scpg3
[
options
...]
[ src_profile
: |
[user@
]
src_host
[#port
]: ]
src_file
...
[ dst_profile
: |
[user@
]
dst_host
[#port
]: ]
dst_file_or_dir
scpg3
(scpg3.exe on Windows) is used to securely copy
files over the network. scpg3 launches ssh-broker-g3 to
provide a secure transport using the Secure Shell version 2 protocol.
ssh-broker-g3 will ask for passwords or passphrases if they are needed
for authentication. scpg3 uses the configuration specified in the
ssh-broker-config.xml
file.
Copies between two remote hosts are permitted. The remote host(s) must be running a Secure Shell version 2 server with the sftp-server (or sft-server-g3) subsystem enabled. Tectia Server has sft-server-g3 enabled by default.
Any filename may contain a host, user, and port specification to indicate that the file is
to be copied to or from that host ([user@
] host
[#port
]). If no
user name is given, the local user name is assumed. If no port is given, the default Secure
Shell port 22 is assumed. Alternatively, a connection profile defined in the
ssh-broker-config.xml
file (profile
) can be
given.
Note | |
---|---|
When entering a connection profile in the scpg3 command, note that
Tectia Client deduces the meaning of the argument differently depending on its format. If
there is an Also, if there are dots in a profile name (for example
|
The host
parameter can optionally be enclosed in square
brackets ([]) to allow the use of semicolons. The
file
argument can contain simple wildcards: asterisk
(*) for any number of any characters, and question mark
(?) for any one character.
For information on special characters in file names, see the section called “Filename Support”.
The following command-line parameters can be used to further specify the scpg3 options.
-4
Defines that all connection-related DNS resolutions will be resolved as an IPv4 address.
-6
Defines that all connection-related DNS resolutions will be resolved as an IPv6 address.
-a
[
arg
]
Transfers files using the ASCII mode, that is, newlines will be converted on the fly. For transfers between Tectia on z/OS and other hosts, this also enables automatic ASCII-EBCDIC conversions. See the sftpg3 ascii command in the section called “Commands”.
If the server does not advertise the newline convention, and you are not using a
host profile that specifies its host type, you can give scpg3 a hint
by giving an argument after -a
. The default is to set the destination
newline convention, but you can specify either one by prefixing the argument with
src:
or dest:
for source or destination convention,
respectively. The available conventions are dos
, unix
,
and mac
, using \r\n
, \n
, and
\r
as newlines, respectively. Note that there is no space between the
-a
and its argument. An example is shown below:
$ scpg3 -asrc:unix -adest:dos src_host:src_file dest_host:dest_file
To force the newline conventions, use these values: force-dos
,
force-unix
, and force-mac
. These settings force the
newline mode irrespective of what the remote SSH server suggests to the SCP client.
-B, --batch-mode
Uses batch mode. Fails authentication if it requires user interaction on the terminal.
Using batch mode requires that you have previously saved the server host key on the client and set up a non-interactive method for user authentication (for example, host-based authentication or public-key authentication without a passphrase).
-b
buffer_size_bytes
Defines the maximum buffer size for one SFTP protocol read or write request
(default: 32768
bytes).
The maximum number of SFTP protocol read or write requests sent in parallel within
the transfer of a single file can be specified with the -N
option.
Note that when streaming (see --streaming
)
is used (as it is by
default when transferring files larger than buffer_size_bytes
to/from Tectia Server), this option is not used for defining buffer sizes.
-C
Disables compression from the current connection.
+C
Enables zlib compression for this particular connection.
-c, --ciphers=
LIST
Sets the allowed ciphers in their preferred order offered to the server. List the cipher names in a comma-separated list. For example:
--ciphers AEAD_AES_128_GCM,seed-cbc@ssh.com,aes256-cbc
Value any
allows all supported algorithms.
Enter help
as the value to view the currently supported cipher
names.
-D, --debug=
LEVEL
Sets the debug level. LEVEL
is a number from 0 to 99,
where 99 specifies that all debug information should be displayed. This should be the
first argument on the command line.
Note | |
---|---|
Option |
Note | |
---|---|
The debug level can be set only when the scpg3 command starts the Connection Broker. This option has no effect in the command if the Connection Broker is already running. |
-d
Forces target to be a directory.
-I, --interactive
Prompts whether to overwrite an existing destination file (does not work with
-B
).
-i
FILE
Defines that private keys defined in the identification file are used for public-key authentication.
-K, --identity-key-file=
FILE
Defines that the given key file of a private key or certificate is used in user authentication. The path to the key file is given in the command.
If the file is a private key, it will be read and compared to the keys already known
by the Connection Broker key store. If the key is not known, it will be decoded and added to the key
store temporarily. If the file is a certificate and Connection Broker knows a matching private key,
it will be used. Both the certificate and the private key can be given using multiple
-K
options on command line.
-m
fileperm
[:dirperm
]
This option can be used only on Windows. Sets the default file and directory permission bits for file upload to Unix servers.
-N
max_requests
Defines the maximum number of SFTP protocol read or write requests sent in parallel (default: 10).
The size of the buffer used in each read or write request can be specified with the
-b
option.
Note that this value applies within the transfer of a single file; it cannot be used to define the number of files sent in parallel.
When streaming (see --streaming
)
is used (as it is by
default when transferring files larger than buffer_size_bytes
specified with the -b
option to/from Tectia Server), this option is not
used.
-O, --offset=
r
<offset>
|
w
<offset>
|
l
<length>
|
t
<length>
Sets offset. Offset r
<offset>
specifies the start offset in the source file. Offset
w
<offset>
specifies the start offset
in the destination file. Length
l
<length>
specifies the amount of
data to be copied. Truncate length
t
<length>
, if given, specifies the
length to which the destination file is truncated or expanded after the file data has
been copied.
-p
Preserves the file permissions and the timestamps when both the source and the destination are on Unix file systems (including z/OS USS). Preserves the timestamps but not the file permissions, if either one, the source or the destination is on Windows. If the destination is on z/OS MVS, none will be preserved.
-P
port
Connects to this Secure Shell port on the remote machine (default:
22
).
-Q
Does not show progress indicator. The effect of this option is the same as using
--progress-display=no
.
Do not use this option together with parameter --statistics
.
-q
Uses quiet mode (only fatal errors are shown). This option overrides the
quiet-mode
setting made in the Connection Broker configuration file.
-r
Recurses subdirectories.
-u, --unlink-source
Removes source files after copying (file move).
-v, --verbose
Uses verbose mode (equal to -D 2
).
-W, --whole-file
Does not try incremental checks. By default (if this option is not given),
incremental checks are tried. This option can only be used together with the
--checksum
option.
--aa, --allowed-authentications=
METHODS
Defines the only allowed methods that can be used in user authentication. List the methods in a comma-separated list. For example:
--allowed-authentications keyboard-interactive,password
Enter help
as the value to view the currently supported
authentication methods.
--any-alg
Allow any supported cipher, mac, kex, hostkey and publickey algorithm to be used.
--append
Appends data to the end of the destination file.
--binary
Uses binary transfer mode. If the server is Tectia Server for IBM z/OS, the server is requested not to
perform ASCII to EBCDIC conversion, and the file is transferred using the Stream format.
You can use the --src-site
and --dst-site
options to
change the values.
--checkpoint=b
<bytes>
Byte interval between checkpoint updates (default: 10 MB). This option can only be
used when --checksum=checkpoint
.
--checkpoint=s
<seconds>
Time interval between checkpoint updates (default: 10
seconds). This option can only be used when
--checksum=checkpoint
.
--checksum
[
=yes
|
no
|
md5
|
sha1
|
sha256
|
sha512
|
md5-force
|
sha1-force
|
sha256-force
|
sha512-force
|
checkpoint
]
Uses MD5, SHA-1 or SHA-2 checksums or a separate checkpoint database to determine the point
in the file where file transfer can be resumed. Files smaller than
buffer_size_bytes
are not checked unless forced,
i.e. sha1-force
. (default:
yes
, uses SHA-1 checksums in FIPS mode, MD5 checksums otherwise).
Use checkpointing when transferring large files one by one.
--compressions=
METHODS
Sets the allowed compression methods to be offered to the server. List the methods in a comma-separated list.
Enter help
as the value to view the currently supported compression
methods.
--dst-site=
PARAM
Uses the specified site parameters with the destination files. See the sftpg3 site command in the section called “Commands”.
--exclusive
Defines that a new connection will be opened for each connection attempt, otherwise Connection Broker can reuse recently closed connections.
--fips
Performs the checksums using the FIPS cryptographic library.
--force-lower-case
Destination filename will be converted to lowercase characters.
--hostkey-algorithms=
HOSTKEYALGORITHMS
Sets the allowed host key algorithms to be offered to the server. List the host key algorithms in a comma-separated list. For example:
--hostkey-algorithms ssh-dss-sha224@ssh.com,ssh-dss-sha256@ssh.com
Value any
allows all supported algorithms.
Enter help
as the value to view the currently supported host key
algorithms.
--overwrite
[
=yes
|
no
]
Selects whether to overwrite existing destination file(s) (default:
yes
).
--identity=
ID
Defines that the ID of the private key is used in user authentication. The ID can be Connection Broker-internal ordinary number of the key, the key hash or the key file name.
--identity-key-hash=
ID
Defines the private key used in user authentication with the corresponding public key hash.
--identity-key-id=
ID
Defines that the Connection Broker-internal ordinary number of the key is used in user authentication.
--keep-alive=
VALUE
Defines how often keep-alive messages (non-operation packages) are sent to the Secure Shell server. Enter the value as seconds. The default value is 0, meaning that keep-alive messages are disabled.
--kexs=
kexs
Sets the allowed key exchange (KEX) methods to be offered to the server. List the KEX names in a comma-separated list. For example:
--kexs diffie-hellman-group14-sha224@ssh.com,diffie-hellman-group14-sha256@ssh.com
Value any
allows all supported algorithms.
Enter help
as the value to view the currently supported KEX
methods.
--kip
Defines keyboard-interactive and password as the allowed methods for user authentication; the same as
--allowed-authentications keyboard-interactive,password
--macs=
LIST
Sets the allowed MACs in preferred order to be offered to the server. List the MAC names in comma-separated list. For example:
--macs hmac-sha2-256,hmac-sha1-96,hmac-md5
Value any
allows all supported algorithms.
Enter help
as the value to view the currently supported MAC
names.
--password=
PASSWORD
|
file://
PASSWORDFILE
|
extprog://
PROGRAM
Sets user password that the client will send as a response to password
authentication. The PASSWORD
can be given directly as an
argument to this option (not recommended). Better alternatives are entering a path to a
file containing the password
(--password=file://
PASSWORDFILE
), or
entering a path to a program or script that outputs the password
(--password=extprog://
PROGRAM
).
When using the extprog://
option to refer to a shell script, make
sure the script also defines the user's shell, and outputs the actual password.
Otherwise the executed program fails, because it does not know what shell to use for the
shell script. For example, if the password string is defined in a file named
my_password.txt
, and you want to use the bash shell, include
these lines in the script:
#!/usr/bash cat /full/pathname/to/my_password.txt
Caution | |
---|---|
Supplying the password on the command line is not a secure option. For example, in a multi-user environment, the password given directly on the command line is trivial to recover from the process table. You should set up a more secure way to authenticate. For non-interactive batch jobs, it is more secure to use public-key authentication without a passphrase, or host-based authentication. At a minimum, use a file or a program to supply the password. |
--plugin-path=
PATH
Sets plugin path to PATH
. This is only used in the FIPS
mode.
--prefix=
PREFIX
Adds a prefix to a filename during the file transfer. The prefix is removed after the file has been successfully transferred.
On z/OS, when applied to MVS data set names, the prefix is inserted after the High Level Qualifier (HLQ). In case you want the prefix to be a separate qualifier, include a dot at the end of the prefix:
--prefix=PREFIX.
--publickey-algorithms=
PUBLICKEY_ALGORITHMS
Allow only selected signature algorithms to be used in public key authentication. For example:
--publickey-algorithms=x509v3-ssh-rsa,rsa-sha2-512
Value any
allows all supported algorithms.
Enter help
as the value to view the available signature algorithms.
--src-site=
PARAM
Uses the specified site parameters with the source files. See the site command in the section called “Commands”.
--statistics
[
=no
|
yes
|
simple
]
Note | |
---|---|
In release 6.1.5, the behavior of the |
The --statistics
option chooses the style of the statistics to be
shown after a file transfer operation. Note that --statistics
and
--summary-display
must not be used together.
The --statistics
option takes the following values:
no
- no statistics will be created.
yes
- shows a progress bar during the file transfer. This is the
default. An example of the output:
scpg3 --statistics="yes" sourcefile destinationfile sourcefile | 127MB | 42.9MiB/s | TOC: 00:00:03 | 100%
simple
- simple one-line statistics will be displayed after the
file transfer has ended. For example:
scpg3 --statistics=simple sourcefile destinationfile sourcefile | 127MB | 151.3MiB/s | TOC: 00:00:00 | 100%
--summary-display
[
=no
|
yes
|
simple
|
bytes
]
Chooses the style of the file transfer summary data to be displayed after a file transfer operation. With the summary display, the progress bar data is also displayed by default.
Note that --summary-display
and --statistics
must
not be used together.
The --summary-display
option takes the following values:
no
- no summary data will be created. This is the default.
yes
- detailed summary data will be created. You can configure the
contents with the summary-format
option. By default, the following
contents are displayed in the summary:
Default settings: Render for example this: "Source: %c:%g\n" user@host1#22:/path/to/source/file "Source parameters: %e\n" X=TEXT, C=ISO8859-1,D=IBM.1047 "Destination: %C:%G\n" user@host2#22:/path/to/destination/file "Destination parameters: %E\n" NONE "File size: %s bytes\n" 123456 bytes "Transferred: %t bytes\n" 123456 bytes "Rate: %RB/s\n" 345kiB/s "Start: %xy-%xt-%xd %xh:%xm:%xs\n" 2010-01-26 13:10:56 "Stop: %Xy-%Xt-%Xd %Xh:%Xm:%Xs\n" 2010-01-26 13:23:30 "Time: %y\n" 00:12:34
simple
- simple one-line summary will be displayed. For
example:
scpg3 --summary-display=simple sourcefile destinationfile sourcefile | 127MB | 151.3MiB/s | TOC: 00:00:00 | 100%
bytes
- basic statistics reporting the transferred bytes will be
displayed. For example:
scpg3 --summary-display=bytes sourcefile destinationfile Transferred 12915145984 bytes, file: 'sourcefile' -> 'destinationfile'
--summary-format=
FORMAT_STRING
Chooses the format and the contents of the summary. You can use this option when
--summary-display=yes
. Do not use this option with
--statistics
.
Select the contents for the summary using the following definitions:
%c - source connection: user@host#port or profile %C - destination connection: user@host#port or profile %D* - current date %e - source parameters (file transfer and data set parameters) %E - destination parameters (file transfer and data set parameters) %f - source file name %F - destination file name %g - /path/to/source/file %G - /path/to/destination/file %k - compression done ("zlib" or "none") %p - transfer percentage %q - transfer rate in bit/s %Q - transfer rate as "XXyb/s" (b/s, kib/s, Mib/s, Gib/s) %r - transfer rate in bytes/s %R - transfer rate as "XXyB/s" (B/s, kiB/s, MiB/s, GiB/s) %s - file size in bytes %S - file size as "XXyB" (B, kiB, MiB or GiB) %t - transfer size in bytes %T - transfer size as "XXyB" (B, kiB, MiB or GiB) %x* - start date %X* - end date %y - elapsed time %Y - time remaining %z - ETA or TOC, if transfer has finished %Z - string "ETA" or "TOC", if transfer has finished Where * is one of the following: h - hours (00-23) m - minutes (00-59) s - seconds (00-59) f - milliseconds (0-999) d - day of the month (1-31) t - month (1-12) y - year (1970-) Other special characters in format strings are: \n - line feed \r - carriage return \t - horizontal tab \\ - backslash
--progress-display
[
=no
|
bar
|
line
]
Chooses the mode of displaying the progress during a file transfer operation. The
default is bar
, which shows a progress bar. Option
line
shows the progress information according to the settings made in
the --progress-line-format
option.
Do not use this option with --statistics
.
--progress-line-format=
FORMAT_STRING
Chooses what information will be shown on the progress line. You can use this option
when --progress-display=line
.
Do not use this option with --statistics
.
Select the contents for the progress line using the definitions described for
command: --summary-format
--progress-line-interval=
seconds
Defines how often the progress information is updated in line mode. The interval is given in seconds, and the default is 60 seconds.
Do not use this option with --statistics
.
--streaming
[
=yes
|
no
|
force
|
ext
]
Uses streaming in file transfer, if server supports it. Files smaller than
buffer_size_bytes
are not transferred using streaming. Use
force
with small files. Default: yes
Use ext
with z/OS hosts to enable direct MVS data set access. Use
this option only when the file transfer is mainly used for mainframe data set transfers,
as it can slow down the transfer of small files in other environments.
The --streaming=ext
option requires also the
--checksum=no
option, because if checksums are calculated, the file
transfer uses staging, which excludes streaming.
--sunique
Stores files with unique names. In case more than one of the
transferred files have the same name, this feature adds a sequential number to the end
of the repeated file name, for example: file.name
,
file.name1
, and file.name2
.
--tcp-connect-timeout=
VALUE
Defines a timeout period (in seconds) for establishing a TCP connection to the Secure Shell server. Enter the timeout value as a positive number. Value 0 (zero) disables this feature and the default system TCP timeout will be used instead.
--template-profile profile
Use the specified profile when connecting.
--user=
USERNAME
Logs in using this user name if the user name is not provided in the address string.
-V, --version
Displays program version and exits.
-h, --help, -?
Displays a short summary of command-line options and exits.
Different operating systems allow different character sets in filenames. On Unix, some of the special characters are allowed in filenames, but on Windows, the following characters are not allowed:
\/ : * ? " < > |
When you use the scpg3 command to copy files with special characters
(for example unixfilename*?".txt
) from a Unix server to Windows, you need
to provide the files with new names that are acceptable on Windows. Enter the commands in the
following format:
$ scpg3 user@unixserver:"unixfilename~*~?\".txt" windowsfilename.txt
The general rule is to follow your platform specific syntax when you enter filenames containing special characters as arguments to the scpg3 command.
Tectia fully supports filenames containing only ASCII and UTF-8 characters. Filenames containing characters from other character sets are not guaranteed to work.
The scpg3 command supports *
and
?
as wildcards.
The wildcards can be used both on the remote and the local side in the commands. The
following example command will copy all text files (*.txt
) from all
subdirectories of directory dir2
whose names begin with the prefix
data-
into the current local directory ( .
):
$ scpg3 -r user@server
:"dir2/data-*/*.txt" .
Note that on Unix, the characters * and ? can appear also in the filenames. So it is necessary to use escape characters to distinguish the wildcards from the characters belonging to a filename. See more information in the section called “Escaping Special Characters”.
Some special characters that are used in filenames in different operating system, may have a special meaning in the Tectia commands. Note also that the meaning can be different in various parts of the file transfer system.
In the scpg3 command, the following characters have a special meaning, and they need to be escaped in commands that take filenames as arguments:
* asterisk is a wildcard for any number of any characters
? question mark is a wildcard for any single character
"" quotation marks placed around strings that are to be taken 'as is'
\ backslash is an escape character on Unix
~ tilde is an escape character on Windows.
The escape character tells the scpg3 command to treat the next character "as is" and not to assume any special meaning for it. The escape character is selected according to the operating system of the local machine.
Note that the \ and ~ characters are special characters themselves, and if they are present in the filename, escape characters must be placed in front of them, too. Therefore, if you need to enter a filename containing \ in Unix or ~ in Windows to the scpg3 command, add the relevant escape character to it:
\\ on Unix
~~ on Windows
See the examples below to learn how the escape characters are used in the Tectia scpg3 command, and how to enter filenames with special characters in different operating systems.
The following filenames are valid in Unix, but they need escape characters in the commands:
file|name.txt file-"name".txt file?name.txt file*name.txt file\name.txt file - name.txt file~name.txt
When using the scpg3 command on Unix, in certain cases several escape characters are needed, as they escape one another. Enter the above mentioned filenames in the following formats:
file\|name.txt or "file|name.txt" file-\"name\".txt file\\\?name.txt or "file\?name.txt" file\\\*name.txt or "file\*name.txt" file\\\\name.txt or "file\\\name.txt" file\ -\ name.txt or "file - name.txt" file~name.txt
Example commands on Unix:
$ scpg3 user@server
:file\\\*name.txt .
$ scpg3 user@server
:file\ -\ name.txt .
When using the scpg3 command on Windows, enter the above mentioned Unix filenames in the following formats:
"file|name.txt" file-\"name\".txt (Note that Windows requires \ to escape the " character) "file~?name.txt" "file~*name.txt" file~\name.txt "file - name.txt" file~~name.txt
The operating system interprets the quotation marks ("") here so that the scpg3 command receives the string without the quotation marks as a parameter.
Example commands on Windows:
> scpg3 user@server
:"file~*name.txt" filename.txt
> scpg3 user@server
:"file - name.txt" .
scpg3 uses the following environment variables:
=yes|no|md5|sha1|sha256|sha512|md5-force|sha1-force|sha256-force|sha512-force|checkpoint
Defines the setting for comparing checksums. For more information on the available values, see checksum .
=yes|no
If this variable is set to yes
, the number of transferred bytes is
shown after successful file transfer. Also the names of source and destination files are
shown. The default is no
.
=yes|no|simple
If this variable is set to yes
(default), normal progress bar is
shown while transferring the file. If it is set to no
, progress bar is
not shown. If it is set to simple
file transfer statistics are shown
after the file has been transferred.
=0|1
If this variable is set to 0
, the default charset mode UTF-8 is
disabled. To force UTF-8 charset mode for file names, set the variable to
1
.
scpg3 returns the following values based on the result of the operation:
0 Operation was successful. 1 Internal error. 2 Connection aborted by the user. 3 Destination is not a directory, but a directory was specified by the user. 4 Connecting to the host failed. 5 Connection lost. 6 File does not exist. 7 No permission to access file. 8 Undetermined error from sshfilexfer. 11 Some non-fatal errors occured during a directory operation. 101 Wrong command-line arguments specified by the user.
Copy files from your local system to a remote Unix system:
$ scpg3 localfile user@remotehost:/dst/dir/
Copy files from your local system to a remote Windows system:
$ scpg3 localfile user@remotehost:/C:/dst/dir/
Copy files from a remote system to your local disk:
$ scpg3 user@remotehost:/src/dir/srcfile /dst/dir/dstfile
Copy files from one remote system to another using connection profiles defined in the
ssh-broker-config.xml
file:
$ scpg3 profile1:/src/dir/srcfile profile2:/dst/dir/dstfile