gpeangel Tux's lil' helper
Joined: 02 Jan 2003 Posts: 132 Location: Colorado, USA
Posted: Thu Jun 10, 2004 8:01 pm Post subject: SSH/rsync cmd works from the prompt, not from cron [SOLVED]
I have a command prompt / cron issue.
I have keychain set up and working properly. I can ssh to the target box and not be prompted for a password.
When run from the command prompt (as root):
Code:
```
( rsync -ave ssh [IP Address]:/home/common/ /archives/sysbackup/home/common/ ) 2>&1 | mail -s "Rsync Home Directory" me@mydomain.com
```
The result e-mail shows:
Quote:
```
receiving file list ... done
path/to/file1
path/to/file2
wrote 11288 bytes read 160243 bytes 12706.00 bytes/sec
total size is 516820252 speedup is 3012.98
```
Yet when run from cron (vixie-cron):
Code:
```
0 14 * * * ( rsync -ave ssh [IP Address]:/home/common/ /archives/sysbackup/home/common/ ) 2>&1 | mail -s "Rsync Home Directory" me@mydomain.com
```
The result e-mail shows:
Quote:
```
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password,keyboard-interactive).
rsync: connection unexpectedly closed (0 bytes read so far)
rsync error: error in rsync protocol data stream (code 12) at io.c(342)
```
The logs are not shedding any light. Permissions all appear to be correct. Is there someplace else I can look?
Many thanks,
Greg
Last edited by gpeangel on Fri Jun 11, 2004 2:17 pm; edited 1 time in total

nathandial n00b
Joined: 25 May 2004 Posts: 22 Location: Birmingham, AL USA
Posted: Thu Jun 10, 2004 8:47 pm
When you do it on the command line, does it ask you for your password on the other system? Or do you have keys set up to auto-authenticate you?
If it asks you for a password then the problem is, it can't ask cron for a password. If you've got keys set up then it's probably because cron isn't using the pre-setup keys or is running as a different user.
At least that's what I'd guess if it was happening to me.

gymer n00b
Joined: 10 Jun 2004 Posts: 28 Location: Denmark
Posted: Thu Jun 10, 2004 8:53 pm
You need to generate a key without a password for this to succeed. Or try making the rsync in a shell script and set cron to do the script. However, I think it's the key issue you have to look at
_________________
/gymer

screwloose Tux's lil' helper
Joined: 07 Feb 2004 Posts: 94 Location: Toon Town, Canada
Posted: Thu Jun 10, 2004 9:01 pm
Edit: I'm a dumbass
_________________
If something can go wrong it probably already has. You just don't know it yet. ~Henry's Modified version of Murphy's Law

gpeangel Tux's lil' helper
Joined: 02 Jan 2003 Posts: 132 Location: Colorado, USA
Posted: Thu Jun 10, 2004 9:08 pm
nathandial wrote:
> When you do it on the command line, does it ask you for your password on the other system? Or do you have keys set up to auto-authenticate you?
> If it asks you for a password then the problem is, it can't ask cron for a password. If you've got keys set up then it's probably because cron isn't using the pre-setup keys or is running as a different user.
> At least that's what I'd guess if it was happening to me.

I am not prompted for the password. When keychain is set up properly, the key is read from memory and authentication happens without any user input. I have this working. I can type
Quote:
```
# ssh username@targetservername
```
then go right to targetservername's command prompt.
I may be wrong, but if I set up crontab while logged on as root, for example, then cron runs that crontab file as root, yes?
Greg

gpeangel Tux's lil' helper
Joined: 02 Jan 2003 Posts: 132 Location: Colorado, USA
Posted: Thu Jun 10, 2004 9:13 pm
gymer wrote:
> You need to generate a key without a password for this to succeed. Or try making the rsync in a shell script and set cron to do the script. However, I think it's the key issue you have to look at

Actually, no. My id_rsa and id_dsa keys use a passphrase. I use keychain to manage these in memory. I have to enter the passphrases when I first log in as the user who owns those keys and from then on, they are available in memory. I shouldn't have to re-enter passphrases unless the box is rebooted or the keys otherwise cleared.
ref: http://www.gentoo.org/proj/en/keychain.xml

gpeangel Tux's lil' helper
Joined: 02 Jan 2003 Posts: 132 Location: Colorado, USA
Posted: Thu Jun 10, 2004 9:18 pm
I have some additional information. From the log:
Quote:
```
Jun 10 14:58:00 targetserver sshd[1498]: Connection from ::ffff:[IP Address] port 32863
Jun 10 14:58:00 targetserver sshd[1498]: debug1: Client protocol version 2.0; client software version OpenSSH_3.8p1
Jun 10 14:58:00 targetserver sshd[1498]: debug1: match: OpenSSH_3.8p1 pat OpenSSH*
Jun 10 14:58:00 targetserver sshd[1498]: debug1: Enabling compatibility mode for protocol 2.0
Jun 10 14:58:00 targetserver sshd[1498]: debug1: Local version string SSH-2.0-OpenSSH_3.8p1
Jun 10 14:58:01 targetserver sshd[1498]: debug1: PAM: initializing for "root"
Jun 10 14:58:01 targetserver sshd[1498]: debug1: PAM: setting PAM_RHOST to "[IP Address]"
Jun 10 14:58:01 targetserver sshd[1498]: debug1: PAM: setting PAM_TTY to "ssh"
Jun 10 14:58:01 targetserver sshd[1498]: Failed none for root from ::ffff:[IP Address] port 32863 ssh2
Jun 10 14:58:01 targetserver sshd[1498]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Jun 10 14:58:01 targetserver sshd[1498]: debug1: trying public key file /root/.ssh/authorized_keys
Jun 10 14:58:01 targetserver sshd[1498]: debug1: matching key found: file /root/.ssh/authorized_keys, line 2
Jun 10 14:58:01 targetserver sshd[1498]: Found matching RSA key: ---
Jun 10 14:58:01 targetserver sshd[1498]: debug1: restore_uid: 0/0
Jun 10 14:58:01 targetserver sshd[1498]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Jun 10 14:58:01 targetserver sshd[1498]: debug1: trying public key file /root/.ssh/authorized_keys
Jun 10 14:58:01 targetserver sshd[1498]: debug1: matching key found: file /root/.ssh/authorized_keys, line 1
Jun 10 14:58:01 targetserver sshd[1498]: Found matching DSA key: ---
Jun 10 14:58:01 targetserver sshd[1498]: debug1: restore_uid: 0/0
Jun 10 14:58:01 targetserver sshd(pam_unix)[1500]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[IP Address] user=root
Jun 10 14:58:03 targetserver sshd[1498]: error: PAM: Authentication failure
Jun 10 14:58:03 targetserver sshd[1498]: Failed keyboard-interactive/pam for root from ::ffff:[IP Address] port 32863 ssh2
Jun 10 14:58:04 targetserver sshd(pam_unix)[1501]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[IP Address] user=root
Jun 10 14:58:06 targetserver sshd[1498]: error: PAM: Authentication failure
Jun 10 14:58:06 targetserver sshd[1498]: Failed keyboard-interactive/pam for root from ::ffff:[IP Address] port 32863 ssh2
Jun 10 14:58:06 targetserver sshd(pam_unix)[1502]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[IP Address] user=root
Jun 10 14:58:08 targetserver sshd[1498]: error: PAM: Authentication failure
Jun 10 14:58:08 targetserver sshd[1498]: Failed keyboard-interactive/pam for root from ::ffff:[IP Address] port 32863 ssh2
Jun 10 14:58:09 targetserver sshd[1498]: Failed password for root from ::ffff:[IP Address] port 32863 ssh2
Jun 10 14:58:09 targetserver sshd[1498]: Failed password for root from ::ffff:[IP Address] port 32863 ssh2
Jun 10 14:58:09 targetserver sshd[1498]: Failed password for root from ::ffff:[IP Address] port 32863 ssh2
Jun 10 14:58:09 targetserver sshd[1498]: debug1: do_cleanup
Jun 10 14:58:09 targetserver sshd[1498]: debug1: PAM: cleanup
```
There appears to be some type of issue with PAM authentication on the target server.
Greg

gymer n00b
Joined: 10 Jun 2004 Posts: 28 Location: Denmark
Posted: Thu Jun 10, 2004 9:21 pm
The passphrases have been saved for your "session", but when the cron job starts it's "a new session" without your passphrases. That's why the rsync call fails.
To use rsync via ssh in a cronjob I'm pretty sure you have to have keypairs without a password.

gpeangel Tux's lil' helper
Joined: 02 Jan 2003 Posts: 132 Location: Colorado, USA
Posted: Thu Jun 10, 2004 9:33 pm
gymer wrote:
> The passphrases have been saved for your "session", but when the cron job starts it's "a new session" without your passphrases. That's why the rsync call fails.
> To use rsync via ssh in a cronjob I'm pretty sure you have to have keypairs without a password.

I still don't think this is correct. I can fire up a second session, give my logon password and see:
Quote:
```
Last login: Thu Jun 10 10:26:21 2004 from [IP Address]
KeyChain 2.3.0; http://www.gentoo.org/projects/keychain
Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL
* Found running ssh-agent (29679)
* Key: /root/.ssh/id_rsa
* Key: /root/.ssh/id_dsa
server1 username #
```
Then enter:
Quote:
```
server1 username # ssh [targetserver]
```
and, without being prompted for a password of any kind, go directly to:
Quote:
```
Last login: Thu Jun 10 14:51:42 2004 from [server1]
KeyChain 2.3.0; http://www.gentoo.org/projects/keychain
Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL
* Found running ssh-agent (465)
* Key: /root/.ssh/id_rsa
* Key: /root/.ssh/id_dsa
targetserver username #
```
I'm thinking the problem is somewhere else. ps aux shows cron running as root:
Quote:
```
root 5339 0.0 0.0 1516 644 ? S 14:15 0:00 /usr/sbin/cron
```
As posted previously, the problem appears to be with the target server:
Quote:
```
Jun 10 14:58:01 targetserver sshd(pam_unix)[1500]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[IP Address] user=root
Jun 10 14:58:03 targetserver sshd[1498]: error: PAM: Authentication failure
Jun 10 14:58:03 targetserver sshd[1498]: Failed keyboard-interactive/pam for root from ::ffff:[IP Address] port 32863 ssh2
Jun 10 14:58:04 targetserver sshd(pam_unix)[1501]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[IP Address] user=root
Jun 10 14:58:06 targetserver sshd[1498]: error: PAM: Authentication failure
Jun 10 14:58:06 targetserver sshd[1498]: Failed keyboard-interactive/pam for root from ::ffff:[IP Address] port 32863 ssh2
Jun 10 14:58:06 targetserver sshd(pam_unix)[1502]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=[IP Address] user=root
Jun 10 14:58:08 targetserver sshd[1498]: error: PAM: Authentication failure
Jun 10 14:58:08 targetserver sshd[1498]: Failed keyboard-interactive/pam for root from ::ffff:[IP Address] port 32863 ssh2
Jun 10 14:58:09 targetserver sshd[1498]: Failed password for root from ::ffff:[IP Address] port 32863 ssh2
Jun 10 14:58:09 targetserver sshd[1498]: Failed password for root from ::ffff:[IP Address] port 32863 ssh2
Jun 10 14:58:09 targetserver sshd[1498]: Failed password for root from ::ffff:[IP Address] port 32863 ssh2
```
Greg
Last edited by gpeangel on Thu Jun 10, 2004 9:48 pm; edited 1 time in total

gymer n00b
Joined: 10 Jun 2004 Posts: 28 Location: Denmark
Posted: Thu Jun 10, 2004 9:46 pm
Quote:
> Above, drobbins logs in to dev.gentoo.org, and keychain (called from ~/.bash_profile) starts up

From http://www.gentoo.org/proj/en/keychain.xml
The problem is that the cronjob doesn't call the keychain program.
Try making a shell program:
Code:
```
#!/bin/sh
keychain
(rsync -ave ssh [IPAddress]:/home/common/ /archives/sysbackup/home/common/ )2>&1
```
Then change your cronjob to
Code:
```
0 14 * * * bash /path/to/shellscript | mail -s "Rsync Home Directory" me@mydomain.com
```
Something like that should work

gymer n00b
Joined: 10 Jun 2004 Posts: 28 Location: Denmark
Posted: Thu Jun 10, 2004 9:48 pm
I assume you add the cron job to your user.
By running
Code:
```
crontab -u username -e
```
as root or
running as your local user

gpeangel Tux's lil' helper
Joined: 02 Jan 2003 Posts: 132 Location: Colorado, USA
Posted: Thu Jun 10, 2004 9:56 pm
gymer wrote:
> Quote:
> > Above, drobbins logs in to dev.gentoo.org, and keychain (called from ~/.bash_profile) starts up
>
> From http://www.gentoo.org/proj/en/keychain.xml
> The problem is that the cronjob doesn't call the keychain program.
> Try making a shell program:
> Code:
> ```
> #!/bin/sh
> keychain
> (rsync -ave ssh [IPAddress]:/home/common/ /archives/sysbackup/home/common/ )2>&1
> ```
> Then change your cronjob to
> Code:
> ```
> 0 14 * * * bash /path/to/shellscript | mail -s "Rsync Home Directory" me@mydomain.com
> ```
> Something like that should work

Unfortunately, this didn't work. I believe cron is using the keys, at least the target server is recognizing them:
Quote:
```
Jun 10 14:58:01 targetserver sshd[1498]: debug1: trying public key file /root/.ssh/authorized_keys
Jun 10 14:58:01 targetserver sshd[1498]: debug1: matching key found: file /root/.ssh/authorized_keys, line 2
Jun 10 14:58:01 targetserver sshd[1498]: Found matching RSA key: ---
Jun 10 14:58:01 targetserver sshd[1498]: debug1: restore_uid: 0/0
Jun 10 14:58:01 targetserver sshd[1498]: debug1: temporarily_use_uid: 0/0 (e=0/0)
Jun 10 14:58:01 targetserver sshd[1498]: debug1: trying public key file /root/.ssh/authorized_keys
Jun 10 14:58:01 targetserver sshd[1498]: debug1: matching key found: file /root/.ssh/authorized_keys, line 1
Jun 10 14:58:01 targetserver sshd[1498]: Found matching DSA key: ---
```
Greg

davidblewett Apprentice
Joined: 15 Feb 2004 Posts: 274 Location: Indiana
Posted: Thu Jun 10, 2004 11:12 pm
According to Daniel Robbins, the author of keychain, the script that cron calls must source the ssh-agent file or it will not know the socket to find the key on. This line should be added to the file:
source ~/.ssh-agent
ref: http://www-106.ibm.com/developerworks/library/l-keyc2/
The 3 pages that series consists of are the best intro to using pubkey with SSH I've found on the web. Go Dan!
_________________
No guilt in life, no fear in death
this is the power of Christ in me
From lifes first cry to final breath
Jesus commands my destiny
-- Newsboys, "In Christ Alone", "Adoration: The Worship Album"

gpeangel Tux's lil' helper
Joined: 02 Jan 2003 Posts: 132 Location: Colorado, USA
Posted: Fri Jun 11, 2004 1:55 am
davidblewett wrote:
> According to Daniel Robbins, the author of keychain, the script that cron calls must source the ssh-agent file or it will not know the socket to find the key on. This line should be added to the file:
> source ~/.ssh-agent
> ref: http://www-106.ibm.com/developerworks/library/l-keyc2/

Gad. I read this series of articles, just not close enough. My setup is a little different and I didn't make the proper translations. What I had to do is add the following to the beginning of the script:
Code:
```
source ~/.keychain/carbon-sh
```
Now it appears to be working. The next few days will tell for sure.
Many thanks to all who pitched in...
Greg
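
The fix described above, written out as a cron wrapper that loads keychain's agent file and refuses to start rsync when the agent is unusable; this is an added example, not code from the thread or from keychain. The `KEYCHAIN_ENV` variable, the function names and the `~/.keychain/<hostname>-sh` default path are assumptions (the post uses `~/.keychain/carbon-sh`).

```shell
#!/bin/sh
# Added example (not from the thread): cron wrapper for rsync over ssh with keychain.
# Assumed names: KEYCHAIN_ENV, load_agent_env, agent_has_keys, run_backup.

# Load the agent variables keychain saved at login. cron starts jobs with a
# minimal environment, so SSH_AUTH_SOCK is not set unless the job loads it.
# Returns 1 = file missing, 2 = file set no socket, 3 = socket path is stale.
load_agent_env() {
    env_file=$1
    unset SSH_AUTH_SOCK SSH_AGENT_PID   # ignore anything inherited
    [ -r "$env_file" ] || { echo "no agent env file: $env_file" >&2; return 1; }
    . "$env_file"
    [ -n "${SSH_AUTH_SOCK:-}" ] || { echo "SSH_AUTH_SOCK not set by $env_file" >&2; return 2; }
    [ -S "$SSH_AUTH_SOCK" ] || { echo "stale agent socket: $SSH_AUTH_SOCK" >&2; return 3; }
    return 0
}

# ssh-add -l exits 0 with keys loaded, 1 with none, 2 if the agent is unreachable.
agent_has_keys() {
    ssh-add -l >/dev/null 2>&1
}

# BatchMode=yes makes ssh fail at once when the key cannot be used, instead of
# falling through to keyboard-interactive/password prompts nobody can answer.
run_backup() {
    src=$1
    dst=$2
    load_agent_env "${KEYCHAIN_ENV:-$HOME/.keychain/$(uname -n)-sh}" || return $?
    agent_has_keys || { echo "agent has no usable keys (rebooted? run keychain)" >&2; return 4; }
    rsync -av -e 'ssh -o BatchMode=yes' "$src" "$dst"
}

# Runs only when called with two arguments, e.g. from crontab:
# 0 14 * * * /path/to/backup.sh [IP Address]:/home/common/ /archives/sysbackup/home/common/ 2>&1 | mail -s "Rsync Home Directory" me@mydomain.com
if [ "$#" -eq 2 ]; then
    run_backup "$1" "$2"
fi
```

This is consistent with the sshd log in the thread: the server finds the offered public keys in authorized_keys, but a client with no agent cannot unlock the passphrase-protected private key to sign, so it falls through to the prompt-based methods.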

davidblewett Apprentice
Joined: 15 Feb 2004 Posts: 274 Location: Indiana
Posted: Fri Jun 11, 2004 12:30 pm
If it does end up working, please mark the topic subject solved so that people know to look here for a fix.

gpeangel Tux's lil' helper
Joined: 02 Jan 2003 Posts: 132 Location: Colorado, USA
Posted: Fri Jun 11, 2004 2:16 pm
davidblewett wrote:
> If it does end up working, please mark the topic subject solved so that people know to look here for a fix.

Yes, thanks for the reminder. I usually try to do this, but in some cases need to see the result run for a few days to be confident it's a fix related to the thread.
The cron job ran successfully overnight, so I'll call this solved unless problems show up over the next few days.
Thanks again to all who posted.
Greg