"Linux Gazette...making Linux just a little more fun!"
ssh suite: Sftp, scp and ssh-agent
The aim of this article is to provide an introduction to some useful
programs in the SSH suite, i.e. sftp, scp, ssh-agent and ssh-add.
In the following we suppose that sshd2 daemon is well configured and
running.
Sftp and scp overview
Let's focus our attention on sftp and scp.
The first one (Secure
File Transfer) is a ftp-like client that can
be used in file transfer over the network.
It does not use the FTP daemon (ftpd or wu-ftpd) for connections,
allowing a significant improvement in the system security. In fact,
monitoring some logs file of our systems, we noted that
about 80% of attacks in last month was against ftpd daemon. The use of
sftp prevents all these tries since it permits to stop the
potentially dangerous wu-ftpd.
The second (Secure Copy) is used to copy files over the network
securely. It is a replacement for rcp insecure command.
Sftp and scp do not
require any dedicated daemon since the two programs connect
to sshd servers.
In order to use sftp and scp you have to insert the following
line in the configuration file /etc/ssh2/sshd2_config:
subsystem-sftp sftp-server
after this modification you must restart sshd.
So you could use sftp and scp only to
connect to hosts where sshd is running.
Sftp
Sftp uses ssh2 in data connections,
so the file transport is as secure as possible.
There are two main advantages in using sftp instead of ftp:
- Password are never transferred in clear text, preventing any
sniffer attack.
- Data are encrypted during the transfer, making difficult to spy or modify
the connection.
The use of sftp2 is really simple. Let's suppose that
you would connect via sftp to your account myname on
host1. In order to do that use the command:
sftp myname@host1
some options could be specified from the command line (see the sftp
manual page for a complete report).
When the sftp2 is ready to accept commands,
it will display a prompt sftp>.
In the sftp manual page there are a complete list of the commands
which the user can use; among them there are:
- quit:
Quits from the application.
- cd directory:
Changes the current remote working directory.
- lcd directory:
Changes the current local working directory.
- ls [ -R ] [ -l ] [ file ... ]:
Lists the names of the files on the remote server.
For directories, the contents of the directory are
listed. When the -R option is specified, the directory
trees are listed recursively. (By default,
the subdirectories of the argument directories are
not visited). When the -l option is specified,
permissions, owners, sizes and modification times are
also shown. When no arguments are given, it is
assumed that the contents of . are being listed.
Currently the options -R and -l are mutually incompatible.
- lls [ -R ] [ -l ] [ file ... ]:
Same as ls, but operates on the local files.
- get [ file ... ]:
Transfers the specified files from the remote end
to the local end. Directories are recursively
copied with their contents.
- put [ file ... ]:
Transfers the specified files from the local end to
the remote end. Directories are recursively copied
with their contents.
- mkdir dir (rmdir dir):
Tries to create (destroy) the directory specified in dir.
sftp2 supports glob patterns (wildcards) given to commands
ls, lls, get, and put. The format is described in the man
page sshregex.
Since sftp use encryption there is drawback: the connection is slower
(about a factor of 2-3 to my experience), but this point is of
marginal interest considering the great security benefits.
In a test conduced on our local network a Network Sniffer was able to
catch a mean of 4 password by hour, from ftp connections. The
introduction of sftp as standard protocol for transfer file across the
network could eliminate this security problem.
Scp
Scp2 (Secure Copy) is used to copy files over the network securely.
It uses ssh2 for data transfer: it uses the same authentication and
provides the same security as ssh2.
It is probably the simplest way to copy a file into a remote machine.
Let's suppose you want to copy the file filename contained in the
directory local_dir to your account myname on the
directory remote_dir on host host1. Using scp you
could enter from the command line:
scp local_dir/filename myname@host1:remote_dir
In such a way the file filename is copied with the same name.
Wildcards can be used (read more about those from sshregex man
page).
The command:
scp local_dir/* myname@host1:remote_dir
copies all files from directory local_dir into the directory
remote_dir of host1.
The command:
scp myname@host1:remote_dir/filename .
copies the file filename from remote_dir on
host1 to the local directory.
Scp supports many options and allows copies between two remote
systems as in the following example:
scp myname@host1:remote_dir/filename myname@host2:another_dir
See its manual page for a complete presentation.
Obviously, using scp, you must know the exact directory tree of the
remote machine, so in practice sftp is often preferred.
ssh key management
SSH suite contains two programs useful to manage authentications
keys, allowing the user to connect to a remote system without
specifying a password or even a passphrase. These programs are
ssh-agent and ssh-add.
ssh-agent
>From the manual page of ssh-agent we can read:
"ssh-agent2 is a program to hold authentication private
keys. The idea is that ssh-agent2 is started in the
beginning of an X-session or a login session, and all
other windows or programs are started as children of the
ssh-agent2 program (the command normally starts X or is
the user shell). The programs started under the agent
inherit a connection to the agent, and the agent is
automatically used for public key authentication when logging
to other machines using ssh".
There are two way to use ssh-agent depending on that you are running
xdm or not.
In the first case you should edit .xsession file, placed in the $HOME
directory. There are two possible procedures:
Copy .xsession to .xsession-stuff and modify
.xession in such a way it contains only the line:
exec ssh-agent ./.xsession-stuff
Alternatively you could edit .xsession file and search for each
line containing the expression "exec program". Modify
these lines to the form "exec ssh-agent program".
Log out from your X-session and restart it.
ssh-agent will start the
X-session as its own children and wait for ssh key to insert in
its database.
If xdm is not running the procedure to use ssh-agent is simpler
because you can start your X session using the command:
ssh-agent startx
In such a way you have ssh-agent properly running.
ssh-add
Once ssh-agent is correctly in place you could add identities in its
database using the command ssh-add.
You could add identities only from processes which are children of a ssh-agent
ancestor otherwise the following error message is displayed:
Failed to connect to authentication agent - agent not running?
The use of ssh-add is simple: from the command line issue the command:
ssh-add
ssh-add scans the file $HOME/.ssh2/identification
which contains names of the private keys that are to be
used in authentication. If this file doesn't exist, the standard name
for the private key is assumed (i.e. $HOME/.ssh2/id_dsa_1024_a).
If any public key file requires a passphrase, ssh-add asks
for the passphrase from the user as in the following example:
Adding identity: /home/matt/.ssh2/id_dsa_1024_a.pub
Need passphrase for /home/matt/.ssh2/id_dsa_1024_a (..)
Enter passphrase:
You could obtain a list of all identities currently represented by the
agent using the command ssh-add -l:
Listing identities.
The authorization agent has one key:
id_dsa_1024_a: 1024-bit dsa, (...)
Conclusions and useful links
Many users of telnet, rlogin, ftp might not
realize that their password is transmitted across the net unencrypted, but it is.
The use of some secure protocols could allow a secure transmission
over an insecure network.
SSH, encrypting all traffic, effectively
eliminates eavesdropping, connection hijacking, and other network attacks.
These articles are only an introduction to the SSH
suite; more about this topic could be found in the manual pages of ssh,
sshd and sftp.
You could get SSH suite from:
www.ssh.com/products/ssh/,
SSH master site or
from
a mirror
site.
Here you could also find some very interesting information about SSH
technology and cryptography in general in the Tech corner.
Otherwise you could check
www.openssh.com where you could
download openssh implementation of SSH protocol. The portable version
is at www.openssh.com/portable.html.
You could also read the openssh FAQ: www.openssh.com/faq.html.
Copyright © 2001, Matteo Dell'Omodarme.
Copying license http://www.linuxgazette.net/copying.html
Published in Issue 63 of Linux Gazette, Mid-February (EXTRA) 2001