>How do I call rsync with -e ssh in a shell script run from cron.  SSH
>requires a password.  How do I pass the password to it from the script?
>
>V/r
>Jay

The public key method works.   I'm a bit more paranoid, however.  I 
like to enter my password after the machine boots up, so that I don't 
have to worry about someone _easily_ gaining access and thus having 
control of all my remote rsync archives.  (Yes, it's still very 
possible with the method below if someone gets access to the live 
machine, but it's not possible if they have to reboot the box to get 
in.)

JT



#!/bin/sh
#
# auth v1.3 - 2000-10-24 [EMAIL PROTECTED]
#
# Purpose: To allow a machine to use ssh-style commands
#  with all automated scripts, while keeping a passphrase
#  that only is entered once by the root user upon
#  boot of the machine.
#
# This script has to be run every time that the machine
#  reboots.  The root user has a key (generated by ssh-keygen)
#  in /root/.ssh/identity that is distributed to all the remote
#  machines in the hierarchy in their /root/.ssh/authorized_keys
#  files.  This program ("auth") is only ever run on the
#  master server.  The admin logs in as root, runs the "auth"
#  program and enters in the key for the master server.  Then,
#  all scripts and distributions first do a ". /var/tmp/ssh-agent.dat-root"
#  as the first part of their script, and they should be able
#  to use ssh to transparently log in/manipulate the remote machine
#  without a user intervening to type a passphrase.
#
# I've made provisions for this to be easily run by users other than
#  root, but I leave that as an exercise for the reader.
#
# This script assumes OpenSSH or ssh v1 - I haven't tried it with
#  v2, but it shouldn't be too difficult to figure out.
#
# Why?   I got nervous at the prospect of having machines talk
#  to each other by using simple empty passphrases or using
#  IP authentication as a security model.  If someone breaks
#  into one of my "core" servers by brute force, they would
#  by proxy have access to all of my remote systems without
#  raising a finger, since the remote machines would "trust"
#  the central server based on files or traits that were
#  permanently stored.  If someone reboots a system (boot -s)
#  I would very much like to have that system suddenly not
#  recognized by my remote machines until I "bless"
#  the root account with a keyphrase again, which is what
#  the auth script does.  Granted, this is not a perfect
#  method, nor even close - but it allows me some measure
#  of security without compromise of ease-of-use or
#  configuration nightmares.
#
#
# Example use:
#
# seraphim# whoami
# root
# seraphim# ssh-keygen
# Generating RSA keys:  Key generation complete.
# Enter file in which to save the key ($HOME/.ssh/identity): /root/.ssh/identity
# Enter passphrase (empty for no passphrase): [passphrase here]
# Enter same passphrase again: [passphrase here again]
# Your identification has been saved in /root/.ssh/identity.
# Your public key is:
# 1024 35 125011433[blahblahblah]37650936701379 root@seraphim
# Your public key has been saved in /root/.ssh/identity.pub
# seraphim#
#
# [Note: I only need to run ssh-keygen ONCE to generate the
#  keyfiles.  I never need to do this step again as long as I
#  remember the passphrase for the root keys.  :) ]
#
# [I manually copy through a "secure" method my /root/.ssh/identity.pub
# file and append it to remote.server.com:/root/.ssh/authorized_keys]
#
# seraphim# /usr/local/bin/auth   [this script]
# Starting up new ssh-agent...
# Agent pid 8642
# Need passphrase for /home/jtodd/.ssh/identity
# Enter passphrase for jtodd@beater:
# Identity added: /home/jtodd/.ssh/identity (jtodd@beater)
# seraphim#
#
# Now, scripts like this will work automatically out of cron:
#
# #!/bin/sh
# . /var/tmp/ssh-agent.dat-root
# scp -q remote.server.com:/tmp/metallica.rulez.mp3 /tmp
# # end
#
# Make sure to "dry-run" all your scripts by hand first; if you
#  are connecting to a new machine that you've never connected
#  to before, you'll need to verify the authenticity of the host
#  keys once.
#
# Another way to get all you scripts to use ssh with this method
#  is to execute the /var/tmp/ssh-agent.dat-root environment-setting
#  script out of the .profile for root.  In that case, you might even
#  be able to 'fake out' older scripts that use rsh by putting a symlink
#  between rsh and ssh... use at your own risk.
#
# CHANGELOG:
#
#  v1.3 2000/10/24 jtodd
#     - chmod'ed $agent_file so the ssh keyfile in /tmp is
#       not able to be obtained from the $agent_file output
#  v1.2 2000/07/15 jtodd
#     - grabbed the username from "/usr/bin/id -un" instead of out
#       of the extremely unsafe and changeable $USER variable
#       This could be changed to "/usr/bin/whoami" on many systems
#       for the same results if "id" is not on your platform.
#     - added some more yammering in the comments section
#  v1.1 2000/07/13 jtodd
#     - put the "grep -v" line in to remove the printout of
#       the PID in the ssh-agent.dat file
#     - abstracted the "grep" and "cat" locations - probably
#       overkill
#

SSH_ADD='/usr/bin/ssh-add'
SSH_AGENT='/usr/bin/ssh-agent'
tmp_directory='/var/tmp'

# user_uid returns the username (i.e.: "root") on OpenBSD platforms
# I am uncertain if this command is the same on all *NIXes.
user_uid=`/usr/bin/id -un`

agent_file=${tmp_directory}/ssh-agent.dat-${user_uid}
cat_file='/bin/cat'
grep_file='/usr/bin/grep'

# end of variables


if [ -f "$agent_file" ]; then
         . "$agent_file";
         echo "Killing off old ssh-agent...";
         $SSH_AGENT -k
fi

echo "Starting up new ssh-agent..."
         # create $agent_file unreadable to group/others from the start,
         # instead of only chmod'ing it after the socket path is already in it
         umask 077
         $SSH_AGENT -s | $grep_file -v echo | $cat_file > "$agent_file"
         . "$agent_file"
         $SSH_ADD
         chmod og-wrx "$agent_file"

# end of auth script - simple, ain't it?


------------------------
#!/bin/sh
#
# rsync-update v1.0  2001-02-12  [EMAIL PROTECTED]
#
# This script synchronizes a bunch of remote machines
# with a prototype box.  It's normally run out of cron
# every night.  This could just as easily send mail to
# root instead of writing to a logfile.  I should really
# re-write this to support directory selection support
# on the command line, but... nah.
#
# Watch out for line wraps below when clipping
# from email.
#
# When generating configs, it's important to remember that the specific
# exclusions/inclusions happen in the machine-specific file, and then
# the generic template gets added on the end.  As an example, if you
# always wanted /etc/services to get distributed, you'd put a "/etc/services"
# line in the DEFAULT file.  The machine-specific file and the DEFAULT file
# get cat'ed together, and rsync will simply go down the list until
# it hits a match in this "access-list" and then execute.
#
# The directory that my config files are in looks like this:
#
#   sparc-proto28:jtodd {102} cd /etc/rsync/configs
#   sparc-proto28:configs {103} dir
#   total 5
#   2 drwxr-xr-x  3 root  wheel  512 Feb 12 04:24 .
#   2 drwxr-xr-x  3 root  wheel  512 Feb 12 04:08 ..
#   2 -rw-r--r--  1 root  wheel  124 Feb 11 18:09 .sparc-OpenBSD2.8
#   0 -rw-r--r--  1 root  wheel    0 Feb  8 14:32 209.51.126.131
#   0 -rw-r--r--  1 root  wheel   45 Feb  2 03:58 morf.bloop.com
#   0 -rw-r--r--  1 root  wheel    0 Jan 15 04:03 gleep.splot.com
#   0 -rw-r--r--  1 root  wheel    0 Jan 11 01:23 barf.giggle.net
#   sparc-proto28:configs {104}
#
# The machine-specific file should look something like this:
#
# sparc-proto(232)# cat /etc/rsync/configs/morf.bloop.com
# + /etc/krb5.conf
# + /etc/services
# - /root/
# - /usr/src/sys/arch/sparc/compile/
# sparc-proto(233)#
#
#
# The prototype file should look something like this:
#  sparc-proto28:configs {104} more .sparc-OpenBSD2.8
#   + /usr/src/sys/
#   - /usr/src/
#   + /bin/
#   + /sbin/
#   + /root/
#   - /root/.ssh/
#   + /altroot/
#   + /GENERIC
#   - /usr/local/ports/
#   + /usr/
#   - /*
#   sparc-proto28:configs {105}
#
# Note that the zero-length files in the config directory simply
# use only those patterns in the .sparc-OpenBSD2.8 file.
# morf.bloop.com has a few exclusions and additions that
# the prototype file doesn't list.
#
# The lines that use the "logger" command simply push out
# a log entry into the remote machine to indicate that the
# sync is happening.  They can be removed if your system
# does not support the "logger" command.
#
# See the "rsync" manual page on "Exclude Patterns" for more details.
#
# WARNING: The "x" in the RSYNC_OPTIONS line may cause problems
# for you because it tells the system to stay on the filesystem in
# which it was launched.  You may want to remove the "x" but
# be careful with your exclude list!
#
#
# Note: The SITE_DEFAULTS file always must have a "." as the leading
# character, or else the script will pick it up as a machine name
# to which a distribution is being sent.  It's an ugly hack, but
# I'm not doing this for the benefit of humanity, only my own
# uses.
#


# Set up various defaults

TEMPLATEDIR=/etc/rsync/configs
RSYNC_CMD=/usr/local/bin/rsync
RSYNC_OPTIONS="-arxvz --delete -e ssh --timeout 1800"
SITE_DEFAULTS=$TEMPLATEDIR/.sparc-OpenBSD2.8
TMP_DIR=/var/tmp
HOST=`hostname`
TIMESTAMP=`date +%Y-%m-%d.%H:%M:%S`
TMP_FILE=$TMP_DIR/rsync-update.$TIMESTAMP

# Get authorized to log into all these machines.  See "auth"
# program for details on how I do a one-time password to use
# ssh whenever scripts want and NOT using public or no-password
# keys.

. /var/tmp/ssh-agent.dat-root

# clean up old stragglers in the TMP_DIR area, just to
# be tidy.  (The "&&" keeps the rm from running in some
# other directory if the cd fails.)

cd "$TMP_DIR" && rm -f rsync_*

# Start main routine

cd "$TEMPLATEDIR" || exit 1

# remove crap left over from editing files; yes, I use "joe".
# Yes, this is a kludge.  I'm sleepy and want to get this done.

touch foo~
rm -f *~

echo "-------------------------"

for machine in *
      do
         echo "Synchronizing this OS load with $machine...";

         ssh "$machine" "logger -t RSYNC-UPDATE Starting file/directory sync with master=$HOST"

         /bin/cat "$TEMPLATEDIR/$machine" "$SITE_DEFAULTS" > "$TMP_DIR/rsync_${machine}"

         echo "Starting $machine..." >>"$TMP_FILE"
         $RSYNC_CMD $RSYNC_OPTIONS --exclude-from="$TMP_DIR/rsync_${machine}" \
             / "${machine}:/"  >>"$TMP_FILE"
         echo "...ending $machine." >>"$TMP_FILE"

         echo "done."

         ssh "$machine" "logger -t RSYNC-UPDATE Ending file/directory sync with master=$HOST"

         echo "-------------------------"
         /bin/rm "$TMP_DIR/rsync_${machine}"
      done

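Added example, not part of JT's post or his "auth" script: the same ssh-agent environment-file idea, written so that the file is never group- or world-readable even for an instant, and so that a cron job can verify the agent is still reachable before it starts an rsync. The function names, the choice of a file under $HOME rather than /var/tmp, and the ssh-agent output quoted in the usage comments are this example's own assumptions, not the post's.

```shell
#!/bin/sh
# Added example (not JT's "auth" script): write the ssh-agent environment
# file so that it is owner-readable only from the moment it exists, and give
# cron jobs a check to run before they trust it.  Assumes POSIX sh plus
# id(1), ls(1), awk(1), grep(1) and a caller-chosen file path (not /var/tmp,
# which is world-writable).

# filter_agent_output: stdin is "ssh-agent -s" output; pass through only the
# two assignment lines in their exact form and drop everything else,
# including the trailing "echo Agent pid N;" line, so nothing unexpected is
# ever sourced from the file.
filter_agent_output() {
    grep -E '^SSH_(AUTH_SOCK|AGENT_PID)=[^; ]+; export SSH_(AUTH_SOCK|AGENT_PID);$'
}

# write_agent_env FILE  (stdin: "ssh-agent -s" output)
# Any existing path is removed first, so a symlink planted there is not
# followed, and umask 077 is in effect before the file is created, so there
# is no moment at which it is group- or world-readable.
write_agent_env() {
    rm -f "$1" || return 1
    ( umask 077; filter_agent_output > "$1" ) || return 1
    [ -s "$1" ]
}

# agent_env_file_ok FILE
# The cron-side sanity check: a regular file (not a symlink) owned by the
# caller, no group/other permission bits, and exactly the two expected lines.
agent_env_file_ok() {
    [ -f "$1" ] && ! [ -L "$1" ] || return 1
    [ "$(ls -ldn "$1" | awk '{print $3}')" = "$(id -u)" ] || return 1
    [ "$(ls -ldn "$1" | cut -c5-10)" = "------" ] || return 1
    total=$(grep -c . "$1" || true)
    good=$(filter_agent_output < "$1" | grep -c . || true)
    [ "$total" = 2 ] && [ "$good" = 2 ]
}

# agent_reachable FILE
# Source FILE and ask the agent for its key list.  ssh-add -l exits 0 when
# keys are loaded, 1 when the agent is running but holds no keys, and 2 when
# it cannot contact the agent (killed, or a stale file left from before a
# reboot).  A cron job should stop here rather than let rsync sit on a
# passphrase prompt.
agent_reachable() {
    agent_env_file_ok "$1" || return 1
    . "$1"
    [ -S "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1
}

# Once per boot, by the admin (the only interactive step; ssh-add prompts):
#   ssh-agent -s | write_agent_env "$HOME/.ssh/agent.env" \
#       && . "$HOME/.ssh/agent.env" && ssh-add
# At the top of every cron script that uses ssh, scp or rsync -e ssh:
#   agent_reachable "$HOME/.ssh/agent.env" \
#       || { echo "no usable ssh-agent, not running" >&2; exit 1; }
```

The allow-list grep is the point of `filter_agent_output`: the post's `grep -v echo` drops one known line, whereas keeping only the two exact assignments means a file that somehow contains anything else is rejected by `agent_env_file_ok` instead of being sourced.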
