I need to do rsync by ssh and want to do it automatically without the need of passing password for ssh manually.
Use "sshpass" non-interactive ssh password provider utility
On Ubuntu
sudo apt-get install sshpass
Command to rsync
/usr/bin/rsync -ratlz --rsh="/usr/bin/sshpass -p password ssh -o StrictHostKeyChecking=no -l username" src_path dest_path
You should use a keyfile without passphrase for scripted ssh logins. This is obviously a security risk, take care that the keyfile itself is adequately secured.
Instructions for setting up passwordless ssh access
You can avoid the password prompt on rsync command by setting the environment variable RSYNC_PASSWORD to the password you want to use or using the --password-file option.
I got it to work like this:
sshpass -p "password" rsync -ae "ssh -p remote_port_ssh" /local_dir remote_user#remote_host:/remote_dir
If you can't use a public/private keys, you can use expect:
#!/usr/bin/expect
spawn rsync SRC DEST
expect "password:"
send "PASS\n"
expect eof
if [catch wait] {
puts "rsync failed"
exit 1
}
exit 0
You will need to replace SRC and DEST with your normal rsync source and destination parameters, and replace PASS with your password. Just make sure this file is stored securely!
The following works for me:
SSHPASS='myPassword'
/usr/bin/rsync -a -r -p -o -g --progress --modify-window=1 --exclude /folderOne -s -u --rsh="/usr/bin/sshpass -p $SSHPASS ssh -o StrictHostKeyChecking=no -l root" source-path myDomain:dest-path >&2
I had to install sshpass
Use a ssh key.
Look at ssh-keygen and ssh-copy-id.
After that you can use an rsync this way :
rsync -a --stats --progress --delete /home/path server:path
Another interesting possibility:
generate RSA, or DSA key pair (as it was described)
put public key to host (as it was already described)
run:
rsync --partial --progress --rsh="ssh -i dsa_private_file" host_name#host:/home/me/d .
Note: -i dsa_private_file which is your RSA/DSA private key
Basically, this approach is very similar to the one described by #Mad Scientist, however you do not have to copy your private key to ~/.ssh. In other words, it is useful for ad-hoc tasks (one time passwordless access)
Automatically entering the password for the rsync command is difficult. My simple solution to avoid the problem is to mount the folder to be backed up. Then use a local rsync command to backup the mounted folder.
mount -t cifs //server/source/ /mnt/source-tmp -o username=Username,password=password
rsync -a /mnt/source-tmp /media/destination/
umount /mnt/source-tmp
The official solution (and others) were incomplete when I first visited, so I came back, years later, to post this alternate approach in case any others wound up here intending to use a public/private key-pair:
Execute this from the target backup machine, which pulls from source to target backup
rsync -av --delete -e 'ssh -p 59333 -i /home/user/.ssh/id_rsa' user#10.9.9.3:/home/user/Server/ /home/keith/Server/
Execute this from the source machine, which sends from source to target backup
rsync -av --delete -e 'ssh -p 59333 -i /home/user/.ssh/id_rsa' /home/user/Server/ user#10.9.9.3:/home/user/Server/
And, if you are not using an alternate port for ssh, then consider the more elegant examples below:
Execute this from the target backup machine, which pulls from source to target backup:
sudo rsync -avi --delete user#10.9.9.3:/var/www/ /media/sdb1/backups/www/
Execute this from the source machine, which sends from source to target backup:
sudo rsync -avi --delete /media/sdb1/backups/www/ user#10.9.9.3:/var/www/
If you are still getting prompted for a password, then you need to check your ssh configuration in /etc/ssh/sshd_config and verify that the users in source and target each have the others' respective public ssh key by sending each over with ssh-copy-id user#10.9.9.3.
(Again, this is for using ssh key-pairs without a password, as an alternate approach, and not for passing the password over via a file.)
Though you've already implemented it by now,
you can also use any expect implementation (you'll find alternatives in Perl, Python: pexpect, paramiko, etc..)
I use a VBScript file for doing this on Windows platform, it servers me very well.
set shell = CreateObject("WScript.Shell")
shell.run"rsync -a Name#192.168.1.100:/Users/Name/Projects/test ."
WScript.Sleep 100
shell.SendKeys"Your_Password"
shell.SendKeys "{ENTER}"
Exposing a password in a command is not safe, especially when using a bash script, if you tried to work with keyfiles thats will be nice.
create keys in your host with ssh-keygen and copy the public key with ssh-copy-id "user#hostname.example.com and then use rsync addin the option -e "ssh -i $HOME/.ssh/(your private key)" to force rsync using ssh connection via the the private key that you create earlier.
example :
rsync -avh --exclude '$LOGS' -e "ssh -i $HOME/.ssh/id_rsa" --ignore-existing $BACKUP_DIR $DESTINATION_HOST:$DESTINATION_DIR;
Here's a secure solution using a gpg encrypted password.
1.Create a .secret file containing your password in the same folder as your rsync script using the command:
echo 'my-very-secure-password' > .secret
Note that the file is hidden by default for extra security.
2.Encrypt your password file using the following gpg command and follow the prompts:
gpg -c .secret
This will create another file named .secret.gpg. Your password is now encrypted.
3.Delete the plain text password file
rm .secret
4.Finally in your rsync script use gpg and sshpass as follows:
gpg -dq secret.gpg | sshpass rsync -avl --mkpath /home/john user_name#x.x.x.x/home
The example is syncing the entire home folder for the user named john to a remote server with IP x.x.x.x
Following the idea posted by Andrew Seaford, this is done using sshfs:
echo "SuperHardToGuessPass:P" | sshfs -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user#example.com:/mypath/ /mnt/source-tmp/ -o workaround=rename -o password_stdin
rsync -a /mnt/source-tmp/ /media/destination/
umount /mnt/source-tmp
Related
On my linux server I run the command:
sshpass -p 'password' rsync -avz /source/folder/ root#192.168.x.x:/dest/folder
When I run the command without sshpass it will provide me with prompts for authenticity of host and the password.
I need some equivalent to "-o StrictHostKeyChecking=no" (which I use for ssh) that will allow me to run this with no prompts or errors.
Everything I saw from googling was about ssh throwing the error not rsync.
If you want to connect to new server, which public key is not yet in your ~/.ssh/knonwn_hosts, you should not skip this only security check, but rather store the server host key in the known_hosts manually, verify that it is correct and then make the automatic check working.
Simplest way to get the known hosts populated with the server host key is using
ssh-keyscan server-ip >> ~/.ssh/known_hosts
After that, you should not need to use the StrictHostKeyChecking=no workaround.
This is the right command without output errors:
sshpass -p "yourpassword" rsync -rvz -e 'ssh -o StrictHostKeyChecking=no -p 22' --progress root#111.111.111.111:/backup/origin /backup/destination/
I found the following command at cyberciti. This allowed me to do exactly what I needed.
$ rsync --rsh="sshpass -p myPassword ssh -o StrictHostKeyChecking=no -l username" server.example.com:/var/www/html/ /backup/
In some cases sshpass attempts find "assword" as the default password prompt indicator. But rsync can return similar string:
Enter passphrase for key '/home/user/.ssh/private_user_key':
So, try to add '-P' parameter:
sshpass -p "yourpassword" -P 'Enter passphrase for key' rsync 111.111.111.111:/backup/origin /backup/destination/
Path to your private key you can set in /home/user/config or set with -e parameter like that:
sshpass -p "yourpassword" -P 'Enter passphrase for key' rsync -e 'ssh -i /home/user/.ssh/private_user_key' 111.111.111.111:/backup/origin /backup/destination/
More inf about default password prompt indicator:
$ sshpass -V
sshpass 1.06
(C) 2006-2011 Lingnu Open Source Consulting Ltd.
(C) 2015-2016 Shachar Shemesh
This program is free software, and can be distributed under the terms of the GPL
See the COPYING file for more information.
Using "assword" as the default password prompt indicator.
Today I started learning ansible and first thing I came across while trying to run the command ping on remote server was
192.168.1.100 | UNREACHABLE! => {
"changed": false,
"msg": "(u'192.168.1.100', <paramiko.rsakey.RSAKey object at 0x103c8d250>, <paramiko.rsakey.RSAKey object at 0x103c62f50>)",
"unreachable": true
}
so I manually setup the SSH key, I think I faced this as no writeup or Tutorial by any devops explains the step why they don't need it or if they have manually set it up before the writing a tutorial or a video.
So I think it would be great if we can automate this step too..
If ssh keys haven't been set up you can always prompt for an ssh password
-k, --ask-pass ask for connection password
I use these commands for setting up keys on CentOS 6.8 under the root account:
cat ~/.ssh/id_rsa.pub | ssh ${user}#${1} -o StrictHostKeyChecking=no 'mkdir .ssh > /dev/null 2>&1; restorecon -R /root/; cat >> .ssh/authorized_keys'
ansible $1 -u $user -i etc/ansible/${hosts} -m raw -a "yum -y install python-simplejson"
ansible $1 -u $user -i etc/ansible/${hosts} -m yum -a "name=libselinux-python state=latest"
${1} is the first parameter passed to the script and should be the machine name.
I set ${user} elsewhere, but you could make it a parameter also.
${hosts} is my hosts file, and it has a default, but can be overridden with a parameter.
The restorecon command is to appease selinux. I just hardcoded it to run against the /root/ directory, and I can't remember exactly why. If you run this to setup a non-root user, I think that command is nonsense.
I think those installs, python-simplejson and libselinux-python are needed.
This will spam the authorized_keys files with duplicate entries if you run it repeatedly. There are probably better ways, but this is my quick and dirty run once script.
I made some slight variations in the script for CentOS 7 and Ubuntu.
Not sure what types of servers these are, but nearly all Ansible tutorials cover the fact that Ansible uses SSH and you need SSH access to use it.
Depending on how you are provisioning the server in the first place you may be able to inject an ssh key on first boot, but if you are starting with password-only login you can use the --ask-pass flag when running Playbooks. You could then have your first play use the authorized_key module to set up your key on the server.
I want to use Ansible as part of another Python software. in that software I have a hosts list with their user / password.
Is there a way to pass the user / pass of the SSH connection to the Ansible ad-hoc command or write it in any file in encrypted way?
Or do i understand it all wrong, and the only way to do it is with SSH certification?
The docs say you can specify the password via the command line:
-k, --ask-pass.
ask for connection password
Ansible can also store the password in the ansible_password variable on a per-host basis.
you can use --extra-vars like this:
$ ansible all --inventory=10.0.1.2, -m ping \
--extra-vars "ansible_user=root ansible_password=yourpassword"
If you're authenticating to a Linux host that's joined to a Microsoft Active Directory domain, this command line works.
ansible --module-name ping --extra-vars 'ansible_user=domain\user ansible_password=PASSWORD' --inventory 10.10.6.184, all
As mentioned before you can use --extra-vars (-e) , but instead of specifying the pwd on the commandline so it doesn't end up in the history files you can save it to an environment variable. This way it also goes away when you close the session.
read -s PASS
ansible windows -i hosts -m win_ping -e "ansible_password=$PASS"
I used the command
ansible -i inventory example -m ping -u <your_user_name> --ask-pass
And it will ask for your password.
For anyone who gets the error:
to use the 'ssh' connection type with passwords, you must install the sshpass program
On MacOS, you can follow below instructions to install sshpass:
Download the Source Code
Extract it and cd into the directory
./configure
sudo make install
I'm trying to execute this shell with command line
host="192.168.X.XXX"
user="USERNAME"
pass="MYPASS"
sshpass -p "$pass" scp -o StrictHostKeyChecking=no /home/MYPATH/File.import "$user#$host:/"home/MYPATH/
To copy a file from my local server in to remote server. The remote server is a copy of the remote server but when I try to execute this shell I have this error:
**PERMISSION DENIED, PLEASE TRY AGAIN**
I didn't understand why if I try to execute this command in command line is working.
USERNAME#MYSERVER:~$ sshpass -p 'MYPASS' scp -o StrictHostKeyChecking=no /home/MYPATH/File.import USERNAME#192.168.X.XXX:/home/MYPATH/
Somebody have a solution??
Please use a pipe or the -e option for the password anyway.
export SSHPASS=password
sshpass -e ssh user#remote
Your simple command with -e option:
export SSHPASS=password
sshpass -e scp -o StrictHostKeyChecking=no /home/MYPATH/File.import user#192.168.X.XXX:/home/MYPATH/
Please remove the wrong quotes from your command:
sshpass -p "$pass" scp -o StrictHostKeyChecking=no /home/MYPATH/File.import $user#$host:/home/MYPATH/
You should also be able to remove the quotes around $pass.
Please ensure that you have no special characters in your pass variable or escape them correctly (and no typos anywhere).
For simplicity use a ssh command instead of scp for testing
Use the -v or -vvv option for the scp command to check what scp is trying to do. Also check the secure log or auth.log on the remote server
You have to install "sshpass" command then use the below snippet
export SSHPASS=password
sshpass -e sftp user#hostname << !
cd sftp_path
put filename
bye
!
A gotchya that I encountered was escaping special characters in the password which wasn't necessary when entering it in interactive ssh mode.
I'm trying to login to a ssh server and to execute something like:
ssh user#domain.com 'sudo echo "foobar"'
Unfortunately I'm getting an error:
sudo: no tty present and no askpass program specified
Google told me to either set the environment variable SSH_ASKPASS or to set askpass in the sudoers file. My remote machine is running on Debian 6 and I've installed the packages ssh-askpass and ssh-askpass-gnome and my sudoers file looks like this:
Defaults env_reset
Defaults askpass=/usr/bin/ssh-askpass
# User privilege specification
root ALL=(ALL) ALL
user ALL=(ALL) ALL
Can someone tell what I'm doing wrong and how to do it better.
There are two ways to get rid of this error message. The easy way is to provide a pseudo terminal for the remote sudo process. You can do this with the option -t:
ssh -t user#domain.com 'sudo echo "foobar"'
Rather than allocating a TTY, or setting a password that can be seen in the command line, do something like this.
Create a shell file that echo's out your password like:
#!/bin/bash
echo "mypassword"
then copy that to the node you want using scp like this:
scp SudoPass.sh somesystem:~/bin
Then when you ssh do the following:
ssh somesystem "export SUDO_ASKPASS=~/bin/SudoPass.sh;sudo -A command -parameter"
Another way is to run sudo -S in order to "Write the prompt to the standard error and read the password from the standard input instead of using the terminal device" (according to man) together with cat:
cat | ssh user#domain.com 'sudo -S echo "foobar"'
Just input the password when being prompted to.
One advantage is that you can redirect the output of the remote command to a file without "[sudo] password for …" in it:
cat | ssh user#domain.com 'sudo -S tar c --one-file-system /' > backup.tar
Defaults askpass=/usr/bin/ssh-askpass
ssh-askpass requires X server, so instead of providing a terminal (via -t, as suggested by nosid), you may forward X connection via -X:
ssh -X user#domain.com 'sudo echo "foobar"'
However, according to current documentation, askpass is set in sudo.conf as Path, not in sudoers.
How about adding this in the sudoers file:
user ALL=(ALL) NOPASSWD: ALL