Bitvise SSH Client 8.36 - sftpc, a command line SFTP client
Copyright (C) 2000-2019 by Bitvise Limited.

Version status: Current, up to date

USAGE:

sftpc [username@]host[:port] OR -profile=file
      [-host=host] [-port=port] [-obfs=y|n] [-obfsKw=keyword] [-spn=SPN]
      [-gkx=y|n] [-gkxDlg=y|n] [-user=username] [-gka]
      [-gma [-krb OR -ntlm] [-gmaDlg]] [-pk=location [-pp=passphrase]]
      [-pw=password [-kbdiFallback=y|n]] [-pwKbdi=password]
      [-kbdi [-sub=submethods]] [-elevation=y|n|d] [-unat=y|n]
      [-trustLsp=y|n] [-preferIP6=y|n]
      [-encrAlgs=list] [-encrMod=mod-list] [-macAlgs=list] [-macMod=mod-list]
      [-cmprAlgs=list] [-cmprMod=mod-list] [-kexAlgs=list] [-kexMod=mod-list]
      [-hkeyAlgs=list] [-hkeyMod=mod-list] [-ka=y|n] [-kre=y|n]
      [-noFlowCtl=p|s|n] [-noRegistry OR -baseRegistry=registry-key]
      [-proxy=y|n [-proxyType=type] -proxyServer=server [-proxyPort=port]
        [-proxyUsername=username [-proxyPassword=password]]
        [-proxyResolveLocally=y|n]]
      [-hostKeyFp=fingerprints] [-hostKeyFile=file]
      [-keypairFile=file [-keypairPassphrase=passphrase]]
      [-traceLog] [-flowDebugFile=file] [-title=title] [-bg]
      [-progress=standard|percent|dots|none] [-pipelineSize=kbytes]
      [[-ce] commands OR -cmd=commands OR -cmdFile=file]

PARAMETERS:

-profile=file
    Load session parameters from the specified Bitvise SSH Client profile. If a command line parameter is additionally provided for any of the profile settings, the command line parameter overrides the profile.

-host=host
    The server host to connect to, overriding any already set host.

-port=port
    The port on the server to connect to, overriding any already set port. If the port number is unspecified or 0, the client will try to determine the port number based on stored host keys that match the destination host. If no matching host keys are found, or there are multiple host keys for different ports, port 22 will be used.

-obfs=y|n
    If the SSH server to which you are connecting uses SSH protocol obfuscation, you can use this parameter to enable it.
    Obfuscation is supported by some SSH servers, and makes it more difficult for an outside observer to detect that the protocol being used is SSH.

-obfsKw=keyword
    If the SSH server to which you are connecting uses an obfuscation keyword, you can use this parameter to provide it.

-spn=SPN
    If specified, Bitvise SSH Client will use the value of this parameter as the service principal name during Kerberos authentication. If not specified, Bitvise SSH Client will use a default, but possibly incorrect, SPN based on the SSH server's host name.

-gkx=y|n
    Enable GSS/Kerberos key exchange with Kerberos host authentication. Disabled by default, but can also be disabled explicitly to override profile setting.

-gkxDlg=y|n
    Permit access delegation. Disabled by default, but can also be disabled explicitly to override profile setting. For use only with GSS/Kerberos key exchange.

-user=username
    The username to log in with, overriding the already set username.

-gka
    Log in using the gssapi-keyex method. Available only when GSS key exchange with Kerberos host authentication has been performed. Can be combined with other authentication methods, in which case gssapi-keyex is attempted first.

-gma
    Log in using the gssapi-with-mic method. Can be combined with other authentication methods, in which case gssapi-with-mic is attempted after gssapi-keyex.

-krb
    Use gssapi-with-mic with the Kerberos mechanism only.

-ntlm
    Use gssapi-with-mic with the NTLM mechanism only.

-gmaDlg
    Permit access delegation - disabled by default. For use only with gssapi-with-mic user authentication.

-pk=location
    Log in using the 'publickey' method, with the client key stored on the specified location. Can be combined with other authentication methods. In this case, 'publickey' is attempted before other methods, but after gssapi-with-mic. Use "a" to automatically try any key the server will accept. To use a key stored globally in Windows registry for the current Windows user, identify the key as "" or "g".
    For keys stored in a profile provided with the -profile parameter, identify the key as "p". For keys accessible using a PuTTY or OpenSSH authentication agent, use "t" for PuTTY, "o" for OpenSSH.
    Examples:
      -pk=3 for the third key configured globally for the Windows user;
      -pk=p1 for the first key stored in the provided profile;
      -pk=a for any available key the server will accept.

-pp=passphrase
    A passphrase for the keypair specified with -pk.

-pw=password
    Log in with the specified password. Can also be combined with other authentication methods, in which case the password is attempted after the publickey method. Can be used alone, without =password, to interactively prompt for a password.

-kbdiFallback=y|n
    A variety of servers, especially Unix-based, accept password authentication, but require the password to be sent using the authentication method 'keyboard-interactive' instead of 'password'. If the client cannot authenticate using 'password', and the server offers 'keyboard-interactive', this option controls whether the SSH Client should fall back and try to send the password using 'keyboard-interactive'. Enabled by default.

-pwKbdi=password
    Log in with the specified password, sent using the 'keyboard-interactive' authentication method. Can also be combined with other authentication methods, in which case the password is attempted after the 'publickey' method. Can be used alone, without =password, to interactively prompt for a password.

-kbdi
    Log in with the keyboard-interactive method. Can also be combined with other authentication methods, in which case the keyboard-interactive method is attempted last.

-sub=submethods
    Optional submethods for keyboard-interactive.

-elevation=y|n|d
    When connecting to a server that supports the "elevation" extension, whether the client should request elevation ('y'), no elevation ('n'), or the server's default behavior ('d'). On a Windows server, elevation state can only be chosen for sessions with an interactive logon type.
    In Bitvise SSH Server, logon type can be configured in Advanced settings, under Session setup in an account or group settings entry. Not usable with GSSAPI: sessions that authenticate using Kerberos or NTLM will use the elevation state of the SSH client.

-trustLsp=y|n
    If enabled, only a narrow selection of trusted Windows Sockets LSP providers will be used, promoting stability, but at a possible expense of connectivity. If disabled, any LSP that is installed will be used, promoting connectivity, but at a possible expense of stability. By default, only trusted LSPs are used.

-preferIP6=y|n
    This setting comes into effect when connecting to a DNS name that resolves to both IPv4 and IPv6 addresses. If enabled, the SSH Client will try to connect to IPv6 addresses first and then, if unable to connect to any of these, to IPv4 addresses. If disabled, IPv4 addresses will be preferred over IPv6.

-unat=y|n
    Use unattended mode to prevent any user interaction by the SSH session - in particular, host key verification and user authentication. Unattended mode is used by default only with the -cmd or -cmdFile parameters.

-encrAlgs=list
    A complete, comma-separated priority list of session encryption algorithms. To add or remove a specific algorithm, see -encrMod. Both SSH algorithm names ('aes256-gcm@openssh.com') and user-friendly names ('aes256-gcm') can be used. If not specified, the following default list is assumed:
    aes256-gcm,aes256-ctr,aes192-ctr,aes128-gcm,aes128-ctr,3des-ctr.

-encrMod=mod-list
    A comma-separated list of encryption algorithms to enable or disable. Allows modifying the algorithm list without having to pass a complete new list of algorithms. Names prefixed with '+' are added to the front of the list. Names without a prefix are appended at the end. Names prefixed with '!' are removed. Both SSH algorithm names ('aes256-gcm@openssh.com') and user-friendly names ('aes256-gcm') can be used.
    Example: -encrMod=+aes256-gcm,!3des-ctr

-macAlgs=list
    A complete, comma-separated priority list of session integrity algorithms. To add or remove a specific algorithm, see -macMod. If not specified, the following default list is assumed:
    hmac-sha2-256,hmac-sha1.

-macMod=mod-list
    A comma-separated list of session integrity algorithms to enable or disable. Allows modifying the algorithm list without having to pass a complete new list of algorithms. Names prefixed with '+' are added to the front of the list. Names without a prefix are appended at the end. Names prefixed with '!' are removed.
    Example: -macMod=!hmac-sha1

-cmprAlgs=list
    A complete, comma-separated priority list of session compression algorithms. To add or remove a specific algorithm, see -cmprMod. If not specified, the following default list is assumed:
    none,zlib.

-cmprMod=mod-list
    A comma-separated list of compression algorithms to enable or disable. Allows modifying the algorithm list without having to pass a complete new list of algorithms. Names prefixed with '+' are added to the front of the list. Names without a prefix are appended at the end. Names prefixed with '!' are removed.
    Example: -cmprMod=+zlib

-kexAlgs=list
    A complete, comma-separated priority list of key exchange algorithms. To add or remove a specific algorithm, see -kexMod. Both SSH algorithm names ('curve25519-sha256@libssh.org') and user-friendly names ('Curve25519') can be used. If not specified, the following default list is assumed:
    Curve25519,ECDH/secp256k1,ECDH/nistp521,ECDH/nistp384,ECDH/nistp256,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256.
    If -gkx is specified, the following GSS algorithms are prepended:
    gss-group16-sha512/Kerberos,gss-group15-sha512/Kerberos,gss-group14-sha256/Kerberos,gss-gex-sha1/Kerberos,gss-group14-sha1/Kerberos.
    When connecting to non-Bitvise servers, any algorithms with DH group exchange are automatically de-prioritized to the end of the list for compatibility reasons.

-kexMod=mod-list
    A comma-separated list of key exchange algorithms to enable or disable. Allows modifying the algorithm list without having to pass a complete new list of algorithms. Names prefixed with '+' are added to the front of the list. Names without a prefix are appended at the end. Names prefixed with '!' are removed. Both SSH algorithm names ('curve25519-sha256@libssh.org') and user-friendly names ('Curve25519') can be used.
    Example: -kexMod=diffie-hellman-group14-sha1

-hkeyAlgs=list
    A complete, comma-separated priority list of host key algorithms. To add or remove a specific algorithm, see -hkeyMod. Both SSH algorithm names ('ssh-dss') and user-friendly names ('DSA') can be used. If not specified, the following default list is assumed:
    RSA/sha2-512,RSA/sha2-256,Ed25519,ECDSA/secp256k1,ECDSA/nistp521,ECDSA/nistp384,ECDSA/nistp256,RSA.

-hkeyMod=mod-list
    A comma-separated list of host key algorithms to enable or disable. Allows modifying the algorithm list without having to pass a complete new list of algorithms. Names prefixed with '+' are added to the front of the list. Names without a prefix are appended at the end. Names prefixed with '!' are removed. Both SSH algorithm names ('ssh-dss') and user-friendly names ('DSA') can be used.
    Example: -hkeyMod=DSA

-ka
    Keep-alive / broken session detection - enabled by default, but can also be enabled explicitly to override profile.

-kre
    Key re-exchange - enabled by default, but can also be enabled explicitly to override profile.

-noFlowCtl=p|s|n
    Specify the value 'p' to prefer the no-flow-control extension if the server supports it. Use 's' to support the no-flow-control extension, but only if the server prefers it. Use 'n' to not use the no-flow-control extension.

-noRegistry
    Do not load settings from or store them to Windows registry.
    Use of global client proxy settings, host key database, and user keypair database is prevented.

-baseRegistry=registry-key
    A base Windows registry key to replace the default 'HKEY_CURRENT_USER\Software\Bitvise' key.

-proxy=y|n
    Use a proxy server, overrides global client proxy settings.

-proxyType=type
    The type of proxy server to use. 'SOCKS4', 'SOCKS5', and 'HTTP' proxy types are supported. 'SOCKS4' is set by default.

-proxyServer=server
    The IP address or DNS name of the proxy server.

-proxyPort=port
    The proxy server port, 1080 by default.

-proxyUsername=username
    The proxy server username (SOCKS5 and HTTP only).

-proxyPassword=password
    The proxy server password (SOCKS5 and HTTP only).

-proxyResolveLocally=y|n
    Resolve a DNS name locally before passing it to the proxy when this flag is used.

-hostKeyFp=fingerprints
    A comma-separated list of SHA-256, Bubble-Babble, or MD5 fingerprints of host keys to accept, used additionally to global and per-profile host keys.

-hostKeyFile=file
    A file containing host keys to accept, used additionally to global client host key database.

-keypairFile=file
    A file containing a private key for authentication.

-keypairPassphrase=passphrase
    Provide a passphrase for the keypair specified with the -keypairFile parameter. Passphrase must always be present when an OpenSSH encoded and passphrase protected keypair is specified.

-traceLog
    Enable trace logging. Causes trace messages to appear in addition to the client's normal output.

-flowDebugFile=file
    Records an extremely detailed debug log of the session in the specified textual file. If the file already exists, it will be appended to. The recording may include potentially sensitive information exchanged over the session, stored in the file in plaintext.

-title=title
    Use this parameter to set a custom console window title.

-bg
    Start downloads and uploads in background by default.

-progress=standard|percent|dots|none
    Changes the way foreground transfer progress is displayed.
    'standard' and 'dots' will display inline progress in the form of a percentage or dots. 'none' will display no progress information. 'percent' will use percentage values, but printed each time on a new line. The default value is 'standard' when using console output, and 'dots' when output is redirected to a file.

-pipelineSize=kbytes
    Pipeline size in kilobytes. The default value is 512. The valid range is 16 to 4096.

-ce
    Continue on error: if multiple commands are specified using the -cmd or -cmdFile parameter and one fails, continue with subsequent commands. By default, execution will stop at the first failed command. The return code for the first failed command is returned in all cases, or 0 if all commands succeed.

-cmd=commands
    Establish the session, run semicolon-separated SFTP commands, and exit. There is no prompt for additional user input. All occurrences of '"' that are part of the parameter value must be replaced with '\"', e.g. "-cmd=get \"file name.txt\"". See also Return Codes.

-cmdFile=file
    Like -cmd but load commands from the specified textual file, one per line. In the file, there is no need for escaping the quote character as is necessary with -cmd. The file will be interpreted as Unicode or UTF-8 if the respective BOM marker is present. Otherwise, the ANSI code page will be used. Empty lines and lines containing only whitespace are ignored.

EXAMPLES:

sftpc myserver
    Logs into 'myserver' with the account name of the current Windows user as the username. Will prompt to choose an authentication method when connected.

sftpc someuser@myserver
    Logs into 'myserver' as 'someuser'; will prompt to choose an authentication method when connected.

sftpc someuser@myserver:9222 -bg
    Logs into 'myserver' on port 9222 as 'someuser'. Transfers will be started in background by default, i.e. if you execute "get x.txt", this will be treated as "get x.txt -bg". Transfers can still be started in foreground using the '-fg' flag, e.g. "get x.txt -fg".
    See "help get", "help put".

sftpc myusername@myserver -pw=mypassword -cmd="cd /temp; get *; put \"a b c\""
    With these parameters, sftpc will log into 'myserver' as 'myusername' with password 'mypassword', and it will proceed to execute commands as follows:
      cd /temp
      get *
      put "a b c"
    Each of these commands is executed in order; if one fails (e.g. if the /temp directory does not exist), the rest will not be executed.

sftpc myusername@myserver -pk=g3 -ce cd /temp; get *; put x.txt
    This is a similar example to the one above, but the additional -ce parameter will cause execution to continue even if an error occurs, and the -pk=g3 parameter will cause the global client key at location 3 to be used for public key authentication instead of a plain password.

retry -w=60 -m=10 -f=100,101 sftpc user@host -pw=... put *.log
    Uses the retry utility, also included with Bitvise SSH Client, to repeatedly execute sftpc if the first attempt fails. This example executes the sftpc transfer up to 10 times (-m=10), waits 60 seconds between attempts (-w=60), and retries only if the exit code is 100 (SSH session failure) or 101 (Failure connecting to server). Run 'retry' without parameters for help.

RETURN CODES:

   0    Success
   1    Unknown failure
   2    Usage error
 100    SSH session failure
 101    Failure connecting to server
 102    SSH host authentication failure
 103    SSH user authentication failure
 200    SFTP session failure
 201    SFTP channel failure
 202    SFTP request rejected
 205    SFTP session closed by server
1000    Failed -cmd command #1
1001    Failed -cmd command #2
 ...    ...
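
Added example (not part of the sftpc help text or of Bitvise's software): a Python wrapper for an unattended batch run that writes the commands to a -cmdFile with a UTF-8 BOM, supplies the expected host key fingerprint with -hostKeyFp, and turns the exit code into a description, a retry decision and the command that failed. The function names, the injectable runner and the fingerprint argument are hypothetical, and it assumes the 1000+N codes follow the order of lines in the command file.

```python
import os
import subprocess
import tempfile

# Exit codes as listed under RETURN CODES on this page.
RETURN_CODES = {
    0: "Success", 1: "Unknown failure", 2: "Usage error",
    100: "SSH session failure", 101: "Failure connecting to server",
    102: "SSH host authentication failure",
    103: "SSH user authentication failure",
    200: "SFTP session failure", 201: "SFTP channel failure",
    202: "SFTP request rejected", 205: "SFTP session closed by server",
}
# The two codes the page's retry example passes with -f=100,101.
RETRYABLE = {100, 101}


def build_argv(target, fingerprint, cmd_file, key="a"):
    """Argument list built only from parameters documented above."""
    return ["sftpc", target, f"-pk={key}", f"-hostKeyFp={fingerprint}",
            "-unat=y", "-progress=none", f"-cmdFile={cmd_file}"]


def classify(code, commands):
    """Return (description, retryable, failed_command) for an exit code."""
    if code >= 1000:
        index = code - 1000  # 1000 is command #1, 1001 is command #2, ...
        failed = commands[index] if index < len(commands) else None
        return (f"Failed -cmd command #{index + 1}", False, failed)
    return (RETURN_CODES.get(code, "Undocumented code"), code in RETRYABLE, None)


def run_batch(target, fingerprint, commands, runner=subprocess.run):
    """Run commands through -cmdFile and classify the result."""
    # Drop blank lines ourselves so command numbers match list positions
    # (assumption: 1000+N numbering follows the order of lines in the file).
    commands = [c for c in commands if c.strip()]
    fd, path = tempfile.mkstemp(suffix=".txt", text=True)
    try:
        # utf-8-sig writes the BOM that makes sftpc read the file as UTF-8.
        with os.fdopen(fd, "w", encoding="utf-8-sig") as handle:
            handle.write("\n".join(commands) + "\n")
        code = runner(build_argv(target, fingerprint, path)).returncode
    finally:
        os.remove(path)
    return classify(code, commands)
```

Authentication here uses -pk rather than -pw, so no password appears in the process command line.
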
Command line clients and utilities in Bitvise SSH Client:

  sftpc        - SFTP file transfer
  stermc       - interactive terminal console
  sexec        - scripted command execution
  stnlc        - tunneling / port forwarding, FTP bridge
  spksc        - manage client public keys on the server
  log          - record output of a command line program
  retry        - retry a command until it succeeds
  BvSshUpdate  - manage Bitvise SSH Client updates

To read the above help more easily, try:

  sftpc -help-usage     (display usage information)
  sftpc -help | more    (displays help page by page)
  sftpc -help > h.txt   (creates a text file you can open e.g. with Notepad)
  sftpc -help-params    (display help for parameters in general)
  sftpc -help-          (display help for a particular parameter)
  sftpc -help-examples  (display examples)
  sftpc -help-codes     (display return codes)
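
Added example (not part of the sftpc help text or of Bitvise's software): a Python helper for reviewing scripted invocations that applies the -xxxAlgs and -xxxMod rules described under PARAMETERS to the default lists on this page and returns the resulting priority list per algorithm class. The function names are hypothetical; it assumes a '+' entry already in the list moves to the front, an unprefixed entry already in the list keeps its position, and entries are processed left to right. It does not model the GSS algorithms prepended by -gkx or the DH group exchange de-prioritization for non-Bitvise servers.

```python
# Default priority lists, copied from the parameter descriptions on this page.
DEFAULTS = {
    "encr": "aes256-gcm,aes256-ctr,aes192-ctr,aes128-gcm,aes128-ctr,3des-ctr",
    "mac": "hmac-sha2-256,hmac-sha1",
    "cmpr": "none,zlib",
    "kex": "Curve25519,ECDH/secp256k1,ECDH/nistp521,ECDH/nistp384,"
           "ECDH/nistp256,diffie-hellman-group16-sha512,"
           "diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,"
           "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256",
    "hkey": "RSA/sha2-512,RSA/sha2-256,Ed25519,ECDSA/secp256k1,"
            "ECDSA/nistp521,ECDSA/nistp384,ECDSA/nistp256,RSA",
}
# Only the SSH-name / friendly-name pairs this page itself mentions.
ALIASES = {
    "aes256-gcm@openssh.com": "aes256-gcm",
    "curve25519-sha256@libssh.org": "Curve25519",
    "ssh-dss": "DSA",
}


def parse_names(csv):
    """Split a comma-separated list and normalise known SSH names."""
    return [ALIASES.get(n.strip(), n.strip()) for n in csv.split(",") if n.strip()]


def apply_mods(base, mod_list):
    """Apply a mod-list: '+name' to the front, 'name' appended, '!name' removed."""
    result = list(base)
    for entry in (e.strip() for e in mod_list.split(",")):
        if not entry:
            continue
        prefix = entry[0] if entry[0] in "+!" else ""
        name = ALIASES.get(entry[len(prefix):], entry[len(prefix):])
        if name in result:
            if prefix == "":
                continue  # already enabled: keep its position (assumption)
            result.remove(name)
        if prefix == "+":
            result.insert(0, name)
        elif prefix == "":
            result.append(name)
    return result


def effective_algorithms(argv):
    """Map each algorithm class to the list an sftpc command line would use."""
    params = dict(a[1:].split("=", 1) for a in argv
                  if a.startswith("-") and "=" in a)
    return {kind: apply_mods(parse_names(params.get(kind + "Algs", default)),
                             params.get(kind + "Mod", ""))
            for kind, default in DEFAULTS.items()}
```
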