[Tgcmgroup] file transfer between hao and scd supers

Ben Foster foster at hao.ucar.edu
Tue May 11 16:17:23 MDT 2004

Hi tgcmgroup:

This outlines methods for file transfer (secure copy, or "scp") 
between hao and scd systems for use by the hao TISO group (or
anyone else at hao). Scp replaces the insecure rcp command we 
have used in the past.  

This message assumes you are able to login to the scd supers from 
hao using "ssh -X roy.ucar.edu" and the CryptoCard.

Basic use of scp (secure copy) (see also "man scp"):

1. The scp command must be initiated from an scd server 
   (never from the hao workstation).

2. The basic form of the scp command is (same as rcp): 

   scp source destination

   where either source or destination is the remote file user@host:path, 
   depending on the direction of the copy, e.g.:

   scd-prompt> scp test cedar.hao:test   # put file test on cedar
   scd-prompt> scp cedar.hao:test test   # get file test from cedar

   You will have to provide your hao password for each scp command
   (see steps below to set up unattended scp).

3. If you are working from an hao Sun system and scp does not work,
   it may be that the ssh daemon is not running on your workstation.
   Send mail to hao "trouble" and ask to have sshd started on your

Steps to set up unattended scp file transfer, i.e., scp without a password:
(see also http://www.scd.ucar.edu/docs/access/transfer.html and "man ssh-keygen")

1. Issue the following command from the scd server (dave in this case):

   dave-prompt> ssh-keygen -t dsa -b 1024 -C 'user@dave' -P ''

   Where: ssh-keygen is the command to set up public/private key paired files.
          -t dsa   means type DSA encryption
          -b 1024  means the keys will be 1024 bytes
          -C '...' is a comment to accompany the keys
          -P ''    means a null password
          "user"   is your login name

   You can hit return when it asks where to put the key files (i.e., in ~/.ssh).
   This command should create 2 files on dave:
     ~/.ssh/id_dsa      # the private key (rw only by owner)
     ~/.ssh/id_dsa.pub  # the public key  (generally readable)

2. Now scp the public key ~/.ssh/id_dsa.pub from dave to ~/.ssh on your hao
   workstation. Then rename it authorized_keys (or, if authorized_keys
   already exists, append id_dsa.pub to authorized_keys). The original
   id_dsa.pub can be removed from dave.

3. Next copy the private key ~/.ssh/id_dsa on dave to your home on dave.
   I have been told by consultants that scd may occasionally overwrite
   files in ~/.ssh, so this is to save the private key in your home.

4. Scp should now work without a password. By default, scp will use the
   private key ~/.ssh/id_dsa. If you want/need to use the copy in your
   home, use "scp -i ~/id_dsa ...". You can also alias scp to scp -i ~/id_dsa.
   Once it's working on dave, it will also work on blackforest, since bf and
   dave use the same file system.

5. You must follow this procedure on each scd server from which you wish
   to use scp (e.g., bluesky, dataproc, chinook, etc). When you get the 
   public key for each machine, just append it to ~/.ssh/authorized_keys 
   at hao.


Ben Foster		      	High Altitude Observatory (HAO)
foster at ucar.edu			phone: 303-497-1595  fax: 303-497-1589  
Nat. Center for Atmos. Res.     P.O. Box 3000 Boulder CO 80307 USA
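
Steps 2 and 5 of the unattended-scp procedure above, as an added example that is not part of the original message: a helper for the hao side that checks the copied file really is a single public key line, appends it to authorized_keys only once, and sets owner-only permissions. The function name install_pubkey and the optional from="..." host pattern (an OpenSSH authorized_keys option) are assumptions of this example.

```shell
# Added example, not from the original post. install_pubkey is a hypothetical helper.
# Usage on the hao workstation: install_pubkey id_dsa.pub ~/.ssh [from-pattern]
install_pubkey() {
    pub=$1; dir=$2; from=${3:-}
    auth="$dir/authorized_keys"

    # Accept only a file holding exactly one "<type> <base64> [comment]" line,
    # so a stray file (for instance the private key) is never appended by mistake.
    key=$(awk 'NF { n++; t = $1; b = $2; line = $0 }
        END { if (n == 1 &&
                  t ~ "^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))$" &&
                  b ~ "^[A-Za-z0-9+/=]+$") print line; else exit 1 }' "$pub") || {
        echo "install_pubkey: $pub is not a single public key line" >&2
        return 2
    }

    # The pattern is written inside double quotes, so refuse quotes and spaces.
    case $from in
        *\"*|*" "*) echo "install_pubkey: bad from pattern" >&2; return 2 ;;
    esac

    # sshd (StrictModes, on by default) ignores authorized_keys when the
    # directory or file is group- or world-writable; make both owner-only.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Idempotent: compare on the base64 key blob, so the same key with a
    # different comment or option prefix is not added a second time.
    blob=$(printf '%s\n' "$key" | awk '{ print $2 }')
    if grep -qF -- "$blob" "$auth"; then
        return 0
    fi

    # A key made with "ssh-keygen -P ''" has no passphrase; from="..." limits
    # the hosts that may use it if the private key file is ever copied.
    if [ -n "$from" ]; then
        printf 'from="%s" %s\n' "$from" "$key" >> "$auth"
    else
        printf '%s\n' "$key" >> "$auth"
    fi
}
```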
