SCP Between Servers

TL;DR - This won’t work:

scp remote.example.com:file.txt other.example.com:

This will work, but is slow:

scp -3 remote.example.com:file.txt other.example.com:

We can do better.

The scp command securely copies files between computers on the network. Commonly it’s used to copy files to and from the computer you are logged into:

scp file.txt remote.example.com:
scp remote.example.com:file.txt . # "." meaning "current directory"

If you read the man page, it would seem like you could also use scp locally to initiate a copy between two remote servers:

scp remote.example.com:file.txt other.example.com:

However, that doesn’t actually work. Or, at least it shouldn’t. Under the hood a request with two remote servers is translated into:

ssh remote.example.com scp file.txt other.example.com:

which is to say “SSH to ‘remote.example.com’ and then run ‘scp file.txt other.example.com:’.”

Unless ‘remote.example.com’ can connect to ‘other.example.com’ without a password, which would be a bad thing, the remote scp fails.

ssh has the -A option, which enables authentication agent forwarding, basically allowing the remote host to authenticate SSH connections using your local SSH keys. If your SSH keys let you in to both “remote.example.com” and “other.example.com” then the following will work:

ssh -A remote.example.com ssh other.example.com

There is a security caveat when using -A. Your private key is never exposed, but a malicious user with root privileges on the intermediary server could use your forwarded agent connection to authenticate to other servers as well. Only use -A when you trust the intermediary server.

While -A would seem to solve our problem, scp doesn’t have this option and it’s not going to get it.

No worries, there’s a workaround: scp does have a -o option, which can be used to pass options to ssh. -o takes keyword arguments instead of flags, and a quick man ssh_config shows the setting we want is ForwardAgent, which we need to set to yes, so:

scp -oForwardAgent=yes remote.example.com:file.txt other.example.com:

works!

If you don’t trust the remote with your keys, there is another option, -3. This tells scp to copy the file through the local host. This works, but it means the file is transferred twice, which will likely take twice as long.

scp -3 remote.example.com:file.txt other.example.com:
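
The choice between the two commands above can be scripted so that agent forwarding is only used when the source host is on a list you trust. This is an added example, not part of the original post; TRUSTED_HOPS, host_of and remote_copy_cmd are hypothetical names, and it assumes scp behaves as described above (without -3, the copy runs from the source host).

```shell
#!/bin/sh
# Added example: choose between "-oForwardAgent=yes" and "-3" for a
# remote-to-remote copy. The source host is the one that would see the
# forwarded agent, so it is the host that must be trusted.
# TRUSTED_HOPS is a hypothetical space-separated allowlist of hostnames.
TRUSTED_HOPS="${TRUSTED_HOPS:-}"

# Print the hostname of an scp operand ("user@host:path" -> "host").
# Fails for operands without a colon (local paths).
# IPv6 literals in brackets are not handled.
host_of() {
    case "$1" in
        *:*) ;;
        *) return 1 ;;
    esac
    h=${1%%:*}      # drop ":path"
    h=${h##*@}      # drop "user@"
    [ -n "$h" ] && printf '%s\n' "$h"
}

# Print (do not run) the scp command line for copying SRC to DST.
# Returns 2 if either operand is not remote.
remote_copy_cmd() {
    src=$1
    dst=$2
    hop=$(host_of "$src") || { echo "source is not remote: $src" >&2; return 2; }
    host_of "$dst" >/dev/null || { echo "destination is not remote: $dst" >&2; return 2; }
    for t in $TRUSTED_HOPS; do
        if [ "$t" = "$hop" ]; then
            # Trusted intermediary: direct copy using the forwarded agent.
            printf 'scp -oForwardAgent=yes %s %s\n' "$src" "$dst"
            return 0
        fi
    done
    # Untrusted: route the file through the local host, no agent exposed.
    printf 'scp -3 %s %s\n' "$src" "$dst"
}
```

The function only prints the command, so it can be reviewed before it is run.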
