I need to execute rsync, without it prompting me for password.
I’ve seen in rsync manpage that it doesn’t allow specifying the password as command line argument.
But I noticed that it allows specifying the password via the variable RSYNC_PASSWORD.
So I’ve tried exporting the variable, but rsync keeps asking me for password.
export RSYNC_PASSWORD="abcdef" rsync <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="26544949526617081408150812">[email protected]</a>:/abc /def
What am I doing wrong?
Please consider:
- I understand that this is a bad idea from security aspect
- I must use only
rsync, can’t use other software - I can’t use key-based authentication
- I’ve already read many SE question, e.g.:
how-to-pass-password-for-rsync-ssh-command @ stackoverflow.com
rsync-cron-job-with-a-password @ superuser.com
how-to-setup-rsync-without-password-with-ssh-on-unix-linux @ superuser.com
In other words, I need to have the RSYNC_PASSWORD approach working! 🙂
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
If the rsync daemon isn’t running on the target machine, and you don’t care about exposing passwords to everyone on the local machine (Why shouldn’t someone use passwords in the command line?), you can use sshpass:
sshpass -p "password" rsync <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="7d0f1212093d4c534f534e5349">[email protected]</a>:/abc /def
Note the space at the start of the command, in the bash shell this will stop the command (and the password) from being stored in the history. I don’t recommend using the RSYNC_PASSWORD variable unless absolutely necessary (as per a previous edit to this answer), I recommend suppressing history storage or at least clearing history after. In addition, you can use tput reset to clear your terminal history.
Method 2
This password environment variable appears only to be used when using the rsync protocol:
rsync rsync://<a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="661315031408070b032657485448554852">[email protected]</a>:/abc /def
For this to work, you need to run rsync as a daemon as well (--daemon option), which is often done using inetd.conf.
When using this protocol, abc should correspond to a target defined in /etc/rsyncd.conf. The user name should be present in a auth users line for this target, and a password file should be specified with the secrets file option.
It is this secrets file that contains mappings between user names and passwords in the following format:
username:password
And it is this password that you can specify using the RSYNC_PASSWORD environment variable.
Method 3
Very useful for scripting is to use --password-file command line option.
- Create empty file called rsync_pass
- write in password to this file (nothing more)
chmod 600 rsync_passrsync $args --password-file=rsync_pass [email protected]::/share localdirectory
This can be used for scripting and allows to be more secure that just exporting password to system variable.
Method 4
You can use standard ssh identities to do passwordless login. This is handled by default if you have a ~/.ssh/id_rsa or the like, but you can also hardcode your own path to the private key of an authorized keypair.
This allows batching/scripting without exposing passwords, and the public key can be remove from the target server if the private key is ever compromised.
rsync -e"ssh -i /path/to/privateKey" -avR $sourcedir ${ruser}@${rhost}:~/${rdir}/
You can also add arguments like -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null to not force remote host key verification. !Caution – that opens up man in the middle attacks and is general bad practice!
Method 5
This seems to be an evergreen topic. Therefore I would like to propose the solution which worked best for me on an Ubuntu 20.04 machine.
My goal was to create a backup on a 1blu cloud drive, which did not allow SSH key login.
-
First, I created the file
~/.rsync_passand wrote the password of the SSH user into it. -
Then I used the
sshpasscommand with parameter-fto read the password from this file and to pass it to rsync.
sshpass -f ~/.rsync_pass rsync -av /var/www/folder/ <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="275254425567425f464a574b420944484a">[email protected]</a>:/backup
Method 6
For rsyncd protocol, use process substitution for the option --password-file=FILE
rsync --password-file=<(echo "1233456") [email protected]::abc /def
Method 7
I wrote my script inspired by the comments in this post, so I’ll post it here as another source of inspiration. My requirements were, no rsyncd on remote, password login, no exposure of password in history or command line. That’s actually not very difficult:
#!/bin/bash HOST=mymachine.mydomain.com USER=fms LOCAL=/home/fms/Progetti/MyProject/src read -s -p "Password for <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="66423335233426">[email protected]</a>$HOST: " SSHPASS echo sshpass -e rsync -i -r --checksum --delete --chown=nginx:nginx -e "ssh -o PreferredAuthentications=password" $LOCAL/lavori_senato <a href="https://getridbug.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="4e6a1b1d0b1c0e">[email protected]</a>$HOST:/var/www/drupal/test/web/modules/custom
I needed to alter the default configuration of my ssh so that it wouldn’t try public-key first. The echo after read is just a touch of formatting, since using -s even the end of line is not printed, and the output of rsync overlapped with the password prompt.
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0