LXF165 Unison tutorial - How to use password ssh with cron?



Postby guttagrynna » Sun Dec 09, 2012 6:11 pm

The tutorial on Unison has been really useful for me, but I don't like the idea of not protecting SSH with a password. I first thought it would be easy to use a password with SSH by means of gnome-keyring or whatever it's called. But I have since found out that using cron requires a lot of extra configuration so that it doesn't ask for a password every time it runs the script, and after trawling the internet on the subject I feel it is beyond my current knowledge level to sort this out. I vaguely understand the problem, but can't solve it on my own.

To clarify, I can run the script manually without being prompted for a password, but when using cron I need to enter the keyring password every time.

Can anyone offer instructions on this? Or maybe LXF could run a follow-up on the recent article, this time with a password for your SSH key.

Best regards,

Mårten
guttagrynna
 
Posts: 3
Joined: Thu Nov 15, 2012 8:41 pm
Location: Stockholm, Sweden

Postby Bruno » Sun Dec 09, 2012 8:05 pm

Hi Mårten,

If you are a subscriber, you will find a tutorial on SSH (and VNC) from LXF 119 by Neil Bothwick in the archive. It will help you with the SSH side of things. If not, I created some notes a while ago to help me. I've pasted them below:

1) SSH Setup:
i) Use OpenSSH, check that the package "openssh" is installed on all client and server machines.
ii) To log into a remote machine via ssh, where <hostname> is the name of the machine running sshd (this should also be your hub computer, the one with which all the others synchronise):
Code: Select all
$ ssh <hostname>

* This will prompt you for your password on the server machine if not using public key authentication.
* It also logs you in with same user ID with which you are logged into the client machine.
* If you need to log in with a different user name, use this:
Code: Select all
$ ssh <user>@<hostname>


2) Server Configuration
i) Check that the following entries have these settings in the /etc/ssh/sshd_config file and that they are uncommented:
Code: Select all
PermitRootLogin no
Protocol 2

PubkeyAuthentication yes
RSAAuthentication no
AuthorizedKeysFile %h/.ssh/authorized_keys

# * (see note below)
PasswordAuthentication no
PermitEmptyPasswords no
# ** (see note below)
ChallengeResponseAuthentication yes
UsePAM yes

# *** (see note below)
Compression no
# **** (see note below)
X11Forwarding no

* Always have set to "no".
** Initially set these to "yes" but change to "no" after uploading the authentication key from client (more on this later).
*** This is the best setting for synchronisation over a local network, but you may want compression if you are synchronising over the internet or also using remote desktop access.
**** Change to "yes" if you are also using remote desktop access.
ii) Configure /etc/hosts.allow by adding the following lines:
Code: Select all
sshd  :  127.0.0.1  :  allow
sshd  :  192.168.   :  allow

This will only allow computers on your private network (assuming it is using IP addresses in the range 192.168.X.X) access to your hub computer via SSH.
iii) Configure /etc/hosts.deny by adding the following line:
Code: Select all
sshd  :  ALL        :  deny

This ensures that only computers that are explicitly allowed (see above) access to your hub computer may connect via SSH.
iv) Enable the service "sshd" to start automatically at boot time. How to do this may be specific to your distro.

3) Client Configuration
i) Check that the following entries have these settings in the /etc/ssh/ssh_config file and that they are uncommented (note: ssh_config, not sshd_config):
Code: Select all
ForwardX11Trusted no
Port 22
Protocol 2
HashKnownHosts yes


4) Preparation for Public Key Authentication and Key Generation
i) Create the following directory and file on the client machine and give them appropriate permissions:
a) /home/<user>/.ssh/
Code: Select all
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh

b) /home/<user>/.ssh/config
Code: Select all
$ touch ~/.ssh/config
$ chmod 644 ~/.ssh/config

ii) Add the hostname and its IP address to the /home/<user>/.ssh/config file:
Code: Select all
$ echo "Host <hostname>" >> ~/.ssh/config ; echo "      Hostname <host_ip_address>" >> ~/.ssh/config

iii) Still on the client machine, type the following in a terminal (supplying your password for the server machine when prompted) to generate keys on the client machine and transfer the public key to the server machine:
Code: Select all
$ ssh-keygen
$ ssh-copy-id <user>@<hostname>

iv) On the server machine, disable password logins by editing the /etc/ssh/sshd_config file as described previously and restart sshd.

5) Alternative methods for transferring keys to the server (if you have already disabled password access on the server):
i) Copy the file /home/<user>/.ssh/id_rsa.pub onto a USB stick.
ii) On the server machine, type:
Code: Select all
$ cat /media/<stick>/id_rsa.pub >> ~/.ssh/authorized_keys

This should set you up nicely on the SSH side of things. Now just create the unison config files from within the unison programme or by hand. My "default.prf" file that sits in /home/<user>/.unison/ looks something like this:
Code: Select all
# Unison preferences file

# For remote synchronisation:
# Roots of the synchronization:
root = /home/<user>/<directory>
root = ssh://<user>@<hostname>/<directory>

# For local synchronisation:
# Roots of the synchronization:
root = /home/<user>/<directory>
root = /media/<external_drive>/<directory>

# Names and paths to ignore:
include common

Note how the path to the remote directory is expressed when connecting via SSH. The line at the bottom just contains a small list of common exceptions and can be omitted.

You should then be able to run Unison as a cron job and not have it ask for a password by invoking:
Code: Select all
$ unison -ui text -auto default.prf

Good luck!
Bruno 8)
Bruno
LXF regular
 
Posts: 139
Joined: Tue Sep 18, 2007 6:07 pm
Location: Cambridgeshire, UK
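As an added example (not part of Bruno's post, and not code from Unison or OpenSSH), the shell script below does two checks a practitioner wants before trusting the setup above: it audits an sshd_config against the final settings of section 2 (password logins off, keys on, the ** entries switched to "no" after the key upload), and it turns the client's public key into an authorized_keys entry that can only run the Unison server side, from one network. It assumes OpenSSH's config rules (keywords are case-insensitive, the first value for a keyword wins, lines starting with "#" are comments, and lines after a "Match" apply only conditionally), the "Keyword value" spelling rather than "Keyword=value", and that Unison's client starts "unison -server" on the remote host so a forced command of that form still lets the sync run. The sshd_config and public key it prints are constructed samples, not real files.

```shell
#!/bin/sh
# Added example, not from the original post or from Unison/OpenSSH.
# 1) check_sshd_config: audit an sshd_config against the key-only settings.
# 2) restrict_key: build a least-privilege authorized_keys entry for the job.
# Assumptions (OpenSSH config rules): keywords are case-insensitive, the first
# value for a keyword wins, '#' starts a comment line, and lines after a
# "Match" apply only conditionally. The "Keyword=value" spelling is not handled.

# effective_value FILE KEYWORD: print the first uncommented value of KEYWORD.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/                   { next }   # comment line
        /^[ \t]*$/                   { next }   # blank line
        tolower($1) == "match"       { exit }   # conditional block starts: stop
        tolower($1) == tolower(key)  { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE: print one line per mismatch; return 1 if any.
check_sshd_config() {
    rc=0
    while read -r kw want; do
        got=$(effective_value "$1" "$kw")
        [ -z "$got" ] && got="(unset)"
        if [ "$got" != "$want" ]; then
            echo "$kw: want $want, got $got"
            rc=1
        fi
    done <<EOF
PermitRootLogin no
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding no
EOF
    return $rc
}

# restrict_key PUBKEY_FILE SOURCE_NET: emit an authorized_keys line for the
# Unison job. Unison's client runs "unison -server" on the remote host, so
# forcing that command keeps sync working while blocking shells, port and
# agent forwarding and ptys (assumption: default -servercmd, no extra args).
restrict_key() {
    printf 'from="%s",command="unison -server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$2" "$(cat "$1")"
}

# --- Demonstration on constructed data (not a real server's files) ---
cfg=$(mktemp)
cat >"$cfg" <<'EOF'
# Constructed sample: key upload done, but password login was never turned off
PermitRootLogin no
Protocol 2
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes
X11Forwarding no
Match User backup
    PasswordAuthentication no
EOF
if check_sshd_config "$cfg"; then
    echo "sshd_config matches the key-only configuration"
else
    echo "sshd_config still allows password logins; fix before relying on keys alone"
fi

pub=$(mktemp)
# constructed key text, not a real key
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample marten@client" >"$pub"
restrict_key "$pub" "192.168.0.0/16"
rm -f "$cfg" "$pub"
```

On the constructed sample the audit reports PasswordAuthentication and ChallengeResponseAuthentication as "yes" even though a later Match block turns one of them off, because the Match only applies to that one user; the global setting is what everyone else gets. The restricted entry replaces the plain line that ssh-copy-id or the USB-stick method appends, so a stolen job key gets a Unison server process and nothing else.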

Postby guttagrynna » Sun Dec 09, 2012 8:29 pm

Thanks Bruno,

I will study your instructions. A quick read-through gave me the impression that I would have to give up normal SSH login by password. That's a bit worrying because this is a Dreamplug computer with no video output of its own, so the only way to access it is over the network, or by a little thingy called JTAG.

/Mårten
guttagrynna
 
Posts: 3
Joined: Thu Nov 15, 2012 8:41 pm
Location: Stockholm, Sweden

Postby nelz » Sun Dec 09, 2012 10:09 pm

If you have a key, SSH will try to use that to login. If no suitable key is present, you will be asked for a password, so you can use keys and passwords alongside one another.

For example, I have no keys set up on my phone because it is easily lost or stolen, so connecting from that requires a password, while I can connect from my laptop with no password because that has keys set up.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
nelz
Site admin
 
Posts: 8493
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK

Postby MartyBartfast » Mon Dec 10, 2012 10:07 am

Thanks Bruno! On Friday afternoon a DBA came to me with a problem doing X forwarding on one of his boxes. I had a look and couldn't figure out the problem, but it was getting late and he wanted to go home, so we left it broken. I thought I'd checked everything and was expecting a real headache when I got in this morning, but then I read your post on Sunday, saw this bit

Bruno wrote:...
2) Server Configuration
i) Check that the following entries have these settings in the /etc/ssh/sshd_config file and that they are uncommented:
Code: Select all
...
X11Forwarding no****


and realised that I hadn't checked that, so a quick fix as soon as I got in and he's a happy chap.
I have been touched by his noodly appendage.
MartyBartfast
LXF regular
 
Posts: 815
Joined: Mon Aug 22, 2005 7:25 am
Location: Hants, UK

Postby Bruno » Mon Dec 10, 2012 1:54 pm

Hi Folks,

Mårten: The keys protect SSH once you have them set up, this is public key authentication. I use password authentication to log into the server computer for the initial transmission of the client computer's public key to the server computer. Once this is done, I disable password access. However, at no time is the SSH connection open to someone who neither has my password on the server nor my private key on their client, so my connection is protected.

Using this method obviates the need to enter a password upon connection to the server and hence allows services that require this connection in order to perform their task to be automated. I suspect the reason why cron won't play nicely with gnome keyring is because cron isn't part of any desktop, so it doesn't know it should go via a desktop application to do authentication.

You will find this route a departure from what you are used to, I did when I started, but work through it and it will pay dividends. Just be sure to back-up any config file you want to edit before committing changes and make sure you always have a way back if you get out of your depth.

MartyBartfast: Thanks, I'm glad my reply was useful. I didn't know how much to include so I thought I'd include everything from my notes, as they are pretty comprehensive. All credit to Nelz, though, for the tutorial in LXF 119, as that navigated me through SSH on my first go.
Bruno
LXF regular
 
Posts: 139
Joined: Tue Sep 18, 2007 6:07 pm
Location: Cambridgeshire, UK
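As an added example (not Bruno's code and not Unison's own), here is the kind of wrapper to put in the cron entry once key authentication is in place. It addresses the failure mode discussed above: under cron there is no desktop keyring or agent, so if ssh ever needs a passphrase or password it will prompt, and the job hangs or dies silently. The wrapper points ssh at a dedicated key for the job, sets BatchMode so ssh exits with an error instead of prompting, runs Unison with -batch so conflicts are reported rather than asked about, and takes an atomic mkdir lock so two overlapping runs cannot race. The profile name "default", the key path ~/.ssh/unison_job and the lock path ~/.unison/cron.lock are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Unison): a cron-side
# wrapper for a key-only Unison sync. Assumed, illustrative names: profile
# "default", job key ~/.ssh/unison_job, lock directory ~/.unison/cron.lock.

# unison_cmd PROFILE KEYFILE: print the command line cron should run.
#  -batch          : never prompt; conflicts are skipped and reported
#  BatchMode=yes   : ssh fails instead of asking for a passphrase/password,
#                    which under cron (no agent, no keyring) would just hang
#  IdentitiesOnly  : offer only the job key, not whatever else is around
unison_cmd() {
    printf 'unison -ui text -batch -sshargs "-i %s -o BatchMode=yes -o IdentitiesOnly=yes" %s\n' \
        "$2" "$1"
}

# with_lock LOCKDIR CMD [ARGS...]: run CMD unless LOCKDIR already exists.
# mkdir is atomic, so two cron runs that start together cannot both win.
# Returns 75 (EX_TEMPFAIL) when skipped, otherwise CMD's own exit status.
with_lock() {
    lock=$1; shift
    if ! mkdir "$lock" 2>/dev/null; then
        echo "with_lock: $lock held by another run, skipping" >&2
        return 75
    fi
    "$@"
    status=$?
    rmdir "$lock"
    return $status
}

# Install as ~/bin/unison-cron and add a crontab line such as:
#   */15 * * * * $HOME/bin/unison-cron run >> $HOME/.unison/cron.log 2>&1
# Without the "run" argument it only prints what it would execute.
cmd=$(unison_cmd default "$HOME/.ssh/unison_job")
if [ "${1:-}" = run ]; then
    with_lock "$HOME/.unison/cron.lock" sh -c "$cmd"
else
    echo "would run: $cmd"
fi
```

Because the job key is a separate key from the one used for interactive logins, it can be given the restricted authorized_keys treatment on the server without touching normal access, and if ssh does fail under cron the non-zero exit status and the error in the log say why, instead of a prompt nobody can answer.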

Postby nelz » Mon Dec 10, 2012 2:30 pm

There's some more SSH coverage in LXF166.
nelz
Site admin
 
Posts: 8493
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK

