As others have said you can do this with passphrase-less ssh keys. This is inherently insecure and you need to take additional steps to add some security back into the process. What I do is restrict the key's use to a host and a command. I've written this up from my notes, I don't think I've missed any steps out.
The first thing to do is to generate a public key pair that will be used solely for this backup process. When prompted for a pass phrase just press enter twice.
ssh-keygen -t rsa -b 2048 -C "For Backup use only"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/root/.ssh/id_rsa): /root/.ssh/backup.id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/backup.id_rsa.
Your public key has been saved in /root/.ssh/backup.id_rsa.pub.
The key fingerprint is:65:c0:cb:2b:9e:18:ff:b2:59:d4:b5:e8:ae:84:32:2b
Transfer the public key /root/.ssh/backup.id_rsa.pub
to the remote host and add it to the /root/.ssh/authorized_keys
file.
On the remote host restrict the use of the public key by adding from=
and command=
restrictions. Edit the /root/.ssh/authorized_keys
file, locate the backup key and add the address/name of the host that will be running the cron job as well as a command to run. This command will be run when something logs in with this key e.g.
from="192.168.254.207",command="/root/checkrsync",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3N...
You can only use this key from 192.168.254.207 and you can only run the command /root/checkrsync and other functionality has been removed too.
Edit the file /root/checkrsync like this
echo $SSH_ORIGINAL_COMMAND >/tmp/rsync.cmd
save it and make it executable
chmod 700 /root/checkrsync
We'll change /root/checkrsync
later once we know what $SSH_ORIGINAL_COMMAND is.
On the host where we'll be running the cron job run the rsync command interactively
/usr/bin/rsync -avz -e "/usr/bin/ssh -i /root/.ssh/backup.id_rsa" /source_folder root@remote.host:/destination_folder
Don't worry about any error messages we only want to generate the /tmp/rsync.cmd file on the remote host
On the remote host make an exact note of the contents of the /tmp/rsync.cmd file (it will be something like rsync --server -vlogDtprze.iLs . /destination_folder
).
On the remote host edit /root/checkrsync
and change it to
if [[ "$SSH_ORIGINAL_COMMAND" == "rsync --server -vlogDtprze.iLs . /destination_folder" ]]
then
$SSH_ORIGINAL_COMMAND
fi
where the right hand side of the if statement is what was in /tmp/rsync.cmd.
Test the setup. On the host where we'll be running the cron job run the rsync command interactively again
/usr/bin/rsync -avz -e "/usr/bin/ssh -i /root/.ssh/backup.id_rsa" /source_folder root@remote.host:/destination_folder
Now it should run correctly if it does then install it into your crontab.
crontab -e
* 1 * * * /usr/bin/rsync -avz -e "/usr/bin/ssh -i /root/.ssh/backup.id_rsa" /source_folder root@remote.host:/destination_folder