How to use SCP (Secure Copy) with SSH key authentication

Anyone who administers Linux machines is probably familiar with secure shell. Without this tool, administering these servers remotely would be quite difficult. It would also become harder to move files back and forth, at least with some security. That's where secure copy comes into play. The SCP command lets you copy files to and from a remote Linux server through an encrypted SSH tunnel.

However, with the help of SSH key authentication, you can make it even more secure. I want to show you how you can use secure key authentication and SCP to ensure that your files are moved back and forth securely. I'll demonstrate on an Elementary OS client and an Ubuntu 16.04.1 server and assume you have secure shell installed and working.

SSH keys

The first thing to do is create an SSH key pair. To do this, open a terminal window and issue the command:

ssh-keygen -t rsa

You'll be prompted to name the file (use the default) and give the key pair a passphrase.

Once the key's randomart prints, your key is ready to go.

The next step is to copy the key to the remote server. This is done with the command:

ssh-copy-id USER@SERVER

Where USER is the username on the remote server, and SERVER is the address of the remote server.

You'll be prompted for the remote user's password. Once you successfully authenticate, the public key will be copied to the server. You're ready to go.

Use SCP with your key

Now that our keys are in all the right places, let's see how we can use them through SCP. The -i option takes the private key (identity) file, id_rsa, not the public id_rsa.pub. Assuming you accepted the default name for your SSH key upon creation, the command to send a file to your remote server with your SSH key is:

scp -i ~/.ssh/id_rsa FILENAME USER@SERVER:/home/USER/FILENAME

Where FILENAME is the name of the file, USER is the username on the remote machine, and SERVER is the address of the remote server.

You should be prompted for the SSH key password (not the user password). Once verified, the file will be transferred.

The same applies if you need to pull a file from the remote server. The -i option again takes the private key file. The structure of that command would be:

scp -i ~/.ssh/id_rsa USER@SERVER:/home/USER/FILENAME /home/USER/FILENAME

Again, you'll be prompted for your SSH key password, and the file will be pulled from the server and copied to the local machine.

Forget that password

Let's say you're about to undergo a long session of copying files to your server. Of course, you could tar them all into one larger file. But say they must all go into different folders. That's a lot of typing. You can make this slightly more efficient by using the ssh-agent and ssh-add commands.

That's right, the combination of SCP, SSH key authentication, and ssh-agent works well. This will prevent you from having to type that SSH key password every time you issue the SCP command. The one caveat is that you need to remember the PID of the agent session and kill it when you're done.

Here's what you need to do.

  1. Before issuing the SCP command, issue eval "$(ssh-agent)" to start the session.
  2. Make a note of the process ID you are given when the session starts.
  3. Add your SSH key to the session with the command ssh-add.
  4. Start using SCP to copy your files.

That's all there is to it. When you're done with the session, be sure to issue the command kill PID (where PID is the actual number given to you when you started the ssh-agent session with eval).
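The session above as a script, added here as an example (not part of the original article): it starts the agent, adds the key once, copies every file listed in a manifest, and kills the agent on exit so the PID does not have to be tracked. The manifest format, the function names and the SCP override variable are assumptions made for this example.

```bash
#!/bin/sh
# Added example: one ssh-agent session for a batch of scp copies.
# SCP is a hypothetical override hook (not an scp feature) for dry runs, e.g. SCP=echo.
SCP="${SCP:-scp}"

# copy_batch USER@SERVER MANIFEST
# MANIFEST lines: "<local file> <remote directory>" (no spaces in either field).
# Blank lines and lines starting with # are skipped. Succeeds only if every copy did.
copy_batch() (
    target="$1"; manifest="$2"; failed=0
    while read -r src dest; do
        case "$src" in ''|'#'*) continue ;; esac
        if [ -z "$dest" ]; then
            echo "skipped (no destination): $src" >&2
            failed=$((failed + 1))
            continue
        fi
        # "--" ends option parsing, so a file named like "-oFoo" is not read as a flag.
        $SCP -- "$src" "$target:$dest/" </dev/null || failed=$((failed + 1))
    done < "$manifest"
    [ "$failed" -eq 0 ]
)

# agent_session USER@SERVER MANIFEST
# The body runs in a subshell: the agent exists only for this batch, and the EXIT
# trap kills it even when a copy fails, so there is no PID to write down.
agent_session() (
    eval "$(ssh-agent -s)" >/dev/null || exit 1   # sets SSH_AUTH_SOCK, SSH_AGENT_PID
    trap 'ssh-agent -k >/dev/null' EXIT           # -k kills the agent in SSH_AGENT_PID
    ssh-add || exit 1                             # one passphrase prompt for all copies
    copy_batch "$1" "$2"
)

# Run as: sh batch.sh USER@SERVER manifest.txt
if [ "$#" -eq 2 ]; then
    agent_session "$1" "$2"
fi
```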

Is SCP still safe?

Someone asking if SCP is safe probably has in mind the 2019 release announcement for OpenSSH 8.0, which stated that the SCP protocol was "outdated, inflexible, and not readily fixed" and recommended SFTP and Rsync as file transfer alternatives.

Prior to OpenSSH 8.0, SCP could not verify file integrity during transfers, leaving users exposed to unauthorized overwrites and injection attacks if their server was compromised (CVE-2019-611). However, the update introduced stricter filename checking as the default for the SCP command, making it safer, and moved its earlier no-checking behavior to the command scp -T.

Then, in OpenSSH 9.0, released in 2022, SFTP was adopted as the default backend for SCP instead of the legacy SCP/RCP protocol, meaning that transfers are now encrypted and authenticated using the SSH protocol. Although SCP is generally considered safe, users should still be wary of other risks such as misconfigured servers or outdated software versions.

What can I use instead of SCP?

  • SFTP: While SCP defaults to using the SFTP protocol, you may consider using native SFTP clients for advanced file management, as they allow more operations such as viewing directories and deleting files.
  • Rsync: Ideal for synchronizing files and folders, especially for incremental backups and large data sets. See TechRepublic's guide on backing up a network with Rsync.
  • FTPS: A secure option for traditional FTP transfers with SSL/TLS encryption, but it can be complicated to set up.
  • HTTPS-based tools: Such as curl or wget for secure downloads over HTTPS. They're great for automation, but they don't offer full directory management like SFTP.

Fiona Jackson updated this article in January 2025.
