|
|
|
Command Line Utility Switch Support
Technical Note 1893
Last Reviewed 29-Feb-2008
Applies To
Reflection for Secure IT Windows Client version 6.1 or higher
Summary
Technical Note 1893
Last Reviewed 29-Feb-2008
Applies To
Reflection for Secure IT Windows Client version 6.1 or higher
Summary
Beginning in version 6.1, the ssh, scp, and sftp command line utilities support the full range of command line switches provided by equivalent OpenSSH-style utilities. In addition, new ssh2, scp2 and sftp2 switches have been added for customers who are migrating from F-Secure and need to maintain scripts written for the F-Secure command line utilities. This technical note lists the switches and options available for use in ssh, scp, sftp, ssh2, scp2, and sftp2.
Note: For a list of available startup switches for Reflection for Secure IT Windows Client, see Technical Note 2300.
Determining Which Utility Is Running
If you have both F-Secure and Reflection for Secure IT installed on the same machine, you have two different ssh2, scp2, and sftp2 utilities on your machine; an F-Secure version and a Reflection for Secure IT version. The functionality of these two versions is equivalent.
Both F-Secure and Reflection installations add their install folders to the end of the user's PATH. Since the F-Secure folder appears first in the list, its command line utilities are executed first.
You can verify which utility is running (F-Secure or Reflection for Secure IT) by opening a command window and issuing the ssh2 –V command (or scp2 –V or sftp2 –V command). An SSH banner that identifies the manufacturer and version of the client that is being executed will display.
To temporarily change the version of the utility being run, change directories to the folder where Reflection for Secure IT is installed (by default C:\Program Files\Attachmate\Rsecure) and issue the utility's command in the command window.
Or to permanently change the version of the utility being run, go to My Computer > Properties. On the Advanced tab, click Environment Variables and edit the user PATH variable in the Environment Variables dialog box.
Switch Support
Information about the switches supported can be found in the following sections:
Secure Shell Utility Switch Support
OpenSSH-Style SSH Switches (ssh.exe) Supported in Reflection
OpenSSH-Style SCP Switches (scp.exe) Supported in Reflection
OpenSSH-Style SFTP Switches (sftp.exe) Supported in Reflection
SSH2, SCP2, and SFTP2 Utility Switch SupportOpenSSH-Style SCP Switches (scp.exe) Supported in Reflection
OpenSSH-Style SFTP Switches (sftp.exe) Supported in Reflection
Secure Shell Utility Switch Support
Reflection provides a robust Secure Shell protocol suite, which includes ssh, sftp, and scp. The addition of ssh2, scp2, and sftp2 switches eases the transition from F-Secure SSH products to the Reflection for Secure IT Window client by seamlessly supporting currently existing F-Secure scripts in the Reflection for Secure IT environment. Attachmate recommends that any future scripts be written using the OpenSSH-style switch format.
The tables below illustrate the OpenSSH-style switches and options available in Reflection for Secure IT version 6.1 for each command line utility. For F-Secure switch information see SSH2, SCP2, and SFTP2 Utility Switch Support.
OpenSSH-Style SSH Switches (ssh.exe) Supported in Reflection
| SSH Switch |
SSH Keyword |
Description |
| -A |
ForwardAgent=yes |
Enable Auth agent forwarding |
| -a |
ForwardAgent=no |
Disable Auth agent forwarding (default) |
| -b addr |
BindAddress=IP |
Local IP address |
| -c cipher,cipher |
Ciphers=c1,c2 |
Select encryption algorithm. Comma separated list |
| -C |
Compression=yes |
Enable compression |
| -v[vv] |
LogLevel=<string> QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3 |
Set debug level |
| -D port |
DynamicForward=<#> |
Enable dynamic application-level port forwarding through SOCKS4/5 |
| -e char |
EscapeChar=<char> |
Set escape character – none to disable |
| -E prov |
|
Use 'prov' as the external key provider |
| -F cfgfile |
|
Read an alternative configuration file |
| -g |
GatewayPorts=yes |
Gateway ports |
| -H scheme |
Host=<scheme string> |
SSH config scheme to use |
| -i keyfile |
IdentityFile=<path> |
Identity file for public key authentication |
| -k |
|
Custom configuration directory where config file, host keys and user keys are located |
| -l user |
User=<username> |
Login with this user name |
| -L listen-port: host:port |
"LocalForward= <lport host:rport>" |
Forward local port to remote address |
| -m MAC,MAC |
MACs=[hmac-md5, hmac-sha1, hmac- ripemd160, hmac-sha1-96, hmac-md5-96] |
Select MAC algorithm. Multiple -m options are allowed using a comma-separated list |
| -M |
ControlMaster=[yes, no, ask, auto] |
Places client in Control Master mode |
| -n |
|
Redirect input from /dev/null (do not read stdin) |
| -N |
|
Do not execute shell or command |
| -o option |
|
Process the option as if it was read from a configuration file |
| -p port# |
Port=<#> |
Connect to this port |
| -q |
|
Quiet; do not display any warning messages |
| -R listen-port: host:port |
"RemotelForward= <lport host:rport>" |
Forward remote port to local address |
| -s command |
|
Invoke command as ssh2 subsystem |
| -S ctl |
ConnectionReuse=[yes,no] |
Specifies the location of a control socket for connection sharing Note: Instead of using the –S ctl switch, we recommend that you use the –o switch: –o ConnectionReuse=yes |
| -t |
|
Allocate a tty even if command is given |
| -T |
|
Do not allocate a tty |
| -v |
|
Verbose; display verbose debugging messages. Equal to -d 2 |
| -V |
|
Display version string |
| -X |
ForwardX11=yes |
Enable X11 connection forwarding UNTRUSTED |
| -x |
ForwardX11=no |
Disable X11 connection forwarding |
| -Y |
ForwardX11Trusted= [yes, no] |
Enable X11 connection forwarding TRUSTED |
| -2 |
Protocol=2 |
Use protocol 2 only |
| -4 |
AddressFamily=inet |
Use Ipv4 to connect |
| -6 |
AddressFamily=inet6 |
Use Ipv6 to connect |
| -8 |
|
Ignored (was "8 bit clean" in rsh) |
| -? |
|
Display usage help |
OpenSSH-Style SCP Switches (scp.exe) Supported in Reflection
| SCP Switch |
SCP Keyword |
Description |
| -a |
|
Transfer files in ASCII mode |
| -B |
BatchMode=[yes, no] |
Sets batch-mode on |
| -b |
|
Maximum buffer size for one request |
| -c cipher,cipher |
Ciphers=c1,c2 |
Select encryption algorithm. Multiple -c options are allowed and a single -c flag can have only one cipher |
| -C |
Compression=yes |
Passes compression flag to ssh to enable compression |
| -d |
|
Force target to be a directory |
| -v[vv] |
LogLevel=<string>QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3 |
Set debug level |
| -F cfgfile |
|
Read an alternative configuration file |
| -H scheme |
Host=<scheme string> |
SSH config scheme to use |
| -i keyfile |
IdentityFile=<path> |
Identity file for public key authentication (single key) |
| -k dir |
|
Set a non-default folder for configuration file, hostkeys and userkeys |
| -l limit |
|
Limit the bandwidth to the value specified (in Kb). Supported beginning in version 7.0. |
| -o option |
|
Process the option as if it was read from a configuration file |
| -p |
|
Preserve file timestamps and attributes |
| -P port# |
Port=<#> |
Connect to this port |
| -q |
|
Do not show progress indicator |
| -r |
|
Recurse subdirectories |
| -S program |
|
Name of program to use for encrypted connection – program must understand ssh options |
| -u |
|
Remove source file after copying |
| -v |
|
Verbose mode; equal to -D 2 |
| -V |
|
Display version string |
| -1 |
Protocol=1 |
Engage scp1 compatibility – must be first switch and separated from other switches |
| -2 |
Protocol=2 |
Use protocol 2 only |
| -4 |
AddressFamily= inet |
Use Ipv4 to connect |
| -6 |
AddressFamily= inet6 |
Use Ipv6 to connect |
| -? |
|
Display usage help |
OpenSSH-Style SFTP Switches (sftp.exe) Supported in Reflection
There are no corresponding SFTP keywords for the switches listed.
| SFTP Switch |
Description |
| -a |
Transfer files in ASCII mode |
| -b buffer-size |
Define maximum buffer size for one request |
| -B batchfile |
Batch mode - File from which to read commands |
| -c cipher |
Select encryption algorithms (comma separated list) |
| -C |
Enable compression |
| -d |
Force target to be a directory |
| -F file |
Read an alternative configuration file |
| -h |
Display usage help |
| -H scheme |
SSH config scheme to use |
| -k dir |
Custom config dir |
| -m macs |
Specify MAC algorithms for protocol version 2 |
| -o option |
Process the option as if it was read from a configuration file |
| -p |
Preserve timestamps and file attributes |
| -P sftp-server-path |
Connect directly to the local sftp server, rather then through ssh server |
| -q |
Quiet; don’t display any warning messages |
| -Q |
Don’t show progress indicator |
| -R max-requests |
Define maximum number of concurrent requests |
| -s subsystem |
Specifies the ssh2 subsystem or path for an sftp server on the remote host. A path is useful for using sftp over ssh1 protocol or when it’s subsystem is not configured for the remote sshd |
| -S program |
Specify where sftp can find the program to use for encrypted connection – program must understand ssh options |
| -u |
Remove source file after copying |
| -v[vv] |
Set debug level |
| -v |
Verbose mode; equal to -D 2 |
| -V |
Display version string |
| -1 |
Use ssh protocol 1 |
| -2 |
Use protocol version2 |
| -4 |
Use IPv4 only |
| -6 |
Use IPv6 only |
| -? |
Display usage help |
SSH2, SCP2, and SFTP2 Utility Switch Support
Beginning in Reflection for Secure IT Windows client version 6.1, support for legacy F-Secure switches is supported, minimizing the effort needed to convert existing configurations from F-Secure to the Reflection for Secure IT Windows Client.
Note the following:
- The keywords below are for the F-Secure ssh2_config file and may or may not match the keywords that can be used in the Reflection config file.
- If an F-Secure ssh2_config file is present when you install Reflection for Secure IT, the ssh2_config file will be migrated to the \My Documents\Attachmate\Reflection\.ssh\ directory and will be used by default. Ssh2, scp2, and sftp2 will look for the ssh2_config file only and will not use the Reflection config file. You can force Reflection to read from the config file in several ways:
- Set a registry setting, "Use SSH Config Schemes"
- Set an environment variable, – UseReflectionSchemes
- Use the Reflection config file on a per usage basis by using the –H switch to specify a specific config scheme from the config file
The tables below list the switches and options available for each command line utility.
Legacy F-Secure SSH2 Switches (ssh2.exe) Supported in Reflection
| SSH2 Switch |
SSH2 Keyword |
Description |
| -c cipher -c cipher |
Ciphers=c1,c2 |
Select encryption algorithm. Multiple -c options are allowed using a comma-separated list |
| +C |
Compression=yes |
Enable compression |
| -C |
Compression=no |
Disable compression |
| -d level [1-99] |
Loglevel |
Set debug level |
| -E prov |
ExternalAuthorizationProgram=<path> |
Use prov as the external key provider |
| -F cfgfile |
|
Read an alternative configuration file |
| -g |
GatewayPorts=yes |
Gateway ports |
| +g |
GatewayPorts=no |
Do not gateway ports |
| -h |
|
Display usage help |
| -H scheme |
|
Use specified scheme name in the config file |
| -i keyfile |
IdentityFile=<path> |
Identity file for public key authentication |
| -k dir |
UserConfigDirectory =<path> |
Custom configuration dir where ssh2 config, hostkeys and userkeys are located |
| -l user |
User=<username> |
Login with this user name |
| -L listen-port: host:port |
"LocalForward= <lport:host:rport>" |
Forward local port to remote address |
| -m MAC -m MAC |
MACs= [hmac-sha1, hmac-md5] |
Select MAC algorithm. Multiple -m options are allowed using a comma-separated list |
| -n |
DontReadStdin=[yes, no] |
Redirect stdin from null |
| -p port# |
Port=<#> |
Connect to this port |
| -q |
QuietMode=[yes,no] |
Quiet; do not display any warning messages |
| -R listen-port: host:port |
"RemotelForward= <lport:host:rport>" |
Forward remote port to local address |
| -S |
|
Do not request a session channel |
| -t |
ForcePTTYAllocation = [yes, no] |
Allocate a tty even if command is given |
| -v |
verbosemode=[yes, no] |
Verbose; display verbose debugging messages. Equal to -d 2 |
| -V |
|
Display version string |
| +x |
ForwardX11= [yes, no] |
Enable X11 connection forwarding UNTRUSTED |
| -x |
|
Disable X11 connection forwarding |
| +X |
|
Enable X11 connection forwarding TRUSTED |
Legacy F-Secure SCP2 Switches (scp2.exe) Supported in Reflection
| SCP2 Switch |
SCP2 keyword |
Description |
| -a[arg] |
|
Transfer files in ASCII mode |
| -b buffer-size |
|
Define maximum buffer size for one request |
| -B |
BatchMode=[yes, no] |
Sets batch-mode status |
| -c cipher -c cipher |
Ciphers=c1,c2 |
Select encryption algorithm. Multiple -c options are allowed and a single -c flag can have only one cipher |
| -C |
|
Enable compression |
| -d |
|
Force target to be a directory |
| -D level [1-99] |
|
Set debug level |
| -F file |
|
Read an alternative config file |
| -h |
|
Display usage help |
| -H scheme |
|
Use specified scheme name in the config file |
| -i keyfile |
|
Identity file for public key authentication |
| -k dir |
UserConfigDirectory =<path> |
Custom configuration dir where ssh2_config, hostkeys and userkeys are located |
| -N max-requests |
|
Define maximum number of concurrent requests |
| -m fileperm [:dirperm] |
|
Set the default file/dir permission bits for upload |
| -o 'option' |
|
Process the option as if it was read from a configuration file |
| -p |
|
Preserve file timestamps and attributes |
| -P port# |
Port=<#> |
Connect to this port |
| -q |
|
Make scp quiet (only fatal errors are displayed) |
| -Q |
|
Don’t show progress indicator |
| -u |
|
Remove source files after copying |
| -r |
|
Recurse subdirectories |
| -v |
|
Verbose mode; equal to '-D 2' |
| -V |
|
Display version string |
| -1 |
|
Use protocol version1 only |
| -2 |
|
Use protocol version2 only |
| -4 |
|
Use IPv4 only |
| -6 |
|
Use IPv6 only |
| -? |
|
Display usage help |
Legacy F-Secure SFTP2 Switches (sftp2.exe) Supported in Reflection
| SFTP2 Switch |
SFTP2 Keyword |
Description |
| -a |
|
Transfer files in ASCII mode |
| -b buffer-size |
|
Define maximum buffer size for one request |
| -B batchfile |
BatchMode=<yes/no> |
Batch mode – Specify file from which to read commands |
| -c cipher -c cipher |
Ciphers=c1,c2 |
Select encryption algorithm. Multiple -c options are allowed and a single -c flag can have only one cipher |
| +C |
|
Enable Compression |
| -C |
|
Disable Compression |
| -d |
|
Force target to be a directory |
| -D level [1-99] |
|
Set debug level |
| -F file |
|
Read an alternative config file |
| -h |
|
Display usage help |
| -i keyfile |
|
Identity file for public key authentication |
| -k dir |
|
Custom configuration dir where ssh2_config, hostkeys and userkeys are located |
| -m MAC |
|
Select MAC algorithm |
| -N max-requests |
|
Define maximum number of concurrent requests |
| -o 'option' |
|
Process the option as if it was read from a configuration file |
| -P port# |
Port=<port#> |
Connect to this port |
| -q |
|
Quiet; don’t display any warning messages |
| -Q |
|
Don’t show progress indicator |
| -S program |
|
Program to use for encrypted connections |
| -S ssh2-path |
|
Tell scp2 where to find the program to use for encrypted connection – program must understand ssh options |
| -u |
|
Remove source files after copying |
| -V |
|
Display version string |
| -v |
|
Verbose mode; equal to -D 2 |
