Home / server / Questions / 144216
Accepted
corsiKa
Asked: 2010-05-22 11:20:07 +0800 CST

Determine if the "yes" is necessary when doing an SCP

  • 772

I'm writing a Groovy script to do an SCP. Note that I haven't ran it yet, because the rest of it isn't finished. Now, if you're doing an scp for the first time, have to authenticate the fingerprint. Future times, you don't.

My current solution is, because I get 3 tries for the password, and I really only need 1 (it's not like the script will mistype the password... if it's wrong, it's wrong!) is to pipe in "yes" as the first password attempt. This way, it will accept the fingerprint if necessary, and use the correct password as the first attempt. If it didn't need it, it puts yes as the first attempt and the correct as the second.

However, I feel this is not a very robust solution, and I know if I were a customer I would not like seeing "incorrect password" in my output. Especially if it fails for another reason, it would be an incredibly annoying misnomer.

What follows is the appropriate section of the script in question. I am open to any tactics that involve using scp (or accomplishing the file transfer) in a different way. I just want to get the job done. I'm even open to shell scripting, although I'm not the best at it.

def command = []
command.add('scp')
command.add(srcusername + '@' + srcrepo + ':' + srcpath)
command.add(tarusername + '@' + tarrepo + ':' + tarpath)

def process = command.execute()
process.consumeOutput(out)
process << "yes" << LS << tarpassword << LS
process << "yes" << LS << srcpassword << LS
process.waitfor()

Thanks so much,

glowcoder

scp fingerprint

3 Answers

  1. Woefully insecure answer: http://linuxcommando.blogspot.com/2008/10/how-to-disable-ssh-host-key-checking.html

    (Basically feed the ssh command options directives that make it look at /dev/null for host keys & ignore the fact that it's never seen the key before -- Fixes the problem, but throws away any security precautions & leaves you open to password or private key harvesting attacks)

    • 1

  2. Why not write a wrapper for ssh that basically performs a ssh-keyscan and then checks for the presence of the hostkey in ~/.ssh/known_hosts? If it's not in known_hosts, then expect the yes.

    • 1
  3. Best Answer
    man ssh_config

    "... StrictHostKeyChecking If this flag is set to yes'', ssh(1) will never automatically add host keys to the ~/.ssh/known_hosts file, and refuses to connect to hosts whose host key has changed. This provides maximum protection against trojan horse attacks, though it can be annoying when the /etc/ssh/ssh_known_hosts file is poorly main‐ tained or when connections to new hosts are frequently made. This option forces the user to manually add all new hosts. If this flag is set tono'', ssh will automatically add new host keys to the user known hosts files. If this flag is set to ask'', new host keys will be added to the user known host files only after the user has confirmed that is what they really want to do, and ssh will refuse to connect to hosts whose host key has changed. The host keys of known hosts will be verified automatically in all cases. The argument must beyes'', no'', orask''. The default is ``ask''. ..."

    • 1