Linux Format forums
Help, discussion, magazine feedback and more
 

LXF165 Unison tutorial - How to use password ssh with cron?

 
guttagrynna



Joined: Thu Nov 15, 2012 8:41 pm
Posts: 3
Location: Stockholm, Sweden

Posted: Sun Dec 09, 2012 6:11 pm

The tutorial on Unison has been really useful for me, but I don't like the idea of not protecting SSH with a password. I first thought it would be easy to use password with SSH by means of gnome-keyring or whatever it's called. But I have since found out that using cron requires a lot of extra configurations not to ask for a password every time it runs the script, and after trawling the internet on the subject I feel it is beyond my current knowledge level to sort this out. I vaguely understand the problem, but can't solve it on my own.

To clarify, I can run the script manually without being prompted for a password, but when using cron I need to enter the keyring password every time.

Can anyone offer instructions on this? Or maybe LXF could run a follow-up on the recent article, this time with password for your SSH key.

Best regards,

Mårten
Bruno
LXF regular


Joined: Tue Sep 18, 2007 7:07 pm
Posts: 139
Location: Cambridgeshire, UK

Posted: Sun Dec 09, 2012 8:05 pm

Hi Mårten,

If you are a subscriber, you will find a tutorial on SSH (and VNC) from LXF 119 by Neil Bothwick in the archive. It will help you with the SSH side of things. If not, I created some notes a while ago to help me. I've pasted them below:

1) SSH Setup:
i) Use OpenSSH, check that the package "openssh" is installed on all client and server machines.
ii) To log into a remote machine via ssh, <hostname> = name of machine running SSHD, this should also be your hub computer, the computer with which all others synchronise:
Code:
$ ssh <hostname>

* This will prompt you for your password on the server machine if not using public key authentication.
* It also logs you in with same user ID with which you are logged into the client machine.
* If you need to log in with a different user name, use this:
Code:
$ ssh <user>@<hostname>


2) Server Configuration
i) Check that the following entries have these settings in the /etc/ssh/sshd_config file and that they are uncommented:
Code:
PermitRootLogin no
Protocol 2

PubkeyAuthentication yes
RSAAuthentication no
AuthorizedKeysFile %h/.ssh/authorized_keys

PasswordAuthentication no*
PermitEmptyPasswords no*
ChallengeResponseAuthentication yes**
UsePAM yes**

Compression no***
X11Forwarding no****

* Always have set to "no".
** Initially set these to "yes" but change to "no" after uploading the authentication key from client (more on this later).
*** This is the best setting for synchronisation over a local network, but you may want compression if you are synchronising over the internet or also using remote desktop access.
**** Change to "yes" if you are also using remote desktop access.
ii) Configure /etc/hosts.allow by adding the following lines:
Code:
sshd  :  127.0.0.1  :  allow
sshd  :  192.168.   :  allow

This will only allow computers on your private network (assuming it is using IP addresses in the range 192.168.X.X) access to your hub computer via SSH.
iii) Configure /etc/hosts.deny by adding the following line:
Code:
sshd  :  ALL        :  deny

This ensures that only computers that are explicitly allowed (see above) access to your hub computer may connect via SSH.
iv) Enable the service "sshd" to start automatically at boot time. How to do this may be specific to your distro.

3) Client Configuration
i) Check that the following entries have these settings in the /etc/ssh/ssh_config file and that they are uncommented (note: ssh_config, not sshd_config):
Code:
ForwardX11Trusted no
Port 22
Protocol 2
HashKnownHosts yes


4) Preparation for Public Key Authentication and Key Generation
i) Create the following directory and file on the client machine and give them appropriate permissions:
a) /home/<user>/.ssh/
Code:
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh

b) /home/<user>/.ssh/config
Code:
$ touch ~/.ssh/config
$ chmod 644 ~/.ssh/config

ii) Add the hostname and its IP address to the /home/<user>/.ssh/config file:
Code:
$ echo "Host <hostname>" >> ~/.ssh/config ; echo "      Hostname <host_ip_address>" >> ~/.ssh/config

iii) Still on the client machine, type the following in a terminal (supplying your password for the server machine when prompted) to generate keys on the client machine and transfer the public key to the server machine:
Code:
$ ssh-keygen
$ ssh-copy-id <user>@<hostname>

iv) On the server machine, disable password logins by editing the /etc/ssh/sshd_config file as described previously and restart sshd.

5) Alternative methods for transferring keys to the server (if you have already disabled password access on the server):
i) Copy the file /home/<user>/.ssh/id_rsa.pub onto a USB stick.
ii) On the server machine, type:
Code:
$ cat /media/<stick>/id_rsa.pub >> ~/.ssh/authorized_keys

This should set you up nicely on the SSH side of things. Now just create the unison config files from within the unison programme or by hand. My "default.prf" file that sits in /home/<user>/.unison/ looks something like this:
Code:
# Unison preferences file

# For remote synchronisation:
# Roots of the synchronization:
root = /home/<user>/<directory>
root = ssh://<user>@<hostname>/<directory>

# For local synchronisation:
# Roots of the synchronization:
root = /home/<user>/<directory>
root = /media/<external_drive>/<directory>

# Names and paths to ignore:
include common

Note how the path to the remote directory is expressed when connecting via SSH. The line at the bottom just contains a small list of common exceptions and can be omitted.

You should then be able to run Unison as a cron job and not have it ask for a password by invoking:
Code:
$ unison -ui text -auto default.prf

Good luck!
Bruno
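An added example, not part of Bruno's notes or the magazine tutorial: a shell check for step 2 i) above that reports which sshd_config entries are commented out or differ from the notes once the key has been uploaded. The function names (`sshd_value`, `audit_sshd`, `write_sample`) and the sample configuration are constructed for illustration.

```shell
# Expected state AFTER the client's public key is uploaded (the ** entries set
# to "no"; while they stay "yes", PAM can still prompt for the account password).
EXPECTED='permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
challengeresponseauthentication no
usepam no'

# Print the effective global value of a keyword (given in lowercase).
# sshd takes the FIRST occurrence, keywords are case-insensitive, commented
# lines do not count, and "Keyword=value" is accepted as well as a space.
sshd_value() {   # usage: sshd_value <file> <keyword>
    awk -v want="$2" '
        $1 ~ /^#/              { next }
        { sub(/[ \t]*=[ \t]*/, " ") }
        tolower($1) == "match" { exit }   # assumption: only global settings are audited
        tolower($1) == want    { print tolower($2); exit }
    ' "$1"
}

# Print one line per finding; return 1 if any setting is missing or differs.
audit_sshd() {   # usage: audit_sshd <file>
    rc=0
    while read -r key want; do
        got=$(sshd_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING  $key (absent or commented out, so the sshd default applies)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "DIFFERS  $key is '$got', the notes say '$want'"; rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample: key uploaded, but the ** entries were never switched off.
write_sample() {   # usage: write_sample <path>
    cat > "$1" <<'EOF'
#PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM=yes
EOF
}
demo=$(mktemp); write_sample "$demo"; audit_sshd "$demo" || true; rm -f "$demo"
```

On a real server, `sshd -T` (run as root) prints the effective configuration and is the authoritative check; this script only reads the global section of the file.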
guttagrynna



Joined: Thu Nov 15, 2012 8:41 pm
Posts: 3
Location: Stockholm, Sweden

Posted: Sun Dec 09, 2012 8:29 pm

Thanks Bruno,

I will study your instructions. A quick read-through gave me the impression that I would have to give up normal ssh login by password. That's a bit worrying because this is a Dreamplug computer with no video output of its own so the only way to access it is over the network, or by a little thingy called jtag.

/Mårten
nelz
Site admin


Joined: Mon Apr 04, 2005 12:52 pm
Posts: 8368
Location: Warrington, UK

Posted: Sun Dec 09, 2012 10:09 pm

If you have a key, SSH will try to use that to login. If no suitable key is present, you will be asked for a password, so you can use keys and passwords alongside one another.

For example, I have no keys set up on my phone because it is easily lost or stolen, so connecting from that requires a password, while I can connect from my laptop with no password because that has keys set up.
_________________
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
MartyBartfast
LXF regular


Joined: Mon Aug 22, 2005 8:25 am
Posts: 806
Location: Hants, UK

Posted: Mon Dec 10, 2012 10:07 am

Thanks Bruno! On Friday afternoon a DBA came to me with a problem doing X forwarding on one of his boxes, I had a look and couldn't figure out the problem but it was getting late and he wanted to go home so we left it broken. I thought I'd checked everything and was expecting a real headache when I got in this morning, but then I read your post on Sunday, saw this bit

Bruno wrote:

...
2) Server Configuration
i) Check that the following entries have these settings in the /etc/ssh/sshd_config file and that they are uncommented:
Code:

...
X11Forwarding no****


and realised that I hadn't checked that, so a quick fix as soon as I got in and he's a happy chap.
_________________
I have been touched by his noodly appendage.
Bruno
LXF regular


Joined: Tue Sep 18, 2007 7:07 pm
Posts: 139
Location: Cambridgeshire, UK

Posted: Mon Dec 10, 2012 1:54 pm

Hi Folks,

Mårten: The keys protect SSH once you have them set up, this is public key authentication. I use password authentication to log into the server computer for the initial transmission of the client computer's public key to the server computer. Once this is done, I disable password access. However, at no time is the SSH connection open to someone who neither has my password on the server nor my private key on their client, so my connection is protected.

Using this method obviates the need to enter a password upon connection to the server and hence allows services that require this connection in order to perform their task to be automated. I suspect the reason why cron won't play nicely with gnome keyring is because cron isn't part of any desktop, so it doesn't know it should go via a desktop application to do authentication.

You will find this route a departure from what you are used to, I did when I started, but work through it and it will pay dividends. Just be sure to back-up any config file you want to edit before committing changes and make sure you always have a way back if you get out of your depth.

MartyBartfast: Thanks, I'm glad my reply was useful. I didn't know how much to include so I thought I'd include everything from my notes, as they are pretty comprehensive. All credit to Nelz, though, for the tutorial in LXF 119, as that navigated me through SSH on my first go.
nelz
Site admin


Joined: Mon Apr 04, 2005 12:52 pm
Posts: 8368
Location: Warrington, UK

Posted: Mon Dec 10, 2012 2:30 pm

There's some more SSH coverage in LXF166.
_________________
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
Copyright 2011 Future Publishing, all rights reserved.

