Pantek Library

RE: SCP help

From: wjnorth <wjnorth(at)earthlink.net>
Date: Wed May 28 2003 - 12:24:20 EDT


This is just my personal opinion.

First off, by storing a password in a file on your local file system, you've defeated the purpose of using SCP. I say this because even if that file is encrypted you have to decrypt somehow, and if you choose to automate the entire process you have to store the decryption key somewhere as well (vicious cycle), as such you've essentially rendered your entire encryption session (not to mention the integrity of the session, since you can't be sure someone hasn't compromised that file) null.

Using standard FTP you use .netrc, cool thing, but you have to be really brave when considering the possible ramifications of using this.

There are a couple of options you have with SCP.

  1. Create keys without passwords and use key exchanges rather than password challenges.
  2. Reference the following URL: http://www.akadia.com/services/ssh_agent.html for unattended batch jobs, this will work with SCP as well.

NOTE: This site also references using the ssh-agent, which is actually a good idea, with a password, this way you can start up trusted hosts every time the system reboots, if you have passwords associated with your private key, the agent will prompt for the password, still manual, but once the keys are authenticated, key authentication should ensue. Which means, you'd be able to use SCP without having to deal with a challenge.

2. Host based authentication (which is not a very good idea)

  1. Reference the following URL: http://www.indiana.edu/~rats/research/steel/ssh2-setup.shtml

Either way you do it, I would highly suggest you do not use a method that stores a password in some file, using something like expect, would still require the storage of the password in some format or another, and to me that just leads to future issues.

IMHO ;-)
-Wesley North

Senior Information Systems Security Engineer BAE SYSTEMS, MISSION SOLUTIONS
wesley.north@baesystems.com


-----Original Message-----

From: Thotapalli, Ravi [mailto:ravi.thotapalli@eds.com]
Sent: Wednesday, May 28, 2003 7:51 AM
To: 'secureshell@securityfocus.com'
Subject: SCP help

Hi, I am trying to write a script using scp in which I would like to pass the password to the script by means of standard input (via a file). Could anyone let me know if you have tried this already and if it works or not? I have used the same with ftp and it works, but for some reason with scp I am unable to do that.

thanks
Ravi Thotapalli
Phone (415)-551-5655
Mail ravi.thotapalli@eds.com

Received on Wed May 28 16:54:01 2003
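Option 1 from the reply above (a key without a passphrase, used for unattended scp), as an added example that is not part of the original thread. It assumes an OpenSSH client and server; the key path, host names, file names and function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: unattended scp with a dedicated passphrase-less key.
# Assumes OpenSSH; key path, host names and file names are placeholders.

# Succeed only if the private key exists and group/other have no access to it.
key_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Build the authorized_keys entry for the server side. "restrict" (OpenSSH 7.2+)
# turns off forwarding and pty allocation; from= limits which client hosts may
# use the key. $1 = public key text, $2 = allowed source pattern.
restricted_authkeys_line() {
    printf 'restrict,from="%s" %s\n' "$2" "$1"
}

# Copy one file without ever prompting: BatchMode makes scp fail instead of
# asking for a password, IdentitiesOnly stops it from trying other keys.
# $1 = private key, $2 = local file, $3 = user@host:path
batch_scp() {
    key_is_private "$1" || { echo "refusing to use $1: missing or readable by others" >&2; return 2; }
    scp -o BatchMode=yes -o IdentitiesOnly=yes -o PasswordAuthentication=no \
        -i "$1" "$2" "$3"
}

# One-time setup (run by hand, not on every job):
#   ssh-keygen -t ed25519 -N '' -f "$HOME/.ssh/batch_scp_key" -C 'batch scp'
#   restricted_authkeys_line "$(cat "$HOME/.ssh/batch_scp_key.pub")" 'jobhost.example.com'
#   # append the printed line to ~/.ssh/authorized_keys of the target account
# Job (cron, etc.):
#   batch_scp "$HOME/.ssh/batch_scp_key" /var/tmp/report.csv backup@files.example.com:incoming/
```

Because the key has no passphrase, the file permission check and the server-side `restrict,from=` entry are what limit the damage if the key file is copied.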

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:59 EDT

