rsync - Mar 2004 - rsync + ssh: fails from cron

Hi,

My ssh set up, on both 'work' and 'home' machines uses the 
private-public key authentication (key uses non-empty 
passphrase). So from the 'home' shell prompt the following 
works without prompting to password or passphrase:

rsync -avz --delete -e ssh remote.work.machine:publicats $HOME/work
>From cron, however, I am prompted for a password, though.
I have seen several posts in this regard on the list. Some 
mentioned using keys with no passphrases -- the others I was not 
able to understand at all due to my incompetence.

Is there a way to use a key with no passphrase (only for the 
purpose of rsyncing my two file systems via cron) _along_ with my 
current set up (for the rest of ssh uses)?
or do I have to give up the passphrase altogether? (isn't it a 
security issue, then?)

I am aware that it is not strictly an rsync question, but this 
issue of using ssh surfaces up when ssh is _coupled_ to rsync and 
cron.

I would appreciate any suggestions, comments, examples.

	Thanks a lot!
	Itay Furman

--------------------------------------------------------------
itayf@fhcrc.org		Fred Hutchinson Cancer Research Center

Itay Furman wrote:
> Hi,
Greetings.
> My ssh set up, on both 'work' and 'home' machines uses the 
> private-public key authentication (key uses non-empty 
> passphrase). So from the 'home' shell prompt the following 
> works without prompting to password or passphrase:
> 
> rsync -avz --delete -e ssh remote.work.machine:publicats $HOME/work
That most likely works without prompting because somebody
has caused a key agent to be running on your behalf when
you log in.  The key agent provides key values sort of
under the table, without any action on your part.
> >From cron, however, I am prompted for a password, though.
The cron process is not part of the group that your key agent
is running in.  (Assuming you have a key agent!)  The behavior
you see is by design.  Having a key agent willing to give out
private keys to any old process that happens to run on the
same machine would be something beyond a security hole.  It
would be more like a gaping security canyon.
> I have seen several posts in this regard on the list. Some 
> mentioned using keys with no passphrases -- the others I was not 
> able to understand at all due to my incompetence.
> 
> Is there a way to use a key with no passphrase (only for the 
> purpose of rsyncing my two file systems via cron) _along_ with my 
> current set up (for the rest of ssh uses)?
You could specify a ssh substitute, one which gives enough
arguments to the real ssh to tell it where a non-passphrase-
protected key can found and used.  You could set setuid on
it to allow it to read the key.  Of course, that ssh look-
alike would constitute another security hole, since anyone
could schedule a similar cron job, perhaps with different
purposes than you would like to promote.
> or do I have to give up the passphrase altogether? (isn't it a 
> security issue, then?)
It's probably a security issue either way ;-)  Seriously, you
can set your private key file with permissions such that nobody
but root and you can get at it.  The hole would be smaller that
way, at least insofar as you trust root.  But the problem with
other cron-launched process could remain.  You would need to
do some work (beyond my competence) to get your cron-launched
process(es) to run with your authority, so that the key can
be used without making it more generally available.

Another approach would be have your scheduled rsync transfers
happen in the same process group as your key agent runs in.

HTH.

-Larry Brasfield