Table of Contents for
SSH, The Secure Shell: The Definitive Guide, 2nd Edition

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition SSH, The Secure Shell: The Definitive Guide, 2nd Edition by Robert G. Byrnes Published by O'Reilly Media, Inc., 2005
  1. Cover
  2. SSH, the Secure Shell, 2nd Edition
  3. Preface
  4. Protect Your Network with SSH
  5. Intended Audience
  6. Reading This Book
  7. Our Approach
  8. Which Chapters Are for You?
  9. Supported Platforms
  10. Disclaimers
  11. Conventions Used in This Book
  12. Comments and Questions
  13. Safari Enabled
  14. Acknowledgments
  15. 1. Introduction to SSH
  16. What Is SSH?
  17. What SSH Is Not
  18. The SSH Protocol
  19. Overview of SSH Features
  20. History of SSH
  21. Related Technologies
  22. Summary
  23. 2. Basic Client Use
  24. A Running Example
  25. Remote Terminal Sessions with ssh
  26. Adding Complexity to the Example
  27. Authentication by Cryptographic Key
  28. The SSH Agent
  29. Connecting Without a Password or Passphrase
  30. Miscellaneous Clients
  31. Summary
  32. 3. Inside SSH
  33. Overview of Features
  34. A Cryptography Primer
  35. The Architecture of an SSH System
  36. Inside SSH-2
  37. Inside SSH-1
  38. Implementation Issues
  39. SSH and File Transfers (scp and sftp)
  40. Algorithms Used by SSH
  41. Threats SSH Can Counter
  42. Threats SSH Doesn’t Prevent
  43. Threats Caused by SSH
  44. Summary
  45. 4. Installation and Compile-Time Configuration
  46. Overview
  47. Installing OpenSSH
  48. Installing Tectia
  49. Software Inventory
  50. Replacing r-Commands with SSH
  51. Summary
  52. 5. Serverwide Configuration
  53. Running the Server
  54. Server Configuration: An Overview
  55. Getting Ready: Initial Setup
  56. Authentication: Verifying Identities
  57. Access Control: Letting People In
  58. User Logins and Accounts
  59. Forwarding
  60. Subsystems
  61. Logging and Debugging
  62. Compatibility Between SSH-1 and SSH-2 Servers
  63. Summary
  64. 6. Key Management and Agents
  65. What Is an Identity?
  66. Creating an Identity
  67. SSH Agents
  68. Multiple Identities
  69. PGP Authentication in Tectia
  70. Tectia External Keys
  71. Summary
  72. 7. Advanced Client Use
  73. How to Configure Clients
  74. Precedence
  75. Introduction to Verbose Mode
  76. Client Configuration in Depth
  77. Secure Copy with scp
  78. Secure, Interactive Copy with sftp
  79. Summary
  80. 8. Per-Account Server Configuration
  81. Limits of This Technique
  82. Public-Key-Based Configuration
  83. Hostbased Access Control
  84. The User rc File
  85. Summary
  86. 9. Port Forwarding and X Forwarding
  87. What Is Forwarding?
  88. Port Forwarding
  89. Dynamic Port Forwarding
  90. X Forwarding
  91. Forwarding Security: TCP-Wrappers and libwrap
  92. Summary
  93. 10. A Recommended Setup
  94. The Basics
  95. Compile-Time Configuration
  96. Serverwide Configuration
  97. Per-Account Configuration
  98. Key Management
  99. Client Configuration
  100. Remote Home Directories (NFS, AFS)
  101. Summary
  102. 11. Case Studies
  103. Unattended SSH: Batch or cron Jobs
  104. FTP and SSH
  105. Pine, IMAP, and SSH
  106. Connecting Through a Gateway Host
  107. Scalable Authentication for SSH
  108. Tectia Extensions to Server Configuration Files
  109. Tectia Plugins
  110. 12. Troubleshooting and FAQ
  111. Debug Messages: Your First Line of Defense
  112. Problems and Solutions
  113. Other SSH Resources
  114. 13. Overview of Other Implementations
  115. Common Features
  116. Covered Products
  117. Other SSH Products
  118. 14. OpenSSH for Windows
  119. Installation
  120. Using the SSH Clients
  121. Setting Up the SSH Server
  122. Public-Key Authentication
  123. Troubleshooting
  124. Summary
  125. 15. OpenSSH for Macintosh
  126. Using the SSH Clients
  127. Using the OpenSSH Server
  128. 16. Tectia for Windows
  129. Obtaining and Installing
  130. Basic Client Use
  131. Key Management
  132. Accession Lite
  133. Advanced Client Use
  134. Port Forwarding
  135. Connector
  136. File Transfers
  137. Command-Line Programs
  138. Troubleshooting
  139. Server
  140. 17. SecureCRT and SecureFX for Windows
  141. Obtaining and Installing
  142. Basic Client Use
  143. Key Management
  144. Advanced Client Use
  145. Forwarding
  146. Command-Line Client Programs
  147. File Transfer
  148. Troubleshooting
  149. VShell
  150. Summary
  151. 18. PuTTY for Windows
  152. Obtaining and Installing
  153. Basic Client Use
  154. File Transfer
  155. Key Management
  156. Advanced Client Use
  157. Forwarding
  158. Summary
  159. A. OpenSSH 4.0 New Features
  160. Server Features: sshd
  161. Client Features: ssh, scp, and sftp
  162. ssh-keygen
  163. B. Tectia Manpage for sshregex
  164. Regex Syntax: Egrep Patterns
  165. Regex Syntax: ZSH_FILEGLOB (or Traditional) Patterns
  166. Character Sets for Egrep and ZSH_FILEGLOB
  167. Regex Syntax: SSH Patterns
  168. Authors
  169. See Also
  170. C. Tectia Module Names for Debugging
  172. D. SSH-1 Features of OpenSSH and Tectia
  173. OpenSSH Features
  174. Tectia Features
  175. E. SSH Quick Reference
  176. Legend
  177. sshd Options
  178. sshd Keywords
  179. ssh Options
  180. scp Options
  181. ssh and scp Keywords
  182. ssh-keygen Options
  183. ssh-agent Options
  184. ssh-add Options
  185. Identity and Authorization Files, OpenSSH
  186. Identity and Authorization Files, Tectia
  187. Environment Variables
  188. Index
  189. Index
  190. Index
  191. Index
  192. Index
  193. Index
  194. Index
  195. Index
  196. Index
  197. Index
  198. Index
  199. Index
  200. Index
  201. Index
  202. Index
  203. Index
  204. Index
  205. Index
  206. Index
  207. Index
  208. Index
  209. Index
  210. Index
  211. Index
  212. Index
  213. Index
  214. About the Authors
  215. Colophon
  216. Copyright

Secure Copy with scp

The secure copy program, scp, obeys keywords in your client configuration file just as ssh does. In addition, scp provides other features and options that we’ll cover in this section. Remember that scp supports several options for logging and debugging, so you can watch what’s going on when it runs. [7.3]

7.5.1 Full Syntax of scp

So far, we’ve described the syntax of scp only in general: [2.2.1]

    scp name-of-source name-of-destination

Each of the two names, or path specifications, on the command line represents files or directories in the following manner (it is fairly consistent with the behavior of Unix cp or rcp):

  • If name-of-source is a file, name-of-destination may be a file (existing or not) or a directory (which must exist). In other words, a single file may be copied to another file or into a directory.

  • If name-of-source is two or more files, one or more directories, or a combination, name-of-destination must be an existing directory into which the copy takes place.[115] In other words, multiple files and directories may be copied only into a directory.

Both name-of-source and name-of-destination may have the following form from left to right:

  • The username of the account containing the file or directory, followed by @. This part is optional, and if omitted, the value is the username of the user invoking scp.

  • The hostname of the host containing the file or directory, followed by a colon. This part is optional, if the path is present, and the username isn’t; if omitted, the value is localhost. Tectia permits an optional TCP port number for the SSH connection to be inserted between the hostname and the colon, preceded by a hash sign.

  • The directory path to the file or directory. (Optional if the hostname is present.) Relative pathnames are assumed relative to the default directory, which is the current directory (for local paths) or the user’s home directory (for remote paths). If omitted entirely, the path is assumed to be the default directory.

Although each field is optional, you can’t omit them all at the same time, yielding the empty string. Either the hostname (•) or the directory path (•) must be present. Some examples:

MyFile

The file . /MyFile on localhost

MyDirectory

The directory ./MyDirectory on localhost

. (period)

The current directory on localhost

server.example.com:

The directory ~username on server.example.com

server.example.com

A local file named “server.example.com” (Oops: did you forget the trailing colon? This is a common mistake.)

server.example.com:MyFile

The file MyFile in the remote user’s home directory on server.example.com

:

The directory ~bob on server.example.com

A local file named "" (oops; forgot the trailing colon again)

:MyFile

The file ~bob/MyFile on server.example.com

server.example.com:dir/MyFile

The file dir/MyFile in the remote user’s home directory on server.example.com

server.example.com:/dir/MyFile

The file /dir/MyFile on server.example.com (note the absolute path)

The file ~bob/dir/MyFile on server.example.com

The file /dir/MyFile on server.example.com (although you authenticate as bob, the path is absolute)

server.example.com#2000:

The remote user’s home directory on server.example.com, via TCP port 2000 (Tectia only)

Here are a few complete examples:

    $ scp myfile myfile2                   A local copy just like cp
    $ scp myfile bob@host1:                Copy . /myfile to ~bob on host1
    $ scp bob@host1:myfile .               Copy ~bob/myfile on host1 to . /myfile
    $ scp host1:file1 host2:file2          Copy file1 from host1 to file2 on host2
    $ scp bob@host1:file1 jen@host2:file2  Same as above, but copying from bob's to jen's account

Table 7-3 summarizes the syntax of an scp path.

Table 7-3. scp path specifications

Field

Other syntax

Optional?

Default for local host

Default for remote host

a Tectia only.

Username

Followed by @

Yes

Invoking user’s username

Invoking user’s username

Hostname

Followed by :

Only if username is omitted and path is present

None, file is accessed locally

N/A

Port number a

Preceded by #

Yes

22

22

Directory path

N/A

Only if hostname is present

Current (invoking) directory

Username’s remote home directory

7.5.2 Handling of Wildcards

scp for OpenSSH has no special support for wildcards in filenames. It simply lets the shell expand them:

    $ scp *.txt server.example.com:

Watch out for wildcards in remote file specifications, as they are evaluated on the local machine, not the remote. For example, this attempt is likely to fail:

    $ scp server.example.com:*.txt .         Bad idea!

The Unix shell attempts to expand the wildcard before scp is invoked, but the current directory contains no filename matching “server.example.com:*.txt”. The C shell and its derivatives will report “no match” and will not execute scp. Bourne-style shells, noticing no match in the current directory, will pass the unexpanded wildcard to scp, and the copy may succeed as planned, but this coincidental behavior shouldn’t be relied on. Always escape your wildcards so that they are explicitly ignored by the shell and are passed to scp:

    $ scp server.example.com:\*.txt .

Tectia’s scp does its own regular expression matching after shell-wildcard expansion is complete. The sshregex manpage for Tectia (see Appendix B) describes the supported operators. Even so, escape your wildcard characters if you want your local shell to leave them alone.

7.5.3 Recursive Copy of Directories

Sometimes you want to copy not just a single file, but a directory hierarchy. In this case, use the -r option, which stands for recursive. For example, to securely copy the directory /usr/local/bin and all its files and subdirectories to another machine:

    $ scp -r /usr/local/bin server.example.com:

If you forget the -r option when copying directories, scp complains:

    $ scp /usr/local/bin server.example.com:
    /usr/local/bin: not a regular file

Although scp can copy directories, it isn’t necessarily the best method. If your directory contains hard links or soft links, they won’t be duplicated. Links are copied as plain files (the link targets). Other types of special files, such as named pipes, also aren’t copied correctly.[116] A better solution is to use tar, which handles special files correctly, and send it to the remote machine to be untarred, via SSH:

    $ tar cf - /usr/local/bin | ssh server.example.com tar xf -

or rsync, tunneled through SSH:

    $ rsync -e ssh /usr/local/bin server.example.com:

7.5.4 Preserving Permissions

When scp copies files, the destination files are created with certain file attributes. By default, the file permissions adhere to a umask on the destination host, and the modification and last access times will be the time of the copy. Alternatively, you can tell scp to duplicate the permissions and timestamps of the original files. The -p option accomplishes this:

    $ scp -p myfile server.example.com:

For example, if you transfer your entire home directory to a remote machine, you probably want to keep the file attributes the same as the original:

    $ scp -rp $HOME server.example.com:myhome/

Again, scp does not duplicate special files and links, so consider tar or rsync -a instead:

    $ rsync -a -e ssh /usr/local/bin server.example.com:

7.5.5 Automatic Removal of Original File

After copying a file, Tectia’s scp can optionally remove the original if desired. The -u command-line option specifies this:

    # Tectia
    $ scp myfile server.example.com:
    $ ls myfile
    myfile
    $ scp -u myfile server.example.com:
    $ ls myfile
    myfile: No such file or directory

If you’ve ever wanted a “secure move” command in addition to secure copy, you can define one in terms of scp -u:

    # Tectia
    $ alias smv='scp -u'

7.5.6 Safety Features

Tectia’s scp has several features to protect you from running dangerous commands.

7.5.6.1 Directory confirmation

Suppose you want to copy a local file, myfile, to a remote directory. You type:

    $ scp myfile server.example.com:mydir
    $ rm myfile

Then you connect to server.example.com and find, to your horror, that mydir was a file, not a directory, and you just overwrote it! Tectia’s -d option prevents this tragedy. If the destination isn’t a directory, scp complains and exits without copying the file:

    # Tectia
    $ scp -d myfile server.example.com:mydir
    scp: warning: Destination (example.com:mydir) is not a directory.

This option is necessary only if you are copying a single file. If you are copying multiple files or a directory, all the scp implementations check by default that the remote destination is a directory.[117]

7.5.6.2 No-execute mode

Another safety feature of Tectia’s scp is the -n option, which instructs the program to describe its actions but not perform any copying. This is useful for verifying the behavior of scp before executing a potentially risky command.

    # Tectia
    $ scp -n myfile server.example.com:
    Not transferring myfile -> server.example.com:./myfile  (1k)

7.5.6.3 Overwriting existing files

Tectia’s scp will refuse to overwrite existing files if you desire. The -I or --interactive option will prompt you before overwriting a destination file:

    # Tectia
    $ scp -I myfile server.example.com:
    Overwrite destination file './myfile' with '/home/smith/myfile' (yes/yes to all/no/no
    to all/abort) [y/Y/n/N/a]:n

As an alternative, if you know in advance whether you’ll want to overwrite existing files, use the --overwrite option (the default is no):

    # Tectia
    $ scp --overwrite yes myfile server.example.com:   Always overwrite

7.5.7 Batch Mode

If you’re using scp in scripts with passwordless authentication [11.1], you might want to suppress all prompting of the user. That’s what the -B option is for, which enables batch mode. When present, this option suppresses all interaction with the user. [7.4.6.4]

    $ scp -B myfile server.example.com:

7.5.8 User Identity

OpenSSH provides the -i option for scp, as it does for ssh, to specify a particular identity file for authentication. [7.4.2]

    # OpenSSH
    $ scp -i my_favorite_key myfile server.example.com:

Tectia has no option like this, but you can get around this limitation with - o: [7.1.2.1]

    # Tectia
    $ scp -o "IdentityFile my_identity_file" myfile server.example.com:

7.5.9 SSH Protocol Settings

You can downgrade scp to use the SSH-1 protocol with the -1 option, if you are feeling insecure:

    $ scp -1 myfile server.example.com:

or redundantly specify the SSH-2 protocol, which is the default anyway:

    # OpenSSH
    $ scp -2 myfile server.example.com:

7.5.10 TCP/IP Settings

You can specify the remote TCP port contacted by scp with the -P option (OpenSSH):

    # OpenSSH
    $ scp -P 23456 myfile server.example.com:

or by appending a hash mark and port number to the file specification (Tectia):

    # Tectia
    $ scp myfile server.example.com#23456:

Both OpenSSH and Tectia can require the use of IP Version 4 or 6, as ssh does, with the -4 and -6 options. [7.4.5.6]

7.5.11 Encryption Algorithms

You can set the encryption cipher for scp with the -c option, exactly as for ssh. [7.4.9]

7.5.12 Controlling Bandwidth

The -l (lowercase L) option of OpenSSH’s scp command will limit the bandwidth of the connection, in case you want to avoid saturating a slower network.

    # OpenSSH
    $ scp -l 1000 myfile server.example.com:      Limit bandwidth to 1000 kilobits per second

Tectia’s scp command can limit the maximum number of concurrent requests it will issue, with the -N option:

    # Tectia
    $ scp -r -N 5 mydirectory server.example.com:   Limit to five concurrent requests in this recursive directory transfer

Finally, Tectia’s -b option controls the buffer size for the file transfer; the default is 32K:

    # Tectia
    $ scp -b 65536 myfile server.example.com: Set buffer size to 64K

7.5.13 Data Compression

OpenSSH’s scp command can compress the data before sending it, with the -C option, to speed up transfers: [7.4.14]

    # OpenSSH
    $ scp -C myfile server.example.com:

Tectia does not provide a similar option, but you can get around this and enable compression with -o: [7.1.2.1]

    $ scp -o "Compression yes" myfile server.example.com:

7.5.14 File Conversion

Tectia’s scp has several options for changing the files in transit. It can change the destination filenames to all lowercase, with the --force-lower-case option:

    # Tectia
    $ scp --force-lower-case MyFile server.example.com:

The destination file on server.example.com will be named myfile rather than MyFile.

Another Tectia transformation involves the treatment of lines in a text file. scp normally transfers files literally, as binary data. You can choose to treat the files specially as text files—that is, lines of ASCII characters terminated by carriage returns and/or linefeeds—with the -a option. Unix, DOS, and Macintosh operating systems use different standards for terminating lines of text, and scp can convert between these standards.

    # Tectia
    $ scp -a my_text_file server.example.com:

The above command assumes that the SSH client and server can accurately communicate and agree upon the text file standards. If not, you can use a more advanced syntax for -a that specifies the line terminators as unix, dos, or mac. This is done by placing src: (for the source machine) and dst: (for the destination machine) after the -a option. Some examples:

    # Tectia
    $ scp -asrc:unix -adst:dos myfile server.example.com:  Convert from Unix to DOS/Windows format
    $ scp -asrc:dos -adst:mac myfile server.example.com:   Convert from DOS/Windows to Macintosh format
    $ scp -asrc:mac -adst:unix myfile server.example.com:  Convert from Macintosh to Unix format

7.5.15 Optimizations

Tectia’s scp does a few optimizations to avoid transferring unnecessary files and data. Before coping a file, scp compares the file sizes. If they are different, the copy commences, but if they are the same, scp computes an MD5 checksum of the source and destination file. If the checksums are equal, the files are assumed to be identical and no copy takes place, and you’ll see a message like this:

    myfile: complete md5 match -> transfer skipped

If you always want your files copied, even if they are identical (i.e., have equal checksums), you can disable the MD5 test with the --checksum option, providing the value no:

    # Tectia
    $ scp --checksum no myfile server.example.com:   Don't compute checksums for files

Tectia’s scp performs similar checking on individual data blocks to determine whether to transfer them or not. You can control this with the -W or --whole-file options, providing the value yes or no:

    # Tectia
    $ scp --whole-file yes myfile server.example.com:   Always transfer whole files

7.5.16 Statistics Display

As scp copies files, it prints information about its progress, including statistics about the file transfer. You can control this information with various options.

OpenSSH simply lets you suppress the statistics with its -q option:

    # OpenSSH
    $ scp -q myfile server.example.com:

Tectia can likewise suppress statistics with the -Q option (Tectia).

    # Tectia
    $ scp -Q myfile server.example.com:

but permits more control with the --statistics option:

    # Tectia
    $ scp --statistics no myfile server.example.com:   Same as -Q option

    $ scp --statistics simple myfile server.example.com:  Minimal statistics
    /home/smith/myfile |    4B |    4B/s | TOC: 00:00:01

    $ scp --statistics yes myfile server.example.com:  Full statistics
    myfile                                     |    4B |    4B/s | TOC: 00:00:01 | 100%

7.5.17 Locating the ssh Executable

To copy files securely, scp invokes ssh internally. Therefore, scp needs to know where the ssh executable resides on disk. Normally, the path to ssh is made known to scp at compile time (by the compile-time flag --prefix), but you can specify the path manually if you like. [4.3.5.1] For instance, you can test a new version of ssh with an old version of scp. The command-line option -S specifies the path:

    $ scp -S /usr/alternative/bin/ssh myfile server.example.com:

7.5.18 Getting Help

Both OpenSSH and Tectia scp will print a usage message briefly describing all its options:

    $ scp --help

You can get the same effect if you omit all arguments (OpenSSH) or use -h (Tectia). Tectia will also print its version number on request:

    # Tectia
    $ scp --version
    $ scp -V

7.5.19 For Internal Use Only

scp for OpenSSH has two undocumented options, -t and -f, for internal use. Most likely you will never need to use them explicitly. They inform scp of the direction of the copy: from the local to the remote machine, or from remote to local. The -t option means copying to a remote machine and -f means copying from a remote machine.

Whenever you invoke scp, it invisibly runs a second scp process on the remote host that includes either -t or -f on its command line. You can see this if you run scp in verbose mode. If copying from the local to the remote machine, you see:

    $ scp -v myfile server.example.com:
    Executing: host server.example.com, ..., command scp -v -t .
    ...

On the other hand, if you copy from the remote to the local machine, you see:

    $ scp -v server.example.com:myfile .
    Executing: host server.example.com, ..., command scp -v -f .
    ...

Again, it’s likely you’ll never use these options, but they’re useful to know when reading scp’s output in verbose mode.

7.5.20 Further Configuration

You can set any client configuration keywords for scp using the -o option, exactly as for ssh. Additionally, OpenSSH lets you specify an alternative configuration file with -F. [7.1.2.1]


[115] We say “must,” but technically you could specify a file as a destination in some cases. However, this behavior is probably not what you want. As your multiple files get copied into a single destination file, each is overwritten by the next!

[116] These limitations also are true when copying single files, but at least you see the erroneous result quickly. With directories, you can copy a hierarchy incorrectly and not notice.

[117] There’s one degenerate case. If your copy occurs on a single machine, e.g., scp *.c mydir, the scp client doesn’t necessarily check that mydir is a directory.