2

When I need to copy some files between two remote servers, I usually

scp -3 user@server1:path user@server2:path

Unfortunately, since that routes traffic through my machine, that is very slow when the files are "big" and the servers "near" one another...

Do you know of any way to have the "direct transfer" behaviour of the regular scp (i.e. no -3), while delegating authentication to my machine (i.e. like -3)?

...maybe with some scp alternative?

giorgiga
  • How about not using the `-3` flag **and** making sure that you've got the ssh authentication agent working, and are passing the connection appropriately? That still delegates all the authentication to you, but has the copy done directly. – MadHatter Jul 31 '14 at 15:55
  • Not sure I'm doing this right (I confess my ignorance), but when I "scp server1:samplefile server2:samplefile" it says "Host key verification failed. lost connection"... I have public key auth to both hosts from my machine, so I always thought that meant scp was trying to authenticate from server1 to server2 and it failed because server1 has no credentials to access server2 (nor do I want it to) – giorgiga Jul 31 '14 at 16:05
  • @giorgiga You are mostly right about the "scp was trying to authenticate from server1 to server2" part. The error message you are getting is a bit earlier in the process though, as it is not about credentials, but rather about the host key. You'd have to manually `ssh` from `server1` to `server2` or vice-versa once to store the host key in `~/.ssh/known_hosts` or copy the relevant line from the client. – kasperd Jul 31 '14 at 16:10
  • @giorgiga You say you don't want `server1` to have credentials to access `server2`. Is it the same the other way? I.e. would it be ok for `server2` to have credentials to access `server1`? Is it ok, if the server has the credentials only temporarily, so they can be used for the duration of the copy and not after that? – kasperd Jul 31 '14 at 16:14
  • kasperd, thanks for the point about `Host key verification failed`. As for the access to credentials, if he has the authentication agent working **neither** server1 **nor** server2 have access to the secret key. – MadHatter Jul 31 '14 at 16:15
  • I just tried and I can confirm known_hosts doesn't help ("Permission denied (publickey). lost connection"). But.. nice catch @kasperd! I didn't realize known_hosts was blocking me! – giorgiga Jul 31 '14 at 16:19

2 Answers

3

The closest suggestion I can come up with is using ssh-agent:

  1. Start an agent, if you don't already have one: `ssh-agent bash`
  2. Load a key: `ssh-add`
  3. ssh to one host and have it initiate a copy to/from the other: `scp user@server1:path user@server2:path`

Instead of using scp without the -3 flag, you can explicitly ssh to one host and start scp, then you get to decide if you will ssh to server1 or server2. With the command I gave above, scp will choose one for you.

From a security perspective there is a danger in using ssh-agent, as the server will have full access to using keys in your agent even for other purposes than this file transfer.

If you don't want to trust either server with access to the other, but want to ensure that only the client host has access to the keys and the servers communicate securely with each other, but will only transfer the file you have specified and do nothing else, then you are going to need some different tool. I don't think that can be achieved with scp.

kasperd
0

Why can't you use public key authentication, `ForwardAgent yes` in `.ssh/config`, and just `scp user@server1:path user@server2:path`? I've tried it and it works for me.
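
The agent-forwarding approach from both answers, as an added example (not code from either answerer): `scoped_copy` starts the copy on server1 with a throwaway agent that holds one key for a limited time, and `audit_forward_agent` lists the blocks of an ssh config that forward the agent. The function names, the key file argument and the 600-second lifetime are assumptions.

```shell
#!/bin/sh
# Added example. KEYFILE, SRC_HOST (e.g. user@server1), SRC_PATH and
# DEST (e.g. user@server2:path) are placeholders supplied by the caller.

# scoped_copy KEYFILE SRC_HOST SRC_PATH DEST
# Log in to SRC_HOST with agent forwarding and let it run scp to DEST.
# The agent is started for this command only, holds only KEYFILE, drops it
# after 600 s, and exits when the copy ends. While the session is open,
# SRC_HOST can still ask the agent to sign with that key for any purpose.
# KEYFILE must be authorized on both servers, and SRC_HOST must already have
# DEST's host key in its known_hosts. Paths containing spaces are not
# handled, because the remote shell re-splits the command.
scoped_copy() {
  ssh-agent sh -c '
    ssh-add -t 600 "$1" &&
    ssh -A "$2" scp "$3" "$4"
  ' sh "$@"
}

# audit_forward_agent FILE
# Print the Host/Match line of every block in an ssh_config-style FILE whose
# ForwardAgent value is anything other than "no". "(global)" means the
# setting appears before the first Host or Match line.
audit_forward_agent() {
  awk '
    # Strip indentation and accept "Key=value" as well as "Key value".
    { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
    /^#/ || NF == 0 { next }
    tolower($1) == "host" || tolower($1) == "match" { block = $0; next }
    tolower($1) == "forwardagent" && tolower($2) != "no" {
      print (block == "" ? "(global)" : block)
    }
  ' "$1"
}
```

A `Host *` line in the audit output means every server you log in to gets use of the agent, not only the one running the copy.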