ssh-copy-id bugfix

Radek Podgorny radek at podgorny.cz
Wed Nov 25 22:43:04 AEDT 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi,

On 11/25/2015 12:07 PM, Ruediger Meier wrote:
> Hi,
> 
> On Tuesday 24 November 2015, Radek Podgorny wrote:
>> hello everyone!
>> 
>> i'd like to sincerely ask you to include a fix for ssh-copy-id
>> bug i'll be linking below. it's a trivial fix which resolves 
>> https://bugzilla.mindrot.org/show_bug.cgi?id=2206 and eases life
>> of many. it's been field-tested by redhat devs and users so i see
>> no problem in incorporating it.
>> 
>> http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.8p1-fix
>>
>> 
- -ss h-copy-id-on-non-sh-shell.patch
> 
> 
>>> - umask 077 ; + exec sh -c 'umask 077; mkdir -p .ssh && cat >>
>>> .ssh/authorized_keys || exit 1; if type restorecon >/dev/null
>>> 2>&1; then restorecon -F .ssh .ssh/authorized_keys; fi'" \ -
>>> mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; - if
>>> type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh
>>> .ssh/authorized_keys ; fi" \
> 
> Does "exec sh -c ..." really make sense in general? People who are 
> using non-posix login shells where not even "2>&1" or "&&" works
> are probably good candidates who would also link /bin/sh to point
> to a non-posix shell.
> 
> Personally I think it's hard enough to write POSIX compatible
> shell scripts and I wouldn't start to add such hacks for fish and
> tcsh. Next week somebody may complain that his "shell" does not 
> support "exec ...".

i wouldn't be afraid of that. i think it's a common practice (no hard
numbers for that, thou) that you leave the sh link pointed to posix
shell at all times - there's too many things in the wild depending on
that.

anyway, i wouldn't call it a hack. you need a posix shell on the
remote side and this so far the best method to state it. of course,
someone may have a relly odd shell with no exec support or have the sh
link pointing elsewhere but for such poor guy, the ssh-copy-id is not
working today, anyway, so no real "breakage" happens. on the other
hand, there's many people who would benefit from this patch and as
it's backwards compatible, nothing gets broken for anyone.

if - and that may never happen - in the future someone complains about
his shell not being supported, let's find a better way. but until then
i think this is a safe thing to do.

thanks,
R.

> cu, Rudi
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlZVnsQACgkQ7mej6pjlbYQavACeJEeA9swKxO8bzc6B+uCqLntH
CNAAoKh5r/n2BrkeefN2H7cBc51FyiJk
=f/zb
-----END PGP SIGNATURE-----

More information about the openssh-unix-dev mailing list