RE: SCP help
From: wjnorth (wjnorth_at_earthlink.net)
Date: 05/28/03
To: "'Thotapalli, Ravi'" <ravi.thotapalli@eds.com>, <secureshell@securityfocus.com>
Date: Wed, 28 May 2003 09:24:20 -0700
This is just my personal opinion.
First off, by storing a password in a file on your local file system,
you've defeated the purpose of using SCP. I say this because even if
that file is encrypted you have to decrypt somehow, and if you choose to
automate the entire process you have to store the decryption key
somewhere as well (vicious cycle), as such you've essentially rendered
your entire encryption session (not to mention the integrity of the
session, since you can't be sure someone hasn't compromised that file)
null.
Using standard FTP you use .netrc, cool thing, but you have to be really
brave when considering the possible ramifications of using this.
There are a couple of options you have with SCP.
1. Create keys without passwords and use key exchanges rather than
password challenges.
a. Reference the following URL:
http://www.akadia.com/services/ssh_agent.html for unattended batch jobs,
this will work with SCP as well.
NOTE: This site also references using the ssh-agent, which is actually a
good idea, with a password, this way you can start up trusted hosts
every time the system reboots, if you have passwords associated with your
private key, the agent will prompt for the password, still manual, but
once the keys are authenticated, key authentication should ensue. Which
means, you'd be able to use SCP without having to deal with a challenge.
2. Host based authentication (which is not a very good idea)
a. Reference the following URL:
http://www.indiana.edu/~rats/research/steel/ssh2-setup.shtml
Either way you do it, I would highly suggest you do not use a method
that stores a password in some file, using something like expect, would
still require the storage of the password in some format or another, and
to me that just leads to future issues.
IMHO ;-)
-Wesley North
Senior Information Systems Security Engineer
BAE SYSTEMS, MISSION SOLUTIONS
wesley.north@baesystems.com
-----Original Message-----
From: Thotapalli, Ravi [mailto:ravi.thotapalli@eds.com]
Sent: Wednesday, May 28, 2003 7:51 AM
To: 'secureshell@securityfocus.com'
Subject: SCP help
Hi I am trying to write a script using scp in which I would like to pass
the password to the script by means of standard input (via a file) could
anyone let me know if you have tried this already and if it works or
not. I have used the same with ftp and it works but for some reason with
scp I am unable to do that.
thanks
Ravi Thotapalli
Phone (415)-551-5655
Mail ravi.thotapalli@eds.com
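
Option 1 from the reply above (a key without a passphrase, used for unattended copies), as a small shell wrapper. This is an added example, not part of the original messages; the key path, host names and address are hypothetical, and the authorized_keys restrictions and the BatchMode setting go beyond what the reply describes.

```shell
#!/bin/sh
# Unattended scp with a dedicated key instead of a stored password.
# One-time setup (paths and comment are placeholders):
#   ssh-keygen -t ed25519 -N '' -f "$HOME/.ssh/batch_key" -C batch-scp
# Then install the output of restricted_entry in the remote account's
# ~/.ssh/authorized_keys.

# Succeed only if the private key is a regular file with no group/other
# permission bits set. A passphrase-less key is protected by nothing else.
key_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ldL -- "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Print an authorized_keys line that limits what the batch key can do on
# the server: accepted from one source only, no terminal, no forwarding.
# $1 = allowed source address or pattern, $2 = contents of the .pub file
restricted_entry() {
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Copy one file without ever prompting. BatchMode=yes makes scp fail
# instead of asking for a password; IdentitiesOnly=yes keeps it from
# offering any other key.
# $1 = private key, $2 = local file, $3 = user@host:path
batch_copy() {
    if ! key_is_private "$1"; then
        echo "refusing: $1 is missing or accessible to group/other" >&2
        return 2
    fi
    scp -q -i "$1" -o BatchMode=yes -o IdentitiesOnly=yes "$2" "$3"
}

# Run as: batch_scp.sh <key> <local file> <user@host:path>
if [ "$#" -eq 3 ]; then
    batch_copy "$@"
fi
```

A non-zero exit from batch_copy in a cron job means the copy did not happen; it never waits on a prompt.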