Subject: Re: Re: ssh-add and crontab
To: Jukka Salmi <j+nbsd@2005.salmi.ch>
From: Joel CARNAT <joel@carnat.net>
List: netbsd-users
Date: 03/17/2005 15:32:15
Hi,
Thanks for the answer!
Your script looked a bit complex for me...
so I used the SSH_AUTH_SOCK/SSH_AGENT_PID way of doing it.
For general info, I didn't use find but did it with ".xsession" and "source":
********************
# grep -i SSH .xsession
eval `ssh-agent -s`
ssh-add < /dev/null
ssh-add ~/.ssh/id_rsa < /dev/null
echo "SSH_AGENT_PID=$SSH_AGENT_PID" > ~/.ssh-agent
echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> ~/.ssh-agent
echo "export SSH_AGENT_PID SSH_AUTH_SOCK" >> ~/.ssh-agent
********************
# cat ~/scripts/upload_seti
#!/bin/sh
. ~/.ssh-agent
ssh ...
scp ...
********************
seems to work now :)
In the previous episode (Wed, Mar 16 2005 - 12:17), Jukka Salmi taught us that:
> Joel CARNAT --> netbsd-users (2005-03-16 10:44:08 +0100):
> > Hi,
> >
> > I have a "scp -i ~/.ssh/HOME_key ..." in my crontab (to copy seti@HOME
> > results from work to my home machine). I used "ssh-add ~/.ssh/HOME_key"
> > in my .xsession so that I won't need to provide the passphrase each
> > time.
> >
> > When I use the key (in an xterm) to connect (or scp), the ssh-agent is OK
> > (aka, I don't have to provide the passphrase), but the crontab entry
> > fails saying "Permission denied (publickey,keyboard-interactive).".
> >
> > I think the problem is that crontab doesn't use ssh-agent...
> > I restarted cron after adding the key (just to test) but it doesn't
> > solve anything. Does anyone know how to use ssh-agent with crontab?
>
> The problem seems to be that cron doesn't know about the running ssh-agent,
> i.e. cron's environment doesn't have the SSH_AUTH_SOCK variable set.
>
> If there's only one agent running for your user, you could try to find
> the socket and set SSH_AUTH_SOCK accordingly, i.e. use something like
>
> SSH_AUTH_SOCK=$(find /tmp -name 'agent.*' -user $USER 2>/dev/null);\
> export SSH_AUTH_SOCK; your-scp-command
>
> as the command in your crontab.
>
> A better approach would probably be to use something like the attached
> script. I use it on systems where I often need to access passphrase
> protected private keys, with the following in ~/.profile:
>
> $ grep ssh-agent ~/.profile
> [ -f ~/.ssh-agent ] && . ~/.ssh-agent
> alias ssh-agent-start='. $(ssh-agent-wrapper ~/.ssh/id_[rd]sa)'
>
> After each system reboot I log in, call ssh-agent-start and enter the
> passphrase(s). After logout the file ~/.ssh-agent remains and contains
> information about the ssh-agent process. When I log in again, I let the
> shell read this file and learn about the agent. No need to enter the
> passphrase again until after the next reboot.
>
> BTW: when running X, I need to set '*VT100*loginShell: true' in
> ~/.Xresources to force xterm to invoke a login shell. Otherwise
> ~/.profile is not read.
>
> For your problem this would mean using
>
> . ~/.ssh-agent; your-scp-command
>
> as the command in your crontab.
>
>
> HTH, Jukka
>
> --
> bashian roulette:
> $ ((RANDOM%6)) || rm -rf ~
> #!/bin/sh
> #
> # Jukka Salmi 2003-01-31
> #
>
> : ${SSH_AGENT_CACHE:=$HOME/.ssh-agent}
>
> is_running()
> {
>     ssh-add -l >/dev/null 2>&1
>     case $? in
>         0|1) return 0;;
>     esac
>     return 1
> }
>
> use_x11_askpass()
> {
>     local x ap='/usr/X11R6/bin/ssh-askpass /usr/lib/misc/ssh-askpass'
>     [ ."$DISPLAY" != . ] || return 1
>     for x in $ap; do
>         [ -x $x ] && { export SSH_ASKPASS=$x; return 0; }
>     done
>     return 1
> }
>
> add_ids()
> {
>     local stdin
>     #ssh-add -D 2>/dev/null
>     use_x11_askpass && stdin='</dev/null'
>     eval ssh-add "$@" $stdin 2>/dev/null
> }
>
> start_agent()
> {
>     #ssh-agent -k 2>/dev/null
>     nohup ssh-agent | egrep '^[^#].*(=|export)' >$SSH_AGENT_CACHE
>     . $SSH_AGENT_CACHE
>     add_ids "$@"
> }
>
> trap '' INT
> umask 077
>
> is_running || start_agent "$@"
> echo "$SSH_AGENT_CACHE"
>
> trap INT
> exit 0
--
,-- This mail runs ---------.
`------------ NetBSD/i386 --'
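
Added example, not part of either message above: a cron-side loader for the ~/.ssh-agent cache file that parses the two variables instead of sourcing the file, refuses a file that someone else could have written, and checks that the agent is still alive (the file goes stale after a reboot). The function names load_agent_env and agent_usable are hypothetical; the accepted file formats are the two shown in this thread.

```shell
#!/bin/sh
# Added example: load the agent variables from the cache file without
# executing its contents. Function names are hypothetical.

# Returns 0 and exports SSH_AUTH_SOCK / SSH_AGENT_PID on success,
# 1 if the file is unsafe or holds unexpected values.
load_agent_env() {
    cache=${1:-$HOME/.ssh-agent}
    # Trust only a regular file we own that group/other cannot write.
    ok=$(find "$cache" -prune -type f -user "$(id -u)" \
            ! -perm -020 ! -perm -002 2>/dev/null)
    [ -n "$ok" ] || return 1
    sock='' pid=''
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%;*}    # drop "; export VAR;" as printed by ssh-agent -s
        case $line in
            SSH_AUTH_SOCK=*) sock=${line#SSH_AUTH_SOCK=} ;;
            SSH_AGENT_PID=*) pid=${line#SSH_AGENT_PID=} ;;
        esac
    done < "$cache"
    # Socket must be an absolute path of plain characters; PID only digits.
    case $sock in /*) ;; *) return 1 ;; esac
    case $sock in *[!A-Za-z0-9._/-]*) return 1 ;; esac
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    SSH_AUTH_SOCK=$sock SSH_AGENT_PID=$pid
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# ssh-add -l exits 0 (keys loaded), 1 (agent up, no keys), 2 (no agent).
# An unattended job needs 0; a stale cache file after a reboot gives 2.
agent_usable() {
    ssh-add -l >/dev/null 2>&1
}

# Usage at the top of the cron script:
#   load_agent_env && agent_usable || { echo "no usable ssh-agent" >&2; exit 1; }
#   scp -o BatchMode=yes ...   # BatchMode: fail instead of prompting
```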