OSX 10.4 & cron

Do per-user crontabs still work on 10.4? Or should I be using launchd instead?

I have some cron jobs that need to ssh to other hosts to do stuff (rsync and cvs via ssh, etc.) On Linux, the only way to make this work was to use non-password-protected ssh certs. On OSX, is there some keychain magic I can do to tell it that these scripts are pre-authorized, without having to leave the private key files unprotected? (I'm guessing not, but I figured it was worth asking.)

Update / Summary: Crontabs still work (they are run by launchd). Some speculation that maybe they will stop working in 10.5. No easy answers to the keychain question, but ydna has some interesting tricks.


41 Responses:

  1. nugget says:

    launchd will see the presence of a personal crontab file and will "fake it" to maintain appearances. Go ahead and "crontab -e" all you want.

  2. johnreen says:

    Dear <lj user="jwz">,

    Don't abuse us.

    The Lazyweb

    Oh wait. Your transformation was posted to Slashdot.

    As predicted.

    So nevermind... there are plenty of lazyweb users to service you indefinitely.

  3. fdaapproved says:

    ...there was an app called SSHKeyChain that does some ssh-agent types of things using the OS X KeyChain.

  4. spyderous says:

    http://www.gentoo.org/proj/en/keychain/ ought to work, if you don't run across anything else and that OS X Keychain program can't do the job. It's a "simple" shell script that caches your key pass on a per-session or per-boot basis.

  5. mattbot says:

    This has nothing to do with your problem but I recommend checking out LaunchBar. It's a nifty little app that allows you to open apps, urls, mp3s, etc without having to touch the mouse. A hot key combo opens a search box that you can type app names into, press return and it opens them. The search box also ranks your past choices so your most called apps come up first. I think you'll like it. It's become painful for me to use a Mac without Launchbar now.

    SSHKeyChain is the best thing I know of for securing keys.

    • kalephunk says:

      Doesn't Spotlight already do this?

    • jwz says:

      How do LaunchBar and Quicksilver differ? They look like the same kind of thing. And both of them look kind of dumb and gimmicky to me...

      • keimel says:

        Sorry that I can't speak towards the difference, but Quicksilver's use is proved when I go looking for one of those rarely used apps, like "iStumbler". Instead of clicking to 'Macintosh HD' 'Applications' 'iStumbler', I can simply whack a couple keys and type 'i' 's' and it'll be ready for me to launch. It also works on those recent documents as well, so when I look for 'ap-inventory-2005.xls' I can start typing it and it's there before I know it.

        If you prefer to type a couple keys instead of mousing around the screen and don't want a gazillion items in your dock, Quicksilver will be a help.

        • mattbot says:

          What he said.

          I prefer LaunchBar but both are nice. Quicksilver has a shinier more polished feel to it so I stuck with using LaunchBar. I'm using these apps to speed launch times up not look nice. The less I notice it the better. Plus Quicksilver is kinda a nag about version updates and such. Both beat speakable items...

          The caveat is that LaunchBar slows down logins, especially if you use a networked home folder. And your porn site URLs popup at inopportune moments.

        • Unless Quicksilver is swapped out, which it *always* is.

        • en_ki says:

          "Whack a couple of keys" is a funny way of saying "bounce on Control".

      • chetfarmer says:

        First, Quicksilver is (as of now) free. It may become Free (FOSS), but the actual license I think won't be settled until the codebase is.

        Second, Quicksilver is actually capable of far more than LB. Check out Merlin Mann's site (43folders.com) wherein he frequently discusses cool stuff you can do with QS. Lots of the more advanced stuff is nonobvious, but very, very neat. (You can, for example, use QS to append text to a file (think to-do list), or send text to Backpack, or execute terminal commands, or...).

        I was a pretty committed (and paid) LB user until I discovered QS. I can't imagine going without one or the other -- it's just way easier to find stuff. It also keeps my Dock tidier (with nothing running, there's essentially nothing in my Dock except QS).

      • jerronimo says:

        I used to use Butler. Same kinda thing, but a little more lightweight.

        Butler also had this neat thing where it understood your AddressBook, so you could hit command-spacebar, and start typing "zawinsk", and there'd be an address book entry for jwz there with a little telephone icon next to it... select it, and it put the phone number up on the screen in a HUGE font.

        very useful.

      • solios says:

        Quicksilver gimmicky? I beg to differ.

        Can't speak on Launchbar - haven't used it, not interested. Quicksilver, however, has gotten me off of the Finder and Dock for application launching and switching, as well as some types of document handling.

        Since the OS X finder sucks a load of rancid horse leavings for these tasks, it's made using OS X much, much more bearable. (new finder window -> applications -> find the damned app -> double click to launch OR dock alias it OR keybind -> first two or three characters -> enter if you're using QS.)

        QS has changed the way I use my machine - I dispute any assertion that it's a "gimmick" on the grounds that it's the first real improvement I've encountered to the GUI since OS 8.

        • jwz says:

          Well, given that I've only just switched to the Mac, I think I probably ought to actually give Apple's UI a try for a while before ditching it in favor of something else.

          • solios says:
            Conversely, I've been a Mac user since the heady days of 7.6.1, switched over when I realized OS 8 was more stable than NT 4 (at the time), and have been riding it like a cheap prostitute ever since.

            Personally, the OS X Finder has more problems than just about everything else in the system, and damned near every OS related headache I've had since I've switched from 9.2.2 to X has been directly related to Finder retardedness. I got around it for application launching for the longest time by throwing an alias of the applications folder into the dock, but that was slow to say the least - Quicksilver is, in my opinion, a fundamental improvement over using the Finder to find and launch GUI apps. I've found it to be a bit obtuse for anything else, and certainly wouldn't use it to organize data.

            The fact that the OS X Finder still manages to be better than damned near everything else for what it does best says more about the state of other "desktop" file browsers than it does about OS X - most of my dissatisfaction comes from the fact that the Aqua finder eats more real estate and is visibly slower than the Platinum (OS 8-9) Finder, and column view image preview chokes on several file types - specifically video that Quicktime doesn't grok.

            But then, it took Apple eight major revisions and a multitude of point releases to get the classic MacOS finder usable. If that metric extends to OS X, then we've got at least another three major revisions before the bugs get ironed out.

          • bradleywayne says:

            A good idea.

            I can only say that QS or LB are what Spotlight hopes to be some day. For example,

            CMD-SPACE "dict" SPACE sycophant RETURN

            The dict autocompletes to Dictionary.com, the space opens a textbox, into which I type my word. This also works for... ebay, amazon, and google out of the box (at least for Launchbar). As a heavy keyboard user, I find this sort of application/search access to be invaluable. Both products are also much faster and smarter than spotlight.

            On the subject of which is better, I prefer Launchbar for its polish (it's like 10 yrs old), and functional default config. QS sounds really powerful, but only if I spent two days configuring it. Things like that are why I'm not using linux on the desktop anymore. Just $0.02, I've not spent a lot of time with QS.

            In Spotlight's defense, its CLI tool "/usr/bin/mdfind" has in a lot of cases replaced "locate" for me.

  6. ydna says:

    For the situations I need to use unprotected SSH DSA/RSA keys, I use restrictions on the target machine's authorized_keys file. For example, my rsync backups run from root@source and send to root@target. In root@target:.ssh/authorized_keys (in one long line):

    from="source.example.com",command="/usr/bin/rsync --server --daemon \
    --config=/etc/rsync-backups/source.example.com.conf . " \
    ssh-dss lOnGkEyHeRe root-backups@source.example.com

    This is to restrict what the key pair in root@source:.ssh/id_dsa-backups can do (I make separate keys for each task). To complete the example, the backup is run on source with:

    rsync -e 'ssh -i /root/.ssh/id_dsa-backups -l root' -azxH \
    --numeric-ids \
    --partial \
    --partial-dir=.rsync-partial \
    --stats \
    --delete \
    --link-dest=../$DATETIMELAST \
    /$VOLUME \

    In the target:/etc/rsync-backups/source.example.com.conf:

    log file=/var/log/rsync-backups/source.example.com.log
    pid file=/var/run/rsync-backups-source.example.com.pid
    comment = source.example.com backup zone
    path = /backups/source.example.com
    use chroot = yes
    read only = no
    uid = root
    gid = root
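    A forced-command wrapper that generalises the command="..." restriction in the post above. This is an added example, not ydna's or jwz's code: instead of hard-wiring one rsync invocation in authorized_keys, sshd runs the wrapper, the client's request arrives in $SSH_ORIGINAL_COMMAND, and only an allow-listed request is mapped to a real command and exec'd; everything else is logged and refused. The wrapper path /usr/local/sbin/backup-only.sh is an assumption; the request string "rsync --server --daemon ." is the form rsync documents for daemon-over-remote-shell connections.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper for a restricted key.
# Matching authorized_keys entry, on one line (key and hostname as in ydna's post):
#   from="source.example.com",command="/usr/local/sbin/backup-only.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss lOnGkEyHeRe root-backups@source.example.com

# Map the client's request to the command this key is allowed to run.
# Prints the real command and returns 0 if permitted; returns 1 otherwise.
# Exact string matches only: add one case arm per additional permitted request.
backup_only_check() {
    case "$1" in
        # Empty request is an interactive shell attempt: refuse.
        "") return 1 ;;
        # What rsync sends for "host::module" over ssh; we pin the server config
        # ourselves so the client cannot choose it.
        "rsync --server --daemon .")
            echo "/usr/bin/rsync --server --daemon --config=/etc/rsync-backups/source.example.com.conf ."
            return 0 ;;
        *) return 1 ;;
    esac
}

# Dispatcher run by sshd: exec the mapped command, or log and refuse.
backup_only_main() {
    if cmd=$(backup_only_check "$SSH_ORIGINAL_COMMAND"); then
        set -- $cmd   # split the allow-listed command into argv (no user input in it)
        exec "$@"
    fi
    logger -t backup-only "refused from ${SSH_CLIENT%% *}: ${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "backup-only: command refused" >&2
    exit 1
}

# Dispatch only when invoked by sshd under the installed name, so the functions
# above can also be sourced and exercised from a shell.
if [ -n "$SSH_CONNECTION" ] && [ "${0##*/}" = "backup-only.sh" ]; then
    backup_only_main
fi
```

Because the key carries no-pty and no-port-forwarding as well as the forced command, a leaked id_dsa-backups file yields nothing beyond the one rsync module, and every refused request shows up in syslog.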

    • jwz says:

      Wow, that's slick. I didn't know you could do that!

      Here's the guts of how I do cross-host backups: the machine with the backup drive on it is running an rsync server, and on that machine I run "backup.sh remote-host" as root; that SSHes to the remote machine as "jwz", and once there, runs "su" and prompts me for the root password on the remote machine, then the remote machine connects to the backup machine's rsync server via an ssh tunnel.

      This way, the backup machine doesn't need to allow incoming connections (in fact, it's NATted) and I don't have to allow ssh as user root, in or out.

        port=9876 # whatever

        rsync_args="--verbose --archive --delete"
        rsync_args="$rsync_args --port $port"

        # $rsync_dest, $remote_user, $local_user, $host and $identity are set
        # earlier in the full script (not shown here).
        remote_cmd="rsync $rsync_args / $rsync_dest"
        remote_cmd="su $remote_user -f -c '$remote_cmd'"

        # -t keeps a tty so su can prompt for the remote root password;
        # -R makes the backup machine's rsync server (port 873) reachable on
        # the remote host as localhost:$port.
        set -x
        ssh -t "$local_user@$host" -i $identity \
        -R $port:localhost:873 \
        "$remote_cmd"
        set +x

      • ydna says:

        Yeah, permitting incoming connections to the backup machine is the rub. But with the method I described, my backup machine doesn't have to know anything about the "clients" and doesn't have to trust them further than the space they're given. Mine views it as a service to untrustworthy clients. Yours has the benefit of owning the clients.

      • mikegrb says:

        You shouldn't be using su, it makes the baby jesus cry. Check out this amazing brand new thing called sudo, it's only been around since 1980 and anybody who calls themselves a power user should be using it already, otherwise they are just an idiot.

        • packetslave says:

          What an impressively condescending comment. Somehow, I think Jamie cemented his "power user" status when he wrote Netscape 1.x for UNIX. Call me crazy, though.

          • mikegrb says:

            I call you crazy. He may have cemented his "power user" status then but he certainly has bulldozed it in the years since. Perhaps you have neglected to read these posts? I have his blog in my private planet for sheer comedy value. I chortle with every new post!!! Well, other than the times I cringe.

  7. rpkrajewski says:

    This is all great stuff. I suggest joining <lj user="macosx">. There's also the developer-oriented <lj user="macosxdev">.

  8. mark242 says:

    As has already been said, crontab -e works fine. Apple is treating this as deprecated, so my guess is that in 10.5, cron will go away completely (as per Apple's past history of giving you exactly one minor OS revision to fix your shit, as they say).

    The "keychain magic" that you speak of isn't possible with shell scripts, but if you're adamant about keeping your authorized_keys file clean, you may want to look into writing up a simple Applescript, which _can_ be "pre-authorized" (at least, you authorize it the first time it runs). Use a secure samba mount, or webdav, blah blah blah, all those things can be accessed directly in the Finder.

    My opinion is that it isn't worth the hassle to jump through all the hoops just to duplicate a good rsync script. If some malicious person has physical access to your iMac, you have far worse problems to deal with than them using ssh to your other boxes.

    • jwz says:

      I'm not worried about "physical access", but I do think that "remote access to the raw disk" is something worth being at least slightly concerned about, which is why I'd like to keep my private keys encrypted on disk if possible. I know this is probably overly paranoid, but there are worse habits than security paranoia.

    • mikegrb says:

      Are you a real moron or do you just play one on this LJ madness?

      This is what ssh-agent and friends were invented for.

  9. ewindisch says:

    OSX ships with OpenSSH. Your non-password-protected ssh cert under ~/.ssh/ file will work just like it did under Linux.

    • ewindisch says:

      Wow.. I wasn't paying attention. I didn't immediately realize that you wanted to improve upon that concept :)

      How about playing with SSH_ASKPASS ?