Secure copy protocol

scp
Developer(s)	The OpenSSH Project
Repository	github.com/openssh/openssh-portable/
Written in	C
Operating system	Cross-platform
Type	Command, Communication protocol
Website	www.openssh.com

Secure copy protocol (SCP) is a means of securely transferring computer files between a local host and a remote host or between two remote hosts. It is based on the Secure Shell (SSH) protocol.^[1] "SCP" commonly refers to both the Secure Copy Protocol and the program itself.^[2]

According to OpenSSH developers in April 2019, SCP is outdated, inflexible and not readily fixed; they recommend the use of more modern protocols like SFTP and rsync for file transfer.^[3] As of OpenSSH version 9.0, scp client therefore uses SFTP for file transfers by default instead of the legacy SCP/RCP protocol.^[4]

Secure Copy Protocol[edit]

The SCP is a network protocol, based on the BSD RCP protocol,^[5] which supports file transfers between hosts on a network. SCP uses Secure Shell (SSH) for data transfer and uses the same mechanisms for authentication, thereby ensuring the authenticity and confidentiality of the data in transit. A client can send (upload) files to a server, optionally including their basic attributes (permissions, timestamps). Clients can also request files or directories from a server (download). SCP runs over TCP port 22 by default.^[6] Like RCP, there is no RFC that defines the specifics of the protocol.

Function[edit]

Normally, a client initiates an SSH connection to the remote host, and requests an SCP process to be started on the remote server. The remote SCP process can operate in one of two modes:

source mode, which reads files (usually from disk) and sends them back to the client, or
sink mode, which accepts the files sent by the client and writes them (usually to disk) on the remote host.

For most SCP clients, source mode is generally triggered with the -f flag (from), while sink mode is triggered with -t (to).^[2] These flags are used internally and are not documented outside the SCP source code.

Remote to remote mode[edit]

In the past, in remote-to-remote secure copy, the SCP client opens an SSH connection to the source host and requests that it, in turn, open an SCP connection to the destination. (Remote-to-remote mode did not support opening two SCP connections and using the originating client as an intermediary). It is important to note that SCP cannot be used to remotely copy from the source to the destination when operating in password or keyboard-interactive authentication mode, as this would reveal the destination server's authentication credentials to the source. It is, however, possible with key-based or GSSAPI methods that do not require user input.^[2]

Recently, remote-to-remote mode supports routing traffic through the client which originated the transfer, even though it is a 3rd party to the transfer. This way, authorization credentials must reside only on the originating client, the 3rd party.^[7]

Issues using talkative shell profiles[edit]

SCP does not expect text communicating with the SSH login shell. Text transmitted due to the SSH profile (e.g. echo "Welcome" in the .bashrc file) is interpreted as an error message, and a null line (echo "") causes SCP client to deadlock waiting for the error message to complete.^[2]

scp program[edit]

The SCP program^[8] is a software tool implementing the SCP protocol as a service daemon or client. It is a program to perform secure copying.

Perhaps the most widely used SCP program is the OpenSSH command line scp program, which is provided in most SSH implementations. The scp program is the secure analog of the rcp command. The scp program must be part of all SSH servers that want to provide SCP service, as scp functions as SCP server too. Since OpenSSH 9.0, the program has been updated to use the newer, more secure SFTP protocol; an -O option is added for using SCP with old SCP-only servers.^[4]

Syntax[edit]

Typically, a syntax of scp program^[9] is like the syntax of cp (copy):

Copying local file to a remote host:

scp LocalSourceFile user@remotehost:directory/TargetFile

Copying file from remote host and recursively copying folder (with -r switch) from remote host:

scp user@remotehost:directory/SourceFile LocalTargetFile
scp -r user@host:directory/SourceFolder LocalTargetFolder

Note that if the remote host uses a port other than the default of 22, it can be specified in the command. For example, copying a file from host:

scp -P 2222 user@host:directory/SourceFile TargetFile

Other clients[edit]

As the Secure Copy Protocol implements file transfers only, GUI SCP clients are rare, as implementing it requires additional functionality (directory listing at least). For example, WinSCP defaults to the SFTP protocol.^[10] Even when operating in SCP mode, clients like WinSCP are typically not pure SCP clients, as they must use other means to implement the additional functionality (like the ls command).^[11] This in turn brings platform-dependency problems.

More comprehensive tools for managing files over SSH are SFTP clients.

Security[edit]

In 2019 vulnerability CVE-2019-6111^[12] was announced related to the openssh SCP tool and protocol allowing users to overwrite arbitrary files in the SCP client target directory.

References[edit]

^ "Linux and Unix scp command". Computer Hope. Retrieved 4 August 2015.
^ ^a ^b ^c ^d Pechanec, Jan. "How the SCP protocol works". Jan Pechanec's weblog. Oracle. Archived from the original on 2017-02-15. Retrieved 4 August 2015.
^ "OpenSSH 8.0". OpenSSH Release Notes. 17 April 2019.
^ ^a ^b "OpenSSH 9.0". OpenSSH Release Notes. 8 April 2022.
^ "scp(1) - OpenBSD manual pages (history section)". Retrieved 25 June 2012.
^ "SCP - Secure Copy Protocol - What is it & Full Definition & Example Cmds!". PC & Network Downloads - PCWDLD.com. 2019-06-29. Retrieved 2020-05-22.
^ Carroll, Brandon (16 August 2017). "How to use Secure Copy for file transfer". TechRepublic. Retrieved 2020-05-22.
^ "Portable OpenSSH". GitHub. 13 May 2022.
^ "scp(1) - OpenBSD manual pages" https://man.openbsd.org/scp
^ "Supported File Transfer Protocols :: WinSCP". winscp.net. Retrieved 2020-05-22.
^ "The SCP/Shell Page (Advanced Site Settings dialog) :: WinSCP". winscp.net. Retrieved 2020-05-22.
^ "NVD - Cve-2019-6111".

[1] "Linux and Unix scp command". Computer Hope. Retrieved 4 August 2015.

[Pechanec-2] Pechanec, Jan. "How the SCP protocol works". Jan Pechanec's weblog. Oracle. Archived from the original on 2017-02-15. Retrieved 4 August 2015.

[3] "OpenSSH 8.0". OpenSSH Release Notes. 17 April 2019.

[ossh9-4] "OpenSSH 9.0". OpenSSH Release Notes. 8 April 2022.

[5] "scp(1) - OpenBSD manual pages (history section)". Retrieved 25 June 2012.

[6] "SCP - Secure Copy Protocol - What is it & Full Definition & Example Cmds!". PC & Network Downloads - PCWDLD.com. 2019-06-29. Retrieved 2020-05-22.

[7] Carroll, Brandon (16 August 2017). "How to use Secure Copy for file transfer". TechRepublic. Retrieved 2020-05-22.

[8] "Portable OpenSSH". GitHub. 13 May 2022.

[9] "scp(1) - OpenBSD manual pages" https://man.openbsd.org/scp

[10] "Supported File Transfer Protocols :: WinSCP". winscp.net. Retrieved 2020-05-22.

[11] "The SCP/Shell Page (Advanced Site Settings dialog) :: WinSCP". winscp.net. Retrieved 2020-05-22.

[12] "NVD - Cve-2019-6111".

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

v t e Windows command-line programs and shell builtins
COMMAND.COM Command Prompt Windows PowerShell Recovery Console
File system navigation	cd (chdir) dir popd pushd tree
File management	attrib cacls cipher compact copy del (erase) deltree icacls mkdir (md) mklink move openfiles recover ren (rename) replace rmdir (rd) robocopy takeown xcopy
Archiving	expand extrac32 extract makecab pax tar
Disk management	chkdsk convert defrag diskcomp diskcopy diskpart diskraid diskshadow drvspace fdisk format fsutil label manage-bde refsutil subst scandisk sys vol vssadmin
Processes	at exit kill powercfg runas sc schtasks shutdown start taskkill tasklist
Registry	assoc ftype reg regini regsvr32
User environment	chcp cmdkey date graftabl mode path set setver setx time title ver where whoami
File contents	comp edit edlin fc find findstr print type
Scripting	choice clip cscript doskey echo for forfiles goto if more pause prompt rem timeout
Networking	arp bitsadmin curl getmac hostname ipconfig nbtstat net netsh netstat nslookup PathPing ping rpcping route scp setspn sftp ssh ssh-add ssh-agent ssh-keygen ssh-keyscan tracert winrm winrs
Maintenance and care	auditpol dispdiag driverquery eventcreate eventtriggers logman mofcomp msiexec ntbackup pnpunattend pnputil REAgentC relog sfc sxstrace systeminfo tracerpt typeperf w32tm WBAdmin wecutil wevtutil winmgmt winsat wmic
Boot management	bcdedit bootcfg bootsect fixboot fixmbr
Software development	debug exe2bin QBasic
Miscellaneous	break cls dism dpath gpresult gpupdate help MSCDEX pentnt tpmtool tpmvscmgr wsl
List of DOS commands Environment variables Windows Support Tools