On the client side, ssh, scp and sftp provide a wide range of capabilities. Interactive logins and file transfers are just the tip of the iceberg.
- ssh(1) - The basic login shell-like client program.
- sftp(1) - FTP-like program that works using the SSH protocol.
- scp(1) - File copy program that acts like rcp(1).
- ssh_config(5) - The client configuration file.
The SSH client
ssh is a program which provides the client side for secure, encrypted communications between hosts over an insecure network. Its main use is for logging into and running programs on a remote host. It can also be used to secure remote X11 connections and and forward arbitrary TCP ports to secure legacy protocols. ssh was made, in part, to replace insecure tools like rsh and telnet. It has largely succeeded at this goal. rsh and telnet are rarely seen anymore for interactive sessions or anywhere else. ssh can authenticate using regular passwords or with the help of a public-private key pair. More options, such as use of Kerberos, smartcards, or one-time passwords can be configured.
Remote login, authenticating via password:
$ ssh email@example.com
Another way of logging in to the same account:
$ ssh -l fred somehost.example.org
Remote programs can be run interactively when the client is run via the shell on the remote host. Or they can be run directly when passed as an argument to the SSH client. They can even be pre-configured in the authentication key or the server configuration.
Run uname on the remote machine:
$ ssh -l fred somehost.example.org "uname -a"
See what file systems are mounted and how much space is used there:
$ ssh -l fred somehost.example.org "mount; df -h"
It is possible to configure in great detail which programs are allowed by which accounts. There are many combinations of options that give extra capabilities, such as re-using a single connection for multiple sessions or passing through intermediary machines. The level of granularity can be increased even more with the help of sudo(8).
ssh client environment variables
Of course the foundation of most SSH activity is based upon the shell. Upon a successful connection, OpenSSH sets several environment variables.
SSH_CLIENT='192.168.223.17 36673 22' SSH_CONNECTION='192.168.223.17 36673 192.168.223.229 22' SSH_TTY=/dev/pts/6
SSH_CLIENT shows the address of the client system, the outgoing port number on the client system and the incoming port on the server. SSH_CONNECTION shows the address of the client, the outgoing port on the client, the address of the server and the incoming port on the server. SSH_TTY names the pseudo-terminal device, abbreviated pty, on the server used by the connection. For more information on pseudo-terminals see ptm(4), tty(1) and tty(4).
The login session can be constrained to a single program with a predetermined set of parameters using ForceCommand in the server configuration or Command= in the authorized keys file. In that case an additional environment variable gets set.
SSH_ORIGINAL_COMMAND=echo "hello, world"
Other variables are set depending on the user's shell settings and the system's own settings.
SSH client configuration options
Configuration options can be passed to ssh as arguments, see ssh(1) for the full list.
Connect very verbose output, GSSAPI authention:
$ ssh -vv -K -l account host.example.org
A subset of options can be defined on the server host in the user's own authorized keys file, in conjunction with specific keys. See sshd(8) for which subset exactly.
command="/usr/local/sbin/backup.sh",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAQEAsY6u71N... command="/usr/games/wump",no-port-forwarding,no-pty ssh-dss AAAAB3NzaC1kc3MAeELb... environment="gtm_dist=/usr/local/gtm/utf8",environment="gtm_principal_editing=NOINSERT:EDITING" ssh-rsa AAAA8a2s809poloh05yhh...
Note that some directives, like setting the environment variables, are disabled by default and must be changed in the server configuration before available to the client. More configuration directives can be set by the user in ~/.ssh/config or by the system administrator in /etc/ssh/ssh_config. These same configuration directives can be passed as arguments using -o. See ssh_config(5) for the full list with descriptions.
$ ssh -o "ServerAliveInterval=60" -o "Compression=yes" -l fred server.example.org
The system administrators of the client host can set some defaults in /etc/ssh/config. Some of these global settings can be targeted per specific group or per user.
For example, if a particular SSH server is available via port 2022, it may be convenient to have the client use that port automatically. Some of OpenBSD’s anoncvs servers accept SSH connections on this port. However, compression should not be used in this case because CVS already uses compression. So that should be turned off. So, one could specify something like the following in the $HOME/.ssh/config configuration file so that the default port is 2022 and the connection is made without compression:
Host server.example.org Compression no Port 2022
The SFTP client
sftp is an interactive file transfer program which performs all operations over an encrypted SSH transport. It may also use many features of ssh(1), such as public key authentication and compression. It is also the name of the protocol used.
The SFTP protocol is similar in some ways to the now venerable File Transfer Protocol (FTP), except that the entire session, including the login, is encrypted. However, SFTP is not FTPS. The latter old-fashioned FTP tunneled over SSH/SSL. In contrast, SFTP is actually a whole new protocol. sftp can also be made to start in a specific directory on the remote host.
$ sftp firstname.lastname@example.org:/var/www
Frequently, SFTP is used to connect and log into a specified host and enter an interactive command mode. See the manual page for sftp(1) for the available interactive commands. Also, the same configuration options that work for ssh also apply to sftp. sftp accepts all ssh_config options and these can be passed along as arguments at run time. Some have explicit shortcuts, others can be specified by naming them in full using the -o option.
$ sftp -o "ServerAliveInterval=60" -o "Compression=yes" email@example.com
Another way to transfer is to write or retrieve files automatically. If a non-interactive authentication method is used, the whole process can be automatic using batch mode.
$ sftp -b session.batch -i ~/.ssh/some_key_rsa firstname.lastname@example.org
Batch processing only works with non-interactive authentication.
The SCP client
scp is used for encrypted transfers of files between hosts and is used a lot like regular cp. It is based on and a replacement for rcp from the original Berkeley Software Distribution (BSD), but uses ssh to encrypt the connection.
The scp client, unlike the SFTP client, is not based on any formal standard. It has aimed at doing more or less what old rcp does and responding the same way. Since the same program must be used at both ends of the connection and interoperability is required with other implementations of ssh. Changes in functionality would probably break that interoperability, so new features are more likely to be added to sftp if at all. Thus, it is best to lean towards using sftp instead when possible.
Copy from remote to local:
$ scp email@example.com:*.txt .
Copy from local to remote, recursively:
$ scp -r /etc firstname.lastname@example.org:.
See also the sftp client above.
There are a great many graphical utilities that support SFTP and SSH. Many started out as transfer utilities with the outdated legacy protocol FTP and grew with the times to include SSH and SFTP support. Sadly, many retain the epithet FTP program despite modernization. Others are more general file managers that include SFTP support as one means of network transparency. Most if not all provide full SFTP support including kerberos authentication.
Below is a partial list to give an idea of the range of options available.
Bluefish is a website managment tool and web page editor with built in support for SFTP. Closed source competitors XMetaL and Dreamweaver are said to have at least partial support for SFTP. Nothing for Quanta+ or Kompozer as of this writing. http://bluefish.openoffice.nl/
Cyberduck is a remote file browser for the Macintosh. It supports an impressive range of protocols in addition to SFTP. http://cyberduck.ch/
Dolphin is a highly functional file manager for the KDE desktop, but can also be run in other environments. It includes SFTP support
Fetch, by Fetch Softworks, is a reliable and well-known SFTP client for the Macintosh. It's been around since 1989, starting life as just an FTP client, and has many useful features combined with ease of use. It is closed source, but academic institutions are eligible for a free of charge site license. http://fetchsoftworks.com/fetch/
Filezilla is presented as a FTP utility, but it has built in support for SFTP. It is available for multiple platforms under the GPL. http://filezilla-project.org/
FireFTP is a SFTP plugin for Mozilla Firefox. Though it is presented as an FTP add-on, it supports SFTP. It is available under both the MIT license and the GPL. http://fireftp.mozdev.org/
Fugu, developed by the University of Michigan research systems unix group, is a graphical front-end for the Macintosh. http://rsug.itd.umich.edu/software/fugu/
gFTP is a multi-threaded file transfer client http://www.gftp.org/
Konqueror is a file manager and universal document viewer for the KDE desktop, but can also be run in other environments. It includes SFTP support. http://www.konqueror.org/
lftp is a file transfer program that supports multiple protocols. http://lftp.yar.ru/
Nautilus is the default file manager for the GNOME desktop, but can also be run in other environments. It includes SFTP support
PCManFM is an extremely fast, lightweight, yet feature-rich file manager with tabbed browsing which is the default for LXDE. It includes SFTP support. http://wiki.lxde.org/en/PCManFM
PuTTY is another FOSS implementation of Telnet and SSH for legacy and Unix platforms, released under the MIT license. It includes an SFTP client, PSFTP, in addition to an xterm terminal emulator and other tools like a key agent, Paegent. It is written and maintained primarily by Simon Tatham. http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Remmina is a remote desktop client written in GTK+ which supports multiple network protocols, including SSH. http://www.remmina.org/
SecPanel is a GUI for managing and running SSH and scp connections. It is not a new implementation of the protocol or software-suite, but sits on top of either of the SSH software-suites http://themediahost.de/secpanel/
Thunar is the default file manager for the XFCE desktop. It includes SFTP support. http://docs.xfce.org/xfce/thunar/start
Yafc is Yet Another FTP Client and despite the name supports SFTP. http://yafc.sourceforge.net/
Overview • Why Encryption • Protocols • Implementations • Clients • Client Configuration • Server • Patterns • Utilities • Third Party • Logging • Development