iocage exec, ssh, and keychain

pyrocumulus

Cadet
Joined
Feb 16, 2019
Messages
3
Hello,
I am using rdiff-backup on a Raspberry Pi to back up files from my FreeNAS server (11.3-RELEASE). I didn't want to install rdiff-backup directly on the FreeNAS server, so I put it in an iocage jail instead (also running 11.3-RELEASE). FreeNAS is running an ssh server but the jail is not. I suppose I could just enable sshd on the jail and bypass this whole issue, but it seems like there should be a better way. I could also remove the passphrase for the ssh key, but I'd rather not do that either.

Basically what I am hoping to do is connect to FreeNAS with ssh and run rdiff-backup on the jail via iocage exec. This happens via a cron job so it can't be interactive. I installed the keychain package to store the passphrase for my ssh key in the jail but I am still being asked for my key's passphrase when I try to run rdiff-backup.

Ideally this would run without asking for a key passphrase from the jail root user but it doesn't:
Code:
root@freenas:~ # iocage exec nextcloud_jail rdiff-backup -v5 --print-statistics /root/test/ pi@rpi2::/home/pi/test
Executing ssh -C pi@rpi2 rdiff-backup --server
Enter passphrase for key '/root/.ssh/id_ecdsa':  


I added this to my .cshrc for keychain:
Code:
setenv SHELL /bin/csh
eval `keychain --eval id_ecdsa` 
source $HOME/.keychain/$HOST-csh


Keychain appears to be working:
Code:
root@freenas:~ # iocage exec nextcloud_jail ssh-agent
setenv SSH_AUTH_SOCK /tmp/ssh-wwinG8eUBk8R/agent.53590; 
setenv SSH_AGENT_PID 53591;
echo Agent pid 53591; 


I can manually ssh from nextcloud_jail to pi@rpi2 without a passphrase as expected.

The first time I run iocage console nextcloud_jail I have to enter the passphrase for my ssh key but then keychain stores it for subsequent logins, which is how it should be. Why doesn't this work with the iocage exec command above?
 

pyrocumulus

I believe the problem is related to environment variables in the jail. Keychain's primary function appears to be to maintain the environment vars needed for ssh-add. When I directly log into the jail, all the variables (note the last two) are correctly set because my .cshrc was executed:

Code:
root@nextcloud:~ # env
LOGNAME=root
SHELL=/bin/csh
HOME=/root
USER=root
BLOCKSIZE=K
MAIL=/var/mail/root
MM_CHARSET=UTF-8
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
PWD=/root
TERM=xterm-256color
LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8
HOSTTYPE=FreeBSD
VENDOR=amd
OSTYPE=FreeBSD
MACHTYPE=x86_64
SHLVL=1
GROUP=wheel
HOST=nextcloud
EDITOR=vi
PAGER=more
SSH_AUTH_SOCK=/tmp/ssh-3CnqlIbvo3Jn/agent.36085
SSH_AGENT_PID=36086


However this produces a much shorter set and it's missing the ssh vars:
Code:
root@freenas:~ # iocage exec nextcloud_jail -- env
LANG=en_US.UTF-8
MAIL=/var/mail/root
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
PWD=/
TERM=xterm-256color
USER=root
HOME=/root
SHELL=/bin/csh
MM_CHARSET=UTF-8


How do I ensure that the necessary environment variables are set when I run iocage exec?
Even this doesn't work:
Code:
root@freenas:~ # iocage exec nextcloud_jail -- source /root/.keychain/nextcloud-csh
jexec: execvp: source: No such file or directory
Command: source /root/.keychain/nextcloud-csh failed!


Both the host and the jail are using /bin/csh by default.
 

pyrocumulus

Got it! It's a bit of a work-around but it works:
On the jail create an executable shell script for each rdiff-backup target that contains something like
Code:
#!/bin/csh
eval `keychain --eval id_ecdsa`
rdiff-backup -v5 --print-statistics --force /mnt/data/files/Audios/ \
        pi@rpi2.mylocal::/mnt/seagate/backups/nextcloud/Audios


Then it's possible to call that script from the host and keychain will supply the ssh key passphrase within the jail as intended so it can be run non-interactively:
Code:
root@freenas:~ # iocage exec nextcloud_jail /root/Documents/backup_Audios.sh

Now I can stop worrying about this and worry about Covid-19 instead!
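
An added example, not part of the thread and not pyrocumulus's script: a POSIX sh variant of the jail-side wrapper that reuses the agent environment keychain has already saved and fails instead of prompting when no unlocked key is available, so a cron run cannot hang on the passphrase prompt. The `-sh` file name and the use of `uname -n` for its host part are assumptions modelled on the `nextcloud-csh` file shown above; paths and host names are the ones from the post.

```shell
#!/bin/sh
# Added example: fail-closed backup wrapper for use with `iocage exec`.
# Assumption: keychain wrote a Bourne-shell file next to the -csh one.
KEYCHAIN_FILE="${KEYCHAIN_FILE:-$HOME/.keychain/$(uname -n)-sh}"

# Import SSH_AUTH_SOCK / SSH_AGENT_PID from keychain's saved file.
# Returns 3 if the file is missing or not owned by the calling user
# (it is sourced, so it must not be attacker-writable), 4 if it sets no socket.
load_keychain_env() {
    f="$1"
    [ -f "$f" ] && [ -O "$f" ] || return 3
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    . "$f" >/dev/null 2>&1
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 4
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# Succeeds only if the agent socket exists and the agent holds a key.
# ssh-add -l exits 0 with keys, 1 with none, 2 if the agent is unreachable.
agent_ready() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 2
    ssh-add -l >/dev/null 2>&1
}

main() {
    load_keychain_env "$KEYCHAIN_FILE" || { echo "no keychain env (rc=$?)" >&2; return 1; }
    agent_ready || { echo "agent has no usable key; unlock it once via iocage console" >&2; return 1; }
    # Same ssh command rdiff-backup printed above, plus BatchMode so ssh
    # exits with an error rather than asking for the passphrase.
    rdiff-backup -v5 --print-statistics --force \
        --remote-schema 'ssh -C -o BatchMode=yes %s rdiff-backup --server' \
        /mnt/data/files/Audios/ \
        pi@rpi2.mylocal::/mnt/seagate/backups/nextcloud/Audios
}

# Only run the backup when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then main; fi
```

Called from the host as `iocage exec nextcloud_jail /root/Documents/backup_Audios.sh --run` (the script path is the one from the post; the `--run` argument belongs to this example).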
 