What, exactly, does ssh-copy-id do?
Asked Answered
Y

2

33

What does the ssh-copy-id command do, exactly? I've used it numerous times and it works great. However, when I try to manually cut and paste my .pub key file to my remote authorized_keys file, it doesn't work.

I've compared the contents of my authorized_keys file where I've cut and pasted the .pub into it vs subsequently using ssh-copy-id and I'm not seeing any differences between the two, including whitespace.

Is there anything that ssh-copy-id does beyond copying the public key into authorized_keys?

Yulma answered 27/3, 2014 at 22:45 Comment(3)
Did you check if the permissions for authorized_keys are set up correctly?Layton
Yes, permissions on the directory and authorized_keys were both correct. ssh-copy-id inserted into the same file as my cut and paste so the file environment is identical. I'm mostly curious if there's any other action that ssh-copy-id does to 'activate' the key on the remote server. If not, I need to figure out how my cut and paste is altering the public key.Yulma
Perhaps a try a diff between your version and the automated version? The man page for ssh-copy-id doesn't say it does anything else. Plus, ssh-copy-id is just an ordinary shell script so you could examine to see what it does.Layton
A
33

This little one liner script works on sh, bash, and zsh. I use it every time there is no ssh-copy-id, for example when I'm on older version of OSX.

cat ~/.ssh/id_rsa.pub | ssh <user>@<hostname> 'cat >> ~/.ssh/authorized_keys'

How it works

I am sending the public key to the Unix standard output (STDOUT) using the cat command. I then connect the STDOUT of cat to the standard input (STDIN) of the ssh.

The ssh executes the cat command on the server. Remember that we have our key in the STDIN now? This key gets passed from ssh to the cat command executed on a server. The >> operator redirects the STDOUT of the cat to the end of the ~/.ssh/authorized_keys file. This way, the key from public keys is appended to the authorized_keys on the server.

IMO, it's better than manual copying and pasting: in this case, you know exactly what content will end up in the file.

Always answered 2/12, 2014 at 11:36 Comment(0)
D
8

I usually copy-paste keys into authorized_keys as you describe (I forget about ssh-copy-id), so it can work. Note thatchmod 600 ~/.ssh/authorized_keys is required if you're creating the file.

ssh-copy-id is a shell script so you can open it in a text editor to see what it does, this looks like the relevant bit:

printf '%s\n' "$NEW_IDS" | ssh "$@" "
    umask 077 ;
    mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
    if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi"

restorecon in the last line restores default SELinux security contexts. I haven't had to run that, but it might be necessary in your case.

Drink answered 7/3, 2015 at 15:56 Comment(2)
FYI, I created a small script at github.com/centic9/generate-and-send-ssh-key which runs the necessary steps in one go and additionally ensures all the file/directory permissions which usually always caused me headaches...Euromarket
@JacksonPauls can you provide a source for this statement that you said: "chmod 600 ~/.ssh/authorized_keys is required if you're creating the file"? I searched in the script and didn't see any code like that. I also experienced inconsistent results while testing.Intestine

© 2022 - 2024 — McMap. All rights reserved.