8 Replies Latest reply: Feb 2, 2009 1:34 PM by sdallas
stevesant Level 1 (10 points)

I have a script that goes something like:

today=`date +%Y-%m-%d_%H:%M`
echo "================ BEGIN FILE BACKUP AT "$today" ==================="
rsync -vauze 'ssh -p 522' root@myserver.co.uk:/backup/*.gz /Volumes/Work/vpsbackups

I am trying to run this through a crontab:

* * * * sh /Users/mine/scripts/vpshomedir > /Users/mine/scripts/vpshomedir.log 2>&1

But I am getting the following in the logfile

Permission denied (publickey,gssapi-with-mic,password).

rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
rsync error: unexplained error (code 255) at /SourceCache/rsync/rsync-35.2/rsync/io.c(452) [receiver=2.6.9]

I expect this is due to environment variables, maybe SSH_AUTH_SOCK, not being available when run through cron - as the script works fine when I run it from a terminal session...

Can anyone help me out here, as I haven't a clue where to add the necessary arguments to the crontab entry or script - only been scripting unix/linux for 6hrs, so please be noob friendly.


iMac Nov 2007, Mac OS X (10.5.1), It's spelt - Aluminium
  • BobHarris Level 6 (16,340 points)
    I think you need to create ssh keys that do not use a pass phrase if you want to use rsync via cron.

    Although there is a recent post about maybe starting ssh-agent in your cron job, but I don't know how you are going to get your key pass phrase loaded into ssh-agent.

    Maybe a search for ssh-agent will turn something up.
  • Nils C. Anderson Level 4 (3,495 points)
    In addition to what Bob wrote, you may want to limit what those keys can be used for on the host that you are rsyncing to. To do this see the "AUTHORIZED_KEYS FILE FORMAT" section of the sshd(1) file. Specifically see the following part:

    Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. If an 8-bit clean channel is required, one must not request a pty or should specify no-pty. A quote may be included in the command by quoting it with a backslash. This option might be useful to restrict certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Note that this option applies to shell, command or subsystem execution.
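
One way to apply the restriction quoted above to the backup key, as an added example that is not part of the original thread. The wrapper path, the key comment and the exact shape of the server-side rsync command are assumptions; only /backup comes from the script in the question.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a backup-only key (not from the thread).
# Hypothetical install path on the server: /usr/local/bin/rsync-backup-only
# Matching authorized_keys entry (key material is a placeholder), on one line:
#   command="/usr/local/bin/rsync-backup-only",no-pty,no-port-forwarding,
#   no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBLIC-KEY> backup-cron

# Return 0 only for "rsync --server --sender -FLAGS . /backup/PATH".
# Assumed shape: what an rsync client sends when pulling one source path.
allowed_rsync_command() {
    set -f              # no glob expansion while splitting into words
    set -- $1
    set +f
    [ $# -eq 6 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    case $4 in
        -*[!A-Za-z.]*) return 1 ;;   # long options such as --remove-source-files
        -?*) ;;                      # one cluster of short options
        *) return 1 ;;
    esac
    [ "$5" = . ] || return 1
    case $6 in
        *..*|*[!A-Za-z0-9._/*-]*) return 1 ;;  # traversal or shell metacharacters
        /backup/?*) return 0 ;;
    esac
    return 1
}

# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allowed_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        # Unquoted on purpose: split into words and expand /backup/*.gz.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

With this in place the key can pull files from /backup but cannot open a shell, push files, or forward ports, which limits the damage if a passphrase-less private key is copied off the client.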
  • Linc Davis Level 10 (177,405 points)
    You may be able to make this script work by adding the following line, before the rsync command:

    export SSH_AUTH_SOCK=$( find /tmp/launch-*/Listeners -user foo -type s | head -1 )

    The conditions are:

    (1) You're running Leopard.
    (2) There is always a user named 'foo' logged in who has SSH access to the target server.
    (3) Your script runs either as 'foo' or as root.
  • stevesant Level 1 (10 points)
    Thanks, that's done the trick!

    For info, my key did have a passphrase, but the first time I manually opened a connection, and had to enter the passphrase, it was stored into my keychain... I'm assuming that as the cron job is running through my user account that it gets passed whatever credentials it needs to access the private SSH key.

    Have a great Yule
  • noah hoffman1 Level 2 (245 points)
    Looks like you've resolved this issue, but it's one that I've run into recently as well. If you want to learn more about automated ssh sessions, I found the following resource to be helpful:

  • stevesant Level 1 (10 points)
    I spoke too soon... it worked running from cron as long as I was logged in, but it fails if it runs while I'm logged out... I'll look at the webmonkey article... but failing that I think there must be a way of doing this, but maybe falling back to the base Darwin methods, without relying on any higher OS frameworks. Not something I'm going to be much good at!
  • Linc Davis Level 10 (177,405 points)
    Yes, as I wrote above, it only works if the user with the ssh-agent is logged in. Without that there is no way I know of to automate the use of a password-protected key. Just leave the user logged in.
  • sdallas Level 1 (0 points)
    Here are detailed instructions on how to set up public/private key pairs so that rsync can login automatically without authentication.


    Note you will have to run this procedure from the account that you want to authenticate, probably root, if you are running the script from the root account. Otherwise if you set up credentials for a XXY account on each machine, you should launch the script with a LaunchAgent plist in the Users/XXY/Library/LaunchAgents folder.

    Hope that helps. rsync is a great tool, but it is really difficult to set up properly. This is the one time I wish I had a Windows utility: robocopy. It does the same thing, but it is way easier to tell it what you want to do, and to set up authentication. If rsync simply accepted authentication credentials on the command line, that would fix this problem...