How to avoid password prompt with rsync (and without using public keys)?

Question

I need to execute rsync, without it prompting me for password.

I've seen in rsync manpage that it doesn't allow specifying the password as command line argument.
But I noticed that it allows specifying the password via the variable RSYNC_PASSWORD.

So I've tried exporting the variable, but rsync keeps asking me for password.

export RSYNC_PASSWORD="abcdef"
rsync root@1.2.3.4:/abc /def

What am I doing wrong?

Please consider:

I understand that this is a bad idea from security aspect
I must use only rsync, can't use other software
I can't use key-based authentication
I've already read many SE question, e.g.:
how-to-pass-password-for-rsync-ssh-command @ stackoverflow.com
rsync-cron-job-with-a-password @ superuser.com
how-to-setup-rsync-without-password-with-ssh-on-unix-linux @ superuser.com

In other words, I need to have the RSYNC_PASSWORD approach working! :-)

Not always an option, but one can use the mirror option with lftp to do this over SFTP. See here — Sean Breckenridge, Jun 29 '20 at 04:51

Graeme · Answer 1 · 2018-07-14T21:14:34.693

115

If the rsync daemon isn't running on the target machine, and you don't care about exposing passwords to everyone on the local machine (Why shouldn't someone use passwords in the command line?), you can use sshpass:

 sshpass -p "password" rsync root@1.2.3.4:/abc /def

Note the space at the start of the command, in the bash shell this will stop the command (and the password) from being stored in the history. I don't recommend using the RSYNC_PASSWORD variable unless absolutely necessary (as per a previous edit to this answer), I recommend suppressing history storage or at least clearing history after. In addition, you can use tput reset to clear your terminal history.

edited Jul 14 '18 at 21:14

answered Jan 29 '14 at 20:23

Graeme

34,027

3

Why would you suggest adding password clear text on a command, that's bad linux admin 101. – Eddie Mar 22 '15 at 12:34
Super handy.. been searching for an approach to this for a while. Thank you. – Isaac Gregson Feb 26 '16 at 18:55
7

While this is bad to add the password as clear text, this is currently the only reasonably simple way to this. – Weston Ganger Jun 24 '16 at 16:34
28

you can always do something like this: sshpass -p $(cat passFile) .. to hide clear pass in bash history,, and chmod 400 on passFile to secure it – Kresimir Pendic Jan 02 '17 at 16:27
Best answer right here. Achieves what one should be able to achieve with only rsync. – etech Jan 06 '17 at 14:54
6

I know that this is old, but for the sake of newer readers, please quote the password — passwords can contain special characters and spaces. -p "$RSYNC_PASSWORD" – Paddy Landau Jul 14 '18 at 15:54
@PaddyLandau, I edited the answer. I don't actually recommend using the RSYNC_PASSWORD variable. But if it is used then, yes I agree it should be quoted. – Graeme Jul 14 '18 at 21:06
One might also consider sshpass -f passFile, it interprets first line of the file as password – zawuza Apr 02 '21 at 10:44
Not a big deal if the target account has minimal access restriction just to a folder of backups – Hayden Thring Sep 27 '21 at 10:28
A better way to solve the problem stated in OP, than the (also good) direct answer provided earlier. – BobHy Jun 08 '22 at 18:17

score 24 · Accepted Answer · edited May 01 '22 at 15:44

This password environment variable appears only to be used when using the rsync protocol:

rsync rsync://username@1.2.3.4:/abc /def

For this to work, you need to run rsync as a daemon as well (--daemon option), which is often done using inetd.conf.

When using this protocol, abc should correspond to a target defined in /etc/rsyncd.conf. The user name should be present in a auth users line for this target, and a password file should be specified with the secrets file option.

It is this secrets file that contains mappings between user names and passwords in the following format:

username:password

And it is this password that you can specify using the RSYNC_PASSWORD environment variable.

a quicky way to run an rsync server is with https://s3.amazonaws.com/skaperen/rsend — Skaperen, Mar 22 '15 at 13:54

score 21 · Answer 3 · edited May 01 '22 at 15:46

21

Very useful for scripting is to use --password-file command line option.

Create empty file called rsync_pass
write in password to this file (nothing more)
chmod 600 rsync_pass
rsync $args --password-file=rsync_pass user@rsynchost::/share localdirectory

This can be used for scripting and allows to be more secure that just exporting password to system variable.

edited May 01 '22 at 15:46

Cristian Ciupitu

2,510

answered Feb 22 '15 at 13:22

Arunas Bart

811
6
13

13

Note to reader: this also requires an rsync daemon running on the server. I really was hoping that ssh keys would be sufficient for passwordless rsync. – Sridhar Sarnobat Nov 02 '15 at 07:01
1

IMHO this is the only correct way to do it if one doesn't want to use ssh. – diestl May 08 '16 at 09:51
You can use SSH keys. I have done this on my systems. You put the authorized key in the .ssh folder on the side you are trying to ssh to. In my case it is /root/.ssh/authorized_keys and on the side running the rsync command use the -e parameter to specify the ssh settings. In my case it is -e "ssh -i /path/to/ssh-key" for example. – Glenn J. Schworak Dec 26 '19 at 22:37
1

The main point was using rsyncd directly, thus ssh key doesn't play a role. It was stated in question 'without using public key authentication' – Arunas Bart Dec 28 '19 at 20:19

score 18 · Answer 4 · edited Apr 10 '19 at 01:50

18

You can use standard ssh identities to do passwordless login. This is handled by default if you have a ~/.ssh/id_rsa or the like, but you can also hardcode your own path to the private key of an authorized keypair.

This allows batching/scripting without exposing passwords, and the public key can be remove from the target server if the private key is ever compromised.

rsync -e"ssh -i /path/to/privateKey" -avR $sourcedir ${ruser}@${rhost}:~/${rdir}/

You can also add arguments like -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null to not force remote host key verification. !Caution - that opens up man in the middle attacks and is general bad practice!

edited Apr 10 '19 at 01:50

muru

72,889

answered Dec 23 '14 at 20:04

Eddie

300
2
7

1

This is especially useful if you're using the new Bash shell for Windows 10. I was wondering why rsync wasn't working passwordlessly. I realized it was using the ~/.ssh folder inside the shell (where rsync lives). Once I used -e to point to the key inside /mnt/c/Users/MyUsername/.ssh, it worked as expected. (Thanks. :D) – Toby Deshane Oct 25 '16 at 14:06
1

While helpful in general for promptless access, the original question explicitly asked about not using key-based auth. – ND Geek Jul 21 '20 at 21:04

score 6 · Answer 5 · answered Oct 08 '21 at 16:10

6

This seems to be an evergreen topic. Therefore I would like to propose the solution which worked best for me on an Ubuntu 20.04 machine.

My goal was to create a backup on a 1blu cloud drive, which did not allow SSH key login.

First, I created the file ~/.rsync_pass and wrote the password of the SSH user into it.
Then I used the sshpass command with parameter -f to read the password from this file and to pass it to rsync.

sshpass -f ~/.rsync_pass rsync -av /var/www/folder/ user@example.com:/backup

answered Oct 08 '21 at 16:10

Marco

61

1

Thanks. Exactly the answer I looked for. I wished to retrieve backups from VM containing Sangoma FreePBX and Asterisk. But that VM is running using limited resources, thus it was not very wise to keep rsyncD running. Using sshpass and the credentials file does the job as intended. – Troublemaker-DV Sep 05 '22 at 02:03

score 1 · Answer 6 · edited Dec 30 '20 at 11:20

1

For rsyncd protocol, use process substitution for the option --password-file=FILE

rsync --password-file=<(echo "1233456") root@1.2.3.4::abc /def

edited Dec 30 '20 at 11:20

Archemar

31,554

answered Dec 30 '20 at 07:32

user3435576

11

Hm, idk if I'm doing something wrong, but I couldn't get that to work. Path '1233456' does not exist. I'm assuming the string is intended to be the password anyway. – leetNightshade Dec 22 '23 at 01:13

score 0 · Answer 7 · answered Apr 01 '20 at 13:18

I wrote my script inspired by the comments in this post, so I'll post it here as another source of inspiration. My requirements were, no rsyncd on remote, password login, no exposure of password in history or command line. That's actually not very difficult:

#!/bin/bash

HOST=mymachine.mydomain.com
USER=fms
LOCAL=/home/fms/Progetti/MyProject/src

read -s -p "Password for $USER@$HOST: " SSHPASS
echo

sshpass -e rsync -i -r --checksum --delete --chown=nginx:nginx -e "ssh -o PreferredAuthentications=password" $LOCAL/lavori_senato $USER@$HOST:/var/www/drupal/test/web/modules/custom

I needed to alter the default configuration of my ssh so that it wouldn't try public-key first. The echo after read is just a touch of formatting, since using -s even the end of line is not printed, and the output of rsync overlapped with the password prompt.

score 0 · Answer 8 · answered Sep 27 '23 at 07:47

For me, it was as simple as ensuring that keys are added to the agent after first successful connection:

In my ~/.ssh/config, I have the following entry:

Host *
    AddKeysToAgent=yes

This ensures that for all hosts, the key is added to the agent after initial connect.

With this enabled, I no longer saw discrepancies between normal ssh and when rsync does its ssh

score 0 · Answer 9 · answered Oct 22 '23 at 01:48

The only safe and feasible solution that I found over time consists of:

Generate a new ssh key specifically for passwordless backups only. Do not use a passphrase with it;
Upload it to the server as your normal ssh user. Do not create another user for it, or upload it as www-data as www-data must not be able to login to the system;
Change that uploaded key in authorized_keys to run a bash script rather than provide the user with a terminal on ssh login. An example would be to replace
```
ssh-rsa AAAAB3Nza......k1y0=
```
with something like this
```
command="script.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3Nza......k1y0=
```
In script.sh, you would have something like this:
```
  if [[ "$SSH_ORIGINAL_COMMAND" == "rsync --server --sender -vlDtre.iLsfxCIvu /home/server/files ." ]] 
  then
       $SSH_ORIGINAL_COMMAND
  fi
```
where "rsync --server --sender -vlDtre.iLsfxCIvu /home/server/files ." is an ssh digest you get from your server when you try to unsuccessfully login with
```
rsync -av -e "ssh -i rsync_key" user@$7.7.7.7:/home/server/files /home/user
```
Upon this unsuccessful login, the value of the digest (i.e. its string value) will be recorded in $SSH_ORIGINAL_COMMAND;
Things to consider: if you are backing up any webroot files which the standard ssh user does not have access to without sudo, add that user to group www-data
Things to consider: www-data user will need to have maximally restrictive configuration. Ideally we would want something like this:
```
 www-data:x:33:33:www-data:/nonexistent:/usr/sbin/nologin
```
which is achievable by running
```
  sudo usermod -d /nonexistent $wwwuser -s /usr/sbin/nologin
```

Now you can ssh to the server to run a passwordless rsync backup

rsync -av -e "ssh -i rsync_key" user@$7.7.7.7:/home/server/files /home/user

How to avoid password prompt with rsync (and without using public keys)?

9 Answers9

Linked