My current hosting provider, hosting365 register365, is a traditional-style shared hosting service, where file upload is still done via FTP with passwords sent as clear text. They provide ssh access on demand, and it has to be manually approved by the company’s staff. I don’t understand why they don’t provide shell access by default. Maybe it’s part of being a traditional-style hosting service and trying to avoid the word “shell” or anything like it.
Shell they provide, but what about public key authentication? No, they don’t. As this is turned on by default in all Linux installations, they must have switched this option off. Why they did that remains a mystery, as public key authentication is no less secure than password entry.
Let’s suppose I want to automate file upload. When using public key authentication, it’s enough to write something like:
scp foo.jpg firstname.lastname@example.org:some/directory/images
This doesn’t work with hosting365 register365. Since their server configuration enforces interactive authentication, scp asks for your password. In this session you can see how scp tries two keys (DSA and RSA) and reverts to keyboard interaction:
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/maciej/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Offering public key: /home/maciej/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /home/maciej/.ssh/identity
debug1: Next authentication method: password
email@example.com's password:
scp doesn’t have a command-line option for password entry. This is reasonable, as ssh, scp’s core technology, has a non-interactive mechanism in place: public key authentication. If you can’t do public key authentication, it is right to ask you for the password.
I could solve that by using FTP (file transfer protocol) instead and sending my passwords in clear text over the big bad Internet. I guess that most people would do that, and this is why I believe that a hosting provider disabling public key authentication is a bad thing: it encourages people to risk exposure of their passwords on FTP.
It is however possible to automate the keyboard-interactive password entry, using Python and the pexpect module. This script will do the job:
#!/usr/bin/python
import sys

import pexpect

# Usage: <this script> <local-file> <destination>
fn = sys.argv[1]
dest = sys.argv[2]

# The password is kept in a separate file, with permissions 0600.
with open("/some/directory/hosting365-password.txt") as f:
    password = f.read().strip()

print("scp'ing %s to %s" % (fn, dest))
# Arguments are passed as a list so file names with spaces are not split.
child = pexpect.spawn("scp", [fn, dest])
child.expect("password:")
print("sending password")
child.sendline(password)
# Setting timeout to 15 minutes. If your upload needs more time,
# increase this value.
child.expect(pexpect.EOF, timeout=15 * 60)
print("done.")
Here, the password is stored in cleartext on your hard disk. It’s important to make this file non-world-readable, and it’s also a good idea to place it on an encrypted filesystem (with, say, dm-crypt) or an encrypted directory (encfs).
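The permission requirement above can be enforced by the script itself, much as ssh refuses a private key that other users can read. The following is an added example, not part of the original script; the names read_password and InsecurePasswordFile are hypothetical, and it assumes a POSIX system with Python 3.

```python
import os
import stat
import tempfile


class InsecurePasswordFile(Exception):
    """Raised when the password file could be read or replaced by others."""


def read_password(path):
    """Return the password stored in path, refusing unsafe files."""
    # O_NOFOLLOW: fail instead of following a symlink at the final component.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        # fstat the descriptor we opened, so the check and the read
        # apply to the same file (no check-then-use race).
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise InsecurePasswordFile("%s is not a regular file" % path)
        if st.st_uid != os.geteuid():
            raise InsecurePasswordFile("%s is not owned by this user" % path)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecurePasswordFile(
                "%s has mode %04o; expected 0600 or stricter"
                % (path, stat.S_IMODE(st.st_mode)))
        with os.fdopen(fd, "r") as f:
            fd = None  # the file object now owns the descriptor
            return f.read().strip()
    finally:
        if fd is not None:
            os.close(fd)


if __name__ == "__main__":
    # Constructed sample: a throwaway file standing in for the real one.
    handle, sample = tempfile.mkstemp()  # mkstemp creates it with mode 0600
    os.write(handle, b"constructed-password\n")
    os.close(handle)
    print("0600 accepted: %r" % read_password(sample))
    os.chmod(sample, 0o644)
    try:
        read_password(sample)
    except InsecurePasswordFile as exc:
        print("0644 rejected: %s" % exc)
    os.remove(sample)
```

In the upload script, the open(...).read().strip() line would be replaced by a call to read_password with the same path.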
UPDATE (2008-09-15): It has been clarified that my provider is register365, not hosting365.