Unix & Linux Stack Exchange is a question and answer site for users of Linux, FreeBSD and other Un*x-like operating systems. It's 100% free, no registration required.

I have two nearly identical scripts in network/if-up that need to access SSH keys. Permissions on SSH private keys are 600, so how can my scripts access these keys?

I would prefer to keep the SSH keys associated with a user account I set up for the task that these scripts perform.

I don't know how to find the user that runs the scripts in network/if-up and I also have not had any luck trying to use su -l -c "my_command" mytaskuser in my scripts. Hopefully I'm just making a simple mistake.

On Ubuntu my scripts are located in /etc/network/if-up.d and in other distros (e.g., openSUSE) they are in /etc/sysconfig/network/if-up.d.

Both my scripts look similar to this (I'll just use one example to keep the question focused):

#!/bin/sh
LOGDATE="_`date +%Y-%m-%d_%H%M`"
scp -i /home/mytaskuser/.ssh/id_rsa /home/mytaskuser/some.log  [email protected]:somelog${LOGDATE}.log
exit 0

The script works totally correctly if I log in as mytaskuser and run it manually. It fails without any obvious error messages when run automatically from if-up.d/.

I have tried variations like this:

#!/bin/sh
LOGDATE="_`date +%Y-%m-%d_%H%M`"
su -l -c "scp -i /home/mytaskuser/.ssh/id_rsa /home/mytaskuser/some.log  [email protected]:somelog${LOGDATE}.log" mytaskuser
exit 0

That hasn't worked. The only way the script works is when I run it while logged in as the user that owns the SSH key (id_rsa).

1 Answer (accepted)

If you run scp as root, then it looks for files in root's home directory, including the known_hosts file. If the server's public key is not in ~/.ssh/known_hosts, then ssh prompts the user to ask whether to add the key. If there is no terminal to prompt the user, ssh refuses to connect since it cannot ensure that the host is the right one.

You should run scp as your own user (mytaskuser).

su -c "scp -i ~/.ssh/id_rsa ~/some.log  [email protected]:somelog${LOGDATE}.log" mytaskuser

Don't pass the -l option to su: that runs a login shell, which ignores the command passed with -c.

Thank you. One thing I stumbled across while testing is to use the setuid bit. I removed su -c and set the owner of the script to mytaskuser and set permissions to 6755 and it appears to have worked. (I say appears because I have had a few false successes so far in my testing.) Which approach will be more reliable and robust? setuid or su -c "command" mytaskuser? – MountainX, Jul 14 '13 at 1:31

@MountainX Setuid is ignored for scripts! Maybe you've entered the key in /root/.ssh/known_hosts? Or you were running the script as yourself and the key was in /home/mountainx/.ssh/known_hosts? – Gilles, Jul 14 '13 at 1:32

None of the above. I'm confused as to how it is working, but it is working... – MountainX, Jul 19 '13 at 0:22
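The answer's diagnosis (scp running as root looks in /root/.ssh for known_hosts, then hangs or aborts because there is no terminal to answer the host-key prompt) suggests a hook that fails loudly instead of silently. The following script is an added example, not code from the question or the answer. It keeps the user name mytaskuser and the file paths from the question; the remote host is a placeholder (backup.example.invalid), the RUN_HOOK guard exists only so the functions can be sourced without running, and the log tag if-up-scp-log is invented. Beyond what the answer shows, it pins the host key by passing the task user's known_hosts explicitly, sets BatchMode so ssh can never block on a prompt, checks that the host is actually pinned before trying, and reports failure through logger so the "no obvious error message" symptom cannot recur.

```shell
#!/bin/sh
# Added example: a defensive network/if-up hook that copies a log as an
# unprivileged user. Assumptions: TASK_USER/TASK_HOME as in the question,
# REMOTE is a placeholder host, RUN_HOOK=1 is required to actually run main.

TASK_USER="${TASK_USER:-mytaskuser}"
TASK_HOME="${TASK_HOME:-/home/$TASK_USER}"
REMOTE="${REMOTE:-mytaskuser@backup.example.invalid}"   # placeholder, not a real host
LOG_TAG="if-up-scp-log"                                 # invented syslog tag

# known_hosts_has FILE HOST: succeed only if HOST appears as a plain (unhashed)
# host field in FILE. Hashed "|1|..." entries are not decoded and count as
# missing, which errs on the side of refusing rather than prompting.
known_hosts_has() {
    _file="$1"; _host="$2"
    [ -r "$_file" ] || return 1
    while read -r _hosts _rest; do
        # the host field may be a comma-separated alias list
        case ",$_hosts," in
            *",$_host,"*) return 0 ;;
        esac
    done < "$_file"
    return 1
}

# build_scp_cmd KEY KNOWN_HOSTS SRC DEST: print the scp command line that will
# be handed to su -c. BatchMode=yes forbids any interactive prompt and
# StrictHostKeyChecking=yes refuses unknown hosts outright, so a missing or
# changed host key fails with an error instead of hanging under if-up.
build_scp_cmd() {
    _key="$1"; _hosts="$2"; _src="$3"; _dest="$4"
    printf 'scp -i %s -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s %s %s' \
        "$_key" "$_hosts" "$_src" "$_dest"
}

main() {
    LOGDATE="_$(date +%Y-%m-%d_%H%M)"
    _key="$TASK_HOME/.ssh/id_rsa"
    _hosts="$TASK_HOME/.ssh/known_hosts"
    _host="${REMOTE#*@}"

    # Fail early, with a reason in syslog, if the host key was never pinned
    # for the task user (the silent-failure case from the question).
    if ! known_hosts_has "$_hosts" "$_host"; then
        logger -t "$LOG_TAG" "refusing to copy: $_host is not listed in $_hosts"
        return 1
    fi

    _cmd=$(build_scp_cmd "$_key" "$_hosts" "$TASK_HOME/some.log" \
                         "$REMOTE:somelog${LOGDATE}.log")
    _err=$(mktemp) || return 1

    # if-up hooks run as root; drop to the key's owner with su (no -l, so the
    # -c command is kept). Outside root, e.g. manual testing, run directly.
    if [ "$(id -u)" -eq 0 ]; then
        su -s /bin/sh -c "$_cmd" "$TASK_USER" >/dev/null 2>"$_err"
    else
        sh -c "$_cmd" >/dev/null 2>"$_err"
    fi
    _rc=$?
    if [ "$_rc" -ne 0 ]; then
        # forward scp's own stderr to syslog so the failure is visible
        logger -t "$LOG_TAG" "scp exited $_rc"
        logger -t "$LOG_TAG" -f "$_err"
    fi
    rm -f "$_err"
    return "$_rc"
}

if [ "${RUN_HOOK:-0}" = 1 ]; then
    main "$@"
fi
```

Install it with RUN_HOOK=1 set in the hook's environment (or replace the guard with an unconditional call to main) and make sure the host key is pinned once, as mytaskuser, with ssh-keyscan or a first interactive ssh; after that, a changed or missing key surfaces in syslog instead of as a silent no-op.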
