Joachim Schipper
Thu Dec 16 06:07:39 EST 2010

On Wed, Dec 15, 2010 at 12:01:22PM -0600, Dustin Kirkland wrote:
> Howdy,
> We in the Ubuntu Server world have been using a handy little shell
> utility for a couple of releases now, called 'ssh-import-id' [1].
> Whereas ssh-copy-id _pushes_ a public key from one system to another,
> ssh-import-id _pulls_ a public key from a secure key server and
> installs it.
> It takes one or more userid's as command line arguments, loops over
> them, sequentially attempts to retrieve public keys from a web api
> (using wget or curl), and can write to stdout or to file
> (~/.ssh/authorized_keys).
> We find this particularly handy in the cloud world, where systems are
> started from pristine images every time, and we need a way to seed
> the system with credentials before the first authentication.  Here, we
> can run something like 'ssh-import-id kirkland' during the boot
> process, and my public key will be installed by the time I log in.
> It's also really useful when and if you need to grant access to the
> system to others, or perhaps start a system in the cloud on behalf of
> someone else.  Here, we can 'ssh-import-id kirkland smoser cjwatson',
> and each of these keys is retrieved and installed.
> We're using URL="", where %s is a
> userid, but this URL could really be configurable and point to any
> public or private SSH public key server.  An SSL connection to a https
> site with a valid certificate is, of course, essential to the security
> of the key retrieval.  If there were a free/public SSH key server like
> for PGP/GPG keys, that would probably make a good default
> (though I haven't found anything like this).
> Seeing the ssh-copy-id utility in SSH's contrib/ directory, I'm
> hopeful you might consider this ssh-import-id tool for the project.
> Before we get into reviewing the code, can you tell me if this is
> something that would, or would not be interesting to openssh upstream?

I'm not an OpenSSH developer, but: why not use SSH? Install *one*
server's key, and pull the users' keys over that connection. This seems
to have quite a few fewer moving parts, avoids a dependency on
wget/libcurl/..., and doesn't crash and burn when another CA signs
something it shouldn't.
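The retrieve-validate-append loop that the quoted post describes, as an added example rather than the ssh-import-id script itself: KEY_SERVER (a placeholder URL template with %s for the user id) and CA_BUNDLE (an optional CA file to pin the key server's issuer instead of trusting every CA in the system store, which is the concern raised above) are assumed names; each fetched line is checked to look like one OpenSSH public key before it is appended, and duplicates are skipped.

```shell
#!/bin/sh
# Added example, not the ssh-import-id code: pull public keys for one or more
# user ids over HTTPS, validate each line, append only new keys to a file.
set -eu

KEY_SERVER="${KEY_SERVER:-https://keyserver.example.invalid/%s/keys}"  # placeholder
CA_BUNDLE="${CA_BUNDLE:-}"   # optional: pin the key server's CA instead of the whole store

# fetch_keys USERID: print the raw key text for USERID.
# Certificate verification is curl's default; --proto '=https' refuses a
# downgrade to plain http even if the template or a redirect tries it.
fetch_keys() {
    url=$(printf "$KEY_SERVER" "$1")
    curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
        ${CA_BUNDLE:+--cacert "$CA_BUNDLE"} "$url"
}

# is_pubkey LINE: succeed only if LINE is one OpenSSH public key of an accepted
# type (DSA is deliberately not accepted) followed by an optional comment.
is_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# add_keys FILE: read key text on stdin; append each valid key that is not
# already present in FILE. Prints the number of keys added.
add_keys() {
    file=$1
    added=0
    touch "$file"
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if ! is_pubkey "$line"; then
            echo "add_keys: skipping malformed line" >&2
            continue
        fi
        if ! grep -qxF -- "$line" "$file"; then
            printf '%s\n' "$line" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# import_ids FILE USERID...: the ssh-import-id loop, one request per user id.
import_ids() {
    file=$1; shift
    for id in "$@"; do
        fetch_keys "$id" | add_keys "$file"
    done
}
```

Run as `import_ids ~/.ssh/authorized_keys kirkland smoser` after pointing KEY_SERVER at a real key server; `add_keys` alone reads key text from stdin, so it also works on keys delivered by any other channel.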
