1

I'm trying to run an rsync between two servers. I'm basing things off of this post: How to rsync files between two remotes?

What I find missing is how to facilitate the rsync (via ssh) when a key (the same key) is required for logging into each server.

Here's the closest I've got:

ssh -i ~/path/to/pem/file.pem -R localhost:50000:SERVER2:22 ubuntu@SERVER1 'rsync -e "ssh -p 50000" -vur /home/ubuntu/test localhost:/home/ubuntu/test'

It seems like the initial connection works properly, however I can't seem to figure out how to specific the key and username for SERVER2.

Any thoughts?

Community
  • 1
onassar
  • 113
  • I guess you need specify the key in -e argument that is ... -e ''ssh -p 50000 -i ~/path/to/pem/file.pem" ... – Tagwint Mar 31 '16 at 15:39
  • I've tried that, but doing so attempts to reference the remote server, where the file naturally does not exist. – onassar Mar 31 '16 at 15:42
  • yes indeed. I could suggest using ssh agent + agent forwarding - the things would go automatically, if that's acceptable option. If usure on how to implement that, i can provide it as an answer – Tagwint Mar 31 '16 at 15:46
  • Sure give that a go and if it works, it works :) What's surprising is I've updated by .ssh/config file and tried specifying the IdentifyFile and User defaults for hosts, but that doesn't seem to work either. It's almost like the reverse-port forwarding doesn't adhere to the .ssh/config rules? Not sure. – onassar Mar 31 '16 at 15:49
  • just one more point to check - pem extension may mean the key file is not in appropriate format. Anyways it's a good idea to add -v option to ssh command. – Tagwint Mar 31 '16 at 15:58
  • The format of the pem is fine, since I can use it to connect directly. – onassar Mar 31 '16 at 16:26

2 Answers2

1

Three steps:

  1. Create a ~/.ssh/config on the SERVER1 with all you need to connect to the SERVER2, such as:

    Host SERVER2
  Port 50000
  User user2
  Hostname localhost
  IdentityFile ~/path/to/pem/file.pem

  2. Try to connect to SERVER2 hosts without any arguments (from SERVER1 after initiating port forwarding):

    ssh SERVER2 # works?

    If not, add -vvv and investigate what went wrong.

  3. Run the rsync command:

    ssh -i ~/path/to/pem/file.pem -R localhost:50000:SERVER2:22 ubuntu@SERVER1 \
  'rsync -vur /home/ubuntu/test SERVER2:/home/ubuntu/test'

Note, you need to have the authentication key available on the SERVER1, if you want to do it this way. It is better to create a new key there than copying your private key from your machine.

Jakuje
  • 21,357
1

I'd recommend using of ssh agent - that way you only need one key pair where your private part is kept on your workstation. No need to replicate it on other servers (which is bad idea as such) or create other key pairs for specific servers.

There are more that one way to start ssh agent, you can read more on it there. Here is the simplest one:

eval ($ssh-agent)

then you add your key(s) to the agent

ssh-add /path/to/private.key

This asks you for pass phrase if your key is protected. Once added you can connect to the servers having the public part without prompting.

What is more, you can continue ssh'ing from that server to another and the agent will carry your authentication further as long as AllowAgentForwarding option of ssh servers on your way is set to yes, which is mostly default setting.

Well, that was a preface :)

Now back to your case. Unless port forwarding is prohibited by server config, the approach is following:

  1. Check you can connect to SERVER2 using agent -

ssh ubuntu@SERVER1 'echo Hi from $(hostname)'

  1. Check your agent forwarding works from SERVER1 to SERVER2

ssh -t ubuntu@SERVER1 ssh SERVER2 'Hi from $(hostname)'

  1. Start a connection with port forwarding only

ssh -R localhost:50000:SERVER2:22 -Nv

and leave this terminal window open so far.

  1. In a new terminal window, log on to SERVER1 and from there check the port is forwarded as requested:

[SERVER1]ssh -p 50000 localhost 'echo Hi from $(hostname)'

you should see Hi from SERVER2

If all 4 steps above work for you, then you'll be able to perform your rsync command - just omit -i part

Tagwint
  • 2,480
  • Could you go into a bit more detail? So far, I've run ssh-add /path/to/pem/file.pem and had it added successfully. I've also updated my .ssh/config file to include the IdentifyFile, HostName and User for each Host I'm connecting to. But then when I run ssh -t SERVER1 ssh SERVER2 'echo Hi from ($hostname)' I get a permission denied? – onassar Mar 31 '16 at 17:28
  • OK, let's try this: ssh -t -A SERVER1 ssh SERVER2. -A switch explicitly sets agent forwarding on – Tagwint Mar 31 '16 at 17:38
  • In case -A does the trick, you can alternatively set ForwardAgent=yes in for either all hosts *, or specific host in your ~/.ssh/config. I'll extend my answer later, if that proves to be the issue. – Tagwint Mar 31 '16 at 17:54
  • You were right. The forwarding wasn't on. I've found the following works perfectly for what I'm trying to accomplish: http://pastebin.com/zhrf20pU (annoyed with the fact I can't paste code properly in a comment). I'm being explicit here so that I don't need to have a config file (for me, I prefer to be verbose in the commands so I know what's going on). My follow-up questions are: (1) Is there anyway to not have to call ssh-add? I'd prefer to not have to. (2) Is there anyway I can perform the following without having to open up a new terminal window? I'd like to bake this into a build-script – onassar Mar 31 '16 at 17:56
  • (1) there is. Gnome keyring or similar thing can hold it for you once you log on in your graphical session. Complete description would go over the scope of the question. But even ssh-add is one-time action, you dont have to do it each time. (2) Step 3 was only for check purpose. you dont need it for your rsync command, so no need in extra window when all is set correctly. – Tagwint Mar 31 '16 at 18:03
  • Great thanks @Tagwint. This perfectly addresses things for me. I can automate this into a build script now. – onassar Mar 31 '16 at 18:08