What is the difference between SSH protocol version vs. SFTP protocol version vs. SSH implementation version?


THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Server (All Versions)

QUESTION

What is the difference between SSH protocol version vs. SFTP protocol version vs. SSH implementation version?

ANSWER

It is important to distinguish the Secure Shell (SSH) protocol version from the SSH File Transfer Protocol (SFTP) version, and each of these from the more granular SSH library implementation version.

Secure Shell (SSH) Protocol

The SSH protocol has a variety of versions which are grouped into the following two categories:

  • SSH 1.xx (SSH1) - Vulnerable and increasingly rare. Generally considered obsolete.
  • SSH 2.00 (SSH2) - RFC standard, by now most widely used. (See RFC 4251)

EFT Server supports SSH2 only. We do not support SSH1. (As of this writing, SSH3 does not yet exist.)

SSH File Transfer Protocol (SFTP)

The SFTP version affects functional features; it does not affect security of the connection (which is always SSH2.) Below is a list of SFTP versions and their use:

  • 1 (nonexistent)
  • 2 (rare)
  • 3 (common)
  • 4 (common)
  • 5 (nonexistent)
  • 6 (not yet common but increasingly supported)

EFT Server supports SFTP versions 2, 3, 4, and 6. The outbound client defaults to version 4, and it is not configurable through the GUI. The EFT Server outbound client negotiates the SFTP version with the receiving server during session establishment. That is, if the receiving server only supports version 2, EFT Server will negotiate down and operate at version 2.

SSH Implementation Version (sshlib)

Our sshlib has implementation versions such as 1.81, 1.82, but these refer to the library version, not the protocol version. The SSH protocol version is always 2.0.

For more information, refer to the following web pages: