Command Line Utility Switch Support in Reflection for Secure IT Windows Client

  • 7021948
  • 31-May-2006
  • 02-Mar-2018

Environment

Reflection for Secure IT Windows Client version 7.0 or higher

Situation

Beginning in version 6.1, the ssh, scp, and sftp command line utilities available in Reflection for Secure IT support the full range of executable command line switches provided by equivalent OpenSSH-style SSH utilities. Additionally, ssh2, scp2 and sftp2 command line switch support has been added for customers who are migrating from F-Secure and need to maintain scripts written for the F-Secure SSH2 command line utilities. This technical note lists the switches and options available for use in ssh, scp, sftp, ssh2, scp2, and sftp2.

Note: For a list of available startup switches for Reflection for Secure IT Windows Client, see KB 7021985.

Resolution

Determining Which Utility Is Running

If you have both F-Secure and Reflection for Secure IT installed on the same machine, you have two different ssh2, scp2, and sftp2 utilities on your machine; an F-Secure version and a Reflection for Secure IT version. The functionality of these two versions is equivalent.

Both F-Secure and Reflection installations add their install folders to the end of the user's PATH. Since the F-Secure folder appears first in the list, its command line utilities are executed first.

You can verify which utility is running (F-Secure or Reflection for Secure IT) by opening a command window and issuing the ssh2 –V command (or scp2 –V or sftp2 –V command). An SSH banner that identifies the manufacturer and version of the client that is being executed will display.

To temporarily change the version of the utility being run, change directories to the folder where Reflection for Secure IT is installed (by default C:\Program Files\Attachmate\Rsecure) and issue the utility's command in the command window.

Or to permanently change the version of the utility being run, go to My Computer > Properties. On the Advanced tab, click Environment Variables and edit the user PATH variable in the Environment Variables dialog box.

Switch Support

Information about the switches supported can be found in the following sections:

Secure Shell Utility Switch Support

Reflection provides a robust Secure Shell protocol suite, which includes ssh, sftp, and scp. The addition of ssh2, scp2, and sftp2 switches eases the transition from F-Secure SSH products to the Reflection for Secure IT Window client by seamlessly supporting currently existing F-Secure scripts in the Reflection for Secure IT environment. Attachmate recommends that any future scripts be written using the OpenSSH-style switch format.

The tables below illustrate the OpenSSH-style switches and options available in Reflection for Secure IT for each command line utility. For F-Secure switch information see SSH2, SCP2, and SFTP2 Utility Switch Support.

OpenSSH-Style SSH Switches (ssh.exe) Supported in Reflection

SSH Switch
SSH Keyword
Description
-A
ForwardAgent=yes
Enable Auth agent forwarding
-a
ForwardAgent=no
Disable Auth agent forwarding (default)
-b addr
BindAddress=IP
Local IP address
-c cipher[,cipher]
Ciphers=c1,c2
Select encryption algorithm. Comma separated list
-C
Compression=yes
Enable compression
 
 
 
-D port
DynamicForward=<#>
Enable dynamic application-level port forwarding through SOCKS4/5
-e char
EscapeChar=<char>
Set escape character – none to disable
-E prov
 
Use 'prov' as the external key provider
-f
 
Places client in background just before command execution (Version 7.0 or higher)
-F file
 
Read an alternative configuration file
-g
GatewayPorts=yes
Allow remote host to connect to forwarded ports
-H scheme
Host=<scheme string>
SSH config scheme to use
-i keyfile
IdentityFile=<path>
Identity file for public key authentication
-k dir
 
Custom configuration directory where config file, host keys and user keys are located
-l user
User=<username>
Login with this user name
-L [FTP/|TCP/]listen-port:host:port
"LocalForward=
<lport host:rport>"

Forward local port to remote address. Causes ssh to listen for connections on a port, and forward connections to the other side by connecting to host:port
-m mac[,mac]
MACs=[hmac-md5, hmac-sha1, hmac- ripemd160, hmac-sha1-96, hmac-md5-96]
Select MAC algorithm. Multiple -m options are allowed using a comma-separated list
-M
ControlMaster=[yes, no, ask, auto]
Places client in Control Master mode (Version 6.1 - 7.0 only)
-n
 
Redirect input from /dev/null (do not read stdin)
-N
 
Do not execute shell or command
-o "option"
 
Process the option as if it was read from a configuration file
-p port
Port=<#>
Connect to this port; server must be on the same port
-q
 
Quiet; do not display any warning messages
-R listen-port:host:port
"RemotelForward= <lport host:rport>"
Forward remote port to local address
-s command
 
Invoke command as ssh2 subsystem (Version 6.1 only)
-S ctl
ConnectionReuse=[yes,no]
Specifies the location of a control socket for connection sharing
Note: Instead of using the –S ctl switch, we recommend that you use the –o switch:
–o ConnectionReuse=yes
(Version 6.1 - 7.0 only)

-S
 
Do not execute a shell
(Version 7.1 or higher)

-t
 
Allocate a tty even if command is given
-T
 
Do not allocate a tty
-v
 
Verbose; display verbose debugging messages. Equal to -d 2
-v[vv]

LogLevel=<string>
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3

Set debug level
Additional "v"s increases the debug level.

-V
 
Display version string
-X
ForwardX11=yes
Enable X11 connection forwarding UNTRUSTED
-x
ForwardX11=no
Disable X11 connection forwarding (default)
-Y
ForwardX11Trusted= [yes, no]
Enable X11 connection forwarding TRUSTED
-1
 
Use protocol 1 only
-2
Protocol=2
Use protocol 2 only
-4
AddressFamily=inet
Use IPv4 to connect
-6
AddressFamily=inet6
Use IPv6 to connect
-?
 
Display usage help

OpenSSH-Style SCP Switches (scp.exe) Supported in Reflection

SCP Switch
SCP Keyword
Description
-a
 
Transfer files in ASCII mode
-B
BatchMode=[yes, no]
Sets batch-mode on
-b
 
Maximum buffer size for one request
-c cipher,cipher
Ciphers=c1,c2
Select encryption algorithm. Multiple -c options are allowed separated by commas
-C
Compression=yes
Passes compression flag to ssh to enable compression
-d
 
Force target to be a directory
-D level
 
Set debug level (Version 7.1 or higher)
-F file
 
Read an alternative configuration file
-h
 
Display usage help
-H scheme
Host=<scheme string>
SSH config scheme to use
-i keyfile
IdentityFile=<path>
Identity file for public key authentication (single key)
-k dir
 
Set a non-default folder for configuration file, host keys and user keys
-o "option"
 
Process the option as if it was read from a configuration file (Version 7.0 or higher)
--overwrite[=no]
 
Whether to overwrite existing destination files. Default is yes (Version 7.0 or higher)
-p
 
Preserve file timestamps and attributes
-P port
Port=<#>
Connect to this port
-q
 
Do not show progress indicator
-Q
 
Do not show progress indicator (Version 7.0 or higher)
-r
 
Recurse subdirectories
-S program
 
Name of program to use for encrypted connection – program must understand ssh options (Version 6.1 only)
-u
 
Remove source file after copying
-v
 
Verbose mode; equal to -D 2
-v[vv]

LogLevel=<string>
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3
Set debug level
Additional "v"s increases the debug level.


-V
 
Display version string
-z
 
In downloads that include a wildcard, ignore the case of server filename characters. (Version 7.2 SP3 or higher)
-1
Protocol=1
Engage scp1 compatibility – must be first switch and separated from other switches
-2
Protocol=2
Use protocol 2 only
-4
AddressFamily= inet
Use Ipv4 to connect
-6
AddressFamily= inet6
Use Ipv6 to connect
-?
 
Display usage help

OpenSSH-Style SFTP Switches (sftp.exe) Supported in Reflection

There are no corresponding SFTP keywords for the switches listed.

SFTP Switch
Description
-a
Transfer files in ASCII mode
-b buffer-size
Define maximum buffer size for one request
-B batch-file
Batch mode - File from which to read commands. Connection is terminated after commands have been executed
-c cipher[,cipher]
Select encryption algorithms (comma separated list)
-C
Enable compression
-d
Force target to be a directory
-F file
Read an alternative configuration file
-H scheme
SSH config scheme to use
-i keyfile
Identity file for public key authentication
-k dir
Custom config directory where config file, host keys and user keys are located
-m MAC
Specify MAC algorithms for protocol version 2
-o "option"
Process the option as if it was read from a configuration file
-p
Preserve timestamps and file attributes
-P port
Specifies the port to connect to on the remote host; server must be on same port (Version 7.1 or higher)
-P sftp-server-path
Connect directly to the local sftp server, rather then through ssh server (Version 6.1 only)
-q
Quiet; do not display any warning messages
-Q

Do not show progress indicator
-R max-requests
Define maximum number of concurrent requests
-s sub-system
Specifies the ssh2 subsystem or path for an sftp server on the remote host. A path is useful for using sftp over ssh1 protocol or when it’s subsystem is not configured for the remote sshd
-S program
Specify where sftp can find the program to use for encrypted connection – program must understand ssh options
-u
Remove source file after copying
-v
Verbose mode; equal to -D 2
-v[vv]
Set debug level
Additional "v"s increases the debug level.

-V
Display version string
-1
Use ssh protocol 1
-2
Use protocol version2
-4
Use IPv4 only
-6
Use IPv6 only
-?
Display usage help

SSH2, SCP2, and SFTP2 Utility Switch Support

Beginning in Reflection for Secure IT Windows client version 6.1, support for legacy F-Secure switches is supported, minimizing the effort needed to convert existing configurations from F-Secure to the Reflection for Secure IT Windows Client.

Note the following:

  • The keywords below are for the F-Secure ssh2_config file and may or may not match the keywords that can be used in the Reflection config file.
  • If an F-Secure ssh2_config file is present when you install Reflection for Secure IT, the ssh2_config file will be migrated to the \My Documents\Attachmate\Reflection\.ssh\ directory and will be used by default. Ssh2, scp2, and sftp2 will look for the ssh2_config file only and will not use the Reflection config file. You can force Reflection to read from the config file in several ways:
    • Set a registry setting, "Use SSH Config Schemes"
    • Set an environment variable, – UseReflectionSchemes
    • Use the Reflection config file on a per usage basis by using the –H switch to specify a specific config scheme from the config file

The tables below list the switches and options available for each command line utility.

Legacy F-Secure SSH2 Switches (ssh2.exe) Supported in Reflection

SSH2 Switch
SSH2 Keyword
Description
-c cipher

Ciphers=c1,c2
Select encryption algorithm.
A single -c flag can have only one cipher.
Multiple Ciphers options are allowed using a comma-separated list in the configuration file.

+C
Compression=yes
Enable compression
-C
Compression=no
Disable compression
-d level [1-99]
Loglevel
Set debug level
-E prov
ExternalAuthorizationProgram=<path>
Use prov as the external key provider
-f
 
Places client in background prior to command execution (Version 7.0 or higher)
-F file
 
Read an alternative configuration file
-g
GatewayPorts=yes
Gateway ports; remote hosts may connect o locally forwarded ports
+g
GatewayPorts=no
Do not use gateway ports
-h
 
Display usage help
-H scheme
 
Use specified scheme name in the config file
-i keyfile
IdentityFile=<path>
Identity file for public key authentication
-k dir
UserConfigDirectory =<path>
Custom configuration dir where ssh2 config, hostkeys and userkeys are located
-l login_name
User=<username>
Login with this user name
-L [FTP/|TCP/]listen-port:host:port
"LocalForward= <lport:host:rport>"
Forward local port to remote address
-m MAC -m MAC
MACs= [hmac-sha1, hmac-md5]
Select MAC algorithm.
A single -m flag can have only one MAC algorithm. Multiple -m flags can be used.
Multiple MACs options are allowed using a comma-separated list in the configuration file.

-n
DontReadStdin=[yes, no]
Redirect stdin from null
-N
 
Do not request a session channel; do not execute commands (Version 7.1 or higher)
-o "option"
 
Sets any option supported in the ssh config file (Version 7.0 or higher)
-p port#
Port=<#>
Connect to this port
-q
QuietMode=[yes,no]
Quiet; do not display any warning messages
-R listen-port: host:port
"RemotelForward= <lport:host:rport>"
Forward remote port to local address
-S
 
Do not request a session channel
-t
ForcePTTYAllocation = [yes, no]
Allocate a tty even if command is given
-T
 
Do not request a tty (Version 7.1 or higher)
-v
verbosemode=[yes, no]
Verbose; display verbose debugging messages. Equal to -d 2
-V
 
Display version string
-W pwfile
 
Read user's password from file (Version 7.0 or higher)
+x
ForwardX11= [yes, no]
Enable X11 connection forwarding UNTRUSTED
-x
 
Disable X11 connection forwarding
+X
 
Enable X11 connection forwarding TRUSTED

Legacy F-Secure SCP2 Switches (scp2.exe) Supported in Reflection

SCP2 Switch
SCP2 keyword
Description
-a
 
Transfer files in ASCII mode
-b buffer-size
 
Define maximum buffer size for one request
-B
BatchMode=[yes, no]
Sets batch-mode status
-c cipher[,cipher]
Ciphers=c1,c2
Select encryption algorithm. Comma separated list
-C
 
Enable compression (Version 6.1 - 7.0 only)
Disable compression (Version 7.1 only)

+C
 
Enable compression (7.1 or higher)
-d
 
Force target to be a directory
-D level [1-99]
 
Set debug level
-F file
 
Read an alternative config file (Version 6.1 only)
-h
 
Display usage help
-H scheme
 
Use specified scheme name in the config file
-i keyfile
 
Identity file for public key authentication
-k dir
UserConfigDirectory =<path>
Custom configuration dir where ssh2_config, hostkeys and userkeys are located
-N max-requests
 
Define maximum number of concurrent requests (Version 6.1 only)
-m fileperm [:dirperm]
 
Set the default file/dir permission bits for upload (Version 6.1 only)
-o "option"
 
Process the option as if it was read from a configuration file
--overwrite[=no]
 
Whether to overwrite existing destination file. Default is yes
-p
 
Preserve file timestamps and attributes
-P port
Port=<#>
Connect to this port on remote host
-q
 
Make scp quiet (only fatal errors are displayed)
-Q
 
Do not show progress indicator
-r
 
Recurse subdirectories
-u
 
Remove source files after copying
-v
 
Verbose mode; equal to '-D 2'
-V
 
Display version string
-z
 
In downloads that include a wildcard, ignore the case of server filename characters. (Version 7.2 SP3 or higher)
-1
 
Use protocol version1 only
-2
 
Use protocol version2 only
-4
 
Use IPv4 only
-6
 
Use IPv6 only
-?
 
Display usage help

Legacy F-Secure SFTP2 Switches (sftp2.exe) Supported in Reflection

SFTP2 Switch
SFTP2 Keyword
Description
-a
 
Transfer files in ASCII mode
-b buffer-size
 
Define maximum buffer size for one request
-B batch-file
BatchMode=<yes/no>
Batch mode; specify file from which to read commands. Connection is terminated after commands execute
-c cipher [-c cipher]
Ciphers=c1,c2
Select encryption algorithm. Multiple -c options are allowed and a single -c flag can have only one cipher
+C
 
Enable Compression (7.0 or higher)
-C
 
Disable Compression
-d
 
Force target to be a directory
-D level [1-99]

 
Set debug level
-F file
 
Read an alternative config file
-h
 
Display usage help
-i keyfile
 
Identity file for public key authentication
-k dir
 
Custom configuration dir where ssh2_config, host keys and user keys are located
-m MAC [-m MAC]
 
Select MAC algorithm. Multiple -m options are allowed. A single -m flag can only have one MAC
-N max-requests
 
Define maximum number of concurrent requests
-o 'option'
 
Process the option as if it was read from a configuration file
-P port
Port=<port#>
Connect to this port on the remote host
-q
 
Quiet; do not display any warning messages
-Q
 
Do not show progress indicator
-S program
 
Program to use for encrypted connections
-u
 
Remove source files after copying
-V
 
Display version string
-v
 
Verbose mode; equal to -D 2
-?
 
Display usage help

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 1893.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.