So I was able to successfully install CyberDuck on my MacBook and configure it with my VPS using SSH Authentication Keys and a Passphrase on my Private Key.
It seems to be working well, and I feel like I can trust it when uploading files to my VPS.
But what about downloading?
This may sound dumb, but I am not entirely sure how to securely download things (e.g. Server Backups) from my VPS to my MacBook using CyberDuck...
I've not used CyberDuck but a quick look at the web site confirms my thoughts -- you drag and drop in the same way as uploading.
That is what I assumed, but it just makes me feel so uneasy...
How can I get better reassurance that I will NOT be sending a backup file of my VPS - and user data in my database - blindly across the open Internet??
Is there anything I can look for visually?
Any way to tell if something is broken and not sending things over SSH?
Or is there a better way to get backups off my VPS and to a remote computer/disk like my laptop?
Quote:
Originally Posted by RobInRockCity
That is what I assumed, but it just makes me feel so uneasy...
How can I get better reassurance that I will NOT be sending a backup file of my VPS - and user data in my database - blindly across the open Internet??
Is there anything I can look for visually?
Any way to tell if something is broken and not sending things over SSH?
Or is there a better way to get backups off my VPS and to a remote computer/disk like my laptop?
Sincerely,
Rob
If the encryption of SSH broke, then the file would not transfer. I don't understand where your anxiety comes from, why would things suddenly be connected without encryption?
If the encryption of SSH broke, then the file would not transfer.
Okay.
Quote:
Originally Posted by 273
I don't understand where your anxiety comes from,
Because every time you hear about a data breach in the news it is because people were not anxious enough like I am!!
Computer stuff breaks all of the time, and the longer you work with technology the more nervous it should make anyone!
Quote:
Originally Posted by 273
why would things suddenly be connected without encryption?
Here is a real-world example...
I have a VPN service - which is turning out to be a piece of crap!
It is VERY common for me to think I am logged into my VPN, but the SSL tunnel was broken because of a microsecond hiccup in my free wi-fi connection at the library or McDonalds.
So, I might be at the library doing something that requires privacy and security, and think that my VPN is covering me, when it turns out that I have been surfing the Internet for over an hour over an HTTP connection using Free Wi-Fi!!!
-----
When I dragged my test backup tar from my VPS last night, it appeared that CyberDuck was on and working, but the whole "drag and drop thing" isn't really scientific!!!
I guess I would feel more secure if I had to go into CyberDuck, navigate to my VPS, select the tar I want to transfer, and then click some button. That way I would know CyberDuck is working.
In the end, I am just trying to be REALLY CAREFUL until I master all of this new stuff, because I would feel horrible if I did something negligent and exposed a database with 10,000 people's customer data all because I didn't know how to safely download backups off of my VPS!!!
Sincerely,
Rob
P.S. This is where astrogeek would again probably encourage me to skip the GUI and do all of this via command-line. Probably not a bad idea, but it will take me time to learn, and in the meantime, I am hoping that CyberDuck is an okay GUI alternative!
Last edited by RobInRockCity; 02-24-2015 at 02:05 PM.
TBH, downloading and uploading in ssh via the cli is almost too easy.
You use scp or Secure CoPy.
Code:
scp hostname:file directory/
will copy file from hostname to directory/
Much of your fear makes sense, especially with so much being broken into or revealed as insecure.
OpenSSH (ssh), however, has proved robust. Even the NSA has limited success with breaking it (you can use insecure stuff in ssh, so I wouldn't consider that a big surprise).
Fact is, the more layers above something you place, the more chance you have of it being cracked at some point.
By using the cli, you're pretty much using the secure program, and nothing else.
However, to alleviate your fears, rather than being worried all the time I would suggest looking into how ssh works (the details) and decide for yourself if there is anything that could be flawed.
Quote:
encourage me to skip the GUI and do all of this via command-line. Probably not a bad idea, but it will take me time to learn, and in the meantime, I am hoping that CyberDuck is an okay GUI alternative!
If you're OK with it and it does the job, then it's an OK alternative.
TBH, downloading and uploading in ssh via the cli is almost too easy.
I was wondering when you and astrogeek would come out again!!
Quote:
Originally Posted by Miati
You use scp or Secure CoPy.
Code:
scp hostname:file directory/
will copy file from hostname to directory/
What about a Username and Password???
If things are that simple, then what would stop me from copying something nefarious onto your computer?!
Quote:
Originally Posted by Miati
Much of your fear makes sense, especially with so much being broken into or revealed as insecure.
I am not one to live by "blind faith" when it comes to security.
I have seen too many times where people said, "Don't worry, it'll be okay" and they got nailed!
Since I am a newbie to all of this, I am trying to respect it - which ultimately would lead anyone to be a little fearful!
Quote:
Originally Posted by Miati
OpenSSH (ssh), however, has proved robust. Even the NSA has limited success with breaking it (you can use insecure stuff in ssh, so I wouldn't consider that a big surprise).
I trust SSH.
Quote:
Originally Posted by Miati
Fact is, the more layers above something you place, the more chance you have of it being cracked at some point.
By using the cli, you're pretty much using the secure program, and nothing else.
A good reminder...
Quote:
Originally Posted by Miati
However, to alleviate your fears, rather than being worried all the time I would suggest looking into how ssh works (the details) and decide for yourself if there is anything that could be flawed.
Again, I am sold on SSH.
My fears include a.) My newbie-ness and ability to easily screw things up, and b.) Suspicion of apps built by others!
Quote:
Originally Posted by Miati
If you're OK with it and it does the job, then it's an OK alternative.
I'm okay with CyberDuck if I am using it correctly to download backups off of my VPS, and if I had a little more reassurance that I would get some sort of an error or warning if I was ever transmitting a file in plain-text. (My stupid VPN service sure doesn't offer that!!!)
If things are that simple, then what would stop me from copying something nefarious onto your computer?!
You already said you set up ssh keys, didn't you? If you did, then it will just work. If you didn't, or if the keys aren't valid (wrong computer, etc.), then it would prompt you for a password as soon as you tried to establish the connection.
If you didn't, or if the keys aren't valid (wrong computer, etc.), then it would prompt you for a password as soon as you tried to establish the connection.
So if the connection ever "dropped" then I would get some sort of an error versus the transfer going through in plain-text, right?
Yes, that's the big difference between tunneling a connection through SSH versus a VPN.
A VPN alters the network settings on your computer so that all traffic goes through the VPN transparently. If the VPN isn't there, it goes through the regular network interface instead. The only way you know which it is is by trying to access a local resource (printer, server, etc.) using a local IP that will fail if you're on the VPN (or a remote IP that will fail if you're not on the VPN), or checking something like whatismyip.net to see where your traffic is originating from.
An SSH tunnel does not route all traffic through itself. It doesn't route ANY traffic through itself. Any connection that you want to pass through the SSH tunnel, rather than through the normal web, has to be explicitly set up to do so. This means that no traffic will go through the SSH tunnel unless you tell it to, and if you DO tell it to go through an SSH tunnel that is not active, it will fail.
SSH Authentication Keys and a Passphrase on my Private Key.
What about a Username and Password???
So if the connection ever "dropped" then I would get some sort of an error versus the transfer going through in plain-text, right?
Read through this to gain an understanding of the handshake of ssh.
ssh connecting or transmitting through plain-text would be against the foundation of its design. It was designed to replace telnet, which does transmit in plain-text.
Yes, that's the big difference between tunneling a connection through SSH versus a VPN.
A VPN alters the network settings on your computer so that all traffic goes through the VPN transparently. If the VPN isn't there, it goes through the regular network interface instead. The only way you know which it is is by trying to access a local resource (printer, server, etc.) using a local IP that will fail if you're on the VPN (or a remote IP that will fail if you're not on the VPN), or checking something like whatismyip.net to see where your traffic is originating from.
An SSH tunnel does not route all traffic through itself. It doesn't route ANY traffic through itself. Any connection that you want to pass through the SSH tunnel, rather than through the normal web, has to be explicitly set up to do so. This means that no traffic will go through the SSH tunnel unless you tell it to, and if you DO tell it to go through an SSH tunnel that is not active, it will fail.
Okay, thanks for the clarification.
Guess I just have to trust that I implemented what you guys taught me correctly and that it is working as it should.
If you hear in the news... "Local Michigan man goes to jail over data breach!!" then you know I screwed something up!!
Read through this to gain an understanding of the handshake of ssh.
ssh connecting or transmitting through plain-text would be against the foundation of its design. It was designed to replace telnet, which does transmit in plain-text.
I looked at that - kinda stuffy! :P
So what about my earlier question about how SCP works?
When I SFTP something from my MacBook to my VPS, I have to enter my VPS's username plus my Private Key's Passphrase.
In your SCP example, all that was included was the target host, the file being sent over, and a destination...
Code:
scp hostname:file directory/
Is the reason that nothing else was needed because SCP runs over SSH? (And if so, in my case, then I guess the whole SSH Key Authentication thing has to work, right?)
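Added example (not part of the original thread): a shell script that makes the scp download discussed above explicit about user and key, refuses unknown host keys, stops if the SSH session fails, and checks the downloaded backup against a SHA-256 computed on the VPS. The user, host, key path and file paths are constructed placeholders, and it assumes the VPS has sha256sum.

```shell
#!/bin/sh
# Added example: pull a backup over scp, fail closed, verify integrity.
# Constructed placeholders: user, host and key path are hypothetical.
REMOTE="rob@vps.example.com"
KEY="$HOME/.ssh/id_ed25519"

# Client options: key auth only, and refuse unknown or changed host keys.
SSH_OPTS="-o IdentitiesOnly=yes -o PreferredAuthentications=publickey -o StrictHostKeyChecking=yes"

# SHA-256 of a local file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# SHA-256 of the file as it sits on the VPS, computed there over ssh.
# Assumes the remote path contains no single quotes.
remote_sha256() {
    ssh -i "$KEY" $SSH_OPTS "$REMOTE" "sha256sum < '$1'" | cut -d' ' -f1
}

# Succeeds only if the local file exists and matches a non-empty hash.
verify_backup() {
    [ -f "$1" ] || return 2
    [ -n "$2" ] || return 2
    [ "$(sha256_of "$1")" = "$2" ]
}

# scp has no plain-text mode: if the SSH session cannot be set up or
# drops, scp exits non-zero and the function stops here.
pull_and_verify() {
    scp -i "$KEY" $SSH_OPTS "${REMOTE}:$1" "$2" || {
        echo "scp failed; transfer aborted" >&2; return 1; }
    expected=$(remote_sha256 "$1")
    verify_backup "$2" "$expected" || {
        echo "checksum mismatch, discarding $2" >&2; rm -f -- "$2"; return 1; }
    echo "OK: $2 matches $expected"
}

# Usage: sh pull_backup.sh /var/backups/site.tar ./site.tar
if [ "$#" -eq 2 ]; then
    pull_and_verify "$1" "$2"
fi
```

Adding -v to the scp call prints ssh's debug output, which includes the cipher negotiated for the session.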