SFTP

At Files.com, we are one of the largest providers of cloud-based SFTP in the world. That said, SFTP lacks some of the more sophisticated capabilities for security and performance found in our direct integrations, such as our Desktop, Mobile, and Web apps, SDKs, API, and Command Line app. Additionally, corporate firewalls commonly interfere with SFTP traffic.

Please visit our Preferred Apps For File Transfer page to learn about and download the Files.com native apps as an alternative to SFTP.

We offer SFTP primarily as an integration tool to enable connectivity to some other application that supports SFTP but no direct integration with Files.com.

If you represent a vendor seeking to connect to Files.com via SFTP, we would much prefer that you implement one of our SDKs or our forthcoming App Store functionality. We offer incentives for you to do so; please get in touch to learn more.

SFTP Server Details

Files.com operates proprietary SFTP server software that we build and maintain in-house using our full-time employees. Our server is compatible with SSH standards and tested against many popular SFTP apps used by businesses.

SCP (Secure Copy) Protocol

Files.com's SFTP server also supports the SCP protocol, another file transfer protocol that is built on top of SSH. For purposes of most interactions with Files.com, SCP will work exactly the same as SFTP.

SFTP Host Key Fingerprints

Files.com makes use of a 4096-bit RSA SSH host key. The host key itself (in OpenSSH format) as well as fingerprints in 3 different formats are provided below. Use whichever format is required by your SFTP app.

  • OpenSSH host key: ssh-rsa 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

  • SHA256 fingerprint: JvS7SrgY9QfsC2otdG0TGo0aWcvvieGg1R2Vx8/5VSw

  • SHA1 fingerprint: go2g72JG1emRzP54QtFmFrE0DTg

  • MD5 fingerprint: 79:e1:fc:1c:8d:d7:95:25:84:c5:70:16:4d:07:e0:c5

For maximum security, we recommend verifying the host key fingerprint when connecting via SFTP.

Per-User Root Folders

Files.com supports setting a custom root folder on a per-user basis, and it will apply only to FTP connections (and optionally also SFTP connections), but not anywhere else such as the web, mobile, or desktop app.

This is meant for applications that are unable to change directories appropriately in order to look in the right place for files.

This setting is not a security setting and does not restrict the user from accessing other folders via mechanisms other than FTP. You should use Permissions to set access controls on a per folder basis.

Set this on a user by going to Settings > Users and then looking under the Other Connections section.

If set, Files.com will act as if the selected folder is the root folder for any given FTP session.

This setting may also be optionally applied to SFTP connections via the SFTP client root folders setting on the Settings > Integrations page.

Performance Tips

Tip: Set the number of simultaneous connections to the maximum supported by your SFTP app.

To increase the number of simultaneous connections in FileZilla, go to Edit > Settings > Transfers and increase the Maximum simultaneous transfers setting to 10.

To increase the number of simultaneous connections in Cyberduck, first go to Edit > Preferences > Transfers and set Transfer Files to "Open multiple connections".

Then, go to Window > Transfers and increase the counter in the lower right to the maximum.

SFTP (SSH) Keys

Under the hood, the SFTP protocol uses an SSH connection. One of the benefits to SFTP and SSH is the ability to use an SSH Key as opposed to a Password for authentication.

This is not a requirement. (You're also free to use a regular password.)

SSH Keys are actually a pair of keys, a public key and a private key, that you generate on your local computer.

When you generate a key pair, there will be two halves to it, a public key and a private key.

The private key must never be shared. It will remain on your local computer, or be transferred to the machine performing the SFTP connection.

The public key is what you will provide to Files.com. The great part about a public key is that you don't have to keep it secret like a password. You can safely email it, paste it publicly online, or send it through any nonsecure channel. The public key by itself does not grant any access. It's only when you combine a public and private key that access is granted.

Important: It's very important you don't share your private key. One common mistake people make is that if they want to give access to another person to connect to Files.com via SFTP, they just email them their existing private key. This is the wrong way to do it. Instead, that other person should generate their own public/private key pair, and then add that new public key to Files.com.

Once you've generated your key pair and have added the public key to your Files.com account, you simply need to ensure that your chosen SFTP app will use the private key you've created.

Public keys are not viewable once saved. If you only need to verify that you have the correct key, you can view the public key's fingerprint by going to Settings > Users > [select user]. Select the Authentication tab and scroll to the SFTP keys section. All of the keys for the selected user are listed with the title given to the key, the fingerprint and the option to delete the public key from Files.com. If you believe that the key pair has been compromised or is no longer in use, remove the key by clicking the Delete button.

Supported Key Types

We support the ED25519, RSA, and DSA key types.

We recommend using ED25519 keys because they are the most secure. RSA and DSA keys are considered less secure and slower than ED25519.

If using an RSA key, we recommend using a key length of at least 2048 bits.
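
The fingerprint formats listed under SFTP Host Key Fingerprints and the key-type advice above can both be checked offline. This added Python example (not Files.com code) derives the SHA256, SHA1, and MD5 fingerprints from an OpenSSH public key line, compares one against a pinned value, and flags keys that fall short of the recommendations. The two sample keys are constructed placeholders rather than real keys, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

def _fields(blob):
    """Split an SSH wire-format key blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out


def inspect_public_key(line):
    """Return key type, RSA modulus size in bits, and the three fingerprint formats."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    fields = _fields(blob)
    if fields[0].decode() != key_type:
        raise ValueError("key type label does not match the encoded key")
    # An ssh-rsa blob holds: type, public exponent, modulus.
    bits = int.from_bytes(fields[2], "big").bit_length() if key_type == "ssh-rsa" else None
    enc = lambda h: base64.b64encode(h(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"type": key_type, "bits": bits,
            "SHA256": enc(hashlib.sha256), "SHA1": enc(hashlib.sha1),
            "MD5": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}


def matches_pin(line, pinned, fmt="SHA256"):
    """Compare a key's fingerprint with a pinned value in constant time."""
    return hmac.compare_digest(inspect_public_key(line)[fmt], pinned)


def policy_findings(info):
    """Check a key against this page's advice: ED25519 preferred, RSA >= 2048 bits."""
    findings = [] if info["type"] == "ssh-ed25519" else ["not ED25519"]
    if info["type"] == "ssh-rsa" and info["bits"] < 2048:
        findings.append("RSA key shorter than 2048 bits")
    return findings


def _sample(key_type, *parts):
    """Build a constructed public-key line (sample data, not a real key)."""
    raw = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), *parts))
    return f"{key_type} {base64.b64encode(raw).decode()} constructed-sample"

ED_SAMPLE = _sample("ssh-ed25519", bytes(range(32)))
RSA_SAMPLE = _sample("ssh-rsa", b"\x01\x00\x01", b"\x00" + ((1 << 1023) | 1).to_bytes(128, "big"))

if __name__ == "__main__":
    print([policy_findings(inspect_public_key(s)) for s in (ED_SAMPLE, RSA_SAMPLE)])
```

To check the Files.com host key, pass the key line your SFTP app or known_hosts file recorded to matches_pin together with the SHA256 fingerprint published on this page.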

Adding SFTP Keys in Files.com

Users can add their own SFTP public keys themselves in the web interface by going to My account (in the top right menu) > SFTP keys > Add key.

Administrators can add a public key for a Files.com user by going to Settings > Users > [username] > Authentication > SFTP keys > Add key.

SFTP public keys can also be added programmatically via the REST API.

Generating SSH (SFTP) Key Tutorial

We have put together separate tutorials for Windows, Mac, and Linux.

Windows

This guide requires you to use PuTTYgen, a free, open-source application. PuTTYgen is a standalone application that does not require installation. You can download a copy of this utility from the downloads page at the maintainer's website.

Generating compatible keys with PuTTYgen

1) Open the PuTTYgen application by double-clicking on it.

2) Choose ED25519 for the Type of key to generate

3) Click the Generate button

4) Move your mouse around until the progress bar is full.

5) You now will have a generated public and private key.

6) Save the private and public key files to a location that only you can access and that you will not lose.

7) Right click in the text field labeled Public key for pasting into OpenSSH authorized_keys file and choose Select All

8) Right click again and choose Copy

9) Finally, you need to add the SFTP public key to your Files.com account. Navigate to Settings > Users and click the username of the appropriate user. Click the SFTP Keys setting, and paste the contents of your clipboard into the Public Key text area. For the Title you can enter any piece of identifying information that you want (for example, my laptop).

MacOS

MacOS already includes the necessary software to generate a key pair. Simply click the magnifying glass in the top right-hand corner of your screen, type in Terminal, and hit enter to open the application.

1) Create the new ED25519 Key

ssh-keygen -t ed25519

2) When prompted specify the path you want to save the key files in.

Enter file in which to save the key (/home/user/.ssh/id_ed25519):

3) If you wish to enter a passphrase for the private key you can enter it when prompted. A passphrase is not required for the private key though. If you do enter a passphrase you will have to type it in each time you use the private key.

Enter passphrase (empty for no passphrase):

4) Now that your key is generated you will want to copy it to your clipboard so that you can add it to your SFTP Keys.

pbcopy < ~/.ssh/id_ed25519.pub

5) Finally, you need to add the SFTP public key to your Files.com account. Navigate to Settings > Users and click the username of the appropriate user. Click the SFTP Keys setting, and paste the contents of your clipboard into the Public Key text area. For the Title you can enter any piece of identifying information that you want (for example, my laptop).

Linux

Linux already includes the necessary software to generate a key pair. Simply open your bash shell and type the following commands.

1) Create the new ED25519 Key

ssh-keygen -t ed25519

2) When prompted specify the path you want to save the key files in.

Enter file in which to save the key (/home/user/.ssh/id_ed25519):

3) If you wish to enter a passphrase for the private key you can enter it when prompted. A passphrase is not required for the private key though. If you do enter a passphrase you will have to type it in each time you use the private key.

Enter passphrase (empty for no passphrase):

4) Now that your key is generated you will want to copy it to your clipboard so that you can add it to your SFTP Keys.

xclip -sel clip < ~/.ssh/id_ed25519.pub

5) Finally, you need to add the SFTP public key to your Files.com account. Navigate to Settings > Users and click the username of the appropriate user. Click the SFTP Keys setting, and paste the contents of your clipboard into the Public Key text area. For the Title you can enter any piece of identifying information that you want (for example, my laptop).

Troubleshooting SFTP

Most of the time, SFTP connection issues are caused by firewalls or incorrect settings in SFTP software. The below steps will help you resolve these issues.

We are often met with resistance by customers who don't want to perform these steps because a given connection may have worked in the past but isn't working now. In our experience, the change that caused the problem is usually on the customer side, and that's why we'd really like you to go through and verify all of the following things before asking us for further help.

If we end up doing a Zoom call together to troubleshoot, these steps are exactly what we will do together.

Check For Local Network / Firewall Issues

On probably 9 out of 10 support calls for SFTP, the root cause is a customer or customer counterparty's corporate or network firewall. SFTP is very commonly blocked by firewalls, and often firewall changes can introduce new blocks that didn't previously exist.

  • Have you manually whitelisted any IP addresses anywhere? If so, you need to ensure that all of the appropriate IPs are whitelisted, not just some of them.

    • If your site uses a custom domain, you have two dedicated IPs that need to be whitelisted in your firewall. You can find your dedicated IPs by going to Settings > Integrations and scroll to Firewall configuration. If you have a custom domain, you also need to ensure that you are connecting to it, and not to [your_subdomain].files.com.

    • If you do not have a custom domain, ensure that our main IPs on this list are whitelisted, not just some of them. There are quite a lot of IPs on that list (over 80 at last count) and you need to whitelist all IPs or else you will experience failures. If whitelisting that many IP addresses is a problem for you, the solution is to move to a custom domain. This will get you a pair of IP addresses you can whitelist (see the prior bullet.)

  • See if you need to ask for an IP whitelist. If you have not whitelisted IP addresses, maybe your firewall administrator requires this for SFTP traffic. Please submit a request to your network or firewall administrator to allow SFTP port 22 traffic to all of the IPs on this list. If your firewall team does not allow whitelisting port 22 traffic, ask for port 3022 instead and see the next bullet point.

  • Try other ports - By default, SFTP is used on port 22. Files.com also supports 3022 as an alternate port. Many firewalls will allow traffic on port 3022 despite blocking it on port 22. We recommend testing this next if you have exhausted other firewall issues. In many cases, simply using the alternate port will get your corporate firewall to let the connection through.

Connection Settings in Your SFTP App

The following connection settings are the next most common issues related to SFTP. Please double check all of the following things:

  • Hostname - The hostname should be set to [your_subdomain].files.com or the custom domain for your site, if applicable. Connecting by specifying an IP address may sometimes work, and we do have customers doing this for specific reasons, but it is not officially supported and we are unable to proceed with helping you troubleshoot if you are doing this.

  • Port - By default, you should be using port 22. However, the "port" setting is a great way to work around corporate firewalls. The default SSH/SFTP port of 22 is blocked or interfered with by many corporate firewalls. You can test port 3022 as an alternate port if you suspect possible firewall issues. In many cases, simply using the alternate port will get your corporate firewall to let the connection through.

  • Timeout - If supported in your app, please increase the connection timeout value to 60 seconds.

  • Retry Logic - If supported in your app, have your app attempt three connection retries at 10 second intervals. This allows failed connections contacting one server to retry the connection via a different server. Our hostnames always resolve to multiple physical server hosts in different datacenter locations. Ensure that your SFTP app tries multiple IPs when available.

  • Keepalives - Files.com will time out SFTP sessions that have been idle for 60 seconds. This is to prevent unused sessions from being left open and using server resources. Such idle timeouts are normal, and most SFTP apps handle them without issue, but there are some apps that may not handle these timeouts gracefully. To prevent these idle timeouts, many apps offer a "keepalive" setting. Many SFTP apps will complete transfers in progress and then will connect again upon the user issuing another command. If your app aborts a transfer or errors out due to the idle timeout message, you can implement keepalives (either null packets or dummy commands) every 30 seconds to maintain the SFTP connection and avoid the timeout messages.
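
A connectivity check that follows the Port, Timeout, and Retry Logic settings above, as an added Python example (not Files.com code): it tries ports 22 and 3022 on every IP the hostname resolves to and records why each attempt failed. The function names and the report layout are assumptions of this example.

```python
import socket
import sys
import time


def resolve_all(host, port):
    """Return every distinct IP address the hostname resolves to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def read_banner(ip, port, timeout):
    """Connect and return the first bytes the server sends (its SSH identification line)."""
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        return sock.recv(255).decode("ascii", "replace").strip()


def probe(host, ports=(22, 3022), timeout=60, retries=3, interval=10,
          resolve=resolve_all, connect=read_banner, sleep=time.sleep):
    """For each port, try every resolved IP, with the page's timeout and retry values."""
    report = {}
    for port in ports:
        entry = report[port] = {"ip": None, "banner": None, "failures": []}
        for attempt in range(1, retries + 1):
            try:
                ips = resolve(host, port)
            except OSError as exc:
                ips = []
                entry["failures"].append(("dns", repr(exc)))
            for ip in ips:
                try:
                    banner = connect(ip, port, timeout)
                except OSError as exc:  # refused, reset, or timed out
                    entry["failures"].append((ip, repr(exc)))
                    continue
                if banner.startswith("SSH-"):
                    entry["ip"], entry["banner"] = ip, banner
                    break
                # TCP connected but no SSH banner: something in the path answered instead.
                entry["failures"].append((ip, f"unexpected banner {banner!r}"))
            if entry["ip"] or attempt == retries:
                break
            sleep(interval)
    return report


if __name__ == "__main__":
    for host in sys.argv[1:]:  # pass your site's hostname on the command line
        print(host, probe(host))
```

A report where port 22 has only failures while port 3022 returns an SSH banner points at a firewall between you and the server rather than at your account settings.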

Configuration on Files.com That May be Relevant

If you have confirmed all of the above, here are some remaining things that have caused SFTP issues for some of our customers.

  • Verify that the username is enabled, and that the username and password are correct. Go to Settings > Users > [select user] and verify that the Account enabled setting is turned on. Under the Authentication tab in that user's settings, verify that the Authentication method is not set to "none".

  • The user might have SFTP disabled in their settings. Go to Settings > Users > [select user]. Select the Privileges tab, and scroll to Protocol access section and check for SFTP. You might discover here that SFTP is disabled for your entire site due to not having purchased our Enterprise Connectivity Addon (ECA). If that's the case, we can connect you to an account manager who can get that added for you.

  • If the user has Two Factor Authentication (2FA) enabled, be aware that only certain 2FA methods work with FTP. The Two Factor Authentication documentation page has more information on this. Additionally, when using 2FA with SFTP, you need to disable any parallelism in your SFTP app, because 2FA is only valid for one connection at a time. (In a later step we will suggest maxing out the available parallelism in your app for performance. 2FA is a case where this would not be available.)

  • If your site or user is subject to an IP whitelist, the user must access the site using one of the whitelisted IPs from either list. You can manage IP whitelists for all users by going to Settings > Users > User Settings and scroll to the IP whitelists section. You may add additional IPs for an individual user by going to Settings > Users > [select user]. Select the Authentication tab and scroll to the IP whitelists section.

Invalid Username/Password failures

If you are specifically receiving error messages in your SFTP client about an invalid username or password, please be aware of the following. The SFTP protocol uses integers internally to communicate authentication failure codes and does not provide for detailed error messages that relate to authentication. This is in contrast to nearly every other protocol, such as our API, FTP, web, etc., which all provide detailed messages that explain login failures.

If you are receiving error messages in your SFTP client about an invalid username or password, you should go to Settings > Logs in your Files.com site and then filter the history logs by Action: Login Failure. You can optionally filter the log further by username or IP. This will generate a log of the detailed reasons for the login failure. Oftentimes these can be due to factors such as expired password, brute force protection, IP restrictions, 2FA restrictions, geographic restrictions, or other authentication restrictions that you've configured on your site.
