Problem:
I have a Digital Ocean droplet (SERVER A) that uses an SSH key and password for my root account. I created an additional user and added it to a new SFTPUsers group by following this guide:
https://www.digitalocean.com/community/questions/how-do-i-restrict-a-user-to-a-specific-directory
I also have another server (SERVER B) on a shared host (not on Digital Ocean) that has nightly backup files.
I would like to securely copy these nightly backups each night from SERVER B to a directory on my DO server (SERVER A) that my backup user has access to, and would like to do it with a script so that it doesn’t ask for a password so it can just run. I’m really confused about where to go from here. I find the more I research, the more confused I get. I generate a public/private key on SERVER B and then copy the public key to server A? Then what happens?
Where do I go from here as far as being able to SCP a file from my one server to the digital ocean server? I’d like to do this using my new user I created. Would really welcome any help / pointers in the right direction. I tried doing reading on SSH / public/private keys but still don’t feel like I’m making progress 🙁
Thanks!
Solution:
Do I need to create a different SSH key for this user? I would do that on the DO server? I can’t even log in as this new user because it says access denied (public key) when I try to login. I can log in as root, however, when I use that key.
You can of course use the same key for everything. However, it would be better to use different keys for different users. So I'd recommend generating a key for a non-root user. (And maybe not entering a passphrase, or else you'll have to understand ssh-agent (see below).) You would generate the key on the DO server and then append the public key… see next step.
How can I ensure the droplet will allow access from this other server? I read that you can copy the public key created on the DO server to the shared server’s .ssh dir and then append it to authorized_keys. Is that correct?
You don't have to copy it to the ~/.ssh directory. You just have to append it to authorized_keys in the ~/.ssh directory.
Even if the key is copied over, it would still have a password as well that I would need to type in, no? Where does that get saved to? An environment variable?
Only if you entered a passphrase when you generated your key. You can store passphrases by using ssh-agent. Running ssh-agent will run a background process that takes care of filling in the passphrase when you ssh (or scp etc.) into a different server, but only for keys that you have ssh-add'ed. It will also output a few lines like this:
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-mjHm7nFyhJSh/agent.21838; export SSH_AUTH_SOCK;
SSH_AGENT_PID=21839; export SSH_AGENT_PID;
echo Agent pid 21839;
These are shell commands. If you paste them into your shell, you will be able to make use of ssh-agent in that shell. You can also do eval $(ssh-agent) to automatically evaluate ssh-agent's output by the shell. Then you do ssh-add (for the default .ssh/id_rsa key) or ssh-add path/to/key and enter the passphrase once. In that terminal you will now be able to ssh into other servers without entering the passphrase, even if you generated your key with a passphrase.