Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: how to "sudo ssh/rsync" a remote host using a user's keyfiles?

  1. #1
    Join Date
    Apr 2013
    Beans
    124
    Distro
    Ubuntu 14.04 Trusty Tahr

    how to "sudo ssh/rsync" a remote host using a user's keyfiles?

    Hi, everyone.

    I am trying to run a script as root using /etc/crontab.

    Code:
    X Y  * * *   root    /some-path/script.sh
    The first part of the script needs local root priviledges and runs fine.

    The other half needs a regular user priviledges, but the job is run by user root in crontab and it fails.

    Basically, the second part of the script is trying to access a remote directory using a regular user's credentials (keyfiles), not the root's ones. That is because the root doesn't have keyfiles on the local or on the remote host. The user test does have remote access to that host however, but only when ssh and rsync are run by user test (non sudo command).

    So a command like

    Code:
    "ssh test@remotehost"
    works just fine.

    However, the script fails when it tries to execute these two commands:

    Code:
    sudo ssh -fnx4 -l test -i /home/test/.ssh/id_rsa.pub test@remotehost "mkdir /home/test/somedirectory"
    This actually asks me the passphrase for the public key...

    Code:
    Enter passphrase for key '/home/test/.ssh/id_rsa.pub':
    And there is no password for the public key...

    The second command is this:

    Code:
    sudo rsync -avzl -e "ssh -l test" /home/test/Desktop/somefile test@remotehost:/home/test/somedirectory
    And the output is "Permission denied (publickey).

    Adding "-i /path/to/public_keyfile" leads to the same output as when using ssh:

    Code:
    Enter passphrase for key '/home/test/.ssh/id_rsa.pub':
    Is it possible to make ssh and rsync login using another user credentials when they are started with root privileges by sudo?

    Thank you.

  2. #2
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: how to "sudo ssh/rsync" a remote host using a user's keyfiles?

    Are you completely sure the key has no passphrase? It would just log you in if that was the case instead of prompting you to enter the passphrase.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  3. #3
    Join Date
    Apr 2013
    Beans
    124
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: how to "sudo ssh/rsync" a remote host using a user's keyfiles?

    Absolutely. I am connecting to that host a dozen of times a day and there is no password required, nor the keys were created using any password, nor the ssh server will accept any connection using a password. I am wondering too what password does it ask for?

  4. #4
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: how to "sudo ssh/rsync" a remote host using a user's keyfiles?

    That's odd.

    I've connected to other boxes via ssh using another user's credentials with no problem before.

    You could try running ssh with -vvv and see what it spits out.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  5. #5
    Join Date
    Apr 2013
    Beans
    124
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: how to "sudo ssh/rsync" a remote host using a user's keyfiles?

    I'll give it a try later and post back the results.

    Thank you.

  6. #6
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: how to "sudo ssh/rsync" a remote host using a user's keyfiles?

    However, the script fails when it tries to execute these two commands:

    Code:
    sudo ssh -fnx4 -l test -i /home/test/.ssh/id_rsa.pub test@remotehost "mkdir /home/test/somedirectory"
    There you're running ssh under sudo to no real gain. If you are already running the script as root then sudo is redundant (unless used with -u). But it alone should not cause the line to fail. What might cause it to fail is that you are using the public key (id_rsa.pub) where you should be using the private key (id_rsa) The private key stays on the client and shouldn't leave.

    The second command is this:
    Code:
    sudo rsync -avzl -e "ssh -l test" /home/test/Desktop/somefile test@remotehost:/home/test/somedirectory
    That one might be for two reaons. First, you also have to specify the key inside the -e option unless it is already in the agent:

    -e "ssh -l test -i /home/test/.ssh/id_rsa"

    Second, again, the client end uses id_rsa and not id_rsa.pub. The public key (id_rsa.pub) is the only one that belongs on the server in authorized_keys.

  7. #7
    Join Date
    Apr 2013
    Beans
    124
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: how to "sudo ssh/rsync" a remote host using a user's keyfiles?

    Quote Originally Posted by Lars Noodén View Post
    There you're running ssh under sudo to no real gain.
    Indeed, in the script there is no sudo for these two commands, but I had to simulate the root perspective when running them separately, trying to find out what's wrong.

    Quote Originally Posted by Lars Noodén View Post
    What might cause it to fail is that you are using the public key (id_rsa.pub) where you should be using the private key (id_rsa) The private key stays on the client and shouldn't leave.
    Thank you, Sir! Thank you!

    I spent a few good hours and I simply didn't realise that I so was stupid to use a public key to authenticate against the same key which was already on the server...

    Dear everyone, don't do the same mistake.

    The two commands are working just fine in the previous specified circumstances if they are used properly (as follows):

    Code:
    test@localhost:~$ sudo rsync -azvl -e "ssh -l test -i /home/test/.ssh/id_rsa" /home/test/Desktop/test-backup test@remotehost:/home/test/backup/test1/
    sending incremental file list
    test-backup
    
    sent 1074265999 bytes  received 31 bytes  11613686.81 bytes/sec
    total size is 1073741824  speedup is 1.00
    and...

    Code:
    test@localhost:~$ sudo ssh -fnx4 -l test -i /home/test/.ssh/id_rsa test@remotehost "mkdir /home/test/backup/IT-WORKS"
    I'll leave this thread open for a little more because I want to test the commands with the script, too. I think everything will be fine, but just to make sure...



    CharlesA, thank you, too for your time.
    Last edited by clearski; November 24th, 2013 at 04:03 PM. Reason: forgot to thank CharlesA :)

  8. #8
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: how to "sudo ssh/rsync" a remote host using a user's keyfiles?

    Wow, I totally missed that one. Nice job, Lars!
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  9. #9
    Join Date
    Apr 2013
    Beans
    124
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: how to "sudo ssh/rsync" a remote host using a user's keyfiles?

    Testing the commands with the script & with crontab -> success.

    Solved.

  10. #10
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: how to "sudo ssh/rsync" a remote host using a user's keyfiles?

    Glad it's working.

    By the way, if you're working with a number of keys, it won't hurt to rename the files. You can do that when the keys are created with "ssh-keygen -f" or after the fact by just renaming the files. That can tell you at a glance what the keys are for when you see them in the directory.

    Also, the very last data field in the public key is actually a comment and it is a good idea to put something descriptive there. By default it ends up with an email address-like string, but it's better to replace that, at least on the public key you keep on your client. Some graphical key management programs use that string to describe the key pair.

    Both can help remind you of what the key is for.

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •