rsync + ssh: fails from cron

Itay Furman itayf at fhcrc.org
Thu Mar 11 18:48:31 GMT 2004


Thank you for your reply -- it is very helpful and makes things 
clearer to me. I will try the other approach that you have 
suggested, i.e., making the cron jobs part of the same process 
group.

	Thanks again,
	Itay


On Thu, 11 Mar 2004, Larry Brasfield wrote:

> Itay Furman wrote:
> 
> > Hi,
> Greetings.
> 
> > My ssh set up, on both 'work' and 'home' machines uses the 
> > private-public key authentication (key uses non-empty 
> > passphrase). So from the 'home' shell prompt the following 
> > works without prompting to password or passphrase:
> > 
> > rsync -avz --delete -e ssh remote.work.machine:publicats $HOME/work
> 
> That most likely works without prompting because somebody
> has caused a key agent to be running on your behalf when
> you log in.  The key agent provides key values sort of
> under the table, without any action on your part.
> 
> > From cron, however, I am prompted for a password, though.
> 
> The cron process is not part of the group that your key agent
> is running in.  (Assuming you have a key agent!)  The behavior
> you see is by design.  Having a key agent willing to give out
> private keys to any old process that happens to run on the
> same machine would be something beyond a security hole.  It
> would be more like a gaping security canyon.
> 
> > I have seen several posts in this regard on the list. Some 
> > mentioned using keys with no passphrases -- the others I was not 
> > able to understand at all due to my incompetence.
> > 
> > Is there a way to use a key with no passphrase (only for the 
> > purpose of rsyncing my two file systems via cron) _along_ with my 
> > current set up (for the rest of ssh uses)?
> 
> You could specify a ssh substitute, one which gives enough
> arguments to the real ssh to tell it where a non-passphrase-protected
> key can be found and used.  You could set setuid on
> it to allow it to read the key.  Of course, that ssh look-alike
> would constitute another security hole, since anyone
> could schedule a similar cron job, perhaps with different
> purposes than you would like to promote.
> 
> > or do I have to give up the passphrase altogether? (isn't it a 
> > security issue, then?)
> 
> It's probably a security issue either way ;-)  Seriously, you
> can set your private key file with permissions such that nobody
> but root and you can get at it.  The hole would be smaller that
> way, at least insofar as you trust root.  But the problem with
> other cron-launched processes could remain.  You would need to
> do some work (beyond my competence) to get your cron-launched
> process(es) to run with your authority, so that the key can
> be used without making it more generally available.
> 
> Another approach would be to have your scheduled rsync transfers
> happen in the same process group as your key agent runs in.
> 
> HTH.
> 
> -Larry Brasfield
> 

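The following is an added example, not part of the thread and not written by either poster. It implements the "dedicated key, locked down by file permissions" route discussed above in a form that can be dropped into a crontab: the wrapper refuses to run unless the job's own passphrase-less key is a regular file owned by the invoking user with no group/other permission bits, and it passes `IdentitiesOnly=yes` and `BatchMode=yes` to ssh so that the job uses only that key and fails with an error instead of hanging on a password prompt. (For the agent route Larry mentions: ssh locates the agent through the `SSH_AUTH_SOCK` environment variable, which a cron job does not inherit, so the script below deliberately does not depend on an agent.) The key path, remote source and local destination are assumed placeholder values.

```shell
#!/bin/sh
# Added example (not from the thread): cron wrapper that runs rsync over ssh
# with a dedicated, passphrase-less key reserved for this job only.
# All paths below are assumed placeholders; adjust to your environment.
CRON_KEY="${CRON_KEY:-$HOME/.ssh/rsync_cron_key}"
REMOTE_SRC="${REMOTE_SRC:-remote.work.machine:publicats}"
LOCAL_DST="${LOCAL_DST:-$HOME/work}"

# Return 0 only if the key is a regular file, owned by the user running this
# script, and has mode 0600 or 0400 (no group/other bits at all).
# ls -l is used because stat(1) flags differ between GNU and BSD.
check_key_perms() {
    key="$1"
    [ -f "$key" ] || return 1
    line=$(ls -l "$key") || return 1
    perms=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || return 1
    case "$perms" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# The ssh command handed to rsync's -e option.
#   -i <key>               use the dedicated key
#   -o IdentitiesOnly=yes  do not also offer agent keys or ~/.ssh/id_*
#   -o BatchMode=yes       never prompt; fail instead, so cron logs the error
ssh_opts() {
    printf 'ssh -i %s -o IdentitiesOnly=yes -o BatchMode=yes' "$1"
}

main() {
    if ! check_key_perms "$CRON_KEY"; then
        echo "refusing to run: $CRON_KEY is missing, not owned by $(id -un), or readable by others" >&2
        return 2
    fi
    rsync -avz --delete -e "$(ssh_opts "$CRON_KEY")" "$REMOTE_SRC" "$LOCAL_DST"
}

# Only perform the transfer when invoked with the "run" argument, e.g. from a
# crontab line such as (assumed path):
#   0 * * * * /home/me/bin/rsync_cron.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

On the remote side, the same key can be further restricted in `authorized_keys` with a `command=` entry so that it is only usable for this transfer; that is independent of the wrapper above.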

