
This is not a duplicate of How to perform checksums during a SFTP file transfer for data integrity? as I am more looking for the details of JSch and how it implements SFTP. If it implements SFTP, then as pointed out here, there is no need to do file checksum.

My problem statement is: for pulling files from a remote SFTP location, we are using the JSch library. We have been asked to ensure file integrity during the transfer.

The com.jcraft.jsch.Channel object has been created as

ChannelSftp sftpChannel = (ChannelSftp) session.openChannel("sftp");

Does creating an object of com.jcraft.jsch.ChannelSftp ensure that SFTP is implemented properly? The reason I ask is that I couldn't find any proper justification around it. If it doesn't, can someone help me with how I can determine the remote file checksum before the start of the transfer?

Many thanks in advance for any help.

N R
  • you could examine the packets with wireshark – Scary Wombat Jul 07 '17 at 08:46
  • @ScaryWombat I am afraid I cannot get this tool installed.. – N R Jul 07 '17 at 08:53
  • If you can not trust SFTP (or any protocol, for that matter) to properly transfer the file, and given that most protocols won't allow you to execute remote code for computing a hash, the simple recipes apply: e.g. 1) have the checksum in the name of the file, or 2) have a metadata file just next to the file to retrieve, and download it to check integrity, or 3) use a data format that inherently uses a checksum (anywhere from a digitally signed file in a PKCS7 format to a simple CRC-32 checksummed format like ZIP). – GPI Jul 07 '17 at 08:58
  • @ScaryWombat: AFAIK wireshark can't decrypt SSH (after KEX) and therefore you wouldn't be able to usefully look at SFTP activity that way. – dave_thompson_085 Jul 07 '17 at 12:49

0 Answers
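
Recipe 2 from GPI's comment (a metadata file next to the file) sketched with JSch, as an added example that is not part of the original thread. It assumes the sender publishes a `<file>.sha256` sidecar in `sha256sum` format; that naming, the class `VerifiedSftpGet` and the method `getVerified` are hypothetical.

```java
import com.jcraft.jsch.ChannelSftp;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.MessageDigest;

public class VerifiedSftpGet {
    // Copies in -> out while hashing the bytes; returns the lowercase hex SHA-256.
    static String copyAndHash(InputStream in, OutputStream out) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) != -1; ) {
            md.update(buf, 0, n);
            out.write(buf, 0, n);
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Assumption: "<remotePath>.sha256" exists and holds "<hex digest>  <file name>".
    // The file is written to a temp file and only moved into place after the digest matches.
    static void getVerified(ChannelSftp sftp, String remotePath, Path local) throws Exception {
        ByteArrayOutputStream sidecar = new ByteArrayOutputStream();
        sftp.get(remotePath + ".sha256", sidecar);
        String expected = sidecar.toString("UTF-8").trim().split("\\s+")[0].toLowerCase();
        Path tmp = Files.createTempFile(local.toAbsolutePath().getParent(), "sftp-", ".part");
        try {
            String actual;
            try (InputStream in = sftp.get(remotePath); OutputStream out = Files.newOutputStream(tmp)) {
                actual = copyAndHash(in, out);
            }
            if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                       actual.getBytes(StandardCharsets.US_ASCII)))
                throw new IOException("SHA-256 mismatch for " + remotePath);
            Files.move(tmp, local, StandardCopyOption.REPLACE_EXISTING);
        } finally {
            Files.deleteIfExists(tmp); // no-op after a successful move
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the hashing path checked offline against SHA-256("abc").
        String h = copyAndHash(new ByteArrayInputStream("abc".getBytes(StandardCharsets.US_ASCII)),
                               new ByteArrayOutputStream());
        System.out.println(h.equals(
            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad") ? "ok" : "FAIL");
    }
}
```

A sidecar fetched over the same channel detects truncated or corrupted transfers; it does not authenticate the file against a server that serves a matching file and digest, which is what the signed format in recipe 3 addresses.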