Subject: Re: ssh-add and crontab
To: None <netbsd-users@netbsd.org>
From: Jukka Salmi <j+nbsd@2005.salmi.ch>
List: netbsd-users
Date: 03/16/2005 12:17:35
Joel CARNAT --> netbsd-users (2005-03-16 10:44:08 +0100):
> Hi,
>
> I have a "scp -i ~/.ssh/HOME_key ..." in my crontab (to copy seti@HOME
> results from work to my home machine). I used "ssh-add ~/.ssh/HOME_key"
> in my .xsession so that I won't need to provide the passphrase each
> time.
>
> When I use the key (in an xterm) to connect (or scp), the ssh-agent is OK
> (aka, I don't have to provide the passphrase), but the crontab entry
> fails saying "Permission denied (publickey,keyboard-interactive).".
>
> I think the problem is that crontab doesn't use ssh-agent...
> I restarted cron after adding the key (just to test) but it doesn't
> solve anything. Anyone know how to use ssh-agent with crontab?
The problem seems to be that cron doesn't know about the running ssh-agent,
i.e. cron's environment doesn't have the SSH_AUTH_SOCK variable set.
If there's only one agent running for your user, you could try to find
the socket and set SSH_AUTH_SOCK accordingly, i.e. use something like
SSH_AUTH_SOCK=$(find /tmp -name 'agent.*' -user $USER 2>/dev/null);\
export SSH_AUTH_SOCK; your-scp-command
as the command in your crontab.
A better approach would probably be to use something like the attached
script. I use it on systems where I often need to access passphrase
protected private keys, with the following in ~/.profile:
$ grep ssh-agent ~/.profile
[ -f ~/.ssh-agent ] && . ~/.ssh-agent
alias ssh-agent-start='. $(ssh-agent-wrapper ~/.ssh/id_[rd]sa)'
After each system reboot I log in, call ssh-agent-start and enter the
passphrase(s). After logout the file ~/.ssh-agent remains and contains
information about the ssh-agent process. When I log in again, I let the
shell read this file and learn about the agent. No need to enter the
passphrase again until after the next reboot.
BTW: when running X, I need to set '*VT100*loginShell: true' in
~/.Xresources to force xterm to invoke a login shell. Otherwise
~/.profile is not read.
For your problem this would mean using
. ~/.ssh-agent; your-scp-command
as the command in your crontab.
HTH, Jukka
--
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~
Attachment: ssh-agent-wrapper
#!/bin/sh
#
# Jukka Salmi 2003-01-31
#
# Start an ssh-agent once per boot, cache its environment settings in
# $SSH_AGENT_CACHE, add the identities given as arguments and print the
# cache file's name so the caller can source it:
#     . $(ssh-agent-wrapper ~/.ssh/id_rsa)

: ${SSH_AGENT_CACHE:=$HOME/.ssh-agent}

# Is an agent reachable through the current environment?  ssh-add -l exits
# 0 (identities loaded) or 1 (agent running, no identities) if so, and 2 if
# it cannot contact any agent.
is_running()
{
    ssh-add -l >/dev/null 2>&1
    case $? in
    0|1) return 0;;
    esac
    return 1
}

# Under X, let ssh-add ask for the passphrase with a graphical prompt.
use_x11_askpass()
{
    local x ap='/usr/X11R6/bin/ssh-askpass /usr/lib/misc/ssh-askpass'
    [ ."$DISPLAY" != . ] || return 1
    for x in $ap; do
        [ -x $x ] && { export SSH_ASKPASS=$x; return 0; }
    done
    return 1
}

# Add the identities named on the command line.  ssh-add only runs
# SSH_ASKPASS when it has no terminal on stdin, hence the </dev/null.
add_ids()
{
    local stdin
    #ssh-add -D 2>/dev/null
    use_x11_askpass && stdin='</dev/null'
    eval ssh-add "$@" $stdin 2>/dev/null
}

# Start a new agent and keep only the variable assignments from its output
# (the "echo Agent pid ..." line is dropped), then load them and add the
# identities.
start_agent()
{
    #ssh-agent -k 2>/dev/null
    nohup ssh-agent | egrep '^[^#].*(=|export)' >$SSH_AGENT_CACHE
    . $SSH_AGENT_CACHE
    add_ids "$@"
}

trap '' INT     # don't leave a half-written cache file behind on ^C
umask 077       # the cache file names the agent socket; keep it private
is_running || start_agent "$@"
echo "$SSH_AGENT_CACHE"
trap INT
exit 0
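A cron-side counterpart to the wrapper, added here as an example and not part of Jukka's mail or his script: it takes SSH_AUTH_SOCK out of ~/.ssh-agent without sourcing the file, checks the file's ownership and mode, and refuses to run the job when the agent is gone (e.g. after a reboot, before ssh-agent-start has been run). The function names and the cache path default are assumptions.

```shell
#!/bin/sh
# Added example (not Jukka's script): a cron job reads the cached agent
# settings without sourcing the file, so only the expected variables are
# taken over and nothing else in the file can be executed.  Lines are in the
# form ssh-agent prints ("NAME=value; export NAME;"); the function names and
# the default cache path are assumptions.

# Print the value of NAME from cache FILE, accepting only the exact line
# form written by ssh-agent; tampered or extra lines yield nothing.
agent_var()             # usage: agent_var FILE NAME
{
    sed -n "s/^$2=\([^;]*\); export $2;\$/\1/p" "$1" | head -n 1
}

# The cache names the agent socket: insist it is ours and mode go-rwx.
cache_is_private()      # usage: cache_is_private FILE
{
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || return 1
    [ -n "$(find "$1" -prune -user "$(id -un)")" ]
}

# Export SSH_AUTH_SOCK from the cache and confirm the agent answers with
# keys loaded (ssh-add -l exits 0 = keys, 1 = no keys, 2 = no agent).  A
# stale cache from before a reboot fails here: its socket no longer exists.
load_agent()            # usage: load_agent FILE
{
    cache_is_private "$1" || return 1
    sock=$(agent_var "$1" SSH_AUTH_SOCK)
    [ -S "$sock" ] || return 1
    SSH_AUTH_SOCK=$sock; export SSH_AUTH_SOCK
    ssh-add -l >/dev/null 2>&1
}

# Crontab entry:  0 * * * * $HOME/bin/cron-with-agent scp -i ~/.ssh/HOME_key ...
# The refusal goes to stderr, which cron mails to the user, instead of scp
# failing with "Permission denied (publickey,...)" every hour.
run_with_agent()
{
    cache=${SSH_AGENT_CACHE:-$HOME/.ssh-agent}
    load_agent "$cache" || {
        echo "$0: no usable ssh-agent in $cache; run ssh-agent-start" >&2
        return 1
    }
    "$@"
}
if [ $# -gt 0 ]; then
    run_with_agent "$@"
fi
```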