OpenBSD manual page server

Manual Page Search Parameters

SCP(1) General Commands Manual SCP(1)

scpOpenSSH secure file copy

scp [-346ABCOpqRrsTv] [-c cipher] [-D sftp_server_path] [-F ssh_config] [-i identity_file] [-J destination] [-l limit] [-o ssh_option] [-P port] [-S program] [-X sftp_option] source ... target

scp copies files between hosts on a network.

scp uses the SFTP protocol over a ssh(1) connection for data transfer, and uses the same authentication and provides the same security as a login session.

scp will ask for passwords or passphrases if they are needed for authentication.

The source and target may be specified as a local pathname, a remote host with optional path in the form [user@]host:[path], or a URI in the form scp://[user@]host[:port][/path]. Local file names can be made explicit using absolute or relative pathnames to avoid scp treating file names containing ‘:’ as host specifiers.

When copying between two remote hosts, if the URI format is used, a port cannot be specified on the target if the -R option is used.

The options are as follows:

Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts. Note that, when using the legacy SCP protocol (via the -O flag), this option selects batch mode for the second host as scp cannot ask for passwords or passphrases for both hosts. This mode is the default.
Forces scp to use IPv4 addresses only.
Forces scp to use IPv6 addresses only.
Allows forwarding of ssh-agent(1) to the remote system. The default is not to forward an authentication agent.
Selects batch mode (prevents asking for passwords or passphrases).
Compression enable. Passes the -C flag to ssh(1) to enable compression.
cipher
Selects the cipher to use for encrypting the data transfer. This option is directly passed to ssh(1).
sftp_server_path
Connect directly to a local SFTP server program rather than a remote one via ssh(1). This option may be useful in debugging the client and server.
ssh_config
Specifies an alternative per-user configuration file for ssh. This option is directly passed to ssh(1).
identity_file
Selects the file from which the identity (private key) for public key authentication is read. This option is directly passed to ssh(1).
destination
Connect to the target host by first making an scp connection to the jump host described by destination and then establishing a TCP forwarding to the ultimate destination from there. Multiple jump hops may be specified separated by comma characters. This is a shortcut to specify a ProxyJump configuration directive. This option is directly passed to ssh(1).
limit
Limits the used bandwidth, specified in Kbit/s.
Use the legacy SCP protocol for file transfers instead of the SFTP protocol. Forcing the use of the SCP protocol may be necessary for servers that do not implement SFTP, for backwards-compatibility for particular filename wildcard patterns and for expanding paths with a ‘~’ prefix for older SFTP servers.
ssh_option
Can be used to pass options to ssh in the format used in ssh_config(5). This is useful for specifying options for which there is no separate scp command-line flag. For full details of the options listed below, and their possible values, see ssh_config(5).

AddKeysToAgent
 
AddressFamily
 
BatchMode
 
BindAddress
 
BindInterface
 
CASignatureAlgorithms
 
CanonicalDomains
 
CanonicalizeFallbackLocal
 
CanonicalizeHostname
 
CanonicalizeMaxDots
 
CanonicalizePermittedCNAMEs
 
CertificateFile
 
ChannelTimeout
 
CheckHostIP
 
Ciphers
 
ClearAllForwardings
 
Compression
 
ConnectTimeout
 
ConnectionAttempts
 
ControlMaster
 
ControlPath
 
ControlPersist
 
DynamicForward
 
EnableEscapeCommandline
 
EnableSSHKeysign
 
EscapeChar
 
ExitOnForwardFailure
 
FingerprintHash
 
ForkAfterAuthentication
 
ForwardAgent
 
ForwardX11
 
ForwardX11Timeout
 
ForwardX11Trusted
 
GSSAPIAuthentication
 
GSSAPIDelegateCredentials
 
GatewayPorts
 
GlobalKnownHostsFile
 
HashKnownHosts
 
Host
 
HostKeyAlgorithms
 
HostKeyAlias
 
HostbasedAcceptedAlgorithms
 
HostbasedAuthentication
 
Hostname
 
IPQoS
 
IdentitiesOnly
 
IdentityAgent
 
IdentityFile
 
IgnoreUnknown
 
Include
 
KbdInteractiveAuthentication
 
KbdInteractiveDevices
 
KexAlgorithms
 
KnownHostsCommand
 
LocalCommand
 
LocalForward
 
LogLevel
 
LogVerbose
 
MACs
 
NoHostAuthenticationForLocalhost
 
NumberOfPasswordPrompts
 
ObscureKeystrokeTiming
 
PKCS11Provider
 
PasswordAuthentication
 
PermitLocalCommand
 
PermitRemoteOpen
 
Port
 
PreferredAuthentications
 
ProxyCommand
 
ProxyJump
 
ProxyUseFdpass
 
PubkeyAcceptedAlgorithms
 
PubkeyAuthentication
 
RekeyLimit
 
RemoteCommand
 
RemoteForward
 
RequestTTY
 
RequiredRSASize
 
RevokedHostKeys
 
SecurityKeyProvider
 
SendEnv
 
ServerAliveCountMax
 
ServerAliveInterval
 
SessionType
 
SetEnv
 
StdinNull
 
StreamLocalBindMask
 
StreamLocalBindUnlink
 
StrictHostKeyChecking
 
SyslogFacility
 
TCPKeepAlive
 
Tag
 
Tunnel
 
TunnelDevice
 
UpdateHostKeys
 
User
 
UserKnownHostsFile
 
VerifyHostKeyDNS
 
VisualHostKey
 
XAuthLocation
 
port
Specifies the port to connect to on the remote host. Note that this option is written with a capital ‘P’, because -p is already reserved for preserving the times and mode bits of the file.
Preserves modification times, access times, and file mode bits from the source file.
Quiet mode: disables the progress meter as well as warning and diagnostic messages from ssh(1).
Copies between two remote hosts are performed by connecting to the origin host and executing scp there. This requires that scp running on the origin host can authenticate to the destination host without requiring a password.
Recursively copy entire directories. Note that scp follows symbolic links encountered in the tree traversal.
program
Name of program to use for the encrypted connection. The program must understand ssh(1) options.
Disable strict filename checking. By default when copying files from a remote host to a local directory scp checks that the received filenames match those requested on the command-line to prevent the remote end from sending unexpected or unwanted files. Because of differences in how various operating systems and shells interpret filename wildcards, these checks may cause wanted files to be rejected. This option disables these checks at the expense of fully trusting that the server will not send unexpected filenames.
Verbose mode. Causes scp and ssh(1) to print debugging messages about their progress. This is helpful in debugging connection, authentication, and configuration problems.
sftp_option
Specify an option that controls aspects of SFTP protocol behaviour. The valid options are:
=value
Controls how many concurrent SFTP read or write requests may be in progress at any point in time during a download or upload. By default 64 requests may be active concurrently.
=value
Controls the maximum buffer size for a single SFTP read/write operation used during download or upload. By default a 32KB buffer is used.

The scp utility exits 0 on success, and >0 if an error occurs.

sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh_config(5), sftp-server(8), sshd(8)

scp is based on the rcp program in BSD source code from the Regents of the University of California.

Since OpenSSH 9.0, scp has used the SFTP protocol for transfers by default.

Timo Rinne <tri@iki.fi>
Tatu Ylonen <ylo@cs.hut.fi>

The legacy SCP protocol (selected by the -O flag) requires execution of the remote user's shell to perform glob(3) pattern matching. This requires careful quoting of any characters that have special meaning to the remote shell, such as quote characters.

December 6, 2024 OpenBSD-current