Allen Kistler wrote:

> If you're going to implement sftp, you might as well implement scp,
> instead. scp is the "real" protocol in both.

Which is why it doesn't handle symlinks well. FTP can, and can mirror
them either way well.

A major flaw in almost all SSH/SFTP/SCP setups is the lack of chroot
cages: users who can get onto the server can go poking around the rest
of the system, which is a serious security issue. I've encouraged the
authors to include chroot cage capability, and tried providing patches,
but they've never brought them into the main codeline, so I've given
up. It's handy for systems where you already have user privileges: it's
quite dangerous for systems where you only want people to upload or
download specific directories, not to give them logiin access.

For many such setups, I've instead switched to WebDAV over HTTPS. It's
built into Windows, it allows Apache based account and user management
quite apart from system accounts, the "chroot" like behavior is built
right into Apache as a set of run-time configuration options, and it
easily supports uploading and downloading, anonymous repositories, and
all he other useful features of FTP except for the sniffable passwords
and the very awkward 2-port behavior.