What is an SCP server?
SSH is the “Secure Shell,” which incorporates encryption to secure transmissions over unsecured networks. When implementing SCP, you need to create an SSH server. That service takes care of the extra security to make a standard network copy action into a Secure Copy transaction.
There are many protocols that facilitate file transfers over the network. Some of the earlier ones that are still in use today are the File Transfer Protocol and the Trivial File Transfer Protocol (FTP and TFTP). Another, more secure method, is Secure Copy (SCP). While FTP can be made more secure by using Transport Layer Security (TLS), SCP is inherently more secure because it’s really just an SSH session used solely for transferring files. FTP with TLS/SSL is denoted as “FTPS.”
When we talk about an “SCP server,” we really mean “transferring data to an SSH server” which brings all the benefits of SSH’s security, encryption, and confidentiality along with it. As such, there’s no such thing as an SCP “server” per se. Rather, an SSH server is used to perform the file copy.
SCP and SFTP: Secure Alternatives to FTP
Although FTP is still widely used on networks and the internet to this day, it is inherently insecure. Where login credentials are required for a session, the username and password are sent in plain text, meaning that any interceptor could read them.
SCP is one of the two secure alternatives for your FTP tasks. The other option is the Secure File Transfer Protocol (SFTP), also known as SSH FTP because, like SCP, it uses SSH for protection.
The Differences Between SCP and SFTP
The difference between SFTP and SCP is that the later is purely a file transfer system, whereas SFTP includes commands to query and change the remote computer’s directory structure.
FTP over SSH
To add to the confusion of secure FTP alternatives, you may also hear about “FTP over SSH.” This is more of a technique than a protocol. You open a standard FTP session within an SSH session, which is classified as “tunneling.” Once you understand that FTP requires two separate connections to form a session, you start to realize that FTP over SSH can soon get messy.
FTPS adds SSL
The FTPS methodology adds a procedure to include Secure Socket Layer (SSL) protection (replaced by Transport Layer Security) into an FTP session. This combination of protocols has security weaknesses, however, because the commands to begin security measures are sent in plain text and can be intercepted.
Substitute TFTP with SCP for Encryption
TFTP has no security measures at all and should only be used on physically secure private networks. You could substitute SCP for TFTP to add encryption to the distribution of configuration files on your network because it is a more lightweight secure file transfer system than SFTP.
Implementing an SCP Server
SCP gets its name from the Unix command
cp, which is commonly used to copy files. As Secure Copy was developed as “cp with encryption,” it is much easier to encounter it on Unix and Unix-like systems (Linux, Free BSD, and Linux variants). It is also usually implemented as a command. SCP servers, SCP utilities with graphical user interfaces, and SCP for Windows systems are very difficult to source. You can find it as a command in an SSH server package. So, in order to provide you with a list of SCP server options, we have also included SSH servers in this guide.
Here’s a list of the best SCP servers:
- SolarWinds Free SFTP and SCP Server (FREE DOWNLOAD)
- OpenSSH for Windows
- Cygwin for Windows
- OpenSSH SCP Server
- Dropbear SCP
- macOSs native SCP Server
Windows SCP servers
SolarWinds maintains a comprehensive suite of IT tools which includes a combination SFTP/SCP Server. The application runs as a Windows service which means that its basic operation should be familiar to Windows systems administrators.
Unlike Linux-based SCP, SolarWinds SFTP/SCP Server supports the creation of virtual users. These are user accounts which can be used to authenticate into the SCP server for the purpose of copying files. But, the accounts are not native Windows accounts and therefore don’t actually exist on the system. This provides a decent level of security. In the event that an SCP account credential was compromised, it could not be used to log in to the system directly as a user.
The SolarWinds SFTP/SCP Server offers a graphical interface and is focused on SCP rather than being a general SSH server. The alternatives for Windows are either expensive or come from little-known suppliers, which introduces risk.
MORE INFORMATION ON THE OFFICIAL SOLARWINDS SITE:
Since both SFTP and SCP run over SSH, the Bitvise SSH server supports both of these secure file transfer protocols.
Bitvise allows the use of either Windows native user accounts or virtual users. This provides a great deal of flexibility because there’s no need to create full-blown Windows user accounts in order to provide ad-hoc access to secured file directories.
Bitvise also allows systems administrators to restrict connections to SCP only. In many SCP implementations, SCP access implies SSH (shell) access. This is not usually an issue with Unix-like operation systems because those systems have account-level security baked in. But, with Windows systems, this access can inadvertently lead to unintended access to things like Power Shell. With that in mind, Bitvise supports the ability to allow SCP access, but disallow basic shell access.
FreeSSHd is what it sounds like. It is a Free SSH daemon for Windows. In Unix parlance, a daemon is akin to a Windows service.
FreeSSHd can run on any Windows system newer than and including Windows NT 4 (which is pretty much all of them) and creates a very small memory and resource footprint. It supports virtual users and an easy-to-use interface to monitor, and start or stop the service.
Open SSH is the grandaddy of all SSH servers. It has been around since 1999 when it was first released as part of the OpenBSD operating system. Technically, OpenSSH is a suite of tools, but most of the heavy lifting is done by the Open SSH program. It was designed to be ported to other operating system and because of that, it is probably the most widely used SSH server on the planet. Bundled with SSH comes SCP, so Open SSH likely takes the lead in the SCP category as well.
The Microsoft Open SSH server is under development still, but there is a pre-release version available here (as of Oct 17, 2017). It will take some Windows administrator chops as it mainly requires Power Shell command-line skills to get it set up and working.
While it may be in pre-release now, Open SSH has such a strong lineage that it will likely become the defacto SCP server in Windows just as it is in other operating systems now.
*Most Linux systems administrators are aware of an application project named Cygwin. It’s also fair to say that almost nobody else has heard of it, however, many Windows systems administrators can probably benefit from Cygwin.
Cygwin is an open source project that provides a Windows DLL file which contains a really large amount of POSIX API functions. What does this mean? It means that many Linux applications can be recompiled to use Cygwin and therefore those applications can be run on Windows.
Cygwin is mentioned in this article because there are many Linux SSH and SCP servers that ostensibly are only available as Linux packages, but digging a little deeper often reveals that they also have Cygwin packages. Windows systems administrators that are comfortable with a Linux application of any sort should investigate if a Cygwin package is available.
Linux SCP servers
Most Linux distributions come with Open SSH installed, although it usually is not running by default. You’ll likely have to start the Open SSH daemon to allow SSH connections which will, in turn, allow SCP file copies.
The package name in most cases is openssh-server.
$ apt-cache search openssh-server openssh-server - secure shell (SSH) server, for secure access from remote machines
Installing it should be as simple as running your package manager’s install command.
$apt-get install openssh-server
Once the server is installed and running, existing system users will be able to use an SCP client to connect, and copy files to and from directories on the server where they have read permissions. Unlike FTP which is usually set up to allow multiple users access to the same set of upload and download directories, SSH drops users into their home directory by default. You may have to tweak your file system permissions if you would like your users to be able to access other directories on the server.
There may be situations where a full-blown SCP server is not feasible or desirable. In that case, smaller-footprint SCP servers such as Dropbear can help. Dropbear is aimed at embedded systems such as routers that may need SSH or SCP functionality but it can be used as an SCP server on any POSIX compliant platform.
System administrators wishing to customize Dropbear will need to have some moderate skills. Tasks such as disabling basic SSH, but leaving SCP functioning, will require modifications to the Dropbear makefile, and a recompile of the executable.
macOS SCP Servers
7. macOS’s native SCP server
As a Unix-like operating system, macOS has native support for SSH and, therefore, SCP. To enable SSH on your macOS computer, navigate to System Preferences -> Sharing Applet and enable the Remote Login option. This will enable SSH for all the users on the machine.
There are a lot of reasons to choose SCP over FTP and FTPS, but fewer reasons to choose SCP over SFTP. Both SCP and SFTP are actually special types of SSH sessions so they provide the same pros and cons of a standard SSH shell session. In contrast FTP and FTPS are less secure, so if you’re running either of those types of servers, you should migrate to either SCP or SFTP.