Manuel López-Ibáñez
2005-Oct-19  16:31 UTC
rsync through multiple ssh hops with password authentication prompt
Hi,

I have searched the whole internet and mailing list and I was unable to find a clear answer to this. The methods described in the FAQ [1] are not useful for me.

Three machines: source, middle, target. ssh into middle from source requires password pass_middle. ssh into target from middle requires password pass_target. One cannot reach target from source. So I can do:

    source $ ssh middle
    middle's password: pass_middle
    middle $ ssh target
    target's password: pass_target
    target $

Also I can do it in one step:

    source $ ssh -t middle ssh target
    middle's password: pass_middle
    target's password: pass_target
    target $

Now, I want to transfer files from source to target.

    source $ rsync -e "ssh -t middle ssh target" :/path/to/remote/file .
    Pseudo-terminal will not be allocated because stdin is not a terminal.
    middle's password:
    Permission denied, please try again.
    Permission denied, please try again.
    Permission denied (publickey,password,keyboard-interactive).
    rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
    rsync error: error in rsync protocol data stream (code 12) at io.c(359)

This doesn't work. Neither does:

    source $ rsync -e "ssh -t -t middle ssh target" :/path/to/remote/file .
    middle's password:
    tcgetattr: Invalid argument
    protocol version mismatch - is your shell clean?
    (see the rsync man page for an explanation)
    rsync error: protocol incompatibility (code 2) at compat.c(60)

Finally, the simplest form also won't work.

    source $ rsync -e "ssh middle ssh target" :/path/to/remote/file .
    middle's password:
    Permission denied, please try again.
    Permission denied, please try again.
    Permission denied (publickey,password,keyboard-interactive).
    rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
    rsync error: error in rsync protocol data stream (code 12) at io.c(359)

Both ask for the first password, but they generate an error before asking for the second one.

I know for sure that if you can ssh into target from middle without a password (using keys or whatever), then the second rsync command works perfectly. I wish to know if there is a way to achieve this, that is, rsync asks for both passwords and then transfers the files. In case it is not currently possible, would it ever be possible, that is, should I file a bug report or feature request? Otherwise, it would be interesting to update the rsync FAQ [1] to state that this is clearly impossible and one must use a passwordless authentication method in the second hop.

Thanks for your help,

Manuel.

(Please CC me in the reply since I am not subscribed to the list)

[1] http://samba.anu.edu.au/rsync/FAQ.html#6
Matt McCutchen
2005-Oct-19  20:50 UTC
rsync through multiple ssh hops with password authentication prompt
Manuel,

The trouble in all three cases is that rsync expects to have the SSH data stream to "middle" all to itself, but you need to slip a password into this stream first so that the connection to "target" can be made.

Here's what I think would be easiest. If ssh's input is not a terminal, but $DISPLAY is set, it tries to use a graphical password-prompting program specified by $SSH_ASKPASS. Put such a program on "middle" if you don't already have one, and configure "middle" so that $SSH_ASKPASS will be appropriately set even though the shell that handles the second SSH command will not be a login shell (this means ~/.bashrc or ~/.ssh/environment, not ~/.bash_profile). Then, enable X forwarding on the connection to "middle". The second SSH will pop up a graphical password prompt, which will rattle through the first SSH to your screen. This would be the command:

    rsync -e "ssh -X middle ssh target" :/path/to/remote/file .

However, I consider the following more elegant because the -e argument specifies not the remote machine but the way of getting there:

    rsync -e "ssh -X middle ssh" target:/path/to/remote/file .

I successfully used this technique to pull a file to my computer from a computer on my school's network via an intermediary on that network.

-- 
Matt McCutchen, ``hashproduct''
hashproduct@verizon.net -- http://mysite.verizon.net/hashproduct/
Martin Schröder
2005-Oct-19  23:03 UTC
rsync through multiple ssh hops with password authentication prompt
On 2005-10-19 17:36:55 +0100, Manuel López-Ibáñez wrote:
> source $ ssh middle
> middle's password: pass_middle
> middle $ ssh target
> target's password: pass_target
> target $

Use keys and ssh-agent. :-)

[...]
> Now, I want to transfer files from source to target.

Check out ssh's forwarding options.

Best
Martin
-- 
http://www.tm.oneiros.de
Manuel López-Ibáñez
2005-Oct-19  23:52 UTC
rsync through multiple ssh hops with password authentication prompt
Matt McCutchen wrote:
> On Thu, 2005-10-20 at 00:05 +0100, Manuel López-Ibáñez wrote:
>
>> I understand completely that it's not rsync's job to handle ssh password
>> prompts, however, isn't the first password prompt handled by rsync?
>> Why can't the other password prompts be handled in a similar way? This
>> is just curiosity, feel free to NOT answer if you are very busy.
>
> Even though the stdin and stdout of the first SSH are connected to rsync
> (so rsync can talk to the rsync on the other end), it can still access
> its "controlling terminal" directly (using /dev/tty) to prompt you for
> the password. The second SSH, however, does not have a working
> controlling terminal, which is why it cannot prompt similarly.

I am not sure if I understood all: why does the second ssh not have a working controlling terminal? I tried forcing a terminal allocation using

    rsync -e "ssh -t -t middle ssh -t -t target"

and several combinations, but none worked.

man ssh(1)

    -t      Force pseudo-tty allocation. This can be used to execute arbitrary
            screen-based programs on a remote machine, which can be very
            useful, e.g., when implementing menu services. Multiple -t
            options force tty allocation, even if ssh has no local tty.

> Based on the output in your first message, I'm guessing the second SSH
> is falling back to using its standard error (which is coming back to
> your terminal) and its standard input (which is the rsync data stream)
> to prompt for and obtain the password. Perhaps it is trying to
> interpret the beginning of the rsync data stream as a password, which is
> why it fails three times in a row; does that "Permission denied" message
> mean "wrong password" on BSD?

I think you are right. I have no idea about OpenBSD and, actually, target is Debian GNU/Linux. I did some experiments. "Permission denied" messages are produced by middle (OpenBSD) if you provide a wrong password.

However, the weird thing is that if you ssh into target (GNU/Linux) from middle, it asks 6 times for the password: the first three times it just asks again if the password was wrong, the other three times it gives the "Permission denied, try again" error.

Also, how is the error message reaching me if rsync is not forwarding the output of the second SSH?

Cheers,

Manuel.
Manuel López-Ibáñez
2005-Oct-20  00:10 UTC
rsync through multiple ssh hops with password authentication prompt
Matt McCutchen wrote:
> Martin Schröder's suggestion of ssh-agent might be better in the long
> term or if the X business doesn't work, but I got the impression you
> didn't want to set up any kind of special SSH authentication.

Yes, that is precisely the point. There is a FAQ section (which I linked in my first message) explaining how to do this using keys. That is not the point. For example, isn't it possible for the root of middle (or some attacker) to get my keys and use them? That won't be the same using passwords. Yes, you can encrypt the keys with a passphrase, but then you will end up in the same situation as with passwords (from the point of view of using rsync), won't you?

So the point is "rsync through multiple ssh hops with password authentication". And now I will add "without X forwarding", since the sshd server in middle does not allow X forwarding (and there are no X libraries or programs there, for example no xauth available).

Perhaps it is just impossible or just too complicated. Those are valid answers. :-)

Cheers,

Manuel.
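The requirement stated above (both passwords typed at source, no keys stored on middle, no X forwarding) is what ssh's ProxyCommand option provides: the ssh on source connects to target through a TCP forward opened via middle, so each hop's ssh runs on source with a working controlling terminal, every password prompt arrives on source's own /dev/tty, and rsync's data stream runs end to end between source and target without any program on middle touching it. The script below is an added example written for this page, not a command any poster in the thread gave; it only generates an ssh_config file and the matching rsync command line into a temporary file, so it runs offline. It assumes the host aliases middle and target from the thread resolve, and it uses the -W netcat mode that OpenSSH added in 5.4 (after this thread was written); on older clients the same ProxyCommand line can read ssh middle nc %h %p instead.

```shell
#!/bin/sh
# Added example: chain N ssh hops with ProxyCommand so that every password
# prompt happens on the source machine and no key material lives on middle.
# Assumption: hop names given as arguments resolve (or get a HostName line).

# build_jump_config CONFIG_PATH HOP1 HOP2 ... HOPN
# Prints an ssh_config in which HOP(k) is reached through HOP(k-1). The inner
# ssh must be told to read the same config (-F) so that a chain of three or
# more hops keeps working when each ProxyCommand spawns the next ssh.
build_jump_config() {
    cfg=$1; shift
    prev=""
    for hop in "$@"; do
        printf 'Host %s\n' "$hop"
        if [ -n "$prev" ]; then
            # -W forwards our connection to %h:%p (this hop) through the previous
            # hop; the outer ssh then authenticates to this hop end to end, so its
            # host key is verified and its password is typed on the source terminal.
            printf '    ProxyCommand ssh -F %s -W %%h:%%p %s\n' "$cfg" "$prev"
        fi
        # Explicitly refuse agent forwarding: intermediate hosts never get to
        # use our keys, which is the concern raised in the thread.
        printf '    ForwardAgent no\n'
        printf '\n'
        prev=$hop
    done
}

# rsync_cmd_via_chain CONFIG_PATH LAST_HOP REMOTE_PATH LOCAL_PATH
# Prints the rsync invocation; -e points ssh at the generated config, and the
# final hop is named as the remote host, exactly like a direct rsync over ssh.
rsync_cmd_via_chain() {
    printf 'rsync -e "ssh -F %s" %s:%s %s\n' "$1" "$2" "$3" "$4"
}

# Usage: write the config to a temporary file so nothing under ~/.ssh changes.
cfg=$(mktemp)
build_jump_config "$cfg" middle target > "$cfg"
cat "$cfg"
rsync_cmd_via_chain "$cfg" target /path/to/remote/file .
rm -f "$cfg"
```

Running the printed rsync command prompts first for middle's password (from the inner ssh started by ProxyCommand) and then for target's, both on the local terminal, and target's host key is checked by the client on source rather than by a client running on middle.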
Manuel López-Ibáñez
2005-Oct-22  00:50 UTC
rsync through multiple ssh hops with password authentication prompt
> This setup seems to work well--perhaps it could be added to the rsync
> FAQ page as Method 2b. The only annoyance is that one might still get
> two indistinguishable "Password:" prompts; could someone tell me how to
> configure SSH so the prompt reveals the target

Well, actually, I get "Password: " prompts when I ssh into Linux machines and "user (at) hostname's password: " when I log into OpenBSD. I have not been able to find any option to configure the prompt in the man pages ssh_config and sshd_config, so I would assume that it is an implementation issue. The OpenBSD machine has OpenSSH_4.1 and GNU/Linux has OpenSSH_3.9, so maybe they introduced it between those versions.

I really think it is nice that it tells the hostname, so perhaps we can ask the OpenSSH guys. There is a Usenet newsgroup comp.security.ssh and a mailing list secureshell@securityfocus.com. If I have time in the following weeks, I will ask them (unless someone is really curious about this and is willing to ask soon).

Cheers,

Manuel.