7021696: SSH and SCP Return Codes

This technical note lists the return codes for SSH and SCP.

Note: For a list of SSH or SCP return codes that apply to later Reflection versions, see Technical Note 2285.

For return codes that apply to the UNIX Client, see KB 7021956.

Related:

7021830: Configuring Public Key Authentication Using Reflection X Advantage

Two options are described:

  • In the first option, you use Reflection X Advantage to generate keys and use command line options to configure the server.
  • In the second option, you use the Reflection FTP Client to generate and upload a key. The server configuration is handled automatically, and then you configure Reflection X Advantage to use the key pair.

Using Reflection X Advantage to Generate Keys

Use the following procedures to generate a key pair using Reflection X Advantage and configure your server to authenticate using the public key.

Note: The required key format and configuration details differ between Secure Shell server types. To determine the server type running on your host, use the following command from a terminal window:

ssh -V

For example, the following command sequence shows that a Reflection for Secure IT server is running:

[joe@myhost ~]$ ssh -V

ssh: Reflection for Secure IT 8.0.0.71 on x86_64-redhat-linux-gnu (64-bit).

Generate a Key Pair and Export the Public Key

This procedure generates a new key pair and stores it in the Reflection X Advantage database. You will also export the public key of the key pair to upload to the server.

  1. Launch X Manager or X Manager for Domains.
  2. From the Tools menu, select Secure Shell User Keys.
  3. Click Generate.
  4. Enter a name for the key pair to be created, and configure the type and length.
  5. Enter a passphrase, or check the No passphrase box to connect without one.
  6. Click OK to generate the key. The key will appear in the list of available user keys.
  7. Select the key you just created and click Export.
  8. Select the key format used by your Secure Shell server.
    • For Reflection, F-Secure, and SSH Corporation servers: Export to SecSH format.
    • For OpenSSH servers: Export to OpenSSH format (the default).
  9. Click Export.
  10. Click Close to close the Secure Shell User Keys dialog box.

Note: By default, X Manager and X Manager for Domains store user keys in the Reflection X Advantage Store. The database used for this key store is different in standalone and domain mode. If you use both applications and want to use the same key pair in both, you can configure an additional, shared key store on the local file system. To do this, open the Secure Shell User Keys dialog box, click the plus sign (+) next to User Key Sources, select Add Local Directory, and browse to select a local directory. Keys are saved to this location in OpenSSH format. If you need SecSH format, generate the key first in the Reflection X Advantage store, then export it to the local directory. (This feature is available with Reflection X Advantage 4.0 and later.)

Review Your Secure Shell Authentication Settings

By default, Secure Shell connections first attempt to authenticate to your host using public key authentication. If public key authentication fails, Reflection X Advantage attempts keyboard interactive, then password authentication. (Both of these typically prompt you for your username and password.) These Secure Shell authentication settings are saved as part of your client definition. Use the following optional procedure to review or edit these settings.

  1. In X Manager or X Manager for Domains, under X Clients, select (or create) a definition to connect to your host. Confirm that “Connection method” is set to “Secure Shell.”
  2. Click the Advanced button.
  3. Select the Authentication tab and review or edit the settings under User Authentication.

Note: If you have multiple keys configured, you will see the Select User Key dialog box when you connect using your client definition. Until your host is correctly configured, you need to click Cancel to reject all keys and move on to a password login. If some of your hosts use only password authentication, you may want to use the Authentication tab to disable public key authentication for these hosts to avoid seeing the Select User Key dialog box when you connect to these hosts.

Upload the Key to the Server

Before you can authenticate using a public key, you need to upload your public key to the server and configure the server to authenticate using that key. The steps for doing this depend on your server type.

Configure Connections to a Reflection for Secure IT, F-Secure, or SSH Corporation Server

  1. Open a command window on the system running X Manager or X Manager for Domains. (Start > All Programs > Accessories > Command Prompt)
  2. Navigate to the folder where you exported your public key. (The default is your Windows home folder, for example C:\Users\joe.) Use a dir command to confirm that your public key is present, for example:
C:\Users\joe>dir *.pub
  3. Enter “sftp user@host” to connect to your host, replacing user and host with your values. For example:
C:\Users\joe>sftp joe@demohost

Enter your password on this host in response to the prompt.

  4. Enter “binary” to set the transfer format correctly. For example:
/home/joe> binary

Transfer mode set to binary
  5. Navigate to the .ssh2 directory. For example:
/home/joe> cd .ssh2

/home/joe/.ssh2>

(If the directory doesn’t already exist, enter “mkdir .ssh2” to create it, then navigate to it.)

  6. Enter “put filename.pub” to upload the new public key file, replacing filename with your key filename. For example:
/home/joe/.ssh2>put joeskey.pub

Transferring joeskey.pub

Uploaded C:\Users\joe\joeskey.pub to /home/joe/.ssh2/joeskey.pub
  7. Enter “quit” to exit the sftp connection. For example:
/home/joe/.ssh2>quit

Connection closed to demohost

C:\Users\joe>
  8. Enter “ssh user@host” to establish a terminal session, replacing user and host with your values. Enter your password to log on. For example:
C:\Users\joe>ssh joe@demohost
  9. Navigate to the .ssh2 directory, and use an ls command to confirm that your key is present. For example:
[joe@demohost ~]$ cd .ssh2

[joe@demohost .ssh2]$ ls *.pub

joeskey.pub
  10. Enter the command “echo Key filename.pub >> authorization”, replacing filename with your key file name. This appends a line to the authorization file in .ssh2, which tells the server to accept that public key for your account. (Only the public key is uploaded; the private key never leaves the client.) For example:
[joe@demohost .ssh2]$ echo Key joeskey.pub >> authorization
  11. Use the cat command to confirm the change to the authorization file. For example:
[joe@demohost .ssh2]$ cat authorization

Key joeskey.pub
  12. Enter “exit” to terminate the terminal session.

Configure Connections to an OpenSSH Server

  1. Open a command window on the system running X Manager or X Manager for Domains. (Start > All Programs > Accessories > Command Prompt)
  2. Navigate to the folder where you exported your public key. (The default is your Windows home folder, for example C:\Users\joe.) Use a dir command to confirm that your public key is present, for example:
C:\Users\joe>dir *.pub
  3. Enter “sftp user@host” to connect to your host, replacing user and host with your values. For example:
C:\Users\joe>sftp joe@demohost

Enter your password on this host in response to the prompt.

  4. Enter “binary” to set the transfer format correctly. For example:
/home/joe> binary

Transfer mode set to binary
  5. Navigate to the .ssh directory. For example:
/home/joe> cd .ssh

/home/joe/.ssh>

(If the directory doesn’t already exist, enter “mkdir .ssh” to create it, then navigate to it.)

  6. Enter “put filename.pub” to upload the new public key file, replacing filename with your key filename. For example:
/home/joe/.ssh>put joeskey.pub

Transferring joeskey.pub

Uploaded C:\Users\joe\joeskey.pub to /home/joe/.ssh/joeskey.pub
  7. Enter “quit” to exit the sftp connection. For example:
/home/joe/.ssh>quit

Connection closed to demohost

C:\Users\joe>
  8. Enter “ssh user@host” to establish a terminal session, replacing user and host with your values. Enter your password to log on. For example:
C:\Users\joe>ssh joe@demohost
  9. Navigate to the .ssh directory, and use an ls command to confirm that your key is present. For example:
[joe@demohost ~]$ cd .ssh

[joe@demohost .ssh]$ ls *.pub

joeskey.pub
  10. Enter the command “cat filename.pub >> authorized_keys”, replacing filename with your key file name. This appends the key to the server's authorized_keys file, authorizing you to authenticate with it. The uploaded file must be in OpenSSH format (a single line beginning with the key type, such as ssh-rsa); an OpenSSH server does not recognize a multi-line SecSH export in authorized_keys. For example:
[joe@demohost .ssh]$ cat joeskey.pub >> authorized_keys
  11. Check the permissions: the .ssh directory and the authorized_keys file must be owned by you and must not be writable by group or others. With StrictModes enabled (the OpenSSH default), sshd refuses to use a key file whose permissions are too open and logs “bad ownership or modes” on the server, while the client simply falls through to the next authentication method.
  12. Enter “exit” to terminate the terminal session.
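The choice between a SecSH export (Reflection, F-Secure and SSH Corporation servers) and an OpenSSH export (OpenSSH servers) in the two procedures above comes down to two encodings of the same key blob: a multi-line RFC 4716 block with headers, or a single authorized_keys line. The following Python is an added example, not part of this technical note or of any Reflection product. It converts between the two formats, reads the algorithm name out of the blob itself so that a mislabelled line is caught before it is appended to authorized_keys, and exercises the code on a constructed ssh-rsa blob whose numbers are tiny placeholders, not a real key.

```python
import base64
import struct
import textwrap

SECSH_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
SECSH_END = "---- END SSH2 PUBLIC KEY ----"


def wire_strings(blob: bytes) -> list:
    """Split a public-key blob into its length-prefixed fields (the SSH 'string' encoding)."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field in key blob")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field in key blob")
        fields.append(blob[off:off + n])
        off += n
    return fields


def key_algorithm(blob: bytes) -> str:
    """The first field of every public-key blob names its algorithm (ssh-rsa, ssh-ed25519, ...)."""
    fields = wire_strings(blob)
    if not fields:
        raise ValueError("empty key blob")
    return fields[0].decode("ascii")


def parse_secsh(text: str):
    """Read a SecSH (RFC 4716) public key file: returns (headers, raw key blob)."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != SECSH_BEGIN or lines[-1] != SECSH_END:
        raise ValueError("not a SecSH public key file")
    headers, i = {}, 1
    # Header lines contain a colon; base64 body lines never do. A trailing backslash continues a header.
    while i < len(lines) - 1 and ":" in lines[i]:
        tag, _, value = lines[i].partition(":")
        value = value.strip()
        while value.endswith("\\") and i + 1 < len(lines) - 1:
            i += 1
            value = value[:-1] + lines[i].strip()
        headers[tag.strip().lower()] = value
        i += 1
    blob = base64.b64decode("".join(lines[i:-1]), validate=True)
    key_algorithm(blob)  # raises if the body is not a well-formed key blob
    return headers, blob


def secsh_to_openssh(text: str) -> str:
    """SecSH file -> one authorized_keys line: '<algorithm> <base64 blob> [comment]'."""
    headers, blob = parse_secsh(text)
    comment = headers.get("comment", "").strip().strip('"')
    line = "%s %s" % (key_algorithm(blob), base64.b64encode(blob).decode("ascii"))
    return line + (" " + comment if comment else "")


def openssh_to_secsh(line: str) -> str:
    """authorized_keys line -> SecSH file. Expects the plain '<algorithm> <base64> [comment]'
    form (no leading authorized_keys options) and rejects a label that does not match the blob."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    algorithm, blob = parts[0], base64.b64decode(parts[1], validate=True)
    if key_algorithm(blob) != algorithm:
        raise ValueError("label %r does not match key blob (%s)" % (algorithm, key_algorithm(blob)))
    out = [SECSH_BEGIN]
    if len(parts) == 3 and parts[2].strip():
        out.append('Comment: "%s"' % parts[2].strip())
    out.extend(textwrap.wrap(base64.b64encode(blob).decode("ascii"), 70))
    out.append(SECSH_END)
    return "\n".join(out) + "\n"


def _wire(*fields: bytes) -> bytes:
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


# Constructed sample, NOT a real key: the wire layout of an ssh-rsa public key
# (string "ssh-rsa", mpint e, mpint n) with tiny placeholder values.
SAMPLE_BLOB = _wire(b"ssh-rsa", b"\x01\x00\x01", b"\x00\xc3\x5a\x7f\x19\x2b\x44\x91")
SAMPLE_OPENSSH = "ssh-rsa %s joe@demohost" % base64.b64encode(SAMPLE_BLOB).decode("ascii")

if __name__ == "__main__":
    print(openssh_to_secsh(SAMPLE_OPENSSH))
    print(secsh_to_openssh(openssh_to_secsh(SAMPLE_OPENSSH)))
```

The label check in openssh_to_secsh is the part worth keeping in any script that touches authorized_keys: the text before the base64 is only a label, and the server trusts the algorithm name inside the blob, so a line whose two disagree should never be appended.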

Using the Reflection FTP Client to Generate and Upload Keys

An alternative approach to configuring public key authentication is to use the Reflection FTP Client. Attachmate products that include Reflection X Advantage on Windows also install the Reflection FTP Client by default. The FTP Client has the ability to generate key pairs, and also includes a key upload utility that automatically determines your server type, uploads the key to the correct location, and makes the necessary changes to the authorization file used by this server. Once this is done, you can configure Reflection X Advantage to authenticate using the key pair.

Generate a Key Pair and Upload the Public Key

  1. Start the Reflection FTP Client. (Start > All Programs > Attachmate Reflection > Reflection FTP Client)
  2. Click New to create a new site configuration.
  3. In the Add FTP Site panel, enter the host on which you run your X client, then click Next.
  4. In the Login Information pane, select User, then click Security.
  5. In the Security Properties dialog box, click the Secure Shell tab and select "Use Reflection Secure Shell."
  6. Click Configure to open the Reflection Secure Shell Settings dialog box.
  7. In the Reflection Secure Shell Settings dialog box, click the User Keys tab.
  8. Click the Generate button.
  9. In the User Key Generation dialog box, specify a key type and length and enter a passphrase, or check the No passphrase box to connect without one. Click Create.
  10. Specify a File name and location. (The private key is created using the name you specify. The public key is given the same name with a .pub extension.) Click Save. You should see a message saying that the key was successfully generated. Close this message box to return to the Reflection Secure Shell Settings dialog box.
  11. Click the Upload button. The "Upload to host" dialog box opens with your host name already entered. Click OK.
  12. Enter your user name and password on the host.
  13. Reflection determines the Secure Shell server running on your host and displays the folder and file edits that will be made. Click OK to accept these changes.
  14. Click OK to close the open dialog boxes. When you return to the Login information panel you can continue through the FTP Client site setup and test your connection. If you've connected successfully, you now have a key pair you can use in Reflection X Advantage.

Configure Reflection X Advantage to Use the Key Pair

Use this procedure to configure Reflection X Advantage to connect using a key pair you created and uploaded from the Reflection FTP Client.

  1. Launch the X Manager or X Manager for Domains.
  2. From the Tools menu, select Secure Shell User Keys.
  3. Next to the heading "User Key Sources" click the plus sign (+) and select "Add Local Directory."
  4. In the Directory field, enter or browse to the folder to which you saved the key pair from the FTP Client. (The default location is in your personal documents folder. For example: C:\Users\<username>\Documents\Attachmate\Reflection\.ssh.)

The User Keys list should update to show your private key name. The key pair is now available for use by Reflection X Advantage client connections. Click Close.

Note: If you prefer to store your keys in the Reflection X Advantage database, you can import keys created using the FTP Client (or any other application). To do this, in the Secure Shell User Keys dialog box, under User Key Sources select Reflection X Advantage Store. Click Import, then browse to the private key of your key pair.

Related:

7022025: Reflection for Secure IT 8.2 Server for Windows – New Features and Release Notes

New Features in 8.2

The following new features are included in Reflection for Secure IT 8.2 Server for Windows:

  • You can now configure Post Transfer Actions (PTAs) to run after files have been successfully uploaded to the server. A PTA is a program that is invoked on the server and can be configured to perform on all uploaded files or on files that match a filter specification.
  • A new Process Priority setting is available. Process priority controls the amount of CPU the Reflection for Secure IT Server uses relative to other processes running on the computer. If your server consumes too much CPU (usually during the transfer of large files), you can adjust this setting to improve the server’s responsiveness to other processes.
  • You can now configure SFTP accessible directories for locations that do not yet exist. These directories are now created as needed.
  • The latest audit log file can now be opened from the Reflection for Secure IT Console using a new toolbar button.
  • DSA public keys between 1024 and 3072 bits are now accepted while in FIPS Mode.
  • The default maximum number of connections has been increased from 60 to 500.
  • Support for Microsoft Windows Server 2012 R2 on Intel or equivalent, 64-bit has been added.

Resolved Issues in 8.2

The following issues were resolved in Reflection for Secure IT 8.2 Server for Windows:

  • The “Allow log on locally” right is no longer required for domain users to access shared network folders.
  • Time stamps are now preserved when transferring files with an SFTP client that uses the SFTP v3 protocol.
  • “User AUTH” messages are now properly logged. To record these events in the debug log, the log level must be set to Protocol details or Custom with LOG_T_USERAUTH enabled.
  • The “[Warning] RemoteLogServer for xxxx Connection terminated by socket source error” event is no longer logged when a client disconnects successfully.
  • Uploading a file larger than 2GB using the OpenSSH SCP client is now supported.
  • The group column is now displayed when performing a long directory listing (ls -l) from the SFTP prompt.
  • Raw data containing escape characters can now be passed through an SSH session.
  • VT function keys F5 through F12 are now properly passed through to the host application when connected via SSH.
  • An SSH connection no longer disconnects with “Process terminated with exit code 3221226519.” This condition only occurred after executing a remote SSH command over 150,000 times.

Security Updates

  • The OpenSSL Cryptographic Module has been updated to include the latest OpenSSL release 1.0.1i.

For current information about security alerts and advisories that may affect Reflection for Secure IT, see Technical Note 2288.

Obtaining the Product

Maintained customers are eligible to download the latest product releases from the Attachmate Downloads website: https://download.attachmate.com/Upgrades/.

You will be prompted to login and accept the Software License Agreement before you can select and download a file. For more information on using the Attachmate Downloads website, see Technical Note 0200.

For information about purchasing Reflection for Secure IT, please find your local sales office at http://www.attachmate.com/company/contact/ or email us at SalesRecept@attachmate.com.

Supported Platforms

For information about Reflection for Secure IT supported platforms, see Technical Note 1944.

Installing or Upgrading to 8.2

For information about installing and upgrading Reflection for Secure IT 8.2 Server for Windows, see the Installing and Upgrading topics in the User Guide, which is available in the product or from the documentation page, http://support.attachmate.com/manuals/rsit_win_server.html.

Related:

7022023: Features Introduced in Reflection for Secure IT 8.0 Server for Windows and Release Notes

New Features in 8.0

The following new features are included in Reflection for Secure IT 8.0 Server for Windows:

  • The Credential Cache can now be exported into a comma separated value (CSV) file. This exported file includes user names and last used values; passwords are not exported.
  • The Server now supports file transfer auditing. When enabled, audit events will be created for file transfer uploads and downloads, including attempts that are denied by the operating system.
  • The debug log directory permissions can now be modified to allow groups other than Administrators and the SYSTEM account read access.
  • SHA256 is supported for digital signature when X.509 certificates are used for authentication using RSA 2048 bit keys or larger.
  • SHA256 is supported for key authentication using RSA public keys.
  • The hmac-sha256 and hmac-sha512 MACs have been added to the default MAC list, with hmac-sha256 placed at the top of the list.
  • Increased the Event and Debug logging for SCP1 file transfers.
  • The ability to specify the full path to the RSA SecurID Agent library has been added to the configuration pane.

Known Issue

Resolved Issues in 8.0

The following issues were resolved in Reflection for Secure IT 8.0 Server for Windows:

  • The Server now sends a case sensitive username when using SSH to connect to another remote SSH server from within an SSH terminal session.
  • Executing a remote command with SJIS Japanese characters from Reflection for Secure IT Client for UNIX to a Reflection for Secure IT Server for Windows no longer fails.
  • UNC SFTP directories can now be accessed when “Connect to accessible directories when accessed, instead of at login time” is enabled.
  • Restarting the operating system no longer causes the Server to log the message “Attachmate Reflection for Secure IT Server service terminated unexpectedly” in the Event Viewer.
  • High volumes of automated SFTP transfers no longer cause periodic failures with an error message: The data area passed to a system call is too small.
  • File transfers no longer fail when “Use SFTP accessible directory settings for SCP1” is enabled and the “%u” pattern string is defined in the SFTP Accessible Directory Settings.
  • UNC SFTP directories can now be accessed when the “%u” pattern string is defined in the SFTP Accessible Directory Settings.
  • The SFTP server no longer terminates with exit code 9, which caused the OpenSSH client to disconnect intermittently.
  • A customized “User login directory” setting is maintained after upgrading the product.
  • The User Interface for the Credential Cache has been improved to better differentiate between the available options.
  • Added the architecture designation (x86 and x64) to Setup and the Programs and Features description to better distinguish the installations.

Security Updates

  • Fix for security vulnerability described in CVE-2012-0008: Untrusted search path vulnerability in Microsoft Visual Studio 2010 allows local users to gain privileges via a Trojan horse add-in in an unspecified directory, aka “Visual Studio Add-In Vulnerability”.
  • Fix for security vulnerability described in CVE-2012-2110: An ASN.1 input function does not properly interpret integer data, which allows remote attackers (on the Server for Windows, Server or Client for UNIX) or local attackers (on the Client for Windows) to conduct buffer overflow attacks, and cause a denial of service (memory corruption), via crafted DER data, as demonstrated by an X.509 certificate.
  • Fix for security vulnerability described in CVE-2011-1280: The XML Editor in Microsoft Visual Studio 2010 does not properly handle external entities, which allows remote attackers to read arbitrary files via a crafted .disco (Web Service Discovery) file, aka “XML External Entities Resolution Vulnerability”.
  • Fix for security vulnerability described in CVE-2010-3190: Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio 2010 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application, aka “MFC Insecure Library Loading Vulnerability”.

For current information about security alerts and advisories that may affect Reflection for Secure IT, see Technical Note 2288.

Obtaining the Product

Maintained customers are eligible to download the latest product releases from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/.

You will be prompted to login and accept the Software License Agreement before you can select and download a file. For more information on using the Download Library web site, see Technical Note 0200.

For information about purchasing Reflection for Secure IT, please e-mail us: SalesRecept@attachmate.com.

Supported Platforms

For information about Reflection for Secure IT supported platforms, see Technical Note 1944.

Installing or Upgrading to Reflection for Secure IT 8.0 References

For information about installing and upgrading Reflection for Secure IT 8.0 Server for Windows, see the Installing and Upgrading topics in the User Guide, which is available in the product or from the documentation page, http://support.attachmate.com/manuals/rsit_win_server.html.

Related:

7022022: Features Introduced in Reflection for Secure IT Windows Server 7.2 and Release Notes

Reflection for Secure IT Windows Server 7.2 New Features

The following new features are included in Reflection for Secure IT Windows Server 7.2:

  • The keyboard-interactive title can be suppressed.
  • You can specify the location of the server configuration files on any local drive.
  • The Host certificate section on the Identity tab of the server console is disabled by default.
  • The Password Cache has been replaced with a secure database called the Credential Cache to store user credentials used for accessing network resources.
  • The Domain Access credentials are stored in the Credential Cache.
  • You can specify credentials to use when accessing SFTP directories (for file transfer) and mapped drives (terminal sessions), thus allowing users to access resources that are not available with their own credentials.
  • You can map a drive to a network path for use during a terminal session.
  • You can restrict the number of allowed connections per user.
  • Domain user authentication is faster in some environments.
  • The allowed number of simultaneous connections is increased.
  • DNS reverse lookup is now correctly processed when using Client Host and User access controls.
  • Support for Microsoft Windows Server 2008 R2 x86_64 enables you to run Reflection for Secure IT on the latest Windows Server platform.
  • You can specify the passphrase (-P or --passphrase) option with the ssh-certtool utility.
  • The maximum packet size conforms to the SSH Transport RFC (RFC4253).

Resolved Issues in 7.2

The following issues were resolved in Reflection for Secure IT Windows Server 7.2:

  • The Reflection for Secure IT installer no longer generates a “Dependent Assembly Microsoft.VC80.MFCLOC could not be found” Event Viewer error.
  • The “Could not access directory <removable_storage_drive>” Event Viewer warning message logged when connecting to a chrooted virtual directory (/=$drive) has been removed.
  • Navigating to a directory using a relative path (../<directory>) no longer fails with the sftp client.
  • A memory leak in password cache migration has been addressed.
  • The Reflection for Secure IT Windows Server service is no longer installed as an interactive service.
  • A memory leak in LSASS.EXE with sftp connections to a UNC drive has been addressed.
  • The directory permissions required for a chrooted virtual directory are the same as in earlier version 6.1.x.
  • Uploading a file with the SSH Tectia Client no longer produces an “Error: Connection lost” message.
  • The warning “RemoteLogServer for RSSHAP xxx Event data size is unreasonable, ignoring event” no longer appears in the Event Viewer.
  • Network sessions no longer remain idle on the file server with public key authentication to a UNC home directory.
  • Non-administrator local users are now able to connect via public key authentication to the server running on Microsoft Windows Server 2008 R2.
  • The password option “Delay between tries” does not affect simultaneous connection attempts using other authentication methods such as public key.

Obtaining Your Product Upgrade

Maintained customers are eligible to download the latest product releases from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/.

You will be prompted to login and accept the Software License Agreement before you can select and download a file. For more information on using the Download Library web site, see Technical Note 0200.

For information about purchasing Reflection for Secure IT, please e-mail us: SalesRecept@attachmate.com.

Supported Platforms

For information about Reflection for Secure IT supported platforms, see Technical Note 1944.

Installing or Upgrading to Reflection for Secure IT Windows Server 7.2 References

For information about installing and upgrading Reflection for Secure IT Windows Server 7.2, see the Installing and Upgrading topics in the User Guide, which is available in the product or from the documentation page, http://support.attachmate.com/manuals/rsit_win_server.html.

Related:

7022000: The Relationship Between File Transfer, SSH, SCP2 (SCP), and SFTP

A Brief Introduction to SSH

The SSH protocol provides strong encrypted authentication and a secure encrypted tunnel through which you can move data and execute remote commands securely.

There are two different and incompatible versions of the SSH protocol: SSH-2 and SSH-1. While the Reflection Windows clients support both, it is highly recommended that you use the newer protocol, SSH-2, rather than SSH-1, which is deprecated.

This technical note assumes that you are using Reflection with SSH-2.

The Secure File Transfer Utilities

The file transfer capabilities of SSH are provided by utilities included with most SSH products, such as Reflection and the Reflection for Secure IT Windows and UNIX Clients. Typically, these utilities are called scp and sftp.

The scp and sftp utilities use the SCP and SFTP protocols (respectively) to provide file transfer capabilities and use the encrypted SSH tunnel to provide security.

Important distinction: The file transfer protocol SFTP is not a ‘secure version’ of the standard FTP protocol. It is a completely different protocol. You cannot connect to an FTP server using SFTP or to an SFTP server using FTP.

Different scp Implementations

There are two ways that scp utilities can implement file transfers; one implementation is based on OpenSSH and uses SCP over SSH, the other uses SFTP over SSH. These are two very different implementations and these differences can cause an incompatibility between some scp client utilities and some SSH servers.

scp Implementation Mismatches

The following clients use scp based on OpenSSH (SCP over SSH) and cannot connect to the non-OpenSSH-based SSH servers listed below them.

These clients:
  – Reflection 13.0.3 or earlier
  – Reflection for Secure IT Windows Client 6.0
  – OpenSSH client
  – scp client in SSH-1 Compatibility mode

CANNOT connect to these servers:
  – Reflection for Secure IT Windows Server 6.x
  – F-Secure SSH Windows or UNIX Server

Alternatively, the following SSH servers are compatible with applications that use scp based on OpenSSH (SCP over SSH), including the same versions of Reflection.

These clients:
  – Reflection 13.0.3 or earlier
  – Reflection for Secure IT Windows Client 6.0
  – OpenSSH client
  – scp client in SSH-1 Compatibility mode

CAN connect to these servers:
  – Reflection for Secure IT UNIX Server 6.0 or higher
  – Reflection for Secure IT Windows Server 7.0 or higher *
  – OpenSSH servers

* To use these older Reflection clients with Reflection for Secure IT Windows Server 7.0 or higher, you must configure Reflection for Secure IT Windows Server to Allow SCP1 (from the Permissions panel). The term SCP1 does not mean that the SSH-1 protocol is being used; rather, it means that the server allows OpenSSH-based scp client utilities to transfer files. The scp client is still running over SSH-2.

scp Implementation Matches

Starting in Reflection 13.0.4 and Reflection for Secure IT 6.1, the scp utility included with Reflection uses SFTP over SSH for file transfers; however, even though SFTP is being used in the background, to the end user the utility appears to still be using SCP.

Reflection Windows clients ship with scp, scp2*, sftp, and sftp2* file transfer utilities. Reflection uses the SFTP protocol (SFTP over SSH) for all four of these utilities.

For these versions of Reflection to successfully access an SSH server, the server must be configured to use an sftp subsystem to provide file transfer capabilities. Most SSH servers, including the OpenSSH servers, can be configured to support SFTP and have an sftp subsystem.

* The number “2” in “scp2” and “sftp2” is there to indicate that the scp2 and sftp2 file transfer utilities behave like, and support the switches used by, the F-Secure SSH’s scp2 and sftp2 utilities. scp2 and sftp2 are included in the current product to facilitate the smooth migration from F-Secure SSH Windows clients to Reflection for Secure IT and Reflection Windows clients. For further details, see Technical Note 1893.

How the SCP / SFTP Implementations Work

The following sections detail what happens in the background when scp based on OpenSSH (using SCP over SSH) or scp/sftp (using SFTP) are used.

Transferring Files Using scp / sftp (using SFTP)

When an sftp or scp (using SFTP) command is issued, the following occurs:

  1. The command opens the sftp command line interface.
  2. It runs the ssh command with the -s option to start an sftp subsystem.
  3. It sets up a secure tunnel and securely authenticates.
  4. It starts the host SSH daemon’s sftp-server subsystem (the file transfer server).
  5. And it waits for interactive sftp commands.

The SSH tunnel remains open until the bye command is issued, allowing multiple sftp commands to be issued before it is closed.

Transferring Files Using scp Based on OpenSSH (using SCP over SSH)

When an scp command is issued, the following occurs:

  1. scp starts ssh with the specified options and the remote command to execute scp on the remote host. This initiates an SSH connection, sets up an encrypted tunnel, and securely authenticates to the SSH server.
  2. scp executes on the server, using the -t (uploads) or -f (gets) options.
  3. scp transfers the specified file(s) or folder(s), using the SCP protocol.
  4. Once the transfer is complete, the SSH tunnel is closed.

A new SSH tunnel is created and shut down for each scp command issued.
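The two sequences above differ on the wire as well as in how the tunnel is used: OpenSSH-style scp runs a remote scp -t or scp -f and exchanges simple text records over the session's stdin/stdout, while SFTP opens the sftp subsystem and exchanges length-prefixed binary packets. The following Python is an added example, not code from the technical note or from any Reflection or OpenSSH product; it reconstructs the start of each exchange from the published protocols and runs it over constructed sample traffic (not a capture). The scp sink's rejection of file names containing a slash or ".." is the check OpenSSH's own sink performs, included here because the sink derives a local path from a name the peer chose.

```python
import re
import struct

# ---- SCP over SSH: the record stream between 'scp -f' (source) and 'scp -t' (sink) ----
# Each regular file is announced by one text record, "C<mode> <size> <name>\n"; the file's
# bytes follow, terminated by a single NUL. The sink answers every step with one status
# byte: 0 = ok, 1 = warning (message follows), 2 = fatal error (message follows).
SCP_FILE_RECORD = re.compile(rb"C([0-7]{4}) (\d+) ([^\n]*)\n")


def build_scp_file_record(mode: int, size: int, name: str) -> bytes:
    """What the source sends before a file's data, e.g. b'C0644 5 joeskey.pub\\n'."""
    return b"C%04o %d %s\n" % (mode, size, name.encode())


def parse_scp_file_record(record: bytes) -> dict:
    """Parse one 'C' record as the sink does, refusing anything but a plain file name:
    a slash or '..' would let the source write outside the sink's target directory."""
    m = SCP_FILE_RECORD.fullmatch(record)
    if not m:
        raise ValueError("malformed scp file record: %r" % record)
    name = m.group(3).decode()
    if name in ("", ".", "..") or "/" in name:
        raise ValueError("unexpected filename: %r" % name)
    return {"mode": int(m.group(1), 8), "size": int(m.group(2)), "name": name}


def scp_receive_one(stream: bytes):
    """Consume one file (record + data + NUL) from the source's byte stream.
    Returns (metadata, data, the status bytes the sink sends back: one ACK per step)."""
    end_of_record = stream.index(b"\n") + 1
    meta = parse_scp_file_record(stream[:end_of_record])
    data_end = end_of_record + meta["size"]
    data = stream[end_of_record:data_end]
    if len(data) != meta["size"] or stream[data_end:data_end + 1] != b"\x00":
        raise ValueError("short or unterminated file data")
    return meta, data, b"\x00\x00"


# ---- SFTP over SSH: the first packets on the sftp subsystem channel ----
# Every SFTP packet is uint32 length, byte type, then type-specific fields.
SSH_FXP_INIT, SSH_FXP_VERSION = 1, 2


def sftp_frame(payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + payload


def sftp_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def build_sftp_init(version: int = 3) -> bytes:
    """The client's first packet once 'ssh -s host sftp' has opened the subsystem."""
    return sftp_frame(struct.pack(">BI", SSH_FXP_INIT, version))


def parse_sftp_version(packet: bytes):
    """Parse the server's SSH_FXP_VERSION reply: (version, {extension-name: extension-data})."""
    (length,) = struct.unpack(">I", packet[:4])
    body = packet[4:4 + length]
    if len(body) != length or length < 5:
        raise ValueError("truncated SFTP packet")
    ptype, version = struct.unpack(">BI", body[:5])
    if ptype != SSH_FXP_VERSION:
        raise ValueError("expected SSH_FXP_VERSION, got type %d" % ptype)
    extensions, off = {}, 5
    while off < len(body):
        fields = []
        for _ in range(2):  # extension-name, extension-data
            if off + 4 > len(body):
                raise ValueError("truncated extension pair")
            (n,) = struct.unpack(">I", body[off:off + 4])
            fields.append(body[off + 4:off + 4 + n])
            if len(fields[-1]) != n:
                raise ValueError("truncated extension pair")
            off += 4 + n
        extensions[fields[0].decode()] = fields[1].decode()
    return version, extensions


# Constructed sample traffic (not a capture): one scp upload, one SFTP version reply.
SAMPLE_SCP_STREAM = build_scp_file_record(0o644, 5, "joeskey.pub") + b"hello" + b"\x00"
SAMPLE_SFTP_VERSION = sftp_frame(
    struct.pack(">BI", SSH_FXP_VERSION, 3)
    + sftp_string(b"posix-rename@openssh.com") + sftp_string(b"1")
)

if __name__ == "__main__":
    print(scp_receive_one(SAMPLE_SCP_STREAM))
    print(build_sftp_init().hex(), parse_sftp_version(SAMPLE_SFTP_VERSION))
```

The contrast explains the incompatibility discussed above: a server that only offers an sftp subsystem has nothing to run when an OpenSSH-style client asks it to execute scp -t, and an scp client that speaks SFTP needs that subsystem to exist.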

Related:

7021998: Automating SFTP File Transfers with Reflection for Secure IT

1. Establish an Authentication Method that can be Automated

To automate file transfers, you must first set up an authentication method that does not require user input, such as public key authentication with an empty passphrase. Because an unencrypted private key gives access to anyone who can read the file, keep it readable only by the account that runs the job, and limit what the key can do on the server; on an OpenSSH server, for example, authorized_keys options such as from= and command= restrict a key to particular client addresses and commands.

For detailed steps on configuring Reflection for Secure IT for public key authentication, see Technical Notes 1926 and 1881.

2. Create a Batch File of SFTP Commands

Use a text editor, such as Notepad or vi, to create a text batch file that contains the sftp file transfer commands you want to automate. You will call this file when you issue the sftp command.

Commands Available in Reflection for Secure IT

A full list of commands and their syntax can be viewed either from your product’s documentation page online or from the sftp client itself.

Windows Client

To access a list of commands for the Windows client online, see http://docs.attachmate.com/reflection/rsit-ssh/7.2sp3/winclient/help/en/rsit_client_sftp_command_rf.htm.

To access a list of commands from Reflection for Secure IT Windows Client, follow these steps:

  1. Establish an sftp connection to a host.
  2. At the host prompt, enter help.

A list of supported commands and definitions will be displayed.

UNIX Client

To access a list of commands for the UNIX client online, see http://docs.attachmate.com/reflection/rsit-ssh/8.0sp1/unix/en/man-pages/sftp_man_page.htm.

To access a list of commands from Reflection for Secure IT UNIX Client, follow these steps:

  1. At the client host prompt, before connecting to a host, enter sftp.
  2. At the sftp prompt, type help.

A list of supported commands will be displayed. Note: To obtain detailed information about a command, type help <command name>.

Sample Batch Files

The following sample batch files upload a file in binary mode to the user’s .ssh2 directory, and then disconnect:

##upload a public key from windows system to UNIX system.

lcd "C:\Users\user1\Documents\Attachmate\Reflection\.ssh"

cd /home/user1/.ssh2

binary

put user1.pub

quit



##upload a public key from UNIX system to UNIX system

lcd /home/user2/.ssh2

cd /home/user2/.ssh2

binary

put user2.pub

quit

3. Use the SFTP Command to Authenticate and Run the File

Use the following command to authenticate to your host and run the file transfer batch file.

Windows Client

Syntax: sftp -B <path><batch_file> <username>@<hostname>

Example: sftp -B C:\MyFiles\uploadkey.txt user1@myhost

UNIX Client

Syntax: sftp -B /<path>/<batch_file> <user name>@<host name>

Example: sftp -B /home/user2/uploadkey user2@myhost

Note: The -B parameter is case sensitive and is capitalized. (The OpenSSH sftp client uses the lowercase -b for the same purpose, so scripts written for one client do not carry over to the other unchanged.)

If you plan to automate further processes using a Windows batch file, you can include this sftp command line in the Windows batch file.
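When the batch file is generated by a script rather than written by hand, the file names it contains come from somewhere else (a drop directory, a database row), and a name containing a newline becomes an extra sftp command. The following Python is an added example, not code from the technical note or from Reflection: it renders a batch like the samples above, refuses names that could alter the batch or escape the local directory, and runs the client on a private temporary file. The client executable and the batch flag are parameters (Reflection's sftp uses -B as described above; OpenSSH's sftp uses -b); the host and user names are placeholders.

```python
import os
import stat
import subprocess
import tempfile


def render_sftp_batch(local_dir: str, remote_dir: str, files) -> str:
    """Build the text of an sftp batch file like the samples above.
    A newline in any value would smuggle an extra command into the batch, and a path
    separator in a file name would upload from outside local_dir, so both are refused."""
    files = list(files)
    for value in (local_dir, remote_dir, *files):
        if "\n" in value or "\r" in value or '"' in value:
            raise ValueError("unsafe value for batch file: %r" % value)
    for name in files:
        if "/" in name or "\\" in name or name in ("", ".", ".."):
            raise ValueError("put expects a bare file name, got %r" % name)

    def q(path: str) -> str:  # quote only when needed, as in the samples above
        return '"%s"' % path if " " in path else path

    lines = ["lcd " + q(local_dir), "cd " + q(remote_dir), "binary"]
    lines += ["put " + q(name) for name in files]
    lines.append("quit")
    return "\n".join(lines) + "\n"


def run_sftp_batch(batch_text: str, target: str, sftp=("sftp",), batch_flag="-B", timeout=600):
    """Write the batch to a temporary file readable only by this user, run the client on it,
    and return (exit status, stdout, stderr). batch_flag is -B for Reflection's sftp client
    and -b for OpenSSH's. The exit status is what a scheduler should act on."""
    fd, path = tempfile.mkstemp(suffix=".sftp")
    try:
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
        with os.fdopen(fd, "w") as fh:
            fh.write(batch_text)
        proc = subprocess.run([*sftp, batch_flag, path, target],
                              capture_output=True, text=True, timeout=timeout)
        return proc.returncode, proc.stdout, proc.stderr
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Placeholder directory, file and target; assumes the sftp client is on PATH.
    batch = render_sftp_batch("/home/user2/.ssh2", "/home/user2/.ssh2", ["user2.pub"])
    rc, out, err = run_sftp_batch(batch, "user2@myhost")
    raise SystemExit(rc)
```

Deleting the batch file afterwards matters less than its mode while it exists: the batch names the remote directories the automated account touches, which is more than an unrelated local user should learn.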

Related: