jcs's openbsd hax
.\"
.\" scp.1
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\"
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
.\" All rights reserved
.\"
.\" Created: Sun May 7 00:14:37 1995 ylo
.\"
.\" $OpenBSD: scp.1,v 1.115 2025/10/04 21:41:35 naddy Exp $
.\"
.Dd $Mdocdate: October 4 2025 $
.Dt SCP 1
.Os
.Sh NAME
.Nm scp
.Nd OpenSSH secure file copy
.Sh SYNOPSIS
.Nm scp
.Op Fl 346ABCOpqRrsTv
.Op Fl c Ar cipher
.Op Fl D Ar sftp_server_path
.Op Fl F Ar ssh_config
.Op Fl i Ar identity_file
.Op Fl J Ar destination
.Op Fl l Ar limit
.Op Fl o Ar ssh_option
.Op Fl P Ar port
.Op Fl S Ar program
.Op Fl X Ar sftp_option
.Ar source ... target
.Sh DESCRIPTION
.Nm
copies files between hosts on a network.
.Pp
.Nm
uses the SFTP protocol over an
.Xr ssh 1
connection for data transfer, and uses the same authentication and provides
the same security as a login session.
.Pp
.Nm
will ask for passwords or passphrases if they are needed for
authentication.
.Pp
The
.Ar source
and
.Ar target
may be specified as a local pathname, a remote host with optional path
in the form
.Sm off
.Oo user @ Oc host : Op path ,
.Sm on
or a URI in the form
.Sm off
.No scp:// Oo user @ Oc host Oo : port Oc Op / path .
.Sm on
Local file names can be made explicit using absolute or relative pathnames
to avoid
.Nm
treating file names containing
.Sq :\&
as host specifiers.
.Pp
When copying between two remote hosts, if the URI format is used, a
.Ar port
cannot be specified on the
.Ar target
if the
.Fl R
option is used.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl 3
Copies between two remote hosts are transferred through the local host.
This mode is the default,
but see also the
.Fl R
option for copying data directly between two remote hosts.
Note that when using the legacy SCP protocol (via the
.Fl O
flag), this option
selects batch mode for the second host as
.Nm
cannot ask for passwords or passphrases for both hosts.
.It Fl 4
Forces
.Nm
to use IPv4 addresses only.
.It Fl 6
Forces
.Nm
to use IPv6 addresses only.
.It Fl A
Allows forwarding of
.Xr ssh-agent 1
to the remote system.
The default is not to forward an authentication agent.
.It Fl B
Selects batch mode (prevents asking for passwords or passphrases).
.It Fl C
Compression enable.
Passes the
.Fl C
flag to
.Xr ssh 1
to enable compression.
.It Fl c Ar cipher
Selects the cipher to use for encrypting the data transfer.
This option is directly passed to
.Xr ssh 1 .
.It Fl D Ar sftp_server_path
Connect directly to a local SFTP server program rather than a
remote one via
.Xr ssh 1 .
This option may be useful in debugging the client and server.
.It Fl F Ar ssh_config
Specifies an alternative
per-user configuration file for
.Nm ssh .
This option is directly passed to
.Xr ssh 1 .
.It Fl i Ar identity_file
Selects the file from which the identity (private key) for public key
authentication is read.
This option is directly passed to
.Xr ssh 1 .
.It Fl J Ar destination
Connect to the target host by first making an
.Nm
connection to the jump host described by
.Ar destination
and then establishing a TCP forwarding to the ultimate destination from
there.
Multiple jump hops may be specified separated by comma characters.
This is a shortcut to specify a
.Cm ProxyJump
configuration directive.
This option is directly passed to
.Xr ssh 1 .
.It Fl l Ar limit
Limits the used bandwidth, specified in Kbit/s.
.It Fl O
Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
Forcing the use of the SCP protocol may be necessary for servers that do
not implement SFTP, for backwards-compatibility for particular filename
wildcard patterns and for expanding paths with a
.Sq ~
prefix for older SFTP servers.
.It Fl o Ar ssh_option
Can be used to pass options to
.Nm ssh
in the format used in
.Xr ssh_config 5 .
This is useful for specifying options
for which there is no separate
.Nm scp
command-line flag.
For full details of the options listed below, and their possible values, see
.Xr ssh_config 5 .
.Pp
.Bl -tag -width Ds -offset indent -compact
.It AddKeysToAgent
.It AddressFamily
.It BatchMode
.It BindAddress
.It BindInterface
.It CASignatureAlgorithms
.It CanonicalDomains
.It CanonicalizeFallbackLocal
.It CanonicalizeHostname
.It CanonicalizeMaxDots
.It CanonicalizePermittedCNAMEs
.It CertificateFile
.It ChannelTimeout
.It CheckHostIP
.It Ciphers
.It ClearAllForwardings
.It Compression
.It ConnectTimeout
.It ConnectionAttempts
.It ControlMaster
.It ControlPath
.It ControlPersist
.It DynamicForward
.It EnableEscapeCommandline
.It EnableSSHKeysign
.It EscapeChar
.It ExitOnForwardFailure
.It FingerprintHash
.It ForkAfterAuthentication
.It ForwardAgent
.It ForwardX11
.It ForwardX11Timeout
.It ForwardX11Trusted
.It GSSAPIAuthentication
.It GSSAPIDelegateCredentials
.It GatewayPorts
.It GlobalKnownHostsFile
.It HashKnownHosts
.It Host
.It HostKeyAlgorithms
.It HostKeyAlias
.It HostbasedAcceptedAlgorithms
.It HostbasedAuthentication
.It Hostname
.It IPQoS
.It IdentitiesOnly
.It IdentityAgent
.It IdentityFile
.It IgnoreUnknown
.It Include
.It KbdInteractiveAuthentication
.It KbdInteractiveDevices
.It KexAlgorithms
.It KnownHostsCommand
.It LocalCommand
.It LocalForward
.It LogLevel
.It LogVerbose
.It MACs
.It NoHostAuthenticationForLocalhost
.It NumberOfPasswordPrompts
.It ObscureKeystrokeTiming
.It PKCS11Provider
.It PasswordAuthentication
.It PermitLocalCommand
.It PermitRemoteOpen
.It Port
.It PreferredAuthentications
.It ProxyCommand
.It ProxyJump
.It ProxyUseFdpass
.It PubkeyAcceptedAlgorithms
.It PubkeyAuthentication
.It RekeyLimit
.It RemoteCommand
.It RemoteForward
.It RequestTTY
.It RequiredRSASize
.It RevokedHostKeys
.It SecurityKeyProvider
.It SendEnv
.It ServerAliveCountMax
.It ServerAliveInterval
.It SessionType
.It SetEnv
.It StdinNull
.It StreamLocalBindMask
.It StreamLocalBindUnlink
.It StrictHostKeyChecking
.It SyslogFacility
.It TCPKeepAlive
.It Tag
.It Tunnel
.It TunnelDevice
.It UpdateHostKeys
.It User
.It UserKnownHostsFile
.It VerifyHostKeyDNS
.It VisualHostKey
.It XAuthLocation
.El
.It Fl P Ar port
Specifies the port to connect to on the remote host.
Note that this option is written with a capital
.Sq P ,
because
.Fl p
is already reserved for preserving the times and mode bits of the file.
.It Fl p
Preserves modification times, access times, and file mode bits from the
source file.
.It Fl q
Quiet mode: disables the progress meter as well as warning and diagnostic
messages from
.Xr ssh 1 .
.It Fl R
Copies between two remote hosts are transferred through the local host
by default.
This option instead copies between two remote hosts by connecting to the origin
host and executing
.Nm
there.
This requires that
.Nm
running on the origin host can authenticate to the destination host without
requiring a password.
.It Fl r
Recursively copy entire directories.
Note that
.Nm
follows symbolic links encountered in the tree traversal.
.It Fl S Ar program
Name of
.Ar program
to use for the encrypted connection.
The program must understand
.Xr ssh 1
options.
.It Fl T
Disable strict filename checking.
By default when copying files from a remote host to a local directory
.Nm
checks that the received filenames match those requested on the command-line
to prevent the remote end from sending unexpected or unwanted files.
Because of differences in how various operating systems and shells interpret
filename wildcards, these checks may cause wanted files to be rejected.
This option disables these checks at the expense of fully trusting that
the server will not send unexpected filenames.
.It Fl v
Verbose mode.
Causes
.Nm
and
.Xr ssh 1
to print debugging messages about their progress.
This is helpful in
debugging connection, authentication, and configuration problems.
.It Fl X Ar sftp_option
Specify an option that controls aspects of SFTP protocol behaviour.
The valid options are:
.Bl -tag -width Ds
.It Cm nrequests Ns = Ns Ar value
Controls how many concurrent SFTP read or write requests may be in progress
at any point in time during a download or upload.
By default 64 requests may be active concurrently.
.It Cm buffer Ns = Ns Ar value
Controls the maximum buffer size for a single SFTP read/write operation used
during download or upload.
By default a 32KB buffer is used.
.El
.El
.Sh EXIT STATUS
.Ex -std scp
.Sh SEE ALSO
.Xr sftp 1 ,
.Xr ssh 1 ,
.Xr ssh-add 1 ,
.Xr ssh-agent 1 ,
.Xr ssh-keygen 1 ,
.Xr ssh_config 5 ,
.Xr sftp-server 8 ,
.Xr sshd 8
.Sh HISTORY
.Nm
is based on the rcp program in
.Bx
source code from the Regents of the University of California.
.Pp
Since OpenSSH 9.0,
.Nm
has used the SFTP protocol for transfers by default.
.Sh AUTHORS
.An Timo Rinne Aq Mt tri@iki.fi
.An Tatu Ylonen Aq Mt ylo@cs.hut.fi
.Sh CAVEATS
The legacy SCP protocol (selected by the
.Fl O
flag) requires execution of the remote user's shell to perform
.Xr glob 3
pattern matching.
This requires careful quoting of any characters that have special meaning to
the remote shell, such as quote characters.
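The quoting requirement in CAVEATS, as an added example that is not part of the OpenSSH manual or source: a helper that single-quotes a file name for the remote shell, checked against a local `sh` standing in for that shell. The function names `remote_quote` and `remote_shell_sees`, the sample file names and `user@host` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: quoting a file name for the remote shell used by "scp -O".

# Wrap one argument in single quotes so a POSIX shell reads it back as one
# literal word. Each embedded ' becomes '\'' (close, escaped quote, reopen).
# Trailing newlines in the name are not preserved by the command substitution.
remote_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Stand-in for the remote login shell: it parses the text it is handed and
# prints the resulting words back to back. Nothing from the name is executed.
remote_shell_sees() {
    sh -c "printf '%s' $1"
}

# Constructed sample names containing a quote, blanks, '$' and a glob character.
for name in "it's a report.txt" 'cost $5 *.txt'; do
    quoted=$(remote_quote "$name")
    printf 'name:   %s\nquoted: %s\nremote: %s\n\n' \
        "$name" "$quoted" "$(remote_shell_sees "$quoted")"
done

# Intended use (user@host is a placeholder; not run here):
#   scp -O "user@host:$(remote_quote "$name")" .
```

Without the helper, a name such as `my report.txt` reaches the remote shell as two words, and a name with a lone quote character is a syntax error there.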
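The strict filename check that the -T option disables, as an added example that is a simplified model and not OpenSSH's own code: a name announced by the server is accepted only if it is a plain file name matching the last component of the requested path. The functions `name_allowed` and `filter_received` and the sample names are constructed for illustration; brace expansion and recursive copies are not modelled.

```shell
#!/bin/sh
# Added example: simplified model of scp's strict filename checking.

# Succeed only if the announced name is a plain file name that matches the
# last path component of what the user requested.
name_allowed() {
    req_path=$1
    announced=$2
    pattern=${req_path##*/}            # last path component of the request
    case $announced in
        ''|.|..|*/*) return 1 ;;       # empty, dot names, or contains a slash
    esac
    case $announced in
        $pattern) return 0 ;;          # unquoted, so it is matched as a glob
    esac
    return 1
}

# Apply the check to a list of announced names: accepted names go to stdout,
# rejected names are reported on stderr.
filter_received() {
    wanted=$1
    shift
    for n in "$@"; do
        if name_allowed "$wanted" "$n"; then
            printf '%s\n' "$n"
        else
            printf 'rejected: filename does not match request: %s\n' "$n" >&2
        fi
    done
}

# Constructed sample: the user asked for host:logs/*.log and the server
# announces five names, three of which were never requested.
filter_received 'logs/*.log' \
    app.log db.log unrequested.cfg ../outside.log sub/app.log
```

With the check disabled, as -T does, every name in that list would be written locally, which is the trade-off the option's description warns about.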