
I have a Digital Ocean droplet (SERVER A) that uses an SSH key and password for my root account. I created an additional user and added it to a new SFTPUsers group by following this guide:

https://www.digitalocean.com/community/questions/how-do-i-restrict-a-user-to-a-specific-directory

I also have another server on a shared host (not on Digital Ocean) that has nightly backup files. (SERVER B)

I would like to securely copy these nightly backups each night from SERVER B to a directory on my DO server (SERVER A) that my backup user has access to, and would like to do it with a script so that it doesn't ask for a password so it can just run. I'm really confused about where to go from here. I find the more I research, the more confused I get. I generate a public/private key on SERVER B and then copy the public key to server A? Then what happens?

Where do I go from here as far as being able to SCP a file from my one server to the digital ocean server? I'd like to do this using my new user I created. Would really welcome any help / pointers in the right direction. I tried doing reading on SSH / public/private keys but still don't feel like I'm making progress :(

Thanks!

1 Answer


Do I need to create a different SSH key for this user? I would do that on the DO server? I can't even log in as this new user because it says access denied (public key) when I try to login. I can log in as root, however, when I use that key.

You can of course use the same key for everything. However, it would be better to use different keys for different users. So I'd recommend generating a key for a non-root user. (And maybe not entering a passphrase, or else you'll have to understand ssh-agent (see below).) You would generate the key on the DO server and then append the public key... see next step.

How can I ensure the droplet will allow access from this other server? I read that you can copy the public key created on the DO server to the shared server's .ssh dir and then append it to authorized_keys. Is that correct?

You don't have to copy it to the ~/.ssh directory. You just have to append it to authorized_keys in the ~/.ssh directory.

Even if the key is copied over, it would still have a password as well that I would need to type in, no? Where does that get saved to? An environment variable?

Only if you entered a passphrase when you generated your key. You can store passphrases by using ssh-agent. Running ssh-agent will run a background process that takes care of filling in the passphrase when you ssh (or scp etc.) into a different server, but only for keys that you have ssh-added. It will also output a few lines like this:

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-mjHm7nFyhJSh/agent.21838; export SSH_AUTH_SOCK;
SSH_AGENT_PID=21839; export SSH_AGENT_PID;
echo Agent pid 21839;

These are shell commands. If you paste them into your shell, you will be able to make use of ssh-agent in that shell. You can also do eval $(ssh-agent) to automatically evaluate ssh-agent's output by the shell. Then you do ssh-add (for the default .ssh/id_rsa key) or ssh-add path/to/key, and enter the passphrase once. In that terminal you will now be able to ssh into other servers without entering the passphrase, even if you generated your key with a passphrase.

  • Thank you so much for taking the time to answer. If I want to generate a key for a non-root user, I just have to log in as that user on the box, and generate a key? Now if I generate the key on the DO BOX (A), remember my goal is to copy files from B to A using the backup user I created on Server A. To do that, do I copy the public key for my user from server A onto Server B and append it to authorized_keys ? After that, would my SCP command work? Basically Server B needs the public key, and server A needs the private key, correct? Commented Mar 23, 2018 at 14:29
  • Correct. BTW, the public key is entirely made from normal printable characters, so you can just copy and paste it into ~/.ssh/authorized_keys on the other server.
    – sneep
    Commented Mar 23, 2018 at 14:40
  • Do I want to give this user a home directory? Is it a normal user? I want to restrict them so even if someone compromised server B, they couldn't do much damage Commented Mar 23, 2018 at 15:36
  • Yeah, normal user. You couldn't put anything in ~/.ssh/authorized_keys if there were no home directory. You can log in from A to B, but not from B to A, so nothing to worry about.
    – sneep
    Commented Mar 23, 2018 at 15:52
  • but to confirm, copying A's public key over to B allows me to run SCP from B and copy a file to A? Commented Mar 23, 2018 at 16:02
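For the direction the question actually asks about (a script on SERVER B pushing files to SERVER A), the key pair lives on the machine that runs scp, i.e. SERVER B, and only the public half goes into ~/.ssh/authorized_keys of the backup user on SERVER A. The script below is an added example, not code from the question, the answer or the linked DigitalOcean guide. It assumes placeholder names: a user called backup on SERVER A, the hostname serverA.example, the writable directory /home/backup/uploads, and 203.0.113.10 as SERVER B's public address. Step 1 and step 3 run on SERVER B; step 2 runs on SERVER A. Besides getting the key into the right file, step 2 sets the permissions sshd requires (a group- or world-writable home, .ssh or authorized_keys is a common cause of "Permission denied (publickey)" even when the key is correct) and prefixes the key with from= and restrict so it is only accepted from SERVER B and cannot get a pty, forward ports or an agent.

```shell
#!/bin/sh
# Added example (not from the original post). All hostnames, users, paths
# and the 203.0.113.10 address are placeholders to replace with your own.
set -eu

# Step 1 (on SERVER B): a dedicated key with no passphrase, so cron can use it
# without ssh-agent. Prints the public key that has to be installed on SERVER A.
generate_backup_key() {
  key=$1
  [ -f "$key" ] || ssh-keygen -t ed25519 -N '' -f "$key" -C "backup-push@serverB" >/dev/null
  cat "$key.pub"
}

# Step 2 (on SERVER A): append the public key to $home/.ssh/authorized_keys
# with the modes sshd insists on. The line is prefixed with from= and
# restrict (OpenSSH 7.2+) so the key only works from SERVER B's address and
# cannot open a pty, forward ports/agent/X11, or run ~/.ssh/rc.
# Idempotent: re-running does not duplicate an already installed key.
# Prints how many authorized_keys lines contain this key (expected: 1).
install_authorized_key() {
  home=$1; pubkey=$2; client_ip=$3
  line="from=\"$client_ip\",restrict $pubkey"
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  # The base64 blob (second field) identifies the key regardless of options/comment.
  blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
  if ! grep -qF -- "$blob" "$home/.ssh/authorized_keys"; then
    printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
  fi
  grep -cF -- "$blob" "$home/.ssh/authorized_keys"
}

# Step 3 (on SERVER B, e.g. from cron): push one backup file to SERVER A.
# BatchMode=yes makes ssh fail instead of hanging on a password prompt when the
# key is rejected; IdentitiesOnly=yes stops it trying every other key it knows.
push_backup() {
  key=$1; user=$2; host=$3; file=$4; dest=$5
  scp -i "$key" -o BatchMode=yes -o IdentitiesOnly=yes "$file" "$user@$host:$dest/"
}

# Example wiring (placeholders), run manually once to confirm the key works:
#   generate_backup_key /home/webuser/.ssh/backup_push_ed25519     # on SERVER B
#   install_authorized_key /home/backup "<paste public key>" 203.0.113.10   # on SERVER A
#   push_backup /home/webuser/.ssh/backup_push_ed25519 backup serverA.example \
#     /var/backups/site-$(date +%F).tar.gz /home/backup/uploads        # on SERVER B
```

If SERVER A's sshd forces internal-sftp for the SFTPUsers group, as the linked guide's chroot setup does, the exec channel that classic scp uses is not available for that user; the same key then works with sftp in batch mode (sftp -b with a put command) instead of scp. The restrict option does not by itself forbid running commands, so on a server without a forced sftp command, adding command="internal-sftp" to the same authorized_keys line is the usual way to keep the backup key from being used for anything but file transfer.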
