[SOLVED] Backup with rsnapshot and ssh has passphraseless public key authentication failure
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Backup with rsnapshot and ssh has passphraseless public key authentication failure
I am trying to setup rsnapshot to take backups of a remote server using public key authentication without passphrase and as root user. I think the public key authentication fails as I am asked for the root user password when I run "rsnapshot hourly" .
Here is the console output,
Code:
require Lchown
Lchown module loaded successfully
Setting locale to POSIX "C"
echo 16391 > /var/run/rsnapshot.pid
mv /.snapshots/hourly.5/ /.snapshots/_delete.16391/
mv /.snapshots/hourly.4/ /.snapshots/hourly.5/
mv /.snapshots/hourly.3/ /.snapshots/hourly.4/
mv /.snapshots/hourly.2/ /.snapshots/hourly.3/
mv /.snapshots/hourly.1/ /.snapshots/hourly.2/
mv /.snapshots/hourly.0/ /.snapshots/hourly.1/
mkdir -m 0755 -p /.snapshots/hourly.0/ZW-JOSH/
/usr/bin/rsync -avvv --delete --rsh="/usr/bin/ssh -vvv" \
root@zw-josh.local.josh.com:/etc/ /.snapshots/hourly.0/ZW-JOSH/etc/
opening connection using: /usr/bin/ssh -vvv -l root zw-josh.local.josh.com rsync --server --sender -vvvlogDtpre.is . /etc/
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to zw-josh.local.josh.com [10.71.68.112] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 135/256
debug2: bits set: 493/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'zw-josh.local.josh.com' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug2: bits set: 501/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address 10.71.68.112.
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@zw-josh.local.josh.com's password:
On the remote host I have configured the sshd to PermitRootLogins=forced-commands-only . And also the public key generated was copied to the authorized_keys2 file and a symlink authorized_keys was created that links to the aforementioned file.
The private key on the rsnapshot server is in the /root/cron directory, and there is a config file in /root/.ssh/ that has the details as below,
There is no id_dsa (or id_rsa , or identity) file inside /root/.ssh . And I am using ssh protocol 2.
Does anyone have any idea why public key authentication is not working? And also, if possible, does anyone know how what arguements I can give to ssh to only try public key authentication ? Thanks.
Why would you create an authorized_keys2 file and symlink to it? Do you have any particular reason for that? SSH is very strict about permissions on the files. What are the permissions on your identity file? I'd check permissions on both files, remove the symlink and use what's to be used (authorized_keys).
Looking forward to your participation in the forums. Have fun with Linux.
On the rsnapshot server, some of the permissions are as follows,
Code:
drwx------ 2 root root 4096 Mar 5 18:01 .ssh
# ls -l .ssh/
total 8
-rw------- 1 root root 90 Mar 5 18:02 config
-rw-r--r-- 1 root root 1231 Feb 28 17:25 known_hosts
The identity file is /root/cron/localhost-rsnapshot-key , here are it's permissions,
Code:
/root/cron
drwxr-xr-x 2 root root 4096 Feb 28 14:59 cron
/root/cron/localhost-rsnapshot-key
-rw------- 1 root root 668 Feb 28 14:59 localhost-rsnapshot-key
I implemented your suggestion and tried it out, but I got the same result, and exactly the same output on console as in the previous case. Shall I bring back the authorized_keys2 file and the symlink, or should I leave it as it is with just the authorized_keys file?
As a side note, I checked whether setting PermitRootLogin=yes works, and it did work perfectly.
Last edited by j0sh-linux; 03-06-2012 at 02:58 AM.
Did you also specify a ForceCommand for the root user? I would assume that it won’t work this way with rsnapshot, as the command line is assembled on the fly and can’t be defined beforehand (unless you use some kind of wrapper to get the original command line options). It might work with PermitRootLogin=without-password setting.
A quick look shows that you don't have enabled pubkey auth.
Uncomment the lines to enable and restart SSHD.
Quote:
Originally Posted by j0sh-linux
Here is the sshd_config file parameters on the remote host
Code:
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
Of course you will need to copy the pubkeys (LQ guide) to this server into user's .ssh/ directory to make them work. (skip the process generating ssh keys as you already have a key)
A quick look shows that you don't have enabled pubkey auth.
Uncomment the lines to enable and restart SSHD.
Of course you will need to copy the pubkeys (LQ guide) to this server into user's .ssh/ directory to make them work. (skip the process generating ssh keys as you already have a key)
good luck
Tried it and it still did not work. Now I suspect the problem may be somewhere else. But first, I would have to explain the complete picture which I probably should have done before.
The rsnapshot server will be using cron to do automated logins and take backup. And then when the authentication process takes place, I have PermitRootLogins=forced-commands-only. So on the remote host in the authorized_keys file, I have the following before the public key data,
So if only the IP address of the rsnapshot server is recognized, then the "validate-rsync" script will be run. See here for the script --> validate-sync
I suspect after looking at this Ubuntuforum topic that cron is having issues using ssh.
Last edited by j0sh-linux; 03-12-2012 at 03:46 AM.
Reason: better explained
Finally figured out what the problem was, with some help from the author of Using Rsnapshot and SSH. Judging from the logs below, it seems like ssh was not able to find the correct private key file.
Code:
...
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
...
So I had to correct the /etc/.ssh/config file which had the info about where the private key was, so earlier it was,
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
After this, the public key was found and used successfully. But I had another problem where the authentication was failing. Turns out there was a "newline" in the /root/.ssh/authorized_keys file on the remote server. The trick is to look into the log file of sshd on the remote server (/var/log/secure) for the error,
Code:
error: buffer_get_ret: trying to get more bytes 4 than in buffer 0
Please refer to this website for more info on this matter. It seems that the newline is a default action because of using ssh-copy-id. This newline is not visible in editor like nano . Found it with the vi editor. Basically there needs to be just spaces between fields, so my /root/.ssh/authorized_keys file starts with,
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.