secure-file-transfer-protocol-known-issues.md

title	titleSuffix	description	author	ms.subservice	ms.service	ms.topic	ms.date	ms.author	ms.reviewer
Limitations & known issues with SFTP in Azure Blob Storage	Azure Storage	Learn about limitations and known issues of SSH File Transfer Protocol (SFTP) support for Azure Blob Storage.	normesta	blobs	storage	conceptual	10/20/2022	normesta	ylunagaria

Limitations and known issues with SSH File Transfer Protocol (SFTP) support for Azure Blob Storage

This article describes limitations and known issues of SFTP support for Azure Blob Storage.

Important

Because you must enable hierarchical namespace for your account to use SFTP, all of the known issues that are described in the Known issues with Azure Data Lake Storage Gen2 article also apply to your account.

Known unsupported clients

The following clients are known to be incompatible with SFTP for Azure Blob Storage. See Supported algorithms for more information.

• Five9
• Kemp
• Mule
• paramiko 1.16.0
• SSH.NET 2016.1.0

The unsupported client list above is not exhaustive and may change over time.

Client settings

To transfer files to or from Azure Blob Storage via SFTP clients, see the following recommended settings.

• WinSCP

  • Under the Preferences dialog, under Transfer - Endurance, select Disable to disable the Enable transfer resume/transfer to temporary filename option.

Caution

Leaving this option enabled can cause failures or degraded performance during large file uploads.

Unsupported operations

Category	Unsupported operations
ACLs	chgrp - change group chmod - change permissions/mode chown - change owner put/get -p - preserving permissions
Resuming Uploads	reput. put -a
Random writes and appends	Operations that include both READ and WRITE flags. For example: SSH.NET create API Operations that include APPEND flag. For example: SSH.NET append API.
Links	symlink - creating symbolic links ln - creating hard links Reading links not supported
Capacity Information	df - usage info for filesystem
Extensions	Unsupported extensions include but aren't limited to: fsync@openssh.com, limits@openssh.com, lsetstat@openssh.com, statvfs@openssh.com
SSH Commands	SFTP is the only supported subsystem. Shell requests after the completion of key exchange will fail.
Multi-protocol writes	Random writes and appends (PutBlock,PutBlockList, GetBlockList, AppendBlock, AppendFile) aren't allowed from other protocols (NFS, Blob REST, Data Lake Storage Gen2 REST) on blobs that are created by using SFTP. Full overwrites are allowed.
Rename Operations	Rename operations where the target file name already exists is a protocol violation. Attempting such an operation will return an error. See Removing and Renaming Files for more information.

Authentication and authorization

• Local users are the only form of identity management that is currently supported for the SFTP endpoint.

• Azure Active Directory (Azure AD) isn't supported for the SFTP endpoint.

• POSIX-like access control lists (ACLs) aren't supported for the SFTP endpoint.

To learn more, see SFTP permission model and see Access control model in Azure Data Lake Storage Gen2.

Networking

• To access the storage account using SFTP, your network must allow traffic on port 22.

• Static IP addresses aren't supported for storage accounts. This is not an SFTP specific limitation.

• Internet routing is not supported. Use Microsoft network routing.

• There's a 2 minute time out for idle or inactive connections. OpenSSH will appear to stop responding and then disconnect. Some clients reconnect automatically.

Other

• For performance issues and considerations, see SSH File Transfer Protocol (SFTP) performance considerations in Azure Blob storage.

• Maximum file upload size via the SFTP endpoint is 100 GB.

• To change the storage account's redundancy/replication settings or initiate account failover, SFTP must be disabled. SFTP may be re-enabled once the conversion has completed.

• Special containers such as $logs, $blobchangefeed, $root, $web aren't accessible via the SFTP endpoint.

• Symbolic links aren't supported.

• SSH and SCP commands that aren't SFTP aren't supported.

• FTPS and FTP aren't supported.

• TLS and SSL aren't related to SFTP.

Troubleshooting

• To resolve the Failed to update SFTP settings for account 'accountname'. Error: The value 'True' is not allowed for property isSftpEnabled. error, ensure that the following pre-requisites are met at the storage account level:

  • The account needs to be a general-purpose v2 and premium block blob accounts.

  • The account needs to have hierarchical namespace enabled on it.

• To resolve the Home Directory not accessible error. error, check that:

  • The user has been assigned appropriate permissions to the container.

  • The container name is specified in the connection string for local users don't have a home directory.

  • The container name is specified in the connection string for local users that have a home directory that doesn't exist.

• To resolve the Received disconnect from XX.XXX.XX.XXX port 22:11: when connecting, check that:

  • Public network access is Enabled from all networks or Enabled from selected virtual networks and IP addresses.

  • The client IP address is allowed by the firewall.

  • Network Routing is set to Microsoft network routing.

See also

• SSH File Transfer Protocol (SFTP) support for Azure Blob Storage
• Connect to Azure Blob Storage by using the SSH File Transfer Protocol (SFTP)
• Host keys for SSH File Transfer Protocol (SFTP) support for Azure Blob Storage
• SSH File Transfer Protocol (SFTP) performance considerations in Azure Blob storage