[Bug 2331] New: ssh-copy-id -i id_new.pub fails to copy that id, also: wrong error msg

bugzilla-daemon at mindrot.org
Wed Jan 7 09:57:07 EST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2331

            Bug ID: 2331
           Summary: ssh-copy-id -i id_new.pub fails to copy that id, also:
                    wrong error msg
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: ssh-copy-id
          Assignee: unassigned-bugs at mindrot.org
          Reporter: twaldmann at thinkmo.de

On the server, password auth is disabled, I log in via pubkey auth and
have an "old" pubkey installed there and can successfully log in with
it.

Now I want to install a new (stronger) pubkey and use:

ssh-copy-id -i .ssh/id_new.pub user@remote

It fails with:

/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they
already exist on the remote system.

This is wrong, the pubkey I gave with -i ... does not exist on the
remote system.

This is because it obviously has a broken check for which keys it needs
to copy.

While it works perfectly if there is no key installed yet on the remote
(and pw auth still enabled), it fails if it already has an old working
pubkey there because it uses pubkey-login-failure to detect a missing
key and assumes that only the key given with -i is used. But in fact,
it also uses keys from the config (where I have my old key configured).

I could make -i work with this patch:

https://paste.thinkmo.de/Unr2wWqd#ssh-copy-id-with-i-arg.txt

This basically killed all the magic happening in the detection and just
"does what I say". Of course this only works for the special -i xxx
case and needs a better fix for the generic case.

I think it would need something like "CommandLineGivenIdentitiesOnly"
as "IdentitiesOnly" does obviously not work as the author of that code
expected.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
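
The report describes a check that infers "key already installed" from whether a pubkey login succeeds. As an added example (not part of the original report and not ssh-copy-id's own code), this compares the key type and base64 blob from a .pub file against an authorized_keys file instead. It assumes a local copy of the remote authorized_keys; the function names and sample keys are constructed for illustration.

```shell
#!/bin/sh
# key_installed PUBFILE AUTHFILE -> 0 present, 1 absent, 2 no key in PUBFILE.
# Compares key type + base64 blob; options and comments are ignored.
key_installed() {
    want=$(awk 'NF >= 2 && $1 !~ /^#/ { print $1 " " $2; exit }' "$1")
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        /^[ \t]*(#|$)/ { next }                 # comments, blank lines
        {
            line = $0
            # Drop quoted option values (command="...") so that spaces
            # inside them cannot shift the fields.
            gsub(/"([^"\\]|\\.)*"/, "", line)
            n = split(line, f, /[ \t]+/)
            for (i = 1; i < n; i++)
                if (f[i] " " f[i + 1] == want) { found = 1; exit }
        }
        END { exit(found ? 0 : 1) }
    ' "$2"
}

# missing_keys AUTHFILE PUBFILE... -> prints each PUBFILE not yet installed.
missing_keys() {
    auth=$1; shift
    for pub in "$@"; do
        rc=0
        key_installed "$pub" "$auth" || rc=$?
        if [ "$rc" -eq 1 ]; then printf '%s\n' "$pub"; fi
    done
}

# Constructed sample data (placeholder blobs, not real keys): the old key is
# installed with options, the new key is not installed.
demo() {
    d=$(mktemp -d) || return 1
    echo 'ssh-rsa AAAAB3OLDKEYconstructed me@old' > "$d/id_old.pub"
    echo 'ssh-ed25519 AAAAC3NEWKEYconstructed me@new' > "$d/id_new.pub"
    printf '%s\n' '# constructed authorized_keys' \
        'from="10.0.0.1",command="echo hi there" ssh-rsa AAAAB3OLDKEYconstructed me@old' \
        > "$d/authorized_keys"
    ( cd "$d" && missing_keys authorized_keys id_old.pub id_new.pub )
    rm -rf "$d"
}

demo    # prints: id_new.pub
```

The result does not depend on which identities the client offers from its config or agent, because no login attempt is involved.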

