Location: Asia Pacific, Cyberspace, in the Dark Dystopia
Posts: 19,118
Thanks Given: 2,351
Thanked 3,359 Times in 1,878 Posts
Setting Up Google 2F Authentication for Automated (Crontab) rsync
Dear All,
I have Google Two Factor (2F) Authentication enabled for sshd on most of my Linux servers. This works well and I highly recommend it.
My question is:
Has anyone set this up for rsync which runs in a crontab?
For example, supposed we have this simple crontab script:
This works fine, of course, when syncing some backup files across the net without 2FA; but I want to do the same thing using Google Authenticator for 2FA.
A non-interactive password/passphrase/key authentication requires full trust of the involved tools.
Openssl/Openssh? Okay, can be trusted. But Google? And do you trust the 2nd factor device?
This User Gave Thanks to MadeInGermany For This Post:
Location: Asia Pacific, Cyberspace, in the Dark Dystopia
Posts: 19,118
Thanks Given: 2,351
Thanked 3,359 Times in 1,878 Posts
Quote:
Originally Posted by MadeInGermany
A non-interactive password/passphrase/key authentication requires full trust of the involved tools.
Openssl/Openssh? Okay, can be trusted. But Google? And do you trust the 2nd factor device?
Hi MIG,
I use the same Google Authentication PAM module which most everyone else uses (on Linux) , and I'm OK with it.
This is a well established PAM lib enabled by adding the following to the end of the /etc/pam.d/sshd file
and then we simply modify the /etc/ssh/sshd_config file as follows:
and then we restart sshd:
and run:
in the user account which sets everything up for the user and we add the details to the Google Authenticator app.
This is well established and well documented on the net.
I was going to use Symantec VIP Access but those libs are not freely available for the server side.
I'm not worried about the integrity of this method.
I am only concerned about how to pass the 2FA token in a cron file for rsync and so I asked if anyone had done the same, as I could not find anyone (on the net) who has passed the 2FA token and the password using rsync in cron.
It's not a big deal, as I can set up a user for only rsync and use pam_succeed_if.so to permit that user account to bypass 2FA, but I was looking for a solution to pass the 2FA token instead of bypassing for a single user on the server as we do with sshpass in this example:
But so far, I cannot find a solution by someone else who has done with this rsync and libpam-google-authentication.
I'm OK with having a special, restricted userid which bypasses 2FA; but I would prefer not to do this and send the 2FA token along with the username and password in the rsync cron script. That's way I asked "has anyone else done this" and posted the rsync example.
Location: Asia Pacific, Cyberspace, in the Dark Dystopia
Posts: 19,118
Thanks Given: 2,351
Thanked 3,359 Times in 1,878 Posts
Update:
I think I have a potential "better" solution than sending the 2FA token with rsync.
What I did was I created a bypass for the rsync user process in /etc/pam.d/sshd as above (earlier post) and then added 2FA to /etc/pam.d/sudo as follows:
So, now even if the rsync user account is compromised, 2FA authentication is required to sudo for all users.
However, the good and bad news is that this also means that 2FA is required for all sudo processes, so I might have to carefully implement this solution since other automated Linux processes rely on sudo (I think, need to confirm) and will need to configure 2FA for those situations.
Location: Asia Pacific, Cyberspace, in the Dark Dystopia
Posts: 19,118
Thanks Given: 2,351
Thanked 3,359 Times in 1,878 Posts
OK... for final (now testing) implementation I just looked in /etc/sudoers and added all the required 2FA bypass like this in /etc/pam.d/sudo , for example:
Seems to work fine after (admittedly short) testing and with the debug option, can check system logging as well.
Dear all,
I noticed in syslog that i receive authentication failure from cron:
Mar 11 23:19:01 s1 CRON28789]: Authentication failure
Mar 11 23:19:01 s1 cron: Authentication failure
Mar 11 23:19:01 s1 cron: Authentication failure
Mar 11 23:19:01 s1 CRON: Authentication failure
Mar 11... (3 Replies)
Hi All,
Can anyone tell me how to schedule the dbshell.sh script to run on sunday.
I have scheduled as 1 19 7 * * /home/svr/dbshell.sh. kindly confirm confirm whether coded "7" or it should set to '0'.
unix:$ crontab -l
0 19 6 * * /home/svr/dbemail.sh
1 19 7 * * /home/svr/dbshell.sh (2 Replies)
Hey guys!
So I decided to set up some basic user authentication on my apache2 server, and I am running into some problems. I followed the documentation provided by apache on their website, but I cant create the password file for some reason. I did a little trouble shooting myself, and found... (40 Replies)
Hi Team,
Please help me to set one script in crontab.
I have one script and inside script, its creating one log file for saving ouptut of script. i have to out that script in crontab. When i put the script in cronatab, it executed and log file created but no data in log.
like this i put in... (3 Replies)
hi All,
i have implemented Rsync in my source and destination server. while running through command prompt it is working fine:
ksh rsync_bravo_db.ksh usa0300uz1252.apps.mc.xerox.com /uv1402/u207/home/bravodba/bin/rsync-3.0.9/config/mrsx_rsync.cfg
but later on i created a another ksh and... (4 Replies)
I need to "sync" a directory from a prod server to a test server. Rsync is working but it prompts for a password and I'd like to automate the process. The directory on the prod/source server is owned by root, and some subdirectories are only readable by root. On the test/destination servers, I can... (1 Reply)
Hi All,
I have created crontab using following steps-
1) crontab -e
(edited the file with) 0 10 * * 1-5 /home/user01/exercise/cron.sh
2) then saved this file with :wq
3) cron.sh contains the code-
#!/bin/bash
DAY=`date +%a`
mkdir abc_${DAY}
4) done the execut permision... (3 Replies)
OK I have been working on this simple action for a while and I cannot get it to work.
First off im new to the linux command line world. I feel like I am missing something simple.
What I am trying to achieve is that I want this command:
tcpdump -s2000 -w'flowroute-%H%M.pcap' -G900 -W36 &to... (13 Replies)