Re: how to automate scp

From: Maarten (subscriptions@hartsuijker.com)
Date: 11/07/02


From: "Maarten" <subscriptions@hartsuijker.com>
To: <security-discuss@linuxsecurity.com>
Date: Thu, 7 Nov 2002 20:50:16 +0100

Hi Gurdeep,

What I like to do is create a keypair and transfer files using those for
authentication. With this concept, you have strong encryption and a good
form of authentication (using public/private keys).

An example to help you get going:
1. Create a keypair on the server from where you want to initiate your
session.
    ssh-keygen -t rsa -b 4096 # (yes, I am quite a paranoid kind of guy)
    Generating public/private rsa key pair.
If it asks for a password, press Enter so that your private key is not
protected with a password. In general, this is not good practice, but it is
impossible to automate your transfers if you assign a password to your
private key.
2. You now have a public/private keypair in the .ssh directory of the user
you used to create the keys. Copy the public key (.pub) to the server you
want to exchange files with.
3. To gain access to this server, you have to put the public keys in the
"authorized_keys" file of the user that will be used to access the server.
It is good practice to create a separate user for this function.
example:
    useradd copy
    passwd copy    # very strong and unrememberable, since you do not need
                   # this password after you're done
    cd /home/copy
    mkdir .ssh
    chmod 700 .ssh
    cd .ssh
    mv id_rsa.pub authorized_keys
    chmod 600 authorized_keys

Now you can access the server without a password to copy files (only from
the account you used to create the keypair!!!). What I like to do is
minimize the access rights for public/private key authentication. You can add
several options to your "authorized_keys" file to disable port forwarding or
force the source IP. I also like to force the file that can be received or
sent. Unfortunately, I did not succeed in allowing several files to be
received or sent by one public/private keypair :-(. Of course you can set up
multiple accounts to achieve that and still have the security...

hth, maarten

> Can anyone guide me on automating SCP.
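
Added example, not part of Maarten's message: one way to restrict a key with "authorized_keys" options and still permit several files, using a forced-command wrapper that checks the client's request against an allowlist. The script path, source address, file paths and key comment are all assumptions made for illustration, and the allowlist assumes the legacy scp protocol, where the client asks the server to run "scp -t" or "scp -f".

```shell
#!/bin/sh
# Installed as /usr/local/bin/scp-gate (hypothetical path) and named in the
# key's options, all on ONE line of ~copy/.ssh/authorized_keys:
#   from="192.0.2.10",command="/usr/local/bin/scp-gate",no-port-forwarding,
#   no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <public key> copy-job
# sshd then runs this script for every login with that key and puts what the
# client asked for in SSH_ORIGINAL_COMMAND.

# Constructed allowlist: one exact remote command per permitted transfer.
# "scp -t PATH" receives a file into PATH, "scp -f PATH" sends PATH back.
ALLOWED_COMMANDS='scp -t /home/copy/incoming/report.csv
scp -t /home/copy/incoming/db.dump
scp -f /home/copy/outgoing/status.txt'

# Return 0 only if $1 is byte-for-byte one of the allowlisted lines.
scp_allowed() {
    [ -n "$1" ] || return 1          # empty request = interactive login
    while IFS= read -r allowed; do
        if [ "$1" = "$allowed" ]; then
            return 0
        fi
    done <<EOF
$ALLOWED_COMMANDS
EOF
    return 1
}

gate() {
    if scp_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f                       # no globbing when the string is split
        # Word splitting is safe here: the string equals an allowlist entry.
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t scp-gate -p auth.warning "rejected: ${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "scp-gate: command not permitted" >&2
    return 1
}

# Run the gate only when invoked under its installed name.
case "$0" in
    */scp-gate) gate ;;
esac
```

Allowlisted paths must not contain spaces, since the accepted string is split on whitespace before it is executed. Clients whose scp uses SFTP by default need "scp -O" to send the legacy commands matched here.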
