WinSCP can be embedded and scripted as can PSFTP but not FileZilla
Posted by jpluimers on 2016/12/01
In a quest to perform SFTP in Delphi next to FTP, I first researched what I was up against. A tiny voice in the back of my head said “SFTP is totally unlike FTP” and it was right: SFTP means SSH File Transfer Protocol, not Simple File Transfer Protocol nor FTP over SSH nor FTP over SSL aka FTPS – the latter is supported by Indy but the former isn’t.
I decided against SecureBlackBox (providing SFTPBlackbox) and IPWorks (SSH) as I tried both a while ago for S/MIME support and was disappointed about both the lack of features and documentation; in the end I went for wrapping OpenSSL for the “encrypt-then-sign” process and Indy for the SSMTP part. The merger of the SecureBlackBox and IPWorks made me even less happy.
The Chilkat alternative for SFTP isn’t too compelling either: ActiveX or DLL black-box without a lot of insight on how many people do use it.
So when I had to do SFTP and knew there are no free or open source SFTP components for Delphi available I opted for thinking outside the Delphi realm.
My basic idea was to embed either of these:
- Filezilla (as Filezilla on Windows is waaaay faster than WinSCP)
- WinSCP (a Windows SCP and SFTP client written in C++ Builder)
- PSFTP (the Putty SFTP client)
FileZilla
FileZilla internally uses FzSFtp.exe which is based on PSFTP code (but with some buffers making it faster than PSFTP or WinSCP).
According to the author, neither FzSFtp.exe nor FileZilla can be automated:
FileZilla cannot make any automated transfers at all. Neither FileZilla.exe nor fzsftp.exe (is for SFTP) can be used for any batch processing.
Source: run filezilla tzsftp from batch command line – FileZilla Forums
The WinSCP author commented in a similar fashion:
FileZilla does not have any command line arguments (nor any other way) that allow automatic transfer.
Source: windows – Command line option to download file in FileZilla – Stack Overflow
In addition, FileZilla is always a GUI program, so running it as a console app (which I’d prefer) would be impossible.
WinSCP
WinSCP can be automated in two ways:
- The WinSCP.exe command-line allows for a
/consoleand/scriptswitch enabling scripting mode that you can use for Scripting and Task Automation :: WinSCP- For console-only operations using WinSCP.com is preferred as it has no GUI (so the
/consoleswitch is implicit) - There are many example scripts at Useful Scripts :: WinSCP
- It is easy to switch from PSFTP or SFTP: Converting PuTTY PSFTP or OpenSSH SFTP script to WinSCP script :: WinSCP
- For console-only operations using WinSCP.com is preferred as it has no GUI (so the
- A wrapper around WinSCP.exe is availble as WinSCP .NET Assembly and COM Library :: WinSCP which requires both .NET to be installed and (from Delphi) calling through COM which I don’t like much
Since I already had good Delphi wrapping code round starting/waiting-for running processes, I’d opt for using WinSCP.com scripting.
There used to be wrapping code around: Use with Delphi :: Support Forum :: WinSCP
PSFTP
These Using PSFTP to transfer files securely links should get me going:
-
-
- 6.2.1 General quoting rules for PSFTP commands
- 6.2.2 Wildcards in PSFTP
- 6.2.3 The
opencommand: start a session - 6.2.4 The
quitcommand: end your session - 6.2.5 The
closecommand: close your connection - 6.2.6 The
helpcommand: get quick online help - 6.2.7 The
cdandpwdcommands: changing the remote working directory - 6.2.8 The
lcdandlpwdcommands: changing the local working directory - 6.2.9 The
getcommand: fetch a file from the server - 6.2.10 The
putcommand: send a file to the server - 6.2.11 The
mgetandmputcommands: fetch or send multiple files - 6.2.12 The
regetandreputcommands: resuming file transfers - 6.2.13 The
dircommand: list remote files - 6.2.14 The
chmodcommand: change permissions on remote files - 6.2.15 The
delcommand: delete remote files - 6.2.16 The
mkdircommand: create remote directories - 6.2.17 The
rmdircommand: remove remote directories - 6.2.18 The
mvcommand: move and rename remote files - 6.2.19 The
!command: run a local Windows command
-
Practical examples:
- cmd – Batch file for PuTTY/PSFTP file transfer automation – Stack Overflow
- Delphi SFTP mit Indy – Seite 2 – Delphi-PRAXiS
- PuTTY plink wrapper in Delphi
Source locations
For my own reference, the open source locations:
- FileZilla SVN repository: https://svn.filezilla-project.org/svn/FileZilla3
- WinSCP does not have a repository; you can download ZIP files with source code for each release from https://winscp.net/eng/download.php
- Putty Git repository: http://tartarus.org/~simon-git/gitweb/?p=putty.git
Some semi-random Delphi SSL related postss
During the search above I found the below links that will be useful to me one day:
- Send mail to GMail using Indy and SSL/TLS SMTP
- FTPS (FTP over TLS/SSL): [Delphi] – INDY + IDFTP + SSL/TLS :: 4programmers.net
- Delphi Indy Samples & Articles – Delphi
- Indy SSL
- libssh2 Delphi wrapper: ZeljkoMarjanovic / libssh2 delphi — Bitbucket (unmaintained since 2013-01-02)
- WinSCP wrapper in the wayback machine: SeySo Software & Service – Projects
–jeroen
The Wiert Corner - irregular stream of stuff 
Cameron said
We use SecureBlackBox but I believe Synapse has an SFTP option. It is a bit convoluted but open source.
jpluimers said
When I last looked, Synapse only had FTP over SSL/TLS.
Another reason for not using Delphi coded security code is that the user-base is way too narrow to warrant good implementations. It’s really really really hard to write code that for instance survives side-channel attacks, so the current solution (thin Delphi wrapper around the libss2 DLL which is backed by a team at https://github.com/libssh2/libssh2) looks way more robust to me.
otherside82 said
I have used PSFTP to do SFTP from Delphi. It’s really easy and simple. I’ve got a simple unit of 123 LoC that can download some files and move some files on the SFTP server. It doesn’t call psftp.exe directly but instead calls a batch file which includes the connection details like address, username, private key
jpluimers said
Since I have varying experience running console stuff from my applications, I’ve taken over forked https://bitbucket.org/jeroenp/libssh2-delphi from https://bitbucket.org/ZeljkoMarjanovic/libssh2-delphi and updated it to the latest https://github.com/libssh2/libssh2, found out how to build libssh2.dll with OpenSSL ciphers (there are more than the default WinCNG ones). See https://github.com/jpluimers/Conferences/blob/master/2016/EKON-20-20161107-09/Network-Protocol-Security/Network-Protocol-Security.rst for more details.
Doing it via the DLL also makes the attack surface for sniffing credentials smaller. I wish Delphi had SecureString, but alas, that’s .NET only.
Leonardo Herrera said
Ah, too bad you decided against SecureBlackBox. You are right, not much documentation but their support is stellar. And their source code is quite clean, most of the time.