SSH, SCP, and SFTP
Light at the End
The secure shell gives you an option for securing other Internet services against sniffing via tunneling. To secure an otherwise-unencrypted protocol (such as POP3), forwarding TCP/IP connections to a remote machine by means of an encrypted protocol makes sense. The use of SSH as a SOCKS proxy is another elegant application that lets users transfer encrypted data via a web browser. Setting up a tunnel to a proxy also avoids web content censorship, which is a useful feature in countries that block some websites. If you have a shell account on a machine in a less restrictive country, this approach can give you unimpeded web access.
To start, enable the proxy with the SSH -D option, and at the same time pass in a freely selectable port number. In this scenario, the -f and -N parameters also are useful. The former pushes ssh into the background after logging in and before executing commands, and the latter tells ssh that no commands are to follow; for example:
$ ssh -fN -D 1080 Proxy
After entering the password, the prompt reappears and the shell is ready to accept further instructions. That's all there is to it – the SOCKS proxy is waiting for something to do.
The next step is to set up the SSH client as a SOCKS proxy in the network configuration for the program in question. If this is the Firefox web browser, you can select Edit | Preferences and go to General | Network.
In Connection, click Settings, enable the manual proxy configuration, enter the IP address 127.0.0.1 and the port you previously selected in the SOCKS Host field. SOCKS versions 4 and 5 are available; when in doubt, check the ssh man page to see which version your SSH installation supports. After accepting these changes in Firefox, you can type an address in your browser's address box to verify the connection: http://www.myipaddress.com/; you should see the IP for the remote machine.
Interactive with sftp
In contrast to scp, users work interactively with sftp, just as in any "normal" ftp session. Secure ftp does not expect an ftp server at the other end of the connection, but rather an SSH daemon and, thus, a shell account. As with SSH, set up a connection to the target computer at the command line:
$ sftp huhn@macnugget
After entering your password, you will see the sftp> prompt, which tells you that the program is ready and waiting for further input.
The sftp program is not much different from those used by other shell-based ftp clients; however, you can't set the transfer mode (ASCII or binary) before transferring data because files are sent as-is across the network.
Secure ftp also has some advanced functions for modifying file permissions and ownership. For a comprehensive overview of the available commands, see the help command.
Some practical command-line options facilitate working with sftp. For example, the -C parameter for enabling data compression not only is available for ssh and scp, but also for sftp. The -b <file> option lets you pass in a batch file with the commands you want to run to sftp; however, this will work only if you do not need to enter a password to log in.
If you are interested in a graphical client for sftp, the answer is quite simple: Both KDE's Konqueror and Gnome's Nautilus support sftp perfectly. Just enter the following in the address line of either application,
and then authenticate with the correct password to use sftp, just like your local file manager.
- Free SSH implementation, OpenSSH: http://openssh.org
Buy this article as PDF
HP's annual Cyber Risk report offers a bleak look at the state of IT.
But what do the big numbers really mean?
.NET Core execution engine is the basis for cross-platform .NET implementations.
The Xnote trojan hides itself on the target system and will launch a variety of attacks on command.
Spammers go low-volume, and 90% of IE browsers are unpatched.
Adobe scrambles to release patches for vulnerable Flash Player.
Four-inch-long computer on a stick lets you boot a full Linux system from any HDMI display device.
New statute would require companies to report break-ins to consumers.
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.