Should I be able to scp between two remote hosts? - SSH
#1

Even with ssh-agent running and both private keys activated, I can
never get scp to work directly between two remote hosts, but I can
do it indirectly by copying to and from the local host:

    $ scp foo:~/test.txt bar:~/
    Permission denied, please try again.
    Permission denied, please try again.
    Permission denied (publickey,password,keyboard-interactive).
    lost connection

    $ scp foo:~/test.txt .
    test.txt 100% 1166 1.1KB/s 00:00

    $ scp test.txt bar:~/
    test.txt 100% 1166 1.1KB/s 00:00

Is the failure of the first command above normal, or have I
misconfigured something?

Thanks,
Adam

#2

>>>>> "AF" == Adam Funk

    AF> Even with ssh-agent running and both private keys activated, I can
    AF> never get scp to work directly between two remote hosts, but I can
    AF> do it indirectly by copying to and from the local host:

    AF> $ scp foo:~/test.txt bar:~/ Permission denied, please try again.
    AF> Permission denied, please try again. Permission denied
    AF> (publickey,password,keyboard-interactive). lost connection

    AF> $ scp foo:~/test.txt . test.txt 100% 1166 1.1KB/s 00:00

    AF> $ scp test.txt bar:~/ test.txt 100% 1166 1.1KB/s 00:00

    AF> Is the failure of the first command above normal, or have I
    AF> misconfigured something?

    AF> Thanks, Adam

"scp foo:bar baz:blurfl" runs (essentially) "ssh foo scp bar baz:blurfl",
so authentication has to work from foo to bar directly.

--
Richard Silverman
res@qoxp.net

#3

On 2007-12-04, Richard E. Silverman wrote:

>>>>>> "AF" == Adam Funk
>
> AF> Even with ssh-agent running and both private keys activated, I can
> AF> never get scp to work directly between two remote hosts, but I can
> AF> do it indirectly by copying to and from the local host:
>
> AF> $ scp foo:~/test.txt bar:~/ Permission denied, please try again.
> AF> Permission denied, please try again. Permission denied
> AF> (publickey,password,keyboard-interactive). lost connection
>
> AF> $ scp foo:~/test.txt . test.txt 100% 1166 1.1KB/s 00:00
>
> AF> $ scp test.txt bar:~/ test.txt 100% 1166 1.1KB/s 00:00
>
> AF> Is the failure of the first command above normal, or have I
> AF> misconfigured something?
>
> AF> Thanks, Adam
>
> "scp foo:bar baz:blurfl" runs (essentially) "ssh foo scp bar baz:blurfl",
> so authentication has to work from foo to bar directly.

Aha, I understand. The problem isn't my configuration but that I was
trying to do something that turns out to be unreasonable --- although
man scp makes it sound OK.

Thanks for the explanation.

#4

At 2007-12-03 11:47PM, "Richard E. Silverman" wrote:

> >>>>> "AF" == Adam Funk
> AF> Even with ssh-agent running and both private keys activated, I can
> AF> never get scp to work directly between two remote hosts, but I can
> AF> do it indirectly by copying to and from the local host:
[...]
> "scp foo:bar baz:blurfl" runs (essentially) "ssh foo scp bar baz:blurfl",
> so authentication has to work from foo to bar directly.

The ssh "-A" option for agent forwarding would be useful here. Anyone
know why scp does not have that option?

--
Glenn Jackman
"You can only be young once. But you can always be immature." -- Dave Barry

#5

The "man" page states explicitly that this can be done:

"Any file name may contain a host and user specification to indicate
that the file is to be copied to/from that host. Copies between two
remote hosts are permitted."

I've done it and AFAIK it requires that a) the key used be one of the
defaults, like id_rsa or id_dsa, b) no passphrase, c) all three
servers (the one issuing the command and the two remotes) accept the
default from the other.

Assume SvrA is where the scp command will be issued, SvrB and SvrC are
the remotes that are the source and destination of the copied file.

On SvrA, run "ssh-keygen -t dsa -f ~/.ssh/id_dsa", and hit enter at
both "pass-phrase" prompts.

Add id_dsa.pub to ~/.ssh/authorized_keys on SvrA.

Copy, by whatever means you choose, the id_dsa.pub file to both SvrB
and SvrC. Add it to the appropriate "authorized_keys" file on both B
and C.

Now "slogin" in from A->B, A->C, B->A, B->C, C->A and C->B. This gets
the appropriate info into the "known_hosts" file on each machine.

Once all of the above function properly, on SvrA you should be able to
run:

    scp SvrB:/some_source_file SvrC:/some_destination_file

Note that you can extend this to:

    scp MyFirstID@SvrB:/source_file MySecondID@SvrC:/dest_file

It's a matter of getting the keys in the correct files for each ID /
Server you want to use.

There may be other methods...but this is what I've got working.

#6

On 2007-12-04, OldSchool wrote:

> The "man" page states explicitly that this can be done:

That's why I was trying to do it!

> I've done it and AFAIK it requires that a) the key used be one of the
> defaults, like id_rsa or id_dsa, b) no passphrase, c) all three
> servers (the one issuing the command and the two remotes) accept the
> default from the other.

I don't think it's worth having passphrase-free keys just for the rare
occasions when it would be useful to do this remote-remote copying.

Thanks for the explanation.

#7

On 5 Dec, 21:03, Adam Funk

> On 2007-12-04, OldSchool wrote:
> > The "man" page states explicitly that this can be done:
>
> That's why I was trying to do it!
>
> > I've done it and AFAIK it requires that a) the key used be one of the
> > defaults, like id_rsa or id_dsa, b) no passphrase, c) all three
> > servers (the one issuing the command and the two remotes) accept the
> > default from the other.
>
> I don't think it's worth having passphrase-free keys just for the rare
> occasions when it would be useful to do this remote-remote copying.
>
> Thanks for the explanation.

You can load the keys via ssh-agent for typing free use. That's what
it's for.

#8

In article

>At 2007-12-03 11:47PM, "Richard E. Silverman" wrote:
>> >>>>> "AF" == Adam Funk
>> AF> Even with ssh-agent running and both private keys activated, I can
>> AF> never get scp to work directly between two remote hosts, but I can
>> AF> do it indirectly by copying to and from the local host:
>[...]
>> "scp foo:bar baz:blurfl" runs (essentially) "ssh foo scp bar baz:blurfl",
>> so authentication has to work from foo to bar directly.
>
>The ssh "-A" option for agent forwarding would be useful here. Anyone
>know why scp does not have that option?

Or at least '-oForwardAgent yes', but all -o options are thrown away
when doing remote-to-remote - does anyone know why *that* is? However
if you have (a carefully guarded) 'ForwardAgent yes' in your
ssh_config, it will apply to the initial ssh leg of scp
remote-to-remote too... - and can't be overridden with
'-oForwardAgent no' on the commandline, since that is thrown away...

--Per Hedeland
per@hedeland.org

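Since a 'ForwardAgent yes' in ssh_config decides which first-hop hosts get access to the agent, its scope is worth checking. The following is an added example, not code from the thread: it resolves the effective ForwardAgent value per host from config text using a simplified model (Host blocks only, no Match or Include). The sample config, the host names other than foo and bar, and all function names are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample ssh_config (placeholder hosts, not from the thread).
SAMPLE_CONFIG = """\
Host foo
    ForwardAgent yes
Host *.lab.example !build.lab.example
    ForwardAgent=yes
Host *
    ForwardAgent no
"""

def parse_blocks(text):
    """Return [(patterns, {keyword: value})] in file order; options before any Host are global ('*')."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        m = re.match(r"\s*(\w+)(?:\s*=\s*|\s+)(.*?)\s*$", raw)
        if not m:
            continue  # blank line, comment, or keyword without a value
        key, value = m.group(1).lower(), m.group(2).strip('"')
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first occurrence wins
    return blocks

def host_matches(host, patterns):
    """A matching negated pattern (!pat) vetoes the block; else any positive match suffices."""
    if any(p.startswith("!") and fnmatchcase(host, p[1:]) for p in patterns):
        return False
    return any(fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def effective_forward_agent(text, host):
    """ssh_config keeps the first value obtained, so scan blocks in order."""
    for patterns, opts in parse_blocks(text):
        if "forwardagent" in opts and host_matches(host, patterns):
            return opts["forwardagent"].lower()
    return "no"  # OpenSSH default when nothing sets it

def broad_forwarding(text):
    """Pattern lists that enable agent forwarding through a wildcard."""
    return [pats for pats, opts in parse_blocks(text)
            if opts.get("forwardagent", "").lower() == "yes"
            and any("*" in p or "?" in p for p in pats)]

if __name__ == "__main__":
    for h in ("foo", "db.lab.example", "build.lab.example", "bar"):
        print(h, effective_forward_agent(SAMPLE_CONFIG, h))
    print("wildcard blocks:", broad_forwarding(SAMPLE_CONFIG))
```

On a live client, `ssh -G <host>` prints the configuration as OpenSSH itself resolves it, including the Match and Include handling this model omits.
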
#9

On 2007-12-06, Nico Kadel-Garcia wrote:

> On 5 Dec, 21:03, Adam Funk
>> On 2007-12-04, OldSchool wrote:
>> > I've done it and AFAIK it requires that a) the key used be one of the
>> > defaults, like id_rsa or id_dsa, b) no passphrase, c) all three
>> > servers (the one issuing the command and the two remotes) accept the
>> > default from the other.
>>
>> I don't think it's worth having passphrase-free keys just for the rare
>> occasions when it would be useful to do this remote-remote copying.
>>
>> Thanks for the explanation.
>
> You can load the keys via ssh-agent for typing free use. That's what
> it's for.

I do that already. But what OldSchool is saying (I think) is that in
order to do this

    local $ scp foo:~/file bar:~/

you have to have on host foo a passphrase-free key to your account on
bar.

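The passphrase-free key discussed in posts #5, #6 and #9 can be recognised from the key file alone. The following is an added example, not code from the thread: it classifies a private key file as passphrase-protected or not from its on-disk format. It goes beyond the id_rsa/id_dsa PEM files of the thread's era by also covering PKCS#8 and the later OpenSSH key format; the function names are hypothetical and every sample input is a constructed placeholder containing no key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"  # AUTH_MAGIC of the OpenSSH private key format

def is_encrypted(key_text):
    """True/False for recognised private key formats, None if unrecognised."""
    lines = key_text.strip().splitlines()
    if len(lines) < 2:
        return None
    first = lines[0].strip()
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(l.strip() for l in lines[1:-1]))
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return None
        # The magic is followed by a length-prefixed cipher name;
        # "none" means the key material is stored without a passphrase.
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True    # PKCS#8, encrypted
    if first == "-----BEGIN PRIVATE KEY-----":
        return False   # PKCS#8, plaintext
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is announced in a header line.
        return any(l.strip() == "Proc-Type: 4,ENCRYPTED" for l in lines[1:4])
    return None

def sample_openssh(cipher):
    """Constructed header-only blob (no key material) in OpenSSH framing."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed legacy-PEM samples; the base64 body is a dummy, not a key.
LEGACY_PLAIN = "-----BEGIN DSA PRIVATE KEY-----\nAAAA\n-----END DSA PRIVATE KEY-----\n"
LEGACY_ENC = ("-----BEGIN DSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
              "AAAA\n-----END DSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, text in [("openssh/none", sample_openssh(b"none")),
                       ("openssh/aes256-ctr", sample_openssh(b"aes256-ctr")),
                       ("legacy plain", LEGACY_PLAIN), ("legacy enc", LEGACY_ENC)]:
        print(name, "->", "passphrase-protected" if is_encrypted(text) else "NO passphrase")
```
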




