This is the second part of a Google Cloud Platform series. With a preconfigured web server up and running, our last task is to access the server with an SSH client like WinSCP. Until now, deploying the server didn’t require any more IT knowledge than the average user brings. To spoil the show: this changes now. If you are new to SSH: our goal today is to access the server and copy custom content to it. By custom we mean any software or website content (scripts, stylesheets, images) that is not available via Google’s Click-to-Deploy mechanism.
To achieve this, we need to configure an SSH connection in WinSCP and, for that, generate a public/private key pair for authentication.
For an SFTP connection we have to configure not only our tool (we chose WinSCP for now) but also the web server at Google Cloud Platform (GCP). Instead of using user names and passwords, we will generate a public/private key pair. The public key has to be registered in Google’s Developer Console; the private key is used in the WinSCP connection. Let’s begin!
In case you do not have an SSH tool at hand, download WinSCP here. There is also a portable version available if you want to store it on a USB stick.
Generating the key pair
Key pairs are used to encrypt and decrypt data, email or other messages and so on. A private key is always bundled with a corresponding public key. As the names suggest: While you should keep your private key secret and only use it to configure software (like WinSCP or your mailing software), feel free to let your friends and business partners know you have a public key.
The keys only work together. When you lose your private key, your public key is useless. The other way around, you can always recover the public key from the private key.
A tool named PuTTYgen comes bundled with WinSCP and is used to generate key pairs. Just hit the „Generate“ button to start the process. You will have to actively participate in the key generation: to gather randomness, PuTTYgen monitors your mouse movement. So send your mouse pointer on a weird journey all over the screen. It should all take less than 10 seconds.
After that save both keys to separate files (using the „Save public key“ / „Save private key“ buttons).
Configure Google Cloud Platform
GCP makes it easy to store your public key using the Developer Console. The correct byte-by-byte value can be obtained from PuTTYgen. With your key information still open in the program, just change the „Key comment“ field and enter the same email address that you used for GCP registration. Google expects a form containing only letters and underscores, so every special character, including @, has to be replaced by an underscore. For example, your_email@gmail.com becomes your_email_gmail_com.
In case you have already closed PuTTYgen, reopen it and load your private key file to get all information back.
Open the Google Developer Console, navigate to Compute > Compute Engine > Metadata and choose the „SSH Keys“ tab. You will find 2-3 keys preconfigured. Just add another one and use as the key the content of PuTTYgen’s field named „Public key for pasting into OpenSSH authorized_keys file“; the value should begin with „ssh-rsa“ and end with your email address in the format mentioned above.
Add a new site in WinSCP
Open WinSCP and hit the „New site“ button. Choose SFTP as the protocol on port 22. For the host name, enter the public IP of your server. In case you do not remember the IP, find it under Compute > Compute Engine > VM Instances in the Developer Console. Once again, use the letter/underscore version of your email address as the user name. No password is needed.
You cannot enter your private key in this form. Instead, go to the advanced settings and find SSH > Authentication. Select your private key file and keep hitting enter/save until everything is set.
Connecting for the first time
When you establish a connection for the first time, WinSCP tells you it cannot find the server fingerprint in its cache. Verify the fingerprint by comparing it to the one you see on the online SSH interface in the Google Developer Console.
To open the SSH interface, open the Developer Console one last time, navigate to Compute > Compute Engine > VM Instances, and hit the SSH button to the right of your server name. The fingerprint to compare is written in the very first line:
Connected, host fingerprint: ssh rsa 2048 ...
When both fingerprints match, everything is fine. Don’t be surprised to never ever be asked for a password. This is exactly what we wanted to achieve with the keys.
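Added example (not part of the original article): the line pasted into the „SSH Keys“ tab and the fingerprint compared above are both built from the same OpenSSH public key blob. This Python code checks a key line before it is registered and computes its fingerprint in the MD5 and SHA256 notations; the function names and the sample key (filler bytes, not a real key) are constructed for illustration, and keeping digits in the user name is an assumption.

```python
import base64
import hashlib
import re

def gcp_username(email):
    # Article's rule: every special character, including "@", becomes "_".
    # Keeping digits is an assumption of this example.
    return re.sub(r"[^A-Za-z0-9_]", "_", email)

def _field(blob, off):
    # Key blob = sequence of fields: 4-byte big-endian length, then the data.
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def fingerprints(blob):
    # A fingerprint is a hash of the raw key blob, shown in one of two notations.
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def check_key_line(text, email):
    # Validate the one-line OpenSSH form: "ssh-rsa <base64 blob> <user name>".
    if "BEGIN" in text:
        raise ValueError("multi-line key file; use the one-line OpenSSH form")
    parts = text.split()
    if len(parts) != 3 or parts[0] != "ssh-rsa":
        raise ValueError("expected: ssh-rsa <base64> <user name>")
    blob = base64.b64decode(parts[1], validate=True)  # ValueError if damaged
    inner, off = _field(blob, 0)          # key type repeated inside the blob
    _exponent, off = _field(blob, off)    # RSA public exponent
    modulus, off = _field(blob, off)      # RSA modulus
    if inner != b"ssh-rsa" or off != len(blob):
        raise ValueError("key blob does not match the ssh-rsa layout")
    if parts[2] != gcp_username(email):
        raise ValueError("comment must be " + gcp_username(email))
    md5, sha256 = fingerprints(blob)
    return {"user": parts[2], "bits": int.from_bytes(modulus, "big").bit_length(),
            "md5": md5, "sha256": sha256}

def sample_line(user):
    # Constructed sample: correct layout, but the modulus is filler, not a real key.
    def pack(data):
        return len(data).to_bytes(4, "big") + data
    blob = pack(b"ssh-rsa") + pack(b"\x01\x00\x01") + pack(b"\x00" + b"\xc3" * 256)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + user

print(check_key_line(sample_line("your_email_gmail_com"), "your_email@gmail.com"))
```

The first check rejects the multi-line file written by „Save public key“, which is a different format from the one-line value the article tells you to paste.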
Handling Linux permissions
Everything is now set up and a connection is established. However, file transfer is not yet possible: your user does not have write permission for the /lamp directory where all your web content is stored. The reason is the configuration of the server’s Linux OS; it is not specific to GCP. It only takes a single line in the online SSH console to fix that (replace ihre_email_gmail_com with your own user name):
sudo chown ihre_email_gmail_com /lamp
This command makes your user the owner of the /lamp directory. It’s the easiest way to solve the problem without further knowledge of Linux commands. The command takes effect immediately, so you should be able to transfer files with WinSCP right away.