←back to thread

Magic Wormhole: get things from one computer to another, safely

(github.com)
816 points tosh | 5 comments | 17 Aug 24 16:59 UTC | HN request time: 0.001s | source
1. matricaria ◴[17 Aug 24 19:39 UTC] No.41277310[source]
Why is this better than rsycn or scp?
replies(1): >>41277551 #
2. lotharrr ◴[17 Aug 24 20:11 UTC] No.41277551[source]
scp/rsync are great tools, but they require pre-coordination of keys. One side is the client, the other is the server. The client needs an account on the server machine (so the human on the client machine must provide an ssh pubkey to the human on the server machine, who must be root, and create a new account with `adduser`, and populate the ~/.ssh/authorized_keys file). And the client needs to know the server's correct hostkey to avoid server-impersonation attacks (so the human on the server machine must provide an ssh host pubkey to the human on the client machine, who puts it in their ~/.ssh/known_hosts file).

Once that's established, and assuming that the two machines can reach each other (the server isn't behind a NAT box), then the client can `scp` and `rsync` all they want.

Magic-wormhole doesn't require that coordination phase. The human sending the file runs `wormhole send FILENAME` and the tool prints a code. The human receiving the file runs `wormhole rx CODE`. The two programs handle the rest. You don't need a new account on the receiving machine. The CODE is much much shorter than the two pubkeys that an SSH client/server pair require, short enough that you can yell it across the room, just a number and two words, like "4-purple-sausages". And you only need to send the code in one direction, not both.

Currently, the wormhole programs don't remember anything about the connection they just established: it's one-shot, ephemeral. So if you want to send a second file later, you have to repeat the tell-your-friend-a-code dance (with a new code). We have plans to leverage the first connection into making subsequent ones easier to establish, but no code yet.

Incidentally, `wormhole ssh` is a subcommand to set up the ~/.ssh/authorized_keys file from a wormhole code, which might help get the best of both worlds, at least for repeated transfers.

replies(1): >>41278051 #
3. InfiniteRand ◴[17 Aug 24 21:18 UTC] No.41278051[source]
But if you already have ssh set up for the target machine, is there any advantage such as speed or recoverability vs scp?
replies(2): >>41278689 #>>41286591 #
4. lotharrr ◴[17 Aug 24 22:53 UTC] No.41278689{3}[source]
Mostly no. ssh/rsync is compiled C code, so might be slightly faster than a Python-based `wormhole`, if you have a really fast connection to take advantage of. And rsync provides that lovely continue-from-interrupted-transfer feature that magic-wormhole currently lacks.

But wormhole has turned out to be more usable in some cases. I've had days where I'm sshed into a bastion host, then sshed from there into a server, then cd'd into a deep directory with lots of spaces and quotes and shell metacharacters in the path, and then found a file that I wanted to copy out. To do that with ssh, I have to first configure ProxyJump to let me reach the internal machine with a single ssh command, and then figure out how to escape the pathname correctly (which somehow never works for me). With `wormhole send` I get to skip all of that, at the cost of having to do it once per file.

5. mistell ◴[19 Aug 24 00:05 UTC] No.41286591{3}[source]
The whole point is wormhole fills in a gap where scp isn’t viable or convenient.