LINUX GAZETTE

[ Prev ][ Table of Contents ][ Front Page ][ Talkback ][ FAQ ][ Next ]

"Linux Gazette...making Linux just a little more fun!"


ssh suite: Sftp, scp and ssh-agent

By Matteo Dell'Omodarme


The aim of this article is to provide an introduction to some useful programs in the SSH suite, i.e. sftp, scp, ssh-agent and ssh-add. In the following we suppose that sshd2 daemon is well configured and running.

Sftp and scp overview

Let's focus our attention on sftp and scp.
The first one (Secure File Transfer) is a ftp-like client that can be used in file transfer over the network.
It does not use the FTP daemon (ftpd or wu-ftpd) for connections, allowing a significant improvement in the system security. In fact, monitoring some logs file of our systems, we noted that about 80% of attacks in last month was against ftpd daemon. The use of sftp prevents all these tries since it permits to stop the potentially dangerous wu-ftpd.

The second (Secure Copy) is used to copy files over the network securely. It is a replacement for rcp insecure command.

Sftp and scp do not require any dedicated daemon since the two programs connect to sshd servers. In order to use sftp and scp you have to insert the following line in the configuration file /etc/ssh2/sshd2_config:

 
subsystem-sftp                  sftp-server
after this modification you must restart sshd.
So you could use sftp and scp only to connect to hosts where sshd is running.

Sftp

Sftp uses ssh2 in data connections, so the file transport is as secure as possible.
There are two main advantages in using sftp instead of ftp:
  1. Password are never transferred in clear text, preventing any sniffer attack.
  2. Data are encrypted during the transfer, making difficult to spy or modify the connection.
The use of sftp2 is really simple. Let's suppose that you would connect via sftp to your account myname on host1. In order to do that use the command:
sftp myname@host1
some options could be specified from the command line (see the sftp manual page for a complete report).

When the sftp2 is ready to accept commands, it will display a prompt sftp>. In the sftp manual page there are a complete list of the commands which the user can use; among them there are:

sftp2 supports glob patterns (wildcards) given to commands ls, lls, get, and put. The format is described in the man page sshregex.

Since sftp use encryption there is drawback: the connection is slower (about a factor of 2-3 to my experience), but this point is of marginal interest considering the great security benefits.
In a test conduced on our local network a Network Sniffer was able to catch a mean of 4 password by hour, from ftp connections. The introduction of sftp as standard protocol for transfer file across the network could eliminate this security problem.

Scp

Scp2 (Secure Copy) is used to copy files over the network securely. It uses ssh2 for data transfer: it uses the same authentication and provides the same security as ssh2.
It is probably the simplest way to copy a file into a remote machine. Let's suppose you want to copy the file filename contained in the directory local_dir to your account myname on the directory remote_dir on host host1. Using scp you could enter from the command line:
scp local_dir/filename myname@host1:remote_dir
In such a way the file filename is copied with the same name. Wildcards can be used (read more about those from sshregex man page). The command:
scp local_dir/* myname@host1:remote_dir
copies all files from directory local_dir into the directory remote_dir of host1.
The command:
scp myname@host1:remote_dir/filename .
copies the file filename from remote_dir on host1 to the local directory.
Scp supports many options and allows copies between two remote systems as in the following example:
scp myname@host1:remote_dir/filename  myname@host2:another_dir
See its manual page for a complete presentation.

Obviously, using scp, you must know the exact directory tree of the remote machine, so in practice sftp is often preferred.

ssh key management

SSH suite contains two programs useful to manage authentications keys, allowing the user to connect to a remote system without specifying a password or even a passphrase. These programs are ssh-agent and ssh-add.

ssh-agent

>From the manual page of ssh-agent we can read: "ssh-agent2 is a program to hold authentication private keys. The idea is that ssh-agent2 is started in the beginning of an X-session or a login session, and all other windows or programs are started as children of the ssh-agent2 program (the command normally starts X or is the user shell). The programs started under the agent inherit a connection to the agent, and the agent is automatically used for public key authentication when logging to other machines using ssh".

There are two way to use ssh-agent depending on that you are running xdm or not.
In the first case you should edit .xsession file, placed in the $HOME directory. There are two possible procedures:
Copy .xsession to .xsession-stuff and modify .xession in such a way it contains only the line:

 
exec ssh-agent ./.xsession-stuff
Alternatively you could edit .xsession file and search for each line containing the expression "exec program". Modify these lines to the form "exec ssh-agent program".

Log out from your X-session and restart it. ssh-agent will start the X-session as its own children and wait for ssh key to insert in its database.

If xdm is not running the procedure to use ssh-agent is simpler because you can start your X session using the command:

ssh-agent startx
In such a way you have ssh-agent properly running.

ssh-add

Once ssh-agent is correctly in place you could add identities in its database using the command ssh-add. You could add identities only from processes which are children of a ssh-agent ancestor otherwise the following error message is displayed:
 
Failed to connect to authentication agent - agent not running?
The use of ssh-add is simple: from the command line issue the command:
ssh-add
ssh-add scans the file $HOME/.ssh2/identification which contains names of the private keys that are to be used in authentication. If this file doesn't exist, the standard name for the private key is assumed (i.e. $HOME/.ssh2/id_dsa_1024_a).
If any public key file requires a passphrase, ssh-add asks for the passphrase from the user as in the following example:
Adding identity: /home/matt/.ssh2/id_dsa_1024_a.pub
Need passphrase for /home/matt/.ssh2/id_dsa_1024_a (..)
Enter passphrase:
You could obtain a list of all identities currently represented by the agent using the command ssh-add -l:
Listing identities.
The authorization agent has one key:
id_dsa_1024_a: 1024-bit dsa, (...)

Conclusions and useful links

Many users of telnet, rlogin, ftp might not realize that their password is transmitted across the net unencrypted, but it is. The use of some secure protocols could allow a secure transmission over an insecure network.
SSH, encrypting all traffic, effectively eliminates eavesdropping, connection hijacking, and other network attacks.

These articles are only an introduction to the SSH suite; more about this topic could be found in the manual pages of ssh, sshd and sftp.

You could get SSH suite from:
www.ssh.com/products/ssh/, SSH master site or from a mirror site.
Here you could also find some very interesting information about SSH technology and cryptography in general in the Tech corner.

Otherwise you could check www.openssh.com where you could download openssh implementation of SSH protocol. The portable version is at www.openssh.com/portable.html.
You could also read the openssh FAQ: www.openssh.com/faq.html.


Copyright © 2001, Matteo Dell'Omodarme.
Copying license http://www.linuxgazette.net/copying.html
Published in Issue 63 of Linux Gazette, Mid-February (EXTRA) 2001

[ Prev ][ Table of Contents ][ Front Page ][ Talkback ][ FAQ ][ Next ]