Environment
Situation
Beginning in version 6.1, the ssh, scp, and sftp command line utilities available in Reflection for Secure IT support the full range of executable command line switches provided by equivalent OpenSSH-style SSH utilities. Additionally, ssh2, scp2 and sftp2 command line switch support has been added for customers who are migrating from F-Secure and need to maintain scripts written for the F-Secure SSH2 command line utilities. This technical note lists the switches and options available for use in ssh, scp, sftp, ssh2, scp2, and sftp2.
Note: For a list of available startup switches for Reflection for Secure IT Windows Client, see KB 7021985.
Resolution
Determining Which Utility Is Running
If you have both F-Secure and Reflection for Secure IT installed on the same machine, you have two different sets of ssh2, scp2, and sftp2 utilities: an F-Secure version and a Reflection for Secure IT version. The functionality of the two versions is equivalent.
Both the F-Secure and the Reflection installers append their install folder to the end of the user's PATH. If F-Secure was installed first, its folder appears earlier in PATH, so Windows finds and runs the F-Secure command line utilities first.
You can verify which utility is running (F-Secure or Reflection for Secure IT) by opening a command window and issuing the ssh2 -V command (or scp2 -V or sftp2 -V). An SSH banner that identifies the manufacturer and version of the client being executed is displayed.
To temporarily change the version of the utility being run, change directories to the folder where Reflection for Secure IT is installed (by default C:\Program Files\Attachmate\Rsecure) and issue the utility's command from that folder in the command window.
To permanently change the version of the utility being run, go to My Computer > Properties. On the Advanced tab, click Environment Variables and edit the user PATH variable in the Environment Variables dialog box so that the Reflection for Secure IT folder appears before the F-Secure folder.
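The procedure above, scripted in PowerShell as an added example (this is not code from the technical note or from the product). It lists every copy of each utility that PATH would resolve, in resolution order, runs -V on the copy that actually wins, and then moves the Reflection folder to the front of PATH, first for the current process only and optionally for the user's persistent PATH. The install folder is assumed to be the default one named in the note.

```powershell
# Added example; not part of the KB article or the product.
# Assumption: Reflection for Secure IT is in its default install folder.
$rsit = 'C:\Program Files\Attachmate\Rsecure'
$ApplyPermanently = $false   # set to $true to rewrite the user's persistent PATH

foreach ($u in 'ssh2', 'scp2', 'sftp2') {
    # Get-Command -All returns every match in PATH order; index 0 is what "$u" runs.
    $hits = @(Get-Command "$u.exe" -All -ErrorAction SilentlyContinue)
    if ($hits.Count -eq 0) { Write-Warning "$u.exe is not on PATH"; continue }
    Write-Host "$u.exe candidates, in PATH order:"
    foreach ($h in $hits) { Write-Host "    $($h.Source)" }
    # -V prints the client banner, which names the vendor and version of that copy.
    Write-Host "  banner of the copy that runs:"
    & $hits[0].Source -V
}

# Temporary change (this process only): put the Reflection folder first.
$env:Path = $rsit + ';' + $env:Path
Write-Host "ssh2 now resolves to: $((Get-Command ssh2.exe).Source)"

# Permanent change (the user PATH edited in the Environment Variables dialog):
# rebuild it with the Reflection folder first, dropping any existing copy of it.
if ($ApplyPermanently) {
    $userPath = [Environment]::GetEnvironmentVariable('Path', 'User') -split ';' |
        Where-Object { $_ -and $_ -ne $rsit }
    [Environment]::SetEnvironmentVariable('Path', (@($rsit) + $userPath) -join ';', 'User')
    Write-Host "User PATH updated; open a new command window for it to take effect."
}
```

Run it from a normal (non-elevated) PowerShell window; the permanent step changes only the current user's PATH, not the system PATH, which matches the note's instruction to edit the user variable.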
Switch Support
Information about the switches supported can be found in the following sections:
Secure Shell Utility Switch Support
OpenSSH-Style SSH Switches (ssh.exe) Supported in Reflection
OpenSSH-Style SCP Switches (scp.exe) Supported in Reflection
OpenSSH-Style SFTP Switches (sftp.exe) Supported in Reflection
SSH2, SCP2, and SFTP2 Utility Switch Support
Legacy F-Secure SSH2 Switches (ssh2.exe) Supported in Reflection
Legacy F-Secure SCP2 Switches (scp2.exe) Supported in Reflection
Legacy F-Secure SFTP2 Switches (sftp2.exe) Supported in Reflection
Secure Shell Utility Switch Support
Reflection provides a robust Secure Shell protocol suite, which includes ssh, sftp, and scp. The addition of ssh2, scp2, and sftp2 switches eases the transition from F-Secure SSH products to the Reflection for Secure IT Windows client by supporting existing F-Secure scripts unchanged in the Reflection for Secure IT environment. Attachmate recommends that any future scripts be written using the OpenSSH-style switch format.
The tables below illustrate the OpenSSH-style switches and options available in Reflection for Secure IT for each command line utility. For F-Secure switch information see SSH2, SCP2, and SFTP2 Utility Switch Support.
OpenSSH-Style SSH Switches (ssh.exe) Supported in Reflection
SSH Switch | SSH Keyword | Description |
-A | ForwardAgent=yes | Enable Auth agent forwarding |
-a | ForwardAgent=no | Disable Auth agent forwarding (default) |
-b addr | BindAddress=IP | Local IP address |
-c cipher[,cipher] | Ciphers=c1,c2 | Select encryption algorithm. Comma separated list |
-C | Compression=yes | Enable compression |
-D port | DynamicForward=<#> | Enable dynamic application-level port forwarding through SOCKS4/5 |
-e char | EscapeChar=<char> | Set escape character – none to disable |
-E prov | | Use 'prov' as the external key provider |
-f | | Places client in background just before command execution (Version 7.0 or higher) |
-F file | | Read an alternative configuration file |
-g | GatewayPorts=yes | Allow remote host to connect to forwarded ports |
-H scheme | Host=<scheme string> | SSH config scheme to use |
-i keyfile | IdentityFile=<path> | Identity file for public key authentication |
-k dir | | Custom configuration directory where config file, host keys and user keys are located |
-l user | User=<username> | Login with this user name |
-L [FTP/|TCP/]listen-port:host:port | "LocalForward= <lport host:rport>" | Forward local port to remote address. Causes ssh to listen for connections on a port, and forward connections to the other side by connecting to host:port |
-m mac[,mac] | MACs=[hmac-md5, hmac-sha1, hmac-ripemd160, hmac-sha1-96, hmac-md5-96] | Select MAC algorithm. Multiple -m options are allowed using a comma-separated list |
-M | ControlMaster=[yes, no, ask, auto] | Places client in Control Master mode (Version 6.1 - 7.0 only) |
-n | | Redirect input from /dev/null (do not read stdin) |
-N | | Do not execute shell or command |
-o "option" | | Process the option as if it was read from a configuration file |
-p port | Port=<#> | Connect to this port; server must be on the same port |
-q | | Quiet; do not display any warning messages |
-R listen-port:host:port | "RemoteForward= <lport host:rport>" | Forward remote port to local address |
-s command | | Invoke command as ssh2 subsystem (Version 6.1 only) |
-S ctl | ConnectionReuse=[yes,no] | Specifies the location of a control socket for connection sharing. Note: Instead of using the -S ctl switch, we recommend that you use the -o switch: -o ConnectionReuse=yes (Version 6.1 - 7.0 only) |
-S | | Do not execute a shell (Version 7.1 or higher) |
-t | | Allocate a tty even if command is given |
-T | | Do not allocate a tty |
-v | | Verbose; display verbose debugging messages. Equal to -d 2 |
-v[vv] | LogLevel=<string> QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3 | Set debug level. Each additional "v" increases the debug level. |
-V | | Display version string |
-X | ForwardX11=yes | Enable X11 connection forwarding UNTRUSTED |
-x | ForwardX11=no | Disable X11 connection forwarding (default) |
-Y | ForwardX11Trusted= [yes, no] | Enable X11 connection forwarding TRUSTED (remote X clients get unrestricted access to the local X display; use only with hosts you fully trust) |
-1 | | Use protocol 1 only (the SSH-1 protocol is obsolete and cryptographically weak; avoid it) |
-2 | Protocol=2 | Use protocol 2 only |
-4 | AddressFamily=inet | Use IPv4 to connect |
-6 | AddressFamily=inet6 | Use IPv6 to connect |
-? | | Display usage help |
OpenSSH-Style SCP Switches (scp.exe) Supported in Reflection
SCP Switch | SCP Keyword | Description |
-a | | Transfer files in ASCII mode |
-B | BatchMode=[yes, no] | Sets batch-mode on |
-b buffer-size | | Maximum buffer size for one request |
-c cipher[,cipher] | Ciphers=c1,c2 | Select encryption algorithm. Comma-separated list |
-C | Compression=yes | Passes compression flag to ssh to enable compression |
-d | | Force target to be a directory |
-D level | | Set debug level (Version 7.1 or higher) |
-F file | | Read an alternative configuration file |
-h | | Display usage help |
-H scheme | Host=<scheme string> | SSH config scheme to use |
-i keyfile | IdentityFile=<path> | Identity file for public key authentication (single key) |
-k dir | | Set a non-default folder for configuration file, host keys and user keys |
-o "option" | | Process the option as if it was read from a configuration file (Version 7.0 or higher) |
--overwrite[=no] | | Whether to overwrite existing destination files. Default is yes (Version 7.0 or higher) |
-p | | Preserve file timestamps and attributes |
-P port | Port=<#> | Connect to this port |
-q | | Do not show progress indicator |
-Q | | Do not show progress indicator (Version 7.0 or higher) |
-r | | Recurse subdirectories |
-S program | | Name of program to use for encrypted connection – program must understand ssh options (Version 6.1 only) |
-u | | Remove source file after copying |
-v | | Verbose mode; equal to -D 2 |
-v[vv] | LogLevel=<string> QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3 | Set debug level. Each additional "v" increases the debug level. |
-V | | Display version string |
-z | | In downloads that include a wildcard, ignore the case of server filename characters. (Version 7.2 SP3 or higher) |
-1 | Protocol=1 | Engage scp1 compatibility; must be the first switch and separated from other switches (the SSH-1 protocol is obsolete and cryptographically weak; avoid it) |
-2 | Protocol=2 | Use protocol 2 only |
-4 | AddressFamily=inet | Use IPv4 to connect |
-6 | AddressFamily=inet6 | Use IPv6 to connect |
-? | | Display usage help |
OpenSSH-Style SFTP Switches (sftp.exe) Supported in Reflection
There are no corresponding SFTP keywords for the switches listed.
SFTP Switch | Description |
-a | Transfer files in ASCII mode |
-b buffer-size | Define maximum buffer size for one request |
-B batch-file | Batch mode - File from which to read commands. Connection is terminated after commands have been executed |
-c cipher[,cipher] | Select encryption algorithms (comma separated list) |
-C | Enable compression |
-d | Force target to be a directory |
-F file | Read an alternative configuration file |
-H scheme | SSH config scheme to use |
-i keyfile | Identity file for public key authentication |
-k dir | Custom config directory where config file, host keys and user keys are located |
-m MAC | Specify MAC algorithms for protocol version 2 |
-o "option" | Process the option as if it was read from a configuration file |
-p | Preserve timestamps and file attributes |
-P port | Specifies the port to connect to on the remote host; server must be on same port (Version 7.1 or higher) |
-P sftp-server-path | Connect directly to the local sftp server, rather than through the ssh server (Version 6.1 only) |
-q | Quiet; do not display any warning messages |
-Q | Do not show progress indicator |
-R max-requests | Define maximum number of concurrent requests |
-s sub-system | Specifies the ssh2 subsystem or path for an sftp server on the remote host. A path is useful for using sftp over the ssh1 protocol or when the sftp subsystem is not configured for the remote sshd |
-S program | Specify where sftp can find the program to use for the encrypted connection; the program must understand ssh options |
-u | Remove source file after copying |
-v | Verbose mode; equal to -D 2 |
-v[vv] | Set debug level. Each additional "v" increases the debug level. |
-V | Display version string |
-1 | Use ssh protocol 1 (the SSH-1 protocol is obsolete and cryptographically weak; avoid it) |
-2 | Use protocol version 2 |
-4 | Use IPv4 only |
-6 | Use IPv6 only |
-? | Display usage help |
SSH2, SCP2, and SFTP2 Utility Switch Support
Beginning in Reflection for Secure IT Windows client version 6.1, legacy F-Secure switches are supported, minimizing the effort needed to convert existing configurations from F-Secure to the Reflection for Secure IT Windows Client.
Note the following:
- The keywords below are for the F-Secure ssh2_config file and may or may not match the keywords that can be used in the Reflection config file.
- If an F-Secure ssh2_config file is present when you install Reflection for Secure IT, the ssh2_config file will be migrated to the \My Documents\Attachmate\Reflection\.ssh\ directory and will be used by default. Ssh2, scp2, and sftp2 will look for the ssh2_config file only and will not use the Reflection config file. You can force Reflection to read from the config file in several ways:
- Set the registry setting "Use SSH Config Schemes"
- Set the environment variable UseReflectionSchemes
- Use the Reflection config file on a per-usage basis by using the -H switch to specify a specific config scheme from the config file
The tables below list the switches and options available for each command line utility.
Legacy F-Secure SSH2 Switches (ssh2.exe) Supported in Reflection
SSH2 Switch | SSH2 Keyword | Description |
-c cipher | Ciphers=c1,c2 | Select encryption algorithm. A single -c flag can have only one cipher. Multiple Ciphers options are allowed using a comma-separated list in the configuration file. |
+C | Compression=yes | Enable compression |
-C | Compression=no | Disable compression |
-d level [1-99] | Loglevel | Set debug level |
-E prov | ExternalAuthorizationProgram=<path> | Use prov as the external key provider |
-f | | Places client in background prior to command execution (Version 7.0 or higher) |
-F file | | Read an alternative configuration file |
-g | GatewayPorts=yes | Gateway ports; remote hosts may connect to locally forwarded ports |
+g | GatewayPorts=no | Do not use gateway ports |
-h | | Display usage help |
-H scheme | | Use specified scheme name in the config file |
-i keyfile | IdentityFile=<path> | Identity file for public key authentication |
-k dir | UserConfigDirectory=<path> | Custom configuration dir where ssh2 config, hostkeys and userkeys are located |
-l login_name | User=<username> | Login with this user name |
-L [FTP/|TCP/]listen-port:host:port | "LocalForward= <lport:host:rport>" | Forward local port to remote address |
-m MAC [-m MAC] | MACs= [hmac-sha1, hmac-md5] | Select MAC algorithm. A single -m flag can have only one MAC algorithm. Multiple -m flags can be used. Multiple MACs options are allowed using a comma-separated list in the configuration file. |
-n | DontReadStdin=[yes, no] | Redirect stdin from null |
-N | | Do not request a session channel; do not execute commands (Version 7.1 or higher) |
-o "option" | | Sets any option supported in the ssh config file (Version 7.0 or higher) |
-p port# | Port=<#> | Connect to this port |
-q | QuietMode=[yes,no] | Quiet; do not display any warning messages |
-R listen-port:host:port | "RemoteForward= <lport:host:rport>" | Forward remote port to local address |
-S | | Do not request a session channel |
-t | ForcePTTYAllocation=[yes, no] | Allocate a tty even if command is given |
-T | | Do not request a tty (Version 7.1 or higher) |
-v | VerboseMode=[yes, no] | Verbose; display verbose debugging messages. Equal to -d 2 |
-V | | Display version string |
-W pwfile | | Read user's password from file (Version 7.0 or higher). The file holds a cleartext credential: restrict its ACL to the account that runs the script, and prefer public key authentication (-i) for new scripts |
+x | ForwardX11= [yes, no] | Enable X11 connection forwarding UNTRUSTED |
-x | | Disable X11 connection forwarding |
+X | | Enable X11 connection forwarding TRUSTED |
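Because the note recommends writing future scripts with the OpenSSH-style switches, the added PowerShell example below (not code from the technical note or the product; the function name is hypothetical) rewrites an F-Secure ssh2 argument list into the form accepted by Reflection's ssh.exe, using the mappings that differ between the two tables: the +C/-C and +g polarity, +x/+X to -X/-Y, one cipher or MAC per flag merged into a comma-separated list, -d level to -v, and -h to -?. Two rules are assumptions rather than statements in the note: -C and +g are dropped because the OpenSSH-style table lists only the enabling switches, and -d levels above 2 are mapped to additional v's.

```powershell
# Added example; not part of the KB article or the product. Hypothetical function.
function Convert-LegacySsh2Args {
    param([Parameter(Mandatory)][string[]] $LegacyArgs)

    # ssh2 switches that consume the next token as their value (from the ssh2 table)
    $takesValue = @('-c','-d','-E','-F','-H','-i','-k','-l','-L','-m','-o','-p','-R','-W')
    # legacy flag -> OpenSSH-style flag; '' means drop it (assumed default already matches)
    $flagMap = @{ '+C' = '-C'; '-C' = ''; '+g' = ''; '+x' = '-X'; '+X' = '-Y'; '-h' = '-?' }

    $out = New-Object System.Collections.Generic.List[string]
    $ciphers = @(); $macs = @(); $debug = 0
    $i = 0
    while ($i -lt $LegacyArgs.Count) {
        $a = $LegacyArgs[$i]; $i++
        if ($flagMap.ContainsKey($a)) {
            if ($flagMap[$a] -ne '') { $out.Add($flagMap[$a]) }
            continue
        }
        if ($a -eq '-S') {
            # ssh.exe -S is a control socket in 6.1-7.0 and "no shell" in 7.1+; do not guess
            Write-Warning "-S: meaning differs between ssh.exe versions; review manually"
            $out.Add($a); continue
        }
        if ($takesValue -contains $a) {
            if ($i -ge $LegacyArgs.Count) { throw "switch $a requires a value" }
            $v = $LegacyArgs[$i]; $i++
            switch ($a) {
                '-c' { $ciphers += $v }        # one cipher per -c in ssh2; merged below
                '-m' { $macs += $v }           # one MAC per -m in ssh2; merged below
                '-d' { $debug = [int]$v }      # converted to -v below
                '-W' {
                    Write-Warning "-W ${v}: no OpenSSH-style equivalent in the ssh.exe table; passed through, review manually"
                    $out.Add($a); $out.Add($v)
                }
                default { $out.Add($a); $out.Add($v) }   # identical in both styles
            }
            continue
        }
        $out.Add($a)   # host, remote command words, and flags identical in both styles
    }
    if ($ciphers) { $out.Insert(0, ($ciphers -join ',')); $out.Insert(0, '-c') }
    if ($macs)    { $out.Insert(0, ($macs -join ','));    $out.Insert(0, '-m') }
    if ($debug -gt 0) {
        # The note equates -v with -d 2; higher levels get more v's (assumption), capped at -vvv.
        $vs = [int][Math]::Min(3, [Math]::Max(1, [Math]::Ceiling($debug / 2)))
        $out.Insert(0, '-' + ('v' * $vs))
    }
    return ,$out.ToArray()
}

# Constructed sample: an ssh2 invocation of the kind found in an old F-Secure batch script
$legacy = @('+C', '-d', '2', '-c', 'aes128-cbc', '-c', '3des-cbc',
            '-m', 'hmac-sha1', '-m', 'hmac-md5', '-l', 'svc_backup', '-p', '2222',
            '-L', '8443:intranet:443', 'backup.example.com', 'hostname')
$converted = Convert-LegacySsh2Args -LegacyArgs $legacy
'ssh ' + ($converted -join ' ')
```

The function deliberately passes through anything it does not recognise and only warns on -S and -W, so a converted command line still needs a human read-through before the script is committed; the host name, port and forwarding values in the sample are constructed for illustration.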
Legacy F-Secure SCP2 Switches (scp2.exe) Supported in Reflection
SCP2 Switch | SCP2 keyword | Description |
-a | | Transfer files in ASCII mode |
-b buffer-size | | Define maximum buffer size for one request |
-B | BatchMode=[yes, no] | Sets batch-mode status |
-c cipher[,cipher] | Ciphers=c1,c2 | Select encryption algorithm. Comma separated list |
-C | | Enable compression (Version 6.1 - 7.0 only); disable compression (Version 7.1 only) |
+C | | Enable compression (7.1 or higher) |
-d | | Force target to be a directory |
-D level [1-99] | | Set debug level |
-F file | | Read an alternative config file (Version 6.1 only) |
-h | | Display usage help |
-H scheme | | Use specified scheme name in the config file |
-i keyfile | | Identity file for public key authentication |
-k dir | UserConfigDirectory=<path> | Custom configuration dir where ssh2_config, hostkeys and userkeys are located |
-N max-requests | | Define maximum number of concurrent requests (Version 6.1 only) |
-m fileperm [:dirperm] | | Set the default file/dir permission bits for upload (Version 6.1 only) |
-o "option" | | Process the option as if it was read from a configuration file |
--overwrite[=no] | | Whether to overwrite existing destination file. Default is yes |
-p | | Preserve file timestamps and attributes |
-P port | Port=<#> | Connect to this port on remote host |
-q | | Make scp quiet (only fatal errors are displayed) |
-Q | | Do not show progress indicator |
-r | | Recurse subdirectories |
-u | | Remove source files after copying |
-v | | Verbose mode; equal to '-D 2' |
-V | | Display version string |
-z | | In downloads that include a wildcard, ignore the case of server filename characters. (Version 7.2 SP3 or higher) |
-1 | | Use protocol version 1 only (the SSH-1 protocol is obsolete and cryptographically weak; avoid it) |
-2 | | Use protocol version 2 only |
-4 | | Use IPv4 only |
-6 | | Use IPv6 only |
-? | | Display usage help |
Legacy F-Secure SFTP2 Switches (sftp2.exe) Supported in Reflection
SFTP2 Switch | SFTP2 Keyword | Description |
-a | | Transfer files in ASCII mode |
-b buffer-size | | Define maximum buffer size for one request |
-B batch-file | BatchMode=<yes/no> | Batch mode; specify file from which to read commands. Connection is terminated after commands execute |
-c cipher [-c cipher] | Ciphers=c1,c2 | Select encryption algorithm. Multiple -c options are allowed and a single -c flag can have only one cipher |
+C | | Enable Compression (7.0 or higher) |
-C | | Disable Compression |
-d | | Force target to be a directory |
-D level [1-99] | | Set debug level |
-F file | | Read an alternative config file |
-h | | Display usage help |
-i keyfile | | Identity file for public key authentication |
-k dir | | Custom configuration dir where ssh2_config, host keys and user keys are located |
-m MAC [-m MAC] | | Select MAC algorithm. Multiple -m options are allowed. A single -m flag can only have one MAC |
-N max-requests | | Define maximum number of concurrent requests |
-o "option" | | Process the option as if it was read from a configuration file |
-P port | Port=<port#> | Connect to this port on the remote host |
-q | | Quiet; do not display any warning messages |
-Q | | Do not show progress indicator |
-S program | | Program to use for encrypted connections |
-u | | Remove source files after copying |
-V | | Display version string |
-v | | Verbose mode; equal to -D 2 |
-? | | Display usage help |