How To Use SCP (Secure Copy) With SSH Key Authentication

Anybody who administers Linux machines doubtless is aware of safe shell. With out this instrument, administering these servers remotely can be fairly difficult. It could additionally turn into more durable to maneuver recordsdata forwards and backwards, a minimum of with a modicum of safety. That’s the place safe copy comes into play. With the SCP command, you’ll be able to copy recordsdata to and from a distant Linux server via an encrypted SSH tunnel.

SEE: Easy methods to View Your SSH Keys in Linux, macOS, and Home windows

Nevertheless, with the assistance of SSH key authentication, you may make that much more safe. I wish to present you the way you should utilize safe key authentication and SCP so you’ll be able to relaxation assured your recordsdata are being moved forwards and backwards securely. I’ll show on an Elementary OS shopper and Ubuntu 16.04.1 server and assume you have got a safe shell put in and dealing.

SSH keys

The very first thing that have to be carried out is to create an SSH key pair. To do that, open up a terminal window and challenge the command:

ssh-keygen -t rsa

You can be requested to call the file (use the default) and provides the keypair a passphrase.

As soon as the important thing’s randomart prints, your key is able to go.

The subsequent step is to repeat the important thing to the distant server. That is carried out with the command:

ssh-copy-id USER@SERVER

The place USER is the username of the distant server, and SERVER is the tackle of the distant server.

You can be prompted for the distant consumer password. When you efficiently authenticate, the general public key will probably be copied to the server. You’re able to go.

SEE: Securing Linux coverage (Tech Professional Analysis)

Utilizing SCP together with your key

Now that our keys are in all the fitting locations, let’s see how we will use them via SCP. Assuming you accepted the default identify on your SSH key upon creation, the command to ship a file to your distant server utilizing your SSH secret is:

scp -i ~/.ssh/id_rsa.pub FILENAME USER@SERVER:/residence/USER/FILENAME

The place FILENAME is the identify of the file, USER is the username on the distant machine, and SERVER is the tackle of the distant server.

Try to be prompted for the SSH key password (not the consumer password). As soon as authenticated, the file will probably be transferred.

The identical holds true if it’s essential to pull a file from the distant server. The construction of that command can be:

scp -i ~/.ssh/id_rsa.pub USER@SERVER:/residence/USER/FILENAME /residence/USER/FILENAME

Once more, you can be requested on your SSH key password, and the file will probably be pulled from the server and copied to the native machine.

SEE: Easy methods to Add an SSH Fingerprint to Your known_hosts File in Linux

Neglect that password

Let’s say you might be about to bear an extended session of copying recordsdata to your server. Positive, you could possibly tar all of them up into one larger file. However say they should all be positioned in several directories. That’s loads of typing. You can also make this barely extra environment friendly through the use of the ssh-agent and ssh-add instructions.

That’s proper, utilizing the mixture of SCP, SSH key authentication, and ssh-agent works properly. This can preserve you from having to sort that SSH key password each time you challenge the SCP command. The one caveat is that you could keep in mind the PID of the agent session and kill it if you’re carried out.

Right here’s what it’s a must to do.

1. Earlier than issuing the SCP command challenge eval ssh-agent to begin the session.
2. Make an observation of the Course of ID you might be given when the session begins.
3. Add your SSH key to the session with the command ssh-add.
4. Begin utilizing SCP to repeat your recordsdata.

That’s all there may be to it. While you’re carried out with the session, guarantee to challenge the command kill PID (the place PID is the precise quantity given to you if you began the ssh-agent session with eval).

SEE: 20 fast tricks to make Linux networking simpler (free PDF) (TechRepublic)

Is SCP nonetheless safe?

Somebody asking if SCP is safe has doubtless learn the 2019 launch announcement for OpenSSH 8.0, which acknowledged that the SCP protocol is “outdated, rigid and never readily mounted” and beneficial SFTP and Rsync as options for file switch.

Earlier than OpenSSH 8.0, SCP couldn’t confirm file integrity throughout transfers, leaving customers uncovered to unauthorized overwrites and injection assaults if their server was compromised (CVE-2019-611). Nevertheless, the replace launched stricter filename checking because the default for the SCP command, making it safer, and moved its earlier non-checking conduct to the command scp -T.

Then, in OpenSSH 9.0, launched in 2022, SFTP was adopted because the default backend for SCP as a substitute of the legacy SCP/RCP protocol, that means that transfers are actually encrypted and authenticated with the SSH protocol. Whereas broadly thought to be safe, customers ought to nonetheless be cautious of different dangers like misconfigured servers or outdated software program variations.

What can I exploit as a substitute of SCP?

• SFTP: Whereas SCP defaults to utilizing the SFTP protocol, you’ll be able to think about using native SFTP shoppers for superior file administration because it permits for extra operations, equivalent to viewing directories and file deletion.
• Rsync: Ideally suited for synchronizing recordsdata and directories, particularly for incremental backups and huge datasets. See TechRepublic’s information on how you can again up a community utilizing Rsync.
• FTPS: A safe choice for conventional FTP transfers with SSL/TLS encryption, however it may be complicated to configure.
• HTTPS-based instruments: Comparable to curl or wget, for safe downloads over HTTPS. That is nice for automation, however they don’t present full listing administration like SFTP.

Fiona Jackson up to date this text in January 2025.