftp-server"

Answered By: Juergen
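The two answers above differ on what actually happens when the Subsystem line is removed: on Debian and Ubuntu the packaging default (Subsystem sftp /usr/lib/openssh/sftp-server) still applies, so only an explicit override such as /bin/false disables the subsystem. The following shell script is an added example, not code from either answer or from the OpenSSH project; it parses constructed sshd_config variants the way sshd reads them (first matching keyword wins, comments ignored, Match blocks not handled) and reports the effective sftp subsystem command, applying the Debian default when no line is present. The function names and the sample configs are my own.

```shell
#!/bin/sh
# Added example: report the *effective* "Subsystem sftp" command of an
# sshd_config, accounting for the Debian/Ubuntu compiled-in default quoted
# from man sshd_config. Sample configs are constructed below so this runs
# without a real sshd installation.

# Packaging default that applies when no "Subsystem sftp" line is set at all
DEBIAN_SFTP_DEFAULT="/usr/lib/openssh/sftp-server"

# effective_sftp_subsystem <config-file>
# Prints the command sshd would run for the "sftp" subsystem, or "disabled"
# when it has been pointed at /bin/false. Like sshd, it takes the first
# matching directive and ignores commented lines. Match blocks are ignored
# (assumption: none present in the samples).
effective_sftp_subsystem() {
    cfg="$1"
    cmd=$(awk '
        /^[ \t]*#/ { next }                                             # skip comments
        tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }   # first wins
    ' "$cfg")
    if [ -z "$cmd" ]; then
        cmd="$DEBIAN_SFTP_DEFAULT"   # nothing in the file: compiled-in default applies
    fi
    if [ "$cmd" = "/bin/false" ]; then
        echo "disabled"
    else
        echo "$cmd"
    fi
}

# make_samples: write three constructed sshd_config variants into a temp dir
# and print the directory name.
#   commented.conf – Subsystem line commented out (first answer's approach)
#   false.conf     – Subsystem sftp /bin/false    (second answer's approach)
#   internal.conf  – Subsystem sftp internal-sftp (in-process implementation)
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'Port 22' '# Subsystem sftp /usr/lib/openssh/sftp-server' > "$dir/commented.conf"
    printf '%s\n' 'Port 22' 'Subsystem sftp /bin/false'                     > "$dir/false.conf"
    printf '%s\n' 'Port 22' 'Subsystem sftp internal-sftp'                  > "$dir/internal.conf"
    echo "$dir"
}

# Demo: show the effective setting for each constructed variant
samples=$(make_samples)
for f in commented false internal; do
    printf '%-15s -> %s\n' "$f.conf" "$(effective_sftp_subsystem "$samples/$f.conf")"
done
rm -rf "$samples"
```

On a live system the authoritative check is `sshd -T`, which prints the effective configuration after defaults and includes are applied; grep its output for `subsystem` rather than reading /etc/ssh/sshd_config by eye, since a line that is merely commented out still leaves the packaging default in force.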

Oddly, the accepted answer here does not address the question asked.

why is it designed in such a way?

The SFTP server in openssh is not a conventional daemon/server. An instance is run on demand when an ssh connection requesting SFTP starts.

ssh can do lots of things – designing it this way means that there’s no overhead from the sftp-server when people are using ssh for other stuff. Similarly ssh is often used for providing a remote terminal session but it doesn’t implement its own shell.

In addition to being more conservative with resources, it also simplifies development by making the system modular.

Answered By: symcbean