LinuxQuestions.org
Old 02-25-2016, 04:31 AM   #1
oliverm2
LQ Newbie
 
Registered: Feb 2016
Posts: 3

Rep: Reputation: Disabled
Question Cert based SSH access and scripts still prompting for a password


Hi

I've set up cert based SSH access between two Ubuntu 14 LTS boxes. This works fine.

On BoxB I have a script that wants to rsync files from BoxA to BoxB using a user called rsyncuser. This user can access BoxA from BoxB using cert based SSH without being prompted for a password (this I can test).

However when I run my script it immediately asks me for the password to ssh in to BoxA. Clearly this isn't great as the script stops.

To cover myself, I've also enabled cert based SSH for every user involved, the user running the script, the user mentioned in the rsync command line, and also both as sudo.

Any ideas what I've missed?

The rsync command is below, along with the commands I've used to enable cert-based ssh (which I've used before)

***
rsync -arv -e "ssh" --exclude-from=/var/www/rsync_excludes.txt rsyncuser@box.b.my.domain:/ /
***

cert-less ssh created using

***
ssh-keygen
ssh-copy-id -i box.b.my.domain
***
 
Old 02-25-2016, 04:50 AM   #2
tshikose
Member
 
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 404

Rep: Reputation: 73
Can you try adding the -i SSH option specifying the key to be used?
 
Old 02-25-2016, 05:05 AM   #3
oliverm2
LQ Newbie
 
Registered: Feb 2016
Posts: 3

Original Poster
Rep: Reputation: Disabled
Still prompts for a password. I did this;

su rsyncuser
ssh-keygen
ssh-copy-id -i /home/rsyncuser/.ssh/id_rsa rsyncuser@box.a.my.domain
ssh rsyncuser@box.a.my.domain <<<<---- That works, I don't get a prompt.
exit
rsync -arv -e "ssh" --exclude-from=/var/www/rsync_excludes.txt rsyncuser@box.a.my.domain:/ /
rsyncuser@89.151.82.210's password: <<--- prompts me for the rsyncusers password still.



Is it possible to configure cert-based ssh on a per-machine basis, so for any users from BoxB to BoxA, rather than per-user?

Olly
 
Old 02-25-2016, 05:46 AM   #4
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,522

Rep: Reputation: 398
Tried this?
Code:
su - rsyncuser
script
Quote:
Originally Posted by man su
Code:
      -, -l, --login
           Provide an environment similar to what the user would expect had
           the user logged in directly.

           When - is used, it must be specified before any username. For
           portability it is recommended to use it as last option, before any
           username. The other forms (-l and --login) do not have this
           restriction.
 
Old 02-25-2016, 09:17 AM   #5
Habitual
LQ 5k Club
 
Registered: Jan 2011
Location: Nowhere near you, thank God.
Distribution: High Sierra
Posts: 8,598
Blog Entries: 15

Rep: Reputation: Disabled
Set a password for rsyncuser on boxb
 
Old 02-25-2016, 10:26 AM   #6
fmattheus
Member
 
Registered: Nov 2015
Posts: 104

Rep: Reputation: 38
First you've set up access to rsyncuser@box.a.my.domain and tested that it works.
Then you are prompted for the password to rsyncuser@89.151.82.210. Note this is a different user/machine ...

Then you've got a second problem. From machine a, you're trying to sync from machine b to machine c. Rsync doesn't support this. The rsync command needs to either run on machine b or c.
 
Old 02-25-2016, 01:57 PM   #7
michaelk
Moderator
 
Registered: Aug 2002
Posts: 16,430

Rep: Reputation: 1938
Quote:
Originally Posted by oliverm2 View Post
Still prompts for a password. I did this;
su rsyncuser
ssh-keygen
ssh-copy-id -i /home/rsyncuser/.ssh/id_rsa rsyncuser@box.a.my.domain
ssh rsyncuser@box.a.my.domain <<<<---- That works, I don't get a prompt.
exit
rsync -arv -e "ssh" --exclude-from=/var/www/rsync_excludes.txt rsyncuser@box.a.my.domain:/ /
rsyncuser@89.151.82.210's password: <<--- prompts me for the rsyncusers password still.
I am a bit confused too... You created the keys as rsyncuser on box b and they tested good but then you exited back to another user (I assume). ssh defaults to /home/username/.ssh/id_rsa for private keys so if that other user had no key, or a key that did not match the server's public key (/home/rsyncuser/.ssh/authorized_keys), it will fall back to passwords.

If you perform the same process as that other user or copy the id_rsa key from rsyncuser to the other user's .ssh directory and change owner/permissions accordingly then keys should work.
 
Old 02-25-2016, 06:18 PM   #8
Habitual
LQ 5k Club
 
Registered: Jan 2011
Location: Nowhere near you, thank God.
Distribution: High Sierra
Posts: 8,598
Blog Entries: 15

Rep: Reputation: Disabled
Try:
Code:
rsync -arv -e "ssh -i /home/rsyncuser/.ssh/id_rsa" --exclude-from=/var/www/rsync_excludes.txt rsyncuser@box.b.my.domain:/ /
 
Old 02-25-2016, 06:38 PM   #9
michaelk
Moderator
 
Registered: Aug 2002
Posts: 16,430

Rep: Reputation: 1938
Due to permissions, users cannot access each other's home directories. In addition, there are strict permissions required for the .ssh directory and the private key files.
 
Old 02-25-2016, 06:52 PM   #10
Habitual
LQ 5k Club
 
Registered: Jan 2011
Location: Nowhere near you, thank God.
Distribution: High Sierra
Posts: 8,598
Blog Entries: 15

Rep: Reputation: Disabled
Quote:
Originally Posted by michaelk View Post
Due to permissions, users cannot access each other's home directories. In addition, there are strict permissions required for the .ssh directory and the private key files.
And I questioned briefly if rsyncuser had privs for /
but I didn't say anything.
 
Old 02-25-2016, 07:57 PM   #11
michaelk
Moderator
 
Registered: Aug 2002
Posts: 16,430

Rep: Reputation: 1938
I have not either and IMHO not a good plan.
 
1 members found this post helpful.
Old 02-26-2016, 09:15 AM   #12
Habitual
LQ 5k Club
 
Registered: Jan 2011
Location: Nowhere near you, thank God.
Distribution: High Sierra
Posts: 8,598
Blog Entries: 15

Rep: Reputation: Disabled
Oliver:
Check out http://rsync.net/resources/howto/rsync.html for some awesome examples and other tidbits.

2 things stick out.
  • rsyncuser will need permission to access the files/system ("/") on the source and be able to write to the same ("/") at the destination.
  • has to be able to "read" the key file.

If the boxes are reasonably secure, an ssh key solely for this activity is reasonable to use.

on BoxB
Code:
sudo ssh-keygen -f /root/.ssh/rsyncuser_key -t rsa -b 4096 -N '' -q
This /root/.ssh/rsyncuser_key will have no password on it and messing with sudo privs is not necessary for this to work.
Then copy /root/.ssh/rsyncuser_key.pub on BoxB into /root/.ssh/authorized_keys on BoxA
Then from BoxB, I'd issue something like
Code:
sudo rsync -arv -e "ssh -i /root/.ssh/rsyncuser_key" --exclude-from=/var/www/rsync_excludes.txt rsyncuser@box.a.my.domain:/ /
#untested

Good Luck.

Last edited by Habitual; 02-26-2016 at 09:28 AM.
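
Added example, not part of any post in this thread: a preflight check for the two failure modes discussed above (the account running rsync has no usable private key, or file permissions make ssh or sshd ignore the key), plus an ssh command line that fails instead of prompting when key authentication does not work. The function names and the key path in the usage comment are assumptions, and `stat -c` assumes GNU coreutils as on Ubuntu.

```shell
#!/bin/sh
# Added example: function names and sample paths are hypothetical.

# mode_of PATH -> octal permission bits, e.g. 600 (GNU stat)
mode_of() { stat -c '%a' "$1"; }

# check_private_key KEYFILE   (run as the account that will run rsync)
# 0 = usable, 1 = missing or unreadable by this user,
# 2 = accessible by group/others (the ssh client refuses such a key)
check_private_key() {
    [ -r "$1" ] || { echo "$(id -un) cannot read $1" >&2; return 1; }
    case $(mode_of "$1") in
        ?00) ;;
        *) echo "$1 has mode $(mode_of "$1"), want 600" >&2; return 2 ;;
    esac
}

# check_authorized_keys FILE   (run on the server being logged in to)
# 0 = ok, 1 = missing, 3 = the file or its directory is writable by
# group/others, which sshd with StrictModes enabled will not accept
check_authorized_keys() {
    for p in "$1" "$(dirname "$1")"; do
        [ -e "$p" ] || { echo "$p is missing" >&2; return 1; }
        case $(mode_of "$p") in
            ?[0145][0145]) ;;
            *) echo "$p has mode $(mode_of "$p")" >&2; return 3 ;;
        esac
    done
}

# ssh_for_rsync KEYFILE -> value for rsync's -e option.
# BatchMode=yes makes ssh exit with an error instead of asking for a
# password; IdentitiesOnly=yes offers only the key named with -i.
ssh_for_rsync() {
    printf 'ssh -i %s -o BatchMode=yes -o IdentitiesOnly=yes' "$1"
}

# Usage inside the sync script (placeholder key path):
#   key=/home/rsyncuser/.ssh/id_rsa
#   check_private_key "$key" || exit 1
#   rsync -arv -e "$(ssh_for_rsync "$key")" \
#       --exclude-from=/var/www/rsync_excludes.txt \
#       rsyncuser@box.a.my.domain:/ /
```

With BatchMode set, a script run by the wrong account stops with "Permission denied" on stderr rather than hanging at a password prompt.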
 
  

