Setting Up Google 2F Authentication for Automated (Crontab) rsync


# 1  

Dear All,

I have Google Two Factor (2F) Authentication enabled for sshd on most of my Linux servers. This works well and I highly recommend it.

My question is:

Has anyone set this up for rsync which runs in a crontab?

For example, suppose we have this simple crontab script:

Code:
/usr/bin/rsync -qpavzh --rsh="/usr/bin/sshpass -f '/var/local/.secure' ssh -o StrictHostKeyChecking=no -l user" user@myserver.com:/var/data/dumps/ /var/data/dumps/

This works fine, of course, when syncing some backup files across the net without 2FA; but I want to do the same thing using Google Authenticator for 2FA.

Has anyone set this up on any of their servers?

Thanks.
# 2  
A non-interactive password/passphrase/key authentication requires full trust of the involved tools.
Openssl/Openssh? Okay, can be trusted. But Google? And do you trust the 2nd factor device?
# 3  
Quote:
Originally Posted by MadeInGermany
A non-interactive password/passphrase/key authentication requires full trust of the involved tools.
Openssl/Openssh? Okay, can be trusted. But Google? And do you trust the 2nd factor device?
Hi MIG,

I use the same Google Authentication PAM module which most everyone else uses (on Linux), and I'm OK with it.

Code:
sudo apt install libpam-google-authenticator

This is a well established PAM lib enabled by adding the following to the end of the /etc/pam.d/sshd file

Code:
...
auth required pam_google_authenticator.so

and then we simply modify the /etc/ssh/sshd_config file as follows:

Code:
...
ChallengeResponseAuthentication yes
...

and then we restart sshd:

Code:
sudo systemctl restart sshd.service

and run:

Code:
google-authenticator

in the user account which sets everything up for the user and we add the details to the Google Authenticator app.

This is well established and well documented on the net.

I was going to use Symantec VIP Access but those libs are not freely available for the server side.

I'm not worried about the integrity of this method.

I am only concerned about how to pass the 2FA token in a cron file for rsync and so I asked if anyone had done the same, as I could not find anyone (on the net) who has passed the 2FA token and the password using rsync in cron.

It's not a big deal, as I can set up a user for only rsync and use pam_succeed_if.so to permit that user account to bypass 2FA, but I was looking for a solution to pass the 2FA token instead of bypassing for a single user on the server as we do with sshpass in this example:

Code:
/usr/bin/rsync -qpavzh --rsh="/usr/bin/sshpass -f '/var/local/.secure' ssh -o StrictHostKeyChecking=no -l user" user@myserver.com:/var/data/dumps/ /var/data/dumps/

But so far, I cannot find a solution by someone else who has done this with rsync and libpam-google-authenticator.

I'm OK with having a special, restricted userid which bypasses 2FA; but I would prefer not to do this and send the 2FA token along with the username and password in the rsync cron script. That's why I asked "has anyone else done this" and posted the rsync example.
# 4  
As a temporary measure I used this line before the auth required pam_google_authenticator.so line in /etc/pam.d/sshd

Code:
auth [success=done default=ignore] pam_succeed_if.so uid = 3333

This effectively permits the user with uid 3333 to bypass 2FA.

I will keep working / looking for / thinking about a different solution which does not bypass 2FA and instead passes the 2FA token for rsync.
# 5  
Update:

I think I have a potential "better" solution than sending the 2FA token with rsync.

What I did was I created a bypass for the rsync user process in /etc/pam.d/sshd as above (earlier post) and then added 2FA to /etc/pam.d/sudo as follows:

Code:
auth required pam_google_authenticator.so

So, now even if the rsync user account is compromised, 2FA authentication is required to sudo for all users.

However, the good and bad news is that this also means that 2FA is required for all sudo processes, so I might have to carefully implement this solution since other automated Linux processes rely on sudo (I think, need to confirm) and will need to configure 2FA for those situations.
# 6  
OK... for final (now testing) implementation I just looked in /etc/sudoers and added all the required 2FA bypass like this in /etc/pam.d/sudo, for example:

Code:
auth [success=done default=ignore] pam_succeed_if.so debug uid = 2222
auth [success=done default=ignore] pam_succeed_if.so debug user ingroup root admin sudo
auth required pam_google_authenticator.so

Seems to work fine after (admittedly short) testing and with the debug option, can check system logging as well.

Update: Testing has been very successful so far.
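
An added example, not code from the thread's posters: a small Python audit that lists which pam_succeed_if rules sit ahead of pam_google_authenticator.so in a PAM service file and therefore let an account skip the TOTP prompt. The sample input is the /etc/pam.d/sudo stack from post #6, embedded as a constructed string; the function name audit_2fa_bypasses is hypothetical.

```python
import re

# Constructed sample: the /etc/pam.d/sudo stack quoted in post #6 of the thread.
SAMPLE_STACK = """\
auth [success=done default=ignore] pam_succeed_if.so debug uid = 2222
auth [success=done default=ignore] pam_succeed_if.so debug user ingroup root admin sudo
auth required pam_google_authenticator.so
"""

# Option words pam_succeed_if accepts; everything else is part of a condition.
FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}
AUTH_LINE = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def audit_2fa_bypasses(stack_text):
    """Return (bypasses, warnings, totp_present) for one PAM service file."""
    bypasses, warnings, totp_present = [], [], False
    for lineno, raw in enumerate(stack_text.splitlines(), 1):
        m = AUTH_LINE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        control, module, args = m.group(1), m.group(2), m.group(3).split()
        if module.endswith("pam_google_authenticator.so"):
            totp_present = True
            break  # later rules cannot skip a module that already ran
        skips = control == "sufficient" or re.search(r"success=(done|\d+)", control)
        if not (skips and module.endswith("pam_succeed_if.so")):
            continue
        # Conditions are "field test value" triples; report each complete one.
        cond = [a for a in args if a not in FLAGS]
        whole = len(cond) - len(cond) % 3
        for i in range(0, whole, 3):
            bypasses.append((lineno, " ".join(cond[i:i + 3])))
        if cond[whole:]:
            warnings.append((lineno, "incomplete condition: " + " ".join(cond[whole:])))
    return bypasses, warnings, totp_present


if __name__ == "__main__":
    found, warns, totp = audit_2fa_bypasses(SAMPLE_STACK)
    print("TOTP module present:", totp)
    for lineno, cond in found:
        print(f"line {lineno}: 2FA skipped when {cond}")
    for lineno, msg in warns:
        print(f"line {lineno}: WARNING {msg}")
```

pam_succeed_if(8) describes each condition as a `field test value` triple, so the trailing `admin sudo` on the group line is reported for review rather than counted as two more groups.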