On Sun, Mar 06, 2011 at 11:29:53PM +0000, Richard Lewis wrote:
> Chris G wrote:
> > More to the point my rsync backup to cheddar.halon.org.uk that runs as a cron job has also stopped working, it's expecting a passwordless login to cheddar.halon.org.uk but like the ssh login from a console it's failing because cheddar.halon.org.uk is asking for a password.
>
> Did this use to work using ssh-agent? The only way I've ever found to make my ssh-agent-dependent cron jobs work is to set SSH_AUTH_SOCK as part of the cron job, e.g.:
>
>     SSH_AUTH_SOCK="$(find /tmp/ssh*/ -type s -user richard -group richard -name 'agent*' | head -n 1)" cmd...

It's all a bit more complicated than that as it turns out.
My original intent was that the passphraseless key should allow *only* rsync and that there was another key (with a passphrase) for logging in and doing things.
I *had* a file ~/.ssh/config (now removed) which had a specific Host entry for cheddar.halon.org.uk that set the IdentityFile to one without a key just for the rsync. However I had obviously screwed something up completely in my original configuration such that the rsync backup wasn't using the passphraseless key, it was using (presumably) the ssh-agent environment. I also had the format of the authorized_keys file wrong such that the rsync didn't work if it attempted to use the passphraseless key.
In addition it appears that if you have a ~/.ssh/config file with a specific host setting for an IdentityFile in it then *only* that identity will be used so again my original set-up couldn't work.
So, to sort all this out I have fixed the passphraseless entry in ~/.ssh/authorized_keys to have :-

    command="rsync --server -vlogDtpr backups",no-pty,no-port-forwarding

in front of it. When I first tried setting this up I hadn't realised that it required this full rsync command rather than just 'command="rsync"' so, as I said, my original set-up could never have worked as intended.
I now have a completely normal ssh (with ssh-agent and key with passphrase) for normal ssh login access to cheddar.halon.org.uk. My backup script has:-

    export RSYNC_RSH="ssh -i /home/chris/.ssh/np_id_rsa"
    rsync ......

so that it picks up and uses the passphraseless key and thus uses the 'rsync only' authorized_keys entry at cheddar.halon.org.uk.
Phew! :-)
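
An added example, not part of the original message: a small Python check for a server-side authorized_keys file that reports which entries lack the forced command or the no-pty / no-port-forwarding options used above. The sample file, its key material and its key comments are constructed placeholders, and the function names are hypothetical.

```python
import re

# An entry with no options field starts directly with the key type.
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")

def split_unquoted(text, seps):
    """Split on the regex class `seps`, keeping double-quoted values whole."""
    return re.findall(r'(?:"(?:\\.|[^"\\])*"|[^"%s])+' % seps, text)

def parse_entry(line):
    """Return (options dict, [keytype, key, comment...]) for one entry."""
    fields = split_unquoted(line.strip(), r"\s")
    if KEY_TYPE.match(fields[0]):
        return {}, fields
    opts = {}
    for opt in split_unquoted(fields[0], ","):
        name, _, value = opt.partition("=")
        opts[name.lower()] = value.strip('"')
    return opts, fields[1:]

def audit(text):
    """Map each key's comment to the restrictions its entry lacks."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, key = parse_entry(line)
        missing = [] if opts.get("command") else ["command"]
        # OpenSSH's "restrict" option implies both flags unless re-enabled.
        for flag, undo in (("no-pty", "pty"), ("no-port-forwarding", "port-forwarding")):
            if flag not in opts and not ("restrict" in opts and undo not in opts):
                missing.append(flag)
        findings[key[2] if len(key) > 2 else f"line {n}"] = missing
    return findings

# Constructed sample; the key material is a placeholder, not a real key.
SAMPLE = """\
# login key, used with a passphrase and ssh-agent
ssh-rsa AAAAB3NzaPLACEHOLDER1 chris@login
command="rsync --server -vlogDtpr backups",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaPLACEHOLDER2 chris@backup
command="rsync --server -vlogDtpr backups" ssh-rsa AAAAB3NzaPLACEHOLDER3 chris@old
"""

if __name__ == "__main__":
    for label, missing in audit(SAMPLE).items():
        print(label, "OK" if not missing else "missing: " + ", ".join(missing))
```

An entry reported with all three items missing is an ordinary login key; that is only a problem if its private half is stored without a passphrase.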