13.11 sftp Command Line Options

The sftp syntax is:

sftp [-4] [-6] [-b buffer_size] [-B batch_file] [-c cipher] [-D debug_level] [-h] [-m mac_algorithm] [-N max_requests] [-o option] [-P port] [-v] [-V] [-W password_file] [[user@]host[#port]]

Options are available in both a single-character form (such as -o) and a descriptive equivalent (--option). Single characters are shown here. To view the descriptive equivalents, use the -h command line option.

Caution: All options specified on the command line (including user names, host names, and other sensitive information) will show up in a process status (ps) listing. Exercise care when specifying sensitive options and switches so that other users cannot easily see that information. A more secure alternative is to set these options in a configuration file and to protect the configuration file using recommended file permissions (configuration file = 600, directory containing the file = 700).

-4

Forces connections using IPv4 addresses only. You can also configure IP address requirements using the AddressFamily keyword.

-6

Forces connections using IPv6 addresses only. You can also configure IP address requirements using the AddressFamily keyword.

-b buffer_size

Specifies the buffer size used for data transfer. The default is 32768 bytes. The minimum allowed value is 1024. The maximum allowed value is 4194304 bytes. In most cases the default value provides close to optimal transfer speeds. On some systems, moderate increases to the buffer size can improve performance. Caution: Using very large buffer sizes rarely improves performance and can create problems including: slower transfers, transfer failures with servers that don't support very large buffers, and fatal errors when client or server memory limits are exceeded.

-B batch_file

Specifies a file to use for batch processing sftp commands. After a successful login, sftp executes each command in the specified file until a bye, exit or quit command is found, and then terminates the connection. Authentication methods that require user interaction are not supported in this mode. The batch file can use any of the interactive commands documented below. If a command in the batch file fails, sftp continues executing the remaining commands, and returns the error code of the first failed command. However, commands prefixed with "-" (dash) always return 0, even if the command fails.
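The following is an added example, not part of the original reference and not the product's own code. It generates a batch file that uploads a set of local files into a directory on the server, using the standard sftp commands mkdir, cd, put and bye, and shows how the "-" prefix and the exit status described above fit together: the mkdir is allowed to fail (the directory may already exist), every put is checked, and the caller acts on sftp's return code. The destination directory, the file names and the user@host target are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the product's own code. Builds an sftp batch file for
# use with -B and shows how its failure semantics map onto the exit status.

# write_upload_batch OUT DEST FILE...
# Writes batch file OUT that creates DEST on the server and uploads FILE...
# into it. The mkdir is prefixed with "-" so an already existing DEST does
# not count as a failure; every other command is checked, so a failed put
# makes sftp return the error code of the first failing command.
write_upload_batch() {
    out=$1
    dest=$2
    shift 2
    {
        printf '%s\n' "-mkdir $dest"
        printf '%s\n' "cd $dest"
        for f in "$@"; do
            printf '%s\n' "put $f"
        done
        printf '%s\n' "bye"
    } > "$out"
}

# batch_line_count FILE: number of commands in a generated batch file,
# a quick sanity check before the file is handed to sftp.
batch_line_count() {
    wc -l < "$1" | tr -d ' '
}

# run_upload BATCH TARGET: run the batch non-interactively and report.
# Needs a reachable server and an authentication method that does not
# prompt (for example a passphraseless public key). TARGET is user@host;
# the name used in the demo below is an assumption.
run_upload() {
    sftp -B "$1" "$2"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "batch completed"
    else
        echo "batch failed: first failing command returned $rc" >&2
    fi
    return "$rc"
}

# Stand-alone demo: build a batch file in a temporary location and show it.
# File names are constructed; no connection is made here. To run it:
#   run_upload "$batch" user@host.example.com
batch=$(mktemp) || exit 1
write_upload_batch "$batch" incoming report.csv summary.txt
cat "$batch"
rm -f "$batch"
```

Because a failing put does not stop the batch, check the exit status of sftp rather than assuming every file arrived; only commands you deliberately prefix with "-" are exempt from that check.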

-c cipher

Specifies one or more (comma-separated) encryption algorithms supported by the client. If no cipher is specified, the cipher is determined by the Ciphers keyword in the Secure Shell configuration file ssh2_config(5); the default is 'AnyStdCipher'.

The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server. Allowed values are 'aes128-ctr', 'aes128-cbc', 'aes192-ctr', 'aes192-cbc', 'aes256-ctr', 'aes256-cbc', 'blowfish-cbc', 'arcfour', 'arcfour128', 'arcfour256', 'cast128-cbc', and '3des-cbc'. Prefer the AES counter-mode ciphers ('aes128-ctr', 'aes192-ctr', 'aes256-ctr'): 'arcfour', 'arcfour128' and 'arcfour256' (RC4), 'blowfish-cbc', 'cast128-cbc' and '3des-cbc' are legacy algorithms that current SSH implementations disable by default, and the CBC modes are weaker than their CTR equivalents. Because the negotiated cipher is the first acceptable entry in the client's preference order, restrict the list (for example, -c aes256-ctr,aes128-ctr) whenever the server supports it.

You can also set this value to 'none'. When 'none' is the agreed on cipher, data is not encrypted. Note that this method provides no confidentiality protection, and is not recommended.

The following values are provided for convenience: 'aes' (all supported aes ciphers), 'blowfish' (equivalent to 'blowfish-cbc'), 'cast' (equivalent to 'cast128-cbc'), '3des' (equivalent to '3des-cbc'), 'Any' or 'AnyStd' (all available ciphers plus 'none'), and 'AnyCipher' or 'AnyStdCipher' (all available ciphers).

-D debug_level

Sets the debug level. Increasing the value increases the amount of information displayed. Use 1, 2, 3, or 99. (Values 4-98 are accepted, but are equivalent to 3.)

-h

Displays a brief summary of command options.

-m mac_algorithm

Specifies which MACs (message authentication codes) are supported for this connection. Allowed values are 'hmac-sha256', 'hmac-sha1', 'hmac-sha1-96', 'hmac-md5', 'hmac-md5-96', 'hmac-sha512', and 'hmac-ripemd160'. Multiple MACs can be specified as a comma-separated list. Specifying 'hmac-sha256' also enables 'hmac-sha2-256', and specifying 'hmac-sha512' also enables 'hmac-sha2-512'.

The following values are provided for convenience: 'AnyMac' (all of the MACs listed above), 'AnyStdMac' (equivalent to 'hmac-sha256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-sha512'), 'any' (equivalent to 'AnyMac' plus 'none'), and 'AnyStd' (equivalent to 'AnyStdMac' plus 'none').

You can also set this value to 'none'. When 'none' is the agreed on MAC, no message authentication code is used. Because this provides no data integrity protection, 'none' and the options that include it ('any' and 'AnyStd') are not recommended. Of the remaining algorithms, prefer 'hmac-sha256' or 'hmac-sha512'; 'hmac-md5', 'hmac-md5-96', and 'hmac-sha1-96' are legacy choices that current OpenSSH releases disable by default and should be enabled only for interoperability with older servers.

-N max_requests

Specifies the maximum number of concurrent requests. Increasing this may slightly improve file transfer speed, but also increases memory use. The default is 256.

-o option

Sets any option that can be configured using a configuration file keyword. For a list of keywords and their meanings, see ssh2_config(5). Syntax alternatives are shown below. Use quotation marks to contain expressions that include spaces.

-o key1=value
-o key1="sample value"
-o "key1 value"
-o key=value1,value2
-o key="value1, value2"

To configure multiple options, use multiple -o switches.

-o key1=value -o key2=value

--overwrite [yes|no|ask]

Specifies whether or not to overwrite existing destination files. The allowed values are 'yes', 'no', and 'ask'. The default is 'yes'. Note: When the source and destination files are identical, no transfer occurs regardless of the value of this setting.

-P port

Specifies the port to connect to on the server. The default is 22, which is the standard port for Secure Shell connections. You can also configure the port in the configuration file using the Port keyword.

-v

Sets the debug level to verbose mode, which is equivalent to setting the debug level to 2. You can also configure this in the configuration file using the VerboseMode keyword.

-V

Displays product name and version information and exits. If other options are specified on the command line, they are ignored.

-W password_file

Specifies a file containing the password to use for the connection. Set permissions on the password file to 600; the file is not accepted if it has read or write permissions for group or other. For a non-root user, the file is also not accepted if the process identity has changed (for example, when sftp runs with an effective user ID different from the real user ID). This option applies only to password authentication. If AllowedAuthentications is configured to attempt keyboard-interactive before password authentication (the default), users will receive a password prompt even if a valid password file is present. To prevent this, modify the allowed authentications list to support only password authentication or to attempt password authentication before keyboard-interactive. The password is stored in clear text in this file, so treat the file with the same care as a private key.

Note: Passphraseless public keys provide a more secure way to configure authentication without user interaction: the private key never leaves the client (only a signature made with it is sent to the server), whereas a password is transmitted to the server over the encrypted connection and must also be stored in clear text in the password file. Protect the private key file with the same 600 permissions.
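Both the caution at the start of this section (keep the configuration file at mode 600 inside a mode 700 directory, so sensitive settings stay off the command line) and the acceptance rules for the -W password file can be checked before sftp is invoked. The following is an added example, not part of the original reference and not the product's own code; it reproduces those rules using only ls(1), cut(1) and id(1). The directory layout, the file names, the "AllowedAuthentications password" option value and the host name in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the product's own code. Checks a password file and a
# configuration directory against the rules stated in this section before
# sftp is invoked, so a file sftp would reject is caught early.

# perm_bits PATH: the nine permission characters from ls -ld, e.g. rw-------
perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# no_group_other_rw PATH: 0 if neither group nor other has read or write
# access. Positions 4-5 are group r/w, positions 7-8 are other r/w.
no_group_other_rw() {
    [ "$(perm_bits "$1" | cut -c4-5,7-8)" = "----" ]
}

# protected_file_ok FILE: 0 if FILE is a regular file with mode 600 or
# stricter, and (for a non-root user) the process identity has not changed,
# i.e. real and effective user IDs agree. This is the -W rule; it is also
# the recommended state for the configuration file.
protected_file_ok() {
    [ -f "$1" ] || return 1
    no_group_other_rw "$1" || return 1
    [ "$(id -u)" -eq 0 ] || [ "$(id -u)" = "$(id -ur)" ]
}

# config_dir_ok DIR: 0 if DIR is a directory with no group or other access
# at all (mode 700 or stricter).
config_dir_ok() {
    [ -d "$1" ] || return 1
    [ "$(perm_bits "$1" | cut -c4-9)" = "------" ]
}

# Stand-alone demo with a constructed layout under a temporary path. The real
# configuration location, the option value and the host name are assumptions.
demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/conf" && chmod 700 "$base/conf"
    printf 'Port 22\n' > "$base/conf/ssh2_config"
    chmod 600 "$base/conf/ssh2_config"
    printf 'constructed-example-password\n' > "$base/conf/sftp_pw"
    chmod 644 "$base/conf/sftp_pw"          # deliberately too permissive
    if protected_file_ok "$base/conf/sftp_pw"; then
        echo "sftp_pw accepted"
    else
        echo "sftp_pw rejected (group/other can read it); fixing with chmod 600"
        chmod 600 "$base/conf/sftp_pw"
    fi
    if protected_file_ok "$base/conf/sftp_pw" \
        && protected_file_ok "$base/conf/ssh2_config" \
        && config_dir_ok "$base/conf"; then
        echo "ready; would run:"
        echo "  sftp -W $base/conf/sftp_pw -o \"AllowedAuthentications password\" user@host.example.com"
    fi
    rm -rf "$base"
}
demo
```

The checks are deliberately strict rather than exact: a file at mode 400 passes, as it should, while any group or other read/write bit fails it. Run them in a wrapper script before sftp so that an unexpected prompt or a rejected file is diagnosed locally instead of at login time.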