Change OpenSSL context mode flags.

[ffftp/ffftp.git] / putty / DOC / PSCP.BUT

\define{versionidpscp} \versionid $Id: pscp.but 9366 2011-12-10 12:08:09Z simon $\r
\r
\#FIXME: Need examples\r
\r
\C{pscp} Using \i{PSCP} to transfer files securely\r
\r
\i{PSCP}, the PuTTY Secure Copy client, is a tool for \i{transferring files}\r
securely between computers using an SSH connection.\r
\r
If you have an SSH-2 server, you might prefer PSFTP (see \k{psftp})\r
for interactive use. PSFTP does not in general work with SSH-1\r
servers, however.\r
\r
\H{pscp-starting} Starting PSCP\r
\r
PSCP is a command line application.  This means that you cannot just\r
double-click on its icon to run it and instead you have to bring up a\r
\i{console window}.  With Windows 95, 98, and ME, this is called an\r
\q{MS-DOS Prompt} and with Windows NT, 2000, and XP, it is called a\r
\q{Command Prompt}.  It should be available from the Programs section\r
of your \i{Start Menu}.\r
\r
To start PSCP it will need either to be on your \i{\c{PATH}} or in your\r
current directory.  To add the directory containing PSCP to your\r
\c{PATH} environment variable, type into the console window:\r
\r
\c set PATH=C:\path\to\putty\directory;%PATH%\r
\r
This will only work for the lifetime of that particular console\r
window.  To set your \c{PATH} more permanently on Windows NT, 2000,\r
and XP, use the Environment tab of the System Control Panel.  On\r
Windows 95, 98, and ME, you will need to edit your \i\c{AUTOEXEC.BAT}\r
to include a \c{set} command like the one above.\r
\r
\H{pscp-usage} PSCP Usage\r
\r
Once you've got a console window to type into, you can just type\r
\c{pscp} on its own to bring up a usage message.  This tells you the\r
version of PSCP you're using, and gives you a brief summary of how to\r
use PSCP:\r
\r
\c Z:\owendadmin>pscp\r
\c PuTTY Secure Copy client\r
\c Release 0.62\r
\c Usage: pscp [options] [user@]host:source target\r
\c        pscp [options] source [source...] [user@]host:target\r
\c        pscp [options] -ls [user@]host:filespec\r
\c Options:\r
\c   -V        print version information and exit\r
\c   -pgpfp    print PGP key fingerprints and exit\r
\c   -p        preserve file attributes\r
\c   -q        quiet, don't show statistics\r
\c   -r        copy directories recursively\r
\c   -v        show verbose messages\r
\c   -load sessname  Load settings from saved session\r
\c   -P port   connect to specified port\r
\c   -l user   connect with specified username\r
\c   -pw passw login with specified password\r
\c   -1 -2     force use of particular SSH protocol version\r
\c   -4 -6     force use of IPv4 or IPv6\r
\c   -C        enable compression\r
\c   -i key    private key file for authentication\r
\c   -noagent  disable use of Pageant\r
\c   -agent    enable use of Pageant\r
\c   -batch    disable all interactive prompts\r
\c   -unsafe   allow server-side wildcards (DANGEROUS)\r
\c   -sftp     force use of SFTP protocol\r
\c   -scp      force use of SCP protocol\r
\r
(PSCP's interface is much like the Unix \c{scp} command, if you're\r
familiar with that.)\r
\r
\S{pscp-usage-basics} The basics\r
\r
To \I{receiving files}receive (a) file(s) from a remote server: \r
\r
\c pscp [options] [user@]host:source target\r
\r
So to copy the file \c{/etc/hosts} from the server \c{example.com} as\r
user \c{fred} to the file \c{c:\\temp\\example-hosts.txt}, you would type:\r
\r
\c pscp fred@example.com:/etc/hosts c:\temp\example-hosts.txt\r
\r
To \I{sending files}send (a) file(s) to a remote server: \r
\r
\c pscp [options] source [source...] [user@]host:target\r
\r
So to copy the local file \c{c:\\documents\\foo.txt} to the server\r
\c{example.com} as user \c{fred} to the file \c{/tmp/foo} you would\r
type:\r
\r
\c pscp c:\documents\foo.txt fred@example.com:/tmp/foo\r
\r
You can use \i{wildcards} to transfer multiple files in either\r
direction, like this:\r
\r
\c pscp c:\documents\*.doc fred@example.com:docfiles\r
\c pscp fred@example.com:source/*.c c:\source\r
\r
However, in the second case (using a wildcard for multiple remote\r
files) you may see a warning saying something like \q{warning:\r
remote host tried to write to a file called \cq{terminal.c} when we\r
requested a file called \cq{*.c}. If this is a wildcard, consider\r
upgrading to SSH-2 or using the \cq{-unsafe} option. Renaming of\r
this file has been disallowed}.\r
\r
This is due to a \I{security risk}fundamental insecurity in the old-style\r
\i{SCP protocol}: the client sends the wildcard string (\c{*.c}) to the\r
server, and the server sends back a sequence of file names that\r
match the wildcard pattern. However, there is nothing to stop the\r
server sending back a \e{different} pattern and writing over one of\r
your other files: if you request \c{*.c}, the server might send back\r
the file name \c{AUTOEXEC.BAT} and install a virus for you. Since\r
the wildcard matching rules are decided by the server, the client\r
cannot reliably verify that the filenames sent back match the\r
pattern.\r
\r
PSCP will attempt to use the newer \i{SFTP} protocol (part of SSH-2)\r
where possible, which does not suffer from this security flaw. If\r
you are talking to an SSH-2 server which supports SFTP, you will\r
never see this warning. (You can force use of the SFTP protocol,\r
if available, with \c{-sftp} - see \k{pscp-usage-options-backend}.)\r
\r
If you really need to use a server-side wildcard with an SSH-1\r
server, you can use the \i\c{-unsafe} command line option with PSCP:\r
\r
\c pscp -unsafe fred@example.com:source/*.c c:\source\r
\r
This will suppress the warning message and the file transfer will\r
happen. However, you should be aware that by using this option you\r
are giving the server the ability to write to \e{any} file in the\r
target directory, so you should only use this option if you trust\r
the server administrator not to be malicious (and not to let the\r
server machine be cracked by malicious people). Alternatively, do\r
any such download in a newly created empty directory. (Even in\r
\q{unsafe} mode, PSCP will still protect you against the server\r
trying to get out of that directory using pathnames including\r
\cq{..}.)\r
\r
\S2{pscp-usage-basics-user} \c{user}\r
\r
The \i{login name} on the remote server. If this is omitted, and \c{host}\r
is a PuTTY saved session, PSCP will use any username specified by that \r
saved session.  Otherwise, PSCP will attempt to use the local Windows\r
username.\r
\r
\S2{pscp-usage-basics-host} \I{hostname}\c{host}\r
\r
The name of the remote server, or the name of an existing PuTTY saved\r
session. In the latter case, the session's settings for hostname, port\r
number, cipher type and username will be used.\r
\r
\S2{pscp-usage-basics-source} \c{source}\r
\r
One or more source files. \ii{Wildcards} are allowed.  The syntax of\r
wildcards depends on the system to which they apply, so if you are\r
copying \e{from} a Windows system \e{to} a UNIX system, you should use \r
Windows wildcard syntax (e.g. \c{*.*}), but if you are copying \e{from} \r
a UNIX system \e{to} a Windows system, you would use the wildcard\r
syntax allowed by your UNIX shell (e.g. \c{*}).\r
\r
If the source is a remote server and you do not specify a full\r
pathname (in UNIX, a pathname beginning with a \c{/} (slash)\r
character), what you specify as a source will be interpreted relative\r
to your \i{home directory} on the remote server.\r
\r
\S2{pscp-usage-basics-target} \c{target}\r
\r
The filename or directory to put the file(s).  When copying from a\r
remote server to a local host, you may wish simply to place the\r
file(s) in the current directory.  To do this, you should specify a\r
target of \c{.}.  For example:\r
\r
\c pscp fred@example.com:/home/tom/.emacs .\r
\r
...would copy \c{/home/tom/.emacs} on the remote server to the current \r
directory.\r
\r
As with the \c{source} parameter, if the target is on a remote server\r
and is not a full path name, it is interpreted relative to your home\r
directory on the remote server.\r
\r
\S{pscp-usage-options} Options\r
\r
PSCP accepts all the general command line options supported by the\r
PuTTY tools, except the ones which make no sense in a file transfer\r
utility. See \k{using-general-opts} for a description of these\r
options. (The ones not supported by PSCP are clearly marked.)\r
\r
PSCP also supports some of its own options. The following sections\r
describe PSCP's specific command-line options.\r
\r
\S2{pscp-usage-options-ls}\I{-ls-PSCP}\c{-ls} \I{listing files}list remote files\r
\r
If the \c{-ls} option is given, no files are transferred; instead,\r
remote files are listed. Only a hostname specification and\r
optional remote file specification need be given. For example:\r
\r
\c pscp -ls fred@example.com:dir1\r
\r
The SCP protocol does not contain within itself a means of listing\r
files. If SCP is in use, this option therefore assumes that the\r
server responds appropriately to the command \c{ls\_-la};\r
this may not work with all servers.\r
\r
If SFTP is in use, this option should work with all servers.\r
\r
\S2{pscp-usage-options-p}\I{-p-PSCP}\c{-p} \i{preserve file attributes}\r
\r
By default, files copied with PSCP are \i{timestamp}ed with the date and\r
time they were copied.  The \c{-p} option preserves the original\r
timestamp on copied files.\r
\r
\S2{pscp-usage-options-q}\I{-q-PSCP}\c{-q} quiet, don't show \i{statistics}\r
\r
By default, PSCP displays a meter displaying the progress of the\r
current transfer:\r
\r
\c mibs.tar          |   168 kB |  84.0 kB/s | ETA: 00:00:13 |  13%\r
\r
The fields in this display are (from left to right), filename, size\r
(in kilobytes) of file transferred so far, estimate of how fast the\r
file is being transferred (in kilobytes per second), estimated time\r
that the transfer will be complete, and percentage of the file so far\r
transferred.  The \c{-q} option to PSCP suppresses the printing of\r
these statistics.\r
\r
\S2{pscp-usage-options-r}\I{-r-PSCP}\c{-r} copies directories \i{recursive}ly\r
\r
By default, PSCP will only copy files.  Any directories you specify to\r
copy will be skipped, as will their contents.  The \c{-r} option tells\r
PSCP to descend into any directories you specify, and to copy them and \r
their contents.  This allows you to use PSCP to transfer whole\r
directory structures between machines.\r
\r
\S2{pscp-usage-options-batch}\I{-batch-PSCP}\c{-batch} avoid interactive prompts\r
\r
If you use the \c{-batch} option, PSCP will never give an\r
interactive prompt while establishing the connection. If the\r
server's host key is invalid, for example (see \k{gs-hostkey}), then\r
the connection will simply be abandoned instead of asking you what\r
to do next.\r
\r
This may help PSCP's behaviour when it is used in automated\r
scripts: using \c{-batch}, if something goes wrong at connection\r
time, the batch job will fail rather than hang.\r
\r
\S2{pscp-usage-options-backend}\i\c{-sftp}, \i\c{-scp} force use of\r
particular protocol\r
\r
As mentioned in \k{pscp-usage-basics}, there are two different file\r
transfer protocols in use with SSH. Despite its name, PSCP (like many\r
other ostensible \cw{scp} clients) can use either of these protocols.\r
\r
The older \i{SCP protocol} does not have a written specification and\r
leaves a lot of detail to the server platform. \ii{Wildcards} are expanded\r
on the server. The simple design means that any wildcard specification\r
supported by the server platform (such as brace expansion) can be\r
used, but also leads to interoperability issues such as with filename\r
quoting (for instance, where filenames contain spaces), and also the\r
security issue described in \k{pscp-usage-basics}.\r
\r
The newer \i{SFTP} protocol, which is usually associated with SSH-2\r
servers, is specified in a more platform independent way, and leaves\r
issues such as wildcard syntax up to the client. (PuTTY's SFTP\r
wildcard syntax is described in \k{psftp-wildcards}.) This makes it\r
more consistent across platforms, more suitable for scripting and\r
automation, and avoids security issues with wildcard matching.\r
\r
Normally PSCP will attempt to use the SFTP protocol, and only fall\r
back to the SCP protocol if SFTP is not available on the server.\r
\r
The \c{-scp} option forces PSCP to use the SCP protocol or quit.\r
\r
The \c{-sftp} option forces PSCP to use the SFTP protocol or quit.\r
When this option is specified, PSCP looks harder for an SFTP server,\r
which may allow use of SFTP with SSH-1 depending on server setup.\r
\r
\S{pscp-retval} \ii{Return value}\r
\r
PSCP returns an \i\cw{ERRORLEVEL} of zero (success) only if the files\r
were correctly transferred. You can test for this in a \i{batch file},\r
using code such as this:\r
\r
\c pscp file*.* user@hostname:\r
\c if errorlevel 1 echo There was an error\r
\r
\S{pscp-pubkey} Using \i{public key authentication} with PSCP\r
\r
Like PuTTY, PSCP can authenticate using a public key instead of a\r
password. There are three ways you can do this.\r
\r
Firstly, PSCP can use PuTTY saved sessions in place of hostnames\r
(see \k{pscp-usage-basics-host}). So you would do this:\r
\r
\b Run PuTTY, and create a PuTTY saved session (see\r
\k{config-saving}) which specifies your private key file (see\r
\k{config-ssh-privkey}). You will probably also want to specify a\r
username to log in as (see \k{config-username}).\r
\r
\b In PSCP, you can now use the name of the session instead of a\r
hostname: type \c{pscp sessionname:file localfile}, where\r
\c{sessionname} is replaced by the name of your saved session.\r
\r
Secondly, you can supply the name of a private key file on the command\r
line, with the \c{-i} option. See \k{using-cmdline-identity} for more\r
information.\r
\r
Thirdly, PSCP will attempt to authenticate using Pageant if Pageant\r
is running (see \k{pageant}). So you would do this:\r
\r
\b Ensure Pageant is running, and has your private key stored in it.\r
\r
\b Specify a user and host name to PSCP as normal. PSCP will\r
automatically detect Pageant and try to use the keys within it.\r
\r
For more general information on public-key authentication, see\r
\k{pubkey}.\r