Steve Dondley
2020-Dec-09 18:45 UTC
Transferring files between servers on a private network?
Ok, thanks for the insight.

Yeah, I was trying to avoid agent forwarding because of the advice I've seen to avoid it, if possible. I'm trying to figure out what the best practice might be so I wanted to see how this could be done in the most secure manner possible.

Only other method I can think of is to have a third machine, machine C, that is only available on the private network and contains the private key for all the other machines. So I'd log into machine C via some bastion/jump server. Machine C would hold the private key used by machine B and machine A and I could use it to transfer files between machines A and B.

On Wed, Dec 9, 2020 at 1:14 PM Brian Candler <b.candler at pobox.com> wrote:

> On 09/12/2020 17:48, Steve Dondley wrote:
> > Though the command works and transfers files between machines, I'm not sure
> > if it does it strictly over the private network. How can I be sure the file
> > isn't going from B to A over the private network and then down to my local
> > machine over the public network and then back up to A over the public
> > network and then back to A on the private network?
>
> It *is* going up to your local client and back again: -3 (third party
> copy) does exactly that. It makes separate ssh connections to the two
> hosts (which is why the ProxyCommand is required in your case), slurps
> the file from the left-hand host and uploads it to the right-hand host.
>
> If you don't want to do that, then omit the -3. Then it will login to
> left-host, and instruct it to copy the given file to right-host.
> However you may need to use agent forwarding so that left-host can
> authenticate to right-host.
>

-- 
Prometheus Labor Communications, Inc.
http://prometheuslabor.com
413-572-1300
UnionConnect Phone App for Labor Unions
http://unionconnect.com
Brian Candler
2020-Dec-09 19:39 UTC
Transferring files between servers on a private network?
On 09/12/2020 18:45, Steve Dondley wrote:
> Ok, thanks for the insight.
>
> Yeah, I was trying to avoid agent forwarding because of the advice
> I've seen to avoid it, if possible.

As far as I know, you'd mainly want to avoid it if you don't trust the left-hand machine (i.e. the source, the one you called "B"). A malicious administrator on that host could connect to your agent socket and authenticate, as you, to any other machine that trusts your key.

But to be honest, if a machine is malicious, I wouldn't want to ssh into it in the first place. It could do plenty of other nasty things, such as logging my keystrokes.

> Only other method I can think of is to have a third machine, machine
> C, that is only available on the private network and contains the
> private key for all the other machines. So I'd log into machine C via
> some bastion/jump server. Machine C would hold the private
> key used by machine B and machine A and I could use it to transfer
> files between machines A and B.

Copying your private key onto other machines is, in general, way less secure than using agent forwarding.

You could ssh to C (that you trust), with agent forwarding enabled, and use it to third-party copy between B and A (*without* enabling agent forwarding from C to B or C to A)
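Below is an added example of the arrangement Brian describes in the reply above; it is not code posted in this thread. The agent is forwarded only to the trusted host C (reached through the bastion), and the third-party copy is run on C, so both scp connections start on the private network. The host aliases bastion, c, a and b, the 10.0.0.3 address, bastion.example.com and the file paths are assumptions. The probe functions also give the check a practitioner wants: that the agent is visible on C and, deliberately, not on B.

```shell
#!/bin/sh
# Added example (not from the thread): forward the agent only to trusted host C,
# then run scp -3 on C so that both hops stay on the private network.
# Host aliases bastion/c/a/b, 10.0.0.3, bastion.example.com and the paths are assumptions.
set -eu

# ~/.ssh/config fragment for the LOCAL client. The agent is forwarded to C only.
# ProxyJump does the bastion hop that the thread did with a ProxyCommand.
# A and B are never contacted from the local client, so they get no entry here;
# C's own ssh config should leave ForwardAgent at its default (no) for them.
client_ssh_config() {
  cat <<'EOF'
Host c
    HostName 10.0.0.3
    ProxyJump bastion
    ForwardAgent yes

Host bastion
    HostName bastion.example.com
    ForwardAgent no
EOF
}

# The command to run ON C. With -3, scp opens two ssh connections from C (one to
# the source, one to the destination) and relays the bytes through C, so nothing
# crosses the public network. -o ForwardAgent=no is the default, spelled out so
# it is obvious that neither A nor B is given the forwarded agent socket.
# $1 = source host:path, $2 = destination host:path.
copy_cmd() {
  printf 'scp -3 -o ForwardAgent=no %s %s' "$1" "$2"
}

# Probe to run ON C against another host: ssh-add -L lists the keys reachable
# through a forwarded agent. Run against B with forwarding off it must fail with
# "Could not open a connection to your authentication agent" (ssh-add exits 2),
# which is the check that B cannot authenticate as you to anything else.
# $1 = host alias.
agent_probe_cmd() {
  printf 'ssh -o ForwardAgent=no %s ssh-add -L' "$1"
}

# Whole procedure from the local client:
#   1. agent must be visible on C (forwarded per the config above),
#   2. agent must NOT be visible on B when reached from C,
#   3. perform the copy from C.
transfer_via_c() {
  src=$1 dst=$2
  ssh c 'ssh-add -L' >/dev/null                      # keys listed on C, else abort
  set +e
  ssh c "$(agent_probe_cmd b)" >/dev/null 2>&1       # expected to fail with status 2
  status=$?
  set -e
  case $status in
    2) ;;                                            # no agent on B: what we want
    0) echo "agent reachable from b: forwarding leaked" >&2; return 1 ;;
    *) echo "probe of b failed with status $status" >&2; return 1 ;;
  esac
  ssh c "$(copy_cmd "$src" "$dst")"
}

# Only touches real hosts when invoked with --run; otherwise just defines the above.
if [ "${1:-}" = "--run" ]; then
  transfer_via_c b:/srv/data/report.tgz a:/srv/data/report.tgz
fi
```

Run it as `sh transfer.sh --run` from the local machine. Loading the key with `ssh-add -c` (confirm each use) further limits what an administrator of C could do with the forwarded socket while the session is open: every signature request then has to be approved on the local machine.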