RFC: ssh-copy-id tweaks

Ben Lindstrom mouring at eviladmin.org
Wed Feb 6 03:52:13 EST 2008


Geesh, I knew a better solution would be more complex, but this is 
starting to be scary. =)

In some respects it is sad that VanDyke's proposed key management RFC has 
stalled (or was stalled last I checked).

I'd almost advocate looking at this from another direction and seeing if 
ssh-agent or some other tool leveraging the openssh base code could do the 
testing and validating of these things.  Just I doubt it would be cleaner 
any other way.

  - Ben

On Tue, 5 Feb 2008, Jim Knoble wrote:

> Circa 2008-02-02 00:50 dixit Jim Knoble:
>
> : I'm working on a rewrite of ssh-copy-id
>
> The (nearly complete) rewrite of ssh-copy-id is available:
>
>    http://www.jmknoble.net/openssh/ssh-copy-id
>
> Differences from prior ssh-copy-id:
>
>    (1) Searches for identities in the following order:
>
>            [identities in ssh-agent]
>            ~/.ssh/id_rsa.pub
>            ~/.ssh/id_dsa.pub
>            ~/.ssh/identity.pub
>
>        Copies the first one available (more than one if ssh-agent has
>        multiple identities loaded, see below).
>
>    (2) Old ssh-copy-id overloaded two meanings onto the '-i' switch:
>
>            (a) "Don't look for identities in ssh-agent"
>            (b) "Use this identity file over here"
>
>        [a] above has moved from '-i' (with no arguments) to '-A'.
>        [b] above remains at '-i' (with an argument).  See the help
>        (available with 'ssh-copy-id --help').
>
>    (3) Allows one to use an alternate "dot-ssh" directory on the local
>        host, by setting the SSH_DIR environment variable to the path to
>        a directory.  Equivalent functionality on the remote side is not
>        yet available.
>
>    (4) Most importantly (it's what initiated this whole thread), only
>        adds an identity to ~/.ssh/authorized_keys on the remote host if
>        the public key isn't already present in some form.
>
>    (5) It's more complex.  In order to be smart enough about how we do
>        [4], we use awk, which may be present on the remote host as
>        'gawk', 'mawk', 'nawk', or 'awk'.  We look for them, in that
>        order, on the PATH.  You can correct the limited search used by
>        setting the REMOTE_AWK environment variable to the path to the
>        remote system's awk ('env REMOTE_AWK=/usr/bin/awk ssh-copy-id').
>
>    (6) It executes commands on the remote host using 'sh'.  I believe
>        it to be portable to situations where the remote user's shell is
>        csh or tcsh, but I could be mistaken.  Please test that.
>
> I'm a little worried about command-line length; the 'ssh' command has
> gotten somewhat long.  Feedback about that would be handy as well.
>
> --
> jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
> (GnuPG key ID: 6F39C2CC  >>>>>>  http://www.pobox.com/~jmknoble/keys/ )
> (GnuPG fingerprint: 5024:D578:7CF4:5660:7269::F6F3:B919:9307:6F39:C2CC)
> +----------------------------------------------------------------------+
> |[L]iberty, as we all know, cannot flourish in a country that is perma-|
> | nently on a war footing, or even a near-war footing.  --Aldous Huxley|
> +----------------------------------------------------------------------+
>
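A worked illustration of point (4) above, added here and not part of Jim's script or the original post: a POSIX sh routine that treats a key as already authorized when its type and base64 blob match an existing line (the trailing comment is ignored), and only otherwise appends it. REMOTE_AWK mirrors the post's variable; the key lines are constructed sample values, not real key material.

```shell
#!/bin/sh
# Added example, not Jim Knoble's ssh-copy-id: append one public key to an
# authorized_keys file only if its key type and base64 blob are not already
# there, so a copy of the same key with a different comment counts as present.
# Only POSIX sh and awk are used, matching the remote-side approach in the
# post. REMOTE_AWK mirrors the post's variable and defaults to plain 'awk'.
# Limitation: lines carrying an options prefix (e.g. from="...") are not
# recognised, because the key type is then not in field 1.

AWK="${REMOTE_AWK:-awk}"

# key_present FILE PUBKEY -> returns 0 if FILE already holds PUBKEY's type+blob
key_present() {
    [ -f "$1" ] || return 1
    printf '%s\n' "$2" | "$AWK" '
        # First input (stdin, "-"): the candidate key; remember type and blob
        NR == FNR { want = $1 " " $2; next }
        # Second input: the existing file; ignore blank and comment lines
        /^[ \t]*(#|$)/ { next }
        { have = $1 " " $2; if (have == want) { found = 1; exit } }
        END { exit !found }' - "$1"
}

# add_key FILE PUBKEY -> appends PUBKEY unless present; prints "added"/"exists"
add_key() {
    if key_present "$1" "$2"; then
        echo exists
    else
        # Subshell keeps the restrictive umask from leaking to the caller
        ( umask 077; mkdir -p "$(dirname "$1")"; printf '%s\n' "$2" >> "$1" )
        echo added
    fi
}

# Stand-alone demo on constructed sample keys (not real key material)
demo() {
    f=$(mktemp)
    add_key "$f" 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample1 alice@laptop'   # added
    add_key "$f" 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample1 alice@desktop'  # exists
    add_key "$f" 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample2 bob@host'        # added
    rm -f "$f"
}
demo
```

Running it against a real remote file would mean shipping the two functions over ssh and invoking sh there, which is exactly where the command-line length concern in the post comes from.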