Friday, March 7, 2008

Securely copy files between servers without password

I've been asked many times to set up a quick, simple way to copy files between servers from within a script (without entering a password) while still maintaining a high level of security. IMHO, SSH is the best choice for this, since the two servers have to agree on a cipher that they will use to encrypt and decrypt the data, which prevents it from being sniffed on the wire. So I put together this quick primer on how to do it with two of the most common SSH implementations.

Assumptions:
Remote Server is the server you will be copying TO.
Local Server is the server you will be copying FROM.
Your servers are Unix, running either F-Secure SSH or OpenSSH. I've done this on Windows as well, and it works fine, but I won't be covering the Windows platform here today.

OpenSSH:

1. From the local server, log in as the user you want to ssh as, run ssh-keygen -t dsa to generate an ssh key. For passwordless ssh/scp, hit enter when prompted for a passphrase.

2. Copy the public key (it will have a .pub extension), located in the user's $HOME/.ssh directory, into the remote user's $HOME/.ssh directory on the remote server (create the .ssh directory with read/write permissions for the user if it doesn't already exist).

3. From the remote server, append the contents of the public key file to the file authorized_keys with cat id_dsa.pub >> authorized_keys (id_dsa.pub is the default file name for a key generated with -t dsa). Give the authorized_keys file 600 permissions.

4. From the local server, test the host keys with a passwordless ssh:
ssh user@host

If the keys were setup correctly, you will be dropped to a prompt on the remote server without being prompted for a password.

5. Now you can use either ssh or scp from a script for a passwordless connection to, or copy to, the remote host.

F-Secure:

1. From the local server, log in as the user you want to ssh as, run ssh-keygen -t dsa to generate an ssh key. For passwordless ssh/scp, hit enter when prompted for a passphrase.

2. Copy the public key (will have a .pub extension), located in the user's $HOME/.ssh2 directory, to the remote server to the remote user's $HOME/.ssh2 directory (create the .ssh2 directory with read/write permissions if it doesn't already exist).

3. From the remote server, give the public key 600 permissions and create a file called authorization in the user's $HOME/.ssh2 directory. In the authorization file, put a Key entry followed by the location of the public key file, and give the authorization file 600 permissions as well. Example entry:

$ cat authorization
Key /home/test/.ssh2/id_dsa_2048_a.pub
$

4. From the local server, create a file in the user's $HOME/.ssh2 directory called identification, give it 600 permissions, and add an entry called IdKey followed by the location of the private key file. Example entry:

$ cat identification
IdKey /home/test/.ssh2/id_dsa_2048_a
$

5. From the local server, test the host keys with a passwordless ssh:
ssh user@host

Note:
Make sure the file permissions on the key files, on authorized_keys (OpenSSH), and on the identification/authorization files (F-Secure) are correct, as the cause of the connection failure is not apparent from the error message, even with ssh -v (verbose) turned on.
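As an added example (not part of the original post), here is a small POSIX shell checker for the OpenSSH-side modes that the steps above and this note depend on: the home directory, the .ssh directory, authorized_keys, and the private key. It assumes the default OpenSSH layout ($HOME/.ssh with id_* key names) and either GNU stat or BSD stat.

```shell
#!/bin/sh
# Added example, not from the original post: verify the file modes that the
# passwordless-OpenSSH steps require. Assumes the default $HOME/.ssh layout
# and either GNU stat (-c) or BSD stat (-f).

# Octal permission bits of a path.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mode PATH MAX: fail if PATH has any permission bit that MAX does not.
check_mode() {
    [ -e "$1" ] || { echo "MISSING $1"; return 1; }
    have=$(mode_of "$1")
    if [ $(( 0$have & ~0$2 )) -ne 0 ]; then
        echo "BAD     $1 is $have, expected at most $2"
        return 1
    fi
    echo "OK      $1 ($have)"
}

# check_ssh_dir DIR: check DIR (normally $HOME/.ssh) the way the setup steps
# and the note above require. Returns non-zero if anything needs fixing.
check_ssh_dir() {
    dir=$1; rc=0
    # sshd (StrictModes, the default) rejects the key if the home directory
    # that holds .ssh is group- or world-writable.
    check_mode "$(dirname "$dir")" 755 || rc=1
    check_mode "$dir" 700 || rc=1
    if [ -e "$dir/authorized_keys" ]; then
        check_mode "$dir/authorized_keys" 600 || rc=1
    fi
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac   # public halves may stay 644
        # A passphrase-less private key is protected only by this mode.
        check_mode "$key" 600 || rc=1
    done
    return $rc
}
```

Run check_ssh_dir "$HOME/.ssh" on both ends before assuming the keys themselves are wrong; the 600 check on the private key matters most, because a key with no passphrase is only as safe as the file mode that guards it.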
