If you use Windows on your local computer, as you work with remote Linux servers, you will occasionally need to transfer files between these two points. Fortunately, all of the popular Linux distributions come pre-configured on Alibaba Cloud Elastic Compute Service (ECS) instances with an SSH daemon, which includes support for secure file transfers through SFTP. SFTP is an acronym for SSH (or Secure) File Transfer Protocol. Since the ECS instance already includes an SFTP server, that means we need an SFTP client to connect to it. In this tutorial we will learn how to use WinSCP, a client application that supports various transfer protocols such as FTP, SFTP, WebDAV, S3, etc.
How to Install WinSCP
Click on the following link to visit WinSCP’s download page. Scroll down until you find the link to the setup executable. After the download has finished, run the installer.
We will do a Typical installation here since we want all the features available.
In the next step, we’ll choose the Commander user interface style. Two panels, side by side, allow a faster and more efficient workflow than “Explorer” style.
Click on Next > until the setup is complete. Each step is well explained in the install wizard interface.
Set Up Connection to SFTP Server
When you first open WinSCP, the login manager will appear, where you can fill in the connection details to your Alibaba Cloud ECS instance(s).
Depending on how you’ve set up your instance, the login method will be identical to the one you’re currently using to connect with your SSH client (such as PuTTY): either a username and password, or a username and private key.
In the next section you’ll learn how to fill in the input fields to log in with a username and password. If you need to log in with a private key, you have to fill in all of the details mentioned below, with the exception of the Password field.
Log In with Username and Password
File protocol: we’ll use SFTP since it’s available out of the box on the server. SFTP is good enough for most purposes, but if you often need to download/upload hundreds or thousands of files at a time, you might want to configure a WebDAV server in the future and connect through that protocol. WebDAV works faster when dealing with lots of small files and it also supports reading file blocks selectively. This allows you to read something in the middle of a 10GB file, without downloading the whole file to your computer.
Host name: This can be misleading, since instead of names, you can also enter numbers. In most cases you will fill in the external (Internet) IP address of your instance here (such as “203.0.113.0”). If you’ve already set up a domain name (such as example.com) to point to this instance, you can also use that.
Port number: In this case, the port on which the SSH daemon on your instance is configured to listen. By default, this is 22. For other protocols, such as WebDAV, the default port will be different, for example 80.
Note: username is case-sensitive. “JohnSmith” will not work if the user is named “johnsmith” on your instance and vice versa. The same is true for passwords.
User name: When connecting through the SFTP protocol, fill in the username you currently use to log in through SSH. In most cases, this will be “root”, since it’s the first user available on a Linux machine and has permissions to read/write files in all locations. It is, however, recommended to disable password logins, at least for root, and allow only key-based authentication for this user, through a directive such as PermitRootLogin without-password added to the SSH daemon configuration file. Allowing root login on the server, combined with password authentication, greatly increases the risk of someone (or something, such as a scanning bot) successfully brute-forcing your password and compromising your instance. Private keys are resistant to brute-force attacks. If it's possible for your use case, create an unprivileged user, give it read/write permissions only to specific areas of the filesystem, and use this account to log in with WinSCP. An unprivileged user cannot write, overwrite or delete important files on your Linux server, which helps you avoid occasional mistakes.
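A check for the directive recommended above, as an added example that is not part of the original tutorial: it reads the text of an sshd_config and reports whether root can still log in with a password. The sample configurations and function names are constructed for illustration. It assumes only the global section matters (Include files and Match blocks are not followed) and treats without-password as the older spelling of prohibit-password.

```python
import re

# PermitRootLogin values that keep root away from password logins.
ROOT_SAFE = {"no", "prohibit-password", "without-password", "forced-commands-only"}

# Constructed samples, not taken from a real server.
SAMPLE_APPENDED = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# directive appended at the end of the file:
PermitRootLogin without-password
"""
SAMPLE_HARDENED = """\
PermitRootLogin without-password
PasswordAuthentication no
"""

def global_settings(config_text):
    """Map keyword -> first value seen before any Match block.

    sshd uses the first value it obtains for a keyword, so a later
    duplicate changes nothing. Keywords are matched case-insensitively.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = re.split(r"[\s=]+", line)
        keyword = tokens[0].lower()
        if keyword == "match":
            break  # conditional blocks are outside this check
        if len(tokens) > 1:
            settings.setdefault(keyword, tokens[1].lower())
    return settings

def root_login_findings(config_text):
    """Return findings about password-based root login (hypothetical helper)."""
    s = global_settings(config_text)
    findings = []
    root = s.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin is not set; the daemon default applies")
    elif root not in ROOT_SAFE:
        findings.append(f"PermitRootLogin {root}: root is not restricted to keys")
    if s.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not set to no")
    return findings
```

In SAMPLE_APPENDED the directive added at the end has no effect, because the earlier PermitRootLogin yes line is read first.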
After entering all of the information mentioned above, and your password, click Save, so you don’t have to re-enter the same data the next time you want to log in. Afterwards, click the Login button. If this is the first time you are connecting to the server, a warning will appear:
This is normal and nothing to worry about. Fingerprints, being unique, are a way to identify that the server we are connecting to is the intended one. This prevents connecting to the wrong server (for example due to writing the wrong IP) and man-in-the-middle attacks, when someone redirects you to a server they control, in an attempt to steal your login information. Since this is the first time you’re connecting, you don’t have the fingerprint in the database. Click “Yes” to add it. Once you know the key for an instance is in the database, you should pay attention if this warning appears again. The fingerprint should change only if you regenerate your SSH host keys. This can happen when you re-initialize the system disk, remove and then reinstall the SSH daemon, or simply manually regenerate your host keys for some reason. If you took no such action, and still get the warning, it may mean something is wrong.
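To compare the fingerprint in the warning with the key the server really holds, the following added example (not part of the original tutorial) computes the SHA-256 fingerprint of an OpenSSH public key line, such as one read on the server from a host key file like /etc/ssh/ssh_host_ed25519_key.pub. It assumes the client shows the fingerprint in the SHA256:<base64> form; the key material below is constructed and the function names are illustrative.

```python
import base64
import hashlib
import struct

def sha256_fingerprint(pubkey_line):
    """Fingerprint of one public key line: '<key-type> <base64-blob> [comment]'."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    # The blob begins with its own length-prefixed type string; it must agree
    # with the type written in front of it.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type does not match the encoded blob")
    digest = hashlib.sha256(blob).digest()
    # Base64 of the digest, with the trailing '=' padding removed.
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def matches_prompt(pubkey_line, shown_fingerprint):
    """True when the fingerprint shown by the client belongs to this key."""
    return sha256_fingerprint(pubkey_line) == shown_fingerprint.strip()

def constructed_ed25519_line(key_bytes, comment="constructed-sample"):
    """Build a syntactically valid ssh-ed25519 line from arbitrary bytes (sample data)."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(key_bytes)) + key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " " + comment

# Constructed sample keys, not real host keys.
SERVER_KEY = constructed_ed25519_line(bytes(range(32)))
OTHER_KEY = constructed_ed25519_line(bytes(range(1, 33)))

if __name__ == "__main__":
    shown = sha256_fingerprint(SERVER_KEY)           # what the prompt would show
    print(shown, matches_prompt(SERVER_KEY, shown))  # same key: match
    print(matches_prompt(OTHER_KEY, shown))          # different key: no match
```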
Log in with SSH Private Key
After you fill in all of the fields mentioned above in the login/session manager, with the exception of Password:
Click on the button titled Advanced…. The following dialog will open:
In the left-side menu, under SSH, go to Authentication and click on the button included in the Private key file input field (the one with the three dots), like in the picture above. This expects a file with the .ppk extension, a key in the PuTTY Private Key format. If you only have one in the OpenSSH key format available, WinSCP will offer to automatically convert it. However, if the file you want to select doesn’t have the .ppk extension, you won’t find it listed in the file browser. Go to the bottom-right corner and change the filter to All Files (*.*).
Import your private key file. When you’re done, save your settings and click “Login”.
Transfer Files with WinSCP
After connecting, you’ll get two panels with files. The one on the right shows the files on the Linux instance and it opens by default in the user’s home directory. This is /root for the root user and /home/name_of_user for other users. In the left panel you have local files listed. To navigate "one directory up" (to the parent directory) double click the first entry in that list (the icon that shows an arrow pointing upward).
It’s assumed that users familiar with Windows know about dragging and dropping files, selecting multiple files by holding down the CTRL key and then clicking on the desired selections, right-clicking and selecting desired action, etc. These are all features integrated in WinSCP, so that it functions in a similar way to Windows File Explorer.
Binary vs Text Mode Transfer
When you write text in an editor and press ENTER, you encode what’s known as a line ending, so that a program that reads that file in the future knows how to format that text when it displays it to the user. On Windows operating systems, a line ending is comprised of a “carriage return” and a “line feed” (\r\n). On Unix-like operating systems such as Linux, lines end with just a line feed (\n). You can find more details here: https://en.wikipedia.org/wiki/Newline. This can cause problems when transferring files between Linux and Windows.
Let’s take an example. Navigate to /etc on the remote server, right click on the file named services and choose to download it. Accept the default settings and click OK. Now in the left panel right-click the services file, navigate to "Edit" and then "Notepad". The text will look like in the following picture, which is clearly a mess:
- If we double click on the services file in the left panel, it will display correctly, because it will open in WinSCP's file viewer, which is programmed to display Linux line endings correctly on Windows.
- Apparently, a new version of Notepad that can interpret both types of line endings will soon be pushed to users’ computers: https://blogs.msdn.microsoft.com/commandline/2018/05/08/extended-eol-in-notepad/. But that doesn’t mean you should ignore this subject, since other Windows programs may fail in unexpected ways if they haven’t been programmed to deal with Unix-type line endings.
To transfer the data correctly, after you right-click on the services file and choose to download it, in the dialog box that opens, click on the arrow pointing down next to Transfer settings... and select Text as a preset.
After we transfer the file this way, we’ll see that it displays correctly when opened in Notepad:
Incorrect line endings can be just a nuisance for users trying to read files, but they can also potentially make some programs read configuration files incorrectly on Windows (though rarely). As a rule of thumb, if you’re just backing up files from server to local machine, then it’s perfectly fine to transfer them in the default binary mode. This will keep files bit-by-bit identical when you restore them to the Linux instance. But if you’re importing configuration files that you want to read and/or use in Windows, copy them in text mode. The same is true if you’re copying from Windows to Linux.
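Why backups belong in binary mode, shown as an added example that is not part of the original tutorial: a simplified model of line-ending conversion (not WinSCP's implementation) applied to constructed sample data. A file with pure Unix line endings survives a download and upload in text mode, while a file with mixed endings or binary content does not come back bit-by-bit identical.

```python
import hashlib

# Constructed samples: a few lines in the style of /etc/services, a text file
# with mixed endings, and the 8-byte PNG signature, which contains \r\n and \n.
SERVICES_SNIPPET = b"ssh\t\t22/tcp\nhttp\t\t80/tcp\n"
MIXED_TEXT = b"line one\r\nline two\n"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def classify_line_endings(data):
    """Return 'LF', 'CRLF', 'CR', 'mixed' or 'none' for a byte string."""
    crlf = data.count(b"\r\n")
    lf = data.count(b"\n") - crlf   # line feeds not preceded by \r
    cr = data.count(b"\r") - crlf   # carriage returns not followed by \n
    kinds = [name for name, n in (("CRLF", crlf), ("LF", lf), ("CR", cr)) if n]
    if not kinds:
        return "none"
    return kinds[0] if len(kinds) == 1 else "mixed"

def to_windows(data):
    """Model of a text-mode download: every line ends in \\r\\n afterwards."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")

def to_unix(data):
    """Model of a text-mode upload: \\r\\n becomes \\n."""
    return data.replace(b"\r\n", b"\n")

def round_trip_is_identical(data):
    """True if download-then-upload in text mode restores the original bytes."""
    restored = to_unix(to_windows(data))
    return hashlib.sha256(restored).digest() == hashlib.sha256(data).digest()

if __name__ == "__main__":
    for name, sample in (("services", SERVICES_SNIPPET),
                         ("mixed text", MIXED_TEXT),
                         ("PNG signature", PNG_SIGNATURE)):
        print(name, classify_line_endings(sample), round_trip_is_identical(sample))
```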
Use Compression to Speed up Transfers
For a few occasional file transfers of a few megabytes, compression is not necessary and may even be slightly detrimental. But if you’re constantly dealing with large amounts of data, then compression may shorten the time required to complete transfers.
Press CTRL+N to open the login dialog, select your saved connection profile, click Edit and then click Advanced…. In the left side menu you can now click on SSH which will present you with the following options:
Click on Enable compression. Now click OK and then save your settings again.
If you want to learn more about WinSCP, visit the following link: https://winscp.net/eng/docs/start