The scp command uploads files to a remote Secure Copy Protocol (SCP) server or downloads files from a remote SCP server.
# On an IPv4 network, copy files between the local device and a remote SCP server.
scp [ -port port-number | { public-net | vpn-instance vpn-instance-name } | { -a source-ip-address | -i interface-type interface-number } | -r | identity-key { rsa | dsa | ecc } | user-identity-key { rsa | dsa | ecc } | -cipher -cipher | -c ] * source-filename destination-filename
# On an IPv6 network, copy files between the local device and a remote SCP server.
scp ipv6 [ -port port-number | { public-net | vpn-instance vpn-instance-name } | -a source-ip-address | -r | identity-key { rsa | dsa | ecc } | user-identity-key { rsa | dsa | ecc } | -cipher -cipher | -c ] * source-filename destination-filename [ -oi interface-type interface-number ]
| Parameter | Description | Value |
|---|---|---|
| -port port-number | Specifies the port number of the remote SCP server. | The value ranges from 1 to 65535. |
| public-net | Connects the SCP client to the SCP server on the public network. | - |
| vpn-instance vpn-instance-name | Specifies the name of the VPN instance to which the remote SCP server belongs. | The value is a string of 1 to 31 characters. |
| identity-key | Specifies the public key algorithm for the server authentication. | The public key algorithm includes dsa, rsa and ecc. NOTE: To improve security, it is not recommended that you use RSA or DSA as the authentication algorithm. |
| user-identity-key | Specifies the public key algorithm for the client authentication. | The public key algorithm includes dsa, rsa and ecc. NOTE: To improve security, it is not recommended that you use RSA or DSA as the authentication algorithm. |
| dsa | Specifies the Digital Signature Algorithm (DSA) public key algorithm for the server authentication. | - |
| rsa | Specifies the Rivest-Shamir-Adleman Algorithm (RSA) public key algorithm for the server authentication. | - |
| ecc | Specifies the Elliptic Curve Cryptography (ECC) public key algorithm for the authentication. | - |
| -a source-ip-address | Specifies the source IPv4 or IPv6 address of the local FW. | - |
| -i interface-type interface-number | Configuring a loopback interface as the source interface is recommended. | - |
| -oi interface-type interface-number | Configuring an interface on the local device as the outbound interface is recommended. | - |
| -r | Uploads or downloads files in batches. | - |
| -cipher -cipher | Specifies the encryption algorithm for uploading or downloading files. | The system supports four encryption algorithms: des, 3des, aes128, and aes256, aes128_ctr, and aes256_ctr. The default encryption algorithm is aes256_ctr. |
| -c | Compresses files to be uploaded or downloaded. | - |
| source-filename | Specifies the source file to be uploaded or downloaded. | The value is a string of 1 to 256 characters. The source file to be downloaded is in the format of username@hostname:[ path ][ filename ]. |
| destination-filename | Specifies the destination file to be uploaded or downloaded. | The value is a string of 1 to 256 characters. The destination file to be uploaded is in the format of username@hostname:[ path ][ filename ]. |
Usage Scenario
SCP is a secure file transfer method and is based on SSH2.0. Unlike SFTP, SCP allows file uploading or downloading without user authentication and public key assignment, and also supports file uploading or downloading in batches.
If a VPN instance name is specified, the SCP client logs in to the SCP server in the specified VPN instance.
To enhance security, a loopback address specified by -a is recommended as the source IP address and a loopback interface specified by -i is recommended as the outbound interface.
If -r is specified, you can use the asterisk (*) as a wildcard to upload or download files in batches. For example, *.txt or huawei.*.
The system supports four encryption algorithms: des, 3des, aes128, and aes256. When higher security is required, aes256 is recommended.
If -c is specified, files are compressed before being transferred. File compression may take a long time and affect the file transfer rate. Therefore, it is not recommended.
If hostname is an IPv6 address, the IPv6 address must be enclosed in square brackets ([]). For example, zhangsan@[1000::1]:.
If the destination file has the same name as an existing directory, the source file is copied to the specified directory. The name of the newly generated file is the same as the source file name. If the destination file has the same name as an existing file, the system will prompt you to replace the existing file.
Prerequisites
Before running the scp command, ensure that SCP services have been enabled using the scp server enable command in the system view.
Procedure
If the name of a source file to be uploaded or downloaded is longer than 30 bits, at most 30 bits of the file name are displayed in the window that shows the file transfer progress during command execution.
Precautions
If an SCP user on the client authenticates the server using an RSA or a DSA public key, the SCP user is prompted to select the key pair for authentication.
The file system has a restriction on the number of files in the root directory. Therefore, if more than 50 files exist in the root directory, creating new files in this directory may fail.
# Use 3des to encrypt the file license.txt, and then use port 1026 to upload the file to the working directory on the remote SCP server with the IP address of 10.10.10.1. The SCP client and SCP server belong to the same VPN instance mtv.
<sysname> system-view
[sysname] scp server enable
[sysname] scp -port 1026 vpn-instance mtv -a 1.1.1.1 -cipher 3des license.txt zhangsan@10.10.10.1:
Trying 10.10.10.1 ...
Press CTRL+K to abort
Connected to 10.10.10.1 ...
Enter password:
license.txt 100% 38529827Bytes 165KByte(s)/sec
# Configure users to remotely log in to the SCP server in DSA authentication mode.
<sysname> system-view
[sysname] scp identity-key dsa flash:/xxxx.txt root@10.20.20.1:flash:/xxxx.txt
Trying 10.20.20.1 ...
Press CTRL+K to abort
Connected to 10.20.20.1 ...
The server's public key does not match the one catched before.
The server is not authenticated. Continue to access it? [Y/N]:y
Update the server's public key now? [Y/N]: y
Enter password:
flash:/xxxx.txt 100% 12Bytes 1KByte(s)/sec
# Upload the file log.log to the working directory on the remote SCP server with the IPv6 address of 2003::1:1:1:34.
<sysname> system-view
[sysname] scp ipv6 log.log root@[2003::1:1:1:34]:
Trying 2003::1:1:1:34 ...
Press CTRL+K to abort
Connected to 2003::1:1:1:34 ...
Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:
Enter password:
log.log 100% 6429750Bytes 242KByte(s)/sec
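The following Python linter is an added example, not part of the original command reference or any vendor tool: it parses a saved scp command line using the syntax on this page and reports settings the page advises against (RSA or DSA keys, des or 3des, -c, no source address or interface), along with the port range, VPN instance name length and IPv6 bracket rules. The function name audit_scp and the finding strings are assumptions, and interface arguments are assumed to be written as two tokens as in the syntax lines.

```python
import re

# Option keyword -> number of arguments, taken from the syntax lines on this page.
ARGS = {"-port": 1, "vpn-instance": 1, "identity-key": 1, "user-identity-key": 1,
        "-cipher": 1, "-a": 1, "-i": 2, "-oi": 2, "-c": 0, "-r": 0, "public-net": 0}
WEAK_CIPHERS = {"des", "3des"}      # page recommends aes256 when higher security is required
DISCOURAGED_KEYS = {"rsa", "dsa"}   # page NOTE advises against RSA and DSA
REMOTE = re.compile(r"^[^@\s]+@(?P<host>\[[^\]]+\]|[^:\s]+):.*$")

def audit_scp(command):
    """Return findings for one scp command line, based only on this page's guidance."""
    tokens = command.split()
    if not tokens or tokens[0] != "scp":
        return ["not an scp command"]
    ipv6 = tokens[1:2] == ["ipv6"]
    tokens = tokens[2:] if ipv6 else tokens[1:]
    opts, files, i = {}, [], 0
    while i < len(tokens):
        n = ARGS.get(tokens[i])
        if n is None:                   # not an option keyword, so treat it as a file name
            files.append(tokens[i])
            i += 1
        else:
            opts[tokens[i]] = tokens[i + 1:i + 1 + n]
            i += 1 + n
    first = lambda key: (opts.get(key) or [""])[0]
    findings = []
    if "-port" in opts and not (first("-port").isdecimal() and 1 <= int(first("-port")) <= 65535):
        findings.append("-port: value must be 1 to 65535")
    if "vpn-instance" in opts and not 1 <= len(first("vpn-instance")) <= 31:
        findings.append("vpn-instance: name must be 1 to 31 characters")
    for key in ("identity-key", "user-identity-key"):
        if first(key) in DISCOURAGED_KEYS:
            findings.append(f"{key} {first(key)}: RSA and DSA are not recommended")
    if first("-cipher") in WEAK_CIPHERS:
        findings.append(f"-cipher {first('-cipher')}: aes256 is recommended")
    if "-c" in opts:
        findings.append("-c: compression is not recommended")
    if "-a" not in opts and "-i" not in opts:
        findings.append("no -a or -i: a loopback source is recommended")
    if len(files) != 2:
        findings.append("expected one source-filename and one destination-filename")
    for name in files:
        m = REMOTE.match(name) if "@" in name else None
        if "@" in name and not m:
            findings.append(f"{name}: expected username@hostname:[path][filename]")
        elif m and ipv6 and not m["host"].startswith("["):
            findings.append(f"{name}: IPv6 hostname must be in square brackets")
    return findings
```

Run over the three example commands on this page, it flags the 3des cipher in the first, the DSA key and missing source address in the second, and the missing source address in the third.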