6

ssh-copy-id was very useful for sending public keys to a server. But now it fails if you don't have the private key file.

$ ssh-copy-id -i my_friend_rsa.pub root@example.com

/usr/bin/ssh-copy-id: ERROR: failed to open ID file 'my_friend_rsa': No such file

I don't understand this behaviour.

There are two cases for me:

  1. I send my own public key
  2. I send a colleague's public key.

The first case is rare. The server has my public key already if I can connect to it. So I don't need ssh-copy-id in this case.

The second case is very common. I grant access to another user. But I have neither his nor her private key. So this behaviour makes ssh-copy-id useless in the second case.

Please explain to me why ssh-copy-id requires the private key file.

Jakuje
dev.brutus

3 Answers

5

Because of the way this program works. Citing man ssh-copy-id:

ssh-copy-id is a script that uses ssh(1) to log into a remote machine (presumably using a login password, so password authentication should be enabled, unless you've done some clever use of multiple identities). It assembles a list of one or more fingerprints (as described below) and tries to log in with each key, to see if any of them are already installed (of course, if you are not using ssh-agent(1) this may result in you being repeatedly prompted for pass-phrases). It then assembles a list of those that failed to log in, and using ssh, enables logins with those keys on the remote server.

I would agree that this can be too clever sometimes, but this is not the place to ask "why" as we are not the developers.

Sven
4

It needs the private key to verify that the public key was installed properly (this is basically a sanity check). But ...

You can use the -f switch, which will allow you to copy just a public key to the server and will not validate that (if you have a new enough OpenSSH installed).

This is how ssh-copy-id used to work before. The other possibility is the environment variable SSH_COPY_ID_LEGACY, which allows you to restore this behavior:

$ SSH_COPY_ID_LEGACY=1 ssh-copy-id -i my_friend_rsa.pub root@example.com

Or you can just pick up the current version of ssh-copy-id from the upstream repository, which supports the -f switch.

Jakuje
  • Thanks, but it does not work for me: /usr/bin/ssh-copy-id: ERROR: invalid option (-f) – dev.brutus Oct 05 '16 at 18:02
  • If you have new enough openssh. You can always update (modified answer) or use `SSH_COPY_ID_LEGACY` environment variable if you are using RHEL (modified the answer). – Jakuje Oct 05 '16 at 18:07
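The forced mode discussed in this answer installs a public key without logging in with it, so no private key is needed. The following is an added example, not code from the thread or from OpenSSH: a POSIX shell function under the hypothetical name `install_pubkey` that performs the same append by hand while checking the things a missing login test no longer checks (that the file is a single bare public key, that it is not already authorized, and that permissions are strict). It assumes it runs as the target account and is given that account's authorized_keys path.

```shell
#!/bin/sh
# install_pubkey PUBFILE AUTHFILE  (hypothetical helper, not part of OpenSSH)
# Returns 0 = key appended, 1 = input rejected, 2 = key already authorized.
# Typical use on the target account:
#   install_pubkey my_friend_rsa.pub ~/.ssh/authorized_keys
install_pubkey() {
    pub=$1 auth=$2
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    # A private key handed over by mistake must never land on the server.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub holds private key material, refusing" >&2; return 1
    fi
    # A .pub file carries exactly one key line: "type base64-blob [comment]".
    [ "$(grep -c '[^[:space:]]' "$pub")" -eq 1 ] ||
        { echo "expected exactly one key in $pub" >&2; return 1; }
    line=$(grep '[^[:space:]]' "$pub")
    read -r type blob rest <<EOF
$line
EOF
    # The first field must be a key type; this also rejects lines that start
    # with authorized_keys options such as command="..." or from="...".
    case $type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp*|sk-*@openssh.com) ;;
        *) echo "unexpected key type '$type'" >&2; return 1 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key blob" >&2; return 1 ;;
    esac
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    # Duplicate check on type+blob only (comments may differ, options may precede).
    if awk -v t="$type" -v b="$blob" \
        '{ for (i = 1; i < NF; i++) if ($i == t && $(i+1) == b) found = 1 }
         END { exit !found }' "$auth"; then
        return 2
    fi
    # Keep the new entry on its own line even if the file lacks a final newline.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
    printf '%s\n' "$type $blob${rest:+ $rest}" >> "$auth"
}
```

The duplicate check works on the public key text alone, which is why it needs no private key, unlike the login test that ssh-copy-id performs by default.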
0

As a Windows user, I can say it's a shame we don't have the ssh-copy-id script. But if you spend some time studying its internals, you might learn that it can be easily replaced with the following command:

grep '^AuthorizedKeysFile' /etc/ssh/sshd_config | awk '{print $2}' | xargs -I{} sh -c 'ssh-add -L >> {}; sort -u {} -o {}'; echo "ForwardAgent yes" >> ~/.ssh/config

Just issue this command right after your login & next time you can authorize by your key, easy as that. If for some reason it won't work for you, please describe your system a little bit in the comments. Remember that your ssh-client must be configured to use an agent, forward & password for this command to work. Here is the PuTTY settings screen.

P.S. In case you might wonder, it works Linux -> Linux too...

Anubioz