Environment: centos7 + mariadb5.5.64.
Let me show the installation info on screen when to run mysql_secure_installation.
# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
I write an automation expect script to install mariadb.
vim secure.exp
set timeout 60
spawn mysql_secure_installation
expect {
"Enter current password for root (enter for none): " {send "\r";exp_continue}
"Set root password? [Y/n] " {send "y\r";exp_continue}
"New password:" {send "123456\r";exp_continue}
"Re-enter new password:" {send "123456\r";exp_continue}
"Remove anonymous users? [Y/n]" {send "y\r";exp_continue}
"Disallow root login remotely? [Y/n]" {send "y\r";exp_continue}
"Remove test database and access to it? [Y/n]" {send "y\r";exp_continue}
"Reload privilege tables now? [Y/n]" {send "y\r";exp_continue}
}
To execute /usr/bin/expect secure.exp, i come across the error:
spawn mysql_secure_installation
invalid command name "Y/n"
while executing
"Y/n"
invoked from within
"expect {
"Enter current password for root (enter for none): " {send "\r";exp_continue}
"Set root password? [Y/n] " {send "y\r";exp..."
(file "secure.exp" line 3)
It is no use to write as below:
set timeout 60
spawn mysql_secure_installation
expect {
"Enter current password for root (enter for none): " {send "\r";exp_continue}
"Set root password? \\[Y/n] " {send "y\r";exp_continue}
"New password:" {send "123456\r";exp_continue}
"Re-enter new password:" {send "123456\r";exp_continue}
"Remove anonymous users? \\[Y/n]" {send "y\r";exp_continue}
"Disallow root login remotely? \\[Y/n]" {send "y\r";exp_continue}
"Remove test database and access to it? \\[Y/n]" {send "y\r";exp_continue}
"Reload privilege tables now? \\[Y/n]" {send "y\r";exp_continue}
}
Same error:
invalid command name "Y/n"
while executing
"Y/n"
invoked from within
"expect {
"Enter current password for root (enter for none): " {send "\r";exp_continue}
"Set root password? \\[Y/n] " {send "y\r";exp_conti..."
(file "secure.exp" line 3)
How to fix my exp script then?
These scripts wait to receive optional output (timeout -1 means "no timeout") and they can tell apart different responses, as it is required by yum install and mysql_secure_installation. With #!/bin/expect -f as shebang, the scripts can be executed, when they were set to chmod +x.
A) To begin with, mariadb_yum.exp (requires su or sudo):
#!/bin/expect -f
set timeout 30
if {[llength $argv] == 0} {
send_user "Usage: mariadb_yum.exp \[linux sudo password\]\n"
exit 1
}
set USERNAME "[exec whoami]"
set PASSWORD [lindex $argv 0];
# optionally, redirect output to log file (silent install)
# log_user 0
# log_file -a "/home/$USERNAME/mariadb_install.log"
spawn sudo yum -y install MariaDB-server
set yum_spawn_id $spawn_id
# On GCE it will never ask for a sudo password:
expect -ex "\[sudo\] password for $USERNAME: " {
exp_send "$PASSWORD\r"
}
expect {
# when the package was already installed
-ex "Nothing to do" {
send_user "package was already installed\n"
}
# when the package had been installed
-ex "Complete!" {
send_user "package had been installed\n"
}
}
expect eof
close $yum_spawn_id
exit 0
B) And then mariadb_sec.exp (doesn't require sudo):
#!/bin/expect -f
set timeout 1
if {[llength $argv] == 0} {
send_user "Usage: mariadb_sec.exp \[mysql root password\]\n"
exit 1
}
set PASSWORD [lindex $argv 0];
spawn mysql_secure_installation
set mysql_spawn_id $spawn_id
# optionally, redirect output to log file (silent install)
# log_user 0
# log_file -a "/home/[exec whoami]/mariadb_install.log"
# when there is no password set, this probably should be "\r"
expect -ex "Enter current password for root (enter for none): "
exp_send "$PASSWORD\r"
expect {
# await an eventual error message
-ex "ERROR 1045" {
send_user "\nMariaDB > An invalid root password had been provided.\n"
close $mysql_spawn_id
exit 1
}
# when there is a root password set
-ex "Change the root password? \[Y/n\] " {
exp_send "n\r"
}
# when there is no root password set (could not test this branch).
-ex "Set root password? \[Y/n\] " {
exp_send "Y\r"
expect -ex "New password: "
exp_send "$PASSWORD\r"
expect -ex "Re-enter new password: "
exp_send "$PASSWORD\r"
}
}
expect -ex "Remove anonymous users? \[Y/n\] "
exp_send "Y\r"
expect -ex "Disallow root login remotely? \[Y/n\] "
exp_send "Y\r"
expect -ex "Remove test database and access to it? \[Y/n\] "
exp_send "Y\r"
expect -ex "Reload privilege tables now? \[Y/n\] "
exp_send "Y\r"
expect eof
close $mysql_spawn_id
exit 0
For debugging purposes - or to validate the answer, one can run expect with log-level strace 4. This is probably as reputable as a source can get, when it comes to writing expect scripts, as it nicely displays what is going on and most importantly, in which order the things happen:
expect -c "strace 4" ./mariadb_yum.exp [linux sudo password]
expect -c "strace 4" ./mariadb_sec.exp [mysql root password]
Instruction set exp_internal 1 can be used to get output for the regex-matching.
A possible source of confusion might be, where one spawns the processes - as one can spawn several process on various hosts, eg. ssh locally and then yum and mysql_secure_installation remotely. Added $spawn_id to the script; the bottom one close call might be redundant, since it is already EOF (just to show how to spawn & close processes):
Thanks for using MariaDB!
1 close $mysql_spawn_id
1 exit 0
2 rename _close.pre_expect close
Conclusion: The mariadb_sec.exp script probably could be improved further, eg. when at first sending no password and seeing what happens - then sending the password on ERROR 1045 (when a password had already been set previously). It may be save to assume, that one has to set the password when the server just has been installed (except that yum reinstall delivers the same result). Just had no blank CentOS container to test all the cases. Unless running in a root shell, passing both kinds of passwords into one script would be required to automate this from installation until post-installation.
Probably worth noting is that on GCE, sudo would not ask for a password; there are indeed minor differences based upon the environment, as these CentOS container images behave differently. In such case (since there is no su or container-image detection in place), the mariadb_yum.exp script might get stuck for 30 seconds and then continue.
The most reputable sources I can offer are the expect manual, written by Don Libes # NIST and the TCL/TK manual for expect, along with it's SourceForge project coincidentally called expect.
Not only are square brackets used for command substitution, but they are also special for glob patterns.
You can either use the -exact switch while escaping the square brackets in quotes:
spawn mysql_secure_installation
expect {
...
-exact "Set root password? \[Y/n\] " {send "y\r";exp_continue}
...
}
Or use braces instead of quotes:
spawn mysql_secure_installation
expect {
...
{Set root password? \[Y/n\] } {send "y\r";exp_continue}
...
}
FYI you can have the expect script generated for you by using autoexpect:
autoexpect ./mysql_secure_installation
This will generate an expect script called script.exp in your present working directory.
Related
I am creating a restricted user without shell for port forwarding only and I need to execute a script on login via pubkey, even if the user is connected via ssh -N user#host which doesn't asks SSH server for a shell.
The script should warn admin on connections authenticated with pubkey, so the user connecting shouldn't be able to skip the execution of the script (e.g., by connecting with ssh -N).
I have tried to no avail:
Setting the command at /etc/ssh/sshrc.
Using command="COMMAND" in .ssh/authorized_keys (man authorized_keys)
Setting up a script with the command as user's shell. (chsh -s /sbin/myscript.sh USERNAME)
Matching user in /etc/ssh/sshd_config like:
Match User MYUSERNAME
ForceCommand "/sbin/myscript.sh"
All work when user asks for shell, but if logged only for port forwarding and no shell (ssh -N) it doesn't work.
The ForceCommand option runs without a PTY unless the client requests one. As a result, you don't actually have a shell to execute scripts the way you might expect. In addition, the OpenSSH SSHD_CONFIG(5) man page clearly says:
The command is invoked by using the user's login shell with the -c option.
That means that if you've disabled the user's login shell, or set it to something like /bin/false, then ForceCommand can't work. Assuming that:
the user has a sensible shell defined,
that your target script is executable, and
that your script has an appropriate shebang line
then the following should work in your global sshd_config file once properly modified with the proper username and fully-qualified pathname to your custom script:
Match User foo
ForceCommand /path/to/script.sh
If you only need to run a script you can rely on pam_exec.
Basically you reference the script you need to run in the /etc/pam.d/sshd configuration:
session optional pam_exec.so seteuid /path/to/script.sh
After some testing you may want to change optional to required.
Please refer to this answer "bash - How do I set up an email alert when a ssh login is successful? - Ask Ubuntu" for a similar request.
Indeed in the script only a limited subset on the environment variables is available:
LANGUAGE=en_US.UTF-8
PAM_USER=bitnami
PAM_RHOST=192.168.1.17
PAM_TYPE=open_session
PAM_SERVICE=sshd
PAM_TTY=ssh
LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8
PWD=/
If you want to get the user info from authorized_keys this script could be helpful:
#!/bin/bash
# Get user from authorized_keys
# pam_exec_login.sh
# * [ssh - What is the SHA256 that comes on the sshd entry in auth.log? - Server Fault](https://serverfault.com/questions/888281/what-is-the-sha256-that-comes-on-the-sshd-entry-in-auth-log)
# * [bash - How to get all fingerprints for .ssh/authorized_keys(2) file - Server Fault](https://serverfault.com/questions/413231/how-to-get-all-fingerprints-for-ssh-authorized-keys2-file)
# Setup log
b=$(basename $0| cut -d. -f1)
log="/tmp/${b}.log"
function timeStamp () {
echo "$(date '+%b %d %H:%M:%S') ${HOSTNAME} $b[$$]:"
}
# Check if opening a remote session with sshd
if [ "${PAM_TYPE}" != "open_session" ] || [ $PAM_SERVICE != "sshd" ] || [ $PAM_RHOST == "::1" ]; then
exit $PAM_SUCCESS
fi
# Get info from auth.log
authLogLine=$(journalctl -u ssh.service |tail -100 |grep "sshd\[${PPID}\]" |grep "${PAM_RHOST}")
echo ${authLogLine} >> ${log}
PAM_USER_PORT=$(echo ${authLogLine}| sed -r 's/.*port (.*) ssh2.*/\1/')
PAM_USER_SHA256=$(echo ${authLogLine}| sed -r 's/.*SHA256:(.*)/\1/')
# Get details from .ssh/authorized_keys
authFile="/home/${PAM_USER}/.ssh/authorized_keys"
PAM_USER_authorized_keys=""
while read l; do
if [[ -n "$l" && "${l###}" = "$l" ]]; then
authFileSHA256=$(ssh-keygen -l -f <(echo "$l"))
if [[ "${authFileSHA256}" == *"${PAM_USER_SHA256}"* ]]; then
PAM_USER_authorized_keys=$(echo ${authFileSHA256}| cut -d" " -f3)
break
fi
fi
done < ${authFile}
if [[ -n ${PAM_USER_authorized_keys} ]]
then
echo "$(timeStamp) Local user: ${PAM_USER}, authorized_keys user: ${PAM_USER_authorized_keys}" >> ${log}
else
echo "$(timeStamp) WARNING: no matching user in authorized_keys" >> ${log}
fi
I am the author of the OP; I came to the conclusion that what I need to achieve is not possible using SSH only to the date (OpenSSH_6.9p1 Ubuntu-2, OpenSSL 1.0.2d 9 Jul 2015), but I found a great piece of software that uses encrypted SPAuthentication to open SSH port and it's new version (to the date of this post, it's GitHub master branch) has a feature to execute a command always that a user authorizates successfully.
FWKNOP - Encrypted Single Packet Authorization
FWKNOP set iptables rules that allow access to given ports upon a single packet encrypted which is sent via UDP. Then after authorization it allow access for the authorized user for a given time, for example 30 seconds, closing the port after this, leaving the connection open.
1. To install on an Ubuntu linux:
The current version (2.6.0-2.1build1) on Ubuntu repositories to the date still doesn't allow command execution on successful SPA; (please use 2.6.8 from GitHub instead)
On client machine:
sudo apt-get install fwknop-client
On server side:
sudo apt-get install fwknop-server
Here is a tutorial on how to setup the client and server machines
https://help.ubuntu.com/community/SinglePacketAuthorization
Then, after it is set up, on server side:
Edit /etc/default/fwknop-server
Change the line START_DAEMON="no" to START_DAEMON="yes"
Then run:
sudo service fwknop-server stop
sudo service fwknop-server start
2. Warning admin on successful SPA (email, pushover script etc)
So, as stated above the current version present in Ubuntu repositories (2.6.0-2.1build1) cannot execute command on successful SPA. If you need this feature as of the OP, but it will be released at fwknop version (2.6.8), as can it is stated here:
https://github.com/mrash/fwknop/issues/172
So if you need to use it right now you can build from github branch master which have the CMD_CYCLE_OPEN option.
3. More resources on fwknop
https://help.ubuntu.com/community/SinglePacketAuthorization
https://github.com/mrash/fwknop/ (project on GitHub)
http://www.cipherdyne.org/fwknop/ (project site)
https://www.digitalocean.com/community/tutorials/how-to-use-fwknop-to-enable-single-packet-authentication-on-ubuntu-12-04 (tutorial on DO's community)
I am the author of the OP. Also, you can implement a simple logwatcher as the following written in python3, which keeps reading for a file and executes a command when line contains pattern.
logwatcher.python3
#!/usr/bin/env python3
# follow.py
#
# Follow a file like tail -f.
import sys
import os
import time
def follow(thefile):
thefile.seek(0,2)
while True:
line = thefile.readline()
if not line:
time.sleep(0.5)
continue
yield line
if __name__ == '__main__':
logfilename = sys.argv[1]
pattern_string = sys.argv[2]
command_to_execute = sys.argv[3]
print("Log filename is: {}".format(logfilename))
logfile = open(logfilename, "r")
loglines = follow(logfile)
for line in loglines:
if pattern_string in line:
os.system(command_to_execute)
Usage
Make the above script executable:
chmod +x logwatcher.python3
Add a cronjob to start it after reboot
crontab -e
Then write this line there and save it after this:
#reboot /home/YOURUSERNAME/logwatcher.python3 "/var/log/auth.log" "session opened for user" "/sbin/myscript.sh"
The first argument of this script is the log file to watch, and the second argument is the string for which to look in it. The third argument is the script to execute when the line is found in file.
It is best if you use something more reliable to start/restart the script in case it crashes.
I am trying to ssh through .tcl script from ActiveState TCL 'tclsh' window.
Having WINDOWS OS system.
#!/bin/sh
# \
exec tclsh "$0" ${1+"$#"}
package require Expect
set user [lindex $argv 0]
set password [lindex $argv 1]
set DeviceIpAddr [lindex $argv 2]
set DeviceHostName [lindex $argv 3]
foreach DeviceIp $DeviceIpAddr HostName $DeviceHostName {
spawn ssh $DeviceIp
expect "login as:"
send "$user\r"
expect "Password:"
send "$password\r"
expect "$HostName ~]#"
}
I see below error while execute in tclsh(ActiveTCL)
% tclsh Test.tcl root 321 17.250.217.151 lb02va
The system cannot find the file specified.
while executing
"spawn ssh root#$DeviceIp"
("foreach" body line 3)
invoked from within
"foreach DeviceIp $DeviceIpAddr HostName $DeviceHostName {
spawn ssh root#$DeviceIp
expect "login as:"
send "$user\r"
expect "Password:"
send..."
(file "Test.tcl" line 12)
child process exited abnormally
Kindly assist me resolving this.
Thank you.
First, make sure that you have ssh installed. From the bash prompt (Mac, Linux, Cygwin) or cmd prompt (Windows), type:
ssh
If you see an error, try to fix it. The most likely cause is ssh not installed, or not in the path.
Next, in your script, you did not use the $user variable, instead you use the hard-coded root. Fix that:
spawn ssh $user#$DeviceIp
The final problem: you already specified the user name from the command line, the ssh program will not ask for user again, so you must delete these two lines:
expect "login as:"
send "$user\r"
After that, hopefully everything will go as planned.
I want to make a shellscript to install Wine on a Mac
and i want the user to enter his/her password so the script can use it later on to make the installation unattended by automatically entering the password on "sudo" commands. This is what i got for now:
clear
echo Wine Installer v1.0
echo -------------------
echo by Sydcul
sleep 4
clear
echo "Please enter your OS X user password."
echo "It is needed in some parts of the installation."
read PASSWORD
echo "Wine installation starting."
echo "Please do not shut down your system."
mkdir winetmp
cd winetmp
curl -O https://distfiles.macports.org/MacPorts/MacPorts-2.0.3.tar.bz2
tar xjvf MacPorts-2.0.3.tar.bz2
cd MacPorts-2.0.3
echo $PASSWORD | ./configure && make && sudo make install
echo $PASSWORD | sudo port -v selfupdate
echo $PASSWORD | sudo port -v install xorg
echo $PASSWORD | sudo port -v install wine
rm -rf ~/winetmp
clear
echo "Wine is successfully installed and ready for use!"
But at a certain point is still asks for the password.
How can i fix this?
Honestly, I would drop all that $PASSWORD stuff and remove the sudo from all your commands. You are writing an installation script, which should be run with elevated privileges. Have your users execute your script with sudo ./installwine.sh, and then run the commands in the script without sudo. All your port -v stuff will inherit the elevated privileges.
If you'd like to offer your user a nice error message if they forget to run the script with sudo (rather than just having your first call to port fail cryptically), you could check to see if the effective user ID ($EUID) is 0, and print the error message and exit otherwise. See https://askubuntu.com/questions/30148/how-can-i-determine-whether-a-shellscript-runs-as-root-or-not.
You can prompt the user for the password for the first time and then save it in a file (and don't forget to encrypt it).
The next time when you need it you can easily read it from the same file and store it in a variable and then use this command
echo $variablename | sudo -S command
Actually I think sudo doesn't accept password from stdin (you need to specify -S parameter to enable this).
As workaround you can execute sudo su to gain root privileges for all commands.
UPD: I'm not recommend to save password to file cause it is very bad solution from security point.
UPD2: You forget about Xcode, if it is not installed this script fails on compile stage :)
Why don't you just use the custom prompt option for sudo, and let it ask for the password if it needs it?
You start by checking if they're already root or not like this:
SUDO=""
if [[ 0 == $(id -u) ]]
then
SUDO="sudo "
fi
$SUDO command 1
$SUDO command arg arg arg
and then optionally combine that with the ability to customize the sudo prompt using the -p option.
then
SUDO="sudo -p \"I need elevated access for this part. Please enter %u's password:\" "
fi
You still get control over the interface, but don't prompt for a password unless you need it. Some people may have sudo set up for nopassword operation, for example. Others might run your installer as root. Or maybe their pasword is already cached with sudo. Etc. It's best to let sudo manage prompting, possibly using an askpass program (see the -A option) if necessary.
I've written a little script to supply a password to sshfs, but for some reason sshfs isn't grabbing the password. Any pointers? (PS I know ssh keys are better/safer, but politics where I work prevents key based authentication being setup on the target server - sigh... ).
#!/usr/bin/expect
# NOT WORKING!!
exp_internal 1
spawn sshfs server:/export/pc_storage /home/sonia/mnt/server
expect {
"assword:" {
send "secret\r\r"
send_user "\n"
}
timeout {
send_user "timed out!\n"
}
}
To terminate the password, I've tried \r \n \r\r - none work.
Debugging output, showing that password prompt is triggering:
spawn sshfs server:/export/pc_storage /home/sonia/mnt/server
parent: waiting for sync byte
parent: telling child to go ahead
parent: now unsynchronized from child
spawn: returns {17532}
expect: does "" (spawn_id exp6) match glob pattern "assword:"? no
pcuser#server's password:
expect: does "pcuser#server's password: " (spawn_id exp6) match glob pattern "assword:"? yes
expect: set expect_out(0,string) "assword:"
expect: set expect_out(spawn_id) "exp6"
expect: set expect_out(buffer) "pcuser#server's password:"
send: sending "secret\r\r" to { exp6 }
% uname -a
Linux zapote 2.6.38-10-generic-pae #46-Ubuntu SMP Tue Jun 28 16:54:49 UTC 2011 i686 i686 i386 GNU/Linux
% sshfs -V
SSHFS version 2.2
FUSE library version: 2.8.4
fusermount version: 2.8.4
using FUSE kernel interface version 7.12
SOLVED:
(I can't post an answer as I don't have 100 points - double sigh)
I need to fix this up a bit... For example I hard coded PS1 in my .bashrc to "bash_prompt" (I use zsh by default).
#!/usr/bin/expect
# FIX: get homedir from env, set bash prompt somehow...
set timeout 30
spawn /bin/bash
expect "bash_prompt"
send_user "Shell spawned.\n"
send -- "sudo umount /home/sonia/mnt/server &> /dev/null\r"
expect "bash_prompt"
send -- "sshfs server:/export/pc_storage /home/sonia/mnt/server\r"
expect {
"assword:" {
send "secret\r"
send_user "\n"
}
timeout {
send_user "timed out!\n"
}
}
expect "bash_prompt"
Rather than use Expect, you can just supply the password directly.
Try this:
echo your-password | sshfs server:/export/pc_storage /home/sonia/mnt/server -o password_stdin
Not sure if you can make this work with your password policies, but its worth a shot.
I need to fix this up a bit... For example I hard coded PS1 in my .bashrc to "bash_prompt" (I use zsh by default).
#!/usr/bin/expect
# FIX: get homedir from env, set bash prompt somehow...
set timeout 30
spawn /bin/bash
expect "bash_prompt"
send_user "Shell spawned.\n"
send -- "sudo umount /home/sonia/mnt/server &> /dev/null\r"
expect "bash_prompt"
send -- "sshfs server:/export/pc_storage /home/sonia/mnt/server\r"
expect {
"assword:" {
send "secret\r"
send_user "\n"
}
timeout {
send_user "timed out!\n"
}
}
expect "bash_prompt"
\r\r does not seem right. Have you tried \r\n?
I want to use rsync to my remote server for which I have SSH access. I use the following command:
rsync -e 'ssh -p 22222' -rtz --delete content_dir/ user#example.com:/home/user/public_html
After entering the command, it asks for the password for the remote location. When I type it, it exits with the message,
stdin: is not a tty
How do I supply the password to rsync? The method suggested should also work when I use it in a shell script.
You need to add:
[ -z "$PS1" ] && return
to the beginig of .bashrc that is located in your home dir.
The password is being accepted here, as you've stated yourself the operation does happen.
The error message "stdin: is not a tty" is due to something in the startup script on your server attempting to process an action that should only happen for interactive logins (when you connect with ssh direct to the server, etc).
[ -z "$PS1" ] && return solves the problem but it checks whether the prompt string length equals to zero and if it does then exits. Although $PS1 will not be set in a non-interactive shell, $PS1 being of zero length doesn't ultimately mean that the shell is not interactive.
Better approach is to check the shell's current options using $-. For example [[ $- != *i* ]] && return.
In case a simple return doesn't do the job, here's another approach taken from this blog article:
if `tty -s`; then
mesg n
fi
tty -s checks if there's a TTY attached (the -s tells it to do so silently and just exit with the appropriate return code). tty returns the tty attached (e.g. "/dev/pts/1"). This should be safer than checking some shell variable ;)
mesg controls the write access to your terminal (msg n disallows writing to the (in our case non-existing) terminal), and thus requires one to be present.
On some systems (in my case Debian Jessie, but there are also reports on Ubuntu) mesg n1 is set unconditionally in either ~/.bashrc or ~/.profile. So if it exists that way, this might be the culprit.
As with the other examples, you can of course make that a one-liner: [[ $(tty -s ) ]] && mesg n. And nobody keeps you from combining the two:
if [[ $(tty -s ) ]]; then
mesg n
else
return
fi
Btw: According to the linked article, this fragment should go to the .bashrc of the machine you connect to (the "remote") – so if that's johndoe#somehost, this should be applied at the start of /home/johndoe/.bashrc on somehost. In my case I only got rid of the message after having applied this change on the "calling host" as well.
PS: Also check the .profile if it has a stand-alone msg n command (it did in my case). If it does, wrap it there.
1: mesg n is used to prevent other users on the machine writing to your current terminal device, which per se is a good thing – but not helpful for some rsync job ;)