scp - secure file transfer program.
scp [-4] [-6] [-a [arg]] [-b buffer_size] [-B]
[-c cipher] [-d][-D debug_level] [-F file] [-h] [-i file]
[-N max_requests] [-o option] [--overwrite yes|no|ask] [-p] [-P port]
[-q] [-Q] [--statistics yes|no|simple] [-r] [-u] [-v] [-V] [-W]
[[user@]host[#port]:]file_or_dir ... [[user@]host[#port]:]file_or_dir
scp is a file transfer program that provides a secure alternative to rcp. It uses authentication and encryption provided by ssh, and a Secure Shell server must be running on the remote computer. The scp client uses the `sftp' subsystem of the server to establish and manage the secure connection.
Both source and destination file names can include host and user specifications to indicate that files are to be copied to or from that host. Copies between two remote hosts are permitted. Wildcards are supported. When recursion is off (the default), name substitution occurs on file names only, not directories. When recursion is enabled (using -r), name substitution includes files and directories. By default, existing files are overwritten. To control overwrite behavior, use --overwrite. (If the files are identical no transfer occurs regardless of this setting value.)
Settings for scp connections are controlled by the ssh client configuration file. For details about these settings, see ssh2_config(5). You can also use the -ooption to configure settings on the scp command line. Command line options override configuration file settings.
Note: The sshd2_config(5) keyword AllowSftpCommands controls what kinds of operations users can perform using scp. This keyword supports a comma-separated list of one or more of the following: `all', `none', `browse', `download', `upload', `delete',`rename'.
Options are available in both a single-character form (such as ‑o) and a descriptive equivalent (‑‑option). Single characters are shown here. To view the descriptive equivalents, use the ‑h command line option.
Caution: All options specified on the command line (including user names, host names, and other sensitive information) will show up in a process status (ps) listing. Exercise care when specifying sensitive options and switches so that other users cannot easily see that information. A more secure alternative is to set these options in a configuration file and to protect the configuration file using recommended file permissions (configuration file = 600, directory containing the file = 700).
Forces connections using IPv4 addresses only. You can also configure IP address requirements using the AddressFamily keyword.
Forces connections using IPv6 addresses only. You can also configure IP address requirements using the AddressFamily keyword.
Transfers files in ASCII mode. Use the optional argument to handle newline conversion. You can specify either `unix' or `dos'. By default, the value you specify for newline_type sets the destination newline convention, but you can specify either source or destination conventions by prefixing the argument with `src:' or `dest:'. For example:
scp -a src:unix –a dest:dos unixhost:src_file winhost:dest_file
Defaults are: `dest:unix', `src:unix'. If destination and source types are the same, no conversion occurs. Otherwise a conversion occurs based on values you specify for the `src' and `dest' newline types.
When -a is used without specified source or destination conventions, the client attempts to retrieve the end-of-line convention for source and/or destination from the server(s) to which connections have been established. If the server does not support this functionality, the DOS end-of-line convention is assumed.
Specifies the buffer size used for data transfer. The default is 32768 bytes. The minimum allowed value is 1024. The maximum allowed value is 4194304 bytes. In most cases the default value provides close to optimal transfer speeds. On some systems, moderate increases to the buffer size can improve performance. Caution: Using very large buffer sizes rarely improves performance and can create problems including: slower transfers, transfer failures with servers that don't support very large buffers, and fatal errors when client or server memory limits are exceeded.
Runs scp in batch mode, which disables all queries for user input. This is useful for scripts and batch jobs. Authentication methods that require user interaction are not supported when you use this option. In batch mode scp always overwrites existing destination files unless --overwrite is set to `no'.
Specifies one or more (comma-separated) encryption algorithms supported by the client. The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server. Allowed values are `aes128-ctr', `aes128-cbc', `aes192-ctr', `aes192-cbc', `aes256-ctr', `aes256-cbc', `blowfish-cbc', `arcfour', `arcfour128', `arcfour256', `cast128-cbc', and `3des-cbc'.
You can also set this value to `none'. When `none' is the agreed on cipher, data is not encrypted. Note that this method provides no confidentiality protection, and is not recommended.
The following values are provided for convenience: `aes' (all supported aes ciphers), `blowfish' (equivalent to `blowfish-cbc'), `cast' (equivalent to `cast128-cbc'), `3des' (equivalent to `3des-cbc'), `Any' or `AnyStd' (all available ciphers plus `none'), and `AnyCipher' or `AnyStdCipher' (all available ciphers).
If no cipher is specified, the cipher is determined by the Ciphers keyword in the Secure Shell configuration file ssh2_config(5); the default is `AnyStdCipher'.
Forces the destination to be a directory that already exists. For example, the following command copies source_file to the directory called destination if this directory exists. If the directory doesn't exist, source_file is copied to the demo directory and given the file name destination.
scp source_file joe@myhost:~/demo/destination
With the -d flag added, the following command copies source_file to the destination directory, but fails if this directory doesn't exist.
scp -d source_file joe@myhost:~/demo/destination
Sets the debug level. Increasing the value increases the amount of information displayed. Use 1, 2, 3, or 99. (Values 4-98 are accepted, but are equivalent to 3.)
Specifies an additional configuration file. Settings are read from this file in addition to the default user-specific file (~/.ssh2/ssh2_config and/or the system-wide file (/etc/ssh2/ssh2_config). Settings in this file override settings in both the user-specific file and the system-wide file.
Displays a brief summary of command options.
Specifies an alternate identification file to use for public key authentication. The file location is assumed to be in the current working directory unless you specify a fully-qualified or relative path. The default identity file is ~/.ssh2/identification.
Specifies the maximum number of concurrent requests. Increasing this may slightly improve file transfer speed, but also increases memory use. The default is 256.
Sets any option that can be configured using a configuration file keyword. For a list of keywords and their meanings, see ssh2_config(5). Syntax alternatives are shown below. Use quotation marks to contain expressions that include spaces.
-o key1="sample value"
-o "key1 value"
-o key="value1, value2"
To configure multiple options, use multiple -o switches.
-o key1=value -o key2=value
Specifies whether or not to overwrite existing destination files. The allowed values are `yes', `no', and `ask'. The default is `yes'. Note: When the source and destination files are identical, no transfer occurs regardless of the value of this setting.
Preserves the modification times and file attributes of the original file.
Specifies the port to connect to on the server. The default is 22, which is the standard port for Secure Shell connections. You can also configure the port in the configuration file using the Port keyword.
Runs in quiet mode. Only fatal errors are displayed.
Disables display of all file transfer statistics.
Copies recursively, including all subdirectories.
Specifies how much information about the transfer is provided. When set to `yes', the the statistics include the filename, size, transfer rate, and a progress indicator that updates during the transfer. This is the default when a tty is present. When set to `simple', the statistics include the filename, size, and transfer rate, but no progress indicator. This is the default when there is no tty (for example in cron jobs). When set to `no', no transfer statistics are given (this is equivalent to the -Q option).
Note: Setting statistics output to `simple' can resolve problems caused when piping output to a file causes long filenames to be truncated.
Deletes the source file after the copy to the destination location is completed.
Sets the debug level to verbose mode, which is equivalent to setting the debug level to 2. You can also configure this in the configuration file using the VerboseMode keyword.
Displays product name and version information and exits. If other options are specified on the command line, they are ignored.
Specifies a file containing the password to use for the connection. Set permissions on the password file to 600; the file is not accepted if it has read or write permissions for group or other. Also, for a non-root user, the file is not accepted if there has been a change in identity (userid). This option applies only to password authentication. If AllowedAuthentications is configured to attempt keyboard-interactive before password authentication (the default), users will receive a password prompt even if a valid password file is present. To prevent this, modify the allowed authentications list to support only password authentication or to attempt password authentication before keyboard-interactive.
Note: Passphraseless public keys provide a more secure way to configure authentication without requiring user interaction, because private keys are not transmitted over the encrypted connection like passwords are.
Exit values are provided to assist in troubleshooting. In scripts we recommend that you use only zero or non-zero for error handling. Looking for specific non-zero values is not reliable because of variability caused by operating systems and servers.
1 An undetermined error occurred in the file copy.
2 The destination must be a directory and isn't.
4 A connection to the host could not be established.
5 The connection to the host was lost.
6 The specified file does not exist.
7 You don't have permission to access a specified file.
8 An undetermined error occurred.
9 There is a file transfer protocol mismatch.
255 An error occurred in ssh.
To transfer the remote file (file_remote) to the specified local name (file_local) and location:
scp joe@myhost:/source/file_remote /destination/file_local
To copy all *.htm files from the current working directory on the local computer to joe's default directory on myhost.com:
scp *.htm firstname.lastname@example.org:
To copy the specified file from remote host1 to remote host2. Note that two authentications will be required:
scp joe@host1:/dir/src_file joe@host2:/dir/dest_file
Copyright (C) 2016 Attachmate Corporation, a Micro Focus company. All rights reserved.
ssh(1), ssh2_config(5), ssh-keygen(1), sftp(1), ssh-add(1), ssh-agent(1), sshd(8), sshd2_config(5)
Additional Reflection for Secure IT documentation is available online from the documentation web page:
And from the technical note library: