"subprocess ssh: Permission denied" using cron

Hi everyone, I used restic in a lot of different ways, always without problems, but I’m experiencing some strange behavior on one of my servers.

The server where restic is installed is a CentOS 8 Stream and the restic version is 0.10.0 (installed using Copr yum repo).
The backup repository is a Debian 10 on an arm sbpc, and I’m using sftp as transport protocol.

On the server I configured restic repository url and password using a configuration file (/root/.restic.conf) with env variables RESTIC_PASSWORD and RESTIC_REPOSITORY (sftp:backupuser@myserver.domain.tld:/data/backup/restic), this file is loaded using ~/.bashrc file.
Please note that ssh on the destination server is listening on a non standard port (1221) and the authentication is made using an ssh key, so on the CentOS Stream server I created an entry into the ~/.ssh/config file for the user running the backup (root).
On the destination Debian server the user “backupuser” is owner of the /data/backup/restic directory (I made a chmod -R backupuser:backupuser /data/backup/restic).

Now the problem, if I run a restic backup (restic backup --one-file-system --exclude-caches /) from ssh terminal with root user everything works perfectly fine, no errors, no problems, and the snapshot is right there at the end of the backup command.
Same for check, forget or prune restic commands.

But if I run one of these commands from a cronjob, snapshots are done, if I check them using “restic snapshot” command they are right there… but for each cronjob running I also got errors like this one

subprocess ssh: Permission denied, please try again.
Fatal: unable to open repo at sftp:backupuser@myserver.domain.tld:/data/backup/restic: unable to start the sftp session, error: EOF

On the CentOS server jobs are running as root and I did not use the --quiet options to get stdout and stderr sent by email by cron, and for each cron run I got two mails, one of the output of the backup…

Files:           8 new,   137 changed, 63897 unmodified
Dirs:            0 new,    73 changed, 10255 unmodified
Added to the repo: 134.174 MiB

processed 64042 files, 3.634 GiB in 1:02
snapshot 5c9be9d5 saved

…and a second mail containing the error I pasted before.

I manually launched a restic check command (from ssh on the CentOS server), no errors found.
Basically everything I launch on ssh works flawlessly, but the same command launched by cron ends ok but returns those errors.

This is an example of the cronjobs I put on on the /etc/crontab file:

00 0,6,12,18 * * * root . /root/.restic.conf ; /usr/bin/restic backup --one-file-system --exclude-caches /
00 19  * * * root . /root/.restic.conf ; /usr/bin/restic check >> /var/log/restic.log
00 20  * * * root . /root/.restic.conf ; /usr/bin/restic forget --quiet --keep-daily 30 --prune

Does anyone have any idea why each cron returns those errors?



In the end it came out the vps provider restored a backup of the vps where restic was started, and the 2nd vps ssh key was not allowed on the Debian server.
Mystery solved, restic was not guilty :sweat_smile:

1 Like

Thanks for the feedback! This may even help other users in a similar situation :slight_smile: