The ability to transfer files from one computer to another on my home network using scp felt magical when I first got into Linux. I had been using “sneaker net”. In those days, “sneaker net” meant putting the file on a 3.5" floppy and walking the floppy disk across the house into the room where the other computer was located. Before I started running Linux on old computers, I never had a network of computers. Once I had networked two Linux computers that I could ssh between, this new world of networking fed my computer geek love.
On August 8th, 2018, Harry Sintonen, working for F-Secure Corporation, discovered the first vulnerabilities with the transfer protocol used by scp. Although using a different transfer protocol creates compatibility bugs and issues, scp can be used with the well-tested and secure protocol behind sftp. After these vulnerabilities were discovered, the team behind OpenSSH determined that the original protocol had too much technical debt and too many issues to attempt fixing it. At first, the OpenSSH developers encouraged users to just stop using scp and instead use rsync, or some other program that securely transfers files from one computer to another.
Yes, in the world of free and open source software, we have plenty of secure options for transferring our files from one computer to another, but scp is a useful tool that is probably included in a number of sysadmin scripts and ingrained into the muscle memory of a number of Linux users. Red Hat decided to patch their builds of OpenSSH. Their patch, included in all their builds of 8.7 and above, makes the default sftp instead of its original and now discovered insecure protocol.
If you are using a Red Hat, CentOS, or Fedora distribution that is using OpenSSH 8.7 or above, then you can use scp without concern about it being insecure. On Fedora 36, I am running OpenSSH 8.8p which has the Red Hat patch installed. OpenSSH decided to adopt the Red Hat patch into their mainline stable edition as of version 9.0, which was released in April of 2022. As this version makes its way into the repos of your preferred distribution, your version of scp will also use the sftp protocol as its default. If you run into one of the compatibility bugs, you will be able to use the flag scp -O to use the “original” protocol, which is known to have vulnerabilities that are not fixed.
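To check which side of those version cut-offs a host falls on, the sketch below classifies scp's default protocol from an ssh -V banner and the ID field of /etc/os-release. It is an added example, not part of the original post; the function name, the sample banners and the treatment of non-Red Hat 8.7 and 8.8 builds as unpatched are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): report which protocol scp
# uses by default, from an `ssh -V` banner and an /etc/os-release ID.
# Version cut-offs are the ones stated in the article: 8.7 for Red Hat
# family builds (distro patch), 9.0 for upstream OpenSSH.

scp_default_protocol() {
    banner=$1
    distro=${2:-}
    # "OpenSSH_8.8p1, OpenSSL ..." -> "8 8"
    ver=$(printf '%s\n' "$banner" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        echo unknown          # banner did not look like OpenSSH
        return 0
    fi
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -ge 9 ]; then
        echo sftp             # upstream default since 9.0
    elif [ "$major" -eq 8 ] && [ "$minor" -ge 7 ]; then
        case $distro in
            fedora|rhel|centos) echo sftp ;;   # Red Hat patch
            *) echo legacy ;;   # assumption: build carries no such patch
        esac
    else
        echo legacy           # original scp protocol
    fi
}

# Constructed sample banners (not captured from real hosts).
report() {
    printf '%-8s %-30s -> %s\n' "$2" "$1" "$(scp_default_protocol "$1" "$2")"
}
report 'OpenSSH_8.4p1 Debian-5' debian
report 'OpenSSH_8.8p1, OpenSSL 1.1.1' fedora
report 'OpenSSH_9.0p1, OpenSSL 3.0.2' debian

# On a real host:
#   scp_default_protocol "$(ssh -V 2>&1)" "$(. /etc/os-release; echo "$ID")"
```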
Besides using Fedora as my main desktop at home, and as my server OS in my home lab, I also have two workstations running MX Linux, Fluxbox Edition, and a Debian stable server at work. From my research, these systems, which are all built from Debian stable, are using the unpatched version of OpenSSH, version 8.4p. Therefore, on those systems it would be advisable to use sftp directly instead of
Rediscovering the Magic of scp and sftp
If you can ssh into your remote computer or a computer on your LAN, you can use scp. Here is a handy cheat sheet for
Cheat sheet for sftp
Connect to a remote server and enter an interactive command mode:
Connect using an alternate port:
sftp -P remote_port remote_user@remote_host
Connect using a predefined host (in
Transfer remote file to the local system:
Transfer local file to the remote system:
Transfer remote directory to the local system recursively (works with
get -R /path/remote_directory
Get list of files on local machine:
Get list of files on remote machine:
sftp allows you to engage with your local and your remote file system interactively. As you can see above, you can ls your remote file system or you can change directories too with the common cd command. To view the files on your local computer while you are connected via sftp you need to use lls for “local list files” and lcd for “local change directory.” For most users sftp provides a more powerful and useful experience. Since I have all of my remote computers that I ssh into configured in my ~/.ssh/config file, it feels super easy to either put files from my local computer to my remote computer, or get files from my remote computer to my local computer.
scp is a utility that simply lets you copy files from one computer to another, but you can’t interact with the file system on the other computer. You must simply know the paths and file names that you want to transfer from one computer to another. Once again, having your remote computers configured in your ~/.ssh/config file will save you from some typing mistakes.
Cheat sheet scp
Basic Syntax to Grab a File from a Remote Computer to the current-working-directory on your Local Computer.
By default here, port 22 is used, or whichever port is otherwise configured for SSH.
scp remote_user@remote_host:/path/remote_file ./
Copy a File from Local Computer to Remote Computer
scp local_file remote_user@remote_host:/path/remote_directory
sftp You Can Use SSH Aliases Defined in
Additionally, you have to specify in scp the destination directory, which in the example below is the current-working-directory.
scp ssh_alias:/path/remote_file ./
sftp You Can Use scp to Copy Files Between Two Remote Computers
If you would like a config file that is on one of your remote computers copied to another remote computer, you can use scp to make that file transfer happen from your local computer without ever using ssh to log into either of those remote computers. Consider the example below.
scp ssh_alias1:/path/remote_file ssh_alias2:/path/remote_directory
The above only works if you have exchanged ssh keys between the two remote machines, since scp can’t ask for passwords or passphrases between the two remote machines.
scp -3 ssh_alias1:/path/remote_file ssh_alias2:/path/remote_directory
Adding the “-3” flag enables you to pass a file between the two remote computers through your local computer.
Just Another Tool in the Toolbox
If you read other articles in this blog you know that I don’t depend on sftp to do all of my file transfers. I definitely need to do an article about rsync, which gets used every day in my home lab. I also use git in combination with the bash script yadm to sync all of my configuration files between the computers on my home and work networks. Sometimes, it is great to remember that you have sftp at your fingertips because you more than likely have ssh installed on your computers. Also, users of Fedora and the Red Hat family of distros can feel safe using scp because of their patched version of OpenSSH, and soon everyone will be using OpenSSH 9.0 or above as well. Since my file transfers happen between my home and work networks that are connected by a VPN, I’m not concerned with using scp on my Debian systems either since the traffic is going through my encrypted WireGuard tunnel. The beauty of Free and Open Source Software is often the number of solutions that are available to use, but it can also be challenging to determine which solution is the best.