1

I have a bash script, /home/localuser/backup-script.sh, with this snippet inside of it:

rsync -avzh \
  -e "ssh -i /home/localuser/.ssh/id_ed25519" \
  /home/localuser/backups/file-to-backup.gz \
  [email protected]:/home/remoteuser/backups

If I run it directly from shell, everything works like a charm, while if I run it through a systemd service I configured, I get the error [email protected]: Permission denied (publickey,password).

This is the service (/etc/systemd/system/backup.service) I configured:

[Unit]
Description=Trigger script to perform backup

[Service]
Type=oneshot
User=localuser
ExecStart=/bin/bash /home/localuser/backup-script.sh

[Install]
WantedBy=multi-user.target

And I usually run it via a timer, but I also get the same error if I start it directly via sudo systemctl start backup.service

The ssh service is correctly setup, as confirmed by the success I have running the script directly, or also by launching ssh [email protected].

I cannot figure out what is going on... any clue?

Additional info: I get same error replacing rsync with scp

Edit:

Following the Stewart's comment I tried to directly launch the script by running this command env -i /bin/bash --norc --noprofile backup-script.sh and in this case I'm prompted for the ssh key passphrase, so the problem is exactly what Stewart's comments are pointing to.

To work-around the problem with a simple solution (so avoiding to add ssh-agent as service, automatic keys loading, and automatic passphrase entering on boot), I changed the rsync command in my script, replacing the second line (-e ...) with this one: --rsh="/usr/bin/sshpass -p remoteuser_pwd ssh -o StrictHostKeyChecking=no -l remoteuser":

The result is similar: if I launch it directly, it works fine. If I launch it via the service it doesn't work: but this time with no errors, it simply hangs. And if I launch it by env -i /bin/bash --norc --noprofile backup-script.sh it hangs too, in the same way.

Changing the backup.service by adding --login in this way ExecStart=/bin/bash --login /home/localuser/backup-script.sh won't solve the issue.

Improve this question
8
  • Do you always use the username remoteuser and the private key ~/.ssh/id_ed25519 with that host? If so, you can simplify your rsync command by creating a ~/.ssh/config file with a clause associating the username and private key file with that host.
    – Sotto Voce
    Commented Jul 24, 2022 at 20:24
  • Have you verified that systemd is running your script as localuser and not as another user who can't read the private key file? Perhaps add a command to check, such as touch /tmp/backup.service.test.$$ in the script before the rsync command...
    – Sotto Voce
    Commented Jul 24, 2022 at 20:25
  • I would say it is verified, since in the localuser's home a file is created by the same script, and the owner is correctly set to localuser
    – Andrea
    Commented Jul 24, 2022 at 20:44
  • 1
    Just a thought, could there be something ssh related in one of your bash configurations? To test that hypothesis, try running this from your shell /bin/bash --noprofile --norc /home/localuser/backup-script.sh. If you reproduce the problem from your interactive terminal, then we know where to start looking.
    – Stewart
    Commented Jul 26, 2022 at 9:10
  • 1
    If you have something in /etc/profile, ~/.bash_profile, ~/.bash_login, or ~/.profile, then add /bin/bash --login ... to read those. If you have something in /etc/bash.bashrc or ~/.bashrc, then consider moving that to one of the previous files.
    – Stewart
    Commented Jul 26, 2022 at 9:11

1 Answer 1

Reset to default
0

I don't have an answer to fix your specific problem, but you can add verbose output to the ssh command to debug more relating to its use of ssh keys:

rsync -avzh \
  -e "ssh -vvv -i /home/localuser/.ssh/id_ed25519" \
  /home/localuser/backups/file-to-backup.gz \
  [email protected]:/home/remoteuser/backups

The -vvv wil make ssh spew a bunch of output to stdout related to the connection, ssh config and ssh keys. Pipe the output from an interactive run that works to a file and then pipe the output of the service (not working) to a file. Read both files using a difference utility. I recommend vimdiff if you are comfortable with vim. This should at least give you an indication of where something differs and is going wrong.

EDIT: I think rsync defaults to ssh now, and you could put an entry for the remote host in ~/.ssh/config. This should configure any ssh session (including rsync) to use the provided identity/key and other host specific options you'd like.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .