1.\" $OpenBSD: sftp.1,v 1.131 2020/04/23 21:28:09 jmc Exp $ 2.\" 3.\" Copyright (c) 2001 Damien Miller. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24.\" 25.Dd $Mdocdate: April 23 2020 $ 26.Dt SFTP 1 27.Os 28.Sh NAME 29.Nm sftp 30.Nd OpenSSH secure file transfer 31.Sh SYNOPSIS 32.Nm sftp 33.Op Fl 46aCfNpqrv 34.Op Fl B Ar buffer_size 35.Op Fl b Ar batchfile 36.Op Fl c Ar cipher 37.Op Fl D Ar sftp_server_path 38.Op Fl F Ar ssh_config 39.Op Fl i Ar identity_file 40.Op Fl J Ar destination 41.Op Fl l Ar limit 42.Op Fl o Ar ssh_option 43.Op Fl P Ar port 44.Op Fl R Ar num_requests 45.Op Fl S Ar program 46.Op Fl s Ar subsystem | sftp_server 47.Ar destination 48.Sh DESCRIPTION 49.Nm 50is a file transfer program, similar to 51.Xr ftp 1 , 52which performs all operations over an encrypted 53.Xr ssh 1 54transport. 55It may also use many features of ssh, such as public key authentication and 56compression. 57.Pp 58The 59.Ar destination 60may be specified either as 61.Sm off 62.Oo user @ Oc host Op : path 63.Sm on 64or as a URI in the form 65.Sm off 66.No sftp:// Oo user @ Oc host Oo : port Oc Op / path . 67.Sm on 68.Pp 69If the 70.Ar destination 71includes a 72.Ar path 73and it is not a directory, 74.Nm 75will retrieve files automatically if a non-interactive 76authentication method is used; otherwise it will do so after 77successful interactive authentication. 78.Pp 79If no 80.Ar path 81is specified, or if the 82.Ar path 83is a directory, 84.Nm 85will log in to the specified 86.Ar host 87and enter interactive command mode, changing to the remote directory 88if one was specified. 89An optional trailing slash can be used to force the 90.Ar path 91to be interpreted as a directory. 92.Pp 93Since the destination formats use colon characters to delimit host 94names from path names or port numbers, IPv6 addresses must be 95enclosed in square brackets to avoid ambiguity. 96.Pp 97The options are as follows: 98.Bl -tag -width Ds 99.It Fl 4 100Forces 101.Nm 102to use IPv4 addresses only. 103.It Fl 6 104Forces 105.Nm 106to use IPv6 addresses only. 107.It Fl a 108Attempt to continue interrupted transfers rather than overwriting 109existing partial or complete copies of files. 110If the partial contents differ from those being transferred, 111then the resultant file is likely to be corrupt. 112.It Fl B Ar buffer_size 113Specify the size of the buffer that 114.Nm 115uses when transferring files. 116Larger buffers require fewer round trips at the cost of higher 117memory consumption. 118The default is 32768 bytes. 119.It Fl b Ar batchfile 120Batch mode reads a series of commands from an input 121.Ar batchfile 122instead of 123.Em stdin . 124Since it lacks user interaction it should be used in conjunction with 125non-interactive authentication to obviate the need to enter a password 126at connection time (see 127.Xr sshd 8 128and 129.Xr ssh-keygen 1 130for details). 131.Pp 132A 133.Ar batchfile 134of 135.Sq \- 136may be used to indicate standard input. 137.Nm 138will abort if any of the following 139commands fail: 140.Ic get , put , reget , reput , rename , ln , 141.Ic rm , mkdir , chdir , ls , 142.Ic lchdir , chmod , chown , 143.Ic chgrp , lpwd , df , symlink , 144and 145.Ic lmkdir . 146.Pp 147Termination on error can be suppressed on a command by command basis by 148prefixing the command with a 149.Sq \- 150character (for example, 151.Ic -rm /tmp/blah* ) . 152Echo of the command may be suppressed by prefixing the command with a 153.Sq @ 154character. 155These two prefixes may be combined in any order, for example 156.Ic -@ls /bsd . 157.It Fl C 158Enables compression (via ssh's 159.Fl C 160flag). 161.It Fl c Ar cipher 162Selects the cipher to use for encrypting the data transfers. 163This option is directly passed to 164.Xr ssh 1 . 165.It Fl D Ar sftp_server_path 166Connect directly to a local sftp server 167(rather than via 168.Xr ssh 1 ) . 169This option may be useful in debugging the client and server. 170.It Fl F Ar ssh_config 171Specifies an alternative 172per-user configuration file for 173.Xr ssh 1 . 174This option is directly passed to 175.Xr ssh 1 . 176.It Fl f 177Requests that files be flushed to disk immediately after transfer. 178When uploading files, this feature is only enabled if the server 179implements the "fsync@openssh.com" extension. 180.It Fl i Ar identity_file 181Selects the file from which the identity (private key) for public key 182authentication is read. 183This option is directly passed to 184.Xr ssh 1 . 185.It Fl J Ar destination 186Connect to the target host by first making an 187.Nm 188connection to the jump host described by 189.Ar destination 190and then establishing a TCP forwarding to the ultimate destination from 191there. 192Multiple jump hops may be specified separated by comma characters. 193This is a shortcut to specify a 194.Cm ProxyJump 195configuration directive. 196This option is directly passed to 197.Xr ssh 1 . 198.It Fl l Ar limit 199Limits the used bandwidth, specified in Kbit/s. 200.It Fl N 201Disables quiet mode, e.g. to override the implicit quiet mode set by the 202.Fl b 203flag. 204.It Fl o Ar ssh_option 205Can be used to pass options to 206.Nm ssh 207in the format used in 208.Xr ssh_config 5 . 209This is useful for specifying options 210for which there is no separate 211.Nm sftp 212command-line flag. 213For example, to specify an alternate port use: 214.Ic sftp -oPort=24 . 215For full details of the options listed below, and their possible values, see 216.Xr ssh_config 5 . 217.Pp 218.Bl -tag -width Ds -offset indent -compact 219.It AddressFamily 220.It BatchMode 221.It BindAddress 222.It BindInterface 223.It CanonicalDomains 224.It CanonicalizeFallbackLocal 225.It CanonicalizeHostname 226.It CanonicalizeMaxDots 227.It CanonicalizePermittedCNAMEs 228.It CASignatureAlgorithms 229.It CertificateFile 230.It ChallengeResponseAuthentication 231.It CheckHostIP 232.It Ciphers 233.It Compression 234.It ConnectionAttempts 235.It ConnectTimeout 236.It ControlMaster 237.It ControlPath 238.It ControlPersist 239.It GlobalKnownHostsFile 240.It GSSAPIAuthentication 241.It GSSAPIDelegateCredentials 242.It HashKnownHosts 243.It Host 244.It HostbasedAuthentication 245.It HostbasedKeyTypes 246.It HostKeyAlgorithms 247.It HostKeyAlias 248.It Hostname 249.It IdentitiesOnly 250.It IdentityAgent 251.It IdentityFile 252.It IPQoS 253.It KbdInteractiveAuthentication 254.It KbdInteractiveDevices 255.It KexAlgorithms 256.It LogLevel 257.It MACs 258.It NoHostAuthenticationForLocalhost 259.It NumberOfPasswordPrompts 260.It PasswordAuthentication 261.It PKCS11Provider 262.It Port 263.It PreferredAuthentications 264.It ProxyCommand 265.It ProxyJump 266.It PubkeyAcceptedKeyTypes 267.It PubkeyAuthentication 268.It RekeyLimit 269.It SendEnv 270.It ServerAliveInterval 271.It ServerAliveCountMax 272.It SetEnv 273.It StrictHostKeyChecking 274.It TCPKeepAlive 275.It UpdateHostKeys 276.It User 277.It UserKnownHostsFile 278.It VerifyHostKeyDNS 279.El 280.It Fl P Ar port 281Specifies the port to connect to on the remote host. 282.It Fl p 283Preserves modification times, access times, and modes from the 284original files transferred. 285.It Fl q 286Quiet mode: disables the progress meter as well as warning and 287diagnostic messages from 288.Xr ssh 1 . 289.It Fl R Ar num_requests 290Specify how many requests may be outstanding at any one time. 291Increasing this may slightly improve file transfer speed 292but will increase memory usage. 293The default is 64 outstanding requests. 294.It Fl r 295Recursively copy entire directories when uploading and downloading. 296Note that 297.Nm 298does not follow symbolic links encountered in the tree traversal. 299.It Fl S Ar program 300Name of the 301.Ar program 302to use for the encrypted connection. 303The program must understand 304.Xr ssh 1 305options. 306.It Fl s Ar subsystem | sftp_server 307Specifies the SSH2 subsystem or the path for an sftp server 308on the remote host. 309A path is useful when the remote 310.Xr sshd 8 311does not have an sftp subsystem configured. 312.It Fl v 313Raise logging level. 314This option is also passed to ssh. 315.El 316.Sh INTERACTIVE COMMANDS 317Once in interactive mode, 318.Nm 319understands a set of commands similar to those of 320.Xr ftp 1 . 321Commands are case insensitive. 322Pathnames that contain spaces must be enclosed in quotes. 323Any special characters contained within pathnames that are recognized by 324.Xr glob 3 325must be escaped with backslashes 326.Pq Sq \e . 327.Bl -tag -width Ds 328.It Ic bye 329Quit 330.Nm sftp . 331.It Ic cd Op Ar path 332Change remote directory to 333.Ar path . 334If 335.Ar path 336is not specified, then change directory to the one the session started in. 337.It Xo Ic chgrp 338.Op Fl h 339.Ar grp 340.Ar path 341.Xc 342Change group of file 343.Ar path 344to 345.Ar grp . 346If the 347.Fl h 348flag is specified, then symlinks will not be followed. 349.Ar path 350may contain 351.Xr glob 7 352characters and may match multiple files. 353.Ar grp 354must be a numeric GID. 355.It Xo Ic chmod 356.Op Fl h 357.Ar mode 358.Ar path 359.Xc 360Change permissions of file 361.Ar path 362to 363.Ar mode . 364If the 365.Fl h 366flag is specified, then symlinks will not be followed. 367.Ar path 368may contain 369.Xr glob 7 370characters and may match multiple files. 371.It Xo Ic chown 372.Op Fl h 373.Ar own 374.Ar path 375.Xc 376Change owner of file 377.Ar path 378to 379.Ar own . 380If the 381.Fl h 382flag is specified, then symlinks will not be followed. 383.Ar path 384may contain 385.Xr glob 7 386characters and may match multiple files. 387.Ar own 388must be a numeric UID. 389.It Xo Ic df 390.Op Fl hi 391.Op Ar path 392.Xc 393Display usage information for the filesystem holding the current directory 394(or 395.Ar path 396if specified). 397If the 398.Fl h 399flag is specified, the capacity information will be displayed using 400"human-readable" suffixes. 401The 402.Fl i 403flag requests display of inode information in addition to capacity information. 404This command is only supported on servers that implement the 405.Dq statvfs@openssh.com 406extension. 407.It Ic exit 408Quit 409.Nm sftp . 410.It Xo Ic get 411.Op Fl afpR 412.Ar remote-path 413.Op Ar local-path 414.Xc 415Retrieve the 416.Ar remote-path 417and store it on the local machine. 418If the local 419path name is not specified, it is given the same name it has on the 420remote machine. 421.Ar remote-path 422may contain 423.Xr glob 7 424characters and may match multiple files. 425If it does and 426.Ar local-path 427is specified, then 428.Ar local-path 429must specify a directory. 430.Pp 431If the 432.Fl a 433flag is specified, then attempt to resume partial transfers of existing files. 434Note that resumption assumes that any partial copy of the local file matches 435the remote copy. 436If the remote file contents differ from the partial local copy then the 437resultant file is likely to be corrupt. 438.Pp 439If the 440.Fl f 441flag is specified, then 442.Xr fsync 2 443will be called after the file transfer has completed to flush the file 444to disk. 445.Pp 446If the 447.Fl p 448.\" undocumented redundant alias 449.\" or 450.\" .Fl P 451flag is specified, then full file permissions and access times are 452copied too. 453.Pp 454If the 455.Fl R 456.\" undocumented redundant alias 457.\" or 458.\" .Fl r 459flag is specified then directories will be copied recursively. 460Note that 461.Nm 462does not follow symbolic links when performing recursive transfers. 463.It Ic help 464Display help text. 465.It Ic lcd Op Ar path 466Change local directory to 467.Ar path . 468If 469.Ar path 470is not specified, then change directory to the local user's home directory. 471.It Ic lls Op Ar ls-options Op Ar path 472Display local directory listing of either 473.Ar path 474or current directory if 475.Ar path 476is not specified. 477.Ar ls-options 478may contain any flags supported by the local system's 479.Xr ls 1 480command. 481.Ar path 482may contain 483.Xr glob 7 484characters and may match multiple files. 485.It Ic lmkdir Ar path 486Create local directory specified by 487.Ar path . 488.It Xo Ic ln 489.Op Fl s 490.Ar oldpath 491.Ar newpath 492.Xc 493Create a link from 494.Ar oldpath 495to 496.Ar newpath . 497If the 498.Fl s 499flag is specified the created link is a symbolic link, otherwise it is 500a hard link. 501.It Ic lpwd 502Print local working directory. 503.It Xo Ic ls 504.Op Fl 1afhlnrSt 505.Op Ar path 506.Xc 507Display a remote directory listing of either 508.Ar path 509or the current directory if 510.Ar path 511is not specified. 512.Ar path 513may contain 514.Xr glob 7 515characters and may match multiple files. 516.Pp 517The following flags are recognized and alter the behaviour of 518.Ic ls 519accordingly: 520.Bl -tag -width Ds 521.It Fl 1 522Produce single columnar output. 523.It Fl a 524List files beginning with a dot 525.Pq Sq \&. . 526.It Fl f 527Do not sort the listing. 528The default sort order is lexicographical. 529.It Fl h 530When used with a long format option, use unit suffixes: Byte, Kilobyte, 531Megabyte, Gigabyte, Terabyte, Petabyte, and Exabyte in order to reduce 532the number of digits to four or fewer using powers of 2 for sizes (K=1024, 533M=1048576, etc.). 534.It Fl l 535Display additional details including permissions 536and ownership information. 537.It Fl n 538Produce a long listing with user and group information presented 539numerically. 540.It Fl r 541Reverse the sort order of the listing. 542.It Fl S 543Sort the listing by file size. 544.It Fl t 545Sort the listing by last modification time. 546.El 547.It Ic lumask Ar umask 548Set local umask to 549.Ar umask . 550.It Ic mkdir Ar path 551Create remote directory specified by 552.Ar path . 553.It Ic progress 554Toggle display of progress meter. 555.It Xo Ic put 556.Op Fl afpR 557.Ar local-path 558.Op Ar remote-path 559.Xc 560Upload 561.Ar local-path 562and store it on the remote machine. 563If the remote path name is not specified, it is given the same name it has 564on the local machine. 565.Ar local-path 566may contain 567.Xr glob 7 568characters and may match multiple files. 569If it does and 570.Ar remote-path 571is specified, then 572.Ar remote-path 573must specify a directory. 574.Pp 575If the 576.Fl a 577flag is specified, then attempt to resume partial 578transfers of existing files. 579Note that resumption assumes that any partial copy of the remote file 580matches the local copy. 581If the local file contents differ from the remote local copy then 582the resultant file is likely to be corrupt. 583.Pp 584If the 585.Fl f 586flag is specified, then a request will be sent to the server to call 587.Xr fsync 2 588after the file has been transferred. 589Note that this is only supported by servers that implement 590the "fsync@openssh.com" extension. 591.Pp 592If the 593.Fl p 594.\" undocumented redundant alias 595.\" or 596.\" .Fl P 597flag is specified, then full file permissions and access times are 598copied too. 599.Pp 600If the 601.Fl R 602.\" undocumented redundant alias 603.\" or 604.\" .Fl r 605flag is specified then directories will be copied recursively. 606Note that 607.Nm 608does not follow symbolic links when performing recursive transfers. 609.It Ic pwd 610Display remote working directory. 611.It Ic quit 612Quit 613.Nm sftp . 614.It Xo Ic reget 615.Op Fl fpR 616.Ar remote-path 617.Op Ar local-path 618.Xc 619Resume download of 620.Ar remote-path . 621Equivalent to 622.Ic get 623with the 624.Fl a 625flag set. 626.It Xo Ic reput 627.Op Fl fpR 628.Ar local-path 629.Op Ar remote-path 630.Xc 631Resume upload of 632.Ar local-path . 633Equivalent to 634.Ic put 635with the 636.Fl a 637flag set. 638.It Ic rename Ar oldpath newpath 639Rename remote file from 640.Ar oldpath 641to 642.Ar newpath . 643.It Ic rm Ar path 644Delete remote file specified by 645.Ar path . 646.It Ic rmdir Ar path 647Remove remote directory specified by 648.Ar path . 649.It Ic symlink Ar oldpath newpath 650Create a symbolic link from 651.Ar oldpath 652to 653.Ar newpath . 654.It Ic version 655Display the 656.Nm 657protocol version. 658.It Ic \&! Ns Ar command 659Execute 660.Ar command 661in local shell. 662.It Ic \&! 663Escape to local shell. 664.It Ic \&? 665Synonym for help. 666.El 667.Sh SEE ALSO 668.Xr ftp 1 , 669.Xr ls 1 , 670.Xr scp 1 , 671.Xr ssh 1 , 672.Xr ssh-add 1 , 673.Xr ssh-keygen 1 , 674.Xr ssh_config 5 , 675.Xr glob 7 , 676.Xr sftp-server 8 , 677.Xr sshd 8 678.Rs 679.%A T. Ylonen 680.%A S. Lehtinen 681.%T "SSH File Transfer Protocol" 682.%N draft-ietf-secsh-filexfer-00.txt 683.%D January 2001 684.%O work in progress material 685.Re 686