Subject: Re: Re: ssh-add and crontab
To: Jukka Salmi <j+nbsd@2005.salmi.ch>
From: Joel CARNAT <joel@carnat.net>
List: netbsd-users
Date: 03/17/2005 15:32:15
Hi,

thanks for the answer!
your script looked a bit complex for me...
so I used the SSH_AUTH_SOCK/SSH_AGENT_PID way of doing it.

for general info, I didn't use find but did it with ".xsession" and "source"
********************
# grep -i SSH .xsession
eval `ssh-agent -s`
ssh-add < /dev/null
ssh-add ~/.ssh/id_rsa < /dev/null
echo "SSH_AGENT_PID=$SSH_AGENT_PID" > ~/.ssh-agent
echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> ~/.ssh-agent
echo "export SSH_AGENT_PID SSH_AUTH_SOCK" >> ~/.ssh-agent
********************
# cat ~/scripts/upload_seti
#!/bin/sh
. ~/.ssh-agent
ssh ...
scp ...
********************

seems to work now :)

In the previous episode (Wed, Mar 16 2005 - 12:17), Jukka Salmi taught us that:
> Joel CARNAT --> netbsd-users (2005-03-16 10:44:08 +0100):
> > Hi,
> > 
> > I have a "scp -i ~/.ssh/HOME_key ..." in my crontab (to copy seti@HOME
> > results from work to my home machine). I used "ssh-add ~/.ssh/HOME_key"
> > in my .xsession so that I won't need to provide the passphrase each
> > time.
> > 
> > When I use the key (in an xterm) to connect (or scp), the ssh-agent is OK
> > (aka, I don't have to provide the passphrase), but the crontab entry
> > fails saying "Permission denied (publickey,keyboard-interactive).".
> > 
> > I think the problem is that crontab doesn't use ssh-agent...
> > I restarted cron after adding the key (just to test) but it doesn't
> > solve anything. Does anyone know how to use ssh-agent with crontab?
> 
> The problem seems to be that cron doesn't know about the running ssh-agent,
> i.e. cron's environment doesn't have the SSH_AUTH_SOCK variable set.
> 
> If there's only one agent running for your user, you could try to find
> the socket and set SSH_AUTH_SOCK accordingly, i.e. use something like
> 
> 	SSH_AUTH_SOCK=$(find /tmp -name 'agent.*' -user $USER 2>/dev/null);\
> 	export SSH_AUTH_SOCK; your-scp-command
> 
> as the command in your crontab.
> 
> A better approach would probably be to use something like the attached
> script. I use it on systems where I often need to access passphrase
> protected private keys, with the following in ~/.profile:
> 
> 	$ grep ssh-agent ~/.profile
> 	[ -f ~/.ssh-agent ] && . ~/.ssh-agent
> 	alias ssh-agent-start='. $(ssh-agent-wrapper ~/.ssh/id_[rd]sa)'
> 
> After each system reboot I log in, call ssh-agent-start and enter the
> passphrase(s). After logout the file ~/.ssh-agent remains and contains
> information about the ssh-agent process. When I log in again, I let the
> shell read this file and learn about the agent. No need to enter the
> passphrase again until after the next reboot.
> 
> BTW: when running X, I need to set '*VT100*loginShell: true' in
> ~/.Xresources to force xterm to invoke a login shell. Otherwise
> ~/.profile is not read.
> 
> For your problem this would mean using
> 
> 	. ~/.ssh-agent; your-scp-command
> 
> as the command in your crontab.
> 
> 
> HTH, Jukka
> 
> -- 
> bashian roulette:
> $ ((RANDOM%6)) || rm -rf ~

> #!/bin/sh
> #
> # Jukka Salmi   2003-01-31
> #
> 
> : ${SSH_AGENT_CACHE:=$HOME/.ssh-agent}
> 
> is_running()
> {
> 	ssh-add -l >/dev/null 2>&1
> 	case $? in
> 		0|1) return 0;;
> 	esac
> 	return 1
> }
> 
> use_x11_askpass()
> {
> 	local x ap='/usr/X11R6/bin/ssh-askpass /usr/lib/misc/ssh-askpass'
> 	[ ."$DISPLAY" != . ] || return 1
> 	for x in $ap; do
> 		[ -x $x ] && { export SSH_ASKPASS=$x; return 0; }
> 	done
> 	return 1
> }
> 
> add_ids()
> {
> 	local stdin
> 	#ssh-add -D 2>/dev/null
> 	use_x11_askpass && stdin='</dev/null'
> 	eval ssh-add "$@" $stdin 2>/dev/null
> }
> 
> start_agent()
> {
> 	#ssh-agent -k 2>/dev/null
> 	nohup ssh-agent | egrep '^[^#].*(=|export)' >$SSH_AGENT_CACHE
> 	. $SSH_AGENT_CACHE
> 	add_ids "$@"
> }
> 
> trap '' INT
> umask 077
> 
> is_running || start_agent "$@"
> echo "$SSH_AGENT_CACHE"
> 
> trap INT
> exit 0


-- 
,-- This mail runs ---------.
`------------ NetBSD/i386 --'
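
An added example, not part of the original messages: both approaches in the thread have the cron job source ~/.ssh-agent with ".", which executes whatever that file contains. The wrapper below reads the same file as data, refuses it if its ownership, mode or contents are unexpected, and checks that the agent still answers before running the job. The wrapper name with-agent and its messages are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): cron-side loader for the ~/.ssh-agent
# cache file. It parses the file as data instead of sourcing it.

# load_agent_cache FILE: export SSH_AUTH_SOCK/SSH_AGENT_PID from FILE, or
# return 1 if the file or its contents are not what the session wrote.
load_agent_cache() {
	cache=$1 sock= pid=
	# Must be a regular file, not a symlink, owned by the current user.
	[ -f "$cache" ] && [ ! -L "$cache" ] && [ -O "$cache" ] || return 1
	# Mode string looks like -rw-------; reject group- or world-writable.
	case $(ls -ld -- "$cache") in
		-????-??-?*) ;;
		*) return 1 ;;
	esac
	# Accept "VAR=value" and ssh-agent's "VAR=value; export VAR;" lines.
	# Any other line would have run as code under ".", so it is rejected.
	while IFS= read -r line || [ -n "$line" ]; do
		case $line in
			SSH_AUTH_SOCK=*) sock=${line#SSH_AUTH_SOCK=}; sock=${sock%%;*} ;;
			SSH_AGENT_PID=*) pid=${line#SSH_AGENT_PID=}; pid=${pid%%;*} ;;
			export\ SSH_*|'') ;;
			*) return 1 ;;
		esac
	done < "$cache"
	# Socket: absolute path with a conservative character set. PID: digits.
	case $sock in /*) ;; *) return 1 ;; esac
	case $sock in *[!A-Za-z0-9._/-]*) return 1 ;; esac
	case $pid in ''|*[!0-9]*) return 1 ;; esac
	SSH_AUTH_SOCK=$sock SSH_AGENT_PID=$pid
	export SSH_AUTH_SOCK SSH_AGENT_PID
}

# agent_has_keys: true only if the socket exists and the agent holds a key.
# ssh-add -l exits 0 with keys, 1 with none, 2 if the agent is unreachable.
agent_has_keys() {
	[ -S "${SSH_AUTH_SOCK:-}" ] && ssh-add -l >/dev/null 2>&1
}

# Crontab usage (hypothetical path): ~/scripts/with-agent scp ...
if [ $# -gt 0 ]; then
	load_agent_cache "${SSH_AGENT_CACHE:-$HOME/.ssh-agent}" ||
		{ echo "with-agent: cache file rejected" >&2; exit 1; }
	agent_has_keys ||
		{ echo "with-agent: agent unreachable or empty (stale cache?)" >&2; exit 1; }
	exec "$@"
fi
```

A stale cache left over from before a reboot or logout fails the agent_has_keys check, so the job exits with a clear message instead of the "Permission denied (publickey,keyboard-interactive)" error.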