1.\" $OpenBSD: sftp.1,v 1.132 2020/08/03 02:43:41 djm Exp $ 2.\" 3.\" Copyright (c) 2001 Damien Miller. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24.\" 25.Dd $Mdocdate: August 3 2020 $ 26.Dt SFTP 1 27.Os 28.Sh NAME 29.Nm sftp 30.Nd OpenSSH secure file transfer 31.Sh SYNOPSIS 32.Nm sftp 33.Op Fl 46AaCfNpqrv 34.Op Fl B Ar buffer_size 35.Op Fl b Ar batchfile 36.Op Fl c Ar cipher 37.Op Fl D Ar sftp_server_path 38.Op Fl F Ar ssh_config 39.Op Fl i Ar identity_file 40.Op Fl J Ar destination 41.Op Fl l Ar limit 42.Op Fl o Ar ssh_option 43.Op Fl P Ar port 44.Op Fl R Ar num_requests 45.Op Fl S Ar program 46.Op Fl s Ar subsystem | sftp_server 47.Ar destination 48.Sh DESCRIPTION 49.Nm 50is a file transfer program, similar to 51.Xr ftp 1 , 52which performs all operations over an encrypted 53.Xr ssh 1 54transport. 55It may also use many features of ssh, such as public key authentication and 56compression. 57.Pp 58The 59.Ar destination 60may be specified either as 61.Sm off 62.Oo user @ Oc host Op : path 63.Sm on 64or as a URI in the form 65.Sm off 66.No sftp:// Oo user @ Oc host Oo : port Oc Op / path . 67.Sm on 68.Pp 69If the 70.Ar destination 71includes a 72.Ar path 73and it is not a directory, 74.Nm 75will retrieve files automatically if a non-interactive 76authentication method is used; otherwise it will do so after 77successful interactive authentication. 78.Pp 79If no 80.Ar path 81is specified, or if the 82.Ar path 83is a directory, 84.Nm 85will log in to the specified 86.Ar host 87and enter interactive command mode, changing to the remote directory 88if one was specified. 89An optional trailing slash can be used to force the 90.Ar path 91to be interpreted as a directory. 92.Pp 93Since the destination formats use colon characters to delimit host 94names from path names or port numbers, IPv6 addresses must be 95enclosed in square brackets to avoid ambiguity. 96.Pp 97The options are as follows: 98.Bl -tag -width Ds 99.It Fl 4 100Forces 101.Nm 102to use IPv4 addresses only. 103.It Fl 6 104Forces 105.Nm 106to use IPv6 addresses only. 107.It Fl A 108Allows forwarding of 109.Xr ssh-agent 1 110to the remote system. 111The default is not to forward an authentication agent. 112.It Fl a 113Attempt to continue interrupted transfers rather than overwriting 114existing partial or complete copies of files. 115If the partial contents differ from those being transferred, 116then the resultant file is likely to be corrupt. 117.It Fl B Ar buffer_size 118Specify the size of the buffer that 119.Nm 120uses when transferring files. 121Larger buffers require fewer round trips at the cost of higher 122memory consumption. 123The default is 32768 bytes. 124.It Fl b Ar batchfile 125Batch mode reads a series of commands from an input 126.Ar batchfile 127instead of 128.Em stdin . 129Since it lacks user interaction it should be used in conjunction with 130non-interactive authentication to obviate the need to enter a password 131at connection time (see 132.Xr sshd 8 133and 134.Xr ssh-keygen 1 135for details). 136.Pp 137A 138.Ar batchfile 139of 140.Sq \- 141may be used to indicate standard input. 142.Nm 143will abort if any of the following 144commands fail: 145.Ic get , put , reget , reput , rename , ln , 146.Ic rm , mkdir , chdir , ls , 147.Ic lchdir , chmod , chown , 148.Ic chgrp , lpwd , df , symlink , 149and 150.Ic lmkdir . 151.Pp 152Termination on error can be suppressed on a command by command basis by 153prefixing the command with a 154.Sq \- 155character (for example, 156.Ic -rm /tmp/blah* ) . 157Echo of the command may be suppressed by prefixing the command with a 158.Sq @ 159character. 160These two prefixes may be combined in any order, for example 161.Ic -@ls /bsd . 162.It Fl C 163Enables compression (via ssh's 164.Fl C 165flag). 166.It Fl c Ar cipher 167Selects the cipher to use for encrypting the data transfers. 168This option is directly passed to 169.Xr ssh 1 . 170.It Fl D Ar sftp_server_path 171Connect directly to a local sftp server 172(rather than via 173.Xr ssh 1 ) . 174This option may be useful in debugging the client and server. 175.It Fl F Ar ssh_config 176Specifies an alternative 177per-user configuration file for 178.Xr ssh 1 . 179This option is directly passed to 180.Xr ssh 1 . 181.It Fl f 182Requests that files be flushed to disk immediately after transfer. 183When uploading files, this feature is only enabled if the server 184implements the "fsync@openssh.com" extension. 185.It Fl i Ar identity_file 186Selects the file from which the identity (private key) for public key 187authentication is read. 188This option is directly passed to 189.Xr ssh 1 . 190.It Fl J Ar destination 191Connect to the target host by first making an 192.Nm 193connection to the jump host described by 194.Ar destination 195and then establishing a TCP forwarding to the ultimate destination from 196there. 197Multiple jump hops may be specified separated by comma characters. 198This is a shortcut to specify a 199.Cm ProxyJump 200configuration directive. 201This option is directly passed to 202.Xr ssh 1 . 203.It Fl l Ar limit 204Limits the used bandwidth, specified in Kbit/s. 205.It Fl N 206Disables quiet mode, e.g. to override the implicit quiet mode set by the 207.Fl b 208flag. 209.It Fl o Ar ssh_option 210Can be used to pass options to 211.Nm ssh 212in the format used in 213.Xr ssh_config 5 . 214This is useful for specifying options 215for which there is no separate 216.Nm sftp 217command-line flag. 218For example, to specify an alternate port use: 219.Ic sftp -oPort=24 . 220For full details of the options listed below, and their possible values, see 221.Xr ssh_config 5 . 222.Pp 223.Bl -tag -width Ds -offset indent -compact 224.It AddressFamily 225.It BatchMode 226.It BindAddress 227.It BindInterface 228.It CanonicalDomains 229.It CanonicalizeFallbackLocal 230.It CanonicalizeHostname 231.It CanonicalizeMaxDots 232.It CanonicalizePermittedCNAMEs 233.It CASignatureAlgorithms 234.It CertificateFile 235.It ChallengeResponseAuthentication 236.It CheckHostIP 237.It Ciphers 238.It Compression 239.It ConnectionAttempts 240.It ConnectTimeout 241.It ControlMaster 242.It ControlPath 243.It ControlPersist 244.It GlobalKnownHostsFile 245.It GSSAPIAuthentication 246.It GSSAPIDelegateCredentials 247.It HashKnownHosts 248.It Host 249.It HostbasedAuthentication 250.It HostbasedKeyTypes 251.It HostKeyAlgorithms 252.It HostKeyAlias 253.It Hostname 254.It IdentitiesOnly 255.It IdentityAgent 256.It IdentityFile 257.It IPQoS 258.It KbdInteractiveAuthentication 259.It KbdInteractiveDevices 260.It KexAlgorithms 261.It LogLevel 262.It MACs 263.It NoHostAuthenticationForLocalhost 264.It NumberOfPasswordPrompts 265.It PasswordAuthentication 266.It PKCS11Provider 267.It Port 268.It PreferredAuthentications 269.It ProxyCommand 270.It ProxyJump 271.It PubkeyAcceptedKeyTypes 272.It PubkeyAuthentication 273.It RekeyLimit 274.It SendEnv 275.It ServerAliveInterval 276.It ServerAliveCountMax 277.It SetEnv 278.It StrictHostKeyChecking 279.It TCPKeepAlive 280.It UpdateHostKeys 281.It User 282.It UserKnownHostsFile 283.It VerifyHostKeyDNS 284.El 285.It Fl P Ar port 286Specifies the port to connect to on the remote host. 287.It Fl p 288Preserves modification times, access times, and modes from the 289original files transferred. 290.It Fl q 291Quiet mode: disables the progress meter as well as warning and 292diagnostic messages from 293.Xr ssh 1 . 294.It Fl R Ar num_requests 295Specify how many requests may be outstanding at any one time. 296Increasing this may slightly improve file transfer speed 297but will increase memory usage. 298The default is 64 outstanding requests. 299.It Fl r 300Recursively copy entire directories when uploading and downloading. 301Note that 302.Nm 303does not follow symbolic links encountered in the tree traversal. 304.It Fl S Ar program 305Name of the 306.Ar program 307to use for the encrypted connection. 308The program must understand 309.Xr ssh 1 310options. 311.It Fl s Ar subsystem | sftp_server 312Specifies the SSH2 subsystem or the path for an sftp server 313on the remote host. 314A path is useful when the remote 315.Xr sshd 8 316does not have an sftp subsystem configured. 317.It Fl v 318Raise logging level. 319This option is also passed to ssh. 320.El 321.Sh INTERACTIVE COMMANDS 322Once in interactive mode, 323.Nm 324understands a set of commands similar to those of 325.Xr ftp 1 . 326Commands are case insensitive. 327Pathnames that contain spaces must be enclosed in quotes. 328Any special characters contained within pathnames that are recognized by 329.Xr glob 3 330must be escaped with backslashes 331.Pq Sq \e . 332.Bl -tag -width Ds 333.It Ic bye 334Quit 335.Nm sftp . 336.It Ic cd Op Ar path 337Change remote directory to 338.Ar path . 339If 340.Ar path 341is not specified, then change directory to the one the session started in. 342.It Xo Ic chgrp 343.Op Fl h 344.Ar grp 345.Ar path 346.Xc 347Change group of file 348.Ar path 349to 350.Ar grp . 351If the 352.Fl h 353flag is specified, then symlinks will not be followed. 354.Ar path 355may contain 356.Xr glob 7 357characters and may match multiple files. 358.Ar grp 359must be a numeric GID. 360.It Xo Ic chmod 361.Op Fl h 362.Ar mode 363.Ar path 364.Xc 365Change permissions of file 366.Ar path 367to 368.Ar mode . 369If the 370.Fl h 371flag is specified, then symlinks will not be followed. 372.Ar path 373may contain 374.Xr glob 7 375characters and may match multiple files. 376.It Xo Ic chown 377.Op Fl h 378.Ar own 379.Ar path 380.Xc 381Change owner of file 382.Ar path 383to 384.Ar own . 385If the 386.Fl h 387flag is specified, then symlinks will not be followed. 388.Ar path 389may contain 390.Xr glob 7 391characters and may match multiple files. 392.Ar own 393must be a numeric UID. 394.It Xo Ic df 395.Op Fl hi 396.Op Ar path 397.Xc 398Display usage information for the filesystem holding the current directory 399(or 400.Ar path 401if specified). 402If the 403.Fl h 404flag is specified, the capacity information will be displayed using 405"human-readable" suffixes. 406The 407.Fl i 408flag requests display of inode information in addition to capacity information. 409This command is only supported on servers that implement the 410.Dq statvfs@openssh.com 411extension. 412.It Ic exit 413Quit 414.Nm sftp . 415.It Xo Ic get 416.Op Fl afpR 417.Ar remote-path 418.Op Ar local-path 419.Xc 420Retrieve the 421.Ar remote-path 422and store it on the local machine. 423If the local 424path name is not specified, it is given the same name it has on the 425remote machine. 426.Ar remote-path 427may contain 428.Xr glob 7 429characters and may match multiple files. 430If it does and 431.Ar local-path 432is specified, then 433.Ar local-path 434must specify a directory. 435.Pp 436If the 437.Fl a 438flag is specified, then attempt to resume partial transfers of existing files. 439Note that resumption assumes that any partial copy of the local file matches 440the remote copy. 441If the remote file contents differ from the partial local copy then the 442resultant file is likely to be corrupt. 443.Pp 444If the 445.Fl f 446flag is specified, then 447.Xr fsync 2 448will be called after the file transfer has completed to flush the file 449to disk. 450.Pp 451If the 452.Fl p 453.\" undocumented redundant alias 454.\" or 455.\" .Fl P 456flag is specified, then full file permissions and access times are 457copied too. 458.Pp 459If the 460.Fl R 461.\" undocumented redundant alias 462.\" or 463.\" .Fl r 464flag is specified then directories will be copied recursively. 465Note that 466.Nm 467does not follow symbolic links when performing recursive transfers. 468.It Ic help 469Display help text. 470.It Ic lcd Op Ar path 471Change local directory to 472.Ar path . 473If 474.Ar path 475is not specified, then change directory to the local user's home directory. 476.It Ic lls Op Ar ls-options Op Ar path 477Display local directory listing of either 478.Ar path 479or current directory if 480.Ar path 481is not specified. 482.Ar ls-options 483may contain any flags supported by the local system's 484.Xr ls 1 485command. 486.Ar path 487may contain 488.Xr glob 7 489characters and may match multiple files. 490.It Ic lmkdir Ar path 491Create local directory specified by 492.Ar path . 493.It Xo Ic ln 494.Op Fl s 495.Ar oldpath 496.Ar newpath 497.Xc 498Create a link from 499.Ar oldpath 500to 501.Ar newpath . 502If the 503.Fl s 504flag is specified the created link is a symbolic link, otherwise it is 505a hard link. 506.It Ic lpwd 507Print local working directory. 508.It Xo Ic ls 509.Op Fl 1afhlnrSt 510.Op Ar path 511.Xc 512Display a remote directory listing of either 513.Ar path 514or the current directory if 515.Ar path 516is not specified. 517.Ar path 518may contain 519.Xr glob 7 520characters and may match multiple files. 521.Pp 522The following flags are recognized and alter the behaviour of 523.Ic ls 524accordingly: 525.Bl -tag -width Ds 526.It Fl 1 527Produce single columnar output. 528.It Fl a 529List files beginning with a dot 530.Pq Sq \&. . 531.It Fl f 532Do not sort the listing. 533The default sort order is lexicographical. 534.It Fl h 535When used with a long format option, use unit suffixes: Byte, Kilobyte, 536Megabyte, Gigabyte, Terabyte, Petabyte, and Exabyte in order to reduce 537the number of digits to four or fewer using powers of 2 for sizes (K=1024, 538M=1048576, etc.). 539.It Fl l 540Display additional details including permissions 541and ownership information. 542.It Fl n 543Produce a long listing with user and group information presented 544numerically. 545.It Fl r 546Reverse the sort order of the listing. 547.It Fl S 548Sort the listing by file size. 549.It Fl t 550Sort the listing by last modification time. 551.El 552.It Ic lumask Ar umask 553Set local umask to 554.Ar umask . 555.It Ic mkdir Ar path 556Create remote directory specified by 557.Ar path . 558.It Ic progress 559Toggle display of progress meter. 560.It Xo Ic put 561.Op Fl afpR 562.Ar local-path 563.Op Ar remote-path 564.Xc 565Upload 566.Ar local-path 567and store it on the remote machine. 568If the remote path name is not specified, it is given the same name it has 569on the local machine. 570.Ar local-path 571may contain 572.Xr glob 7 573characters and may match multiple files. 574If it does and 575.Ar remote-path 576is specified, then 577.Ar remote-path 578must specify a directory. 579.Pp 580If the 581.Fl a 582flag is specified, then attempt to resume partial 583transfers of existing files. 584Note that resumption assumes that any partial copy of the remote file 585matches the local copy. 586If the local file contents differ from the remote local copy then 587the resultant file is likely to be corrupt. 588.Pp 589If the 590.Fl f 591flag is specified, then a request will be sent to the server to call 592.Xr fsync 2 593after the file has been transferred. 594Note that this is only supported by servers that implement 595the "fsync@openssh.com" extension. 596.Pp 597If the 598.Fl p 599.\" undocumented redundant alias 600.\" or 601.\" .Fl P 602flag is specified, then full file permissions and access times are 603copied too. 604.Pp 605If the 606.Fl R 607.\" undocumented redundant alias 608.\" or 609.\" .Fl r 610flag is specified then directories will be copied recursively. 611Note that 612.Nm 613does not follow symbolic links when performing recursive transfers. 614.It Ic pwd 615Display remote working directory. 616.It Ic quit 617Quit 618.Nm sftp . 619.It Xo Ic reget 620.Op Fl fpR 621.Ar remote-path 622.Op Ar local-path 623.Xc 624Resume download of 625.Ar remote-path . 626Equivalent to 627.Ic get 628with the 629.Fl a 630flag set. 631.It Xo Ic reput 632.Op Fl fpR 633.Ar local-path 634.Op Ar remote-path 635.Xc 636Resume upload of 637.Ar local-path . 638Equivalent to 639.Ic put 640with the 641.Fl a 642flag set. 643.It Ic rename Ar oldpath newpath 644Rename remote file from 645.Ar oldpath 646to 647.Ar newpath . 648.It Ic rm Ar path 649Delete remote file specified by 650.Ar path . 651.It Ic rmdir Ar path 652Remove remote directory specified by 653.Ar path . 654.It Ic symlink Ar oldpath newpath 655Create a symbolic link from 656.Ar oldpath 657to 658.Ar newpath . 659.It Ic version 660Display the 661.Nm 662protocol version. 663.It Ic \&! Ns Ar command 664Execute 665.Ar command 666in local shell. 667.It Ic \&! 668Escape to local shell. 669.It Ic \&? 670Synonym for help. 671.El 672.Sh SEE ALSO 673.Xr ftp 1 , 674.Xr ls 1 , 675.Xr scp 1 , 676.Xr ssh 1 , 677.Xr ssh-add 1 , 678.Xr ssh-keygen 1 , 679.Xr ssh_config 5 , 680.Xr glob 7 , 681.Xr sftp-server 8 , 682.Xr sshd 8 683.Rs 684.%A T. Ylonen 685.%A S. Lehtinen 686.%T "SSH File Transfer Protocol" 687.%N draft-ietf-secsh-filexfer-00.txt 688.%D January 2001 689.%O work in progress material 690.Re 691