Home Back to Tutorial Online Help

Set up Xlight FTP Server with SFTP protocol

Xlight FTP Server now supports SSH File Transfer Protocol (SFTP) over SSH2 Protocol and can run as an SFTP server. SFTP is not FTP run over SSH2, but a new protocol designed by the IETF SECSH working group. SFTP itself does not provide authentication and security, it relies on the underlying protocol SSH2 to provide a secure connection. Note: SSH2/SFTP is an optional feature for the standard or professional editions of the Xlight FTP Server. After the 30-day evaluation period, SSH2/SFTP is an optional feature and needs a separate add-on upgrade license. Only standard or professional edition Xlight FTP Server users can upgrade to the SSH2/SFTP feature.

The step to create an SFTP server is straightforward. When you create a new virtual server, select SSH2 as the protocol, as shown in the picture below: (Note: if the server doesn't have the SSH2/SFTP license, you will not be able to see SSH2 in the protocol selection.)


As the default port for FTP is 21, the default port for SSH2/SFTP is 22. After you create SSh2/SFTP virtual server, you can add users to it and manage it the same way as you manage FTP.

Manage SSH2 server host key

SSH2 server host key is a unique key to identify the Server. When you create a new SSH2/SFTP virtual server, an SSH2 host key is automatically generated for this server. However, if you have an existing host key want to import or you want to backup the SSH2 host key, you can manage it from [Virtual Server Configuration] -> [General] -> [Server SSH2 Host Key] as shown in the picture below:


Import SSH2 host key in pkcs12 format

When you create an SFTP virtual server, Xlight FTP Server will create an SSH2 host key automatically. You don't need to do anything. However, if you want to use a different SSH2 host key, you can find an example below.

This example uses openSSL to create a self-signed certificate file, RSA public and private key file, and then use them to generate a pkcs12 format file(myKey.p12). This file can be imported to Xlight FTP Server as your SSH server host key.

Create RSA key and self-signed certificate

openssl req -x509 -newkey rsa:4096 -keyout myKey.pem -out cert.pem -days 365

Generate pkcs12 format file from the RSA key and self-signed certificate created above

openssl pkcs12 -export -out myKey.p12 -inkey myKey.pem -in cert.pem


SSH public key authentication

Local SFTP users can use public key authentication to replace the default password authentication. Public key authentication is user-based. From the user's settings, you need to enable public key authentication and select a public key file for this user, as shown below:


Select the public key file

You can select a public key file used for public key authentication. The SSH2/SFTP client needs to use the related private key for authenticating against the server. The key length for DSA should always be 1024 bits as specified in FIPS 186-2. RSA key length isn’t limited to 1024 bits.


Select other public key files

Starting from version 3.8.1, Xlight FTP Server can support multiple public key files for authentication. To use other public key files, you can select a file containing the location of other public key files, as shown in the picture below: