Try this solution. In your sudoers file (/etc/sudoers) set up your user like this:
username ALL= NOPASSWD:/usr/bin/rsync
sudo that when your user runs /usr/bin/rsync or just rsync that no password is needed.
Then your original --rsync-path="sudo rsync" should work.
This is the solution I came up with:
rsync -R -avz -e ssh --rsync-path="echo mypassword | sudo -S mkdir -p /remote/lovely/folder && sudo rsync" /home/ubuntu/my/lovely/folder [email protected]:/remote/lovely/folder --delete
Bit of a mission!
The solution on this blog worked really well for me: http://www.pplux.com/2009/02/07/rsync-root-and-sudo/.
stty -echo; ssh [email protected]_SERVER "sudo -v"; stty echo
rsync -avze ssh --rsync-path="sudo rsync" [email protected]_SERVER:/REMOTE_PATH/ LOCAL_PATH
The first line allows for interactive password entry, without showing the password on the screen. Works great for me on Ubuntu 9.04.
I’m amazed by the complexity of the existing answers! It’s far easier and convenient to configure your systems (your PC and the remote host) so that you can connect as root to the remote host without using a password. And although it sounds scary it is quite secure.
- On the remote host make sure that /etc/ssh/sshd_config has this line “PermitRootLogin without-password” (in many distributions it’s there by default). This allows root to get an ssh shell using any authentication method except the insecure password prompt.
- (If you don’t already know how) follow any of the many tutorials on how to obtain passwordless login via ssh
- Use rsync as you would normally do and without any password prompts.
Just don’t forget that as long as the line in /root/.ssh/authorized_keys of the remote host is there that machine accepts root commands from your PC.
You need a method to supply the password to
askpass program is designed to ask for passwords when the normal mechanisms aren’t available. Setting up sudo to not require a password to run rsync as your userid is one option.
I normally configure key based login with appropriate restrictions for cases like this. If you configure a restricted key that can only run rsync as root then this kind of thing gets easier to do. Another alternative is to use an rsyncd process to handle the remote requests. The configuration provides a variety of restrictions that can be applied.
EDIT: I included a script to set up keys for key based logins in the Creating Userids on Clients section of my post on Setting up BackupPC on Linux. See also the documentation for ssh_config which details some of the things you can do with restricting key usage as shown in the script.
on remote machine
sudo apt install ssh-askpass
which ssh-askpass
then on local machine
rsync -av -e 'ssh -X' --rsync-path="SUDO_ASKPASS=/usr/libexec/openssh/ssh-askpass sudo -A rsync" /some/local/path [email protected]:/some/remote/path
substitute path to ssh-askpass with actual path on remote machine
Here is what worked for me, considering that I want to keep password authentication (so I don’t want to use NOPASSWD or keys) – on Ubuntu 14.04:
- “Open up” sudo on remote machine by disabling tty_tickets through a temporary file in /etc/sudoers.d/ (which should be supported on Debian, see /etc/sudoers.d/README), and “Update the user’s cached credentials”, which “extends the sudo timeout for another 15 minutes”
- Run the sudo as shown in other answers
- “Close down” sudo on remote machine by removing the temporary file in /etc/sudoers.d/, which re-enables
… or, with command lines:
ssh -t $REMOTEPC 'echo "Defaults !tty_tickets" | sudo tee /etc/sudoers.d/temp; sudo -v'
rsync -aP -e 'ssh' '--rsync-path=sudo rsync' /etc/pulse/client.conf $REMOTEPC:/etc/pulse/client-copy.conf
ssh -t $REMOTEPC 'sudo rm -v /etc/sudoers.d/temp; sudo -v'
These are the responses I get when running these commands on the local machine:
$ ssh -t $REMOTEPC 'echo "Defaults !tty_tickets" | sudo tee /etc/sudoers.d/temp; sudo -v'
[email protected]$REMOTEPC's password:
[sudo] password for remoteuser:
Defaults !tty_tickets
Connection to $REMOTEPC closed.
$ rsync -aP -e 'ssh' '--rsync-path=sudo rsync' /etc/pulse/client.conf $REMOTEPC:/etc/pulse/client-copy.conf
[email protected]$REMOTEPC's password:
sending incremental file list
client.conf
1269 100% 0.00kB/s 0:00:00 (xfr#1, to-chk=0/1)
$ ssh -t $REMOTEPC 'sudo rm -v /etc/sudoers.d/temp; sudo -v'
[email protected]$REMOTEPC's password:
removed ‘/etc/sudoers.d/temp’
[sudo] password for remoteuser:
Connection to $REMOTEPC closed.
sudo -v should be run after each time files in /etc/sudoers.d/, so the changes therein are accepted.
Another method is to get around the permissions restrictions by initiating rsync on the remote machine. Instead of:
rsync /home/ubuntu/my/lovely/folder [email protected]:/remote/lovely/folder
You can do:
ssh [email protected] 'rsync [email protected]:/home/ubuntu/my/lovely/folder /remote/lovely/folder'
y.y.y.y is your local machine’s IP address. This only works if your local machine can act as an SSH server.
My workaround is to add
--rsync-path="echo PASSWORD | sudo -Sv && sudo rsync"
rsync -avz -e ssh /home/ubuntu/my/lovely/folder [email protected]:/remote/lovely/folder --delete --rsync-path="echo <PASSWORD> | sudo -Sv && sudo rsync"
It usually isn’t a good idea to put passwords into a command line one-liner; they become visible in the process tree, for example. I sometimes replace the actual password in this type of statement with $( cat my_password.txt ) which is slightly better
rsync -avz -e ssh /home/ubuntu/my/lovely/folder [email protected]:/remote/lovely/folder --delete --rsync-path="cat my_password.txt | sudo -Sv && sudo rsync"
Run as cronjob in the background
Ok, so you have a few options here.
The ones above are pretty good when it comes to rsync as a normal user with sudo permissions on (both) other side(s).
I had this same problem, the only difference was that I wanted to run this as a cronjob at night.
I work with ssh-keys (this makes it possible to login to a remote host without password authentication while still being very secure!!)
- Create a ssh-key on your source computer (server) with the following command:
You will be prompted a few options, just press enter every time (do not (enter) set a password!!).
This command creates 2 different keys.
1. An id_rsa_pub key: this key needs to be copied to the remote (destination server) host.
2. An id_rsa: this is a private key and you do not want to mess with this key. Make sure no one can see this key (read permissions). Only you should have the right to see this key.
- The moment you have generated the keys, it is time to copy the id_rsa_pub key to the remote computer (server). You can do this with the following command:
ssh-copy-id [email protected]
You will be prompted to fill in your password for default ssh access. Just enter your password and the ssh-copy-id command will do the rest for you.
Time to test
- Now, ssh into the remote server (the destination you used with the ssh-copy-id command).
You can consider the test successful if you do not get to see a prompt to enter a password.
Now you can do rsync commands to a remote host without having to fill in a password all the time! Also you can autocomplete on the destination host from within your source host. That is pretty neat if you ask me (example: ssh 192.168.1.100: press the tab button two times to autocomplete the rest of the command. Note that the IP address 192.168.1.100 is the IP address of the destination server).
Now you can do a rsync command from a cronjob with a normal “sudo” user (no need for root access on both servers for ssh for using user root).
Just do the same as described above, but add one option:
sudo rsync --rsync-path="sudo rsync" -az --delete -e "ssh -p 1022 -l buser -i /home/buser/.ssh/id_rsa" /path/to/rsync [email protected]:
Note that buser (BackupUSER) is my user who uses the ssh-key to log in through ssh without being prompted for a password. Change buser to your username who uses the ssh-key login method.
Note the last character in the command ends with a “:”
This means that you are copying files to the home folder of the remote user. If you want to deviate to another location outside your home directory, you can achieve this by adding the absolute path after the “:” For example:
sudo rsync --rsync-path="sudo rsync" -az --delete -e "ssh -p 1022 -l buser -i /home/buser/.ssh/id_rsa" /path/to/rsync [email protected]:/srv/backup_folder
Explaining the option “ssh -p 1022 -l username -i /home/username/.ssh/id_rsa”
ssh -p 1022: ssh uses the default port 22. I deviate from the default port because my ssh-server listens to port 1022.
-l username: the user defined who can log in to the remote host with the ssh-key authentication method. In my case, this is the user BUSER.
-i (stands for Identity): uses the private key which we created with the ssh-keygen command. It points to where this key is stored. The default location is in the user's home folder in a hidden directory called ssh (/home/username/.ssh/id_rsa).
I hope this will help other users to automate their backup through cron in a secure manner.
From the source machine (server), make sure you execute your command (script) as the ROOT user (if you make a cronjob, you have to make sure that you are the user root (#) when creating the cronjob)
Make sure the user on the destination server has sudo rights.
Make sure you have done the visudo as Keith describes in his answer!
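The "restricted key that can only run rsync as root" suggested in an earlier answer also fits the passphrase-less cron key described above. As an added example (not code from any of the answers), here is a forced-command wrapper for authorized_keys; the wrapper path /usr/local/bin/rsync-only, the list of permitted long options, and the use of buser and /srv/backup_folder as fixed values are assumptions:

```shell
#!/bin/sh
# Added example, not from the answers: forced-command wrapper for a push-only backup key.
# Assumed install path: /usr/local/bin/rsync-only. On the destination host:
#   ~buser/.ssh/authorized_keys:  restrict,command="/usr/local/bin/rsync-only" ssh-ed25519 <PUBLIC-KEY-PLACEHOLDER> buser@source
#   sudoers (as in the first answer):  buser ALL= NOPASSWD:/usr/bin/rsync
ALLOWED_DEST=/srv/backup_folder   # the page's example destination

# check_rsync_cmd CMD: succeed only for "[sudo] rsync --server ... . DEST" (receiver side).
check_rsync_cmd() {
    # Allow-list characters: rejects quotes, globs, ; | & $ backticks and newlines.
    case $1 in
        ''|*[!A-Za-z0-9\ ._/=-]*) return 1 ;;
    esac
    set -f; set -- $1; set +f          # word-split only; nothing is ever eval'ed
    [ "$1" = sudo ] && shift           # client may send --rsync-path="sudo rsync"
    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    shift 2
    positional=
    for arg in "$@"; do
        case $arg in
            --sender) return 1 ;;                  # would turn the key into a root file reader
            --delete|--partial|--numeric-ids) ;;   # long options this job is assumed to need
            --*) return 1 ;;                       # everything else, e.g. --log-file=PATH
            -*[!A-Za-z0-9.]*) return 1 ;;          # short-option cluster may not carry a path
            -*) ;;
            *) positional="$positional $arg" ;;
        esac
    done
    set -f; set -- $positional; set +f
    [ $# -eq 2 ] && [ "$1" = . ] || return 1       # server args end with ". DEST"
    case $2 in */../*|*/..) return 1 ;; esac       # no climbing out of the tree
    case $2 in "$ALLOWED_DEST"|"$ALLOWED_DEST"/*) return 0 ;; esac
    return 1
}

# Entry point: sshd exports the command the client asked for in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; set +f
        [ "$1" = sudo ] && shift
        shift                          # drop "rsync"; the fixed binary below runs instead
        exec sudo -n /usr/bin/rsync "$@"
    fi
    logger -p auth.warning -t rsync-only "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

With the key bound to this wrapper, the client's --rsync-path value no longer decides what runs as root on the destination. The rrsync script distributed with rsync is a maintained tool for the same job.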