How to securely copy files between Linux hosts using SCP and SFTP

Recently, we looked at the rsync command for syncing files between locations, and we discussed the similarity of usage and syntax when duplicating files and directories with the cp command. In that article, we looked at moving the bits back and forth on the same box, between filesystems, or between devices. In an upcoming article, we'll look more at rsync as a tool to keep remote filesystems in sync with a local or backup version. In this article, I want to take a look at one of the most useful and used tools in the Linux sysadmin toolbox—the scp command.

What is SCP?

Secure Copy, or scp, is a secure version of the older rcp tool (which is still used, but less common) included in the OpenSSH suite of tools.

OpenSSH started as a BSD fork of the original SSH secure communications protocol, which has since become re-licensed as "non-free" and thus not generally available for Linux. OpenSSH is still maintained under the BSD license and is available for a wide range of platforms. It includes several common tools for secure remote access, including key generation, scp, and sftp (a secure version of FTP, which we'll get to in a bit).

Recently, OpenSSH developers have indicated that they consider scp to be deprecated (they believe it is "Outdated, inflexible and not easily fixed"). It is unclear when it will cease to be available in future releases of OpenSSH, though it's hard to imagine that it will be dropped anytime soon.

Use SCP

The usefulness of scp lies in its simplicity. I use it to quickly move files to a remote filesystem from the shell:

skipworthy ~ scp ./enable/foo/testfoo showme:/home/skipworthy/enable

skipworthy@showme's password:

testfoo 100% 25 8.0KB/s 00:00

Easy as pie. I can get a file from a remote location, too:

skipworthy ~ scp showme:/home/skipworthy/enable/demofoo ~/enable/

skipworthy@showme's password:

demofoo 100% 0 0.0KB/s 00:00

 skipworthy ~ ls ./enable

bar demofoo foo

The available connection options are the same as with ssh. For example:

skipworthy ~ scp -P 2020 -i ~/.ssh/id_rsa ./test.txt showme:/home/skipworthy/enable/

test.txt 100% 0 0.0KB/s 00:00    

-P specifies the port for the ssh connection, -i specifies an ssh id key to use for authentication: Both these options are useful for scripts. Note that the scp -P differs from the ssh -p for specifying the port. In the example above, I set the location of an ssh key (~/.ssh/id_rsa)—which I also generated using the OpenSSH toolkit—to authenticate access to the remote device. Learn about SSH file copies here.

So you can see scp is a really useful tool to have at your fingertips. There is some discussion of the wisdom of using this tool in a secure environment, so YMMV. I'd suggest doing some reading and deciding for yourself.

[ You might also like: Sysadmin tools: Using rsync to manage backup, restore, and file synchronization ]

Alternatives

What if, for whatever reason, we can't use scp? I recommend two other options that are pretty easy to use: rsync, which we have talked about here and will discuss in more depth in another article, and sftp. While neither of these options is as convenient as scp, both have some useful features.

sftp is pretty much what it sounds like: Secure FTP. It acts like FTP over an SSH-managed connection. While it's not as simple to use as the "one and done" scp command, it offers a range of more sophisticated filesystem options and the ability to connect to a remote filesystem interactively. It does require that the target filesystem be configured for sftp access.

Let’s connect to an sftp server interactively:

skipworthy ~ sftp enable@ganymede

enable@ganymede's password:

Connected to ganymede.

sftp> pwd

Remote working directory: /upload

sftp> mkdir test

sftp> ls -al

drwxr-xr-x 3 1002 1002 18 Nov 24 21:53 .

drwxr-xr-x 3 0 1002 20 Nov 24 21:33 ..

drwxr-xr-x 2 1002 1002 6 Nov 24 21:53 test

If we hit Tab twice, we can see a list of commands available at the shell:

sftp>

bye cd chdir chgrp chmod chown df dir       

exit get help lcd lchdir lls lmkdir ln        

lpwd ls lumask mkdir mget mput progress put       

pwd quit reget rename reput rm rmdir symlink   

version ! ?         

So you can see it's possible to interact with the remote filesystem. Again, the main disadvantages are the target has to be configured for sftp access and access to a specific directory has to be configured and limited by the admin of that system. This makes it a more secure, if less convenient, option than scp. Also, note that while it's not really possible to do impromptu file transfers like scp, it is possible to write scripts and insert shell aliases to make this work more smoothly if that's your jam.

[ Thinking about security? Check out this free guide to boosting hybrid cloud security and protecting your business. ] 

Wrap up

Final note: Both these tools rely on the SSH toolbox, which is a very important part of Linux systems administration, so I highly recommend getting comfortable with it. Consider these excellent articles by Enable Sysadmin writers:

• How SSH establishes secure communication
• Eight ways to protect SSH access on your system
• Passwordless SSH using public-private key pairs