Bitvise SSH Client 9.42 - sftpc - free of charge for use in all environments
Copyright (C) 2000-2024 by Bitvise Limited.

Version status: Current, up to date

USAGE:
  sftpc [username@]host[:port] OR -host=host OR -profile=file
        [-host=host] [-port=port] [-obfs=y|n] [-obfsKw=keyword]
        [-spn=SPN] [-gkx=y|n] [-gkxDlg=y|n]
        [-user=username] [-gka] [-gma [-krb OR -ntlm] [-gmaDlg]]
        [-pk=location [-pp=passphrase]]
        [-pw=password [-kbdiFallback=y|n]] [-pwKbdi=password]
        [-kbdi [-sub=submethods]] [-elevation=y|n|d] [-sessionId=text-id]
        [-unat=y|n] [-trustLsp=y|n] [-preferIP6 OR -6 OR -4]
        [-connectIntf=intf-list]
        [-encrAlgs=list] [-encrMod=mod-list] [-macAlgs=list] [-macMod=mod-list]
        [-cmprAlgs=list] [-cmprMod=mod-list] [-kexAlgs=list] [-kexMod=mod-list]
        [-strictKex=r|s] [-hkeyAlgs=list] [-hkeyMod=mod-list]
        [-ka=y|n] [-kre=y|n] [-sendExtInfo=y|n|d] [-dhGexMinBits=size]
        [-noFlowCtl=p|s|n] [-noRegistry=y|n] [-baseRegistry=registry-key]
        [-proxy=y|n] [-proxyType=type]
        [-proxyServer=server [-proxyPort=port]
          [-proxyUser=username [-proxyPass=password]]]
        [-proxyProfile=file] [-proxyResolveLocally=y|n]
        [-hostKeyFp=fingerprints] [-hostKeyFile=file]
        [-jumpProxy=y|n] [-jumpProxyType=type]
        [-jumpProxyServer=server [-jumpProxyPort=port]
          [-jumpProxyUser=username [-jumpProxyPass=password]]
          [-jumpProxyResolveLocally=y|n]]
        [-jumpHostKeyFp=fingerprints] [-jumpHostKeyFile=file]
        [-jumpKeypairFile=file [-jumpKeypairPass=passphrase]]
        [-jumpKeypairFile=file [-jumpKeypairPass=passphrase]]
        [-traceLog] [-flowDebugFile=file] [-flowDebugEvents=packets|all]
        [-title=title] [-bg] [-progress=standard|percent|dots|none]
        [-subsystem=name] [-pipelineSize=kbytes] [-sftpVersion=best|3]
        [[-ce] commands OR -cmd=commands OR -cmdFile=file]

PARAMETERS:

  -profile=file
      Load connection parameters from the specified Bitvise SSH Client profile. If a command line parameter is additionally provided for any of the profile settings, the command line parameter overrides the profile.
  -host=host
      The server host to connect to, overriding any already set host.
  -port=port
      The port on the server to connect to, overriding any already set port. If the port number is unspecified or 0, the client will try to determine the port number based on stored host keys that match the destination host. If no matching host keys are found, or there are multiple host keys for different ports, port 22 will be used.
  -obfs=y|n
      If the SSH server to which you are connecting uses SSH protocol obfuscation, you can use this parameter to enable it. Obfuscation is supported by some SSH servers, and makes it more difficult for an outside observer to detect that the protocol being used is SSH.
  -obfsKw=keyword
      If the SSH server to which you are connecting uses an obfuscation keyword, you can use this parameter to provide it.
  -spn=SPN
      If specified, Bitvise SSH Client will use the value of this parameter as the service principal name during Kerberos authentication. If not specified, Bitvise SSH Client will use a default, but possibly incorrect, SPN based on the SSH server's host name.
  -gkx=y|n
      Enable GSS/Kerberos key exchange with Kerberos host authentication. Disabled by default, but can also be disabled explicitly to override profile setting.
  -gkxDlg=y|n
      Permit access delegation. Disabled by default, but can also be disabled explicitly to override profile setting. For use only with GSS/Kerberos key exchange.
  -user=username
      The username to login with overriding the already set username.
  -gka
      Log in using the gssapi-keyex method. Available only when GSS key exchange with Kerberos host authentication has been performed. Can be combined with other authentication methods, in which case gssapi-keyex is attempted first.
  -gma
      Log in using the gssapi-with-mic method. Can be combined with other authentication methods, in which case gssapi-with-mic is attempted after gssapi-keyex.
  -krb
      Use gssapi-with-mic with the Kerberos mechanism only.
  -ntlm
      Use gssapi-with-mic with the NTLM mechanism only.
  -gmaDlg
      Permit access delegation - disabled by default. For use only with gssapi-with-mic user authentication.
  -pk=location
      Log in using the 'publickey' method, with the client key stored on the specified location. Can be combined with other authentication methods. In this case, 'publickey' is attempted before other methods, but after gssapi-with-mic.
      Use "a" to automatically try any key the server will accept. To use a key stored globally in Windows registry for the current Windows user, identify the key as "" or "g". For keys stored in a profile provided with the -profile parameter, identify the key as "p". For keys accessible using a PuTTY or OpenSSH authentication agent, use "t" for PuTTY, "o" for OpenSSH.
      Examples:
        -pk=3 for the third key configured globally for the Windows user;
        -pk=p1 for the first key stored in the provided profile;
        -pk=a for any available key the server will accept.
  -pp=passphrase
      A passphrase for the keypair specified with -pk.
  -pw=password
      Log in with the specified password. Can also be combined with other authentication methods, in which case the password is attempted after the publickey method. Can be used alone, without =password, to interactively prompt for a password.
  -kbdiFallback=y|n
      A variety of servers, especially Unix-based, accept password authentication, but require the password to be sent using the authentication method 'keyboard-interactive' instead of 'password'. If the client cannot authenticate using 'password'; and if the server offers 'keyboard-interactive'; then this option controls whether the SSH Client should fallback and try to send the password using 'keyboard-interactive'. Enabled by default.
  -pwKbdi=password
      Log in with the specified password, sent using the 'keyboard-interactive' authentication method. Can also be combined with other authentication methods, in which case the password is attempted after the 'publickey' method.
      Can be used alone, without =password, to interactively prompt for a password.
  -kbdi
      Log in with the keyboard-interactive method. Can also be combined with other authentication methods, in which case the keyboard-interactive method is attempted last.
  -sub=submethods
      Optional submethods for keyboard-interactive.
  -elevation=y|n|d
      When connecting to a server that supports the "elevation" extension, whether the client should request elevation ('y'), no elevation ('n'), or the server's default behavior ('d'). On a Windows server, elevation state can only be chosen for sessions with an interactive logon type. In Bitvise SSH Server, logon type can be configured in Advanced settings, under Session setup in an account or group settings entry. Not usable with GSSAPI: connections that authenticate using Kerberos or NTLM will use the elevation state of the SSH client.
  -sessionId=text-id
      When network connectivity issues cause connections to disconnect, servers often do not detect this before the client reconnects. This can prevent use of resources (files, ports) still held by the disconnected session. To help servers identify reconnected sessions, the SSH Client can send a session ID which remains the same on reconnection. A session ID is sent as a global request if the server announces the extension "global-requests-ok".
      Bitvise command line clients attempt to automatically generate a session ID which does not disclose information, but remains the same when reconnecting using the same command line client to the same server. To ensure that a particular session ID is used, you can pass it manually using the -sessionId=text-id parameter. To prevent the sending of any session ID, pass -sessionId without a value. To allow automatic session ID generation, do not pass a -sessionId parameter.
      If a manual session ID is provided, it will be sent to the server verbatim. If there is a proxy jump session, it will use a session ID derived from the main session ID.
  -trustLsp=y|n
      If enabled, only a narrow selection of trusted Windows Sockets LSP providers will be used, promoting stability, but at a possible expense of connectivity. If disabled, any LSP that is installed will be used, promoting connectivity, but at a possible expense of stability. By default, only trusted LSPs are used.
  -preferIP6=y|n
      This setting comes into effect when connecting to a DNS name that resolves to both IPv4 and IPv6 addresses. If enabled, the SSH Client will try to connect to IPv6 addresses first and then, if unable to connect to any of these, to IPv4 addresses. If disabled, IPv4 addresses will be preferred over IPv6.
  -6
      Alias for -preferIP6=y.
  -4
      Alias for -preferIP6=n.
  -connectIntf=intf-list
      A comma-separated list of interfaces from which outgoing TCP connections will be made. The list may contain one IPv4 and/or one IPv6 interface. Additional or invalid entries will be ignored. When both IPv4 and IPv6 interfaces are specified, the first interface controls the preferred IP version.
  -unat=y|n
      Use unattended mode to prevent any user interaction by the SSH connection - in particular, host key verification and user authentication. Unattended mode is used by default only with the -cmd or -cmdFile parameters.
  -encrAlgs=list
      A complete, comma-separated priority list of connection encryption algorithms. To add or remove a specific algorithm, see -encrMod. Both SSH algorithm names ('aes256-gcm@openssh.com') and user-friendly names ('aes256-gcm') can be used. If not specified, the following default list is assumed:
      aes256-gcm,aes256-ctr,aes192-ctr,aes128-gcm,aes128-ctr.
  -encrMod=mod-list
      A comma-separated list of encryption algorithms to enable or disable. Allows modifying the algorithm list without having to pass a complete new list of algorithms. Names prefixed with '+' are added to the front of the list. Names without a prefix are appended at the end. Names prefixed with '!' are removed.
      Both SSH algorithm names ('aes256-gcm@openssh.com') and user-friendly names ('aes256-gcm') can be used.
      Example: -encrMod=+aes256-gcm,!3des-ctr
  -macAlgs=list
      A complete, comma-separated priority list of connection integrity algorithms. To add or remove a specific algorithm, see -macMod. If not specified, the following default list is assumed:
      hmac-sha2-256,hmac-sha2-512.
  -macMod=mod-list
      A comma-separated list of connection integrity algorithms to enable or disable. Allows modifying the algorithm list without having to pass a complete new list of algorithms. Names prefixed with '+' are added to the front of the list. Names without a prefix are appended at the end. Names prefixed with '!' are removed.
      Example: -macMod=!hmac-sha1
  -cmprAlgs=list
      A complete, comma-separated priority list of connection compression algorithms. To add or remove a specific algorithm, see -cmprMod. If not specified, the following default list is assumed:
      none,zlib.
  -cmprMod=mod-list
      A comma-separated list of compression algorithms to enable or disable. Allows modifying the algorithm list without having to pass a complete new list of algorithms. Names prefixed with '+' are added to the front of the list. Names without a prefix are appended at the end. Names prefixed with '!' are removed.
      Example: -cmprMod=+zlib
  -kexAlgs=list
      A complete, comma-separated priority list of key exchange algorithms. To add or remove a specific algorithm, see -kexMod. Both SSH algorithm names ('curve25519-sha256@libssh.org') and user-friendly names ('Curve25519') can be used. If not specified, the following default list is assumed:
      Curve25519,ECDH/secp256k1,ECDH/nistp521,ECDH/nistp384,ECDH/nistp256,diffie-hellman-group16-sha512,diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256.
      If -gkx is specified, the following GSS algorithms are prepended:
      gss-group16-sha512/Kerberos,gss-group15-sha512/Kerberos,gss-group14-sha256/Kerberos.
      When connecting to non-Bitvise servers, any algorithms with DH group exchange are automatically de-prioritized to the end of the list for compatibility reasons.
  -kexMod=mod-list
      A comma-separated list of key exchange algorithms to enable or disable. Allows modifying the algorithm list without having to pass a complete new list of algorithms. Names prefixed with '+' are added to the front of the list. Names without a prefix are appended at the end. Names prefixed with '!' are removed. Both SSH algorithm names ('curve25519-sha256@libssh.org') and user-friendly names ('Curve25519') can be used.
      Example: -kexMod=diffie-hellman-group14-sha1
  -strictKex=r|s
      Whether to require strict key exchange. This prevents man-in-the-middle attacks based on packet sequence manipulation, regardless of the negotiated encryption algorithm. Not supported by server software released before December 2023. Use 'r' to require strict key exchange, 's' to support (default).
  -hkeyAlgs=list
      A complete, comma-separated priority list of host key algorithms. To add or remove a specific algorithm, see -hkeyMod. Both SSH algorithm names ('ssh-dss') and user-friendly names ('DSA') can be used. If not specified, the following default list is assumed:
      RSA/sha2-512,RSA/sha2-256,Ed25519,ECDSA/secp256k1,ECDSA/nistp521,ECDSA/nistp384,ECDSA/nistp256,RSA/sha1.
  -hkeyMod=mod-list
      A comma-separated list of host key algorithms to enable or disable. Allows modifying the algorithm list without having to pass a complete new list of algorithms. Names prefixed with '+' are added to the front of the list. Names without a prefix are appended at the end. Names prefixed with '!' are removed. Both SSH algorithm names ('ssh-dss') and user-friendly names ('DSA') can be used.
      Example: -hkeyMod=DSA
  -ka
      Keep-alive / broken connection detection - enabled by default, but can also be enabled explicitly to override profile.
  -kre
      Key re-exchange - enabled by default, but can also be enabled explicitly to override profile.
  -sendExtInfo=y|n|d
      Some servers advertise support for SSH_MSG_EXT_INFO (RFC 8308) but disconnect if the client sends it. Use 'y' to send SSH_MSG_EXT_INFO if the server advertises support. Use 'n' to NOT send SSH_MSG_EXT_INFO even if the server advertises support. Use 'd' or omit the parameter for default behavior based on server's version string.
  -dhGexMinBits=size
      Key exchange algorithms such as 'diffie-hellman-group-exchange-sha256' do not use preset Diffie Hellman group parameters, but allow the server to provide a DH group of suitable size. This parameter controls the minimum size of such dynamically negotiated DH groups.
  -noFlowCtl=p|s|n
      Specify the value 'p' to prefer the no-flow-control extension if the server supports it. Use 's' to support the no-flow-control extension, but only if the server prefers it. Use 'n' to not use the no-flow-control extension.
  -noRegistry
      Do not load settings from or store them to Windows registry. Use of global client proxy settings, host key database, and user keypair database is prevented. Some read-only access to the registry may still occur. This mode can also be enabled by setting the environment variable BVSSH_NOREGISTRY=1. If both are present, the command line parameter overrides the environment variable.
  -baseRegistry=registry-key
      A base Windows registry key to replace the default 'HKEY_CURRENT_USER\Software\Bitvise' key.
  -proxy=y|n
      Use a proxy server, overrides global client proxy settings.
  -proxyType=type
      The type of proxy server to use. 'SOCKS4', 'SOCKS5', 'HTTP' and 'SSH' proxy types are supported. 'SOCKS4' is set by default.
  -proxyServer=server
      The IP address or DNS name of the proxy server. Used by all proxy types except SSH.
  -proxyPort=port
      The proxy server port, 1080 by default. Used by all proxy types except SSH.
  -proxyUser=username
      The proxy server username (SOCKS5 and HTTP only).
  -proxyPass=password
      The proxy server password (SOCKS5 and HTTP only).
  -proxyProfile=file
      The Bitvise SSH Client profile for the SSH jump proxy connection. Used by the SSH proxy type.
  -proxyResolveLocally=y|n
      If enabled, resolve any DNS name locally before passing it to the proxy.
  -hostKeyFp=fingerprints
      A comma-separated list of SHA-256, Bubble-Babble, or MD5 fingerprints of host keys to accept, used additionally to global and per-profile host keys.
  -hostKeyFile=file
      A file containing host keys to accept, used additionally to global client host key database.
  -keypairFile=file
      A file containing a private key for authentication.
  -keypairPass=passphrase
      Provide a passphrase for the keypair specified with the -keypairFile parameter. A passphrase must always be present for an OpenSSH encoded and passphrase-protected keypair.
  -jumpKeypairFile=file
      A file containing a private key for authentication in the connection to the SSH jump proxy.
  -jumpKeypairPass=passphrase
      Provide a passphrase for the keypair specified with the -jumpKeypairFile parameter. A passphrase must always be present for an OpenSSH encoded and passphrase-protected keypair.
  -jumpProxy=y|n
      Whether to connect to the SSH jump proxy using another proxy. Overrides global client proxy settings.
  -jumpProxyType=type
      The type of proxy server to use for the connection to the SSH jump proxy. 'SOCKS4', 'SOCKS5', and 'HTTP' proxy types are supported. 'SOCKS4' is set by default.
  -jumpProxyServer=server
      The IP address or DNS name of the proxy server for the connection to the SSH jump proxy.
  -jumpProxyPort=port
      The proxy server port, 1080 by default.
  -jumpProxyUser=username
      The proxy server username (SOCKS5 and HTTP only).
  -jumpProxyPass=password
      The proxy server password (SOCKS5 and HTTP only).
  -jumpProxyResolveLocally=y|n
      If enabled, resolve any DNS name locally before passing it to the proxy.
  -jumpHostKeyFp=fingerprints
      A comma-separated list of SHA-256, Bubble-Babble, or MD5 fingerprints of host keys to accept for the connection to the SSH jump proxy.
      Used additionally to global and per-profile host keys.
  -jumpHostKeyFile=file
      A file containing host keys to accept for the connection to the SSH jump proxy. Used additionally to global client host key database.
  -traceLog
      Enable trace logging. Causes trace messages to appear in addition to the client's normal output.
  -flowDebugFile=file
      Records a detailed debug log of the connection in the specified textual file. If the file already exists, it will be appended to. The recording may include potentially sensitive information exchanged over the connection, stored in the file in plaintext.
  -flowDebugEvents=packets|all
      Used with -flowDebugFile, this parameter specifies whether to log only SSH packets ("packets"), or all possible debug events ("all", extremely detailed). The default is "packets".
  -title=title
      Sets a custom console window title.
  -bg
      Start downloads and uploads in background by default.
  -progress=standard|percent|dots|none
      Changes the way foreground transfer progress is displayed. 'standard' and 'dots' will display inline progress in the form of a percentage or dots. 'none' will display no progress information. 'percent' will use percentage values, but printed each time on a new line. The default value is 'standard' when using console output, and 'dots' when output is redirected to a file.
  -subsystem=name
      In most cases, this parameter should be absent. If absent or empty, the SSH Client will open SFTP channel using the standard "sftp" subsystem. With some servers, you can configure a custom SFTP subsystem to access the filesystem with elevated (root) credentials. Use this only if you know the server and how to configure this correctly.
      Example: "sudo /usr/lib/openssh/sftp-server".
  -pipelineSize=kbytes
      Pipeline size in kilobytes. The default value is 512. The valid range is 16 to 4096.
  -sftpVersion=best|3
      The SFTP protocol version to request. Use 'best' to request the highest SFTP protocol version supported by the server (usually 3, 4 or 6).
      Use '3' to request SFTP version 3.
  -ce
      Continue on error: if multiple commands are specified using the -cmd or -cmdFile parameter and one fails, continue with subsequent commands. By default, execution will stop at the first failed command. The return code for the first failed command is returned in all cases, or 0 if all commands succeed.
  -cmd=commands
      Establish the connection, run semicolon-separated SFTP commands, and exit. There is no prompt for additional user input. All occurrences of '"' that are part of the parameter value must be replaced with '\"', e.g. "-cmd=get \"file name.txt\"". See also Return Codes.
  -cmdFile=file
      Like -cmd but load commands from the specified textual file, one per line. In the file, there is no need for escaping the quote character as is necessary with -cmd. The file will be interpreted as Unicode or UTF-8 if the respective BOM marker is present. Otherwise, the ANSI code page will be used. Empty lines and lines containing only whitespace are ignored.

EXAMPLES:

  sftpc myserver
      Logs into 'myserver' with the account name of the current Windows user as the username. Will prompt to choose an authentication method when connected.

  sftpc someuser@myserver
      Logs into 'myserver' as 'someuser'. Prompts to choose an authentication method when connected.

  sftpc someuser@myserver:9222 -bg
      Logs into 'myserver' on port 9222 as 'someuser'. Transfers will be started in background by default, i.e. if you execute "get x.txt", this will be treated as "get x.txt -bg". Transfers can still be started in foreground using the '-fg' flag, e.g. "get x.txt -fg". See "help get", "help put".

  sftpc -profile="C:\Path to\myserver.tlp"
      Logs into the server using settings in the SSH Client profile myserver.tlp. The profile is created and saved using the graphical SSH Client (BvSsh). The profile can store host keys and a client authentication keypair necessary to connect and authenticate, without relying on the current user's Windows registry.
      Profile settings can be overridden using additional command-line parameters. This is the recommended method for unattended, scripted connections.

  sftpc myusername@myserver -pw=mypassword -cmd="cd /temp; get *; put \"a b c\""
      With these parameters, sftpc will log into 'myserver' as 'myusername' with password 'mypassword', and it will proceed to execute commands as follows:
        cd /temp
        get *
        put "a b c"
      Each of these commands is executed in order; if one fails (e.g. if the /temp directory does not exist), the rest will not be executed.

  sftpc myusername@myserver -pk=g3 -ce cd "/dir with spaces"; get *; put x.txt
      Similar to the example above, but the additional -ce parameter causes execution to continue even if an error occurs, and the -pk=g3 parameter uses public key authentication using the global client key at location 3, instead of password authentication.

  sftpc -profile="C:\Path to\myserver.tlp" -ce cd "/My Folder"; get *.txt
      Similar to the example above, but connect using settings in an SSH Client profile.

  retry -w=60 -m=10 -f=100,101 sftpc user@host -pw=... put *.log
      Uses the retry utility, also included with Bitvise SSH Client, to repeatedly execute sftpc if the first attempt fails. This example executes the sftpc transfer up to 10 times (-m=10), waits 60 seconds between attempts (-w=60), and retries only if the exit code is 100 (SSH connection failure) or 101 (Failure connecting to server). Run 'retry' without parameters for help.

RETURN CODES:

     0  Success
     1  Unknown failure
     2  Usage error
     3  Error log failure
   100  SSH connection failure
   101  Failure connecting to server
   102  SSH host authentication failure
   103  SSH user authentication failure
   200  SFTP session failure
   201  SFTP channel failure
   202  SFTP request rejected
   205  SFTP session closed by server
  1000  Failed -cmd command #1
  1001  Failed -cmd command #2
   ...  ...
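An added example (not Bitvise's code): a Python wrapper for the profile-based unattended invocation that the EXAMPLES section recommends. It refuses secrets passed as command-line values, requires strict key exchange, and retries only on exit codes 100 and 101, as the retry example does. The function names, the profile path and the command file are assumptions made for illustration.

```python
import subprocess
import time

# Exit codes copied from the RETURN CODES table on this page.
RETURN_CODES = {
    0: "Success", 1: "Unknown failure", 2: "Usage error",
    3: "Error log failure", 100: "SSH connection failure",
    101: "Failure connecting to server",
    102: "SSH host authentication failure",
    103: "SSH user authentication failure",
    200: "SFTP session failure", 201: "SFTP channel failure",
    202: "SFTP request rejected", 205: "SFTP session closed by server",
}
# Same set as the page's `retry -f=100,101` example. A host key mismatch (102)
# or a rejected login (103) is never retried: it needs investigation instead.
RETRYABLE = {100, 101}
# Parameters from this page whose value is a secret. Command-line arguments
# end up in process listings and process-creation logs, so keep these in the
# profile. Names are compared in lower case (an assumption, to be conservative).
SECRET_PARAMS = {"-pw", "-pwkbdi", "-pp", "-keypairpass", "-jumpkeypairpass",
                 "-proxypass", "-jumpproxypass"}


def describe(code):
    """Map an sftpc exit code to the text of the RETURN CODES table."""
    if code >= 1000:
        return f"Failed -cmd command #{code - 999}"
    return RETURN_CODES.get(code, f"Undocumented exit code {code}")


def build_argv(profile, cmd_file, host_key_fp=None, extra=()):
    """Build the argument list for an unattended, profile-based run."""
    for arg in extra:
        name, sep, _value = arg.partition("=")
        if sep and name.lower() in SECRET_PARAMS:
            raise ValueError(f"{name} carries a secret; store it in the profile")
    argv = ["sftpc", f"-profile={profile}",
            "-unat=y",       # no prompts: unknown host keys fail instead of asking
            "-strictKex=r"]  # fails against servers released before December 2023
    if host_key_fp:
        argv.append(f"-hostKeyFp={host_key_fp}")  # pin the expected host key
    argv.extend(extra)
    argv.append(f"-cmdFile={cmd_file}")  # one command per line, no quote escaping
    return argv


def run_with_retry(argv, attempts=10, wait=60, runner=None, sleep=time.sleep):
    """Run sftpc; retry only on connection-level failures (100, 101).

    Returns (exit_code, description, attempts_used).
    """
    runner = runner or (lambda a: subprocess.run(a).returncode)
    for attempt in range(1, attempts + 1):
        code = runner(argv)
        if code not in RETRYABLE or attempt == attempts:
            return code, describe(code), attempt
        sleep(wait)


if __name__ == "__main__":
    # Constructed sample values; the paths are placeholders.
    print(build_argv(r"C:\Path to\myserver.tlp", r"C:\jobs\upload.txt"))
    print(describe(102), "|", describe(1001))
```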

Command line clients and utilities in Bitvise SSH Client:

  sftpc        - SFTP file transfer
  stermc       - interactive terminal console
  sexec        - scripted command execution
  stnlc        - tunneling / port forwarding, FTP bridge
  spksc        - manage client public keys on the server
  log          - record output of a command line program
  retry        - retry a command until it succeeds
  BvSshUpdate  - manage Bitvise SSH Client updates

To read the above help more easily, try:

  sftpc -help-usage     (display usage information)
  sftpc -help | more    (displays help page by page)
  sftpc -help > h.txt   (creates a text file you can open e.g. with Notepad)
  sftpc -help-params    (display help for parameters in general)
  sftpc -help-          (display help for a particular parameter)
  sftpc -help-examples  (display examples)
  sftpc -help-codes     (display return codes)
  sftpc -help-shell     (display help for interactive commands)
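An added example (not Bitvise's code): a Python model of the mod-list rules stated for -encrMod, -macMod, -kexMod and -hkeyMod, for reviewing what a scripted command line does to the default lists quoted above. It assumes names are matched as literal strings without resolving SSH names to user-friendly aliases, that items are processed left to right, and that '+' on a name already present moves it to the front. The choice of which names count as legacy (SHA-1, 3DES, DSA) belongs to this example and is not from the help text.

```python
# Default lists copied from the -encrAlgs, -macAlgs, -kexAlgs and -hkeyAlgs
# entries on this page.
DEFAULTS = {
    "encr": "aes256-gcm,aes256-ctr,aes192-ctr,aes128-gcm,aes128-ctr",
    "mac": "hmac-sha2-256,hmac-sha2-512",
    "kex": ("Curve25519,ECDH/secp256k1,ECDH/nistp521,ECDH/nistp384,"
            "ECDH/nistp256,diffie-hellman-group16-sha512,"
            "diffie-hellman-group15-sha512,diffie-hellman-group14-sha256,"
            "diffie-hellman-group-exchange-sha256"),
    "hkey": ("RSA/sha2-512,RSA/sha2-256,Ed25519,ECDSA/secp256k1,"
             "ECDSA/nistp521,ECDSA/nistp384,ECDSA/nistp256,RSA/sha1"),
}


def apply_mods(base, mods):
    """Apply a mod-list to a comma-separated priority list.

    '+name' goes to the front, 'name' is appended at the end, '!name' is
    removed. Matching is by literal, case-insensitive name (an assumption).
    """
    result = [n for n in base.split(",") if n]
    for item in (m.strip() for m in mods.split(",")):
        if not item:
            continue
        name = item.lstrip("+!")
        present = any(n.lower() == name.lower() for n in result)
        if item.startswith("!"):
            result = [n for n in result if n.lower() != name.lower()]
        elif item.startswith("+"):
            result = [n for n in result if n.lower() != name.lower()]
            result.insert(0, name)
        elif not present:
            result.append(name)
    return result


def legacy(names):
    """Return the entries this example treats as legacy: SHA-1, 3DES, DSA."""
    flagged = []
    for name in names:
        low = name.lower()
        # Exact match for DSA so that ECDSA/... entries are not flagged.
        if low in ("dsa", "ssh-dss") or "sha1" in low or "3des" in low:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # The mod-lists below are the examples given in the help text.
    for kind, mods in [("encr", "+aes256-gcm,!3des-ctr"), ("mac", "!hmac-sha1"),
                       ("kex", "diffie-hellman-group14-sha1"), ("hkey", "DSA"),
                       ("hkey", "!RSA/sha1")]:
        effective = apply_mods(DEFAULTS[kind], mods)
        print(f"-{kind}Mod={mods}")
        print("  effective:", ",".join(effective))
        print("  legacy   :", legacy(effective) or "none")
```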