RFC: ssh-copy-id tweaks

Jim Knoble jmknoble at pobox.com
Sat Feb 2 16:50:01 EST 2008


Circa 2008-02-01 17:44 dixit Nick Dokos:

: Ben Lindstrom <mouring at eviladmin.org> wrote:
: > If anything I'd rather see a solution where it looks at the 
: > RSA/DSA/RSA1 key proper without any prefix logic and not insert a new 
: > entry if it finds one (with a nice message to that effect as well).
: 
: I think the grep-using implementation of Jim Knoble *is* better in that
: respect both to the existing behavior and to either of the sort-using
: suggestions.  It avoids entering the key if it is already in the
: authorized_keys file, key restrictions or no key restrictions (although
: it does not produce the nice message). If it is not present, it appends
: it.

It's got portability problems, however.  Principally, it depends on
Bourne shell syntax, when the remote account could well use csh or tcsh,
due to either system defaults or user preference.

I'm working on a rewrite of ssh-copy-id which adds the first identity
available from the following:

    keys added to a currently running ssh-agent[*]
    ~/.ssh/id_rsa.pub
    ~/.ssh/id_dsa.pub
    ~/.ssh/identity

[*] This functionality is present in the current ssh-copy-id.  I'm not
    too happy with its implementation (copies whatever 'ssh-add -L'
    gives it, as long as it's not blank, which could be multiple public
    keys).  I'm beginning to think it might be better for ssh-copy-id to
    find all available identities and prompt the user for which one(s)
    to "copy"....

My rewrite will also work regardless of whether the user's shell is
Bourne shell, ksh, bash, or csh/tcsh, by executing commands using
/bin/sh.  I'm considering sending an awk script (or a thin wrapper
around one) to the remote ~/.ssh directory, then running it as part of
the ssh-copy-id transaction.  If done properly, this could leave a
useful 'add-authorized-key' script behind....

--jim

-- 
jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
(GnuPG key ID: 6F39C2CC  >>>>>>  http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 5024:D578:7CF4:5660:7269::F6F3:B919:9307:6F39:C2CC)
+----------------------------------------------------------------------+
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing.  --Aldous Huxley|
+----------------------------------------------------------------------+
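The remote-side "add-authorized-key" script and the /bin/sh wrapper sketched in the message, written out as an added example (this is not Jim Knoble's code, nor ssh-copy-id's). The script is sent over ssh's standard input and run by "/bin/sh -s", so the remote login shell only ever parses a short argv and never the script body; the duplicate check matches on key type plus base64 blob anywhere on a line, so a key already installed with options or a different comment is not appended again. All function and variable names and the sample keys are this example's own assumptions, and the keys are constructed, not real:

```sh
#!/bin/sh
# Added example, not Jim Knoble's or OpenSSH's code.  It sketches the two
# pieces the message proposes: an awk-based "add-authorized-key" script that
# refuses to add a key already present in authorized_keys, and a wrapper that
# feeds that script to /bin/sh on the remote side so that the remote user's
# login shell (sh, ksh, bash, csh, tcsh) never has to parse it.  Every name
# below (functions, variables, sample keys) is this example's own assumption.

# --- remote-side script -----------------------------------------------------
# Travels over ssh's standard input and is run by "/bin/sh -s", so it must
# stay strict POSIX sh + awk and must not read stdin itself.
#   usage: /bin/sh -s AUTHKEYS_FILE KEYTYPE KEYBLOB [COMMENT]
#   exit:  0 key appended, 1 key already present, 2 cannot create the file
ADD_AUTHORIZED_KEY_SCRIPT=$(cat <<'EOF'
file=$1; type=$2; blob=$3; comment=$4
umask 077                                   # new ~/.ssh is 0700, file 0600
mkdir -p "$(dirname "$file")" || exit 2
[ -e "$file" ] || touch "$file" || exit 2
# Look for KEYTYPE followed by the identical base64 blob anywhere on a
# non-comment line.  Scanning every field, not just $1 and $2, means a copy
# that was installed with options (from="10.0.0.0/8",no-pty ssh-rsa AAAA...)
# or under a different comment is still recognised and not appended twice.
if awk -v t="$type" -v b="$blob" '
        /^[ \t]*(#|$)/ { next }
        { for (i = 1; i < NF; i++)
              if ($i == t && $(i + 1) == b) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$file"
then
    echo "$type key${comment:+ ($comment)} already present in $file, not added"
    exit 1
fi
printf '%s %s%s\n' "$type" "$blob" "${comment:+ $comment}" >> "$file"
echo "$type key${comment:+ ($comment)} added to $file"
exit 0
EOF
)

# --- local side -------------------------------------------------------------
# Split "KEYTYPE BLOB [COMMENT]" as found in ~/.ssh/id_*.pub or the output of
# "ssh-add -L" into key_type, key_blob, key_comment.  The comment is reduced
# to a conservative character set so it can be passed to the remote login
# shell unquoted, whatever that shell is (no spaces, quotes or csh "!").
# Lines carrying a leading options field are not handled here.
split_pubkey() {
    set -f; set -- $1; set +f                 # word-split, no globbing
    [ $# -ge 2 ] || return 2
    key_type=$1; key_blob=$2; shift 2
    key_comment=$(printf '%s' "$*" | tr -c 'A-Za-z0-9@._:+-' '_')
}

# Apply the script to a file on this machine (dry run / self-test).
# Exit status is the script's: 0 added, 1 already present, 2 error.
add_authorized_key() {      # add_authorized_key FILE "KEYTYPE BLOB [COMMENT]"
    split_pubkey "$2" || return 2
    printf '%s\n' "$ADD_AUTHORIZED_KEY_SCRIPT" |
        /bin/sh -s "$1" "$key_type" "$key_blob" "$key_comment"
}

# The remote form.  The login shell on the far side only parses the short
# command line "/bin/sh -s .ssh/authorized_keys ssh-rsa AAAA... comment",
# which sh, ksh, bash, csh and tcsh all read the same way; the script body
# arrives on stdin and is interpreted by /bin/sh alone.
remote_add_authorized_key() {   # remote_add_authorized_key USER@HOST "KEYTYPE BLOB [COMMENT]"
    split_pubkey "$2" || return 2
    printf '%s\n' "$ADD_AUTHORIZED_KEY_SCRIPT" |
        ssh "$1" /bin/sh -s .ssh/authorized_keys "$key_type" "$key_blob" "$key_comment"
}

# --- constructed sample keys (not real keys) and a local demonstration ------
KEY_A='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleBlobAAAAA jim@laptop'
KEY_B='ssh-dss AAAAB3NzaC1kc3MAAACBAPexampleBlobBBBBB jim@desktop'
KEY_B_WITH_OPTS='from="10.0.0.0/8",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPexampleBlobBBBBB installed by admin'
KEY_C='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleBlobCCCCC jim@server'

demo() {
    d=$(mktemp -d) || return 1
    f=$d/.ssh/authorized_keys
    add_authorized_key "$f" "$KEY_A"                 # added
    add_authorized_key "$f" "$KEY_A"                 # already present
    printf '%s\n' "$KEY_B_WITH_OPTS" >> "$f"         # pre-existing restricted copy
    add_authorized_key "$f" "$KEY_B"                 # already present, options ignored
    add_authorized_key "$f" "$KEY_C"                 # added
    echo "--- $f"; cat "$f"
    rm -rf "$d"
}
demo
```

Feeding the script on stdin rather than as a quoted command string is what makes the transaction independent of the remote shell: csh, for instance, does not accept newlines inside single quotes, so a multi-line script passed as an argument would be mangled before /bin/sh ever saw it. The comment sanitising in split_pubkey exists for the same reason; the key type and base64 blob are already safe in every shell's quoting rules.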

