rsync + ssh: fails from cron
itayf at fhcrc.org
Thu Mar 11 18:48:31 GMT 2004
Thank you for your reply -- it is very helpful and makes things
clearer to me. I will try the other approach that you have
suggested, i.e., making the cron jobs part of the same process
On Thu, 11 Mar 2004, Larry Brasfield wrote:
> Itay Furman wrote:
> > Hi,
> > My ssh set up, on both 'work' and 'home' machines uses the
> > private-public key authentication (key uses non-empty
> > passphrase). So from the 'home' shell prompt the following
> > works without prompting for a password or passphrase:
> > rsync -avz --delete -e ssh remote.work.machine:publicats $HOME/work
> That most likely works without prompting because somebody
> has caused a key agent to be running on your behalf when
> you log in. The key agent provides key values sort of
> under the table, without any action on your part.
> > From cron, however, I am prompted for a password, though.
> The cron process is not part of the group that your key agent
> is running in. (Assuming you have a key agent!) The behavior
> you see is by design. Having a key agent willing to give out
> private keys to any old process that happens to run on the
> same machine would be something beyond a security hole. It
> would be more like a gaping security canyon.
> > I have seen several posts in this regard on the list. Some
> > mentioned using keys with no passphrases -- the others I was not
> > able to understand at all due to my incompetence.
> > Is there a way to use a key with no passphrase (only for the
> > purpose of rsyncing my two file systems via cron) _along_ with my
> > current set up (for the rest of ssh uses)?
> You could specify a ssh substitute, one which gives enough
> arguments to the real ssh to tell it where a non-passphrase-
> protected key can be found and used. You could set setuid on
> it to allow it to read the key. Of course, that ssh look-
> alike would constitute another security hole, since anyone
> could schedule a similar cron job, perhaps with different
> purposes than you would like to promote.
> > or do I have to give up the passphrase altogether? (isn't it a
> > security issue, then?)
> It's probably a security issue either way ;-) Seriously, you
> can set your private key file with permissions such that nobody
> but root and you can get at it. The hole would be smaller that
> way, at least insofar as you trust root. But the problem with
> other cron-launched processes could remain. You would need to
> do some work (beyond my competence) to get your cron-launched
> process(es) to run with your authority, so that the key can
> be used without making it more generally available.
> Another approach would be to have your scheduled rsync transfers
> happen in the same process group as your key agent runs in.
> -Larry Brasfield
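
Added example, not part of the original thread: a cron wrapper for the rsync job above that uses a dedicated passphrase-less key alongside the normal agent-backed setup and refuses to run unless the key file is readable by its owner only. The key path and function names are assumptions; the rsync source and destination are the ones from the original post.

```shell
#!/bin/sh
# Added example: cron wrapper for the rsync job discussed in this thread.
# KEY is a hypothetical path to a dedicated key with no passphrase, kept
# separate from the passphrase-protected key used for interactive ssh.
# The path must not contain whitespace (rsync splits the -e string on it).
KEY="${KEY:-$HOME/.ssh/cron_rsync_key}"

# Succeeds only if the argument is a regular file whose mode grants
# nothing to group or other (0600 or 0400). Symlinks are rejected.
key_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the remote-shell command handed to rsync -e.
#   -i              use the dedicated key file
#   IdentitiesOnly  do not offer agent keys or default identities
#   BatchMode       fail instead of prompting (cron has no terminal)
ssh_command() {
    printf 'ssh -i %s -o IdentitiesOnly=yes -o BatchMode=yes' "$1"
}

# Checks the key, then runs the same transfer as the interactive command.
sync_from_work() {
    if ! key_is_private "$KEY"; then
        echo "refusing to run: $KEY missing or accessible to group/other" >&2
        return 1
    fi
    rsync -avz --delete -e "$(ssh_command "$KEY")" \
        remote.work.machine:publicats "$HOME/work"
}

# Transfer only when asked to, e.g. from a crontab entry such as:
#   0 2 * * * /path/to/this-script --run
if [ "${1:-}" = "--run" ]; then
    sync_from_work
fi
```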