Using rsync from cron with ssh keys that have a passphrase

It took me some time to figure this one out, as everybody is using rsync and ssh-keys without passphrases, but I insist that an ssh-key should have a passphrase.

In my first attempts I got this error message mailed to me by crontab:

Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

Here are the steps to automate a backup initiated from crontab using rsync, SSH and ssh-keys with a passphrase:

  1. Make a set of SSH keys.
  2. Set up SSH to use the agent automatically.
  3. Log in once as the user whose cron will run the backup script. You will be asked for a passphrase. When the machine reboots, you will need to log in once more, to enter the passphrase again.
  4. Make a backup script that includes some SSH variables.
    This script could be as simple as this:
    . /home/username/.ssh/variables
    rsync -avz --delete /data/ example.com:data

    N.B. This variables file only contains these lines:
    SSH_AUTH_SOCK=/tmp/ssh-DmFcb18036/agent.18036; export SSH_AUTH_SOCK;
    SSH_AGENT_PID=18037; export SSH_AGENT_PID;
    echo Agent pid 18037;
  5. Put that script in crontab.

That should do it for you, as it works like a charm for me!
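
The steps above as one cron-ready script, added here as an example (it is not the author's script): it refuses to source a variables file that other users can write to, detects the stale agent socket left behind by a reboot, and runs rsync with ssh in BatchMode so a missing key produces an error instead of a hanging prompt. The `--run` switch, the function names and the return codes are assumptions; the paths and host are the ones used in the post.

```shell
#!/bin/sh
# Added example, not the author's script. Paths and host come from the post;
# the --run switch, function names and return codes are assumptions.
VARS=${VARS:-/home/username/.ssh/variables}

# load_agent_env FILE: source the agent variables only if the file is safe.
# Returns 1 = missing or not owned by us, 2 = writable by group/others,
#         3 = recorded agent socket no longer exists (e.g. after a reboot).
load_agent_env() {
    [ -f "$1" ] && [ -O "$1" ] || return 1
    # The file is executed as shell code, so nobody else may be able to edit it.
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ] || return 2
    # The file ends with an "echo Agent pid ..." line; keep it out of cron mail.
    . "$1" >/dev/null
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 3
    return 0
}

# agent_has_key: ssh-add -l exits 0 with keys loaded, 1 with none,
# and 2 when the agent cannot be contacted.
agent_has_key() {
    ssh-add -l >/dev/null 2>&1
}

run_backup() {
    load_agent_env "$VARS" || {
        echo "agent environment unusable (code $?)" >&2; return 1; }
    agent_has_key || {
        echo "agent holds no key; log in and run ssh-add" >&2; return 1; }
    # BatchMode makes ssh fail at once instead of waiting for a passphrase.
    rsync -avz --delete -e "ssh -o BatchMode=yes" /data/ example.com:data
}

# Only act when asked to, e.g. from crontab: /path/to/backup.sh --run
if [ "${1:-}" = "--run" ]; then
    run_backup
fi
```

Because cron mails anything written to stderr, a reboot that clears the agent shows up as a one-line message rather than a "Permission denied" from ssh.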

Comments

If you're doing this on your workstation, then you will need to change the variables at every logon, so this may work better:

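# Find the oldest process whose command line matches "bash"
PID=$(pgrep -fo bash)
# Copy its SSH_* variables (SSH_AUTH_SOCK, SSH_AGENT_PID) into this shell
for i in $(strings /proc/$PID/environ); do
        (echo "$i" | grep SSH) && export "$i"
done

Essentially, it's grabbing the environment variables from another bash process.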

It's a very good solution. I am only wondering about the PID, if I should re-edit the file to update it. Isn't it an ID that should change over reboots?

That is correct; if a machine reboots, that process (ssh-agent) is gone, so you'd have to add the key again after a reboot.

Most people take an easy approach; just don't give a passphrase to the key. But it's a little less secure.

Thanks for your feedback!
