So I have an SSH key-pair set up on my computer to access my Google Cloud hosting via SFTP.

I want to give access to an SEO company. Can I just send them the two key files FileZilla generated, and tell them my username to log on?

I don't quite now how to add a new user with their own SSH key pair, but my set up works fine. I just want to mirror this.

Is this possible? Any simple advice is greatly appreciated thanks.

OR, what I'd like to do is just give them a standard FTP logon. I have an FTP firewall rule set up GC, but when I try to connect I just get the connection refused message.

Any ideas on this solution would also be greatly appreciated.

What are my options here that are the most simple in terms of execution?

    You should not put plain old unencrypted FTP in place at all. `man useradd` for how to add a user, then have them provide a public key and put it in `/home/your-new-user/.ssh/authorized_keys`. – ceejayoz Nov 20 '17 at 16:40
  • Plenty of web hosts offer plain FTP as a way to access files, this is what I'd like to do. Is this not possible with Google Cloud at all? I'm sure it is. What's the easiest way they can generate a public key, and will I also need to ask them to set up a private one on their computers? –  Nov 20 '17 at 16:56
    Plenty of web hosts do horrible things, including offering FTP access to servers. It's a common way for sites on these hosts to get compromised. Yes, you *can* setup unencrypted FTP on Google Cloud, but it should *never, **ever*** be used unless the data and/or credentials being transferred are public knowledge. – ceejayoz Nov 20 '17 at 17:01
    Plenty of web hosts offer PHP 5.3, too. Doesn't make it a good idea. They can generate a public/private key pair with `ssh-keygen` on any Linux/OSX box. Putty can be used on Windows. – ceejayoz Nov 20 '17 at 17:02
  • Could I just pass on both of my private/public keys for them to log in as me, without needing to create a new user or directory? Essentially copying my filezilla stored logon for them to use? –  Nov 20 '17 at 17:10
    You should never, ever share your private key with someone else. You could add their public key to your existing user's `authorized_keys` file, but you should note that this will give them full access, including the ability to remove *your* key. SEO's sleazy enough that I'd personally never permit that. – ceejayoz Nov 20 '17 at 17:23

If you are not familiar with the Linux shell, you could make use of the Google Console to make your life a bit easier.

First of all you need a new pair of keys. Run from the Cloud shell:

ssh-keygen -t rsa -C "username@example.com"

At this point you will have two keys:

  • id_rsa: this is the private key that will be used to access your files and that you should give to the SEO in a safe way. Therefore do not send it in plain text or as an attachment of an email. Consider that the best practise should be that the SEO itself run the command and send you the public key.

  • id_rsa.pub: the public key. You can post it in edit page of your Google Cloud Compute Engine instance in the “SSH Keys” tab. In this way it will be created for you an account for “username” with the public key already saved inside the “~/.ssh/authorized_keys”. Therefore the biggest part of the work will be done for you.

Note that by making use of SFTP you will have permission only on the file the account you are using to login has permission on. Therefore if you want to share the files inside your home with the SO, you should take care that those files and any subdirectories can be accessed by his/her account checking the permissions.

    This is what I ended up doing, but I feel bad for literally just dumping it on them and saying 'You have to do it'. I don't see why such a big stance on being ultra secure is needed.. it's a bit... 'tin foil hat' if you ask me. I'm wondering if it's worth it at all to be honest. This is like creating a mountain out of a mole hill. –  Nov 21 '17 at 15:35
  • My answer will be useful for the next guy reading your question then! By the way the amount of security you need depends on the value of your data for you and for the other people. And 'tin foil hat' by the way is an awesome expression I've never heard before! – GalloCedrone Nov 21 '17 at 15:45
  • 1
    @Lee If your SEO company isn't technologically capable of using an SSH key, you really shouldn't be using them. It's an absolutely basic requirement for anyone doing modern web development work. Nothing tinfoil hat about it - secure methods exist because the insecure ones **were** actively compromised. – ceejayoz Nov 21 '17 at 19:26