LinuxQuestions.org
Old 12-31-2009, 05:59 PM   #1
drenalin23
LQ Newbie
 
Registered: Dec 2009
Posts: 3

Rep: Reputation: 0
rsync, keychain and ssh going 2 hops.


Hello -

I've had a cron job running for a couple of months that uses password-less key authentication to hop from one server, through another, and then copy data to the destination host.

Cron job is written as -

30 15 * * * /usr/bin/rsync -avz --delete -e 'ssh hostmiddle.domain.com ssh' --bwlimit=50 /opt/data hostdest:/home/user/dest

This works fine; however, I'd like to have a bit more security. So today I was trying to set things up with keychain/ssh-agent. I created the keys using ssh-keygen and put the pub key into ~/.ssh/authorized_keys. I did this on both hosts and set up keychain properly. I can now manually do 'ssh hostmiddle' and then 'ssh hostdest' and hop from server to server without having to retype the password (but not with passwordless keys).

Now when I try to run the cron job as written I get the following errors (modified to have verbose output). Has anyone else accomplished something similar? And if so, any clues as to why I am receiving the read private key errors? The first leg is working: the key is offered and accepted. On the second leg it appears the key is offered successfully but then rejected with the "PEM_read_PrivateKey failed" error. I double-checked file permissions (and it is working manually, so I figured that isn't the issue).

thx
Scott


debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/user/.ssh/identity (0x0)
debug2: key: /home/user/.ssh/id_rsa (0x0)
debug2: key: /home/user/.ssh/id_dsa (0x84f026e0)
debug3: Wrote 64 bytes for a total of 1109
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/identity
debug3: no such identity: /home/user/.ssh/identity
debug1: Trying private key: /home/user/.ssh/id_rsa
debug3: no such identity: /home/user/.ssh/id_rsa
debug1: Offering public key: /home/user/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug3: Wrote 528 bytes for a total of 1637
debug1: Server accepts key: pkalg ssh-dss blen 433
debug3: sign_and_send_pubkey
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug2: no passphrase given, try next key
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug3: packet_send2: adding 64 (len 48 padlen 16 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug3: Wrote 144 bytes for a total of 1781
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug3: packet_send2: adding 64 (len 48 padlen 16 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug3: Wrote 144 bytes for a total of 1925
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug3: packet_send2: adding 64 (len 48 padlen 16 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug3: Wrote 144 bytes for a total of 2069
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug2: we did not send a packet, disable method
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-with-mic,password).
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.8 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 255
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(359)
 
Old 12-31-2009, 10:39 PM   #2
tacorama
Member
 
Registered: Sep 2009
Distribution: Slackware
Posts: 39

Rep: Reputation: 16
Seems like it's looking for a passphrase on /dev/tty, which usually has a (some) digit(s) behind it, i.e. /dev/ttyS0 or /dev/tty3. Shouldn't this be on a /dev/pty or /dev/pts and not tty, since it's not local?

Are you expecting to use a passphrase? -- (be gentle, I'm new)

This is currently beyond my experience, but I plan to simulate this double hop in VirtualBox.
Did you read the similar threads posted below?
 
Old 01-20-2010, 05:50 PM   #3
drenalin23
LQ Newbie
 
Registered: Dec 2009
Posts: 3

Original Poster
Rep: Reputation: 0
It turns out that the -A flag added to the first ssh command gets me what I was trying to accomplish (at least from the command line).

-A Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file.
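
The fix from post #3 carried over to cron, as an added example that is not part of the original thread: the job has no tty and no login environment, so it must load the agent variables keychain saved, confirm the agent holds a key, and only then run rsync with -A on the first hop. Assumptions: keychain's default env file path (~/.keychain/<hostname>-sh), the host names and paths from post #1, and the helper function names, which are made up here.

```shell
#!/bin/sh
# Added example: cron wrapper for the two-hop rsync from post #1.
# Assumption: keychain wrote its env file to the default location below.
KEYCHAIN_ENV="${KEYCHAIN_ENV:-$HOME/.keychain/$(uname -n)-sh}"

# Load SSH_AUTH_SOCK / SSH_AGENT_PID saved by keychain at login.
# Fails if the file is missing or does not set SSH_AUTH_SOCK.
load_agent_env() {
    [ -r "$1" ] || return 1
    . "$1"
    [ -n "${SSH_AUTH_SOCK:-}" ]
}

# ssh-add -l exits 0 only when the agent is reachable and holds a key
# (1 = agent has no identities, 2 = agent cannot be contacted).
agent_has_keys() {
    ssh-add -l >/dev/null 2>&1
}

# Build the string for rsync -e. -A forwards the agent to the middle host
# so the second ssh can sign with it. BatchMode=yes makes ssh fail at once
# instead of trying to read a passphrase or password from /dev/tty.
hop_command() {
    printf 'ssh -A -o BatchMode=yes %s ssh -o BatchMode=yes' "$1"
}

main() {
    load_agent_env "$KEYCHAIN_ENV" || {
        echo "keychain env file missing or empty: $KEYCHAIN_ENV" >&2
        return 2
    }
    agent_has_keys || {
        echo "ssh-agent unreachable or holds no keys" >&2
        return 3
    }
    /usr/bin/rsync -avz --delete --bwlimit=50 \
        -e "$(hop_command hostmiddle.domain.com)" \
        /opt/data hostdest:/home/user/dest
}

# Crontab entry would call this script with --run (script path is yours).
if [ "${1:-}" = "--run" ]; then
    main
fi
```

While the job is connected, root on hostmiddle can use the forwarded agent socket to authenticate as this user, so restrict what the key is allowed to do in authorized_keys on hostdest.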
 
  


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH/keychain problem(?) tpe SUSE / openSUSE 0 05-16-2005 05:21 AM
Automated SCP/SSH using Keychain gareth_western Linux - General 1 10-12-2004 09:43 AM
ssh-agent/keychain problems Killbot_5000 Linux - Security 1 09-18-2004 02:33 AM
Keychain ssh problem (bug????) pcwulf Linux - Security 3 11-27-2003 10:55 PM
sh script in 'keychain' ssh program pcwulf Linux - Software 0 11-27-2003 08:16 PM
