Setup Public/Private Keys and login to SFTP server on remote MacOS

I would very much appreciate if someone could walk me through the steps in connecting Duplicati on my Windows 10 office machine to a remote MacOS sftp server at my home set as the backup destination. I have successfully backed up files to the local windows machine and have turned on SFTP on the mac. I have tried altering settings in /private/etc/ssh/sshd_config without luck. I have then tried creating keys on the mac sftp server but still I’m missing something. Port 22 is open and I can get duplicati to see the server, but I keep getting permission denied and other errors. I have scoured the web for various command line options and I’m still missing something. MacOS terminal is relatively new to me. FWIW I am coming from CrashPlan and will be backing up medical records and X-rays.

Specific command line instructions would help tremendously to
#1 create private public keys on the mac and share the public key
#2 alter the sshd_config file properly for remote login from the duplicati server
#3 setup duplicati backup properly for the backup destination and advanced options and login credentials

Thank you in advance!

Hello @caddyshack, welcome to the forum!

Sorry for the delayed response - somehow your post slipped by me. :open_mouth:

Let’s start by isolating some of the possible issues. I’m going to ask some questions which might sound basic or really advanced - it’s just my way of figuring out what’s going on and how much you know. Feel free to answer as many / few of them as you want. :slight_smile:

  1. Have you used SFTP before outside of Duplicati?
  2. Have you set up SSH before?
  3. Have you tried a test connection using a password? (This tests possible key problems.)
  4. Have you tried connecting from the Mac TO the Mac using the local IP? (This tests possible routing issues.)
  5. Are you at all familiar with the Linux terminal? (The MacOS terminal is very similar.)
  6. Can you post some of the actual “permission denied and other” errors?

Once we get you working we can use that experience to write the #howto you probably wish was available to you. :+1:

  1. Have you used SFTP before outside of Duplicati? NO
  2. Have you set up SSH before? NO
  3. Have you tried a test connection using a password? YES not working
  4. Have you tried connecting from the Mac TO the Mac using the local IP? YES not working
  5. Are you at all familiar with the Linux terminal? A LITTLE, but easy learner. Windows command YES
  6. Can you post some of the actual permission denied and other errors? “Failed to connect: Permission denied (password).” in Duplicati; “Permission denied (publickey,password,keyboard-interactive).” in Mac Terminal when trying to log in to localhost. I used ‘sftp bradleyswanson@localhost’.

I have reset my sshd_config back to its original settings.

Thanks for all the detail!

I’d suggest we first get an SSH connection working from / to the Mac, that way we know the sshd_config is set up correctly.

The “Permission denied (password)” error suggests you’re trying to connect with either the wrong user or password. Did you set up “bradleyswanson” as an SSH user or is it just a Mac login?

Just a Mac login… I assume I’ll need to make a dedicated user… but I was concerned that I had to be logged in as the SSH user for the server to be reachable.

I generally only have access to a Mac one day a week, so it may take me a while to test and help out with getting SSH going. I’m willing to do it, but you might get faster results checking elsewhere on the web (just for the SSH part) or hoping another MacOS user might be around that can help (I’m not sure if @Pectojin knows much SSH stuff or not).

That being said, I don’t know that a dedicated user is needed, but it might be more secure. I like SSH (I use it myself) but keep in mind that you are technically opening a tiny hole on your computer up to the internet so it makes sense to ensure good security from the start. Personally I’d create a “Duplicati” user that only has access to your backups folder.

If you mean you had to be logged into the Mac for the SSH server to be running, then no - that’s not correct. Assuming you’re using the built-in remote SSH access features, that runs as a daemon / service - meaning it will start even if nobody logs into the physical machine.

I’ll try to give a precise description of the 3 requested steps in the original post, but I’m including some additional info which may or may not be useful to you (for the sake of making it #HowTo-able :slight_smile: )

#1
You can generate the key-set for MacOS using ssh-keygen. I usually just press enter the entire way through to create an unprotected private key. It’s up to you.

Assuming defaults the keyset is now in /Users/user/.ssh/ called id_rsa and id_rsa.pub.

Next, you need to tell the SSHD service that this key is allowed, so you update the authorized_keys file

cat /Users/user/.ssh/id_rsa.pub >> /Users/user/.ssh/authorized_keys

You will need to copy id_rsa from the server to the machine running Duplicati in order to set it up.
You can either use WinSCP to download the file, or just plain open the file and copy the contents out of it using vim /Users/user/.ssh/id_rsa

#2
SSH should be enabled first. It looks like it is on your system, but if it’s not it can be done by going into System Preferences -> Sharing and then enabling Remote Login.

After ensuring SSH is enabled on the destination you need to make sure it supports the login method you want to use. I like to fail the SSH handshake as the SSH server will tell you what methods it expects (allows).

# ssh user@server -o PreferredAuthentications=none 
user@server: Permission denied (publickey,password,keyboard-interactive).

If your desired option is not allowed (eg publickey or password) it needs to be tweaked in the SSHD config; there’s another thread here which may help: SSH into Mac - no authentication method found

#3
To configure Duplicati for SFTP (SSH), you need the usual servername, port, path, username, and password. Username is whatever user you have on the MacOS server. Password can be omitted if you’re using a private key without password protection.

In addition to the above settings, you need a few more settings, when using private keys, under the Advanced Options

Either set ssh-keyfile to the path of the id_rsa file on your machine running Duplicati, or use ssh-key to paste the key inline.
Note: ssh-key requires you to URL encode the id_rsa file contents

ssh-fingerprint also needs to be defined, or omitted with ssh-accept-any-fingerprints.
Luckily, Duplicati will give you the option to simply press yes to add the ssh-fingerprint option when you press Test connection, so I recommend doing that.

After adding the fingerprint and ssh-key you should be able to successfully test the connection and create the remote folder (if it’s missing) and you’re ready to use SFTP for backups :slight_smile:

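Steps #1 and #2 above as one re-runnable script, added here as an example and not code from the post or from Duplicati. It is typed on the Mac that runs sshd. Assumptions beyond the post: the key is named duplicati_id_rsa (any name works, the post uses the default id_rsa), the login user's home directory is the one passed in, and RSA is used because the thread and Duplicati's SFTP backend talk about id_rsa files. The permission checks are the part the post does not spell out: sshd silently ignores ~/.ssh/authorized_keys when the directory or file is group- or world-writable, which shows up as exactly the "Permission denied (publickey,...)" seen in the thread.

```shell
#!/bin/sh
# Added example (not from the forum post): the #1/#2 steps as shell functions.
# Paths, user name and key name are assumptions; adjust them to taste.
set -eu

# Generate a key pair for Duplicati with no passphrase (as in the post).
# $1 = path of the private key to create, e.g. ~/.ssh/duplicati_id_rsa
make_duplicati_key() {
    ssh-keygen -t rsa -b 4096 -N "" -C "duplicati-backup" -f "$1"
}

# Append one public-key line to $home/.ssh/authorized_keys, creating the
# directory and file with the modes sshd's StrictModes requires, and skipping
# the line if it is already present so re-running setup never duplicates it.
# $1 = home directory of the SSH login user, $2 = one public key line
install_authorized_key() {
    home=$1; publine=$2
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF "$publine" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$publine" >> "$home/.ssh/authorized_keys"
    fi
}

# Return 0 when ~/.ssh is 700 and authorized_keys is 600, 1 otherwise.
# (ls output is used instead of stat because stat's flags differ between
# macOS and Linux.)
check_ssh_perms() {
    home=$1
    dmode=$(ls -ld "$home/.ssh" | cut -c1-10)
    fmode=$(ls -l "$home/.ssh/authorized_keys" | cut -c1-10)
    [ "$dmode" = "drwx------" ] && [ "$fmode" = "-rw-------" ]
}

# Number of key lines currently in authorized_keys (shows idempotence).
count_authorized_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}

# The probe from the post: refuse every auth method so the server lists the
# ones it offers, e.g. "publickey,password,keyboard-interactive".
# $1 = user@host
list_auth_methods() {
    ssh -o PreferredAuthentications=none -o BatchMode=yes "$1" 2>&1 \
        | sed -n 's/.*Permission denied (\(.*\))\..*/\1/p'
}

if [ "${1:-}" = "--demo" ]; then
    key=$HOME/.ssh/duplicati_id_rsa          # assumed key name
    [ -f "$key" ] || make_duplicati_key "$key"
    install_authorized_key "$HOME" "$(cat "$key.pub")"
    check_ssh_perms "$HOME" && echo "permissions OK"
    echo "server offers: $(list_auth_methods "${USER:-$(id -un)}@localhost")"
    echo "copy $key to the Windows machine for Duplicati's ssh-keyfile option"
fi
```

Run it as `sh setup.sh --demo` on the Mac; the private key (not the .pub) is what goes to the Windows machine. One caveat worth knowing before blaming the key: macOS releases that ship OpenSSH 8.8 or later no longer accept the SHA-1 "ssh-rsa" signature scheme by default, so if a password login works but the RSA key is rejected during authentication, check the server's log for a rejected signature algorithm before reworking the key file.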

Ok, I got it to work. Thank you! I’m not sure where it went wrong originally. I had to delete the .ssh folder, restart remote login and start from scratch before it worked.

  1. Where/How do you add the sshkey:// prefix to the public key? Before or after URL encoding? Do you just type sshkey:// right before the ---------BEGIN RSA PRIVATE KEY---------

  2. Should I add another User to my mac for the server to prevent brute force entries? And then change the config to prevent root login? $PermitRootLogin no $AllowUsers username2 (I’m guessing i would need to create a new keyset for this user and add it to the authorized_keys)?

Big question…is Minio or SSH safer when transferring over the internet? I have both protocols working.

Thank you kindly for all your help!

Good :slight_smile:

Yep, just plain sshkey://---------BEGIN RSA PRIVATE KEY---------.

You can add a service account for good measure. Someone with access to Duplicati on your system would be able to SSH into the MacOS server, so if you’re logging in with a user that only has access to your backup you greatly limit the vulnerability there.

Disabling root is always a good idea. And limiting AllowUsers to the user(s) you want to be able to SSH is also a good idea. You can in principle use the same keyset for multiple users, but then you’re back to basically being as secure as just using one user :slight_smile:

If you’re exposing SSH over the internet I would strongly recommend disabling password login PasswordAuthentication no. Private keys are much harder to crack than passwords and exposed SSH ports will be attacked by random people on the internet at some point.

Of course Minio could be attacked as well, so it should also be properly protected with a good password, but it’s probably less of a target :slight_smile:

Beyond that, they’re fairly similar in security, assuming of course Minio is using HTTPS. Both use full end to end encryption. Both HTTPS and SSH can be tweaked to use different encryption ciphers or key strengths, but by default they’re both sufficiently secure.

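The two answers in the reply above, worked as an added shell example that is not the poster's or Duplicati's own code. The first half builds the value for Duplicati's ssh-key advanced option the way the thread describes it: the private-key file contents URL-encoded and prefixed with sshkey://. The second half applies the sshd_config directives from the reply (PermitRootLogin no, PasswordAuthentication no, AllowUsers) to a copy of the config so it can be validated with `sshd -t` before it replaces the live file. The user name duplicati, the file paths, and the extra ChallengeResponseAuthentication no line (which switches off the keyboard-interactive method that also carries passwords) are assumptions beyond what the reply states.

```shell
#!/bin/sh
# Added example, not from the forum thread. Two helpers for the reply above:
#  - duplicati_ssh_key_value: sshkey:// + URL-encoded private key file
#  - harden_sshd_config: the reply's sshd_config changes on a COPY of the file
set -eu

# Percent-encode stdin byte by byte. Only RFC 3986 unreserved characters
# (A-Z a-z 0-9 - . _ ~) pass through; everything else, including the newlines
# of a PEM file, becomes %XX. od yields decimal byte values, so this needs
# nothing beyond POSIX sh and coreutils (no python/perl on the box).
urlencode_stdin() {
    od -An -v -tu1 | tr -s ' \n' '\n\n' | while read -r b; do
        [ -n "$b" ] || continue
        if { [ "$b" -ge 48 ] && [ "$b" -le 57 ]; } ||
           { [ "$b" -ge 65 ] && [ "$b" -le 90 ]; } ||
           { [ "$b" -ge 97 ] && [ "$b" -le 122 ]; } ||
           [ "$b" -eq 45 ] || [ "$b" -eq 46 ] || [ "$b" -eq 95 ] || [ "$b" -eq 126 ]; then
            printf "\\$(printf '%03o' "$b")"     # unreserved: emit the byte itself
        else
            printf '%%%02X' "$b"                 # everything else: %XX
        fi
    done
}

urlencode_str() { printf '%s' "$1" | urlencode_stdin; }

# $1 = private key file copied from the Mac; prints the ssh-key option value.
duplicati_ssh_key_value() {
    printf 'sshkey://'
    urlencode_stdin < "$1"
    echo
}

# Make "$2 $3" the only line for directive $2 in config $1. sshd honours the
# FIRST occurrence of a directive, so the new line goes at the top, ahead of
# any Include or Match block; old active and commented-out lines for that
# directive are dropped so the file stays unambiguous.
set_sshd_directive() {
    cfg=$1; key=$2; val=$3
    { printf '%s %s\n' "$key" "$val"
      grep -viE "^#?[[:space:]]*$key([[:space:]]|\$)" "$cfg" || true; } > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# First active value of a directive (case-insensitive, like sshd itself).
sshd_directive_value() {
    awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1"
}

# $1 = sshd_config copy, $2 = the only user allowed to log in over SSH.
# Note AllowUsers locks out every other account, including your own admin
# user, so add it too if you still want to ssh in as yourself.
harden_sshd_config() {
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" PasswordAuthentication no
    set_sshd_directive "$1" ChallengeResponseAuthentication no  # keyboard-interactive (assumed addition)
    set_sshd_directive "$1" PubkeyAuthentication yes
    set_sshd_directive "$1" AllowUsers "$2"
}

if [ "${1:-}" = "--demo" ]; then
    # Windows side: paste the printed value into Duplicati's ssh-key option.
    duplicati_ssh_key_value "${2:-$HOME/.ssh/duplicati_id_rsa}"
    # Mac side: harden a copy, let sshd validate it, then install it by hand.
    cp /etc/ssh/sshd_config /tmp/sshd_config.new
    harden_sshd_config /tmp/sshd_config.new "${3:-duplicati}"
    sudo /usr/sbin/sshd -t -f /tmp/sshd_config.new &&
        echo "config OK: sudo cp /tmp/sshd_config.new /etc/ssh/sshd_config"
fi
```

Keep an SSH session open while you swap in the hardened config and restart Remote Login: if AllowUsers or the key setup is wrong you still have a shell to fix it, and the first thing to re-test is the key-based login as the duplicati user before the password path is gone for good.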