90

I need to execute rsync, without it prompting me for password.

I've seen in rsync manpage that it doesn't allow specifying the password as command line argument.
But I noticed that it allows specifying the password via the variable RSYNC_PASSWORD.

So I've tried exporting the variable, but rsync keeps asking me for password.

export RSYNC_PASSWORD="abcdef"
rsync [email protected]:/abc /def

What am I doing wrong?

Please consider:

In other words, I need to have the RSYNC_PASSWORD approach working! :-)

Jesse Nickles
Dor

7 Answers

111

If the rsync daemon isn't running on the target machine, and you don't care about exposing passwords to everyone on the local machine (Why shouldn't someone use passwords in the command line?), you can use sshpass:

 sshpass -p "password" rsync [email protected]:/abc /def

Note the space at the start of the command; in the bash shell this will stop the command (and the password) from being stored in the history. I don't recommend using the RSYNC_PASSWORD variable unless absolutely necessary (as per a previous edit to this answer); I recommend suppressing history storage or at least clearing history after. In addition, you can use tput reset to clear your terminal history.

Graeme
  • 3
    Why would you suggest adding password clear text on a command, that's bad linux admin 101. – Eddie Mar 22 '15 at 12:34
  • Super handy.. been searching for an approach to this for a while. Thank you. – Isaac Gregson Feb 26 '16 at 18:55
  • 7
    While this is bad to add the password as clear text, this is currently the only reasonably simple way to do this. – Weston Ganger Jun 24 '16 at 16:34
  • 27
    you can always do something like this: `sshpass -p $(cat passFile) ..` to hide clear pass in bash history, and chmod 400 on passFile to secure it – Kresimir Pendic Jan 02 '17 at 16:27
  • Best answer right here. Achieves what one should be able to achieve with only rsync. – etech Jan 06 '17 at 14:54
  • 6
    I know that this is old, but for the sake of newer readers, **please** quote the password — passwords can contain special characters and spaces. `-p "$RSYNC_PASSWORD"` – Paddy Landau Jul 14 '18 at 15:54
  • @PaddyLandau, I edited the answer. I don't actually recommend using the `RSYNC_PASSWORD` variable. But if it is used then, yes I agree it should be quoted. – Graeme Jul 14 '18 at 21:06
  • One might also consider `sshpass -f passFile`, it interprets first line of the file as password – zawuza Apr 02 '21 at 10:44
  • Not a big deal if the target account has minimal access restriction just to a folder of backups – Hayden Thring Sep 27 '21 at 10:28
  • A better way to solve the problem stated in OP, than the (also good) direct answer provided earlier. – BobHy Jun 08 '22 at 18:17
23

This password environment variable appears only to be used when using the rsync protocol:

rsync rsync://[email protected]:/abc /def

For this to work, you need to run rsync as a daemon as well (--daemon option), which is often done using inetd.conf.

When using this protocol, abc should correspond to a target defined in /etc/rsyncd.conf. The user name should be present in an auth users line for this target, and a password file should be specified with the secrets file option.

It is this secrets file that contains mappings between user names and passwords in the following format:

username:password

And it is this password that you can specify using the RSYNC_PASSWORD environment variable.

Cristian Ciupitu
brm
  • a quick way to run an rsync server is with [https://s3.amazonaws.com/skaperen/rsend](http://web.archive.org/web/20151013142515/https://s3.amazonaws.com/skaperen/rsend) – Skaperen Mar 22 '15 at 13:54
20

Very useful for scripting is to use the --password-file command line option.

  • Create empty file called rsync_pass
  • write in password to this file (nothing more)
  • chmod 600 rsync_pass
  • rsync $args --password-file=rsync_pass user@rsynchost::/share localdirectory

This can be used for scripting and allows you to be more secure than just exporting the password to a system variable.

Cristian Ciupitu
Arunas Bartisius
  • 13
    Note to reader: this also requires an rsync daemon running on the server. I really was hoping that ssh keys would be sufficient for passwordless rsync. – Sridhar Sarnobat Nov 02 '15 at 07:01
  • 1
    IMHO this is the only correct way to do it if one doesn't want to use ssh. – diestl May 08 '16 at 09:51
  • You can use SSH keys. I have done this on my systems. You put the authorized key in the .ssh folder on the side you are trying to ssh to. In my case it is /root/.ssh/authorized_keys and on the side running the rsync command use the -e parameter to specify the ssh settings. In my case it is -e "ssh -i /path/to/ssh-key" for example. – Glenn J. Schworak Dec 26 '19 at 22:37
  • 1
    The main point was using rsyncd directly, thus ssh key doesn't play a role. It was stated in question 'without using public key authentication' – Arunas Bartisius Dec 28 '19 at 20:19
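The daemon-mode setup that this answer and the earlier one on `RSYNC_PASSWORD` describe (a module in rsyncd.conf, a `username:password` secrets file, a client `--password-file`), as an added example that is not code from any poster. The module path `/srv/abc`, user `backup`, host `backup.example.net` and the password are constructed; each secret file is created under `umask 077` so it is never readable by other users, even for the moment between writing it and a later `chmod`.

```shell
#!/bin/sh
# Added example; every name, path and credential here is constructed.

# Create FILE holding CONTENT with mode 0600 from the moment it exists:
# umask applies at creation and noclobber (set -C) refuses to reuse an old
# file. printf is a shell builtin, so the secret never shows up in `ps`.
write_secret() {  # usage: write_secret FILE CONTENT
    ( umask 077; rm -f -- "$1"; set -C; printf '%s\n' "$2" > "$1" )
}

# True only for a regular file with no group/other permission bits, which is
# stricter than rsync's own refusal of files accessible to other users.
secret_mode_ok() {  # usage: secret_mode_ok FILE
    [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Daemon side: module [abc] plus its username:password secrets file.
make_module() {  # usage: make_module DIR USER PASSWORD
    write_secret "$1/rsyncd.secrets" "$2:$3" || return 1
    cat > "$1/rsyncd.conf" <<EOF
[abc]
    path = /srv/abc
    read only = yes
    auth users = $2
    secrets file = $1/rsyncd.secrets
    strict modes = yes
EOF
}

# Client side: daemon transfers use host::module (or rsync://), not host:/path.
client_command() {  # usage: client_command PASSFILE USER HOST
    printf 'rsync -av --password-file=%s %s@%s::abc /def\n' "$1" "$2" "$3"
}

demo() {  # build everything in a scratch directory and print the client call
    dir=$(mktemp -d) || return 1
    make_module "$dir" backup 'constructed-pass' &&
        write_secret "$dir/rsync_pass" 'constructed-pass' &&
        secret_mode_ok "$dir/rsyncd.secrets" &&
        secret_mode_ok "$dir/rsync_pass" &&
        client_command "$dir/rsync_pass" backup backup.example.net
    status=$?
    rm -rf -- "$dir"
    return "$status"
}
demo
```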
18

You can use standard ssh identities to do passwordless login. This is handled by default if you have a ~/.ssh/id_rsa or the like, but you can also hardcode your own path to the private key of an authorized keypair.

This allows batching/scripting without exposing passwords, and the public key can be removed from the target server if the private key is ever compromised.

rsync -e"ssh -i /path/to/privateKey" -avR $sourcedir ${ruser}@${rhost}:~/${rdir}/

You can also add arguments like -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null to not force remote host key verification. !Caution - that opens up man-in-the-middle attacks and is generally bad practice!

muru
Eddie
  • 1
    This is especially useful if you're using the new Bash shell for Windows 10. I was wondering why rsync wasn't working passwordlessly. I realized it was using the `~/.ssh` folder inside the shell (where rsync lives). Once I used -e to point to the key inside `/mnt/c/Users/MyUsername/.ssh`, it worked as expected. (Thanks. :D) – Toby Deshane Oct 25 '16 at 14:06
  • 1
    While helpful in general for promptless access, the original question explicitly asked about *not* using key-based auth. – ND Geek Jul 21 '20 at 21:04
6

This seems to be an evergreen topic. Therefore I would like to propose the solution which worked best for me on an Ubuntu 20.04 machine.

My goal was to create a backup on a 1blu cloud drive, which did not allow SSH key login.

  1. First, I created the file ~/.rsync_pass and wrote the password of the SSH user into it.

  2. Then I used the sshpass command with parameter -f to read the password from this file and to pass it to rsync.

sshpass -f ~/.rsync_pass rsync -av /var/www/folder/ [email protected]:/backup
Marco
  • 1
    Thanks. Exactly the answer I looked for. I wished to retrieve backups from VM containing Sangoma FreePBX and Asterisk. But that VM is running using limited resources, thus it was not very wise to keep rsyncD running. Using sshpass and the credentials file does the job as intended. – Troublemaker-DV Sep 05 '22 at 02:03
1

For rsyncd protocol, use process substitution for the option --password-file=FILE

rsync --password-file=<(echo "1233456") [email protected]::abc /def

Archemar
0

I wrote my script inspired by the comments in this post, so I'll post it here as another source of inspiration. My requirements were, no rsyncd on remote, password login, no exposure of password in history or command line. That's actually not very difficult:

#!/bin/bash

HOST=mymachine.mydomain.com
USER=fms
LOCAL=/home/fms/Progetti/MyProject/src

# Read the password without echoing it, then export it:
# sshpass -e takes the password from the SSHPASS environment variable.
read -r -s -p "Password for $USER@$HOST: " SSHPASS
export SSHPASS
echo

sshpass -e rsync -i -r --checksum --delete --chown=nginx:nginx -e "ssh -o PreferredAuthentications=password" "$LOCAL/lavori_senato" "$USER@$HOST:/var/www/drupal/test/web/modules/custom"

I needed to alter the default configuration of my ssh so that it wouldn't try public-key first. The echo after read is just a touch of formatting, since using -s even the end of line is not printed, and the output of rsync overlapped with the password prompt.