SSH, OPENSSH-SERVER, SCP, encryption keys. Using a tunnel through another shell

scp is a console utility that allows you to securely copy files via ssh between Linux, Mac and Windows.

Introduction

The name scp is derived from secure cp (copy). With this utility you can copy files via ssh protocol. This protocol supports encryption, so using scp safe way copying files.

I usually use scp to copy files to remote server or vice versa. You can also copy files from server to server, without additional traffic through your local computer.

scp is available for Linux, Mac and Windows (WinSCP)

Description of SCP and main parameters

scp [[ user @ ] from - host : ] source - file [[ user @ ] to - host : ][ destination - file ]

from-host- name or IP address of the host on which the file is located (source host). Can be skipped if the host is the local computer on which this command is executed.

user- a user who has rights to access the file and directory that will be copied from the source host. Or a user who has write permissions on the destination host.

source-file- the file or files that will be copied from the source host to the destination host. This can be a directory; for this you need to specify the -r switch when copying to copy the contents of the directory.

destination-file- the name that the file will receive when copied on the destination host. If the parameter is not specified, all files will be copied with the original names.

SCP keys

-q- do not display progress status

-r- recursively copy the contents of a directory if a directory is specified in the source file

-v- show debug messages

-P- non-standard SSH port on the host

SCP Examples

$scp*. txt user @ remote . server. com:/home/user/

all files with the extension .txt will be copied to the /home/use folder on the remote host remote.server.com

$ scp - r user @ 192.168.0.2 :/ home / user / user @ 192.168.0.3 : / home / user /

will copy all files from the user's home directory on host 192.168.0.2 to the user's home directory on host 192.168.0.3 recursively

There are three options for copying files in ssh:

From local host to remote:

$scp somefile username@server:/home/username/

From remote host to local:

$ scp username @ server :/ home / username / file_name / home / local - username / file - name

From remote host to another host:

This is a very practical and interesting feature of scp, because files are copied from one server to another without getting to the computer on which the copying process is running. All traffic goes directly from server to server directly.

$ scp user_name1@server1 :/home/user_name1/file_name user_name2@server2 :/home/user_name2/

SCP tricks

Transfer rate limit

scp - l limit username @ server :/ home / uername /* .

limit indicated in Kbit/s.

Increase transfer speed

scp by default uses the AES-128 algorithm to encrypt data, it is very secure but slow. If speed is important, then you can use the Blowfish or RC4 algorithms.

Changing the encryption algorithm from AES-128 to Blowfish

$ scp - c blowfish user @ server :/ home / user / file .

Using RC4 encryption algorithm, which is the fastest possible

To connect to a remote host without entering a password, you can use the so-called Public key. You need to add a public key entry to the ~/.ssh/authorized_keys file on the remote host. In this case, keys generated on the client side are used for connection. In cygwin you can create a /home directory and .csh in it using

# mkdir -p /home/USER/.ssh

• Using ssh-keygen, we generate a key pair. ~/.ssh/id_dsa - private key, ~/.ssh/id_dsa.pub - public key.
• We copy only the public key to the server and add it to the file ~/.ssh/authorized_keys2, ~/ -home directory.

# ssh-keygen -t dsa -N "" # cat ~/.ssh/id_dsa.pub | ssh you@host-server "cat - >> ~/.ssh/authorized_keys2"

Using a Windows client with ssh.com

The commercial version of the client can be downloaded from the official website: ssh.com. Keys generated using the ssh.com client need to be converted to the OpenSSH server format; this is done using ssh-keygen.

• Create a key pair using the ssh.com client: Settings - User Authentication - Generate New....
• DSA key type; Key length 2048.

You can use both DSA and RSA algorithms. Keep in mind that the keys we generate are not password protected, which is a definite security disadvantage.

Using putty for Windows

Tunneling - Creating a secure SSH tunnel

SSH tunneling allows you to do port forwarding (redirection) through an SSH tunnel, ensuring traffic passes through blocked ports (works only on TCP).

An SSH tunnel is created from a listening socket on a specific localhost port. All connections accepted on the local host/port are then forwarded via SSH to the remote host/port.

# ssh -L localport:desthost:destport user@gate # The destination host will be a local port # ssh -R destport:desthost:localport user@gate # The local port will be forwarded to the specified port of the remote host# ssh -X user@gate # Forced forwarding of X session

Direct forwarding to the gateway

Let's say we need to access CVS (port 2401) and http (port 80) running on a remote host. Below you see a simple example of implementation, we connect to the local port 2401, the corresponding port of the remote host, and to access remote port 80 we use local port 8080. Once an ssh session is opened, all corresponding services of the remote host will be available on local ports.

# ssh -L 2401:localhost:2401 -L 8080:localhost:80 user@gate

Forwarding Netbios and Remote Desktop ports

We have Windows SMB server behind the gateway, and lack of ssh. It is necessary to gain access to shared SMB folders and the remote desktop.

# ssh -L 139:smbserver:139 -L 3388:smbserver:3389 user@gate

The smb share can now be accessed with \\127.0.0.1\, but only if the local share is disabled, because the local share is listening on port 139.
It is possible to keep the local share enabled, for this we need to create a new virtual device with a new IP address for the tunnel, the smb share will be connected over this address. Furthermore the local RDP is already listening on 3389, so we choose 3388. For this example let's use a virtual IP of 10.1.1.1.

• With putty use Source port=10.1.1.1:139. It is possible to create multiple loop devices and tunnel. On Windows 2000, only putty worked for me. On Windows Vista also forward the port 445 in addition to the port 139. Also on Vista the patch KB942624 prevents the port 445 to be forwarded, so I had to uninstall this path in Vista.
• With the ssh.com client, disable "Allow local connections only". Since ssh.com will bind to all addresses, only a single share can be connected.

Now create the loopback interface with IP 10.1.1.1:

• # System->Control Panel->Add Hardware # Yes, Hardware is already connected # Add a new hardware device (at bottom).
• # Install the hardware that I manually select # Network adapters # Microsoft, Microsoft Loopback Adapter.
• Configure the IP address of the fake device to 10.1.1.1 mask 255.255.255.0, no gateway.
• advanced->WINS, Enable LMHosts Lookup; Disable NetBIOS over TCP/IP.
• # Enable Client for Microsoft Networks. # Disable File and Printer Sharing for Microsoft Networks.

I HAD to reboot for this to work. Now connect to the smb share with \\10.1.1.1 and remote desktop to 10.1.1.1:3388.

Debug

If it is not working:

• Are the ports forwarded: netstat -an? Look at 0.0.0.0:139 or 10.1.1.1:139
• Does telnet 10.1.1.1 139 connect?
• You need the checkbox "Local ports accept connections from other hosts".
• Is "File and Printer Sharing for Microsoft Networks" disabled on the loopback interface?

Connecting two clients behind NAT

There are two machines located behind a NAT gateway, the cliadmin client needs to connect to the cliuser client, both have access to the Linux gateway via ssh. Since ports above 1024 will be used, root access will not need. On the gateway we use port 2022.

On the client client:

# ssh -R 2022:localhost:22 user@gate # Forwarding client port 22 to port 2022, gateway

On the cliadmin client:

# ssh -L 3022:localhost:2022 admin@gate # Forwarding client port 3022 to gateway port 2022

Now the administrator can directly connect to cliuser:

# ssh -p 3022 admin@localhost # local:3022 -> gate:2022 -> client:22

Connecting to a desktop behind NAT

Suppose you need to access a Windows client with VNC listening on port 5900. From cliwin to gateway:

#ssh -R 15900:localhost:5900 user@gate

From client cliadmin:

# ssh -L 5900:localhost:15900 admin@gate

Now the administrator can directly connect to the client VNC:

#vncconnect -display:0 localhost

Dig a multi-hop ssh tunnel

Suppose you cannot get direct access to ssh, only through intermediate hosts (for example, due to routing problems), but you need to get a client-server connection, for example, to copy files via SCP or forward a port for SMB.. This can be done by organizing a tunnel from a chain of hosts.
Let's say we need to transfer the ssh port of the client to the server, in two jumps. Once the tunnel is created, a direct client-server connection will be possible.

Creating a tunnel in one shell

client -> host1 -> host2 -> server and dig tunnel 5678

Client> # ssh -L5678:localhost:5678 host1 # 5678 arbitrary port for tunnel host_1> # ssh -L5678:localhost:5678 host2 # link 5678 from host1 to host2 host_2> # ssh -L5678:localhost:22 server # and tsnnel to port 22 of the server

Using a tunnel through another shell

client -> server using tunnel 5678

# ssh -p 5678 localhost # direct client-server connection # scp -P 5678 myfile localhost:/tmp/ # Copy files directly # rsync -e "ssh -p 5678" myfile localhost:/tmp/ # or also directly synchronize files

SCP-860

Object No.: SCP-860

Special containment conditions: SCP-860 is to be kept in a small wooden box in a vault in Sector ██. The object itself is not dangerous, so no special procedures are required.

Description: SCP-860 is a dark blue key with a regular shape. At seemingly random intervals, a set of numbers appears on the key blade, which are coordinates in UTM format. During the time SCP-860 was in Foundation custody, the numbers were changed three times, resulting in coordinates in ██████ (Germany), ██████ (England), and coordinates for Site ██.

SCP-860 can enter any keyed door lock located in the area indicated by these coordinates, and will act like a key that fits that lock. SCP-860 only works if inserted into a door lock, and only if the lock is embedded into the door; it will not work with other locking devices.

If a door is unlocked and opened using SCP-860, the door will not lead to the direction it normally opens. Instead, it opens into a small forest, down the middle of which runs a clearing approximately 80 cm wide, designated SCP-860-1. During each observation of this grove, the presence of a blue fog was noted.

SCP-860-1

Once any person steps into SCP-860-1, the door will automatically close. From the inside of SCP-860-1, the door will be set into an endless concrete wall and locked. Attempts by personnel outside SCP-860-1 to break down the door were unsuccessful. Attempts to break down the door from inside SCP-860-1 resulted in [DATA EXPUNGED]. See Document 860-III for additional details.

The path inside SCP-860-1 usually leads to another door set into another endless concrete wall. This second door opens into the room where the door to which SCP-860 was applied would normally lead.

Personnel conducting research within SCP-860-1 have reported various anomalies. These are described in more detail in Documents 860-I-IV.

Following the events of Study IV (described in Document 860-IV), research with SCP-860 may only be conducted by Level 4 personnel.

Incident 860-██-12: On ██/██/████, ██ days after Study IV, SCP-860 was found on Dr. ███'s desk, ████ m from its location. The locker in which the object was located was not open. Security footage from ██:██ morning showed the key suddenly materializing on the table. It is currently unknown how or why SCP-860 was transferred. The incident had a profound effect on Dr. ███. A psychological evaluation is recommended.

SCP-860

Object No.: SCP-860

Special containment conditions: SCP-860 is to be kept in a small wooden box in a vault in Sector ██. The object itself is not dangerous, so no special procedures are required.

Description: SCP-860 is a dark blue key with a regular shape. At seemingly random intervals, a set of numbers appears on the key blade, which are coordinates in UTM format. During the time SCP-860 was in Foundation custody, the numbers were changed three times, resulting in coordinates in ██████ (Germany), ██████ (England), and coordinates for Site ██.

SCP-860 can enter any keyed door lock located in the area indicated by these coordinates, and will act like a key that fits that lock. SCP-860 only works if inserted into a door lock, and only if the lock is embedded into the door; it will not work with other locking devices.

If a door is unlocked and opened using SCP-860, the door will not lead to the direction it normally opens. Instead, it opens into a small forest, down the middle of which runs a clearing approximately 80 cm wide, designated SCP-860-1. During each observation of this grove, the presence of a blue fog was noted.

SCP-860-1

Once any person steps into SCP-860-1, the door will automatically close. From the inside of SCP-860-1, the door will be set into an endless concrete wall and locked. Attempts by personnel outside SCP-860-1 to break down the door were unsuccessful. Attempts to break down the door from inside SCP-860-1 resulted in [DATA EXPUNGED]. See Document 860-III for additional details.

The path inside SCP-860-1 usually leads to another door set into another endless concrete wall. This second door opens into the room where the door to which SCP-860 was applied would normally lead.

Personnel conducting research within SCP-860-1 have reported various anomalies. These are described in more detail in Documents 860-I-IV.

Following the events of Study IV (described in Document 860-IV), research with SCP-860 may only be conducted by Level 4 personnel.

Incident 860-██-12: On ██/██/████, ██ days after Study IV, SCP-860 was found on Dr. ███'s desk, ████ m from its location. The locker in which the object was located was not open. Security footage from ██:██ morning showed the key suddenly materializing on the table. It is currently unknown how or why SCP-860 was transferred. The incident had a profound effect on Dr. ███. A psychological evaluation is recommended.

WARNING: SCP-370 is a highly contagious memetic infection. There have not yet been any documented cases of employees becoming infected while reading this article, but as a precautionary measure, this document is allowed to be read only in a controlled room with established mechanisms for destroying the reader when the first symptoms appear. Verbal dissemination of any information regarding SCP-370 is grounds for immediate destruction.

Special containment conditions: SCP-370 itself is embedded in a small block of solid lead and is stored inside a durable steel box with walls half a meter thick and without the ability to open it. Under no circumstances should an object be removed from a box or lead bar. If SCP-370 is recovered in whole or in part, blinded personnel will be tasked with searching for it using a metal detector, after which an electromagnet will be used to move the object into a small mold filled with molten lead. Once the lead has hardened, the resulting timber will be returned to the steel box and the box to the containment vault.

The said box is contained in a specially equipped storage facility at Site ██. SCP-370 does not require any maintenance, and all research on it is prohibited. The desire to open the vault to investigate the object or for any other reason is a symptom of SCP-370 infection. Any personnel exhibiting this or any other symptoms must be immediately isolated and, if symptoms continue, terminated.

SCP-370's destructibility has not been determined. No studies have been conducted in this direction, and future studies are prohibited due to the high risk of infection of the personnel involved.

D-Class personnel with strong sadistic or violent tendencies are preferred in all interactions with SCP-370 or potentially contagious data about the object.

Any Foundation Site showing signs of SCP-370 infection is to have all direct contact terminated. They must be reinstated one (1) year after the last instance of SCP-370 infection.

Any personnel assigned to SCP-370 who exhibit a sudden improvement in their general condition are to be isolated and sleep deprived. If any employee continues to show symptoms of "happiness" despite this measure, he must be terminated.

Description: SCP-370 is the key. Material, shape, size and general form object is unknown. Knowledge of these parameters is the main spreader of the SCP-370 infection, therefore all reports that could contain such information were destroyed without review.

The disease caused by SCP-370 has three distinct sets of symptoms, designated SCP-370-a, b, and c. The form of infection that an infected subject exhibits appears to be determined by their personality type.

SCP-370-a manifests most often in individuals who are characterized by their environment as selfish or cowardly. This is the most common manifestation. Subjects afflicted with SCP-370-a show no symptoms of infection. However, these individuals will commit suicide immediately when given the chance to do so with the least amount of suffering (for example, victims of SCP-370-a jumped from heights or shot themselves in the head with a firearm, but did not cut their wrists or hang themselves).

The moment the subject's heart stops beating, the infected body begins to glow brightly and undergo an unknown transformation. Detailed knowledge of the transformation is a spreader of infection, as is direct eye contact with the emitted light. No traces or body parts of the subject were ever found after the transformation.

Most SCP-370-b subjects can generally be described as extroverted altruists, however, similar manifestations of SCP-370-b have been observed in individuals with strong sadistic or violent tendencies. Infected individuals of SCP-370-b will initially become very calm. This stage lasts a few seconds, followed by a sudden, unprovoked attack on the closest person to the infected person, resulting in a series of indiscriminate killings. People killed by an infected subject will begin to glow brightly and undergo an unknown transformation, apparently the same or similar to that of suicides.

Initially, the infected is no more dangerous than a normal violent person, however, after he has killed approximately two (2) or three (3) people, his body will begin to emit a yellow light. Apparently, this light causes a sympathetic nervous response in victims of the infected, preventing them from resisting the attack. After approximately five (5) or six (6) successful kills, the intensity of the light triples and any direct skin contact with the infected becomes fatal. Also, from this moment on, any eye contact with the subject becomes a factor of infection.

After killing an average of twelve (12) individuals (subjects exhibiting violent tendencies prior to infection may require at least fifty (50) victims to reach this stage), the infected will abruptly cease displaying hostility and enter the final stage of SCP-370-b infection. Subject will raise his hands to the sky and, in a slightly amplified voice, shout "████, take me home!" This scream seems to pass through soundproof walls and headphones, but is only slightly muffled. Infection is guaranteed for all people who hear this scream, with the exception of cases of sensory deafness. After screaming, a glow in the visible spectrum forms around the infected person, and the infected person rises a couple of meters above the ground, after which [REDACTED] and disappears. As with SCP-370-a, no trace of the missing subjects has been found.

SCP-370-c manifests itself in individuals with high level intelligence and an analytical or contemplative personality, and this is the most dangerous of the three manifestations. Unfortunately, most Foundation research personnel are predisposed to SCP-370-c. Immediately after infection, subjects close their eyes and spend an average of 30 seconds in silence. If asked what they are doing, the infected will answer that they are “praying.” Any infected with these symptoms must be immediately destroyed by any available means.

Subjects will then behave as usual, but with a significantly increased "sense of well-being". This condition persists even if the infected person is placed in unpleasant conditions. Subjects appear to have a contagious knowledge of the appearance and true nature of SCP-370, regardless of whether they have known any such knowledge before. Infected individuals will actively attempt to covertly spread the SCP-370 infection, especially attempting to cause manifestations of SCP-370-a or SCP-370-c. Distribution methods most commonly include, but are not limited to:
- Mentioning contaminating information about SCP-370 in casual conversation.
- Attempts to remove SCP-370 from containment under the guise of research or disposal.
- Adding carriers of SCP-370 infection to Foundation researchers' notes or other documents, including this page.
- Attempts to spread infectious material on a large scale.

After approximately fifty (50) successful infections, SCP-370-c enters its final stage. During this, the air around the infected person emits a small amount of light in the visible spectrum, forming a dull yellow glow around the subject. This glow causes a "calming" parasympathetic response in observers and has a █% chance of infecting the observer for every minute of eye contact. Regardless of successful infections, for approximately a day after the onset of this radiation, a blazing [DATA EXPUNGED] will burn marks onto or pass through any surfaces it touches, leaving no trace of the infected person. After this event, an invisible piece of infectious space remains, which infects anyone passing through it. The patches disappear in about seven (7) days, but precautions should be avoided for two (2) full weeks.

It has become known that the SCP-370-c infection is being used by some personnel to justify the murder and torture of other Foundation personnel. Persons responsible are to be reclassified to Class D, however due to the severe threat posed by SCP-370-c, the above containment protocols will not be revised.– Dr. ███████

Appendix 370-a:

The circumstances surrounding SCP-370's initial acquisition are unknown. The object was discovered in the ruins of Site █, remote base Fonda in eastern ████. The original containment protocols and the steel box containing SCP-370 were found in a sealed vault, along with a corpse identified as Dr. █████, an open practitioner of Satanism, and the doctor's personal journal, who was found to be an SCP carrier. -370. The rest of the Zone was abandoned, no other dead bodies were found, although signs of struggle were visible everywhere. Other information about SCP-370 in the Site's data storage was erased or destroyed, although several useful notes were found about other recovered objects, especially SCP-███.

Several cases of contamination occurred during removal procedures. They were eliminated with the utmost precaution and it was decided that the infection had stopped. SCP-370 was briefly designated "Safe". However, in light of the recent [DATA EXPUNGED], the Keter designation has been reinstated and anti-memetic security has been increased at all Foundation Sites.

Appendix 370-b:

Dr. █████'s journal has been successfully cleared of memetic infection and is now accessible to authorized personnel. The precautions taken when reading this article also apply to the diary.