0

This problem is occurring on a MacStudio running Monterey 12.6. I have a ksh script that issues an ssh command to connect to a NAS server. The script runs fine from terminal command line. It runs fine in cron when the Mac is not sleeping. If I put the Mac to sleep (or if the cron runs overnight after my screen locks), it fails with:

Permission denied, please try again.
Permission denied, please try again.
AdminID@10.0.0.135: Permission denied (publickey,password).

I created the cron job in my user ID which has admin authority. The ssh key was setup with a passphrase by my user ID using ssh-keygen. The key passphrase is in the 'local items' keychain. I've setup the associated public key on the NAS for the NAS AdminID (e.g. AdminID on NAS is just an alias for MyUserID). My .ssh/config file looks like:

Host *
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa
  User MyUserID

The script has code as follows:

if [[ $SSH_AGENT_SOCK == "" ]]; then
  export SSH_AGENT_SOCK=$(/usr/sbin/lsof -a -w -p $(pgrep ssh-agent) -U -F -n | \ 
         sed -n 's/^n//p')
fi
ssh -v -p 123 AdminID@10.0.0.135 exit

The mail that cron sent has the following:

Subject: Cron <MyUserID@MacStudio1> /Users/MyUserID/bin/BackupTasks.sh Test
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=MyUserID>
X-Cron-Env: <USER=MyUserID>
Message-Id: <20221023215731.617631C11C66@MacStudio1.localdomain>
Date: Sun, 23 Oct 2022 14:57:01 -0700 (MST)

CheckAccess: Error: Cannot ssh to AdminID@10.0.0.135::NetBackup/MacStudio1 

OpenSSH_8.6p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/MyUserID/.ssh/config
debug1: /Users/MyUserID/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to 10.0.0.135 [10.0.0.135] port 123.
debug1: Connection established.
debug1: identity file /Users/MyUserID/.ssh/id_rsa type 0
debug1: identity file /Users/MyUserID/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2
debug1: compat_banner: match: OpenSSH_8.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.0.0.135:123 as 'AdminID'
debug1: load_hostkeys: fopen /Users/MyUserID/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:1cNPPyeN3o/ncJlhdJWlzP8BSYmX1i3UX+pqTX8zAcU
debug1: load_hostkeys: fopen /Users/MyUserID/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: checking without port identifier
debug1: load_hostkeys: fopen /Users/MyUserID/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '10.0.0.135' is known and matches the ED25519 host key.
debug1: Found key in /Users/MyUserID/.ssh/known_hosts:1
debug1: found matching key w/out port
debug1: check_host_key: hostkey not known or explicitly trusted: disabling UpdateHostkeys
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/MyUserID/.ssh/id_rsa RSA SHA256:/fsQmP5UzRhE7Z08P3J5p362K3jPotWq3JxnVPccIMs explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/MyUserID/.ssh/id_rsa RSA SHA256:/fsQmP5UzRhE7Z08P3J5p362K3jPotWq3JxnVPccIMs explicit
debug1: Server accepts key: /Users/MyUserID/.ssh/id_rsa RSA SHA256:/fsQmP5UzRhE7Z08P3J5p362K3jPotWq3JxnVPccIMs explicit
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: Device not configured
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
NBadmin@10.0.0.10: Permission denied (publickey,password).

So it appears that I have connected to the ssh agent (SSH_AUTH_SOCK is the same as while in Terminal - i.e /private/tmp/com.apple.launchd.mwxteEeOeKa/Listeners ), so it appears the agent didn't shut down because the Mac is sleeping. I believe the above is saying it cannot get the passphrase from the keychain.

I'm not a keychain expert, but my understanding is there are three classes of keychain service:

  1. Key is always accessible
  2. Key is available from last login until next reboot.
  3. Key is available while logged in.

I guessing my ssh key passphrase is in the third class mentioned above and that is why the passphrase is inaccessible.

So, anyway, I guess I'm looking for a reasonably secure way to run a cron job that needs an ssh key. I'm not sure whether I get logged out when the screen locks or not. Assuming I'm not logged out, I think I would be OK if the key remained accessible from last login to reboot (which is generally all the time - I don't shutdown). But I'm not sure how to get my ssh key into that class or whether this is not secure. This is a home computer and I'm basically the only user. The computer and NAS are on a local network behind an Xfinity gateway/modem.

Update: I tried setting the Energy Saver to Prevent Automatically Sleep When display is off, and then ran after locking the screen. It didn't help.

Things I haven't done:

  • Use a key without a passphase. (Not best for security - and then the key ends up in Time Machine and is set to the NAS and then the cloud - though planning on encrypting the data sent to cloud.)
  • Set up an SSH key for root and run the cron in root. (Probably not great to run in root in general).

Can anyone suggest a path forward?

ric982
  • 1
  • 2
  • You could try to unlock the Keychain from script. There's a `security unlock-keychain ` tool that can do this for you. It requires a password input – Bram Oct 24 '22 at 07:49
  • Well to automate that, I would have to put the password in the script which is not a good thing for security (it shows in commands like ps). And if that password got exposed then all the keys in the key ring would be exposed. And the script with the password would be in backup data sent to the NAS. – ric982 Oct 26 '22 at 02:54
  • Poking around I've read about doing some things on the remote server side in ssh/config to limit which host can access with a given key and what commands they can issue and then leaving the key in the clear on the local host. If I was just doing harmless stuff (like queries), this would work. If I created a script that provided the accessor functions I wanted that limited the scope of what could be done and only allowed that script, it might be pretty safe. In my case, one of the commands is rsync in deamon mode and I'm not sure how I would limit things in that case. – ric982 Oct 26 '22 at 02:57
  • I've also read something about the error complaining there is no input defined for the script. If you search around, you might find a way to set your $TTY environment variable, which might solve your issue – Bram Oct 26 '22 at 09:48
  • I can see that ssh is trying to get to the key chain, so I don't think it is a tty problem. At this point, the only thing really I need to schedule is "sudo tmutil enable' and 'sudo tnutil disable' which don't need ssh, but I wanted to use sftp to push a touch file on to the NAS to show that they had run (e.g. one place to look for status). I'm doing this with the windows backup tasks I run automated, but can't get this to work in cron when I'm looged off. For now, I've just disabled the touch file part and am living with the log file I have on the mac to make sure it is running OK. – ric982 Oct 30 '22 at 16:43

0 Answers0