Questions to ssh connection with keys

Hi,

I'm thinking of using sftp as the transfer for backups and using keys instead of passwords. I understand it works this way:

I've got 2 servers: server1 and backup. I want server1 to connect to backup and upload a file. So I do this on server1: ssh-keygen, then ssh-copy-id user@backup, and then I can do sftp user@backup without passwords.

Is that right? And when I do ssh-keygen what do I have to write as passphrase? And what should I save on my computer as backup? The identification public key, key fingerprint and key's randomart image?

Regards and thank you :)

Comments

  • Thanks but I want to understand things a bit. So it would be nice if I would get answers to my questions :P

  • said: Is that right? And when I do ssh-keygen what do I have to write as passphrase? And what should I save on my computer as backup? The identification public key, key fingerprint and key's randomart image?

    You just leave the passphrase blank. Save both the public key id_rsa.pub and the private key id_rsa (by default). You only need to copy the public key to the backup server and add it to ~/.ssh/authorized_keys; ssh-copy-id does this for you, assuming you have password authentication enabled.
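    The steps in this reply, written out as an added example (this is not code from anyone in the thread). It generates the key pair the way the reply suggests (empty passphrase) and does by hand what ssh-copy-id does on the backup server, so each piece is visible. Everything runs in a scratch directory; the real target on the backup server is ~/.ssh/authorized_keys. The sample public-key line is constructed, not a real key. It also answers the backup question from the original post: the fingerprint and randomart are derived from the public key, so only the two key files need saving.

```shell
#!/bin/sh
# Added example, not from the thread: the steps the reply describes, with the
# part ssh-copy-id automates written out by hand so each piece is visible.
# Runs entirely in a scratch directory; the real target on the backup server
# is ~/.ssh/authorized_keys. Key material below is constructed, not a real key.

# Step 1 (on server1): generate a key pair with an empty passphrase (-N "").
# Produces $1 (private key, stays on server1) and $1.pub (public key, copied out).
make_keypair() {
    ssh-keygen -q -t ed25519 -N "" -C "server1 backup push" -f "$1"
}

# Step 2 (on the backup server): what ssh-copy-id does. Append one public-key
# line to authorized_keys, once, with the permissions sshd's StrictModes wants
# (directory 700, file 600). Expects a plain "type base64 comment" line.
install_pubkey() {
    auth_file=$1
    pubkey_line=$2
    ssh_dir=$(dirname "$auth_file")
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"
    # Match on key type + base64 only, so a re-run with a changed comment
    # does not add a duplicate entry.
    key_material=$(printf '%s\n' "$pubkey_line" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$auth_file" | grep -qxF -- "$key_material"; then
        return 0
    fi
    printf '%s\n' "$pubkey_line" >> "$auth_file"
}

# How many keys an authorized_keys file grants access to (comments/blanks skipped).
count_keys() {
    grep -cEv '^[[:space:]]*(#|$)' "$1" || true
}

demo_dir=$(mktemp -d)

# Constructed stand-in for the contents of id_ed25519.pub.
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDSAMPLEKEYxxxxxxxxxxxxxxxxxxxxx server1 backup push'

install_pubkey "$demo_dir/.ssh/authorized_keys" "$SAMPLE_PUB"
install_pubkey "$demo_dir/.ssh/authorized_keys" "$SAMPLE_PUB"   # second run: no-op
echo "authorized keys: $(count_keys "$demo_dir/.ssh/authorized_keys")"   # 1

# The fingerprint and randomart the OP asks about are derived from the public
# key, so there is nothing extra to back up: ssh-keygen recomputes them.
if command -v ssh-keygen >/dev/null 2>&1; then
    make_keypair "$demo_dir/id_ed25519"
    ssh-keygen -lf "$demo_dir/id_ed25519.pub"     # fingerprint
    ssh-keygen -lvf "$demo_dir/id_ed25519.pub"    # fingerprint + randomart
fi
rm -rf "$demo_dir"
```

    If server1 is ever rebuilt, only id_ed25519 (private, server1) and the matching line in authorized_keys (backup server) matter; the key generation block is guarded so the installation part runs even where ssh-keygen is not present.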

  • edited February 2014

    It is usually recommended to fetch backups (in read only) rather than pushing them.

  • @MitchellRobert said:
    It is usually recommended to fetch backups (in read only) rather than pushing them.

    +1 you don't want someone to take over some random node of users and delete all your backups. Normally I have my node move the data to be backed up to a directory on some sort of timer (cron is for simple stuff). And then the backup node has read-only privileges in this folder and it will read the data, and then since the atime has changed since the last time I pushed data into that folder, the node will delete the data in that folder (assuming that's how I want the last step to work).

  • You might not want to store unencrypted backups on a VPS. If you like to keep data private you could use software like www.duplicati.com

  • Hrm, I usually just pull my data from my VPS to my home server with the home server initiating the connection via an rsync script and cron. That way if the VPS is compromised, my home server isn't owned too.

  • duplicati is great for a lot of stuff

    I have 3 friends using my ownCloud server; I use duplicati to back up all user files to Backupsy.

  • I read the Digital Ocean article. But I don't understand the whole way these keys work. So I generate two keys: a public and a private one. With the public key I can encrypt things, with the private key I can decrypt them again. But what keys do my backup and live server need? I want my live server to connect to the backup server, so do both servers have both public and private keys? Thank you :)

  • Have a read: https://help.ubuntu.com/community/SSH/OpenSSH/Keys

    You keep the private key, well, private, and put the public key on the server you want to access. When you try to connect, the keys are compared and if they match, you are either prompted for the passphrase (if one is there) or logged into the system.

    You'd need the private key on the live system, public key on the backup system.

  • Thank you :)

    So I want to have access from live server to backup system:
    I create keys on backup server, copy public key to the live server and then the live server can access my backupserver?

  • You can either create the keys on the live server, and copy the public key to the backup server and have the live server initiate the connection to copy files to/from the backup server. Or you can do the reverse - create the keys on the backup server, add public key to the live server and initiate the connection from the backup server.

    I prefer attempting to keep access limited if I have to use a passphraseless key, so I have my home server (that isn't open to the public internet) initiate the connection to my VPS.

    You can also lock down a specific key so it will only run rsync in authorized_keys, but I don't recall what the syntax for that is off the top of my head.

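    The syntax this reply can't recall is the options field at the front of an authorized_keys line. The following is an added example (not from this poster or anyone in the thread) for the pull model several replies recommend: the backup host initiates, and the key it presents to the live server is locked to read-only rsync of one directory. It assumes rsync's rrsync wrapper is installed at /usr/bin/rrsync (the path varies by distro); the address 203.0.113.10, the directory /srv/export and the key material are constructed for the demo. The second half audits an authorized_keys file for keys that were never locked down, which is the check to run after ssh-copy-id.

```shell
#!/bin/sh
# Added example, not from the thread: the authorized_keys syntax that locks one
# key down to read-only rsync, plus a check for keys that were never locked down.
# Assumes rsync's rrsync wrapper at /usr/bin/rrsync (path varies by distro).
# Addresses, paths and key material are constructed for the demo.

# Build the authorized_keys line for the key the backup host uses to pull:
#   restrict        no pty, no port/agent/X11 forwarding, no ~/.ssh/rc (OpenSSH 7.2+)
#   from="..."      sshd accepts this key only from the given source address
#   command="..."   whatever the client asked to run is replaced by rrsync in
#                   read-only (-ro) mode, rooted at the export directory
restricted_key_line() {
    pubkey_line=$1
    allowed_from=$2
    export_dir=$3
    key_material=$(printf '%s\n' "$pubkey_line" | cut -d' ' -f1,2)
    printf 'restrict,from="%s",command="/usr/bin/rrsync -ro %s" %s backup-pull\n' \
        "$allowed_from" "$export_dir" "$key_material"
}

# List key lines with no forced command, i.e. keys that still get a full shell.
unrestricted_keys() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ev '(^|,)command="' || true
}

count_unrestricted() {
    unrestricted_keys "$1" | grep -c . || true
}

demo_dir=$(mktemp -d)
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDSAMPLEKEYxxxxxxxxxxxxxxxxxxxxx backup@home'
{
    printf '%s\n' "$SAMPLE_PUB"                                   # as ssh-copy-id leaves it
    restricted_key_line "$SAMPLE_PUB" 203.0.113.10 /srv/export   # locked down
} > "$demo_dir/authorized_keys"

cat "$demo_dir/authorized_keys"
echo "keys granting a full shell: $(count_unrestricted "$demo_dir/authorized_keys")"   # 1
rm -rf "$demo_dir"
```

    With the restricted line installed on the live server, the backup host runs its usual rsync over ssh; remote paths are resolved inside /srv/export, and rrsync refuses anything other than a read-only transfer, so a compromised backup host cannot use the key to get a shell or write to the live system. If the live server must push instead, the same options (restrict, from=, command=) belong on the backup server's copy of the key.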
  • emgemg Veteran

    Here are a few tips about Public/Private keys. Please excuse the simplifications, but these are the essential details:

    • Public and private keys come as a matched set. They are created together at the same time.

    • Each public/private key pair is unique. If you create a new public/private key pair, it will be different than anyone else's public/private key pair, or any previous public/private key pair you created in the past.

    • If you encrypt (scramble) data with the public key, then ONLY the matching private key can decrypt it. The public key won't help, nor will any other non-matching private key.

    • If you digitally sign something with the private key, then anyone with a copy of the matching public key can verify the signature. The verification proves two assertions - (1) the data has not been altered and (2) only the person who has the matching private key could have signed the data.

    • When you use public/private keys to authenticate an SSH connection, the side that initiates the connection uses the private key to sign some data that is "agreed upon" as the session is being "negotiated". The receiving side uses the public key to verify the signature, which authenticates the connection. (That is a vast oversimplification, but hopefully it helps.)

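    The fourth tip above (sign with the private key, anyone holding the public key can verify) can be exercised directly with OpenSSH's own tooling, ssh-keygen -Y, available since OpenSSH 8.0. This is an added example, not code from emgemg or anyone else in the thread. It signs a file rather than an SSH session, so it is not the login handshake from the fifth tip, but it is the same key pair and the same property that handshake relies on. The principal name "server1" and the manifest text are constructed for the demo; the function reports "skipped" where ssh-keygen is not installed.

```shell
#!/bin/sh
# Added example, not from the thread: "sign with the private key, verify with
# the public key" using OpenSSH's ssh-keygen -Y (OpenSSH 8.0+). The principal
# name and file contents are constructed for the demo.

# Prints "verified" when a signature over the original message checks out AND
# the same signature is rejected for a tampered copy; "skipped" if ssh-keygen
# is not available; anything else means the property did not hold.
sign_verify_roundtrip() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo skipped; return 0; }
    w=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N "" -C "signer" -f "$w/id_ed25519"

    printf 'backup manifest 2014-02: 3 files\n' > "$w/manifest"

    # The PRIVATE key signs. Writes manifest.sig; "file" is the signature namespace.
    ssh-keygen -Y sign -f "$w/id_ed25519" -n file "$w/manifest" 2>/dev/null

    # The verifier only ever sees the PUBLIC key, listed in an allowed_signers
    # file as "<principal> <key-type> <base64>".
    printf 'server1 %s\n' "$(cut -d' ' -f1,2 "$w/id_ed25519.pub")" > "$w/allowed_signers"

    # Assertion (1) from the tip: unaltered data, matching key -> accepted.
    if ! ssh-keygen -Y verify -f "$w/allowed_signers" -I server1 -n file \
            -s "$w/manifest.sig" < "$w/manifest" >/dev/null 2>&1; then
        rm -rf "$w"; echo failed; return 1
    fi

    # Change one character of the message: the old signature must now fail.
    printf 'backup manifest 2014-02: 4 files\n' > "$w/manifest"
    if ssh-keygen -Y verify -f "$w/allowed_signers" -I server1 -n file \
            -s "$w/manifest.sig" < "$w/manifest" >/dev/null 2>&1; then
        rm -rf "$w"; echo tamper-accepted; return 1
    fi

    rm -rf "$w"
    echo verified
}

sign_verify_roundtrip
```

    Nothing secret leaves the signing side: allowed_signers holds only the public half, which is exactly the split the replies above describe for SSH login (private key on the connecting server, public key in authorized_keys on the other).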