5

I would like to run the following (CentOS 5.4):

rsync -avz /source_folder 192.168.1.1:/destination_folder

Right now I'm running it from the CLI, but eventually I would like to run it from crontab (user: root).

When I run it, it always asks me to enter the root password. I want to skip the password. I've seen a few of the answers regarding this, but they either don't work or I'm not sure I understand completely how to do it. Can someone assist?

user9517
edotan

4 Answers

14

As others have said, you can do this with passphrase-less ssh keys. This is inherently insecure and you need to take additional steps to add some security back into the process. What I do is restrict the key's use to a host and a command. I've written this up from my notes; I don't think I've missed any steps out.

The first thing to do is to generate a public key pair that will be used solely for this backup process. When prompted for a passphrase, just press Enter twice.

ssh-keygen -t rsa -b 2048 -C "For Backup use only"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/root/.ssh/id_rsa): /root/.ssh/backup.id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/backup.id_rsa.
Your public key has been saved in /root/.ssh/backup.id_rsa.pub.
The key fingerprint is:
65:c0:cb:2b:9e:18:ff:b2:59:d4:b5:e8:ae:84:32:2b

Transfer the public key /root/.ssh/backup.id_rsa.pub to the remote host and add it to the /root/.ssh/authorized_keys file.

On the remote host, restrict the use of the public key by adding from= and command= restrictions. Edit the /root/.ssh/authorized_keys file, locate the backup key and add the address/name of the host that will be running the cron job as well as a command to run. This command will be run when something logs in with this key, e.g.

from="192.168.254.207",command="/root/checkrsync",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3N...

You can only use this key from 192.168.254.207 and you can only run the command /root/checkrsync; other functionality has been removed too.

Edit the file /root/checkrsync like this:

#!/bin/bash
echo "$SSH_ORIGINAL_COMMAND" >/tmp/rsync.cmd

Save it and make it executable:

chmod 700 /root/checkrsync

We'll change /root/checkrsync later once we know what $SSH_ORIGINAL_COMMAND is.

On the host where we'll be running the cron job, run the rsync command interactively:

/usr/bin/rsync -avz -e "/usr/bin/ssh -i /root/.ssh/backup.id_rsa" /source_folder root@remote.host:/destination_folder

Don't worry about any error messages; we only want to generate the /tmp/rsync.cmd file on the remote host.

On the remote host, make an exact note of the contents of the /tmp/rsync.cmd file (it will be something like rsync --server -vlogDtprze.iLs . /destination_folder).

On the remote host, edit /root/checkrsync and change it to:

#!/bin/bash
# Run the client's command only if it is exactly the expected rsync invocation.
if [[ "$SSH_ORIGINAL_COMMAND" == "rsync --server -vlogDtprze.iLs . /destination_folder" ]]
then
     $SSH_ORIGINAL_COMMAND
fi

where the right-hand side of the if statement is what was in /tmp/rsync.cmd.

Test the setup. On the host where we'll be running the cron job, run the rsync command interactively again:

/usr/bin/rsync -avz -e "/usr/bin/ssh -i /root/.ssh/backup.id_rsa" /source_folder root@remote.host:/destination_folder

Now it should run correctly. If it does, then install it into your crontab.

crontab -e

# minute 0 of hour 1: once a day at 01:00
0 1 * * *  /usr/bin/rsync -avz -e "/usr/bin/ssh -i /root/.ssh/backup.id_rsa" /source_folder root@remote.host:/destination_folder
Jim L.
user9517
  • With the "from=" restriction, is there an ability to restrict to any ip in a particular range? i.e. 196.168.1.1 - 196.168.1.255 – thames Jan 09 '14 at 22:33
  • @thames: What you can do is detailed in the man pages http://man.he.net/man5/authorized_keys note it also refers to the PATTERNS section of http://man.he.net/man5/ssh_config – user9517 Jan 09 '14 at 22:56
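An added example, not part of the answer above or of OpenSSH: a check that lists authorized_keys entries missing the from=, command= and no-* restrictions that the answer applies to the backup key. The function names and the sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: reads the named authorized_keys file, or stdin if none given.
audit_authorized_keys() {
    awk '
    # Split the options field into opt[1..n]; quoted commas/blanks do not split.
    function parse_opts(line, opt,    i, c, cur, inq, n) {
        n = 0; cur = ""; inq = 0
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (inq && c == "\\" && substr(line, i + 1, 1) == "\"") {
                cur = cur "\\\""; i++; continue     # escaped quote in a value
            }
            if (c == "\"") inq = !inq
            if (!inq && c == ",") { opt[++n] = cur; cur = ""; continue }
            if (!inq && (c == " " || c == "\t")) break
            cur = cur c
        }
        if (cur != "") opt[++n] = cur
        return n
    }
    BEGIN { nw = split("from= command= no-pty no-port-forwarding no-agent-forwarding no-x11-forwarding",
                       want, " ") }
    /^[ \t]*(#|$)/ { next }                         # comments, blank lines
    {
        sub(/^[ \t]+/, ""); n = 0; miss = ""
        # A line that begins with a key type carries no options at all.
        if ($0 !~ /^(ssh-|ecdsa-|sk-)/) n = parse_opts($0, opt)
        for (w = 1; w <= nw; w++) {
            has = 0
            for (k = 1; k <= n; k++) {
                o = tolower(opt[k])                 # option names ignore case
                # "restrict" (newer OpenSSH) implies every no-* option.
                if (index(o, want[w]) == 1 || (o == "restrict" && want[w] ~ /^no-/)) has = 1
            }
            if (!has) miss = miss " " want[w]
        }
        if (miss != "") printf "line %d: missing%s\n", NR, miss
    }' "$@"
}

# Constructed sample: line 1 as in the answer, line 2 bare, line 3 from= only.
sample_authorized_keys() {
    cat <<'EOF'
from="192.168.254.207",command="/root/checkrsync",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAexample1 For Backup use only
ssh-rsa AAAAexample2 root@old-host
from="192.168.254.207" ssh-rsa AAAAexample3 backup-test
EOF
}
sample_authorized_keys | audit_authorized_keys
```

Run it against /root/.ssh/authorized_keys on the remote host; a passphrase-less key that shows up in the output can still be used for an unrestricted login.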
4

You need to set up passphrase-less ssh key authentication.

Bear in mind security concerns when setting this up. I recommend using a host access list to restrict the source IP using the key.

jamespo
2

Check the following link for setting up SSH keys. SSH keys will help you to set up passwordless ssh login.

http://techtrunch.com/linux/ssh-keys

Setting up CRON:

  1. Login as root
  2. Open a terminal and type crontab -e, then enter the following

    1 * * * * rsync -avz /source_folder 192.168.1.1:/destination_folder

Note

This will run every hour.

Suku
0

For ssh without password (or rsync over ssh), you'll need a key pair without a passphrase.

You can generate the pair (private & public key) on your source machine with ssh-keygen -t rsa (to ~/.ssh/id_rsa), then add your public key (contents of ~/.ssh/id_rsa.pub) to ~/.ssh/authorized_keys on the destination machine.

Read the whole article on cron rsync backups: https://medium.com/@deltazero/linux-remote-backup-rsync-chroot-d797ba6babe5