Secure Shell (SSH) has been used for many years to remotely access systems, and a common need has been to transfer files to those systems, along with a standard terminal connection.
Secure Copy Protocol (SCP) was developed to utilize the same SSH mechanism to transfer files between servers. SCP is available with most SSH clients that are commonly preinstalled on most Linux operating systems.
Using SCP on Windows
To use SCP on Windows, install the OpenSSH Client feature for Windows. There are third-party packages that can provide the executable, but as of Windows 10, this is the most convenient method, and the feature is often installed by default.
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
SCP has a number of options to enable controlling the connection and suit most connection scenarios.
These options are relevant to the 8.3 release of SCP.
- -3 - Copies between two remote hosts are transferred through the local host of SCP. If this option is not used, then files transfer directly between the two remote hosts, bypassing the localhost.
- -4 - Force SCP to only use IPv4 addresses.
- -6 - Force SCP to only use IPv6 addresses. Note that all IPv6 addresses must be enclosed in square brackets.
- -B - Enable batch mode, which prevents SCP from asking for passwords or passphrases.
- -C - Enable compression on the underlying SSH connection (passes the -C flag to SSH).
- -c - Select the cipher to use. This option is passed directly to SSH.
- -F - Specify an alternate ssh_config file. This option is passed directly to SSH.
- -i - Select the private key (identity) file for public key authentication.
- -J - Connect to a target host by first making an SCP connection to a jump host and then establishing a TCP forwarding connection to the ultimate destination. Multiple hops may be configured through comma-separated destinations.
- -l - Limit the bandwidth used, specified in KBit/s.
- -o - Pass any number of different SSH options as specified in the formats used in ssh_config.
- -P - Specify the Port to connect to.
- -p - Preserve the modification times, access times, and modes from the original file (note this is a lowercase p).
- -q - Disable the progress meter as well as warning and diagnostic messages from SSH by enabling quiet mode.
- -r - Copy entire directories recursively.
- -S - Name of the program to use for the encrypted connection. This program may replace SSH but must understand SSH options.
- -T - Disable strict filename checking. The downside is that you are then relying on the server not to send unexpected filenames. This option was added to account for differences in the filenames that different server types could serve.
- -v - Set a verbose mode, which is useful for debugging.
As you can see, there are a large number of options, which makes it possible to get even the most complex connections working properly.
The simplest example is transferring a file from one server to another.
scp ~/backup.tar root@server:~/backup.tar
Of course, this assumes an extremely simple server connection. Oftentimes you may have a more complex connection with different ports and using a public/private key.
scp -P 55534 -i ~/.ssh/id_ed25519 ~/backup.tar root@server:~/backup.tar
Port 55534 is a randomly chosen port that may assist in obscuring the SSH servers.
Transferring a directory of files from the local system to a remote computer is just as easy.
scp -r ~/backups/ root@server:~/backups/
Perhaps you have limited bandwidth and want to make sure you do not saturate the link when transferring backup files (as in this example). You can use the -l option to specify the transfer rate in KBit/s. Additionally, we want to preserve modification times, access times, and modes from the original files, so we use the -p option.
scp -l 800 -p -r ~/backups/ root@server:~/backups/
In recent years, the creators of OpenSSH have noted that SFTP is a better alternative, but there are limitations to how SFTP works versus SCP that may influence which tool you use. The reason you may not want to use SCP comes down to the -T and -r options. With the -r option, it’s possible for a malicious server to evaluate a shell script that could overwrite a file such as .ssh/authorized_keys. Additionally, the -T option disables strict filename checking, which creates a similar situation where a malicious server may be able to overwrite files that it should not.
SFTP is not as flexible as SCP, which also translates into stricter checking of the filenames that are transferred. The downside is the loss of the flexibility to run server scripts that return collections of files.
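One way to limit the -r and -T risk described above, as an added example that is not part of the original article: download into an empty staging directory and accept the transfer only if every received path was expected. The function names audit_staging and fetch_checked, and the file names used with them, are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): accept a recursive scp
# download only if every received path was explicitly expected.

# audit_staging DIR EXPECTED...   (hypothetical helper)
# EXPECTED are file paths relative to DIR. Prints each problem found and
# returns 1 if anything unexpected arrived or an expected file is missing.
audit_staging() (
    dir=${1%/}; shift
    status=0
    # The walk below is line based, so refuse names containing a newline.
    if [ -n "$(find "$dir" -name '*
*' -print)" ]; then
        echo "unexpected: name containing a newline"
        exit 1
    fi
    # -mindepth 1 skips DIR itself; dotfiles and nested paths are included.
    extra=$(find "$dir" -mindepth 1 -print | while IFS= read -r path; do
        rel=${path#"$dir"/}
        ok=0
        for want in "$@"; do
            case $want in
                # An expected regular file, or a real directory leading to one.
                ("$rel")   [ -f "$path" ] && [ ! -L "$path" ] && ok=1 ;;
                ("$rel"/*) [ -d "$path" ] && [ ! -L "$path" ] && ok=1 ;;
            esac
        done
        [ "$ok" -eq 1 ] || printf 'unexpected: %s\n' "$rel"
    done)
    [ -z "$extra" ] || { printf '%s\n' "$extra"; status=1; }
    for want in "$@"; do
        [ -f "$dir/$want" ] || { echo "missing: $want"; status=1; }
    done
    exit "$status"
)

# fetch_checked REMOTE DEST EXPECTED...   (hypothetical wrapper)
# Downloads into an empty staging directory instead of a live location such
# as $HOME, audits it, and only then copies the files to DEST. -T is not used.
fetch_checked() (
    remote=$1; dest=$2; shift 2
    stage=$(mktemp -d) || exit 1
    trap 'rm -rf "$stage"' EXIT
    scp -r -p "$remote" "$stage"/ || exit 1
    audit_staging "$stage" "$@" || exit 1
    mkdir -p "$dest" && cp -Rp "$stage"/. "$dest"/
)
```

Because scp -r recreates the top-level directory inside the destination, the expected paths passed to fetch_checked include that directory name, for example backups/monday.tar.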
As you can see, SCP is an extremely useful utility that has been around for many years and used by countless system administrators. As with any utility, there are positives and negatives, but with a proper understanding, SCP becomes an excellent tool to have in one’s toolkit.