I work from a Mac Book Pro (called foo). I have a server where my customers scp large files to. (called bar). I frequently ssh into bar, and scp a file (called buzz) to my Mac.
bob@foo$ ssh bar
Last login: Fri Aug 23 14:49:32 2013 from foo
bob@bar$ scp /guest/buzz bob@foo:~
Password:
I don't want to enter my password every time I scp a file back to my Mac because I'll eventually automate this.
I know I could setup ssh keys, but I am concerned that if someone hacks bar
that they could easily access foo
. (Correct me if I'm wrong)
Is there a way to copy a file from bar to foo, without a password, that wouldn't give someone full shell access to my Mac if the server was compromised?
Note: I'm thinking setting up a new user on my Mac and disabling shell access for that user might work, but I feel like there is a better way. I'd rather not add users if possible.
Best Answer
Ok, you messed things up.
From what I've understood, you just want to copy a file from bar to foo:
In order to do just that, you first
ssh
to bar thenscp
file to foo:then:
If you are doing like this, you are doing it insecurely and wrong. All you have to do is scp the file back to you directly:
in other words:
Now there are a couple of problems to be solved …
How to know where the file is?
a) Use SSH in another terminal
Just open a second terminal, SSH to bar, find your file and copy/paste the path to the first one.
b) Use SFTP
SFTP (not related to FTP nor FTPS in any way!) is implemented in OpenSSH and is available by default. Just SFTP to the server and use the FTP-like commands to find you files and
get
them.c) Use a GUI
Filezilla or Nautilus for instance can browse remote SFTP/SSH shares.
d) Set up certificates
When you set up certificate connection, you can do tab completion on the local side as well as on the remote side! For instance, with your
buzz
example, you can do:and wait a little for the list of files contained in the remote /guest/ folder.
How to set up SSH with certificates?
a) If not already done, generate your personal RSA key pair
If you've installed OpenSSH client, you can do it by typing
(look at the manual or online for all the available options). It may ask you for a password. This is not your local account password but an optional password that can be used to encrypt the private key you are about to generate.
Actually, you will generate 2 files:
The first one, *id_rsa* ought to be private. By default,
ssh-keygen
will do everything it can to avoid making it public (using filesystem access permission). That's why it will also ask you for an (optional) password. Don't be too paranoid with that, but just remember *id_rsa* == personal key == private. This key should never ever leave your computer.The second one is public. It requires a huge amount of computer power to get back your private key from this public certificate (I really mean HUUUUUUGE). This is perfectly safe to share it with the whole world. Even in the very unlikely event that the NSA or the likes really want to spend millions of dollars cracking your public key, your macbook will still be safe … (or not. Thinking about it, if someone wants to spend that much, you are in trouble :)
This public certificate is actually what you will put on the remote server bar.
b) How do I put my public certificate on the server?
Two options.
ssh-copy-id
if available:bob@foo$ ssh-copy-id bob@bar
. Done.If it is not, copy
~/.ssh/id_rsa.pub
to bar:bob@foo$ sftp ~/.ssh/id_rsa.pub bob@bar:pub_cert
(here, you copied your public cert
id_rsa.pub
from.ssh/
, in your personal~
folder to the remote computer bar in the home folder of the user bob. This is the default. Also note thatid_rsa.pub
has been renamed topub_cert
in the process. I usedsftp
just to show you that it can be used exactly asscp
).Now, we shall copy this certificate to the right location:
Now you are in bob's personal folder in bar.
(here, you displayed the content of pub_cert with
cat
. But instead of printing it to the screen, you redirect this output to a file:.ssh/known_hosts
. Note that a redirection with>
would mean "replace the content of the file with this stream" while>>
means "append the stream at the end of the existing file").c) Result?
Now you can
scp
/sftp
/ssh
to bar as much as you want without having to provide a password. You can also autocomplete local and remote paths using the [tab] key.d) What about my mac security?
With this way of doing this, you don't even need a running SSH server on your computer. Only an SSH client (the
scp
/sftp
/ssh
programs). This is safe for you even if bar is compromised.e) What did I do exactly with these keys/certificates?
First you generated a couple of files: a private key and a public certificate. You can do a lot of things related to security and authentication with them. But in our case, with a fair bit of simplification, these are used this way:
When you try to connect to bar, you will advertise that you've got a certificate that you can use for the connection. bar will inspect various locations in the system, including
~/.ssh/known_hosts
. It will find the certificate that you advertised and use it to send you encrypted data.Actually, public certificates can encrypt stuff!
Now this is great, but how can foo understand that? Using your private key.
Private keys can decrypt stuff encrypted with the corresponding public certificate!
This is what is called asymmetric encryption.
Then, basically, the server will send a complicated password to you encrypted with your public certificate. You will receive it, decrypt it with your private key and start to use it to encrypt data with the server both ways.
Now, what if you really really want to do the things your way and SCP back to foo?
You are just asking for troubles. But to mitigate the effect of a possible compromission, you can set up a chrooted
SFTP
-only server.scp
andssh
won't work any more, butsftp
, Filezilla and stuff are gonna work.ref: https://www.allthingsdigital.nl/2013/05/12/setting-up-an-sftp-only-account-with-openssh/