This guide is going to provide an overview of how to use SSH and SCP to connect to remote computers, run commands, and transfer files to and from them. ssh allows you to have command-line access to other computers over a relatively secure connection. scp lets you copy files to and from another computer over that same secure connection. If you type just ‘ssh’ into the CL you get one of the more obtuse usage messages that I’ve seen:
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command]
Huh? Before we get too much further lets define our computer setup. We have a notebook we’re typing at (a Macbook Air, for example) and we are ssh’ing into a server (a Mac Mini).
The Macbook Air’s details:
Computer Name: mba Username: josh IP Address: DHCP, on the same local network as the server
The Mac Mini Server’s details:
Computer Name: server Username: admin IP Address: static @ 10.0.1.60
1) Getting yourself logged in
It’s important to note that the usernames for the two computers are different since that’s the first gotcha most people run into when getting started. ssh will ask for a password for the remote computer, but will not ever prompt you for a user name. If not told otherwise ssh will assume the user name on the remote machine will be identical to the user name on the local computer. So typing something like this:
$ ssh 10.0.1.60
will never be able to connect because there is no user named ‘josh’ on the server. How do you specify a user? There are two different ways: Prepend the user name before the servername (user@server) or use the -l switch. Personally I prefer using the @ because it is one less switch that needs to be passed if you choose to pipe the command (which means less chance of something weird happening). Both commands below have the same effect of choosing the admin user.
$ ssh firstname.lastname@example.org $ ssh 10.0.1.60 -l admin
which gives you the successful login message:
Last login: Wed Mar 20 11:51:10 2013 server:~ admin$
If you are working in a bonjour-enabled environment, you could also have typed
$ ssh email@example.com
and that would have gotten you in just the same, but without having to remember the IP address. An IPv4 address isn’t all that hard, but when things go full IPv6 remembering and typing out specific addresses will be tedious.
An interesting little trick is that you can also add commands at the end of a ssh login request if you know exactly what you want to do and don’t need any feedback (creating a folder, running a script, starting a permissions repair, etc.). This is done like so:
$ ssh firstname.lastname@example.org mkdir NEW_FOLDER
This will create a new folder on the remote server in the admin’s home folder.
scp allows you to copy files and folders to and from a remote computer. It uses the same login and data encryption methods as ssh, and therefore just as secure. You can adjust the encryption method manually if you prefer to trade security for speed.
scp [source file] [destination]
Some notes on the following syntax that are universal to terminal:
~ == Start the path at your home folder. ~/Desktop references the specified user's desktop . == . (dot or period) means 'here' as in "copy the file right here, in the folder where I'm at now"
When referencing a remote file you use the same username@server syntax, but append the path to your file separated by a colon. This will copy the local file ‘foo.bar’ from our current working directory to the Desktop of our remote server:
$ scp foo.bar email@example.com:~/Desktop/ $ scp foo.bar firstname.lastname@example.org:~/Desktop/
Note: Both lines have the same outcome, just using a different method to name the remote computer
This will copy the specified file from the remote server to your local computer (note the “.” at the end, indicating it should copy the file to our current working directory):
$ scp email@example.com:~/foo.bar .
scp -r will copy whole folders recursively:
$ scp -r Camera/ firstname.lastname@example.org:~/
scp -p will preserve file time stamps while copying. This may not matter to most people, but useful if you don’t want all of your files looking like they were created a few minutes apart from eachother. The -r and -p switches can be combined to say
$ scp -rp Camera/ email@example.com:~/
For large files or when copying many files/folders recursively scp will display a progress bar:
Biggish_File.dmg 2% 96MB 11.9MB/s 05:30 ETA
If you are transferring a very large file, and are not terribly concerned about security, you can lower the level of encryption, which can speed up scp significantly. Through some research and my own testing, I have found that the ARC4 (or arcfour) cipher is the fastest way to transfer using scp:
$ scp -c arcfour Big_File firstname.lastname@example.org:~/
One other trick is to use /dev/null as a destination if you want to test transfer speeds without filling up the destination drive. This allows you to send multiple gigabyte files without actually storing anything on the remote end. The syntax for this would look like:
$ scp -c arcfour Test_File email@example.com:/dev/null
After trying all those examples you are probably sick of typing in your password over and over and over and over again. Now on to Part 3!
Insert the obligatory ‘be careful when using saved passwords’ warning here. If bad people get access to your computer very bad things could happen. Ok. Warning received. Moving on.
If you are logging in to a remote machine frequently, or want to add ssh functionality into an automated script you can register your two computers together by sending their keys back and forth which does the automatic authentication without the prompt for typing in a password. In an extremely abbreviated explanation keys work in pairs, one public you share with the world, one private you keep well protected. On you own local machine (not ssh’ed in elsewhere) in your terminal window type:
Press enter a few times until you get something like this:
Generating public/private rsa key pair. Enter file in which to save the key (/Users/josh/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /Users/josh/.ssh/id_rsa. Your public key has been saved in /Users/josh/.ssh/id_rsa.pub. The key fingerprint is: 61:FA:KE:HE:XA:DE:CI:MA:LS:65 firstname.lastname@example.org The key's randomart image is: +--[ RSA 2048]----+ | | | pretty | | ascii | | | | art | | goes | | | | here | | | +-----------------+
now do a ls -l .ssh/
$ ls -l .ssh/ -rw------- 1 josh staff 1675 Mar 20 12:05 id_rsa <--- priavte -rw-r--r-- 1 josh staff 403 Mar 20 12:05 id_rsa.pub <--- public -rw-r--r-- 1 josh staff 782 Mar 20 09:24 known_hosts <--- list of previous connections
id_rsa is the file you don’t want ending up in other’s hands. id_rsa.pub is the public file that you’re going to copy to the server you want to have password-less connections to. There is a third file ~/.ssh/authorized_keys2 that ssh stores your public key in. You can have multiple public keys saved in that one ~/.ssh/authorized_keys2 file, if you want to have multiple computers have auto-login access. Now, we could use Finder, filesharing & Textedit to copy our public key over, but we’re better than that!
$ cat .ssh/id_rsa.pub | ssh email@example.com 'cat >> .ssh/authorized_keys2'
cat outputs the contents of a file to standard output (your screen displays standard output). The output of id_rsa.pub is captured by the pipe (|) which routes the output to ssh admin@ 10.0.1.60. We add a command at the end of our ssh login request ‘cat >> .ssh/authorized_keys2’ where the >> means save the output of cat .ssh/id_rsa.pub into this file .ssh/authorized_keys2 and if it exists already, add the new text to the end of the file. A single > would overwrite the whole file clean.
Now try logging in again and huzzah! No password prompt!
Now that we have covered basic file movements with scp and passwordless logins with ssh, there is one more trick up scp’s sleeve: coping from one remote computer to another. There are two ways to make this happen: Directly, and with your computer as a go-between. If you want the two remote computers to communicate directly you first have to setup passwordless logins between the two. Once that is done:
$ scp firstname.lastname@example.org:~/foo.bar email@example.com:~/
If you aren’t able or don’t want to setup automatic logins, the -3 option will transfer from remote1 -> local -> remote3 (-3 is odd notation for switches – they are not typically numerals. scp actually has a few numeral switches. weird.)
$ scp -3 firstname.lastname@example.org:~/foo.bar email@example.com:~/
And there you have it. You are now a master of SSH and SCP. Go forth and prosper!