Prevent rsync from trying to ask for a password - ssh

How do I prevent rsync from trying to ask for a password for the remote server login?
Note: I am not asking how to set up public key authenticated SSH. I know how to set up public key authenticated SSH. What I am asking is how to prevent rsync from trying to ask for a password if public key authentication fails, like what scp's -B flag does. I am using rsync in a script here, so if it tries to ask for a password, my script will hang, waiting for input that will never come. I want the rsync command to instead fail, so my script can detect the failure and exit gracefully.

Just pass options to the underlying ssh command used by rsync:
rsync -e 'ssh -oBatchMode=yes [other ssh options]' [rest of rsync command]
From the rsync manual:
-e, --rsh=COMMAND specify the remote shell to use
From the ssh manual:
BatchMode
If set to “yes”, passphrase/password querying will be disabled.
This option is useful in scripts and other batch jobs where no
user is present to supply the password. The argument must be
“yes” or “no”. The default is “no”.
This emulates the bahavior os scp -B.

Related

Can't use RSYNC daemon via SSH connection

I have a problem while trying to use RSYNC with daemon and SSH connection.
What I wan't to do is simply login to rsync without pass and be able to use the rsync daemon.
Here is my conf file (/etc/rsyncd.conf):
uid = rsync
gid = rsync
[yxz]
path = /home/pierre/xyz
read only = false
auth users = rsync
hosts allow = <myIP>
/home/pierre/xyz has gid wich rsync user can reach.
This is working (but is not using the daemon):
rsync -rzP --stats --ignore-existing --remove-sent-files rsync#mydomain.fr:/home/pierre/xyz/ /media/xyz --include="*.cfg" --exclude="*"
This is not working (using the daemon), but rsync asks me for pass and then says "#ERROR: auth failed on module xyz" because I don't have configure authentification this way :
rsync -rzP --stats --ignore-existing --remove-sent-files rsync://rsync#mydomain.fr/xyz/ /media/xyz --include="*.cfg" --exclude="*"
This is not working (using the daemon):
rsync -rzP -e "ssh -l rsync" --stats --ignore-existing --remove-sent-files rsync://rsync#mydomain.fr/xyz/ /media/xyz --include="*.cfg" --exclude="*"
Here is the error message:
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(605) [Receiver=3.0.9]
With -v option to the ssh command, it says connection is allowed, so I suppose rsync is the problem, not ssh.
Any idee ?
Thanks for your help :)
Make sure that you stop and disable the rsync system service. E.g. if you are using systemd: systemctl disable --now rsync.
Remove -l rsync from the rsync command
rsync -rzP -e "ssh" --stats --ignore-existing --remove-sent-files rsync://mydomain.fr/xyz/ /media/xyz --include="*.cfg" --exclude="*"
Remove auth users = rsync from rsyncd.conf
I found that if I was not using root, I had to also add use chroot = no in rsyncd.conf.
Great it works, but what sort of authentification is made ?
The connection is authenticated as usual for the ssh command (specifically, the same as ssh mydomain.fr).
This does not involve the system service rsync. Instead it uses SSH to start and communicate with an instance of rsync --server --daemon .. You can see this command being started if you replace -e "ssh" with -e "ssh -v".
The problem with using the system service rsync is that it does not encrypt the network connection, so the network is able to intercept and modify the data in transit. This somewhat defeats the point of using any authentication.
Often this approach is used with a dedicated SSH key, using the command="" option in authorized_keys to restrict it to rsync only. A side-benefit of doing so is that it overrides the command rsync tries to use, so you can force it to use --config=~/rsyncd.conf instead of creating a global /etc/rsyncd.conf. IMO this is useful to avoid confusion IMO. It is good practice because if you create the global config file, there is some risk that you will accidentally run the insecure system service. For example Debian 9 enables the rsync system service by default, and will start it automatically at boot if you have created /etc/rsyncd.conf.
https://gist.github.com/trendels/6582e95012f6c7fc6542
https://indico.cern.ch/event/577279/contributions/2354037/attachments/1366772/2071442/Hepsysman-keeping-in-sync.pdf
https://serverfault.com/questions/6367/cant-get-rsync-to-work-in-daemon-over-ssh-mode
Unusual variant using a dedicated user with a custom shell, instead of command="" / ForceCommand, for some reason: http://mennucc1.debian.net/howto-ssh-rsyncd.html
To use rsync daemon without a password, you should remove auth users line from your config file.
uid = rsync
gid = rsync
[yxz]
path = /home/pierre/xyz
read only = false
hosts allow = <myIP>
After starting the daemon, you can refer the module either using :: syntax or using rsync:// prefix as follows
rsync -rzv rsync#mydomain.fr::xyz/ /media/xyz
rsync -rzv rsync://rsync#mydomain.fr/xyz/ /media/xyz
More info: man rsyncd.conf

How to do remote ssh non-interactively

I am trying to connect to a remote host from my local host through the below command.But there was a setting in the remote host that soon after we login it will prompt to enter a badge ID,password and reason for logging in, because it was coded like that in profile file on remote-host How can I overcome those steps and login directly non-interactively, without disturbing the code in profile.
jsmith#local-host$ ssh -t -t generic_userID#remote-host
Enter your badgeID, < exit > to abort:
Enter your password for <badgeID> :
Enter a one line justification for your interactive login to generic_userID
Small amendment: to overcome remote server expect approach is required, but in case local script connects to bunch of remote servers, which configuration may be broken, just use SSH options:
ssh -f -q -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null USER#TARGETSYSTEM
This will omit ask for password in case there is no ssh_key setup, exit silently and continue with script/other hosts.
Puts ssh to background with -f, which is required when calling ssh command from sh (batch) file to remove local console redirect to remote input (implies -n).
Look into setting up a wrapper script around expect. This should do exactly what you're looking for.
Here are a few examples you can work from.
I have upvoted Marvin Pinto's answer because there is every reason to script this, in case there are other features in the profile that you need, such as Message of the Day motd.
However, there is a quick and dirty alternative if you don't want to make a script and you don't want other features from the profile. Depending on your preferred shell on the remote host, you can insist that the shell bypasses the profile files. For example, if bash is available on the remote host, you can invoke it with:
ssh -t -t generic_userID#remote-host bash --noprofile
I tested the above on the macOS 10.13 version of OpenSSH. Normally the command at the end of the ssh invocation is run non-interactively, but the -t flag allows bash to start an interactive shell.
Details are in the Start-up files section of the Bash Reference Manual.

script to ssh to a unix server

It will be helpful if somebody could tell me how to connect to a unix server using username and password as arguments.my username and password is "anitha".
How can i create a shell script which automatically connect to my unix server with this username and password?
I guess you want to remotely connect to your *nix server from network. Base on my guess, to:
connect to remote *nix server, everybody is using SSH
ssh anitha#anitha ip-to-unix-server
automatically connect, write simple bash shell wrap around your ssh connect command and do something, not suggested, you should use ssh password less login (aka public/private key)
#!/usr/bin/env bash
ip=172.16.0.1 #replace 172.16.0.1 with your unix server's ip
username=anitha #your ssh username
password=anitha #your ssh password
command=who #what do you want to do with remote server
arguments= #arguments for your command
expect -c 'spawn ssh $username#$ip ; expect password ; send "$password\n" ; interact'
connect without typing password, you may need to use SSH password less login
Use sshpass if you really need to use non-interactive keyboard-interactive authentication (pun intended) or better switch to using pubkey-based authentication.
Note that passing the password in clear to the ssh client is very lame as the password gets exposed in the publicly-readable process list where it can be read by anyone. sshpass works around this problem by creating a pseudo-terminal and communicating with the ssh client using it, so at least the password is not exposed at runtime.
Step 1:
jsmith#local-host$ [Note: You are on local-host here]
jsmith#local-host$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):[Enter key]
Enter passphrase (empty for no passphrase): [Press enter key]
Enter same passphrase again: [Pess enter key]
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is:
33:b3:fe:af:95:95:18:11:31:d5:de:96:2f:f2:35:f9 jsmith#local-host
Step 2:
From Local-host, run this One liner for password less ssh connectivity.
cat ~/.ssh/id_dsa.pub | ssh useronanotherserver#anotherservername 'cat >> ~/.ssh/authorized_keys'
You should use expect, which is an extension of tcl that was made specifically for automating login tasks.
Basic ssh login question: could not able to spawn(ssh) using expect
How to interact with the server programattically after you have established the session: Expect Script to Send Different String Outputs

How to run automated rsync using ssh2

i am trying to setup rsync between two machines over ssh2 protocol.
Earlier we used ssh1 for automated rsync without any passphrase, but recently we migrated to ssh2 and running rsync with ssh2 prompts for passphrase.
I generated a new SSH2-RSA key and that too without passphrase, but it still asks me for the passphrase.Here is the command that i run for ssh
/usr/bin/ssh -2 -i /usr/local/www-rsync-key fsuser#xyz
What steps do you have to do to get an ssh2 key with a null password to work? I'm guessing there are certain settings in /etc/ssh/sshd_config you have to set, but I can't figure out what!
This question appeared on Superuser, discussing the topic of ssh without a password.
If you're getting prompted for a password, check that you've added the public key to the correct file on the far side (could be authorized_keys2 now), and that the directory permissions are correct (.ssh and its contents shouldn't have any group or world permissions set).

Disabling unidentified host confirmation when connecting to Amazon EC2 instances using SSH

I am writing a script using boto and Python to automatically launch an Amazon EC2 instance and interact with it using SSH. Everything works fine except that every time I establish the connection, SSH prompts me to confirm the authenticity of the host like this:
The authenticity of host 'ec2-174-129-121-25.compute-1.amazonaws.com (174.129.121.25)' can't be established.
RSA key fingerprint is 26:09:bd:21:4f:55:20:3f:0d:fc:5f:cc:3e:08:30:db.
Are you sure you want to continue connecting (yes/no)?
My SSH command is:
ssh -i ssh2.pem root#ec2-174-129-121-25.compute-1.amazonaws.com
Since every EC2 instance is a new host, I have to confirm this every time, but I want an automatic script without any user input. What is the best solution?
Use -O StrictHostKeyChecking=no and, optionally, set the KnownHostsFile of /dev/null (if you want to be totally insecure about things). But remember, you're bypassing security measures meant to protect you!
edit and probably CheckHostIP=no too. man ssh and see all the gory bits.
For PuTTY and windows you can use
echo y | plink -pw yourpassword root#yourservername.com