1

I'm trying to set up backing up some folder from one server (target server) to another (backup server) using rsync. I also need to call rsync from backup server so it's easier to maintain backup settings for multiple servers in one place.

To achieve this I am trying to add rsync command to crontab on backup server so my files sync periodically. The command looks like the following:

rsync -av --delete target_server_user@target_server:/path/to/directory/ /path/to/directory

As far as I know, rsync uses SSH for transport by default. When I run the command manually, it asks for password for the remote_server_user. While it's OK for one-time manual sync, it apparently doesn't allow for scheduled periodic sync using cron.

So I've created auth key pair on backup server with ssh-keygen, added created identity to target server with ssh-copy-id. But when I try to call rsync it asks for password. Then I found out that I need to add the identity to ssh-agent. And then I found out that the ssh-agent is not even running on backup server using this answer.

Then I launched it with eval `ssh-agent -s`, added the identity with ssh-add path/to/identity, checked that the identity was added with ssh-add -L, and successfully ran the rsync command above manually.

However after closing ssh connection to the backup server and connecting again as the same user, I get non-running ssh-agent. And when I start it I see no identities added in output of ssh-add -L. And as a result rsync command asks for password.

Is this a feature of Ubuntu Server (I have never had to launch ssh-agent manually on my Ubuntu desktop)?

And when I fix ssh-agent and I add rsync command above to crontab, will it be able to use the identity added in add-ssh command? If ssh-agent and added identities are only available for the logged in user, it seems like I am going in wrong direction.

Or maybe there is a better way to set up periodic scheduled sync of directory?

I tried to set up rsync in daemon mode with creating all those rsyncd.conf, secrets and so on. But after successfully running that simple rsync command manually, it feels like it does what I need without lots of configuration. Except for non working ssh authorization.

Den Kasyanov

2 Answers

1

One work-around people typically use is to create a service specific ssh keypair that is not secured with a passphrase.


For security on the remote server you use the extra options in the ~/.authorized_keys file to place restrictions on what access is granted with that private key.

For instance, options can vary from what IP address access is granted from, with from="10.9.8.7", and you can restrict it so that only rsync can be started with command="/bin/rsync" and prevent interactive login sessions and such with no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding, and get an entry that looks like:

~/.ssh/authorized_keys
command="/bin/rsync",from="10.9.8.7",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAxxxxx..more..public..key..data   Comment=This key can only be used for  remote backup
HBruijn
  • Thank you for your answer, but unfortunately I still can't run rsync command via crontab (and manually after logout) even with unrestricted ssh keypair. – Den Kasyanov Mar 25 '19 at 18:44
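The restrictions named in the answer above (command=, from=, no-pty) can be checked on the target server with a small audit script. This is an added example, not code from the answer: the function names are hypothetical, and the check is a heuristic that assumes the key type and base64 key data do not appear inside a quoted option value.

```shell
#!/bin/sh
# Added example: flag authorized_keys entries that lack the restrictions
# discussed in the answer (command=, from=, no-pty or restrict).
# Heuristic only: option values containing commas or key-like text can fool it.

# Print the options field of one authorized_keys line (empty if none).
# Options come before the key type; quoted values may contain spaces.
key_options() {
  printf '%s\n' "$1" | sed -E \
    's/(^|[[:space:]]+)(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[^[:space:]]+|sk-[^[:space:]]+)[[:space:]]+AAAA.*$//'
}

# Print "ok" or the space-separated list of missing restrictions.
audit_line() (
  # sshd treats option names case-insensitively, so compare in lower case.
  opts=$(key_options "$1" | tr '[:upper:]' '[:lower:]')
  missing=""
  case ",$opts," in *,command=\"*) ;; *) missing="${missing:+$missing }command=" ;; esac
  case ",$opts," in *,from=\"*) ;; *) missing="${missing:+$missing }from=" ;; esac
  case ",$opts," in
    *,no-pty,*|*,restrict,*) ;;
    *) missing="${missing:+$missing }no-pty" ;;
  esac
  echo "${missing:-ok}"
)

# Report every weak entry in a file; exit status is non-zero if any is found.
audit_file() (
  n=0
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in ''|'#'*) continue ;; esac
    result=$(audit_line "$line")
    if [ "$result" != "ok" ]; then
      echo "line $n: missing $result"
      bad=$((bad + 1))
    fi
  done < "$1"
  [ "$bad" -eq 0 ]
)

# Stand-alone use: sh audit.sh ~/.ssh/authorized_keys
[ "$#" -eq 0 ] || audit_file "$1"
```

A passphrase-less backup key that shows up as missing command= or from= can be used for a full interactive login from any host if the private key leaks.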
0

So I was able to set up sync by explicitly specifying path to identity file in -e flag as follows. The solution is even simpler than I wanted. In this case I don't have to think about managing ssh-agent and adding an identity.

rsync -ave "ssh -i /path/to/key" --delete target_server_user@target_server:/path/to/directory/ /path/to/directory

Helpful answer: https://unix.stackexchange.com/a/127355

Den Kasyanov