If I scp a file through an intermediate server, is the file stored temporarily on the server?

0

For the sake of simplicity (I find it easier to remember names than arbitrary letters), I will dispense with letters and use names to refer to the machines in this scenario.

Say I have two machines, applejack and pinkie-pie, each on their own separate LANs and not in the same physical location. I also have a server, cadance, with a direct Internet-facing connection. I want to copy a file from applejack to pinkie-pie, so to avoid dealing with port forwarding and such, I set up an ssh tunnel from pinkie-pie to cadance (ssh -R etc cadance). Now I can connect to pinkie-pie from anywhere, by connecting to cadance and specifying an alternate port to use. I can also easily copy files to pinkie-pie with scp -P $that_port $some_file cadance:$some_path.

My understanding of how it works is this:

  1. A secure connection is made from applejack to cadance
  2. I am authenticated to cadance
  3. A secure connection is made from applejack to pinkie-pie that spans the existing reverse tunnel and the new connection from step 1.
  4. I am authenticated to pinkie-pie
  5. Files are copied directly from applejack to pinkie-pie over this connection.

Am I correct here? How secure is this approach?

If I'm wrong…are files copied this way decrypted at cadance before being passed on to pinkie-pie? Is there a possibility that traces of unencrypted data could remain on cadance?

Blacklight Shining

Posted 2012-11-19T03:57:10.053

Reputation: 2 127

Answers

0

Actually your understanding is not completely right. If I understood correctly, you are doing that last command (scp -P $that_port $some_file cadance:$some_path) from applejack. In that case, you are not authenticating to cadance (step 2), but merely connecting to the reverse tunnel to pinkie-pie.

The secure connection goes directly from applejack to pinkie-pie; there is no secure connection between applejack and cadance (step 1). cadance is in principle able to read the cleartext that passes over the reverse tunnel, but that cleartext in itself is another encrypted channel, so it'd have to break it.

So you have an end-to-end encrypted channel between applejack and pinkie-pie, just as if you had connected them directly. The reverse tunnel just serves as a convoluted way of routing the traffic.

Vucar Timnärakrul

Posted 2012-11-19T03:57:10.053

Reputation: 671

0

In a tunnel of any sort there will be temporary holding of data; that's where data can be intercepted, but if the intermediate server is picking up encrypted data and sending it on, then it shouldn't be able to do anything with it. So yes, there is a point where the middle man gets the data, because otherwise he wouldn't be a middle man.

Trevor Rudolph

Posted 2012-11-19T03:57:10.053

Reputation: 2 021

2 Just to note: Whilst someone could pretend to be cadance with an open port for you to connect to, they wouldn't have the signature for pinkie-pie and so the SSL library ought to warn you about the 'bad things' that are happening. – Morphit – 2012-12-10T03:11:06.263
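
The host-key check that the answers and the comment above rely on, as an added example that is not part of the original thread: it computes the SHA256 fingerprint of the key offered on cadance's forwarded port (in the "[host]:port keytype key" form that ssh-keyscan prints and known_hosts uses) and compares it with a fingerprint recorded on pinkie-pie itself. Port 2222, the function names and both sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint of a base64 public-key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_relay_endpoint(scan_line: str, relay: str, port: int, pinned_fp: str) -> bool:
    """True only if the key offered at [relay]:port is the pinned host key."""
    fields = scan_line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <keytype> <base64 key>'")
    host, key_type, key_b64 = fields[:3]
    if host != f"[{relay}]:{port}":
        raise ValueError(f"line is for {host}, not the relay port")
    blob = base64.b64decode(key_b64, validate=True)
    # The blob's first SSH string must repeat the key type named on the line.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return fingerprint(key_b64) == pinned_fp


def make_line(host: str, raw_key: bytes) -> str:
    """Build a constructed ed25519 scan line (sample data, not a real host key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed sample keys: 32 fixed bytes each, for illustration only.
PINKIE_LINE = make_line("[cadance]:2222", bytes(range(32)))
OTHER_LINE = make_line("[cadance]:2222", bytes(range(1, 33)))
# Stands in for the fingerprint recorded out of band on pinkie-pie itself.
PINNED = fingerprint(PINKIE_LINE.split()[2])

if __name__ == "__main__":
    print(check_relay_endpoint(PINKIE_LINE, "cadance", 2222, PINNED))
    print(check_relay_endpoint(OTHER_LINE, "cadance", 2222, PINNED))
```

A mismatch means whatever answers on the forwarded port is not holding pinkie-pie's host key, which is the condition the ssh client warns about.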