Subject: Re: ssh-add and crontab
To: None <>
From: Jukka Salmi <>
List: netbsd-users
Date: 03/16/2005 12:17:35
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Joel CARNAT --> netbsd-users (2005-03-16 10:44:08 +0100):
> Hi,
> I have a "scp -i ~/.ssh/HOME_key ..." in my crontab (to copy seti@HOME
> results from work to my home machine). I used "ssh-add ~/.ssh/HOME_key"
> in my .xsession so that I won't need to provide the passphrase each
> time.
> When I use the key (in a xterm) to connect (or scp), the ssh-agent is OK
> (aka, I don't have to provide the passphrase), but the crontab entry
> fails saying "Permission denied (publickey,keyboard-interactive).".
> I think the problem is that crontab don't use ssh-agent...
> I restarted cron after adding the key (just to test) but it doesn't
> solve anything. Any one knows how to use ssh-agent with crontab ?

The problem seems to be that cron doesn't know about the running ssh-agent,
i.e. cron's environment doesn't have the SSH_AUTH_SOCK variable set.

If there's only one agent running for your user, you could try to find
the socket and set SSH_AUTH_SOCK accordingly, i.e. use something like

	SSH_AUTH_SOCK=$(find /tmp -name 'agent.*' -user $USER 2>/dev/null);\
	export SSH_AUTH_SOCK; your-scp-command

as the command in your crontab.

A better approach would probably be to use something like the attached
script. I use it on systems where I often need to access passphrase
protected private keys, with the following in ~/.profile:

	$ grep ssh-agent ~/.profile
	[ -f ~/.ssh-agent ] && . ~/.ssh-agent
	alias ssh-agent-start='. $(ssh-agent-wrapper ~/.ssh/id_[rd]sa)'

After each system reboot I log in, call ssh-agent-start and enter the
passphrase(s). After logout the file ~/.ssh-agent remains and contains
information about the ssh-agent process. When I log in again, I let the
shell reads this file and learn about the agent. No need to enter the
passphrase again until after the next reboot.

BTW: when running X, I need to set '*VT100*loginShell: true' in
~/.Xresources to force xterm to invoke a login shell. Otherwise
~/.profile is not read.

For your problem this would mean using

	. ~/.ssh-agent; your-scp-command

as the command in your crontab.

HTH, Jukka

bashian roulette:
$ ((RANDOM%6)) || rm -rf ~

Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=ssh-agent-wrapper

# Jukka Salmi   2003-01-31

: ${SSH_AGENT_CACHE:=$HOME/.ssh-agent}

	ssh-add -l >/dev/null 2>&1
	case $? in
		0|1) return 0;;
	return 1

	local x ap='/usr/X11R6/bin/ssh-askpass /usr/lib/misc/ssh-askpass'
	[ ."$DISPLAY" != . ] || return 1
	for x in $ap; do
		[ -x $x ] && { export SSH_ASKPASS=$x; return 0; }
	return 1

	local stdin
	#ssh-add -D 2>/dev/null
	use_x11_askpass && stdin='</dev/null'
	eval ssh-add "$@" $stdin 2>/dev/null

	#ssh-agent -k 2>/dev/null
	nohup ssh-agent | egrep '^[^#].*(=|export)' >$SSH_AGENT_CACHE
	add_ids "$@"

trap '' INT
umask 077

is_running || start_agent "$@"

trap INT
exit 0