simple rsync in crontab without password
I would like to run the following: (Centos 5.4)
rsync -avz /source_folder 192.168.1.1:/destination_folder
right now I'm running it from CLI but eventually I would like to run it from crontab (user:root).
when I run it, it always asks me to enter root password. I want to skip the password. I've seen a few of the answers regarding this but it either doesn't work or I'm not sure I understand completely how to do it. can someone assist?
Solution 1:
As others have said you can do this with passphrase-less ssh keys. This is inherently insecure and you need to take additional steps to add some security back into the process. What I do is restrict the key's use to a host and a command. I've written this up from my notes, I don't think I've missed any steps out.
The first thing to do is to generate a public key pair that will be used solely for this backup process. When prompted for a pass phrase just press enter twice.
ssh-keygen -t rsa -b 2048 -C "For Backup use only"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/root/.ssh/id_rsa): /root/.ssh/backup.id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/backup.id_rsa.
Your public key has been saved in /root/.ssh/backup.id_rsa.pub.
The key fingerprint is:65:c0:cb:2b:9e:18:ff:b2:59:d4:b5:e8:ae:84:32:2b
Transfer the public key /root/.ssh/backup.id_rsa.pub to the remote host and add it to the /root/.ssh/authorized_keys file.
On the remote host restrict the use of the public key by adding from= and command= restrictions. Edit the /root/.ssh/authorized_keys file, locate the backup key and add the address/name of the host that will be running the cron job as well as a command to run. This command will be run when something logs in with this key e.g.
from="192.168.254.207",command="/root/checkrsync",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3N...
You can only use this key from 192.168.254.207 and you can only run the command /root/checkrsync and other functionality has been removed too.
Edit the file /root/checkrsync like this
echo $SSH_ORIGINAL_COMMAND >/tmp/rsync.cmd
save it and make it executable
chmod 700 /root/checkrsync
We'll change /root/checkrsync later once we know what $SSH_ORIGINAL_COMMAND is.
On the host where we'll be running the cron job run the rsync command interactively
/usr/bin/rsync -avz -e "/usr/bin/ssh -i /root/.ssh/backup.id_rsa" /source_folder [email protected]:/destination_folder
Don't worry about any error messages we only want to generate the /tmp/rsync.cmd file on the remote host
On the remote host make an exact note of the contents of the /tmp/rsync.cmd file (it will be something like rsync --server -vlogDtprze.iLs . /destination_folder).
On the remote host edit /root/checkrsync and change it to
if [[ "$SSH_ORIGINAL_COMMAND" == "rsync --server -vlogDtprze.iLs . /destination_folder" ]]
then
$SSH_ORIGINAL_COMMAND
fi
where the right hand side of the if statement is what was in /tmp/rsync.cmd.
Test the setup. On the host where we'll be running the cron job run the rsync command interactively again
/usr/bin/rsync -avz -e "/usr/bin/ssh -i /root/.ssh/backup.id_rsa" /source_folder [email protected]:/destination_folder
Now it should run correctly if it does then install it into your crontab.
crontab -e
* 1 * * * /usr/bin/rsync -avz -e "/usr/bin/ssh -i /root/.ssh/backup.id_rsa" /source_folder [email protected]:/destination_folder
Solution 2:
You need to set up passphrase-less ssh key authentication.
Bear in mind security concerns when setting this up. I recommend using a host access list to restrict the source IP using the key.
Solution 3:
Check following link for seting up SSH keys. SSh keys will help you to setup password less ssh login.
http://techtrunch.com/linux/ssh-keys
Setting up CRON:
- Login as root
-
Open a terminal and type
crontab -e, then enter following1 * * * * rsync -avz /source_folder 192.168.1.1:/destination_folder
Note
This will run on every hour.