SSH, SCP, and SFTP
Light at the End
The secure shell gives you an option for securing other Internet services against sniffing via tunneling. To secure an otherwise-unencrypted protocol (such as POP3), forwarding TCP/IP connections to a remote machine by means of an encrypted protocol makes sense. The use of SSH as a SOCKS proxy is another elegant application that lets users transfer encrypted data via a web browser. Setting up a tunnel to a proxy also avoids web content censorship, which is a useful feature in countries that block some websites. If you have a shell account on a machine in a less restrictive country, this approach can give you unimpeded web access.
To start, enable the proxy with the SSH -D option, and at the same time pass in a freely selectable port number. In this scenario, the -f and -N parameters also are useful. The former pushes ssh into the background after logging in and before executing commands, and the latter tells ssh that no commands are to follow; for example:
$ ssh -fN -D 1080 Proxy
After entering the password, the prompt reappears and the shell is ready to accept further instructions. That's all there is to it – the SOCKS proxy is waiting for something to do.
The next step is to set up the SSH client as a SOCKS proxy in the network configuration for the program in question. If this is the Firefox web browser, you can select Edit | Preferences and go to General | Network.
In Connection, click Settings, enable the manual proxy configuration, enter the IP address 127.0.0.1 and the port you previously selected in the SOCKS Host field. SOCKS versions 4 and 5 are available; when in doubt, check the ssh man page to see which version your SSH installation supports. After accepting these changes in Firefox, you can type an address in your browser's address box to verify the connection: http://www.myipaddress.com/; you should see the IP for the remote machine.
Interactive with sftp
In contrast to scp, users work interactively with sftp, just as in any "normal" ftp session. Secure ftp does not expect an ftp server at the other end of the connection, but rather an SSH daemon and, thus, a shell account. As with SSH, set up a connection to the target computer at the command line:
$ sftp huhn@macnugget
After entering your password, you will see the sftp> prompt, which tells you that the program is ready and waiting for further input.
The sftp program is not much different from those used by other shell-based ftp clients; however, you can't set the transfer mode (ASCII or binary) before transferring data because files are sent as-is across the network.
Secure ftp also has some advanced functions for modifying file permissions and ownership. For a comprehensive overview of the available commands, see the help command.
Some practical command-line options facilitate working with sftp. For example, the -C parameter for enabling data compression not only is available for ssh and scp, but also for sftp. The -b <file> option lets you pass in a batch file with the commands you want to run to sftp; however, this will work only if you do not need to enter a password to log in.
If you are interested in a graphical client for sftp, the answer is quite simple: Both KDE's Konqueror and Gnome's Nautilus support sftp perfectly. Just enter the following in the address line of either application,
and then authenticate with the correct password to use sftp, just like your local file manager.
- Free SSH implementation, OpenSSH: http://openssh.org
Buy this article as PDF
Kernel king admits his tone has alienated volunteers, but says the demands of the process require directness.
New flaw in an old encryption scheme leaves the experts scrambling to disable SSL 3
Lennart Poettering wants to change the way Linux developers talk to each other.
Enterprise giant frees itself from ink and home PCs (and visa versa).
Mozilla’s product think tank sinks silently into history.
TODO group will focus on open source tools in large-scale environments.
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.