OpenSSH/Client Applications

On the client side, ssh(1), scp(1), and sftp(1) provide a wide range of capabilities. Interactive logins and file transfers are just the tip of the iceberg.

ssh(1) - The basic login shell-like client program.
sftp(1) - FTP-like program that works using the SSH protocol.
scp(1) - File copy program that acts like rcp(1).
ssh_config(5) - The client configuration file.

The SSH client

edit

ssh(1) is a program which provides the client side for secure, encrypted communications between hosts over an insecure network. Its main use is for logging into and running programs on a remote host. It can also be used to secure remote X11 connections and forward arbitrary TCP ports to secure legacy protocols. ssh was made, in part, to replace insecure tools like rsh and telnet. It has largely succeeded at this goal. rsh and telnet are rarely seen anymore for interactive sessions or anywhere else. ssh can authenticate using regular passwords or with the help of a public-private key pair. More options, such as use of Kerberos, smartcards, or one-time passwords can be configured.

Remote login, authenticating via password:

$ ssh fred@somehost.example.org

Another way of logging in to the same account:

$ ssh -l fred somehost.example.org

Remote programs can be run interactively when the client is run via the shell on the remote host. Or they can be run directly when passed as an argument to the SSH client. They can even be pre-configured in the authentication key or the server configuration.

Run uname(1) on the remote machine:

$ ssh -l fred  somehost.example.org  "uname -a"

See what file systems are mounted and how much space is used there:

$ ssh -l fred  somehost.example.org  "mount; df -h"

It is possible to configure in great detail which programs are allowed by which accounts. There are many combinations of options that give extra capabilities, such as re-using a single connection for multiple sessions or passing through intermediary machines. The level of granularity can be increased even more with the help of sudo(8).

SSH Client Environment Variables -- Server Side

edit

Of course the foundation of most SSH activity centers around use of the shell. Upon a successful connection, OpenSSH sets several environment variables.

SSH_CLIENT='192.168.223.17 36673 22'
SSH_CONNECTION='192.168.223.17 36673 192.168.223.229 22'
SSH_TTY=/dev/pts/6

SSH_CLIENT shows the address of the client system, the outgoing port number on the client system, and the incoming port on the server. SSH_CONNECTION shows the address of the client, the outgoing port on the client, the address of the server and the incoming port on the server. SSH_TTY names the pseudo-terminal device, abbreviated PTY, on the server used by the connection. For more information on pseudo-terminals see ptm(4), tty(1) and tty(4).

The login session can be constrained to a single program with a predetermined set of parameters using ForceCommand in the server configuration or Command="..." in the authorized keys file. When that happens an additional environment variable SSH_ORIGINAL_COMMAND gets set.

SSH_ORIGINAL_COMMAND=echo "hello, world"

If the server has ExposeAuthInfo set, then the SSH_USER_AUTH environment variable points to a temporary file listing details about the authentication methods used to start the current session.

SSH_USER_AUTH=/tmp/sshauth.4JmbYfF0bhF6C17

The file is removed when the session ends.

Other variables are set depending on the user's shell settings and the system's own settings.

SSH Client Configuration Options

edit
GSSAPI, or Generic Security Service Application Program Interface, a standard interface defined by RFC 2743 to provide a means for independent modules with means for generic authentication and secure messaging. Kerberos V is one of the more common examples of a service using it.

Configuration options can be passed to ssh(1) as arguments, see the manual pages for ssh(1) and ssh_config(5) for the full list.

Connect very verbose output, GSSAPI authentication:

$ ssh -vv -K -l account host.example.org

A subset of options can be defined on the server host in the user's own authorized keys file, in conjunction with specific keys. See sshd(8) for which subset exactly.

command="/usr/local/sbin/backup.sh",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAQEAsY6u71N...
command="/usr/games/wump",no-port-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1...
environment="gtm_dist=/usr/local/gtm/utf8",environment="gtm_principal_editing=NOINSERT:EDITING" ssh-rsa AAAA8a2s809poloh05yhh...

Note that some directives, like setting the environment variables, are disabled by default and must be named in the server configuration before available to the client. More configuration directives can be set by the user in ~/.ssh/config or by the system administrator in /etc/ssh/ssh_config. These same configuration directives can be passed as arguments using -o. See ssh_config(5) for the full list with descriptions.

$ ssh -o "ServerAliveInterval=60" -o "Compression=yes" -l fred server.example.org

The system administrators of the client host can set some global defaults in /etc/ssh/config. Some of these global settings can be targeted to a specific group or user by using a Match directive.

For example, if a particular SSH server is available via port 2022, it may be convenient to have the client try that port automatically. Some of OpenBSD’s anonymous CVS servers accept SSH connections on this port. However, compression should not be used in this case because CVS already uses compression. So it should be turned off. So, one could specify something like the following in the $HOME/.ssh/config configuration file so that the default port is 2022 and the connection is made without compression:

Host anoncvs anoncvs.example.org
        Compression no
        Port 2022

See ssh_config(5) for the client side and sshd_config(5) for the server side for the full lists with descriptions.

The SFTP client

edit

sftp(1) is an interactive file transfer program which performs all its operations over an encrypted SSH transport channel. It may also use many features of ssh(1), such as public key authentication and compression. It is also the name of the protocol used.

The SFTP protocol is similar in some ways to the now venerable File Transfer Protocol (FTP), except that the entire session, including the login, is encrypted. However, SFTP is not FTPS. The latter old-fashioned FTP tunneled over SSH/SSL. In contrast, SFTP is actually a whole new protocol. sftp(1) can also be made to start in a specific directory on the remote host.

$ sftp fred@server.example.org:/var/www

Frequently, SFTP is used to connect and log into a specified host and enter an interactive command mode. See the manual page for sftp(1) for the available interactive commands such as get, put, rename, and so on. Also, the same configuration options that work for ssh(1) also apply to sftp(1). sftp(1) accepts all ssh_config(5) options and these can be passed along as arguments at run time. Some have explicit shortcuts.

$ sftp -i ~/.ssh/some.key.ed25519 fred@server.example.org:/var/www

While others can be specified by naming them in full using the -o option.

$ sftp -o "ServerAliveInterval=60" -o "Compression=yes" fred@server.example.org

Another way to transfer is to send or receive files automatically. If a non-interactive authentication method is used, the whole process can be automatic using batch mode.

$ sftp -b session.batch -i ~/.ssh/some_key_rsa fred@server.example.org

Batch processing only works with non-interactive authentication.

The SCP client

edit

scp(1) is used for encrypted transfers of files between hosts and is used a lot like regular cp(1). Since 9.0[1] it is based on the SFTP protocol under the hood, while the old version prior to that was inspired by the Berkeley Software Distribution (BSD) Remote Copy Protocol (RCP) for which it has been a secure replacement. Both the old and the new versions use SSH to encrypt the connection.

The scp(1) client, unlike the SFTP client, is not based on any formal standard. It has aimed at doing more or less what old rcp did and responded the same way. Since with it the same program must be used at both ends of the connection and interoperability is required with other implementations of SSH. Changes in functionality would probably break that interoperability, so new features are more likely to be added to sftp(1) if at all. Thus, it is best to lean towards using sftp(1) instead when possible. Again, recent versions of scp(1) are a front end the SFTP protocol anyway.

Copy from remote to local:

$ scp myaccount@sftp.example.org:*.txt .

Copy from local to remote, recursively:

$ scp -r /etc/ myaccount@sftp.example.org:.

Being a front end for the SFTP protocol now, the new scp(1) client can cover most but not all of the behavior of the old client and is not quite bug-for-bug compatible. One noticeable change which is fixed on the server side in OpenSSH 8.7 or later was the absence of tilde (~) expansion. So the "expand-path@openssh.com" protocol extension has been added to support this. Another area where there can potentially be trouble is when there are shell meta-characters, such as * or ?, in the file names.

See also the section for the SFTP client above.

GUI Clients

edit

There are a great many graphical utilities that support SFTP and SSH. Many started out as transfer utilities with the outdated legacy protocol FTP and grew with the times to include SSH and SFTP support. Sadly, many retain the epithet FTP program despite modernization. Others are more general file managers that include SFTP support as one means of network transparency. Most if not all provide full SFTP support including Kerberos authentication.

Below is a partial list to give an idea of the range of options available.

Bluefish is a website management tool and web page editor with built in support for SFTP. Closed source competitors XMetaL and Dreamweaver are said to have at least partial support for SFTP. No support for SFTP is available for Quanta+ or Kompozer as of this writing. http://bluefish.openoffice.nl/

Cyberduck is a remote file browser for the Macintosh. It supports an impressive range of protocols in addition to SFTP. http://cyberduck.ch/

Dolphin is a highly functional file manager for the KDE desktop, but can also be run in other desktop environments. It includes SFTP support

Fetch, by Fetch Softworks, is a reliable and well-known SFTP client for the Macintosh. It has been around since 1989 and started life as just an FTP client. It has many useful features combined with ease of use. It is closed source, but academic institutions are eligible for a free of charge site license. http://fetchsoftworks.com/fetch/

Filezilla is presented as a FTP utility, but it has built in support for SFTP. It is available for multiple platforms under the Free Software license, the GPL. http://filezilla-project.org/

FireFTP is a SFTP plugin for Mozilla Firefox. Though it is presented as an FTP add-on, it supports SFTP. It is available under both the MIT license and the GPL. http://fireftp.mozdev.org/

Fugu, developed by the University of Michigan research systems unix group, is a graphical front-end for SFTP on the Macintosh. http://rsug.itd.umich.edu/software/fugu/

gFTP is a multi-threaded file transfer client http://www.gftp.org/

JuiceSSH is an SSH Client for Android/Linux. It uses the jsch Java implementation of SSH2. https://juicessh.com/

Konqueror is a file manager and universal document viewer for the KDE desktop, but can also be run in other environments. It includes SFTP support. http://www.konqueror.org/

lftp is a file transfer program that supports multiple protocols. http://lftp.yar.ru/

Midnight Commander is a visual file manager based on a text interface and thus usable over a terminal or console. It includes SFTP support. https://midnight-commander.org/

Nautilus is the default file manager for the GNOME desktop, but can also be run in other environments. It includes SFTP support

PCManFM is an extremely fast, lightweight, yet feature-rich file manager with tabbed browsing which is the default for LXDE. It includes SFTP support. http://wiki.lxde.org/en/PCManFM

PuTTY is another FOSS implementation of Telnet and SSH for both legacy and Unix platforms. It is released under the MIT license and includes an SFTP client, PSFTP, in addition to an xterm terminal emulator and other tools like a key agent, Paegent. It is written and maintained primarily by Simon Tatham. http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Remmina is a remote desktop client written in GTK+ which supports multiple network protocols, including SSH. http://www.remmina.org/

RemoteShell is the default SSH client for MorphOS, written in C using the GUI library Magic User Interface (MUI). The operating system also contains the command-line tools ssh(1), scp(1) and sftp(1). http://www.morphos-team.net

SecPanel is a GUI for managing and running SSH and scp connections. It is not a new implementation of the protocol or software-suite, but sits on top of either of the SSH software-suites http://themediahost.de/secpanel/

Thunar is the default file manager for the XFCE desktop. It includes SFTP support. http://docs.xfce.org/xfce/thunar/start

Transfer is the default SFTP client for MorphOS, written in C using the GUI library Magic User Interface (MUI). http://www.morphos-team.net

Yafc is Yet Another FTP Client and despite the name supports SFTP. http://yafc.sourceforge.net/

 


  1. "OpenSSH 9.0 Release Notes". www.openssh.com. 2022-04-08. Retrieved 2022-04-10.