
Transferring files between servers on a private network?
This command transfers a file from Machine B to Machine A:

scp -3 -o StrictHostKeyChecking=no -i ~/.ssh/secret.pem -o \
ProxyCommand="ssh -o StrictHostKeyChecking=no \
-i ~/.ssh/secret.pem -W %h:%p admin@7.7.7.7" \
admin@192.168.1.20:/home/admin/file.pdf admin@192.168.1.10:/home/admin

Machine A has the public IP of 7.7.7.7 and a private IP of 192.168.1.10.

Machine B has the private IP of 192.168.1.20.

The goal of the command is to log into Machine A on the public network at
7.7.7.7 and then transfer files from B to A strictly across the
private network.

Though the command works and transfers files between machines, I'm not sure
if it does it strictly over the private network. How can I be sure the file
isn't going from B to A over the private network and then down to my local
machine over the public network and then back up to A over the public
network and then back to A on the private network? Is there an easy way to
trace the path of the file between machines?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Transferring files between servers on a private network?
On 09/12/2020 17:48, Steve Dondley wrote:
> Though the command works and transfers files between machines, I'm not sure
> if it does it strictly over the private network. How can I be sure the file
> isn't going from B to A over the private network and then down to my local
> machine over the public network and then back up to A over the public
> network and then back to A on the private network?

It *is* going up to your local client and back again: -3 (third party
copy) does exactly that. It makes separate ssh connections to the two
hosts (which is why the ProxyCommand is required in your case), slurps
the file from the left-hand host and uploads it to the right-hand host.

If you don't want to do that, then omit the -3.  Then it will log in to
left-host, and instruct it to copy the given file to right-host.
However you may need to use agent forwarding so that left-host can
authenticate to right-host.

Re: Transferring files between servers on a private network?
Ok, thanks for the insight.

Yeah, I was trying to avoid agent forwarding because of the advice I've
seen to avoid it, if possible. I'm trying to figure out what the best
practice might be so I wanted to see how this could be done in the most
secure manner possible.

The only other method I can think of is to have a third machine, machine C,
that is only available on the private network and contains the private key
for all the other machines. So I'd log into machine C via some bastion/jump
server. Machine C would hold the private key used by machine B and
machine A and I could use it to transfer files between machines A and B.



On Wed, Dec 9, 2020 at 1:14 PM Brian Candler <b.candler@pobox.com> wrote:

> On 09/12/2020 17:48, Steve Dondley wrote:
> > Though the command works and transfers files between machines, I'm not
> sure
> > if it does it strictly over the private network. How can I be sure the
> file
> > isn't going from B to A over the private network and then down to my
> local
> > machine over the public network and then back up to A over the public
> > network and then back to A on the private network?
>
> It *is* going up to your local client and back again: -3 (third party
> copy) does exactly that. It makes separate ssh connections to the two
> hosts (which is why the ProxyCommand is required in your case), slurps
> the file from the left-hand host and uploads it to the right-hand host.
>
> If you don't want to do that, then omit the -3. Then it will login to
> left-host, and instruct it to copy the given file to right-host.
> However you may need to use agent forwarding so that left-host can
> authenticate to right-host.
>
>

--
Prometheus Labor Communications, Inc.
http://prometheuslabor.com
413-572-1300

UnionConnect Phone App for Labor Unions
http://unionconnect.com
Re: Transferring files between servers on a private network?
On 09/12/2020 18:45, Steve Dondley wrote:
> Ok, thanks for the insight.
>
> Yeah, I was trying to avoid agent forwarding because of the advice
> I've seen to avoid it, if possible.

As far as I know, you'd mainly want to avoid it if you don't trust the
left-hand machine (i.e. the source, the one you called "B").  A
malicious administrator on that host could connect to your agent socket
and authenticate, as you, to any other machine that trusts your key.

But to be honest, if a machine is malicious, I wouldn't want to ssh into
it in the first place.  It could do plenty of other nasty things, such
as logging my keystrokes.

>
> Only other method I can think of is to have a third machine, machine
> C, that is only available on the private network and contains the
> private key for all the other machines. So I'd log into machine C via
> some bastion/jump server. Machine C would hold the private the
> key used by machine B and machine A and I could use it to transfer
> files between machines A and B.

Copying your private key onto other machines is, in general, way less
secure than using agent forwarding.

You could ssh to C (that you trust), with agent forwarding enabled, and
use it to third-party copy between B and A (*without* enabling agent
forwarding from C to B or C to A).


Re: Transferring files between servers on a private network?
Very interesting food for thought. So let me make sure I understand what I
need to do here as I try to reverse 2 decades of cluelessness (I literally
never heard of agent forwarding until last night):

So I'll add the pem file with ssh-add on my local machine and then I'll be
able to log into C and then once in C I can run the scp command to move
files between B and A via the private network. Have I got that right?



On Wed, Dec 9, 2020 at 2:39 PM Brian Candler <b.candler@pobox.com> wrote:

> On 09/12/2020 18:45, Steve Dondley wrote:
> > Ok, thanks for the insight.
> >
> > Yeah, I was trying to avoid agent forwarding because of the advice
> > I've seen to avoid it, if possible.
>
> As far as I know, you'd mainly want to avoid it if you don't trust the
> left-hand machine (i.e. the source, the one you called "B"). A
> malicious administrator on that host could connect to your agent socket
> and authenticate, as you, to any other machine that trusts your key.
>
> But to be honest, if a machine is malicious, I wouldn't want to ssh into
> it in the first place. It could do plenty of other nasty things, such
> as logging my keystrokes.
>
> >
> > Only other method I can think of is to have a third machine, machine
> > C, that is only available on the private network and contains the
> > private key for all the other machines. So I'd log into machine C via
> > some bastion/jump server. Machine C would hold the private the
> > key used by machine B and machine A and I could use it to transfer
> > files between machines A and B.
>
> Copying your private key onto other machines is, in general, way less
> secure than using agent forwarding.
>
> You could ssh to C (that you trust), with agent forwarding enabled, and
> use it to third-party copy between B and A (*without* enabling agent
> forwarding from C to B or C to A)
>
>
>

Re: Transferring files between servers on a private network?
On 09/12/2020 19:49, Steve Dondley wrote:
> Very interesting food for thought. So let me make sure I understand
> what I need to do here as I try to reverse 2 decades of cluelessness
> (I literally never heard of agent forwarding until last night):
>
> So I'll add the pem file with ssh-add on my local machine and then
> I'll be able to log into C and then once in C I can run the scp
> command to move files between B and A via the private network. Have I
> got that right?

Yep, as long as you've enabled agent forwarding (-A) when you log in to C.

With agent forwarding, an agent socket appears on host C.  Any command
you type there (such as "ssh B" or "scp B:foo A:bar") is able to talk to
the agent socket, as if ssh-agent were running on host C.

But in reality, the agent messages are passed back and forth over the
ssh connection between your local host and C, to the ssh-agent running
on your local host.  Hence your private key never leaves your local host.
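
To make the "socket on C" concrete, here is an added example (not code from this thread or from OpenSSH) of a minimal client for the ssh-agent protocol, the same protocol that ssh and scp on host C speak to the forwarded socket at $SSH_AUTH_SOCK. The only things that cross the socket are public key blobs and sign requests; the agent on the local host holds the private key and returns signatures, which is why the key never leaves the laptop. The sample reply used in the test is constructed, not captured from a real agent.

```python
import os
import socket
import struct

# Message numbers from the ssh-agent protocol (draft-miller-ssh-agent).
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13

def put_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def get_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def request_identities() -> bytes:
    # Each message on the socket is itself length-prefixed, hence put_string.
    return put_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))

def sign_request(pubkey_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    # The client hands over the PUBLIC key blob plus the data to sign; the
    # agent holding the private key (your laptop, when forwarded) signs it.
    return put_string(bytes([SSH_AGENTC_SIGN_REQUEST]) + put_string(pubkey_blob)
                      + put_string(data) + struct.pack(">I", flags))

def parse_identities(body: bytes):
    """Decode an IDENTITIES_ANSWER body into (key_type, comment) pairs."""
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent reply type %d" % body[0])
    (count,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = get_string(body, off)      # public key blob only
        comment, off = get_string(body, off)
        key_type, _ = get_string(blob, 0)      # blob starts with its type name
        keys.append((key_type.decode(), comment.decode()))
    return keys

def list_agent_keys(sock_path: str = None):
    """Query the agent behind $SSH_AUTH_SOCK (on C, the forwarded socket)."""
    path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(request_identities())
        reader = s.makefile("rb")
        (length,) = struct.unpack(">I", reader.read(4))
        return parse_identities(reader.read(length))
```

Run list_agent_keys() on C after logging in with -A and it returns the same identities that `ssh-add -l` shows on the local host; with forwarding off, $SSH_AUTH_SOCK is unset and the call fails, which is a quick way to confirm which hosts can reach the agent.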

Re: Transferring files between servers on a private network?
OK, very good. Thanks so much for your help and time and giving me some
peace of mind.

I guess my next step is to now figure out how to get Rex (a tool for
running commands on a remote machine) to make ssh calls as a forwarding
agent. I'm pretty sure this can be done so I should be good.

On Wed, Dec 9, 2020 at 3:04 PM Brian Candler <b.candler@pobox.com> wrote:

> On 09/12/2020 19:49, Steve Dondley wrote:
> > Very interesting food for thought. So let me make sure I understand
> > what I need to do here as I try to reverse 2 decades of cluelessness
> > (I literally never heard of agent forwarding until last night):
> >
> > So I'll add the pem file with ssh-add on my local machine and then
> > I'll be able to log into C and then once in C I can run the scp
> > command to move files between B and A via the private network. Have I
> > got that right?
>
> Yep, as long as you've enabled agent forwarding (-A) when you login to C.
>
> With agent forwarding, an agent socket appears on host C. Any command
> you type there (such as "ssh B" or "scp B:foo A:bar") is able to talk to
> the agent socket, as if ssh-agent were running on host C.
>
> But in reality, the agent messages are passed back and forth over the
> ssh connection between your local host and C, to the ssh-agent running
> on your local host. Hence your private key never leaves your local host.
>
>
