Sending files via scp is failing

[davepusey]

I have the following command in a script that is run via cron...

Code:

scp -2 -4 -B /root/backups/* xxxxx@ch-s011.rsync.net:VPS02/

If i run it from the terminal (as root) without the -B flag it runs fine.

If i run it in a script via root's crontab, with the -B flag, it errors with the following...

Code:

Permission denied (publickey,keyboard-interactive).
lost connection

[chriss]

I'd suggest 'scp -v' on both and compare the output to narrow down the search area.

[edit]
Do you even need the '-B' option, since I'm guessing you're using passwordless key auth anyways?
Try the cron one without -B

[davepusey]

I need the -B or it'll just hang waiting for the password.

[chriss]

Ok, so how does cron get and send this password?

[davepusey]

It doesn't - i didn't think it would need one seeing as it is running as root.

[chriss]

In this instance, root is the local user, but the scp password being required is either:
a.) for the user xxxxx@ch-s011.rsync.net (the remote end)
b.) for the passphrase to root's keyfile (local end)

depending on how you've set up your ssh authentication.

When you run it as root from the terminal, it still asks you for the password, doesn't it?

[davepusey]

When you run it as root from the terminal, it still asks you for the password, doesn't it?

Yes it does.

[chriss]

I think you'll find this useful: Password-less logins with OpenSSH

[davepusey]

Followed those instructions and now it connects, but doesnt prompt for password at all.

This is perfect for what I want, but how secure is this?

[chriss]

This is perfect for what I want, but how secure is this?

I think the article comments say it all.

It's a toss up between security and convenience.

It depends a lot on how you use it. If you use it for the one purpose only, then only that one purpose is potentially insecure.

I understand that there are other ways to achieve the same objective (ssh-agent ?) but the principles are still the same, even though the implementation may be different.

I think it's really hard to achieve automation and security without having to hand off your password or store it in some way.

It's up to you to weigh up the risks vs. the benefits and decide if it's what you really want.

There's that old adage that the only secure computer is one that's powered off, completely disconnected and stored in the vault. But how useful is it?