How to securely allow scp, but not ssh

bash ssh scp
28,435

Solution 1

Ok, you messed things up.

From what I've understood, you just want to copy a file from bar to foo:

[file]  *bar* ------copy------> *foo*

In order to do just that, you first ssh to bar then scp file to foo:

        *bar* -------ssh------> *foo* [file]

then:

        *foo* ----scp[file]---> *bar*

If you are doing like this, you are doing it insecurely and wrong. All you have to do is scp the file back to you directly:

bob@foo$ scp bob@bar:/guest/buzz ~

in other words:

        *foo* <---scp[file]---- *bar*

Now there are a couple of problems to be solved …

How to know where the file is?

a) Use SSH in another terminal

Just open a second terminal, SSH to bar, find your file and copy/paste the path to the first one.

b) Use SFTP

SFTP (not related to FTP nor FTPS in any way!) is implemented in OpenSSH and is available by default. Just SFTP to the server and use the FTP-like commands to find you files and get them.

c) Use a GUI

Filezilla or Nautilus for instance can browse remote SFTP/SSH shares.

d) Set up certificates

When you set up certificate connection, you can do tab completion on the local side as well as on the remote side! For instance, with your buzz example, you can do:

bob@foo$ scp bob@bar:/guest/[tab][tab]

and wait a little for the list of files contained in the remote /guest/ folder.

How to set up SSH with certificates?

a) If not already done, generate your personal RSA key pair

If you've installed OpenSSH client, you can do it by typing 

bob@foo$ ssh-keygen -t rsa

(look at the manual or online for all the available options). It may ask you for a password. This is not your local account password but an optional password that can be used to encrypt the private key you are about to generate.

Actually, you will generate 2 files:

  • /Users/[yourusername]/.ssh/id_rsa
  • /Users/[yourusername]/.ssh/id_rsa.pub

The first one, *id_rsa* ought to be private. By default, ssh-keygen will do everything it can to avoid making it public (using filesystem access permission). That's why it will also ask you for an (optional) password. Don't be too paranoid with that, but just remember *id_rsa* == personal key == private. This key should never ever leave your computer.

The second one is public. It requires a huge amount of computer power to get back your private key from this public certificate (I really mean HUUUUUUGE). This is perfectly safe to share it with the whole world. Even in the very unlikely event that the NSA or the likes really want to spend millions of dollars cracking your public key, your macbook will still be safe … (or not. Thinking about it, if someone wants to spend that much, you are in trouble :)

This public certificate is actually what you will put on the remote server bar.

b) How do I put my public certificate on the server?

Two options.

  1. Use ssh-copy-id if available: bob@foo$ ssh-copy-id bob@bar. Done.

  2. If it is not, copy ~/.ssh/id_rsa.pub to bar:

    bob@foo$ sftp ~/.ssh/id_rsa.pub bob@bar:pub_cert

(here, you copied your public cert id_rsa.pub from .ssh/, in your personal ~ folder to the remote computer bar in the home folder of the user bob. This is the default. Also note that id_rsa.pub has been renamed to pub_cert in the process. I used sftp just to show you that it can be used exactly as scp).

Now, we shall copy this certificate to the right location:

bob@foo$ ssh bob@bar

Now you are in bob's personal folder in bar.

bob@bar$ cat pub_cert >> .ssh/known_hosts

(here, you displayed the content of pub_cert with cat. But instead of printing it to the screen, you redirect this output to a file: .ssh/known_hosts. Note that a redirection with > would mean "replace the content of the file with this stream" while >> means "append the stream at the end of the existing file").

c) Result?

Now you can scp/sftp/ssh to bar as much as you want without having to provide a password. You can also autocomplete local and remote paths using the [tab] key.

d) What about my mac security?

With this way of doing this, you don't even need a running SSH server on your computer. Only an SSH client (the scp/sftp/ssh programs). This is safe for you even if bar is compromised.

e) What did I do exactly with these keys/certificates?

First you generated a couple of files: a private key and a public certificate. You can do a lot of things related to security and authentication with them. But in our case, with a fair bit of simplification, these are used this way:

When you try to connect to bar, you will advertise that you've got a certificate that you can use for the connection. bar will inspect various locations in the system, including ~/.ssh/known_hosts. It will find the certificate that you advertised and use it to send you encrypted data.

Actually, public certificates can encrypt stuff!

Now this is great, but how can foo understand that? Using your private key.

Private keys can decrypt stuff encrypted with the corresponding public certificate!

This is what is called asymmetric encryption.

Then, basically, the server will send a complicated password to you encrypted with your public certificate. You will receive it, decrypt it with your private key and start to use it to encrypt data with the server both ways.

Now, what if you really really want to do the things your way and SCP back to foo?

You are just asking for troubles. But to mitigate the effect of a possible compromission, you can set up a chrooted SFTP-only server. scp and ssh won't work any more, but sftp, Filezilla and stuff are gonna work.

ref: https://www.allthingsdigital.nl/2013/05/12/setting-up-an-sftp-only-account-with-openssh/

Solution 2

If you look at the format of the authorized_keys file, you will notice you can restrict the command allowed to be used with a specific key. This is the method that I have previously used to allow SSH action with a specified key to only a specific command, scp in this case. Look at the man page using man authorized_keys .

Solution 3

You might want to look at https://github.com/scponly/scponly/wiki/Download or you can limit your user to sftp only like so ...

# usermod -s /usr/libexec/openssh/sftp-server whoever

Solution 4

As others I'd suggest you directly copy from your other machine:

bob@foo$ scp bar:/guest/buzz ~

If, for whatever reason, you want to initiate the copy from bar you can create an ssh keypair on foo which allows foo to login to foo. Then you can use ssh agent to pass the key through over the same connection.

bob@foo$ ssh -A bar
password:
bob@bar$ scp /guest/buzz bar:
# no password prompt

You might also copy the public key to bar then there won't be a password prompt, or you might add a passphrase to the key, enter it when ssh'ing into bar then, due to the ssh agent, you won't need it for the connection the other way round while being secure.

Share:
28,435

Related videos on Youtube

Tony Anderson
Author by

Tony Anderson

Automation Engineer Deving all of the Ops in Lehi, Utah. Primarily focused in: Puppet Chef Docker #SOreadytohelp

Updated on September 18, 2022

Comments

  • Tony Anderson
    Tony Anderson over 1 year

    I work from a Mac Book Pro (called foo). I have a server where my customers scp large files to. (called bar). I frequently ssh into bar, and scp a file (called buzz) to my Mac. 

    bob@foo$ ssh bar  
Last login: Fri Aug 23 14:49:32 2013 from foo  
bob@bar$ scp /guest/buzz bob@foo:~
Password:

    I don't want to enter my password every time I scp a file back to my Mac because I'll eventually automate this.
    I know I could setup ssh keys, but I am concerned that if someone hacks bar that they could easily access foo. (Correct me if I'm wrong)

    Is there a way to copy a file from bar to foo, without a password, that wouldn't give someone full shell access to my Mac if the server was compromised?

    Note: I'm thinking setting up a new user on my Mac and disabling shell access for that user might work, but I feel like there is a better way. I'd rather not add users if possible.

    • jasonwryan
      jasonwryan over 10 years
      You are wrong :) Using keys is the securest approach: even if an attacker compromised bar, they would only have foo's public key.
    • user2914606
      user2914606 over 10 years
      no, bar is scping to foo, so foo is the one with the public key. if I understand SSH keys correctly.
    • jasonwryan
      jasonwryan over 10 years
      Only because the OP ssh's into bar to scp back to foo... Using keys, they would just (from foo) scp bar:file .
    • innocent-world
      innocent-world over 10 years
      do you check rsync for your task?
  • coder
    coder over 10 years
    how does one look at 'man authorized_keys'? I typed it in the terminal.. just an error.
  • text
    text over 10 years
    I have Ubuntu and it has this man page. Other Linux versions apparently do not have this man page (from your comment). I'm sure you can use your browser and look for the authorized_keys in google, can't you?
  • IndustryUser1942
    IndustryUser1942 over 3 years
    its documented under man sshd. When man opens, just search for by typing /authorized_keys.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Using a filename with spaces with scp and chmod in bash
How would you go about backing up a remote Ubuntu VPS via SSH?
How does using the tilde work as a shortcut to my home directory?
How to copy a file from a remote network to the local desktop
stty: standard input: Invalid argument error when scping files
Bash: How to copy a file to multiple SSH servers all of which are specified in a list text file?
Are there other commands like scp but for deleting files and folders?
How can I get the scp command to overwrite the destination folder
"Corrupted MAC on input. Packet Corrupt" on file transfer over SSH, SCP, and FTP on Linux Server
Bash script calls expect script with master SSH connection