Rsync via SSH running as a cron job - permissions failure problem

Hi,

I have a script that goes something like:

#!/bin/sh
today=`date +%Y-%m-%d_%H:%M`
echo "================ BEGIN FILE BACKUP AT "$today" ==================="
rsync -vauze 'ssh -p 522' root@myserver.co.uk:/backup/*.gz /Volumes/Work/vpsbackups

I am trying to run this through a crontab :

* * * * sh /Users/mine/scripts/vpshomedir > /Users/mine/scripts/vpshomedir.log 2>&1

But I am getting the following in the logfile

Permission denied (publickey,gssapi-with-mic,password).

rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
rsync error: unexplained error (code 255) at /SourceCache/rsync/rsync-35.2/rsync/io.c(452) [receiver=2.6.9]

I expect this is due to environment variables, maybe SSH_AUTH_SOCK, not being available when run through cron - as the script works fine when I run it from a terminal session...

Can anyone help me out here, as I haven't a clue where to add the necessary arguments to the crontab entry or script - only been scripting unix/linux for 6hrs, so please be noob friendly.

Thanks.

iMac Nov 2007, Mac OS X (10.5.1), It's spelt - Aluminium

Posted on Dec 24, 2008 10:08 AM


Dec 24, 2008 4:45 PM in response to BobHarris

In addition to what Bob wrote, you may want to limit what those keys can be used for on the host that you are rsyncing to. To do this, see the "AUTHORIZED_KEYS FILE FORMAT" section of the sshd(1) file. Specifically, see the following part:


command="command"
Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. If an 8-bit clean channel is required, one must not request a pty or should specify no-pty. A quote may be included in the command by quoting it with a backslash. This option might be useful to restrict certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Note that this option applies to shell, command or subsystem execution.
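
Added example (not part of the reply above or of the sshd documentation): one way to use the command= option for a pull-only backup key like the one in this thread, with forwarding and pty explicitly prohibited as the quoted text advises. The wrapper path /usr/local/bin/backup-pull-only, the key placeholder and the accepted rsync argument shape are assumptions; the exact server-side flag string depends on the rsync version.

```shell
#!/bin/sh
# Added example, not from the thread: forced-command wrapper for a backup-only key.
# Assumed (hypothetical) install path: /usr/local/bin/backup-pull-only, named in the
# server's ~/.ssh/authorized_keys on ONE line (key material is a placeholder):
#   command="/usr/local/bin/backup-pull-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER backup-key

# Return 0 only if $1 is an rsync "server sender" request that reads from /backup/.
allow_backup_pull() {
    # Whitelist characters: anything else (; | & $ quotes, tabs, newlines) is refused.
    case $1 in
        *[!A-Za-z0-9\ ./_*-]*) return 1 ;;
    esac
    set -f                  # split into words without expanding globs yet
    set -- $1
    set +f
    [ "$#" -ge 6 ] || return 1
    [ "$1 $2 $3" = "rsync --server --sender" ] || return 1
    case $4 in              # exactly one bundle of short options, no long options
        -*[!A-Za-z.]*) return 1 ;;
        -?*) ;;
        *) return 1 ;;
    esac
    [ "$5" = "." ] || return 1
    shift 5
    for path in "$@"; do    # every requested source must stay under /backup/
        case $path in
            */../*|*/..) return 1 ;;
            /backup/?*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_backup_pull "$SSH_ORIGINAL_COMMAND"; then
        # Unquoted on purpose: word-split, and let /backup/*.gz expand here.
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "backup key: command refused" >&2
    exit 1
fi
```

To see what your own rsync client sends, log SSH_ORIGINAL_COMMAND from the wrapper once before enforcing the check.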

Dec 25, 2008 5:33 PM in response to stevesant

You may be able to make this script work by adding the following line, before the rsync command:

export SSH_AUTH_SOCK=$( find /tmp/launch-*/Listeners -user foo -type s | head -1 )

The conditions are:

(1) You're running Leopard.
(2) There is always a user named 'foo' logged in who has SSH access to the target server.
(3) Your script runs either as 'foo' or as root.

Dec 26, 2008 1:07 AM in response to Linc Davis

Thanks, that's done the trick!

For info, my key did have a passphrase, but the first time I manually opened a connection, and had to enter the passphrase, it was stored into my keychain... I'm assuming that as the cron job is running through my user account that it gets passed whatever credentials it needs to access the private SSH key.

Have a great Yule 🙂

Dec 29, 2008 12:46 AM in response to noah hoffman1

I spoke too soon... it worked running from cron as long as I was logged in, but it fails if it runs while I'm logged out... I'll look at the webmonkey article... but failing that I think there must be a way of doing this, but maybe falling back to the base Darwin methods, without relying on any higher OS frameworks. Not something I'm going to be much good at!

Feb 2, 2009 1:34 PM in response to stevesant

Here are detailed instructions on how to set up public/private key pairs so that rsync can log in automatically without authentication.

http://www.bombich.com/mactips/rsync.html

Note you will have to run this procedure from the account that you want to authenticate, probably root, if you are running the script from the root account. Otherwise if you set up credentials for a XXY account on each machine, you should launch the script with a LaunchAgent plist in the Users/XXY/Library/LaunchAgents folder.

Hope that helps. rsync is a great tool, but it is really difficult to set up properly. This is the one time I wish I had a Windows utility: robocopy. It does the same thing, but it is way easier to tell it what you want to do, and to set up authentication. If rsync simply accepted authentication credentials on the command line, that would fix this problem...

-phillip
