Using SCP with a null password to copy files from a Symantec Network Security node

Article:TECH112500  |  Created: 2004-01-05  |  Updated: 2007-01-18  |  Article URL http://www.symantec.com/docs/TECH112500
Article Type
Technical Solution

Product(s)

Issue



Symantec Network Security 7100 Series or Symantec Network Security 4.0 may require that you securely copy log files, report files, and other files from a Symantec Network Security appliance node or software node to another computer. This document provides instructions for how to use a Secure Shell (SSH®) connection to copy files with Secure Copy (SCP®) without a password prompt: the node authenticates to the destination with an SSH key pair whose private key has a null (empty) passphrase, which is what the title refers to.


Solution



You can authenticate an SCP transfer with a password or with an SSH key pair; for the unattended transfers that Symantec Network Security performs, the key pair is the better choice. When you use a password, someone must type the password during the copy process. When you use a key pair, the copy process does not prompt for a password. Instead, the ssh client on the node presents the private key, and the destination accepts it because the matching public key is listed in the receiving user's authorized_keys file. Because the private key is stored without a passphrase (see below), anyone who can read it on the node can log in to the destination as that user, so protect the key file with permissions and restrict what the key is allowed to do on the destination.

To enable Symantec Network Security to use the key pair, you generate two keys at the Symantec Network Security node: a private key, which stays on the node, and a public key, which you install on the destination computer. You then configure Symantec Network Security to use SCP with this key.

Each of these steps is described below:


Before you begin: To use an SSH connection, the Symantec Network Security node needs an SSH client (ssh and scp) and the destination computer needs an SSH server (sshd) that accepts public-key authentication. A default SSH installation usually includes both the client and the server. To install SSH, consult your SSH documentation. Note that the following procedures use SSH protocol 2.


  • To generate the keys, read the "To generate the SSH keys" section in this document or read the "Generating SSH keys" section on pages 342 and 343 in the latest Symantec Network Security Administrator's Guide. The instructions in this document use a manual method to generate the keys. The instructions in the guide use the Network Security Console to generate the keys.
  • To install the public key, use the "To install the SSH keys" section in this document or read the instructions that are displayed when you use the "Generating SSH keys" section in the Symantec Network Security Administrator's Guide.
  • To configure Symantec Network Security to use SCP and the key, read the "Transferring via SCP" section on pages 297-301 in the latest Symantec Network Security Administrator's Guide.


To generate the SSH keys
  1. Log in to the Symantec Network Security node with root privileges.
  2. Type the following command and answer the prompts.

    ssh-keygen -t rsa

    Accept the default file name and leave the passphrase blank. Symantec Network Security runs the transfer unattended and cannot answer a passphrase prompt, so a non-null passphrase may cause the transfer script to fail. A blank passphrase means that the private key file is stored unencrypted: its file permissions on the node are its only protection, and anyone who can read it can log in to the destination as the user you set up below.

    This command creates two keys and stores them in the .ssh directory under your home directory on the Symantec Network Security node (ssh-keygen shows the full path in its first prompt). If the .ssh directory does not already exist, the command creates the directory. With -t rsa, the private key is id_rsa and the public key is id_rsa.pub. (A key generated with -t dsa is named id_dsa and id_dsa.pub instead; whichever type you choose, use the same file names in the steps that follow.)
  3. To confirm that the private key is readable only by you, type:

    chmod 600 .ssh/id_rsa

    ssh-keygen already creates the private key with these permissions, so this step is a check rather than a change. Keep it that way: ssh ignores a private key file that other users can read.

To install the SSH keys
  1. Copy the public key to the home directory of the receiving user on the destination computer.
    For instance, if the name of the destination computer is logserver and the account that will receive the files is user, type the following command on the node:

    scp .ssh/id_rsa.pub user@logserver:

    Include the trailing colon (:). Without the colon, scp does not contact logserver at all; it makes a local copy named user@logserver. This command prompts for the user's password on logserver, because the key is not installed yet. After you type the password, the command copies the id_rsa.pub file to the user's home directory on the logserver computer. This user should not be root; use an unprivileged account whose only purpose is to receive the files.
  2. Log in to the destination computer as that user and go to the user's home directory.
  3. At the destination computer, if the .ssh directory does not exist, create it, and give it the permissions shown in step 5.
  4. To append the public key to the authorized_keys file, type:

    cat id_rsa.pub >> .ssh/authorized_keys

    If the authorized_keys file does not already exist, this command creates the file.

    This command authorizes the holder of the node's private key to log in to the destination computer as this user, which is what lets the node deliver the files. Because that key has no passphrase, consider prefixing its line in authorized_keys with options such as from= and command=, so that the key is accepted only from the node's address and can only run the receiving side of scp. You can now remove the id_rsa.pub file from this directory on the destination computer.
  5. Restrict the permissions on the .ssh directory on the destination computer so that only its owner can read, write, or enter it:

    chmod 700 .ssh

    Do not skip this step. The SSH server (sshd, with its default StrictModes setting) ignores the authorized_keys file when the home directory, the .ssh directory, or the authorized_keys file itself is writable by group or other users; the node is then prompted for a password and the unattended transfer fails. The authorized_keys file should likewise be readable and writable by its owner only (mode 600).

To check the connection
To verify that the connection uses the public key that you just installed, read the "To find out whether the current SSH installation uses a public key" procedure. If the connection is successful and you are not prompted for a password, the connection used the public key.

To copy a file
To copy a file, log on to the Symantec Network Security node with root privileges, make sure that the Symantec Network Security node can connect to the destination computer, and type the following command:

    scp file user@host:

in which file is the name of the file that you want to copy and user@host is the receiving user and the destination computer, written in the user@host format. Use the same name for the destination computer as you use when you configure the export of archived logs or scheduled reports. For example, do not refer to the destination by its FQDN in one place and by its IP address in another place. The ssh client records the destination's host key in its known_hosts file under the name you connected with; a name it has not seen before produces a host-key confirmation prompt, which an unattended transfer cannot answer.

This command requires that you have write permission in the destination directory (with only a colon after the host, the user's home directory). If this command prompts for a password, public-key authentication was not used. The usual cause is that your home directory, the .ssh directory, or the authorized_keys file on the destination computer is writable by other users, which makes sshd ignore the key; remove the write permission for group and others as described in step 5 of "To install the SSH keys". If that does not resolve it, consult your network administrator for help to set up SCP for trusted transfers.

If you are not prompted for a password and scp exits without an error, the copy succeeded using the key.

To find out whether the current SSH installation uses a public key
If SSH is already installed, you can find out whether the connection with the destination computer uses a public key. From the Symantec Network Security appliance or software node, open a shell and type:

    ssh user@logserver

In this command, change user to the receiving user and logserver to the name of the destination computer. If the command prompts you for a password, the destination does not have the node's SSH public key installed (or sshd is ignoring it because of file permissions). If you type the password and the connection is successful, type exit to close the connection before you start any of the procedures in this document.
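The key generation, installation and permission check described above, collected into shell functions as an added example; this is not part of the Symantec article and not Symantec's own tooling. It assumes the destination runs an OpenSSH sshd with the default StrictModes setting; the node address 10.0.0.5, the directory /var/log/sns and the sample public key line are made-up placeholders. Beyond the article's steps it adds two things a practitioner would want: an authorized_keys entry restricted with from= and command= (so the passphrase-less key is accepted only from the node and can only run the receiving side of scp into one directory), and a check that reproduces the permission rule sshd applies before it will honour the key.

```shell
#!/bin/sh
# Added example (not from the Symantec article): the SCP key setup as
# shell functions. Placeholders: node address 10.0.0.5, target directory
# /var/log/sns, and SAMPLE_PUBKEY, which is a constructed string, not a
# real key. Requires ssh-keygen only for gen_key; the rest is plain sh.
set -u

# Constructed sample public-key line, used when ssh-keygen is unavailable.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEXAMPLE root@sns-node'

# Step "To generate the SSH keys": RSA key pair with an empty passphrase
# (-N '') so the node's scheduled export is never prompted.
# $1 = directory that will hold id_rsa and id_rsa.pub.
gen_key() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    ssh-keygen -q -t rsa -b 3072 -N '' -f "$1/id_rsa" </dev/null
}

# Because the private key is unencrypted, limit what it can do on the
# destination: accept it only from the node's address and force the
# server side of scp so the key can only deposit files into one directory.
# $1 = public key line, $2 = node address, $3 = target directory.
restrict_pubkey() {
    printf 'from="%s",command="scp -t %s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$2" "$3" "$1"
}

# Step "To install the SSH keys": append the entry to authorized_keys with
# the modes sshd's StrictModes requires. $1 = user's home, $2 = entry.
install_pubkey() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh" || return 1
    printf '%s\n' "$2" >> "$1/.ssh/authorized_keys" || return 1
    chmod 600 "$1/.ssh/authorized_keys"
}

# The check behind "If this command prompts for a password": sshd ignores
# authorized_keys when the home directory, .ssh or the file itself is
# writable by group or others. Returns 0 if all three pass, 1 otherwise,
# naming the offending path on stderr. $1 = user's home.
check_strict_modes() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; rc=1; continue; }
        perm=$(ls -ld "$p" | cut -c1-10)       # e.g. drwx------
        case "$perm" in
            ?????w*|????????w*)                # group-write or other-write bit set
                echo "too permissive ($perm): $p" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone demo under a scratch directory that stands in for both the
# node's key store and the destination user's home directory.
demo() {
    work=$(mktemp -d) || return 1
    pub=$SAMPLE_PUBKEY
    if command -v ssh-keygen >/dev/null 2>&1; then
        gen_key "$work/node" && pub=$(cat "$work/node/id_rsa.pub")
    fi
    mkdir -p "$work/home" && chmod 700 "$work/home"
    install_pubkey "$work/home" "$(restrict_pubkey "$pub" 10.0.0.5 /var/log/sns)"
    check_strict_modes "$work/home" && echo "authorized_keys installed; permissions acceptable to sshd"
    cat "$work/home/.ssh/authorized_keys"
    rm -rf "$work"
}
demo
```

On the destination, run install_pubkey as the receiving user with the node's real id_rsa.pub line in place of SAMPLE_PUBKEY, then check_strict_modes on that user's home before testing from the node. The command= restriction pins the key to the classic scp protocol; OpenSSH 9.0 and later use SFTP for scp by default, so a client that new must be run as scp -O for the forced command to match what the server expects.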







    Legacy ID



    2004080515122453
