SFTP fails from crontab but works from terminal

Lord_Spectre · August 16, 2012, 1:08pm

Dear community,
I'm driving crazy with a strange issue.

I have a simple script to transfer a file to a remote system:

#!/bin/bash
echo "put /tmp/server.log" > /tmp/server1_transfer.sftp
sftp -b /tmp/server1_transfer.sftp user@10.99.1.2:

Between client and server there is a SSH KEY, so if I run the script from root terminal, the file is correctly transferred.

Now, I edit the root crontab to automatically execute this script, but the trasfer fails!! :wall:

Seems the SSH KEY doesn't work from root cron, because every time the script runs, the system send me the following mail:

Date: Thu, 16 Aug 2012 18:57:01 +0200
Message-Id: <201208161657.q7GGv1qv022647@xyz>
From: root@xyz (Cron Daemon)
To: root@xyz
Subject: Cron <root@xyz1> /tmp/test.sh
Content-Type: text/plain; charset=ANSI_X3.4-1968
Auto-Submitted: auto-generated

Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey).

Please, could someone explain me why from terminal works and from crontab doesn't work?

Many thanks
Lucas

Corona688 · August 16, 2012, 1:12pm

Make sure it's using the correct key. Point it to it with -i if necessary.

Skrynesaver · August 16, 2012, 1:13pm

The copy command fails because cron is not a regular shell. I'm on my phone but the SCP/SSH man pages explain how to provide a config directory/key file option to the command

Lord_Spectre · August 16, 2012, 1:17pm

Thanks both for tips, but I believe I cannot provide to SFTP the SSHKEY path. This is what I seen on the SFTP manual.

     sftp [-1Cv] [-B buffer_size] [-b batchfile] [-F ssh_config] [-o ssh_option] [-P sftp_server_path]
          [-R num_requests] [-S program] [-s subsystem | sftp_server] host
     sftp [[user@]host[:file [file]]]
     sftp [[user@]host[:dir[/]]]
     sftp -b batchfile [user@]host

Corona688 · August 16, 2012, 1:25pm

What's your system?

Lord_Spectre · August 16, 2012, 1:28pm

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.7 (Tikanga)

Corona688 · August 16, 2012, 1:31pm

You have openssh then, which supports -i. See man sftp.

Lord_Spectre · August 16, 2012, 1:37pm

Nope

sftp -b /tmp/server1_transfer.sftp -i /root/.ssh/authorized_keys user@10.99.1.2:

X-Cron-Env: <USER=root>
sftp: illegal option -- i
usage: sftp [-1Cv] [-B buffer_size] [-b batchfile] [-F ssh_config]
            [-o ssh_option] [-P sftp_server_path] [-R num_requests]
            [-S program] [-s subsystem | sftp_server] host
       sftp [[user@]host[:file [file]]]
       sftp [[user@]host[:dir[/]]]
       sftp -b batchfile [user@]host

methyl · August 16, 2012, 1:52pm

Note the current working directory when the script is run manually.
Try making the first line of your script a cd to that directory.

Lord_Spectre · August 16, 2012, 2:18pm

Same result:
Permission denied (publickey,password).
Couldn't read packet: Connection reset by peer

---------- Post updated at 01:18 PM ---------- Previous update was at 12:57 PM ----------

Well, I can use succesfully the REXEC command from crontab, providing USERNAME and PASSWORD.

Now I need to tranfer the file, I tried some methods:
SFTP: Doesn't work from crontab
SCP (OpenSSH): Doesn't work since the destination server is HP OpenVMS and for some reason it can't accept the SCP protocol
Simple FTP: Does't work, since I receive the following error message

Connected to 10.99.1.2.
220 FTP Server (Version 5.6) Ready.
502 AUTH is unimplemented.
502 AUTH is unimplemented.
KERBEROS_V4 rejected as an authentication type

At this point, Is there any other way to copy this file to remote OpenVMS server?

binlib · August 16, 2012, 9:41pm

sftp accept ssh options through the -o option:

sftp -o IdentityFile=$HOME/.ssh/id_rsa

Does your key have a pass phrase? Maybe you are running ssh-agent. Your interactive shell has the env SSH_AUTH_SOCK set, but not for the cron job.

spacebar · August 16, 2012, 11:27pm

ftp -vu host # The 'u' disables auto-authentication
passive # I believe vms requires passive mode
Then try the 'user' command

Lord_Spectre · August 17, 2012, 7:08am

Well, thanks all for hints,
I resolved the issue using NCFTP (ncftp(1) manual page)

It also allow me to setup a timeout when one of the destination server is down (i.e. for maintenance). This avoid the script hangs awaiting for long timeout:

/usr/local/bin/ncftpput -t $ftp_timeout -r 1 -u $username -p $password $server1 / /tmp/server.log 2> /dev/null

-t = Timeout in seconds
-r = The retry attempts

Corona688 · August 18, 2012, 12:58pm

You do realize this makes your password visible in plaintext to the entire system for the entire duration of the connection, yes!?

Lord_Spectre · August 18, 2012, 1:40pm

Yes I already realized that, indeed I created a special limited account for this operation (transfer and remote command execute),

I just tried a lot of combination between Linux and OpenVMS, but OpenVMS is the worst OS I ever seen, and I always failed!

Corona688 · August 18, 2012, 9:50pm

Putting it in a limited account doesn't change who can see the password... It's visible to anyone on the system, limited or not, via ps.