
unattended sftp?

It's trivial to write a script to run ftp and put the script in cron so that you can transfer files without having to be there to type in a password with your actual fingers. But ftp is also laughably insecure and we should use sftp. But I can't figure out how to get sftp in a script so that you don't have to go type in a password every time you want to run it. I can log in with SFTP on the command line just fine, but of course I put in the account password when SFTP asks me for it. I have found some vague offhand statements that it is easy to script by generating a key, but I can't find any actual instructions.


So, can anyone give me the SFTP on Mac For Dummies short course?


Can I do all of the work on my computer and not need an account on the computer that I am transferring from/to?


Do I run a program on my computer to generate key(s)? If yes, what is the program called and how do I run it? Is it already on my mac or do I need to download something? What are the resulting key files named? Where do I put them?


...yeah, I'm feeling stupid because I'm missing something that everyone else thinks is trivial... 😝

Posted on Mar 4, 2015 1:05 PM

8 replies

Mar 4, 2015 1:18 PM in response to cathy fasano

If you have sftp support, then you should also have scp support, as it all depends on sshd running on the remote system.


man scp


scp file.to.send username@host.address:destination/path/relative/to/login/home/directory


scp file.to.send username@host.address:/absolute/destination/path


scp username@host.address:relative/or/absolute/path/to/source/file relative/or/absolute/path/to/destination


You will be prompted for password, unless you have man ssh-keygen keys implemented and distributed to source and destination.


ssh-keygen instructions can be had by Googling "ssh-keygen examples" and "passwordless ssh"

Mar 4, 2015 6:26 PM in response to cathy fasano

You would need public-key authentication to be enabled on the server. The password of your private DSA or RSA key will be stored in the keychain, and when you're logged in, will be available to ssh(1) via a socket—but not if the session is started from cron. After that it gets more complicated. The simplest approach would be to wrap the sftp task in an Automator script and schedule it as a calendar event.

Mar 5, 2015 6:30 AM in response to cathy fasano

Passwordless ssh/scp/sftp logins require that you use the command

ssh-keygen


To create a key without a password you would do something like the following:

ssh-keygen


Generating public/private rsa key pair.

Enter file in which to save the key (/Users/username/.ssh/id_rsa): <just hit return>

Enter passphrase (empty for no passphrase): <just hit return>

Enter same passphrase again: <just hit return>

Your identification has been saved in /Users/username/.ssh/id_rsa.

Your public key has been saved in /Users/username/.ssh/id_rsa.pub.

The key fingerprint is:

67:90:0b:c7:1f:1b:8e:e7:75:00:46:d2:cd:03:8a:90 username@hostname

The key's randomart image is:

+--[ RSA 2048]----+

| .. .o=+ |

| E. o =..+ |

| o * o .. |

| o * + . |

| S B . . |

| = . . |

| . |

| |

| |

+-----------------+

NOTE: The above was just an example, and I DO NOT actually use this generated key. I threw it away as soon as it was generated for my own safety.


ssh-keygen will create 2 files in the .ssh subdirectory under your home directory. id_rsa and id_rsa.pub

ls -la $HOME/.ssh

You keep the id_rsa private and never let it out of your control, as that is the file that gives you access to other systems, and if anyone gets control of id_rsa they can get into any other system you have set up to allow you passwordless ssh/scp/sftp access. If you do not set up any systems for passwordless access, then it is just a meaningless file.


The id_rsa.pub file can be safely viewed by others, which is why it is named .pub for public.


You need to copy the id_rsa.pub file to any remote system that you wish to have passwordless ssh/scp/sftp access.


In your account on the remote system you store contents of the id_rsa.pub file in your remote home directory .ssh/authorized_keys file. If the remote system does not have a .ssh directory yet, the BEST way to create one is to issue an ssh, scp, or sftp command even if the command does not go anywhere. Just executing one of these commands on your remote system will create a .ssh subdirectory in your remote system account, and it will be created with all the correct ownership and permissions (ssh, scp, sftp are very sensitive to correct ownership and permissions on some key files and directories to maintain their secure connections, so letting ssh, scp, or sftp create the initial .ssh subdirectory is the best way to go).


So anyway, on the remote system, after you have transferred your id_rsa.pub file to it, you use the following command to establish your passwordless login to that system:

cat id_rsa.pub >>$HOME/.ssh/authorized_keys

What you have just done is arranged for the remote system to accept ssh, scp, or sftp connection requests from your Mac user account. The private id_rsa file you keep on your Mac will be used to cryptographically sign a message to the remote system. The remote system will use your id_rsa.pub information it has stored in your remote account's authorized_keys file to decrypt the message and verify it is really you. Once that is verified, you will be connected and can do whatever you want to do using ssh, scp or sftp without needing a password.


NOTE: Storing your id_rsa.pub file contents on the remote system DOES NOT give the remote system any special access to your Mac. So your Mac is going to remain secure. Even if you lose control of the id_rsa file, your Mac remains secure. What is in danger if you lose control of the id_rsa file is the remote system that trusts anyone that has your id_rsa file.


If AND ONLY IF for some reason you do need the remote system to have similar access to your Mac, then you reverse the ssh-keygen process, and generate keys on the remote system, transfer the .pub to your Mac, and store it in your authorized_keys file. BUT ONLY IF you need the remote system to be able to access your Mac. And even then there could be other hurdles to cross to get to your Mac through your home router, so unless you need that kind of remote to you access, just pretend I never said anything.


I prefer writing scripts using scp to transfer files as it is much easier to script than sftp, which is better for interactive exploring and transfer.

Mar 5, 2015 6:57 AM in response to cathy fasano

It is a bit confusing because "sftp" really isn't "ftp" at all. The sftp command line tool is an interactive interface to scp that BobHarris mentioned above.


However, I strongly advise you not to use a Google search. Most of the instructions you will find via Google are wrong and insecure. To make matters worse, you are attempting something a bit more difficult with cron. There are extra hoops you need to jump through.


So here are two sets of instructions. The first set is what a Mac user should normally do, if you weren't using cron.


Do the following:

1) Launch Terminal

2) Type the following:

ssh-keygen -t dsa

3) At the prompt "Enter passphrase (empty for no passphrase): " enter a strong passphrase. Most instructions say to provide an empty passphrase. On a Mac, you don't have to do that. You can use a more secure key with a passphrase, but still enjoy convenient use. The first time you attempt to use this key, you will be asked to provide the passphrase. When you do that, you have an option to store it in your Keychain. You should do that and get extra security.

4) At the prompt, re-enter your passphrase.

5) This will create a private key named "id_dsa" in a hidden folder named ".ssh" in your home directory. It will also create a public key named "id_dsa.pub" in the same place. Copy the contents of the "id_dsa.pub" file to the "authorized_keys" file in the ".ssh" folder of the remote machine you are connecting to.


The problem is that using a passphrase with your Keychain requires you to be logged in. If you want to use a fully automated process, you will need a less secure key with an empty passphrase. To create one of those, do this:

1) Launch Terminal

2) Type the following:

ssh-keygen -t dsa -f ~/.ssh/cron_dsa

3) At the prompt "Enter passphrase (empty for no passphrase): " press return for no passphrase

4) At the next prompt, press enter again for no passphrase

5) This will create a private key named "cron_dsa" in a hidden folder named ".ssh" in your home directory. It will also create a public key named "cron_dsa.pub" in the same place. Copy the "cron_dsa.pub" file to the "authorized_keys" file in the ".ssh" folder of the remote machine you are connecting to.


Now, when you write your unattended script, pass "-i ~/.ssh/cron_dsa" to use your key without a passphrase dedicated to this task.


Caveats:

1) cron is a bit problematic on a Mac. It can be done, but launchd directly supports this. See "man launchd.plist"

2) It may be possible to use ssh-agent or another method to have an unattended session with a non-empty passphrase. I've never tried this. I would just accept the reduction in security for the convenience. If you want to dig into this, here is a link: http://www.snailbook.com/faq/no-passphrase.auto.html


Of course, you can always just create a key with an empty passphrase with the default settings and use that. It is just that I hate to see Mac users lose security and functionality just because they are following instructions written for Linux, which doesn't have great, easy-to-use facilities like the Keychain.
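The two posts above (BobHarris's key-generation and authorized_keys walkthrough, and etresoft's dedicated "cron_dsa" key passed with -i) describe the pieces; the script below is an added example that puts them together for an unattended sftp job. It is not code from either poster. It goes a step beyond the thread in one respect: since a key with no passphrase can be used by anyone who copies it, the authorized_keys line it prints narrows what the key can do on the server (no shell, no forwarding, SFTP subsystem only, only from one source address). The hostname backup.example.com, user xfer, source address 203.0.113.10, key path ~/.ssh/cron_ed25519 and remote directory "incoming" are all assumptions for illustration; ed25519 is used in place of the thread's DSA/RSA, and the "restrict" option needs OpenSSH 7.2 or later on the server (older servers take the long form no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding).

```shell
#!/bin/sh
# Added example, not from the thread: unattended sftp with a dedicated
# passphrase-less key, limited on the server side. All names below are
# assumptions: host backup.example.com, user xfer, key ~/.ssh/cron_ed25519,
# allowed source address 203.0.113.10, remote directory "incoming".

KEY="${KEY:-$HOME/.ssh/cron_ed25519}"
REMOTE_USER="xfer"
REMOTE_HOST="backup.example.com"

# 1. Dedicated key with no passphrase. -N "" answers the two passphrase
#    prompts from the thread non-interactively; -q keeps the randomart quiet.
make_key() {
    [ -f "$KEY" ] || ssh-keygen -q -t ed25519 -N "" -C "cron sftp job" -f "$KEY"
}

# 2. The line to append to ~/.ssh/authorized_keys on the SERVER. The options
#    in front of the key are what keep a stolen copy of this key from being a
#    general-purpose login: "restrict" disables pty, forwarding and agent use,
#    from= accepts it only from the Mac's address, and the forced command
#    "internal-sftp" gives the caller the SFTP subsystem and nothing else.
authorized_keys_line() {
    # $1 = contents of the .pub file, $2 = source address allowed to use it
    printf 'restrict,from="%s",command="internal-sftp" %s\n' "$2" "$1"
}

# 3. sftp batch file for -b: commands run without interaction and sftp
#    aborts with a non-zero exit on the first one that fails, which is the
#    behaviour a scheduled job needs.
batch_file() {
    # $1 = local file to upload, $2 = remote directory
    printf 'cd %s\nput %s\nbye\n' "$2" "$1"
}

# 4. The transfer. BatchMode=yes makes ssh fail instead of prompting if the
#    key is rejected (there is nobody at the keyboard to answer), and
#    StrictHostKeyChecking=yes with a pinned known_hosts file makes the job
#    refuse an unexpected server key rather than accept a new one silently.
run_transfer() {
    # $1 = local file to send
    tmp=$(mktemp) || return 1
    batch_file "$1" incoming > "$tmp"
    sftp -b "$tmp" -i "$KEY" \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$HOME/.ssh/known_hosts" \
        "$REMOTE_USER@$REMOTE_HOST"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Only run the job when a file to send is given on the command line, so the
# helper functions can also be sourced and checked on their own.
if [ -n "$1" ]; then
    make_key
    echo "Append this line to ${REMOTE_USER}'s ~/.ssh/authorized_keys on $REMOTE_HOST:"
    authorized_keys_line "$(cat "$KEY.pub")" "203.0.113.10"
    run_transfer "$1"
fi
```

Run it once by hand with a test file so that the server's host key lands in known_hosts and the printed authorized_keys line can be installed on the server; after that the same invocation works from cron or, as etresoft suggests, from a launchd job, which does not need a logged-in user or the Keychain. The -o BatchMode=yes and -b options are the two that make the difference between a job that quietly hangs waiting for a prompt and one that exits with an error you can act on.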

Mar 5, 2015 8:29 AM in response to Linc Davis

Linc Davis wrote:


You don't need to, and should not, create a key with an empty passphrase.

Absolutes are so...absolute. Real life is a bit more muddy.


While I strongly recommend a passphrase, the OP specifically asked for a cron-compatible solution. Using a passphrase would require a logged-in user. A key with an empty passphrase is not ideal security, but better than leaving a machine logged in, but unattended. If you know of an unattended solution that works with a passphrase and does not require a logged in user, I would love to know about it.

Mar 5, 2015 8:44 AM in response to etresoft

I'm with Etresoft on this. I do have cron jobs that use ssh to make remote connections (at work). Various nightly jobs that do rsync backups between different Unix systems and my Mac.


Then again at work all the developers have sudo access for all the other development systems (not every system, just the ones we use to write and test code), so worrying about passwordless ssh is not worth it, when someone can ssh into my system, have NIS automount their /home directory over NFS and then issue sudo su - and do anything they want to my test system.


And NO, I do not want the company to take away sudo, because it would make it very difficult to write the file system code my team is developing.

Mar 5, 2015 9:28 AM in response to BobHarris

I don't develop file system code, so I haven't usually needed sudo as a regular part of my work. But I used to do an awful lot of moving files between systems and it was all automated. In most cases, the needed paths were mounted via NFS. But in some cases, we needed to use scp. We had dedicated, restricted accounts just for that purpose and used keys without passphrases. But for my own use, on my Mac, I always have a passphrase.
