rsync + ssh: fails from cron

Itay Furman itayf at
Thu Mar 11 18:48:31 GMT 2004

Thank you for your reply -- it is very helpful and makes things 
clearer to me. I will try the other approach that you have 
suggested, i.e., making the cron jobs part of the same process 

	Thanks again,

On Thu, 11 Mar 2004, Larry Brasfield wrote:

> Itay Furman wrote:
> > Hi,
> Greetings.
> > My ssh set up, on both 'work' and 'home' machines uses the 
> > private-public key authentication (key uses non-empty 
> > passphrase). So from the 'home' shell prompt the following 
> > works without prompting for a password or passphrase:
> > 
> > rsync -avz --delete -e ssh $HOME/work
> That most likely works without prompting because somebody
> has caused a key agent to be running on your behalf when
> you log in.  The key agent provides key values sort of
> under the table, without any action on your part.
> > From cron, however, I am prompted for a password, though.
> The cron process is not part of the group that your key agent
> is running in.  (Assuming you have a key agent!)  The behavior
> you see is by design.  Having a key agent willing to give out
> private keys to any old process that happens to run on the
> same machine would be something beyond a security hole.  It
> would be more like a gaping security canyon.
> > I have seen several posts in this regard on the list. Some 
> > mentioned using keys with no passphrases -- the others I was not 
> > able to understand at all due to my incompetence.
> > 
> > Is there a way to use a key with no passphrase (only for the 
> > purpose of rsyncing my two file systems via cron) _along_ with my 
> > current set up (for the rest of ssh uses)?
> You could specify a ssh substitute, one which gives enough
> arguments to the real ssh to tell it where a
> non-passphrase-protected key can be found and used.  You could
> set setuid on it to allow it to read the key.  Of course, that
> ssh look-alike would constitute another security hole, since
> anyone could schedule a similar cron job, perhaps with different
> purposes than you would like to promote.
> > or do I have to give up the passphrase altogether? (isn't it a 
> > security issue, then?)
> It's probably a security issue either way ;-)  Seriously, you
> can set your private key file with permissions such that nobody
> but root and you can get at it.  The hole would be smaller that
> way, at least insofar as you trust root.  But the problem with
> other cron-launched processes could remain.  You would need to
> do some work (beyond my competence) to get your cron-launched
> process(es) to run with your authority, so that the key can
> be used without making it more generally available.
> Another approach would be to have your scheduled rsync transfers
> happen in the same process group as your key agent runs in.
> HTH.
> -Larry Brasfield
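
Added example, not part of the original thread or written by either poster: a cron wrapper that uses a dedicated passphrase-less key only for the rsync job, refuses to run unless the key file is private to its owner, and leaves the normal agent-backed setup untouched. The key path, remote host, directories, rrsync location and script path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: cron wrapper for an rsync-only, passphrase-less key.
# Assumed names (not from the thread): key path, remote host, remote dir.
KEY="${KEY:-$HOME/.ssh/rsync_cron_key}"     # hypothetical dedicated key
REMOTE="${REMOTE:-user@work.example.org}"   # placeholder host
REMOTE_DIR="${REMOTE_DIR:-backup/}"         # placeholder destination

# Succeeds only if the key is a regular file (not a symlink), owned by the
# invoking user, with no group/other permission bits (mode 0600 or 0400).
key_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Build rsync's -e argument: offer only this key, never agent or default
# identities, and fail instead of prompting (cron has no terminal).
# The key path must not contain spaces, since rsync splits -e on whitespace.
ssh_transport() {
    printf 'ssh -i %s -o IdentitiesOnly=yes -o BatchMode=yes' "$1"
}

sync_work() {
    key_is_private "$KEY" || { echo "refusing: $KEY is not private" >&2; return 1; }
    rsync -avz --delete -e "$(ssh_transport "$KEY")" "$HOME/work" "$REMOTE:$REMOTE_DIR"
}

# On the remote side, limit what this key may do in ~/.ssh/authorized_keys,
# for example (rrsync ships with rsync; its install path is an assumption):
#   command="/usr/local/bin/rrsync /home/user/backup",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding <public-key>
#
# crontab entry (the script path is a placeholder):
#   15 2 * * * /home/user/bin/rsync-cron.sh --run
if [ "${1:-}" = "--run" ]; then
    sync_work
fi
```

With the forced command in place, a copy of the passphrase-less key can only drive rsync inside the one directory, which narrows the exposure discussed in the reply above.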
