SSH with cron: RSA key not accepted

I am trying to get ssh to work in cron, and it seems I have tried all the standard tricks with no success at all. I can run a non-interactive ssh using

 >./some_script_with_ssh 

in bash. It is only when I try to use it in cron that it fails. Any help I could get would be greatly appreciated.

Here is some of the data requested in similar questions:

My user's crontab

 PATH = /home/zach/.ssh/:/usr/bin
 52 * * * * ssh -vvv my_account@my_remote "touch temp.temp"

Printout from the e-mail cron sent me

 OpenSSH_7.3p1 Ubuntu-1, OpenSSL 1.0.2g 1 Mar 2016
 debug1: Reading configuration data /etc/ssh/ssh_config
 debug1: /etc/ssh/ssh_config line 19: Applying options for *
 debug2: resolving "my_remote" port 22
 debug2: ssh_connect_direct: needpriv 0
 debug1: Connecting to my_remote [IP_HERE] port 22.
 debug1: Connection established.
 debug1: identity file /home/zach/.ssh/id_rsa type 1
 debug1: key_load_public: No such file or directory
 debug1: identity file /home/zach/.ssh/id_rsa-cert type -1
 debug1: Enabling compatibility mode for protocol 2.0
 debug1: Local version string SSH-2.0-OpenSSH_7.3p1 Ubuntu-1
 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
 debug1: match: OpenSSH_6.2 pat OpenSSH* compat 0x04000000
 debug2: fd 3 setting O_NONBLOCK
 debug1: Authenticating to my_remote:22 as 'my_account'
 debug3: hostkeys_foreach: reading file "/home/zach/.ssh/known_hosts"
 debug3: record_hostkey: found key type ECDSA in file /home/zach/.ssh/known_hosts:1
 debug3: load_hostkeys: loaded 1 keys from my_remote
 debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
 debug3: send packet: type 20
 debug1: SSH2_MSG_KEXINIT sent
 debug3: receive packet: type 20
 debug1: SSH2_MSG_KEXINIT received
 debug2: local client KEXINIT proposal
 debug2: KEX algorithms: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
 debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
 debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
 debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
 debug2: compression ctos: none,[email protected],zlib
 debug2: compression stoc: none,[email protected],zlib
 debug2: languages ctos:
 debug2: languages stoc:
 debug2: first_kex_follows 0
 debug2: reserved 0
 debug2: peer server KEXINIT proposal
 debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
 debug2: host key algorithms: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
 debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
 debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
 debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
 debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
 debug2: compression ctos: none,[email protected]
 debug2: compression stoc: none,[email protected]
 debug2: languages ctos:
 debug2: languages stoc:
 debug2: first_kex_follows 0
 debug2: reserved 0
 debug1: kex: algorithm: ecdh-sha2-nistp256
 debug1: kex: host key algorithm: ecdsa-sha2-nistp256
 debug1: kex: server->client cipher: aes128-ctr MAC: [email protected] compression: none
 debug1: kex: client->server cipher: aes128-ctr MAC: [email protected] compression: none
 debug3: send packet: type 30
 debug1: sending SSH2_MSG_KEX_ECDH_INIT
 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
 debug3: receive packet: type 31
 debug1: Server host key: ecdsa-sha2-nistp256 SHA256:K8vzLDbyV5JKlcnHsIj6BK/yR4OTJaY4fFuHpsg0FdE
 debug3: hostkeys_foreach: reading file "/home/zach/.ssh/known_hosts"
 debug3: record_hostkey: found key type ECDSA in file /home/zach/.ssh/known_hosts:1
 debug3: load_hostkeys: loaded 1 keys from my_remote
 debug3: hostkeys_foreach: reading file "/home/zach/.ssh/known_hosts"
 debug3: record_hostkey: found key type ECDSA in file /home/zach/.ssh/known_hosts:2
 debug3: load_hostkeys: loaded 1 keys from 128.97.70.146
 debug1: Host 'my_remote' is known and matches the ECDSA host key.
 debug1: Found key in /home/zach/.ssh/known_hosts:1
 debug3: send packet: type 21
 debug2: set_newkeys: mode 1
 debug1: rekey after 4294967296 blocks
 debug1: SSH2_MSG_NEWKEYS sent
 debug1: expecting SSH2_MSG_NEWKEYS
 debug3: receive packet: type 21
 debug2: set_newkeys: mode 0
 debug1: rekey after 4294967296 blocks
 debug1: SSH2_MSG_NEWKEYS received
 debug2: key: /home/zach/.ssh/id_rsa (0x55f6f6440f50)
 debug3: send packet: type 5
 debug3: receive packet: type 6
 debug2: service_accept: ssh-userauth
 debug1: SSH2_MSG_SERVICE_ACCEPT received
 debug3: send packet: type 50
 debug3: receive packet: type 51
 debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
 debug3: start over, passed a different list publickey,gssapi-with-mic,password,keyboard-interactive
 debug3: preferred publickey,keyboard-interactive
 debug3: authmethod_lookup publickey
 debug3: remaining preferred: keyboard-interactive
 debug3: authmethod_is_enabled publickey
 debug1: Next authentication method: publickey
 debug1: Offering RSA public key: /home/zach/.ssh/id_rsa
 debug3: send_pubkey_test
 debug3: send packet: type 50
 debug2: we sent a publickey packet, wait for reply
 debug3: receive packet: type 60
 debug1: Server accepts key: pkalg ssh-rsa blen 279
 debug2: input_userauth_pk_ok: fp SHA256:jsePXa9FO8c9f0bVwdgvXMJQ2GyHVqz5spaO13EQ0/M
 debug3: sign_and_send_pubkey: RSA SHA256:jsePXa9FO8c9f0bVwdgvXMJQ2GyHVqz5spaO13EQ0/M
 debug1: read_passphrase: can't open /dev/tty: No such device or address
 debug2: no passphrase given, try next key
 debug2: we did not send a packet, disable method
 debug3: authmethod_lookup keyboard-interactive
 debug3: remaining preferred:
 debug3: authmethod_is_enabled keyboard-interactive
 debug1: Next authentication method: keyboard-interactive
 debug2: userauth_kbdint
 debug3: send packet: type 50
 debug2: we sent a keyboard-interactive packet, wait for reply
 debug3: receive packet: type 60
 debug2: input_userauth_info_req
 debug2: input_userauth_info_req: num_prompts 1
 debug1: read_passphrase: can't open /dev/tty: No such device or address
 debug3: send packet: type 61
 debug3: receive packet: type 51
 debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
 debug2: userauth_kbdint
 debug3: send packet: type 50
 debug2: we sent a keyboard-interactive packet, wait for reply
 debug3: receive packet: type 60
 debug2: input_userauth_info_req
 debug2: input_userauth_info_req: num_prompts 1
 debug1: read_passphrase: can't open /dev/tty: No such device or address
 debug3: send packet: type 61
 debug3: receive packet: type 51
 debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
 debug2: userauth_kbdint
 debug3: send packet: type 50
 debug2: we sent a keyboard-interactive packet, wait for reply
 debug3: receive packet: type 60
 debug2: input_userauth_info_req
 debug2: input_userauth_info_req: num_prompts 1
 debug1: read_passphrase: can't open /dev/tty: No such device or address
 debug3: send packet: type 61
 debug3: receive packet: type 51
 debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
 debug2: we did not send a packet, disable method
 debug1: No more authentication methods to try.
 Permission denied (publickey,gssapi-with-mic,password,keyboard-interactive).

Permissions on the local RSA files

 >ls -l ~/.ssh/
 total 12
 -rw------- 1 zach zach 1766 Dec 22 13:47 id_rsa
 -rw-r--r-- 1 zach zach 419 Dec 4 2015 id_rsa.pub
 -rw-r--r-- 1 zach zach 1332 Dec 21 13:51 known_hosts

Permissions on the local home directory

 >ls -l ~/..
 total 20
 drwx------ 2 root root 16384 Jul 17 2015 lost+found
 drwx------ 67 zach zach 4096 Dec 22 16:05 zach

Permissions on the local ~/.ssh folder

 drwx------ 2 zach zach 4096 Dec 22 15:11 .ssh 

Permissions on the remote home directory

 drwx------ 31 my_account grad 4096 Dec 22 13:57 my_account 

Permissions on the remote RSA files

 > ls -l ~/.ssh/
 total 12
 -rwx------ 1 my_account grad 419 Dec 4 2015 authorized_keys
 -rw------- 1 my_account grad 36 Dec 20 22:45 config
 -rw------- 1 my_account grad 223 Sep 10 14:51 known_hosts

Permissions on the remote ~/.ssh folder

 > ls -l ~
 drwx------ 2 my_account grad 4096 Dec 20 22:45 .ssh

Local /etc/ssh/ssh_config

 host *
     passwordauthentication no
     stricthostkeychecking no
     identityfile ~/.ssh/id_rsa
     sendenv lang lc_*
     hashknownhosts yes

Remote /etc/ssh/ssh_config

 > cat /etc/ssh/ssh_config
 Host *
     Protocol 2
     ServerAliveInterval 120
     TCPKeepAlive no
     ConnectTimeout 5
     NoHostAuthenticationForLocalhost yes
     PreferredAuthentications gssapi-with-mic,publickey,keyboard-interactive,password
     GSSAPIAuthentication yes
     SendEnv "LOGNAME LANG LC_*"
     ForwardX11Trusted yes

My ssh key is not password-protected.

 >env | grep SSH
 SSH_AGENT_LAUNCHER=gnome-keyring
 SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
 (I am user 1000)

I have also tried using the -n, -T, -t and -t -t options for ssh, with no noticeable difference.

 debug1: Offering RSA public key: /home/zach/.ssh/id_rsa
 debug3: send_pubkey_test
 debug3: send packet: type 50
 debug2: we sent a publickey packet, wait for reply
 debug3: receive packet: type 60
 debug1: Server accepts key: pkalg ssh-rsa blen 279
 debug2: input_userauth_pk_ok: fp SHA256:jsePXa9FO8c9f0bVwdgvXMJQ2GyHVqz5spaO13EQ0/M
 debug3: sign_and_send_pubkey: RSA SHA256:jsePXa9FO8c9f0bVwdgvXMJQ2GyHVqz5spaO13EQ0/M
 debug1: read_passphrase: can't open /dev/tty: No such device or address
 debug2: no passphrase given, try next key

Your key is password-protected, but you probably did not notice, because you are using gnome-keyring, which takes care of it. So what are the options:

  • Use a separate key, which is not encrypted, for cron jobs, because you still have no reasonable and secure way to provide a passphrase in a cron job. This is preferred.

  • If you don't mind storing the password in clear text, use sshpass:

     sshpass -p your_passphrase ssh -vvv my_account@my_remote "touch temp.temp"

  • Another possibility is to try to "hijack" the connection to your gnome-keyring (using the SSH_AUTH_SOCK environment variable). But note that this might not always work (once you log out of your graphical session, the gnome-keyring will no longer work and you will see the failures again):

     SSH_AUTH_SOCK=/run/user/1000/keyring/ssh ssh -vvv my_account@my_remote "touch temp.temp"
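
The diagnosis in the answer above can be checked without going through gnome-keyring, because a private key file states in its own header whether it is encrypted. The following is an added example, not part of the original question or answer: the function names and both sample keys are constructed for illustration, and the check reads only the legacy PEM headers, the PKCS#8 label and the cipher name of an openssh-key-v1 file.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\0"  # AUTH_MAGIC from OpenSSH's PROTOCOL.key

def key_cipher(pem_text):
    """Return the cipher encrypting a private key file, or None if it is stored in the clear."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted container
        return "pkcs8"
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack_from(">I", blob, off)  # length-prefixed ciphername
        name = blob[off + 4:off + 4 + n].decode("ascii")
        return None if name == "none" else name
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is announced in headers.
    if "Proc-Type: 4,ENCRYPTED" in lines:
        dek = [ln for ln in lines if ln.startswith("DEK-Info:")]
        return dek[0].split(":", 1)[1].split(",")[0].strip() if dek else "unknown"
    return None

def usable_from_cron(pem_text):
    """With no tty and no SSH_AUTH_SOCK (cron's default), only an unencrypted key can sign."""
    return key_cipher(pem_text) is None

def sample_openssh_key(cipher):
    """Constructed sample: only the header fields this check reads, no key material."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    body = base64.b64encode(blob).decode("ascii")
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + "\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed sample: legacy PEM headers of a passphrase-protected RSA key (body is a dummy).
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(key_cipher(LEGACY_ENCRYPTED), usable_from_cron(sample_openssh_key(b"none")))
```

Run against the real key file's contents, a non-None result means ssh will ask for a passphrase whenever no agent is reachable, which is the `read_passphrase: can't open /dev/tty` line in the cron log.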