[Bug 1980] use updated ssh-copy-id

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Jan 4 10:45:59 EST 2013


https://bugzilla.mindrot.org/show_bug.cgi?id=1980

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
I'd like to get this in shortly. Some comments on the revised script:

  35 DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/*.pub | head -n 1)

The man page says that the default behaviour is to copy id*.pub. I
think copying id* is a better idea too.

You also need to exclude *-cert.pub as these don't have any place in
authorized_keys.

  67 GETOPT_PARSED=$(getopt --options 'i::p:nh?' --name "$0" --quiet -- "$@")

Please consider passing through all -o options directly to the ssh
commandline.

 131 populate_new_ids() {

The old ssh-copy-id script didn't do this and I can't say that I'm
thrilled with the extra complexity it requires. It also has the
potential to be quite slow when a number of keys are to be copied.

authorized_keys doesn't care if the IDs already exist, but I guess it
would be worthwhile to ensure that an ID with key options isn't
clobbered by one that lacks them.

IMO it would be better to do everything in one ssh run: connect, grep
for the keys in authorized_keys and add them if they aren't already
there. If this leads to too long a command-line then you might need to
consider piping in a script to "ssh user@host sh".

 182       if [ $? = 255 ] ; then
 183         echo "$0: WARNING: NetScreen only supports dsa keys" >&2

IMO it would be better to grep for "ssh-dsa" in the key strings rather
than sending them to the remote host.

193     # Assuming default being OpenSSH

I think it would be a good idea to verify this assumption. e.g. by
doing a "test -x ssh-keygen || exit 1" early in the commandline.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
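
The single-session approach suggested in this comment, as an added example that is not part of the original message or of the ssh-copy-id script under review. The function names `list_default_ids` and `build_remote_script` and the `AUTH_FILE` variable are hypothetical, and a key is treated as already present when its "type blob" pair appears anywhere in an authorized_keys line.

```shell
#!/bin/sh
# Added example; function names and AUTH_FILE are hypothetical.

# Print id*.pub files in directory $1, skipping *-cert.pub certificates,
# which do not belong in authorized_keys.
list_default_ids() {
    for f in "$1"/id*.pub; do
        [ -f "$f" ] || continue
        case "$f" in *-cert.pub) continue ;; esac
        printf '%s\n' "$f"
    done
}

# Print a script for the remote "sh" to read on stdin. The public keys are
# embedded in a here-document, so one ssh session both checks and appends.
# A key counts as present when "type blob" occurs anywhere in a line, so an
# existing entry that carries key options is left untouched.
# Assumption: the authorized_keys path contains no single quotes.
build_remote_script() {
    auth=${AUTH_FILE:-.ssh/authorized_keys}
    cat <<EOF
umask 077
mkdir -p "\$(dirname '$auth')"
touch '$auth'
while read -r type blob rest; do
    [ -n "\$blob" ] || continue
    grep -qF -- "\$type \$blob" '$auth' ||
        printf '%s\n' "\$type \$blob\${rest:+ \$rest}" >> '$auth'
done <<'KEYS'
$(for f in "$@"; do cat "$f"; echo; done)
KEYS
EOF
}

# Intended use (user@host is a placeholder):
#   build_remote_script $(list_default_ids "$HOME/.ssh") | ssh user@host sh
```

Running the generated script a second time adds nothing, because every key is then found by the grep.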

