Weblog entry #3 for debstar

Shell scripting sftp.
Posted by debstar on Wed 20 Feb 2013 at 18:45
For someone who used and abused ftp, living with sftp now is a reminder of how insecure ftp was.
When scripting a Linux ftp client, we use redirection to feed it the commands; not only the commands but also the credentials travel in clear text.
With sftp, the commands can be saved in a batch file, but sftp does not let us put credentials in that file: batch mode is meant to be used with non-interactive authentication, which pushes us towards public-key authentication instead of a password sitting in a script.

Here is a shell script that automates an sftp session; it should run unattended.

#!/bin/bash
# transfer.sh - sftp auto session
set -e                          # stop at the first command that fails
batch=$(mktemp)                 # unpredictable name, mode 0600, private directory
trap 'rm -f "$batch"' EXIT      # discard the batch file however the script exits
cat << EOF > "$batch"
cd /upload
put report.csv
cd /download
get access.log
quit
EOF
sftp -b "$batch" -i "$HOME/.ssh/id_rsa" stranger@citadel

The batch file is created on the fly by mktemp, which gives it an unpredictable name and 0600 permissions, and the trap removes it when the script exits, whether or not sftp succeeded. Avoid a predictable name such as tmp$$ in the current directory: in a shared directory that is an open invitation for another local user to pre-create the file, or a symlink to something of yours, before the script does.
In batch mode sftp stops at the first command that fails (a missing report.csv, say), which is the right behaviour for an unattended job; a command can be prefixed with - if its failure should be ignored, and -b - reads the batch from standard input if you would rather not have a file at all.

The -i parameter names the private key.
sftp (through ssh) looks in $HOME/.ssh/id_rsa by default, so strictly the script doesn't need it.
It is still worth spelling out the absolute path: when the script runs from the crontab it gets a minimal environment and a different working directory, and a relative path is the classic cause of a job that works from the shell and fails at 03:00.
For the same reason, prefer a key dedicated to this job (say $HOME/.ssh/citadel_upload) over your everyday id_rsa, so it can be restricted on the server and revoked on its own.

Obviously, the remote hostname is citadel and the remote login is stranger.
One more thing an unattended job cannot do is answer the "Are you sure you want to continue connecting?" question on the first connection, so citadel's host key must already be in ~/.ssh/known_hosts. It will be after the interactive ssh-copy-id step below, provided you compared the fingerprint you were shown with what citadel's administrator gave you out of band.
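The same transfer, written the way I would hand it to cron. This is an added example rather than the original post's script: it keeps citadel, stranger, /upload and /download from the post, and assumes a dedicated key ~/.ssh/citadel_upload, a separate known_hosts file holding only citadel's verified host key, and optional REPORT/LOGFILE environment overrides; all of those names are mine. It feeds the batch to sftp over a pipe (-b -) so no temporary file exists, offers only that one key (IdentitiesOnly=yes), refuses to connect until the host key has been pinned, and tolerates a missing log without aborting the job.

```sh
#!/bin/sh
# transfer.sh, unattended sftp session (added example, not the original post's
# script). citadel, stranger, /upload and /download come from the post; the key
# and known_hosts file names below are assumptions to adjust.
set -eu

REMOTE="stranger@citadel"
KEY="${HOME}/.ssh/citadel_upload"               # key used by this job only
KNOWN_HOSTS="${HOME}/.ssh/known_hosts.citadel"  # citadel's verified host key only

# build_batch LOCAL_UPLOAD REMOTE_DOWNLOAD
# Print the sftp batch on stdout. sftp -b aborts at the first failing command,
# so a missing report stops the job; the download is prefixed with "-" because
# a missing log is tolerable and must not turn a successful upload into a
# failed run.
build_batch() {
    printf 'cd /upload\n'
    printf 'put "%s"\n' "$1"
    printf 'cd /download\n'
    printf '%s\n' "-get \"$2\""
    printf 'quit\n'
}

# require_known_hosts FILE
# Refuse to run until the host key has been pinned in FILE. Without it the
# first connection would ask a question nobody is there to answer, and with
# StrictHostKeyChecking=yes below sftp fails instead of trusting whatever key
# it is offered.
require_known_hosts() {
    [ -s "$1" ] || { printf 'no pinned host key in %s\n' "$1" >&2; return 2; }
}

# run_transfer: pipe the batch into sftp (-b -), so nothing is written to disk,
# and offer only the dedicated key (IdentitiesOnly=yes keeps ssh from trying
# every key in ~/.ssh and the agent first).
run_transfer() {
    require_known_hosts "$KNOWN_HOSTS"
    build_batch "${REPORT:-report.csv}" "${LOGFILE:-access.log}" |
        sftp -b - -i "$KEY" \
            -oIdentitiesOnly=yes \
            -oStrictHostKeyChecking=yes \
            -oUserKnownHostsFile="$KNOWN_HOSTS" \
            -oConnectTimeout=30 \
            "$REMOTE"
}

# Sourcing the file only defines the functions; the transfer runs on
# "transfer.sh run", which is the form to put in the crontab.
if [ "${1:-}" = "run" ]; then
    run_transfer
fi
```

To pin the host key once, run `ssh-keyscan citadel > ~/.ssh/known_hosts.citadel` and check the fingerprints it shows with `ssh-keygen -lf ~/.ssh/known_hosts.citadel` against what you were given out of band; after that, a changed key on citadel makes the job fail loudly rather than upload the report to an impostor.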

The next step is to create a public/private key pair.

debstar:~$ ssh-keygen -t rsa -f ~/.ssh/id_rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/debstar/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh/id_rsa.
Your public key has been saved in .ssh/id_rsa.pub.
The key fingerprint is:
c1:21:e3:01:26:0d:f7:ec:52:0e:0c:90:9b:6e:d8:47 debstar@debadmin

Again, the parameter -f ~/.ssh/id_rsa is redundant because it's the default location. Do give the key a passphrase when asked; and on a current OpenSSH prefer ssh-keygen -t ed25519, or an RSA key of at least 3072 bits, over the default RSA size of older releases.

Then we have to copy the public key to the remote server.
Precisely, its content has to be appended to /home/stranger/.ssh/authorized_keys on citadel.
We can copy it manually with scp or sftp, but there is a utility called ssh-copy-id that does it painlessly (it logs in with the password one last time, so password authentication has to be enabled on citadel for that step).

debstar:~$ ssh-copy-id -i $HOME/.ssh/id_rsa.pub stranger@citadel
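ssh-copy-id installs the key with no restrictions, so whoever obtains the private key gets a full shell as stranger. For an automation key I would rather append a line with authorized_keys options: pin the address the script connects from, force the sftp subsystem, and switch off pty, port forwarding, agent forwarding and X11. The following helper produces such a line from a public key file; it is an added example, not part of the post or of OpenSSH. The source address 192.0.2.10 is a placeholder, and the `restrict` keyword needs OpenSSH 7.2 or later (on older servers spell out no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding instead).

```sh
# restrict_key PUBKEY_FILE SOURCE
# Print one authorized_keys line for an automation key (added example, not
# from the original post). It pins the client address, forces the in-process
# sftp server and disables pty/forwarding/X11 via "restrict" (OpenSSH 7.2+).
# Anything that does not look like a bare "type blob [comment]" line is
# refused, so an already-optioned or truncated line cannot slip through.
restrict_key() {
    file="$1" src="$2"
    line=$(head -n 1 "$file")
    set -- $line        # split into key type, base64 blob, optional comment
    [ $# -ge 2 ] || { printf 'not a public key line: %s\n' "$file" >&2; return 1; }
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) printf 'unsupported or already-optioned key: %s\n' "$1" >&2; return 1 ;;
    esac
    case "$2" in
        AAAA*) ;;   # every OpenSSH blob starts with the base64 of a 4-byte length
        *) printf 'malformed key blob in %s\n' "$file" >&2; return 1 ;;
    esac
    printf 'restrict,from="%s",command="internal-sftp" %s\n' "$src" "$line"
}
```

Run it against ~/.ssh/citadel_upload.pub and append the output to /home/stranger/.ssh/authorized_keys on citadel (or run ssh-copy-id first and prepend the options to the line it added). With from= in place, the key is useless from any other machine, and with command="internal-sftp" a compromised key cannot open a shell, only move files; a ChrootDirectory for stranger in sshd_config is the natural complement on the server side.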

At this point, if we run the script, it will not ask for the remote user's password, but it will ask for the passphrase of the private key.
The solution is to cache the passphrase with the help of an agent.
To use the agent, we start it, import its environment variables into the current shell and add our key to its cache:
debstar:~$ eval "$(ssh-agent -s)"
debstar:~$ ssh-add $HOME/.ssh/id_rsa

The passphrase is asked once and for all, for the lifetime of the agent.
Now we can run the script from this shell without typing a passphrase or a password.
One caveat for the crontab: a cron job does not inherit SSH_AUTH_SOCK from the login session, so run from cron the script will not find the agent. Either persist the agent's environment in a file the job can source (written with umask 077 under ~/.ssh rather than at a predictable name in /tmp, with the agent kept running), or use a passphrase-less key dedicated to this job and lock it down with authorized_keys options on citadel.
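If you do persist the agent's environment for a cron job, the file you source is input from disk, and sourcing it blindly turns a writable file into code execution as your user. The following helper, an added example that is not from the post, assumes the file was written once from the login session with `umask 077; ssh-agent -s > ~/.ssh/agent.env` (a file name of my choosing). It checks ownership and permissions, accepts only the two assignment lines that ssh-agent -s prints, and evaluates nothing else.

```sh
# load_agent_env FILE
# Import SSH_AUTH_SOCK and SSH_AGENT_PID from a file produced by
# "ssh-agent -s > FILE" (added example, not the original post's code; the
# ~/.ssh/agent.env location used by the caller is an assumption).
# The file is treated as untrusted: it must be ours and not group/world
# writable, and only lines of exactly the shape ssh-agent -s emits are
# evaluated, so a tampered file cannot run commands as the cron user.
load_agent_env() {
    file="$1"
    [ -r "$file" ] || { printf 'cannot read %s\n' "$file" >&2; return 1; }
    # owned by the current user and writable by nobody else, or refuse
    [ -n "$(find "$file" -user "$(id -un)" ! -perm -020 ! -perm -002 -print 2>/dev/null)" ] ||
        { printf '%s: wrong owner or too permissive\n' "$file" >&2; return 1; }
    sock=$(grep -E '^SSH_AUTH_SOCK=[^;[:space:]]+; export SSH_AUTH_SOCK;$' "$file" | head -n 1)
    pid=$(grep -E '^SSH_AGENT_PID=[0-9]+; export SSH_AGENT_PID;$' "$file" | head -n 1)
    if [ -z "$sock" ] || [ -z "$pid" ]; then
        printf 'refusing %s: not ssh-agent -s output\n' "$file" >&2
        return 1
    fi
    # only the two vetted assignment lines reach eval; the trailing
    # "echo Agent pid" line of ssh-agent's output is deliberately dropped
    eval "$sock" "$pid"
}

# agent_usable: true only if the socket exists and the agent holds at least
# one key (ssh-add -l exits 1 with an empty agent and 2 when it cannot connect)
agent_usable() {
    [ -S "${SSH_AUTH_SOCK:-}" ] && ssh-add -l >/dev/null 2>&1
}
```

In the cron-side script, call `load_agent_env "$HOME/.ssh/agent.env" && agent_usable` before starting sftp and bail out with a clear message otherwise; the job then fails at the check, not half-way through a transfer, when the agent has gone away after a reboot or logout.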

... and one more thing, Linux rocks.