Mastering FTP, FTPS, and SFTP: When to Use Active vs Passive Mode
This guide explains the fundamentals of FTP, FTPS, and SFTP, compares implicit and explicit SSL modes, and clarifies the differences between active and passive transfer modes so you can choose the right configuration for secure and efficient file management.
FTP, FTPS and SFTP Overview
FTP (File Transfer Protocol) is an application‑layer protocol that enables clients to upload files to, or download files from, a server. FTPS adds SSL/TLS encryption to FTP, while SFTP is a completely different protocol built on SSH.
How FTP Works
FTP establishes two separate TCP connections: a command channel for sending instructions and a data channel for the actual file transfer.
FTPS
FTPS comes in two variants:
Implicit SSL runs on port 990; the entire session is encrypted from the start and non‑SSL connections are rejected.
Explicit SSL uses the standard FTP port (21). The client first opens an unencrypted connection, then issues AUTH TLS or AUTH SSL to upgrade the channel to SSL/TLS before transmitting credentials.
SFTP
SFTP (Secure File Transfer Protocol) operates over a single SSH connection, eliminating separate command and data channels. Authentication can be performed in either of two ways:
Username/password (encrypted by SSH).
SSH key-based authentication.
Active vs Passive Transfer Modes
Active Mode
In the default active (port) mode, the client connects to the server’s command port (21) and sends a PORT command indicating a client‑side port. The server then initiates a data connection from its port 20 to the client’s specified port.
Passive Mode
In passive mode, after establishing the command channel, the client sends a PASV command. The server opens a random high‑numbered port for data transfer, and the client initiates the data connection to that port.
Active mode is simpler for server‑side firewall configuration (only ports 21 and 20 need to be open), but it can be blocked by client‑side firewalls because the server initiates the data connection. Passive mode avoids this issue by having the client initiate both connections, making it friendlier to client firewalls.
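The PORT command and the server's 227 reply to PASV both carry the data-channel address as six comma-separated bytes (h1,h2,h3,h4,p1,p2, with port = p1*256 + p2, per RFC 959). The following added example, which is not from the original article, parses both and reports who initiates each data connection and what a firewall would see; the transcript, the IP addresses and the passive port range 50000-50100 are constructed assumptions.

```python
import re

# h1,h2,h3,h4,p1,p2 as used in a PORT argument and in a 227 (PASV) reply.
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(text):
    """Return (ip, port) from a PORT argument or a 227 reply line."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_connections(transcript, client_ip, server_ip, pasv_range=(50000, 50100)):
    """Describe each data connection negotiated on the command channel.

    transcript is a list of (sender, line) with sender "C" or "S";
    pasv_range is the passive port range assumed to be opened on the
    server-side firewall (an assumption of this example).
    """
    out = []
    for sender, line in transcript:
        if sender == "C" and line.upper().startswith("PORT "):
            ip, port = parse_hostport(line[5:])
            # Active: server connects from port 20 to the client's port.
            conn = {"mode": "active", "initiator": "server",
                    "src": (server_ip, 20), "dst": (ip, port), "findings": []}
            expected = client_ip
        elif sender == "S" and line.startswith("227 "):
            ip, port = parse_hostport(line[4:])
            # Passive: client connects from an ephemeral port to the server.
            conn = {"mode": "passive", "initiator": "client",
                    "src": (client_ip, None), "dst": (ip, port), "findings": []}
            expected = server_ip
            if not pasv_range[0] <= port <= pasv_range[1]:
                conn["findings"].append("port outside configured passive range")
        else:
            continue
        if ip != expected:  # e.g. a private address leaked from behind NAT
            conn["findings"].append("address differs from control-channel peer")
        out.append(conn)
    return out

# Constructed sample session (documentation address ranges).
SAMPLE = [("C", "PORT 198,51,100,7,195,80"), ("S", "200 PORT command successful"),
          ("C", "PASV"), ("S", "227 Entering Passive Mode (203,0,113,10,195,149)"),
          ("C", "PASV"), ("S", "227 Entering Passive Mode (10,0,0,5,4,1)")]
```

Calling `data_connections(SAMPLE, "198.51.100.7", "203.0.113.10")` yields one active and two passive entries; the last one is flagged because the server advertised a private address and a port outside the assumed range, which is the usual symptom of a passive-mode server behind NAT without an external address configured.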
Liangxu Linux
Liangxu, a self-taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.
