Linux tips and tricks
How To Remotely Copy Files Over SSH (Without Entering Your Password)
SSH is really good to remotely manage a computer including upload and download files. Using SSH keys, you can skip having to enter passwords (and use this for scripts)!
This process works on Linux and Mac OS, provided that they’re properly configured for SSH access. If you’re using Windows, you can use [Putty], [MobaXterm] or [Cygwin]
Copying Files Over SSH
Secure copy is a really useful command, and it’s really easy to use. The basic format of the command is as follows:
scp [options] original_file destination_file
The biggest problem is how to format the remote part. When you address a remote file, you need to do it in th e following manner:
user@server:path/to/file
The server can be a URL or an IP address. This is followed by a colon, then the path to the file or folder in question. Here is an example:
scp –P 222 ~/Desktop/MyFile.txt user@gunvor.stockholmresilience.su.se:~/Desktop/MyFile.txt
This command features the [-P] flag (note that it’s a capital P). This allows you to specify a port number instead of the default 22. This is necessary for me because of the way e.g. GUNVOR server is configured.
To copy whole directories, you’ll need to use the [-r] flag (note that it’s a lowercase r).
scp –P 222 –r ~/Dropbox/MyFolder/ user@gunvor.stockholmresilience.su.se:~/Dropbox/
Copying Files between two remote servers with SCP
For secure direct copy of files between your computer and Gunvor you may for the ease of simlicity use [Filezilla]. However, sometimes you have data on a remote server and you want to copy it to another remote server (e.g. Gunvor) without first download them locally. Using scp with the -3Crv flag you can even securely copy files between two remote servers:
scp -3Crv user1@server1:/path-to-dir/ user2@server2:/path-to-dir
Important is that you can access both servers via ssh (either with password or with a key see next paragraph). SCP will handle the authentification between both servers and the files are still streamed through your computer. Make sure your are connected via a fast (ethernet) line with the internet. Without -3 flag SCP can handle also direct copying between the two servers but then you would need to enable access from one server to the other with a key-file (see next paragraph)
The synstax for copying files to Gunvor would be:
scp -3Crv user1@server1:/path-to-dir/ -P 222 user2@gunvor.stockholmresilience.su.se:~/path-to-dir/
Turning source and sink server:/directories around would copy your files from Gunvor to a remote server
SSH and SCP Without Passwords (using authentication key-file pairs)
Secure copy is great. You can put it in scripts and have it do backups to remote computers. The problem is that you may not always be around to enter the password. And, let’s be honest, it’s a real big pain to put in your password to a remote computer you obviously have access to all the time.
Well, we can get around using passwords by using key files. We can have the computer generate two key files – one public that belongs on the remote server, and one private which is on your computer and needs to be secure – and these will be used instead of a password. Pretty convenient, right?
On your computer, enter the following command:
ssh-keygen –t rsa
This will generate the two keys and put them in:
~/.ssh/
with the names “id_rsa” for your private key, and “id_rsa.pub” for your public key.
After entering the command, you’ll be asked where to save the key. You can hit Enter to use the above-mentioned defaults.
Next, you’ll be asked to enter a passphrase. Hit Enter to leave this blank, then do it again when it asks for confirmation. You may want to enter a passphrase here. If not (which many to for the sake of easyness) you need to take really good care of you key that nobody else but you has access to the key not to be missused! Be aware that everybody accessing your computer and using a key without passphrase also will automatically access to your files on any remote server your are sharing your key pair with.
The next step is to copy the public key file to your remote computer. You can use scp to do this:
scp -P 222 .ssh/id_rsa.pub user@gunvor.stockholmresilience.su.se:~/.ssh/authorized_keys
The destination for your public key is on the remote server, in the following file:
~/.ssh/authorized_keys
Subsequent public keys can be appended to this file, much like the ~/.ssh/known_hosts file. This means that if you wanted to add another public key for your account on this server, you would copy the contents of the second id_rsa.pub file into a new line on the existing authorized_keys file.
Sometime ssh or scp complain about security level of your key. Make sure the access right for the the key files are are i) set to 'read only' ii) only you have access to them. On Linux and Mac OS X systems you can set the correct rights with:
chown -R user:user ~/.ssh #sets you as the owner of all files in folder .ssh: user = your user ID chmod 400 ~/.ssh/id_rsa* #sets the key files to readable only
Security Considerations
Isn’t this less secure than a password?
In a practical sense, not really. The private key that’s generated is stored on the computer you’re using, and it is never transferred, not even to be verified. This private key ONLY matches with that ONE public key, and the connection needs to be started from the computer that has the private key. RSA is pretty secure and uses a 2048 bit-length by default.
It’s actually pretty similar in theory to using your password. If someone has knows your password, your security goes out of the window. If someone has your private key file, then security is lost to any computer that has the matching pubic key, but they need access to your computer to get it.
Can this be more secure?
You can combine a password with key files. Follow the steps above, but enter a strong passphrase. Now, when you connect over SSH or use SCP, you’ll need the proper private key file as well as the proper passphrase.
Once you enter your passphrase once, you won’t be asked again for it until you close your session. That means that the first time you SSH/SCP, you’ll need to enter your password, but all subsequent actions won’t require it. Once you log out of your computer (not the remote one) or close your terminal window, then you’ll have to enter it again. In this way, you’re not really sacrificing security, but you’re also not harassed for passwords all the time.
Can I reuse the public/private key pair?
This is a really bad idea. If someone finds your password, and you use the same password for all of your accounts, then they now have access to all of those accounts. Similarly, your private key file is also super-secret and important. (For more information, take a look at How To Recover After Your Email Password Is Compromised)
It’s best to create new key pairs for every computer and account you want to link. That way, if one of your private keys get caught somehow, then you’ll only compromise one account on one remote computer.
It’s also really important to note that all of your private keys are stored in the same place: in ~/.ssh/ on your computer