
Inside SSH, Part 4

Using scp

Many times during the completion of the steps outlined in this article, we have relied on a program that often goes along with SSH, called "scp." Much like the "cp" command, it allows you to copy files. However, scp allows you to copy files between hosts and, what's more, in a secure fashion.



If you are already comfortable with cp, scp's syntax should not be too surprising. Essentially, it boils down to:

scp name-of-source name-of-destination

Name-of-source will be one or more files while name-of-destination can be either a file (to copy a file between hosts) or a directory (to place multiple files into directories). Copying multiple files into one file is theoretically possible but the file will be overwritten as the various copying operations take place -- in other words, it's not really something you want to do.

Both name-of-source and name-of-destination should follow the same structure: username@hostname:/path/to/directory. Be careful, though, since scp's syntax is quite flexible; entering a wrong character can cause the program to behave in unexpected and sometimes unwanted ways. For example "cooking@tips.example.com" is a file while "cooking@tips.example.com:" represents the default folder (home) of account "cooking" on the server tips.example.com. I have no idea if these servers or accounts exist, BTW.
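The colon rule described above can be checked before a copy is run. The following is an added example, not part of the original article: the function names scp_kind and scp_check are hypothetical, report.txt and ./notes:draft.txt are constructed sample names, and the rule is a simplified approximation of how scp decides between a local file and a remote location (IPv6 brackets and scp:// URIs are not handled).

```shell
#!/bin/sh
# Added example: classify scp arguments as "local" or "remote".
# Simplified rule (an approximation, not scp's own code): an argument is
# remote when it contains a colon that is not the first character and that
# appears before any slash.

# scp_kind ARG -> prints "remote" or "local"
scp_kind() {
    arg=$1
    case $arg in
        :*)  echo local; return ;;       # leading colon: a local file name
        *:*) prefix=${arg%%:*} ;;        # text before the first colon
        *)   echo local; return ;;       # no colon at all: a local file name
    esac
    case $prefix in
        */*) echo local ;;               # slash before the colon, e.g. ./a:b
        *)   echo remote ;;
    esac
}

# scp_check SRC... DEST -> 0 if at least one argument is remote,
# 1 if the command would only create or overwrite local files.
scp_check() {
    [ "$#" -ge 2 ] || { echo "need a source and a destination" >&2; return 2; }
    remote=0
    for a in "$@"; do
        if [ "$(scp_kind "$a")" = remote ]; then
            remote=1
        fi
    done
    if [ "$remote" -eq 0 ]; then
        echo "refusing: no argument names a remote host (missing ':'?)" >&2
        return 1
    fi
    return 0
}

# Constructed sample arguments, including the two from the paragraph above.
for a in cooking@tips.example.com cooking@tips.example.com: ./notes:draft.txt; do
    printf '%-30s %s\n' "$a" "$(scp_kind "$a")"
done
```

Running scp_check with the same arguments you intend to give scp catches the forgotten colon before a local file named after the remote account is created.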

A complete scp command would look like this:

scp usernameone@hostone:/path/to/file usernametwo@hosttwo:path/to/file

scp allows you to omit some elements in the command, such as the directory or the user name if you use standard or expected values. However, when getting used to scp, I would recommend that you always enter the full command. This will allow you to learn about SSH more quickly and avoid mistakes -- overwriting a file, for example. However, to download a file, you don't need to enter the full "username@hostname" address in the second part of the command -- simply have a look at the scp commands we used earlier in the article.

By using the "-r" flag, you can instruct scp to copy whole directories as well. Be careful, though. Links, aliases, and directories that loop back to themselves are not good candidates and can cause issues during or after the transfer. What you can do instead is compress the directory in Terminal and then send it as a file over the network.
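One way to follow this advice, as an added example that is not part of the original article: list the symbolic links in a directory (scp follows them during a recursive copy) and pack the directory into a single archive instead. The function names and the site.tar.gz archive name are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check and packing step before sending a directory.

# list_links DIR: print every symbolic link under DIR, one per line.
list_links() {
    find "$1" -type l -print
}

# pack_dir DIR ARCHIVE: write DIR into a gzip-compressed tar archive.
# tar stores a symbolic link as a link entry instead of copying its target,
# so a link that points back up the tree cannot make the copy loop.
pack_dir() {
    parent=$(dirname "$1")
    name=$(basename "$1")
    tar -czf "$2" -C "$parent" "$name"
}

# prepare_upload DIR ARCHIVE: report any links, then pack the directory.
# Returns tar's exit status.
prepare_upload() {
    links=$(list_links "$1")
    if [ -n "$links" ]; then
        echo "links found (scp -r would follow these):" >&2
        echo "$links" >&2
    fi
    pack_dir "$1" "$2"
}

# The archive is then transferred as one ordinary file, for example:
#   scp site.tar.gz username@hostname:/path/to/directory
```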

The "-p" flag will allow you to retain the permissions of the files you copy. However, as a general rule, it's always a good idea to use a command such as "ls -l" to check the permissions of the resulting files on the remote machine.

Going One Step Further: Creating SSH Tunnels

The concept of SSH tunnels is a fun, powerful, and interesting one. Let's imagine what happens when you use a VNC client to connect to a remote computer through a graphical interface. When you establish a connection, a big glass pipe is run between your Mac and the remote computer you are controlling.

This glass pipe is transparent; anybody can see what is going on inside of it and read the information it contains. It is also fragile. Anybody with readily available tools can smash the glass wall and add things to the pipe, right in the middle of the stream.

As you can see, this is far from a secure connection. However, since the material the pipe is made of is decided by the protocol you are using, your only option to secure it is to put this big pipe into another, more robust one. I like to think of it as stainless steel but pick your metal of choice. That way, the outside pipe will protect the inside, fragile one from prying eyes and intrusion tools, while being designed for easy plumbing. Best of all, since both pipes are well-designed, you do not need to modify the inside one. It simply slides right into the metal shell.

This is exactly what SSH can do. If you have to use insecure protocols (glass pipes), you can instruct them to pass through a secure SSH connection that will be wrapped around them (the metal pipe), effectively securing them. The good news is that SSH is, like our metal pipe, entirely transparent to the insecure application and is therefore extremely unlikely to disrupt anything.

SSH tunneling is out of the scope of our discussion, directly at least. There are, however, some great tunneling-related articles on the O'Reilly Network that provide you with step-by-step tutorials. Secure Mail Reading on Mac OS X by Jason McIntosh is an excellent starting point.

Final Thoughts

SSH is a flexible and powerful protocol. Thanks to the Mac OS X engineers, it is also incredibly easy to use on a Mac. By learning a bit about it and practicing in your Terminal, you can bring your computing and networking experience to the next level.

Ben Lindstrom from the OpenSSH group was kind enough to provide me with information regarding some detailed SSH configuration settings. May he find here the expression of my gratitude. Needless to say, any errors or inaccuracies in the preceding pages remain entirely my responsibility.

FJ de Kermadec is an author, stylist and entrepreneur in Paris, France.

