ssh-ecurity — Part 8: Along for the free ride...
"Order now and we'll throw in a second deluxe late night TV infomercial item that you don't really need ABSOLUTELY FREE! Just pay shipping and handling!" Doesn't that just sound too good to be true? I too like free stuff, especially if it's useful to me. Two-for-the-price-of-one deals like those on the late night infomercials are not free. Those offers usually say to me that the item is such crap that you'll be needing a second one as a backup for when the first one fails. What I like are the freebies that come along for the ride; things I get by virtue of some other item. It's an added bonus if that something that comes along for free is truly useful, doesn't duplicate something I already have, makes something I already have better, or makes my life simpler. With ssh, a couple of things come along for the ride. Free, better and simpler!
I've already touched upon one of the come-along-for-the-ride items with ssh; that is sftp. I used it in the installment about public-private keys to securely transfer the generated public key to the remote system. If you are familiar with ftp, you've already got a head start with sftp. sftp's usage is very similar to that of its older brethren ftp.
With ftp, you connect to a remote server which has the files you want to retrieve or where you want to deposit files. You then authenticate yourself. Once that has been done, you can send files (put), acquire files (get), list the contents of directories, move about in the directory structure, create and remove directories, and delete files. Using sftp, the process is very much the same, and many of the commands you are familiar with from ftp are available with sftp. The only difference is that your session is carried over an encrypted channel.
One of the things I like about sftp is that I do not need to tell the server that I am sending an ASCII file (text mode) or an image file (binary mode) like I did with ftp. In fact, I have, many times, forgotten to set the transfer mode when using ftp and the result was often a file which was not usable. Using sftp, I no longer worry about that. I can put and get files of either type without a problem. In fact, I seldom use ftp today except for those rare occasions where the site I must send or retrieve files to and from has not yet discovered the virtues of ssh and sftp.
Once you have established yourself with ssh to a remote host, whether it be with host key or public-private key authentication, you are already established as an sftp user with that same host. You can sftp to that host, supply authentication information if required, and then transfer files to and fro. Nearly all of the ftp commands you already know — put, get, pwd, cd, rm, mkdir — are available for use with sftp. Because the learning curve isn't steep, I'm sure you'll start using sftp straight away.
If you've established public-private key authentication with the host, you can transfer files without supplying a username and password just as you can connect without username and password when using ssh. This is highly useful for automating file transfers from system to system. Because public-private key authentication can be configured without a passphrase, you can place sftp in an OpenVMS command procedure, or a Mac OS X or Linux script. The files you need to transfer to and fro are then listed in a separate file called the batchfile and this file is identified on the sftp command line used to connect to the remote system. This is a very useful feature!
Let's take a look at a silly but simple example of batch sftp in action. Suppose you have several OpenVMS hosts on a network and you maintain the same LOGIN.COM procedure on each. If you edit the LOGIN.COM on one system to add a new symbol definition, you need to distribute it to all of the other systems to maintain parity.
OPNVMS$ EDIT BATCHFILE.TXT
put LOGIN.COM
OPNVMS$ EDIT COPYLOGIN.COM
$ SFTP "-B" BATCHFILE.TXT username@moe.stooges.com
$ SFTP "-B" BATCHFILE.TXT username@larry.stooges.com
$ SFTP "-B" BATCHFILE.TXT username@curly.stooges.com
$ SFTP "-B" BATCHFILE.TXT username@shemp.stooges.com
$ SFTP "-B" BATCHFILE.TXT username@joe.stooges.com
$ SFTP "-B" BATCHFILE.TXT username@curlyjoe.stooges.com
$ @COPYLOGIN
LOGIN.COM | 10kB | 10.4 kB/s | TOC: 00:00:01 | 100%
LOGIN.COM | 10kB | 9.8 kB/s | TOC: 00:00:01 | 100%
LOGIN.COM | 10kB | 12.2 kB/s | TOC: 00:00:01 | 100%
LOGIN.COM | 10kB | 10.2 kB/s | TOC: 00:00:01 | 100%
LOGIN.COM | 10kB | 14.4 kB/s | TOC: 00:00:01 | 100%
LOGIN.COM | 10kB | 15.1 kB/s | TOC: 00:00:01 | 100%
$
Not necessarily the best use for batch sftp, but it does illustrate the point.
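The same LOGIN.COM distribution, rewritten for a Mac OS X or Linux shell as an added example that is not from the original post: it pushes one file to every host with batch-mode sftp over a passphrase-less key, and it is set to fail closed rather than hang on a password prompt or silently accept a new host key. It assumes an OpenSSH sftp client (the -b, BatchMode and StrictHostKeyChecking options), keys already deployed on every host, and the hostnames from the post; SFTP_CMD is a hypothetical override so a wrapper can stand in for sftp during testing.

```shell
#!/bin/sh
# Push one file to several hosts with batch-mode sftp and key authentication.
# Added example, not from the original post. Assumes an OpenSSH sftp client,
# a passphrase-less key already installed on every host, and every host's
# key already in known_hosts. Hostnames are the post's own examples;
# SFTP_CMD is a hypothetical override so a wrapper can stand in for sftp.

SFTP_CMD="${SFTP_CMD:-sftp}"
HOSTS="moe.stooges.com larry.stooges.com curly.stooges.com"
HOSTS="$HOSTS shemp.stooges.com joe.stooges.com curlyjoe.stooges.com"

# write_batchfile FILE BATCHFILE: the sftp commands run against every host
write_batchfile() {
    printf 'put %s\nquit\n' "$1" > "$2"
}

# distribute FILE USER HOST...: run the batch on each host and fail closed.
# Prints each host that failed, one per line; returns the failure count.
distribute() {
    file=$1; user=$2; shift 2
    batch=$(mktemp) || return 1
    write_batchfile "$file" "$batch"
    failed=0
    for host in "$@"; do
        # BatchMode=yes: never prompt for a password, so an unattended
        # run fails instead of hanging. StrictHostKeyChecking=yes: abort
        # on an unknown or changed host key instead of trusting it.
        if ! "$SFTP_CMD" -b "$batch" \
                -o BatchMode=yes -o StrictHostKeyChecking=yes \
                "$user@$host" >/dev/null; then
            echo "$host"
            failed=$((failed + 1))
        fi
    done
    rm -f "$batch"
    return "$failed"
}

# Usage: sh copylogin.sh LOGIN.COM username   (no-op without arguments)
if [ "$#" -eq 2 ]; then
    distribute "$1" "$2" $HOSTS || echo "$? host(s) failed" >&2
fi
```

Checking each host's exit status is what makes this safe to run unattended: a host that rejected the key or presented a changed host key is reported instead of being silently skipped.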
For simple, one-off file copies such as in the above example, I really wouldn't use sftp. Instead, I'd use another along-for-the-ride freebie of ssh: scp. scp is secure copy. This command can do all of the above without the intermediary edits to create the batch file. The syntax is fairly simple too:
$ scp from-username@from-hostname:from-filename to-username@to-hostname:to-filename
Thus, using the same example of copying the LOGIN.COM file as above, this becomes:
$ SCP LOGIN.COM username@moe.stooges.com:
login.com | 10kB | 10.4 kB/s | TOC: 00:00:01 | 100%
$ SCP LOGIN.COM username@larry.stooges.com:
login.com | 10kB | 9.8 kB/s | TOC: 00:00:01 | 100%
$ SCP LOGIN.COM username@curly.stooges.com:
login.com | 10kB | 12.2 kB/s | TOC: 00:00:01 | 100%
$ SCP LOGIN.COM username@shemp.stooges.com:
login.com | 10kB | 10.2 kB/s | TOC: 00:00:01 | 100%
$ SCP LOGIN.COM username@joe.stooges.com:
login.com | 10kB | 14.4 kB/s | TOC: 00:00:01 | 100%
$ SCP LOGIN.COM username@curlyjoe.stooges.com:
login.com | 10kB | 15.1 kB/s | TOC: 00:00:01 | 100%
The only issue with scp concerns the copying of files to and from OpenVMS and non-OpenVMS systems. The OpenVMS TCPIP Services implementation of scp does not implement the scp1 protocol which many other SCP clients (Mac OS X and Linux) are still using. The third-party TCP/IP stacks (MultiNet and TCPware) do support it. I simply fall back to sftp when this is the case.
Of course, these were examples for illustration purposes. I don't actually distribute my LOGIN.COM file and, if I did, it wouldn't be something I'd do so readily that I'd have a script devised to handle it. However, I do have several web sites which do need to share content. Using ssh, sftp and scp with public-private key authentication in a web script is one way to conveniently, easily and securely share information with such configurations. Perhaps, in the next installment, I'll explore some things which I've done with respect to employing ssh, sftp and scp.