Rsync password asked even after generating key (while ssh works passwordless)

Turbocapitalist · 06-17-2013, 04:50 AM

The remote server should need no special configuration. Nor should rsync ask for the password. It should ask for the passphrase if it is using the key. Can you post a sanitized version of what you are currently typing with rsync? What is the remote user, not root I hope?

frsechet · 06-17-2013, 05:03 AM

Right now my rsync command is:

Code:

sync -ave ssh --exclude /home/owncloud /home remote_IP::NetBackup/VPS_backup

The remote user for which the key is setup is root... Why does it matter?

But then, if I do:

Code:

sync -ave ssh --exclude /home/owncloud /home user@remote_IP::NetBackup/VPS_backup

It asks me for a password twice:

Code:

user@remote_IP's password: 
Password: 
sending incremental file list
[...]
sent 1932570 bytes  received 10699 bytes  117773.88 bytes/sec
total size is 3868894202  speedup is 1990.92

The first password because I don't use a key for this user, and the second being...?????

Turbocapitalist · 06-17-2013, 05:49 AM

'sync' is different than 'rsync', maybe that's a typo.

If you're using the key, that needs to be specified with ssh using -i, if that is missing then it will ask you for the password to the account instead of the passphrase for the key. See the examples above for the syntax.

About logging in remotely as root, it's generally discouraged. If you are insistent upon it, you can make it use keys only by setting 'PermitRootLogin' to “without-password”, “forced-commands-only”, or “no”.

frsechet · 06-17-2013, 06:04 AM

Yes, rsync, not sync, it was a typo (didn't go all the way copy-pasting...).

Still, using the code below with ssh -i, it still asks me for the 2nd password...

Code:

rsync -ave "ssh -i /root/.ssh/id_rsa" --exclude /home/owncloud /home remote_IP::NetBackup/VPS_backup

Turbocapitalist · 06-17-2013, 06:28 AM

You have set up the public key in /root/.ssh/authorized_keys, all on a single line with no breaks?

pix9 · 06-17-2013, 06:32 AM

why don't you simply try

Code:

#rsync -ar <source-file> user@<ip-of-remote-server>:/path/to/destination/folder

to the best of my knowledge rsync by defaults uses ssh protocol encryption for transfering stuff over network. I don't understad why are you again telling the command to use ssh protocol?

Regards.

frsechet · 06-17-2013, 06:37 AM

When I do this (single colon), I get this error:

Code:

rsync -ar --exclude /home/owncloud /home remote_IP:/NetBackup/VPS_backup
rsync: mkdir "/NetBackup/VPS_backup" failed: No such file or directory (2)
rsync error: error in file IO (code 11) at main.c(615) [Receiver=3.0.8]
rsync: connection unexpectedly closed (9 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(601) [sender=3.0.7]

And with double colon :: it also asks for a password! I still think this has nothing to do with SSH (which works great without ever entering any password) but with rsync somewhere inside the remote server.

@Turbocapitalist: yes.

pix9 · 06-17-2013, 06:52 AM

Code:

rsync: mkdir "/NetBackup/VPS_backup" failed: No such file or directory (2)

this line in error is indicating that there is no directory by that name on remote host on which you are trying to copy file.

make sure you have that directory on remote server server.

for the other part of error, I didn't understood much but you can try to fix atleast known problem.

regards

frsechet · 06-17-2013, 06:56 AM

The thing is, the directory does exist, and everything works perfectly when I use the double colon. I only used single colon because you suggested so...
Rsync works on that exact directory but only with the double colon.

What I'm trying to do is being able to use rsync as a cronjob, without having to enter the second password (as we have I think proved that the problem doesn't come from the first password, the one that says "user@remote_ip's password"...)
My opinion is that the NAS has modified rsync somehow, and the result is that I have to enter my root password each time I'm trying to connect to the module (not just the server!).

lleb · 06-17-2013, 11:34 AM

one thing ive noticed on all of your copy/paste for code frsechet is that you are still not putting in the USER@ in your rsycn command.

this very well could be a cause of your issue. again go back to my first example and follow that format. copy/paste the full redacted output.

frsechet · 06-17-2013, 11:52 AM

Hi Lieb,

Alright, here we go, this time with user@...
It doesn't make any difference at all (user is root whether I specify the user or not).

Code:

rsync -r -e  'ssh -va' /test root@remote_IP::NetBackup/test
OpenSSH_5.5p1 Debian-6+squeeze3, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to remote_IP port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p1-hpn13v11
debug1: match: OpenSSH_5.8p1-hpn13v11 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'remote_IP' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: rsync --server --daemon .
Password: 
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 2888, received 2896 bytes, in 3.0 seconds
Bytes per second: sent 949.4, received 952.0
debug1: Exit status 0

As you can see, the "Password" line happens well after I SSH into the remote server, right after it sends the rsync command.

If I connect as any other user (not root, without a rsa key), here is what happens:

Code:

rsync -r -e  'ssh -va' /test user@remote_IP::NetBackup/test
OpenSSH_5.5p1 Debian-6+squeeze3, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to remote_IP port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p1-hpn13v11
debug1: match: OpenSSH_5.8p1-hpn13v11 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'remote_IP' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
user@remote_IP's password: 
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: rsync --server --daemon .
Password: 
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 2392, received 2640 bytes, in 2.3 seconds
Bytes per second: sent 1033.0, received 1140.0
debug1: Exit status 0

As you can see, it asks me twice for a password, which is not normal. The first one is quite logically the password of the user on that machine, the second one is the root password of the remote server. I think that the remote server is checking if that particular user has the right to use the service/module, because I just tried with a low-level user (that has a very limited access to the server), and sure enough, immediately after the second password is asked I get:

Code:

@ERROR: service disabled
rsync error: error starting client-server protocol (code 5) at main.c(1524) [sender=3.0.7]

lleb · 06-17-2013, 04:52 PM

please print the results of ls -laF (those are lower case Ls, not ones) from both systems of ~/.ssh/ directories.

the above is looking like a permissions issue, not a key issue.

should look something like the following:

Code:

[user@server ~]$ ls -laF ~/.ssh/
total 48
drwx------.  2 ray ray 4096 Mar 14 15:23 ./
drwx------. 19 ray ray 4096 Jun 17 13:39 ../
-rw-------.  1 ray ray 4466 Mar 12 10:30 authorized_keys
-rw-r--r--.  1 ray ray  175 Jan  5 12:23 config
-r--------.  1 ray ray 3243 Jan  5 12:14 id_rsa
-rw-r--r--.  1 ray ray  741 Jan  5 12:14 id_rsa.stuff.pub
-rw-r--r--.  1 ray ray  741 Jan  5 12:14 id_rsa.pub
-rw-r--r--.  1 ray ray  752 Jan  5 17:08 id_rsa.pub.remote
-rw-r--r--.  1 ray ray  741 Jan 22 12:22 id_rsa.pub.foo
-rw-r--r--.  1 ray ray  749 Jan  6 19:14 id_rsa.pub.foo2
-rw-r--r--.  1 ray ray 1842 Jun 13 14:35 known_hosts

frsechet · 06-17-2013, 06:23 PM

Alright, here's on my source server:

Code:

total 28
drwxr-xr-x 2 root root 4096 Jun 17 23:55 ./
drwx------ 5 root root 4096 Jun 17 18:40 ../
-rw------- 1 root root 1862 Jun 17 13:31 authorized_keys
-rw-r--r-- 1 root root  507 Mar  3 11:32 authorized_keys2
-rw------- 1 root root 1679 May 30 12:09 id_rsa
-rw-r--r-- 1 root root  395 May 30 12:09 id_rsa.pub
-rw-r--r-- 1 root root  884 Mar 17 16:14 known_hosts

and on my remote server

Code:

-rw-------    1 root     root           395 May 30 12:15 authorized_keys
-rw-r--r--    1 root     root           173 Nov  2  2012 known_hosts

lleb · 06-17-2013, 07:37 PM

Quote:

Originally Posted by frsechet

Alright, here's on my source server:

Code:

total 28
drwxr-xr-x 2 root root 4096 Jun 17 23:55 ./
drwx------ 5 root root 4096 Jun 17 18:40 ../
-rw------- 1 root root 1862 Jun 17 13:31 authorized_keys
-rw-r--r-- 1 root root  507 Mar  3 11:32 authorized_keys2
-rw------- 1 root root 1679 May 30 12:09 id_rsa
-rw-r--r-- 1 root root  395 May 30 12:09 id_rsa.pub
-rw-r--r-- 1 root root  884 Mar 17 16:14 known_hosts

and on my remote server

Code:

-rw-------    1 root     root           395 May 30 12:15 authorized_keys
-rw-r--r--    1 root     root           173 Nov  2  2012 known_hosts

i bolded your problem. your permissions are to lose for your private key.

frsechet · 06-18-2013, 03:54 AM

Still no.
Following what I think is the problem (something to do with rsync on the remote server because Synology modified it somehow, and not ssh), I found this. It didn't work (I still need to enter a 2nd password), but it seems to confirm that there is a password needed for using the rsync module, which has nothing to do with ssh.