# ssh connection in fcrontab (solved)

## hika

I have a synchronisation job with unison, which runs perfectly on the command line, but won't run in fcrontab.

It connects through ssh with rsa-certificate and the passphrase in keychain.

To exclude possibilities I switched the certificate temporarily for one without passphrase and told fcrontab explicitly to run as root.

I still get an access denied response.

It seems it can't find the certificate or is maybe ssh not allowing it?

Can anybody tell me what goes wrong?

Hika

Last edited by hika on Thu Mar 04, 2010 3:44 pm; edited 1 time in total

----------

## richard.scott

Can you post the cron entry (or contents of the script if it's a script) and the error output it creates?

----------

## hika

I tried several things. But the error I get by mail is

```
Permission denied (publickey,keyboard-interactive).

Fatal error: Lost connection with the server
```

My fcrontab:

```
SHELL=/bin/bash
!runas(root)

# $Header: /var/cvsroot/gentoo-x86/sys-process/fcron/files/fcrontab,v 1.1 2006/07/31 02:10:49 wschlich Exp $

# Script for checking system crontabs and creating the fcron systab.
# Runs every 10 minutes, does not mail output, doesn't log job runs
# except for errors.
@mail(false),nolog(true) 10 /usr/sbin/check_system_crontabs -s 0

# 30 4 * * * /root/unison/sync-nwusers.sh
15 15 * * * /root/unison/sync-dkw.sh
# 10 19 * * * /root/mount-users.sh
# 30 19 * * * /usr/bin/unison dkw
# 15 4 * * * /usr/bin/unison vb
# 30 4 * * * /usr/bin/unison websites
# 45 4 * * * /usr/bin/unison mail
# 0 8 * * * /root/umount-users.sh
# 10 23 * * * scp /root/dead.letter ultra2.trev:/root/
```

The marked out entries are trials and in essence the contents of the first script.

The last script I tried:

```
#!/bin/bash
/root/mount-users.sh
unison dkw
ncpumount /home/samba/nwusers
```

As said, to eliminate an error with keychain I temporarily replaced the key for one without passphrase.

The scripts work ok on the command line.

The root privileges are ok for else it couldn't read the scripts and also the ncpmount works.

And the error looks like one from ssh, so either it can't find the key or ssh on the other site doesn't accept it in this situation.

The error log on the receiving server ultra2 shows

```
Mar  4 15:15:02 [sshd] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gentooserver.dkw  user=root

Mar  4 15:15:04 [sshd] error: PAM: Authentication failure for root from gentooserver.dkw

Mar  4 15:15:04 [sshd] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gentooserver.dkw  user=root

Mar  4 15:15:06 [sshd] error: PAM: Authentication failure for root from gentooserver.dkw

Mar  4 15:15:06 [sshd] pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gentooserver.dkw  user=root

Mar  4 15:15:08 [sshd] error: PAM: Authentication failure for root from gentooserver.dkw

Mar  4 15:37:35 [sshd] Accepted publickey for root from 192.168.222.49 port 2159 ssh2

Mar  4 15:37:35 [sshd] pam_unix(sshd:session): session opened for user root by (uid=0)

```

The later one is me dropping in to check the log.

Hika

----------

## richard.scott

I don't know if the "!runas(root) " is not running commands as root?

Either try removing this, or try using this in your scripts:

```
ssh -i /root/.ssh/id_rsa [command]
```

That will make the scripts use root's authentication details to log on to the remote server with.

Rich

----------

## hika

I added that "!runas(root)" later while testing, but it didn't matter.

The ssh switch I have in my unison script.

```
rshargs= -Ci /root/.ssh/id-gentoo
```

Since unison calls ssh I cannot directly add the switch.

Could it be that I should separate the two switches? I know some programs do want that. I try anyway without the compression switch.

Hika

----------

## richard.scott

You could try putting it in speech marks, i.e.

```
rshargs=" -Ci /root/.ssh/id-gentoo"
```

I'm not sure if that would help.

Can you get ssh to connect via cron (outside of your script)? For example, can you run this via cron:

```
ssh {remotehostname} ls -alh /tmp
```

That would test if it's a unison thing, or an ssh thing.

Rich

----------

## hika

I was thinking the same. Without the C it doesn't work.

How can I use ssh in a cron job? I tried scp, but that gave the same error.

Hika

----------

## richard.scott

add this to your crontab:

```
* * * * * ssh {remotehostname} ls -al /tmp
```

That will send you an email every min with the output from the ls command.

It will also send you an email if the authentication fails too.

Rich

----------

## hika

I found it. rshargs is deprecated and should be sshargs. I just missed that in the manual. And on the command line it finds the key automatically.

Thanks, I was starting to stare at a blind wall and somebody else's perspective then often helps to find the blind spot.

Now checking if it also works with keychain!

Hika

----------

## hika

It works, but only with a key without passphrase. For some reason it doesn't look at ssh-agent/keychain for the passphrase. Even if I include keychain activation to the script.

```
eval '/usr/bin/keychain --agents ssh --eval id_rsa'
```

Anybody any ideas?

Hika

----------
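Added example, not part of the thread: a cron job starts without the `SSH_AUTH_SOCK` of a login shell, so a wrapper can import the agent settings keychain saved at an interactive login and confirm a key is actually loaded before ssh or unison runs. The function names, the `KEYCHAIN_ENV` variable, the exit codes 3 and 4 and the `with-agent.sh` path are assumptions for illustration; `~/.keychain/<hostname>-sh` is keychain's default env file.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and KEYCHAIN_ENV are
# hypothetical; the env file path is keychain's default, ~/.keychain/<host>-sh.

KEYCHAIN_ENV=${KEYCHAIN_ENV:-$HOME/.keychain/$(uname -n)-sh}

# Import the agent variables keychain saved at an interactive login.
# Returns 0 only if SSH_AUTH_SOCK then names an existing socket.
load_agent_env() {
    unset SSH_AUTH_SOCK SSH_AGENT_PID       # never trust inherited values
    [ -r "$1" ] || return 1
    . "$1"
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Translate the exit status of `ssh-add -l` into a word.
# 0 = agent holds keys, 1 = agent reachable but empty, 2 = no agent.
agent_state() {
    case "$1" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Run "$@" only when an agent with at least one unlocked key is available.
# Exit codes 3 and 4 are this wrapper's own, chosen for the example.
run_with_agent() {
    if ! load_agent_env "$KEYCHAIN_ENV"; then
        echo "no agent socket from $KEYCHAIN_ENV" >&2
        return 3
    fi
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    if [ "$(agent_state "$rc")" != loaded ]; then
        echo "agent is $(agent_state "$rc"); unlock the key interactively first" >&2
        return 4
    fi
    "$@"
}

# Hypothetical fcrontab use:
#   15 15 * * * /root/unison/with-agent.sh /root/unison/sync-dkw.sh
if [ "$#" -gt 0 ]; then
    run_with_agent "$@"
fi
```

The wrapper never prompts for a passphrase: a key has to be unlocked once from an interactive login, and the mailed cron output then says whether the agent was missing or empty.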

