Wednesday, February 29, 2012

How To Securely Destroy/Wipe Data On Hard Drives With shred


Sometimes you need to destroy or wipe data from hard drives (for example, before you sell your old hard drives on eBay) so that nobody else can access them. Simply deleting data (e.g. with rm) is not enough because that just removes the file system pointer, but not the data, so it can easily be undeleted with recovery software. Even zero'ing out your hard drive might not be enough. Here's where shred comes into play - shred can overwrite the files and partitions repeatedly, in order to make it harder for even very expensive hardware probing to recover the data.
I do not issue any guarantee that this will work for you!

1 Preliminary Note

shred can be used to wipe files and also partitions and hard drives. If you take a look at shred's man page...
man shred
... you might notice the following:
CAUTION: Note that shred relies on a very important assumption: that the file system overwrites data in place. This is the traditional way to do things, but many modern file system designs do not satisfy this assumption. The following are examples of file systems on which shred is not effective, or is not guaranteed to be effective in all file system modes:
* log-structured or journaled file systems, such as those supplied with AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.)
* file systems that write redundant data and carry on even if some writes fail, such as RAID-based file systems
* file systems that make snapshots, such as Network Appliance's NFS server
* file systems that cache in temporary locations, such as NFS version 3 clients
* compressed file systems
In the case of ext3 file systems, the above disclaimer applies (and shred is thus of limited effectiveness) only in data=journal mode, which journals file data in addition to just metadata. In both the data=ordered (default) and data=writeback modes, shred works as usual. Ext3 journaling modes can be changed by adding the data=something option to the mount options for a particular file system in the /etc/fstab file, as documented in the mount man page (man mount).
This is something you need to worry about only if you use shred to wipe files. However, as I want to wipe hard drives, I will use shred for whole partitions or hard drives in this tutorial.

2 Using shred

If you want to wipe your system partition, you must boot into a live system (such as Knoppix, the Ubuntu Live-CD, your hoster's rescue system, etc.). This is not needed if you don't want to wipe your system partition.
shred should already be installed (you can check with
which shred
); if it isn't you can install it as follows (Debian/Ubuntu/Knoppix):
apt-get install coreutils
As I said before, I want to use shred on partitions and hard drives. So, for example, to wipe the partition /dev/sda5, you can use
shred -vfz -n 10 /dev/sda5
-v: show progress
-f: change permissions to allow writing if necessary
-z: add a final overwrite with zeros to hide shredding
-n: overwrite N times instead of the default (3)
So this would overwrite /dev/sda5 ten times.
You can also use shred for RAID partitions, e.g.
shred -vfz -n 10 /dev/md1
And to wipe a full hard drive like /dev/sda, you can use
shred -vfz -n 10 /dev/sda
Please note that shred can take a long time, depending on the size of your partitions/hard drives and the number of runs (-n).

Scaling Puppet With Apache And mod_passenger

As you keep on adding more and more machines to Puppet, it tends to get slower. A major reason for this is that Puppet uses Webrick by default which it ships with. While webrick is good for testing and small scale deployments, it performs poorly as the number of machines increases. So a good alternative is to use Apache or Nginx in combination with mod_passenger or Unicorn. I'll show you how to use Apache + mod_passenger in a very concise way. I think using other combinations should be equally easy.
Install httpd and mod_passenger into your puppetmaster box. Use Phusion Passenger RPM Repository for mod_passenger if it is not available for your distribution. 
# yum install mod_passenger httpd
Now you got to configure passenger. Include the passenger module in apache config and set various params. To keep the configs clean, I recommend creating a separate file and putting passenger related things there. My passenger config looks like this.
Finally let us create a virtual host for the puppet master. Remember that not only apache has to serve catalogs but it also has to take care of SSL as well. So you need to point apache to the certs and the CA created by the puppet master. You might need to install mod_ssl for turning on the SSLEngine. You can check out my apache virtual host config here. RequestHeader(s) are used to set the certificate verification result as environment variable. 
You can tweak around a bit, specially with passenger config to suit your infra needs. If at all anything is not clear please ask me in comments.

Using PHP5-FPM With Apache2 On CentOS 6.2


 This tutorial shows how you can install an Apache2 webserver on a CentOS 6.2 server with PHP5 (through PHP-FPM) and MySQL support. PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites.
I do not issue any guarantee that this will work for you!

1 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100. These settings might differ for you, so you have to replace them where appropriate.

2 Enabling Additional Repositories

We need to install mod_fastcgi later on which is available in the RPMforge repositories. RPMforge can be enabled as follows:
rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
cd /tmp
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm -ivh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
php-fpm is not available from the official CentOS repositories, but from the Remi RPM repository which itself depends on the EPEL repository; we can enable both repositories as follows:
rpm --import https://fedoraproject.org/static/0608B895.txt
rpm -ivh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm
rpm --import http://rpms.famillecollet.com/RPM-GPG-KEY-remi
rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
yum install yum-priorities
Edit /etc/yum.repos.d/epel.repo...
vi /etc/yum.repos.d/epel.repo
... and add the line priority=10 to the [epel] section:
[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1
priority=10
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
[...]
Then do the same for the [remi] section in /etc/yum.repos.d/remi.repo, plus change enabled to 1:
vi /etc/yum.repos.d/remi.repo
[remi]
name=Les RPM de remi pour Enterprise Linux $releasever - $basearch
#baseurl=http://rpms.famillecollet.com/enterprise/$releasever/remi/$basearch/
mirrorlist=http://rpms.famillecollet.com/enterprise/$releasever/remi/mirror
enabled=1
priority=10
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi
failovermethod=priority

[remi-test]
name=Les RPM de remi en test pour Enterprise Linux $releasever - $basearch
#baseurl=http://rpms.famillecollet.com/enterprise/$releasever/test/$basearch/
mirrorlist=http://rpms.famillecollet.com/enterprise/$releasever/test/mirror
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi

3 Installing MySQL 5

To install MySQL, we do this:
yum install mysql mysql-server
Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:
chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
Set passwords for the MySQL root account:
mysql_secure_installation
[root@server1 ~]# mysql_secure_installation




NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!


In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n]
 <-- ENTER
New password: <-- yourrootsqlpassword
Re-enter new password: <-- yourrootsqlpassword
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n]
 <-- ENTER
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n]
 <-- ENTER
 ... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n]
 <-- ENTER
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n]
 <-- ENTER
 ... Success!

Cleaning up...



All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!


[root@server1 ~]#


4 Installing Apache2

Apache2 is available as a CentOS package, therefore we can install it like this:
yum install httpd
Now configure your system to start Apache at boot time...
chkconfig --levels 235 httpd on
... and start Apache:
/etc/init.d/httpd start
Now direct your browser to http://192.168.0.100, and you should see the Apache2 placeholder page:


Apache's default document root is /var/www/html on CentOS, and the configuration file is /etc/httpd/conf/httpd.conf. Additional configurations are stored in the /etc/httpd/conf.d/ directory.

5 Installing PHP5

We can make PHP5 work in Apache2 through PHP-FPM and Apache's mod_fastcgi module which we install as follows:
yum install mod_fastcgi php-fpm
Then open /etc/php.ini:
vi /etc/php.ini
In order to avoid errors like
[08-Aug-2011 18:07:08] PHP Warning: phpinfo(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Berlin' for 'CEST/2.0/DST' instead in /usr/share/nginx/html/info.php on line 2
... in /var/log/php-fpm/www-error.log when you call a PHP script in your browser, you should set date.timezone in /etc/php.ini:
[...]
[Date]
; Defines the default timezone used by the date functions
; http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone
date.timezone = "Europe/Berlin"
[...]
You can find out the correct timezone for your system by running:
cat /etc/sysconfig/clock
[root@server1 nginx]# cat /etc/sysconfig/clock
ZONE="Europe/Berlin"
[root@server1 nginx]#
Next create the system startup links for php-fpm and start it:
chkconfig --levels 235 php-fpm on
/etc/init.d/php-fpm start
PHP-FPM is a daemon process (with the init script /etc/init.d/php-fpm) that runs a FastCGI server on port 9000.
Next restart Apache:
/etc/init.d/httpd restart

6 Configuring Apache

 
To make Apache work with PHP-FPM, we need the following configuration:

                DirectoryIndex index.html index.shtml index.cgi index.php
                AddHandler php5-fcgi .php
                Action php5-fcgi /php5-fcgi
                Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
                FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -host 127.0.0.1:9000 -pass-header Authorization
        
(To learn more about the FastCgiExternalServer directive, take a look at http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html#FastCgiExternalServer.)
You can put it in the global Apache configuration (so it's enabled for all vhosts), for example in /etc/httpd/conf.d/fastcgi.conf, or you can place it in each vhost that should use PHP-FPM. I want to use PHP-FPM with all vhosts so I open /etc/httpd/conf.d/fastcgi.conf...
vi /etc/httpd/conf.d/fastcgi.conf
... and put the following section at the end:
[...]
        
                DirectoryIndex index.html index.shtml index.cgi index.php
                AddHandler php5-fcgi .php
                Action php5-fcgi /php5-fcgi
                Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
                FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -host 127.0.0.1:9000 -pass-header Authorization
        
The /usr/lib/cgi-bin/ directory must exist, so we create it as follows:
mkdir /usr/lib/cgi-bin/
Restart Apache afterwards:
/etc/init.d/httpd restart
Now create the following PHP file in the document root /var/www/html of the default Apache vhost:
vi /var/www/html/info.php
Now we call that file in a browser (e.g. http://192.168.0.100/info.php):


As you see, PHP5 is working, and it's working through FPM/FastCGI, as shown in the Server API line. If you scroll further down, you will see all modules that are already enabled in PHP5. MySQL is not listed there which means we don't have MySQL support in PHP5 yet.

7 Getting MySQL Support In PHP5

To get MySQL support in PHP, we can install the php-mysql package. It's a good idea to install some other PHP5 modules as well as you might need them for your applications. You can search for available PHP5 modules like this:
yum search php
Pick the ones you need and install them like this:
yum install php-mysql php-gd php-imap php-ldap php-mbstring php-odbc php-pear php-xml php-xmlrpc
Now reload PHP-FPM:
/etc/init.d/php-fpm reload
Now reload http://192.168.0.100/info.php in your browser and scroll down to the modules section again. You should now find lots of new modules there, including the MySQL module:



8 phpMyAdmin

phpMyAdmin is a web interface through which you can manage your MySQL databases. It's a good idea to install it:
yum install phpmyadmin
Now we configure phpMyAdmin. We change the Apache configuration so that phpMyAdmin allows connections not just from localhost (by commenting out the stanza):
vi /etc/httpd/conf.d/phpmyadmin.conf
#
#  Web application to manage MySQL
#

#
#  Order Deny,Allow
#  Deny from all
#  Allow from 127.0.0.1
#

Alias /phpmyadmin /usr/share/phpmyadmin
Alias /phpMyAdmin /usr/share/phpmyadmin
Alias /mysqladmin /usr/share/phpmyadmin
Next we change the authentication in phpMyAdmin from cookie to http:
vi /usr/share/phpmyadmin/config.inc.php
[...]
/* Authentication type */
$cfg['Servers'][$i]['auth_type'] = 'http';
[...]
Restart Apache:
/etc/init.d/httpd restart
Afterwards, you can access phpMyAdmin under http://192.168.0.100/phpmyadmin/:



9 Making PHP-FPM Use A Unix Socket

By default PHP-FPM is listening on port 9000 on 127.0.0.1. It is also possible to make PHP-FPM use a Unix socket which avoids the TCP overhead. To do this, open /etc/php-fpm.d/www.conf...
vi /etc/php-fpm.d/www.conf
... and make the listen line look as follows:
[...]
;listen = 127.0.0.1:9000
listen = /tmp/php5-fpm.sock
[...]
Then reload PHP-FPM:
/etc/init.d/php-fpm reload
Next go through your Apache configuration and all your vhosts and change the lineFastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -host 127.0.0.1:9000 -pass-header Authorization to FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /tmp/php5-fpm.sock -pass-header Authorization, e.g. like this:
vi /etc/httpd/conf.d/fastcgi.conf
[...]
        
                DirectoryIndex index.html index.shtml index.cgi index.php
                AddHandler php5-fcgi .php
                Action php5-fcgi /php5-fcgi
                Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
                FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /tmp/php5-fpm.sock -pass-header Authorization
        
Finally reload Apache:
/etc/init.d/httpd reload

10 Links


Monday, February 27, 2012

Ten Things I Wish I Knew When Becoming A Linux Admin


Ten years ago I installed Linux for the very first time. To be exact, it was Slackware 7, the best distribution at the time in my opinion. Since then I’ve come to favor Debian Linux as my favorite version…at least for my Linux servers. I like to have a solid core system installed that I can build from scratch, but this is for another time. This article is for you new Linux admins; here are the ten things I wish I knew when starting my Linux admin journey.

1.) When in doubt check your logs. EVERYTHING is logged inside of Linux. If you are dealing with a nagging problem, the first thing you always need to do is check your logs. In most systems, this is found in /var/log/. /var/log/syslog logs all the system messages and is where you will find most common error messages. I encourage you to start digging through your logs and getting familiarized with those error messages.
2.) You can use the Tail command to view the last ten lines of a file. You can use the -f flag, or tail -f /var/log/syslog to watch the most recent lines append to the log file. This is a great tool to use while watching for error messages. You can also use the Head command to view the first ten lines of a specified file.
3.) Monitor your server resources. Depending on your disk and partition size, sometimes you can run out of space or your log files can take up most of your root partition. You can monitor the size of the partitions by using the df command. Two flags to know when starting are the -h and -m flag. The -h flag puts information in human readable form such as 5g. The -m flag puts information in megabyte form and displays only in megabytes.
4.) Never Use Root To Login. The most common hacks are done by port scanners and random password generators trying to break into your system with root as the username. Basic “admin 101″ says the first thing you should do on your system is disable root login. You do this by going into /etc/ssh and edit sshd_config. Change this line PermitRootLogin yes to PermitRootLogin no. When you are finished, restart ssh /etc/init.d/ssh restart.
5.) Get to know chown and chmod if you are going to be hosting any websites. Permissions security and file ownership are very important. Having the wrong permissions can leave your code open to exploits or hacks.
6.) Use SFTP instead of FTP. SFTP encrypts passwords through the tunnel where as port 21 ftp allows password information to be sent via clear text. Hackers could listen into and grab your passwords when using port 21.
7.) ls -al – LS lists the directory contents. The -a flag tells the ls command to list all files, even those that begin with a . (dot). The -l flag tells LS to list the contents and also display the date files were modified. This command should just be the basic ls -al command when you want to list directory contents. I use it when I use ls regardless of need.
8.) Top – top command will display your highest usage processes on your system. If your processor is running high, this will help you find the process and fix the problem.
9.) Use grep to search files for a specific word/expression. Grep is extensive…very extensive. This is why it is one of the best tools to search files. For example, grep -r pinehead.tv /etc/* will recursively search the /etc/ directory and all the directors under it that have the word pinehead.tv.
10.) Redirect the results of a grep search into a new file. This is easy to do. We can take the search results from our command above and write them to a file instead of reading them in the shell. Just type grep -r pinehead.tv /etc/* > test.test.
A few things about pipes…
> Creates a new file containing standard output. If the specified file exists, it’s overwritten.
>> Appends standard output to the existing file. If the specified file doesn’t exist, it creates it.

Sunday, February 26, 2012

Avoiding Common WordPress Setup Mistakes


WordPress has become one of the most popular content management systems (CMS) available. With its host of available themes, templates, and plugins, WordPress is versatile, easy to use – and provides an easy venue for users to make some very common mistakes.
Some users put too much trust in the standard WordPress installation. All too often, these users lack an understanding of basic security, database management, or the dangers of excessive plugin usage. Here are some simple steps to take to increase the security and usability of your WordPress platform.
Often times users install WordPress via FTP without any security enabled. Worse yet, key files and folders on your server may be inadequately protected after being uploaded. To minimize possible security problems, make sure to use your .htaccess file to protect your wp-config file, which controls key aspects of your site, and set up your folder permissions to prevent anyone from viewing content best left out of the public eye.
Some experts assert that if you’re using proper folder permissions, then using .htaccess to protect individual files is unnecessary. There may be some truth to that, but tweaking .htaccess adds yet another barrier to entry. It’s especially valuable if you co-administer your site with someone who could potentially do something foolish to undermine your site’s security.
To add extra protection to your wp-config file, first download your .htaccess file from the root directory of your Apache server, then edit the file and add the following lines:
# protect wpconfig.php

order allow,deny
deny from all

Save the file, but don’t upload it yet – we’re not done enhancing it.
You can also add protection for your wp-admin area to .htaccess. The wp-admin page lets you administer pages, posts, templates, and plugins, which means it’s pretty important. As long as your ISP isn’t changing your IP address on a regular basis, allowing only your own IP address to access files in wp-admin can help you avoid attacks by script kiddies who try to break into your WordPress installation. However, you must remember to update your .htaccess data when your IP address changes.
Add the following code to your downloaded .htaccess file, then save the file:
#Protect wp-admin
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx
# whitelist work IP address
allow from yy.yyy.yyy.yyy
If you can’t count on having a static IP address for your server, an alternative to using .htaccess to protect your wp-admin area is to install a plugin called AskApache Password Protect that’s designed to protect your WordPress site from potential hacking threats, and is an effective alternative to hacking your .htaccess file yourself each time your IP address changes.
Two other helpful .htaccess hacks include disabling your server signature and disabling directory browsing. Disabling your server signature hides sensitive data such as your Apache version number and operating system information. Public access to this information could lead to a malicious user trying to exploit a flaw in your WordPress installation. Disabling directory browsing prevents easy-to-exploit files and folders from being targeted. The code for these hacks is fairly straightforward:
# disable the server signature
ServerSignature Off

# disable directory browsing
Options All -Indexes
The final piece of your security puzzle is to make sure that your .htaccess file itself is adequately protected. Once you’ve added this last bit of code to the file, you can send it back to your server:
# protect the htaccess file

order allow,deny
deny from all

Have a Backup Plan

Protecting your crucial WordPress files is a great first step, but it may not be enough. Not having a reliable database backup strategy in place for your WordPress website is actually more dangerous than a poorly configured .htaccess file. Why? Because if you have a database backup, you can recover a hacked website, but a crashed site without a database backup is in real trouble. By the way, if you do find yourself in that unenviable position, check out Warrick, an Internet cache-based recovery script that can be a recovery tool of last resort.
The best approach to protecting your WordPress data is to make sure you have an up-to-date backup of your WordPress theme, the images directory, robots file, .htaccess file, and of course your database. You can make a backup of your WordPress database in a variety of ways. The most common method is to use phpMyadmin, which allows you to not only back up but also manage your database in other ways. You can also install a WordPress plugin to make backups automatically; I recommend WP-DB-Backup. Some backup plugins will even email you a copy of the database after it’s backed up. However, I recommend storing your database backups locally on the server; you can always connect to the server later on to download them for safekeeping at another location.

Themes and Structure

Once you have a handle on keeping your WordPress website secure, the next step is to think about the best way to present the information on your site. The first thing to think about is your theme. Avoid presenting visitors with a theme that’s difficult to navigate or a layout that’s difficult to use. I recommend using a minimalist theme that offer a white background with black text and blue hyperlinks, as most people consider that combination the easiest to read and navigate. When looking for WordPress themes for your website, I recommend starting with the WordPress.org theme portal, which offers a wide assortment of themes to choose from.
Next, consider your site’s structure. Are your categories easy to find? Would you consider your categories and tags relevant to your posted content? While this kind of analysis may sound obvious, it’s commonly overlooked by WordPress newcomers. Remember to keep things relevant to both human visitors and search engines indexing the site.
One of the most common mistakes users make when it comes to site structure is poorly thought-out permalink structure. A permalink is simply a URL designation for any post or page that will be left on the WordPress website for an extend period. Out of the box, WordPress permalink structure is going to be something like ?p=some-random-id, which does nothing for readers or search engines. A better permalink structure would be one of the following: /%postname%/ or /%category%/%postname%/. You can select either of these from the administration interface at your-wordpress-site.com/wp-admin/options-permalink.php. With both examples, the reader of the WordPress site can see clearly that the URL matches the content they’re looking for. Even better, search engines will find the data holds more relevance than some random URL variable.
Countless WordPress plugins cater to those wanting to tweak their permalinks, but I don’t recommend any of them. Your best permalink structure is one that is set to only a single layout. Ignoring this policy creates the potential for broken permalinks in the future, especially with WordPress updates.

Images and Advertising

The right theme and permalink structure can make it easy for visitors to find your text, but you probably also want to display images and maybe advertising. When it comes to images on any website, remember that people don’t need to see a large number of large images. In fact, for site visitors with slow connections, tons of unneeded images can be a real problem.
I recommend using images sparingly throughout a WordPress website. A single image on a blog post can add visual appeal to the text, but adding random images without context serves no one. Ask yourself whether any image you plan to post helps with the context of the post. Most plugins designed for image uploading aren’t especially helpful, but Image Pro does offer some powerful options when managing multiple images throughout a website. Image Pro allows you to easily upload, resize, add, and alter images.
Advertising has become a significant part of running many WordPress websites. The revenue accrued through your WordPress website can help contribute to hosting costs, in addition to potentially building up a tidy part-time income. Considering the financial rewards that come from advertising, you may be tempted to display too much of a good thing, but keep advertisements down to no more than three ad blocks per page. More than three blocks might be seen as disruptive by your readers. Regardless of your advertising type, I recommend display your ads using CSS code like div style="float:left; padding-right: 5px;" within the top part of your content entry. This provides you with great placement for a box ad without hurting the reader’s experience, and enables to you display less advertising on the same page thanks to careful placement of your primary ad. If you feel the need for additional ad placement, using a heat map can help to determine the best placement.
If using a heat map for your WordPress site is something that interests you, look into a plugin called WP Super Heatmap, which keeps track of website visitor actions while providing clear visual context as to what the “hot spots” are on different areas of each page.
Running WordPress is actually really simple. Just remember that a WordPress website needs to be securely set up, regularly backed up, and, of course, pleasant to read. If you remain mindful of these guidelines, chances are good you won’t have any serious issues using WordPress on your website.

Saturday, February 25, 2012

SSH, the Secure Shell


SSH is one of the protocols of the TCP/IP protocol suite found at the application layer (Layer 7) of the Open Systems Interconnection (OSI) network model. Officially specified in RFC 4251 (and later, several other RFCs) SSH functions in a way that is similar to telnet but is far more robust and capable. SSH lets you log in to other hosts, get a shell and execute commands on them (for more details, read up on the concept of the OS shell), and transfer files between hosts. The major difference between SSH and telnet as terminal emulation protocols is that SSH utilizes encryption and strong authentication while telnet transmits data (including passwords) in clear text, making it vulnerable to packet sniffing. SSH, in contrast, provides secure, reliable authentication and communication over data channels that might not be so trustworthy (such as the public Internet). Because the SSH protocol encrypts the communications between network devices, it decreases the chance of an attacker (possibly an internal user) sniffing traffic and obtaining sensitive data such as authentication credentials.
What is commonly called ‘SSH’ is actually a collection of utilities such as ssh, scp, slogin, and sftp. SSH can be used to effectively replace telnet in a manner almost invisible to users. However, in the background SSH sessions involve authentication, key exchange, encryption, and passphrase generation and storing, making SSH a complex protocol.

SSH versions

SSH version 1 was released in 1995; however, a few years later it was determined to be unreliable. SSHv1 is vulnerable to a well known exploit that allows an attacker to insert data into the communication stream, making it vulnerable to man-in-the-middle (MITM) attacks. In short, versions of SSH prior to v2.0 are not completely cryptographically safe, so they should not be used. Therefore this article will focus only on SSHv2. Bear in mind that if you see SSH version 1.99 installed, this means that the host supports both SSH v1.5 and v2.

SSH encryption

SSH uses the public key (asymmetric) cryptographic model which means that data encryption between hosts utilizes two keys: a public key to encrypt the data, and a private key to decrypt it. The asymmetric keys are used to authenticate the SSH server and client and then to negotiate a symmetric key. This symmetric key is utilized for data encryption.
Public key encryption diagram
Simple example of public key cryptography

SSH utilizes the following encryption symmetric algorithms: AES (aka Rijndael; default if supported), 3DES, Blowfish, Twofish, Arcfour/RC4, and Cast128-cbc. For asymmetric authentication it uses Diffie-Hellman or Digital Signature Algorithm (DSA), and for hashing it uses SHA or MD5. AES, 3DES, SHA-*, and DSA are all FIPS-validated. Note that SSH does not utilize any Public Key Infrastructure (PKI) like SSL does.
Jump to:

How SSH works

Since SSH works using the client/server networking model, the SSH service (or daemon) must be running on the host functioning as the server. On Linux this daemon is usually located in /etc/init.d/ssh/, and the SSH daemon can be configured by editing the /etc/ssh/sshd_config file. SSH servers listen for incoming SSH requests on port 22, so naturally this port will need to be open on any firewall that sits in front of the SSH server. Note: you can actually change the port that SSH daemon listens on by editing the ‘port’ parameter in the SSH configuration file and restarting the SSH daemon with the command /etc/init.d/ssh restart. You can change it to an arbitrary high port number (such as 25250) but you will need to specify this port when you log in. Your login command would then be:
$ ssh -p 25250 user@ssh_server
The most popular SSH server program is OpenSSH.
To compliment the SSH server, you will need an SSH client application installed on your computer. Most Linux distributions come with an SSH client (such as the OpenSSH client, openssh-clients). For Windows there are many available but some of the more popular ones are PuTTY, Tera Term, Cygwin and WinSCP.
SSH diagram
Encryption and authentication with SSH


How to use SSH

The ssh and slogin commands are intended to replace rlogin, rsh, and telnet. The scp and sftp commands are intended to replace rcp and FTP (note that there is such a thing as FTP Over SSH which is not the same as SFTP, aka SSH over FTP). Luckily for FTP users, SFTP uses nearly the same commands (ls, get, put, etc.) as FTP.
When you attempt to log in to a remote host the first time via SSH, you will see a message like this:
$ ssh ssh_server.domain.com
The authenticity of host 'ssh_server.domain.com' can't be established.
DSA key fingerprint is 85:68:4b:3a:bc:f3:7c:9b:01:5d:b8:03:38:e2:14:9c.
Are you sure you want to continue connecting (yes/no)?

When you continue, the server ssh_server.domain.com will be added to your list of known hosts located in
/home/you/.ssh/known_hosts. You will then get prompted to enter valid credentials.
Should you decide that you want to use key-based authentication, you will need to generate a public key on your SSH client. When the public key is present on the server side and the matching private key is present on the client side, authentication is achieved and typing in the password is no longer required (if desired). However, for additional security the private key itself can be locked with a passphrase. On the client issue the command ssh-keygen –t dsa and when prompted, enter a long passphrase (such as a sentence that you can easily remember but is difficult for others to guess). Your public key will then be saved in encrypted format as /home/you/.ssh/id_dsa.pub and your private key will go in /home/you/.ssh/id_dsa . Now, copy the public key to the SSH server you want to connect to with the command:
$ scp ~/.ssh/id_dsa.pub username@ssh_server.domain.com: .ssh/authorized_keys
Alternatively you could add the contents of id_dsa.pub to the end of authorized keys on the remote SSH server with the command:
$ cat .ssh/id_dsa.pub | ssh [host] ‘cat >> ~/.ssh/authorized_keys’
If the public key is still on your local host then the command would be:
$ cat ~/.ssh/id_dsa.pub | ssh ssh_server.domain.com ‘cat – >> ~/.ssh/authorized_keys’
Key-based encryption is an effective means at stopping brute force password attacks because unless the potential intruder has possession of your public key, he’s not going to get in.
After you log in to the SSH server, you’re probably going to want to transfer files to or from it. That’s where the scp commands comes in to play. Let’s say you have the file linux-3.3-rc3.tar.bz2 in the directory /home/you/software/ on your local computer, and you want to copy it to /home/you/linux-kernel/ on the remote SSH server. Just enter the command:
$ scp ~/software/linux-3.3-rc3.tar.bz2 ~/software/linux-kernel/:
As a security precaution, you might want to prevent root logins using SSH. This step can help mitigate the damage done if the root password is compromised. To access the server remotely as root, you would need to log in as a non-root user and then switch to root with the su – command. To disable direct root logins via SSH, you need to find the PermitRootLogin parameter in the SSH configuration file and set it to PermitRootLogin no.
To disable SSHv1 on the SSH server, you can once again edit /etc/ssh/sshd_config and change the line that says ‘protocol 2,1’ to ‘protocol 2’.
If you wish to configure a Cisco device running IOS to only accept SSH connections for remote administration, here are the steps to do so.
Router(config)# ip ssh time-out 60
Router(config)# ip ssh authentication-retries 3
Router(config)# ip ssh version 2
Router(config)# access-list 101 remark Permit SSH access
Router(config)# access-list 101 permit tcp host 10.2.7.2 any eq 22 log
Router(config)# access-list 101 permit tcp host 10.2.7.3 any eq 22 log
Router(config)# access-list 101 deny ip any any log
Router(config)# line vty 0 4
Router(config-line)# access-class 101 in
Router(config-line)# transport input ssh
Router(config-line)# exec-timeout 9 0



How to tunnel HTTP through SSH

SSH offers the ability to tunnel plain text protocols (such as HTTP for Web browsing) over an encrypted channel. What if you are on a computer at a remote location (work/library/hotel/etc) where Web browsing is curtailed and/or monitored, and there are some websites that you need to access that are blocked? With the help of your home PC you might be able to set up a more agreeable situation at the remote site.
SSH port forwarding diagram
SSH port forwarding to port 6667. This can be done with ports 80 and 443 as well.
1. Install and run the OpenSSH server on your Linux home computer. Configure the SSH daemon to run on a non-standard port such as 9009 or even 443 (this can be a critical step because the firewall at your remote location might block port 22 outbound). Then configure your home router or firewall to permit inbound traffic on the port number you chose. Need help with this? Visit PortForward.com.
If your home computer is Windows based, you can install the Windows version of OpenSSH. Then you need to run these three commands in succession in a command prompt:
cd C:\Program Files\OpenSSH\bin
mkgroup -l > ..\etc\group
mkpasswd -l > ..\etc\passwd

2. At the remote location, enter this command on your Linux host:
$ ssh –p 9009 –N –g –D 8080 your_user_name@your_home_IP_address
If your PC at the remote location is Windows based, you’ll need to download PuTTY. Then view the ‘PuTTy for Windows XP’ section on this page for detailed instructions.
3. Open Firefox on the remote host (whether Linux or Windows) and configure it to use a SOCKSv5 proxy on localhost:8080. Go to Tools->Options-> Advanced->Network->Settings. Enter your home IP address and the port you chose in the ‘SOCKS Host’ line and make sure the SOCKSv5 radio button is selected.
4. Finally, enter about:config in the Firefox address bar and hit Enter. Find network.proxy.socks_remote_dns and change it to true (double-click on the line). This is to ensure that Firefox will resolve DNS queries over the proxy link and not with the default DNS settings of the remote location.
5. On the remote host, use Firefox to go to an IP address checking website such as ICanHazIP.com. You should see the IP address of your home computer (the one running OpenSSH in step 1).
6. If you get stuck, there are several links in the Further reference section that will probably straighten you out.


Forwarding graphical (X11) applications

If what you want is to ‘remote desktop’ into a host, SSH makes it possible to open and use graphical (X11) applications remotely. For example, you connect to the remote SSH server, enter the command ‘notepad.exe’ or ‘gedit’ and the text editor opens for you to work with not on your local computer but on the SSH server. What you need to do is find X11Forwarding in sshd_config on the server and set it to yes. On the client side, ssh_config has to show ForwardAgent, ForwardX11, and ForwardX11Trusted as yes. Then you need issue a command using the -X switch, such as ssh -X user@server.company.com. Next you can issue the command startx to load the desktop environment.


Further reference

The SSH protocol, its functionality, and its many uses are a deep subject. As this article shows, there are many ways SSH can be utilized and configured. Below you will find a collection of informative SSH articles that can play a role in furthering and improving your use of the protocol.
GNUwhatimsaying.com, How to test an SSH connection.
GNUwhatimsaying.com, How to keep your SSH sessions alive.
Linux-Tipps, Access the Kindle 3 with SSH via WiFi.
SANS.org, A discussion of SSH Secure Shell (PDF).
SANS.org, Security implications of SSH (PDF).
Doug Vitale Tech Blog, Use an SSH terminal in Firefox.
Pastebin.org, Log of credentials used during attempted unauthorized SSH logins.
SDF.org, Practice SSH with an online SSH shell.
Sshmenu.org, SSHMenu: a graphical interface for SSH.
UWaterloo.ca, How to run an SSH server on Windows Server 2003.
SSH tunneling
IBM.com, SSH back doors.
Linuxers.org, Reverse SSH tunneling, bypassing firewalls and NAT.
Makeuseof.com, How to tunnel traffic with SSH.
Souptonuts.sourceforge.net, Breaking firewalls with OpenSSH and PuTTY.
TOIC.org, Bypass firewalls with reverse SSH port forwarding.
TOIC.org, SSH port forwarding.
Vdomck.org, Reversing an SSH connection.
Symantec.com, SSH port forwarding.


SSH command examples

The standard command syntax for ssh is:
$ssh [user@]hostname [command]
The standard command syntax for scp is:
$ scp SourceFileName user@remote-host:directory/TargetFileName
$ scp user@remote-host:directory/SourceFileName TargetFileName

The standard command syntax for sftp is:
$ sftp [user@]host[:file ...]
$ sftp [user@]host[:dir[/]]

$ scp notes.txt user@ssh_server:~/
Copies the local file notes.txt to the remote SSH server and puts it in your home folder there.
$ scp user@ssh_server:~/notes.txt .
Copies notes.txt from your home folder on the remote SSH server and puts it in your current location on the local computer (which is indicated by the final period).
$ scp /home/user/documents/info.doc username@ssh_server.domain.com:
Copies the file info.doc to your home folder on the remote SSH server.
$ scp username@ssh_server.domain.com:info.doc info.doc
Copies info.doc back to your local computer.
$ scp /home/doug/index.html doug@ssh_server.com: /var/www/htdocs/
Copies index.html from the local host to the SSH server.
$ scp info.doc username@ssh_server.domain.com reports/updated-info.doc
Copies info.doc from your local computer to the reports directory in your home folder on the SSH server and renames the file to updated-info.doc.
$ scp -r sales username@ssh_server.domain.com:
Recursively copies the folder ‘sales’ to your home directory on the SSH server.
$ ssh –p 6179 ssh_server.domain.com
Initiates an SSH session with ssh_server on the nonstandard port of 6179.
$ ssh-keygen -t dsa
Generates your public key.
$ ssh -X user@ssh_server ‘gedit’
Connects to ssh_server and executes the gedit text editor.
$ ssh username@ssh_server.domain.com
Connects to network host ssh_server using the credentials provided.
# ssh root@ssh_server.domain.com ‘df -h’
Connects to network host ssh_server as root and then shows file system info in human-readable format using the df -h command. Root logins via SSH will most likely have to first be enabled in the SSH daemon configuration file.
# ssh root@ssh_server@domain.com ‘ps -ef | grep apache | grep -v grep | wc -l’ (or pgrep -c apache instead of grep apache | grep -v grep)
Connects to the SSH server as root and then pipes the process table to grep apache. Useful for counting the number of Apache processes running on the server.
# ssh root@ssh_server.domain.com ‘top -b -n 1 | head -n 8′
Displays the server’s vital statistics and the processes utilizing the most CPU resources.
# ssh root@ssh_server.domain.com ‘who’
Displays who else is logged in to the SSH server.
$ ssh -l username -L 7979:target1:22 ssh_gateway
Opens an SSH connection to host ssh_gateway and redirects all connections to port 7979 on the local host to port 22 on host target11.
$ ssh –f –L 1110:localhost:110 user@pop3mailserver.com
Establishes a secure tunnel with the POP3 email server to retrieve mail from localhost:1110 instead of pop3mailserver.com:110. This command can work for SMTP (port 25) as well.
$ ssh -X -C user@ssh_server /path/application
Establishes a compressed connection to the remote host and forwards the application’s X-window content to the local host.


All SSH, SCP, and SFTP command options

Sourced from the OpenSSH.org manual pages.

SSH command options

Description

ssh -1 Forces SSH to try protocol version 1 only.
ssh -2 Forces SSH to try protocol version 2 only.
ssh -4 Forces SSH to use IPv4 addresses only.
ssh -6 Forces SSH to use IPv6 addresses only.
ssh -a Disables forwarding of the authentication agent connection.
ssh -A Enables forwarding of the authentication agent connection.
ssh -b [bind_address] Uses the address specified as the source address of the SSH connection. Obviously this is only useful on multihomed hosts with more than one IP address.
ssh -c [cipher] Sets the cipher specification for session encryption. For SSHv2, [cipher] is a comma-separated list of ciphers listed in order of preference. The default list is: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour.
ssh -C Requests compression of all data.
ssh -D [bind_address:port] Specifies a local ‘dynamic’ application-level port forwarding. This works by allocating a socket to listen to specified port on the local side, optionally bound to the [bind_address]. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.
ssh -e [escape_char] Sets the escape character for sessions with a pty (default: `~’).
ssh -f Requests SSH to go to the background just before command execution.
ssh -F [config_file] Specifies an alternative per-user configuration file. If a configuration file is given on the command line, the system-wide configuration file (/etc/ssh/ssh_config) will be ignored. The default for the per-user configuration file is ~/.ssh/config.
ssh -g Allows remote hosts to connect to local forwarded ports.
ssh -i [identity_file] Selects a file from which the identity (private key) for public key authentication is read. The default is ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for SSHv2.
ssh -I [pkcs11] Specifies the PKCS#11 shared library that SSH should use to communicate with a PKCS#11 token providing the user’s private RSA key.
ssh -k Disables forwarding (delegation) of GSSAPI credentials to the server.
ssh -K Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI credentials to the server.
ssh -l [login_name] Specifies the user to log in as on the remote machine. This also may be specified on a per-host basis in the configuration file.
ssh -L [bind_address:port:remote_host:remote_port] Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified [bind_address].
ssh -m [MAC_list] Specifies a comma-separated list of MAC (message authentication code) algorithms for data integrity protection. Multiple algorithms. The default is: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96.
ssh -M Places the SSH client into ‘master’ mode for connection sharing. When enabled, SSH will listen for connections on a control socket specified using the ControlPath argument in ssh_config. Additional sessions can connect to this socket using the same ControlPath with ControlMaster set to ‘no’ (the default).
ssh -n Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when SSH is run in the background. A common trick is to use this to run X11 programs on a remote machine. For example, ssh -n shadows.cs.hut.fi emacs & will start an emacs on shadows.cs.hut.fi, and the X11 connection will be automatically forwarded over an encrypted channel. The SSH program will be put in the background. This does not work if SSH needs to ask for a password or passphrase; see also the -f option.)
ssh -N Does not execute a remote command; useful for just forwarding ports (SSHv2 only).
ssh -o [option] Used to give options in the format used in ssh_config. Valid options for ssh -o are:
AddressFamily
Specifies which address family to use when connecting. Valid family arguments are ‘any’, ‘inet’ (IPv4), and ‘inet6′ (IPv6).
BatchMode [yes | no]
If set to ‘yes’, passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no user is present to supply the password. The argument must be ‘yes’ or ‘no’ (default).
BindAddress [IP_address]
Uses the specified address on the local machine as the source address of the SSH connection. This option does not work if UsePrivilegedPort is set to ‘yes’.
ChallengeResponseAuthentication [yes | no]
Specifies whether to use challenge-response authentication. The argument must be ‘yes’ or ‘no’ (default).
CheckHostIP
If this flag is set to ‘yes’ (default), SSH will additionally check the host IP address in the known_hosts file which allows SSH to detect if a host key changed due to DNS spoofing. If set to ‘no’, the check will not be executed.
Cipher
Specifies the cipher to use for encrypting the session SSHv1 only.
Ciphers
Specifies the ciphers allowed for SSHv2 in order of preference. Multiple ciphers must be comma-separated. The
supported ciphers are: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, blowfish-cbc, and cast128-cbc. The default is: aes128-ctr,aes192-ctr,aes256ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour.
ClearAllForwardings
Specifies that all local, remote, and dynamic port forwardings specified in the configuration files or on the command line be cleared. This option is automatically set by scp and SFTP. The argument must be ‘yes’ or ‘no’ (default).
Compression
Enables or disables compression. The argument must be ‘yes’ or ‘no’ (default).
CompressionLevel
For SSHv1 only. Specifies the compression level to use if compression is enabled.
ConnectionAttempts
Specifies the number of connection tries (one per second) to make before exiting (default is 1). The argument must be an integer.
ConnectTimeout
Specifies the timeout (in seconds) used when connecting to the SSH server, instead of using the default system TCP timeout. This value is used only when the target is really down or unreachable, not when it refuses the connection.
ControlMaster
Enables the sharing of multiple sessions over a single network connection. When set to ‘yes’, SSH will listen for
connections on a control socket specified using the ControlPath argument. Additional sessions can connect to this socket using the same ControlPath with ControlMaster set to ‘no’ (the default). These sessions will try to reuse the master instance’s network connection rather than initiating new ones, but will fall back to connecting normally if the control socket does not exist or is not listening.
Setting this to ‘ask’ will cause SSH to listen for control connections, but require confirmation using the SSH_ASKPASS program before they are accepted. If the ControlPath cannot be opened, SSH will continue without connecting to a master instance.
‘Auto’ and ‘autoask’ allow for opportunistic multiplexing (try to use a master connection but fall back to creating a new one if one does not already exist). ‘Autoask’ requires confirmation like ‘ask’.
ControlPath
Specifies the path to the control socket used for connection sharing as described in the ControlMaster section above, or the string ‘none’ to disable connection sharing. In the path, ‘%L‘ will be substituted by the first component of the local host name, ‘%l‘ will be substituted by the local host name (including any domain name), ‘%h‘ will be substituted by the target host name, ‘%n‘ will be substituted by the original target host name specified on the command line, ‘%p‘ the port, ‘%r‘ by the remote login username, and ‘%u‘ by the username of the user running SSH. It is recommended that any ControlPath used for opportunistic connection sharing include at least %h, %p, and %r as these ensure that shared connections are uniquely identified.
ControlPersist
When used in conjunction with ControlMaster, specifies that the master connection should remain open in the background (waiting for future client connections) after the initial client connection has been closed. If set to ‘no’, then the master connection will not be placed into the background, and will close as soon as the initial client connection is closed. If set to ‘yes’, then the master connection will remain in the background indefinitely (until killed or closed via a mechanism such as the -O exit option). If set to a time in seconds, or a time in any of the formats documented in sshd_config, then the backgrounded master connection will automatically terminate after it has remained idle (with no client connections) for the specified time.
DynamicForward
Specifies that a TCP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. The argument must be [bind_address:]port. IPv6 addresses can be specified by enclosing addresses in square brackets. By default,
the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind address may be used to bind the connection to a specific address. The bind address of ‘localhost‘ indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.
EnableSSHKeysign
Setting this option to ‘yes’ in the global client configuration file /etc/ssh/ssh_config enables the use of the helper program ssh-keysign during HostbasedAuthentication. The argument must be ‘yes’ or ‘no’ (default). This option should be placed in the non-host-specific section.
EscapeChar
Sets the escape character (default: `~'). The argument should be a single character, `^' followed by a letter, or ‘none’ to disable the escape character entirely (making the connection transparent for binary data).
ExitOnForwardFailure
Specifies whether SSH should terminate the connection if it cannot set up requested dynamic, tunnel, local, and remote port forwardings. The argument is either ‘yes’ or ‘no’ (default).
ForwardAgent
Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument must ‘yes’ or ‘no’ (default).
ForwardX11
Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set. The argument must be ‘yes’ or ‘no’ (default).
ForwardX11Timeout
Specifies a timeout for untrusted X11 forwarding using the format described in the TIME FORMATS section of sshd_config. X11 connections received by SSH after this time will be refused. The default is to disable untrusted X11 forwarding after twenty minutes has elapsed.
ForwardX11Trusted
If this option is set to ‘yes’, remote X11 clients will have full access to the original X11 display. If this option is set to ‘no’ (default), remote X11 clients will be considered untrusted and prevented from stealing or tampering with data belonging to trusted X11 clients. Furthermore, the xauth token used for the session will be set to expire after 20 minutes and remote clients will be refused access after this time.
GatewayPorts
Specifies whether remote hosts are allowed to connect to local forwarded ports. By default, SSH binds local port forwardings to the loopback address, which prevents other remote hosts from connecting to forwarded ports. GatewayPorts can be used to specify that SSH should bind local port forwardings to the wildcard address, thus allowing remote hosts to connect to forwarded ports. The argument must be ‘yes’ or ‘no’ (default).
GlobalKnownHostsFile
Specifies one or more files to use for the global host key database, separated by white space. The default is /etc/ssh/ssh_known_hosts, /etc/ssh/ssh_known_hosts2.
GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed. The default is ‘no’. SSHv2 only.
GSSAPIDelegateCredentials
Forwards (delegates) credentials to the server. The default is ‘no’. SSHv2 only.
HashKnownHosts
Indicates that SSH should hash host names and addresses when they are added to ~/.ssh/known_hosts. These hashed names may be used normally by SSH and sshd, but they do not reveal identifying information should the file’s contents be disclosed. The default is ‘no’. Note that existing names and addresses in known hosts files will not be converted automatically, but may be manually hashed using ssh-keygen.
HostbasedAuthentication
Specifies whether to try rhosts-based authentication with public key authentication. The argument must be ‘yes’ or ‘no’ (default). This option applies to SSHv2 only and is similar to RhostsRSAAuthentication.
HostKeyAlgorithms
Specifies the SSHv2 host key algorithms that the client wants to use in order of preference. The default for this option is: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss. If host keys are known for the destination host then this default is modified to prefer their algorithms.
HostKeyAlias
Specifies an alias that should be used instead of the real hostname when looking up or saving the host key in the host key database files. This option is useful for tunneling SSH connections or for multiple servers running on a single host.
HostName
Specifies the real host name to log into. This can be used to specify nicknames or abbreviations for hosts. If the hostname contains the character sequence ‘%h‘, then this will be replaced with the host name specified on the command line (this is useful for manipulating unqualified names). The default is the name given on the command line. Numeric IP addresses are also permitted (both on the command line and in HostName specifications).
IdentitiesOnly
Specifies that SSH should only use the authentication identity files configured in the ssh_config files, even if ssh-agent offers more identities. The argument to this keyword must be ‘yes’ or ‘no’ (default). This option is intended for situations where ssh-agent offers many different identities.
IdentityFile
Specifies a file from which the user’s DSA, ECDSA or DSA authentication identity is read. The default is ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for SSHv2. Additionally, any identities represented by the authentication agent will be used for authentication. SSH will try to load certificate information from the file name obtained by appending -cert.pub to the path of a specified IdentityFile.
The file name may use the tilde syntax to refer to a user’s home directory or one of the following escape characters: ‘%d‘ (local user’s home directory), ‘%u‘ (local user name), ‘%l‘ (local host name), ‘%h‘ (remote host name) or ‘%r‘ (remote user name).
IPQoS
Specifies the IPv4 type of service or DSCP class for connections. Accepted values are: ‘af11′, ‘af12′, ‘af13′, ‘af21′, ‘af22′, ‘af23′, ‘af31′, ‘af32′, ‘af33′, ‘af41′, ‘af42′, ‘af43′, ‘cs0′, ‘cs1′, ‘cs2′, ‘cs3′, ‘cs4′, ‘cs5′, ‘cs6′, ‘cs7′, ‘ef’, ‘lowdelay’, ‘throughput’, ‘reliability’, or a numeric value. This option may take one or two arguments, separated by white space. If one argument is specified, it is used as the packet class unconditionally. If two values are specified, the first is automatically selected for interactive sessions and the second for non-interactive sessions. The default is ‘lowdelay’ for interactive sessions and ‘throughput’ for non-interactive sessions.
KbdInteractiveAuthentication
Specifies whether to use keyboard interactive authentication. The argument must be ‘yes’ (default) or ‘no’.
KbdInteractiveDevices
Specifies the list of methods to use in keyboard-interactive authentication. Multiple method names must be comma-separated. The default is to use the server specified list. The methods available vary depending on what the server supports. For an OpenSSH server, it may be zero or more of: ‘bsdauth’, ‘pam’, or ‘skey’.
KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. The default is: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1.
LocalCommand
Specifies a command to execute on the local machine after successfully connecting to the SSH server. The command string extends to the end of the line, and is executed with the user’s shell. The following escape character substitutions will be performed: ‘%d‘ (local user’s home directory), ‘%h‘ (remote host name), ‘%l‘ (local host name), ‘%n‘ (host name as provided on the command line), ‘%p‘ (remote port), ‘%r‘ (remote user name) or ‘%u‘ (local user name).
The command is run synchronously and does not have access to the session of the SSH that spawned it. It should not be used for interactive commands.
This directive is ignored unless PermitLocalCommand has been enabled.
LocalForward
Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be [bind_address:]port and the second argument must be host:hostport. IPv6 addresses can be specified by enclosing addresses in square brackets. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of ‘localhost’ indicates that the listening port be bound for local use only, while an empty address or ‘*‘ indicates that the port should be available from all interfaces.
LogLevel
Gives the verbosity level that is used when logging messages from SSH. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of verbose output.
MACs
Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used in protocol version 2 for data integrity protection. Multiple algorithms must be comma-separated. The default is: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96.
NoHostAuthenticationForLocalhost
This option can be used if the home directory is shared across hosts. In this case localhost will refer to a different machine on each of the machines and the user will get many warnings about changed host keys. However, this option disables host authentication for localhost. The argument to this keyword must be ‘yes’ or ‘no’. The default is to check the host key for localhost.
NumberOfPasswordPrompts
Specifies the number of password prompts before giving up. The argument to this keyword must be an integer (default is 3).
PasswordAuthentication
Specifies whether to use password authentication. The argument must be ‘yes’ (default) or ‘no’.
PermitLocalCommand
Allow local command execution via the LocalCommand option or using the !command escape sequence in SSH. The argument must be ‘yes’ or ‘no’ (default).
PKCS11Provider
Specifies which PKCS#11 provider to use. The argument to this keyword is the PKCS#11 shared library should use to communicate with a PKCS#11 token providing the user’s private RSA key.
Port
Specifies the port number to connect on the remote host. The default is port 22.
PreferredAuthentications
Specifies the order in which the client should try protocol 2 authentication methods. This allows a client to prefer one method (e.g. keyboard-interactive) over another method (e.g. password). The default is: gssapi-with-mic,hostbased,publickey,keyboard-interactive,password.
Protocol
Specifies the protocol versions SSH should support in order of preference. The possible values are ’1′ and ’2′ (default). Multiple versions must be comma-separated. When this option is set to ’2,1′ SSH will try version 2 and fall back to version 1 if version 2 is not available.
ProxyCommand
Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with the user’s shell. In the command string, any occurrence of ‘%h‘ will be substituted by the host name to connect, ‘%p‘ by the port, and ‘%r‘ by the remote user name. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an SSH server running on some machine, or execute sshd -i somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). Setting the command to ‘none’ disables this option entirely. Note that CheckHostIP is not available for connects with a proxy command.
PubkeyAuthentication
Specifies whether to try public key authentication (SSHv2 only). The argument to this keyword must be ‘yes’ (default) or ‘no’.
RekeyLimit
Specifies the maximum amount of data that may be transmitted before the session key is renegotiated (SSHv2 only). The argument is the number of bytes, with an optional suffix of ‘K’, ‘M’, or ‘G’ to indicate Kilobytes, Megabytes, or Gigabytes, respectively. The default is between ’1G’ and ’4G’, depending on the cipher.
RemoteForward
Specifies that a TCP port on the remote machine be forwarded over the secure channel to the specified host and port from the local machine. The first argument must be [bind_address:port] and the second argument must be [host:hostport]. IPv6 addresses can be specified by enclosing addresses in square brackets. Multiple forwardings may be specified, and additional forwardings can be given on the command line. Privileged ports can be forwarded only when logging in as root on the remote machine.
If the port argument is ’0′, the listen port will be dynamically allocated on the server and reported to the client at run time.
If the bind_address is not specified, the default is to only bind to loopback addresses. If the bind_address is ‘*’ or an empty string, then the forwarding is requested to listen on all interfaces. Specifying a remote bind_address will only succeed if the server’s GatewayPorts option is enabled.
RequestTTY
Specifies whether to request a pseudo-tty for the session. The argument may be one of: ‘no’ (never request a TTY), ‘yes’ (always request a TTY when standard input is a TTY), ‘force’ (always request a TTY) or ‘auto’ (request a TTY when opening a login session). This option mirrors the -t and -T flags for SSH.
RhostsRSAAuthentication
Specifies whether to try rhosts-based authentication with RSA host authentication. The argument must be ‘yes’ or ‘no’ (default). This option applies to SSHv1 only and requires SSH to be setuid root.
RSAAuthentication
Specifies whether to try RSA authentication. The argument to this keyword must be ‘yes’ (default) or ‘no’. RSA authentication will only be attempted if the identity file exists, or an authentication agent is running.
SendEnv
Specifies which variables from the local environ should be sent to the server. Note that environment passing is only supported for SSHv2. The server must also support it, and the server must be configured to accept these environment variables. Refer to AcceptEnv in sshd_config for how to configure the server. The default is not to send any environment variables.
ServerAliveCountMax
Sets the number of server alive messages (default: 3) which may be sent without SSH receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, SSH will disconnect from the server, terminating the session. The server alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. This option applies to SSHv2 only.
ServerAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the server, SSH will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to the server. This option applies to SSHv2 only.
StrictHostKeyChecking
If this flag is set to ‘yes’, SSH will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. If this flag is set to ‘no’, SSH will automatically add new host keys to the user known hosts files. If this flag is set to ‘ask’ (default), new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and SSH will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases.
TCPKeepAlive
Specifies whether the host should send TCP keepalive messages to the other side. If they are sent, downtime of one of the hosts will be properly noticed. The arguments are ‘yes’ (default) and ‘no’.
Tunnel
Request TUN device forwarding between the client and the server. The argument must be ‘yes’, ‘point-to-point’ (layer 3), ‘ethernet’ (layer 2), or ‘no’ (default). Specifying ‘yes’ requests the default tunnel mode, which is ‘point-to-point’.
TunnelDevice
Specifies the tun(4) devices to open on the client (local_tun) and the server (remote_tun). The argument must be [local_tun:remote_tun]. The devices may be specified by numerical ID or the keyword ‘any’, which uses the next available tunnel device. If remote_tun is not specified, it defaults to ‘any’. The default is ‘any:any’.
UsePrivilegedPort
Specifies whether to use a privileged port for outgoing connections. The argument must be ‘yes’ or ‘no’ (default). If set to ‘yes’, SSH must be setuid root. Note that this option must be set to ‘yes’ for RhostsRSAAuthentication with older servers.
User
Specifies the user to log in as. This can be useful when a different user name is used on different hosts. This saves the trouble of having to remember to give the user name on the command line.
UserKnownHostsFile
Specifies one or more files to use for the user host key database, separated by white space. The default is ~/.ssh/known_hosts, ~/.ssh/known_hosts2.
VerifyHostKeyDNS
Specifies whether to verify the remote key using DNS and SSHFP resource records. If this option is set to ‘yes’, the client will implicitly trust keys that match a secure fingerprint from DNS. If this option is set to ‘ask’, information on fingerprint match will be displayed, but the user will still need to confirm new host keys according to the StrictHostKeyChecking option. Insecure fingerprints will be handled as if this option were set to ‘ask’. The argument must be ‘yes’, ‘no’, (default) or ‘ask’. This option applies to SSHv2 only.
VisualHostKey
If this flag is set to ‘yes’, an ASCII art representation of the remote host key fingerprint is printed in addition to the hex fingerprint string at login and for unknown host keys. If this flag is set to ‘no’ (default), no fingerprint strings are printed at login and only the hex fingerprint string will be printed for unknown host keys.
XAuthLocation
Specifies the full path name of the xauth program. The default is /usr/X11R6/bin/xauth.
ssh -p [port] Specifies the port to connect to on the remote host.
ssh -q Enables quiet mode which causes most warning and diagnostic messages to be suppressed.
ssh -R [bind_address:port:host:hostport] Specifies that the given port on the remote host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to [port] on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the local machine.
By default, the listening socket on the server will be bound to the loopback interface only. This may be overridden by specifying a [bind_address]. An empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces. Specifying a remote [bind_address] will only succeed if the server’s GatewayPorts option is enabled. If the port argument is ’0′, the listen port will be dynamically allocated on the server and reported to the client at run time. When used together with -O forward the allocated port will be printed to the standard output.
ssh -s May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use of SSH as a secure transport for other applications (eg., SFTP). The subsystem is specified as the remote command.
ssh -S [ctrl_path] Specifies the location of a control socket for connection sharing, or the string ‘none’ to disable connection sharing. Refer to the descriptions of ControlPath and ControlMaster for details.
ssh -t Forces pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine which can be very useful, e.g. when implementing menu services. Multiple -t options force TTY allocation, even if SSH has no local TTY.
ssh -T Disables pseudo-tty allocation.
ssh -v Enables verbose mode which causes SSH to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems. Multiple -v options increase the verbosity (maximum is 3).
ssh -V Displays the SSH version number.
ssh -w local_tun[:remote_tun] Requests tunnel device forwarding with the specified tun devices between the client (local_tun) and the server (remote_tun). The devices may be specified by numerical ID or the keyword ‘any’, which uses the next available tunnel device. If remote_tun is not specified, it defaults to ‘any’. See also the Tunnel and TunnelDevice directives in ssh_config. If the Tunnel directive is unset, it is set to the default tunnel mode, which is ‘point-to-point’.
ssh -W [host:port] Requests that standard input and output on the client be forwarded to host on the given port over the secure channel. Implies -N, -T, ExitOnForwardFailure and ClearAllForwardings and works with SSHv2 only.
ssh -x Disables X11 forwarding.
ssh -X Enables X11 forwarding.
ssh -y Sends log information using the syslog system module. By default this information is sent to stderr.
ssh -Y Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.

SCP command options

Description

scp -1 Forces SCP to use SSHv1.
scp -2 Forces SCP to use SSHv2.
scp -3 Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts. Note that this option disables the
progress meter.
scp -4 Forces SCP to use IPv4 addresses only.
scp -6 Forces SCP to use IPv6 addresses only.
scp -B Enables batch mode (prevents asking for passwords or passphrases).
scp -c [cipher] Selects the cipher to use for encrypting the data transfer. For SSHv2, [cipher] is a comma-separated list of ciphers listed in order of preference. The default list is: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour.
scp -C Enables compression.
scp -F [ssh_config_file] Specifies an alternative per-user configuration file for SSH.
scp -i [identity_file] Selects the file from which the identity (private key) for public key authentication is read.
scp -l Limits the bandwidth utilized in Kb/s.
scp -o [option] Same as ssh -o above.
scp -p Preserves modification times, access times, and modes from the original file.
scp -P [port] Specifies the port to connect to on the remote host.
scp -q Enables quiet mode which disables the progress meter as well as the warning and diagnostic messages from SSH.
scp -r Recursively copies entire directories. Note that SCP also follows symbolic links encountered in the tree traversal.
scp -S [program] Names the program to use for the encrypted connection. The program must understand SSH options.
scp -v Enables verbose mode which causes SCP and SSH to print debugging messages about their progress. This is helpful in debugging connection, authentication, and configuration problems.

SFTP command options

Description

sftp -1 Specifies the use of SSHv1.
sftp -2 Specifies the use of SSHv2.
sftp -4 Forces SFTP to use IPv4 addresses only.
sftp -6 Forces SFTP to use IPv6 addresses only.
sftp -b [batch_file] Batch mode; reads a series of commands from an input batch file instead of stdin.
sftp -B [buffer_size] Specifies the size of the buffer that SFTP uses when transferring files (default is 32768 bytes).
sftp -c [cipher] Selects the cipher to use for encrypting the data transfer. For SSHv2, [cipher] is a comma-separated list of ciphers listed in order of preference. The default list is: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour.
sftp -C Enables compression.
sftp -D [sftp_server_path] Connects directly to a local SFTP server (rather than via SSH).
sftp -F [ssh_config_file] Specifies an alternative per-user configuration file for SSH.
sftp -i [identity_file] Selects the file from which the identity (private key) for public key authentication is read.
sftp -l [limit] Limits the bandwidth utilized in Kb/s.
sftp -o [option] Same as ssh -o above.
sftp -p Preserves modification times, access times, and modes from the original files transferred.
sftp -P [port] Specifies the port to connect to on the remote host.
sftp -r Recursively copies entire directories when uploading and downloading. Note that SFTP does not follow symbolic links encountered in the tree traversal.
sftp -R [num_requests] Specifies how many requests may be outstanding at any one time (default is 64 outstanding requests).
sftp -s [subsystem | sftp_server] Specifies the SSHv2 subsystem or the path for an SFTP server on the remote host.
sftp -S [program] Names the program to use for the encrypted connection. The program must understand SSH options.
sftp -v Raises the logging level.
>bye Quits SFTP.
>cd [path] Changes the current remote directory to the one specified in [path].
>chgrp [group] [path] Changes group of file [path] to [group]. [grp] must be a numeric GID.
>chown [owner] [path] Changes the owner of file [path] to [owner]. [owner] must be a numeric UID.
>df [path] Displays usage information for the filesystem holding the current directory (or [path] if specified). This command is only supported on servers that implement the ‘statvfs@openssh.com’ extension.
>df -h [path] Displays usage information for the filesystem holding the current directory (or [path] if specified with the capacity information displayed using “human-readable” suffixes.
>df -i [path] Displays usage information for the filesystem holding the current directory (or [path] if specified and requests display of inode information in addition to capacity information.
>exit Quits SFTP.
>get [remote_path] [local_path] Retrieves the file specified in [remote_path] and stores it on the local host. If the [local_path] name is not specified, the file is given the same name it has on the remote host.
>get -p [remote_path] [local-path] or >get -P [remote_path] [local-path] Retrieves the file specified in [remote_path], stores it on the local host, and full file permissions and access times are copied also.
>get -r [remote_path] [local-path] Recursively retrieves the file specified in [remote_path] (along with all sub-directories and files) and stores it on the local host.
>help Displays the help message.
>lcd [path Changes the local directory to [path].
>lmkdir [path] Creates the local directory specified by [path].
>ln [oldpath] [newpath] Creates a hard link from [oldpath] to [newpath].
>ln -s [oldpath] [newpath] Creates a symbolic link from [oldpath] to [newpath].
>lpwd Displays the local working directory.
>ls [path] Displays a directory listing of either the remote [path] specified or the current remote directory if [path] is not specified.
>ls -1 [path] Displays a single columnar directory listing of either the remote [path] specified or the current remote directory if [path] is not specified.
>ls -a [path] Displays a full directory listing (including hidden files) of either the remote [path] specified or the current remote directory if [path] is not specified.
>ls -f [path] Displays a directory listing (without sorting) of either the remote [path] specified or the current remote directory if [path] is not specified.
>ls -h [path] Displays a directory listing of either the remote [path] specified or the current remote directory using unit suffixes such as Byte, Kilobyte, Megabyte, Gigabyte, Terabyte, Petabyte, and Exabyte in order to reduce the number of digits to four or fewer using powers of 2 for sizes (K=1024, M=1048576, etc.).
>ls -l [path] Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) and also displays additional details including permissions and ownership information.
>ls -n [path] Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) by producing a long listing with user and group information presented numerically.
>ls -r [path] Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) and reverses the sort order of the listing.
>ls -S [path] Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) and sorts the listing by file size.
>ls -t [path] Displays a directory listing of either the remote [path] specified or the current remote directory (if [path] is not specified) and sorts the listing by last modification time.
>lumask [umask] Sets the local umask to [umask].
>mkdir [path] Creates the remote directory specified by [path].
>progress Toggles the display of the progress meter.
>put [local_path] [remote_path] Uploads the file specified in [local_path] and stores it on the remote host. If the [remote_path] name is not specified, the file is given the same name it has on the local machine.
>put -p [local_path] [remote_path] or put -P [local-path] [remote-path] Uploads the file specified in [local_path] (along with full file permissions and access times) and stores it on the remote host. If the [remote_path] name is not specified, the file is given the same name it has on the local machine.
>put -r [local_path] [remote_path] Recursively uploads the file specified in [local_path] (along with all subdirectories and files) and stores it on the remote host.
>pwd Displays the remote working directory.
>quit Quits SFTP.
>rename [oldpath] [newpath] Renames the remote file from [oldpath] to [newpath].
>rm [path] Deletes the remote file specified by [path].
>rmdir [path] Removes the remote directory specified by [path].
>symlink [oldpath] [newpath] Creates a symbolic link from [oldpath] to [newpath].
>version Displays the SFTP protocol version.
>! Escapes to the local shell.
>! [command] Executes [command] in the local shell.
>? Prints the help message.