ssh-copy-id vs PasswordAuthentication no
Jochen Bern
Jochen.Bern at binect.de
Fri Dec 10 07:05:59 AEDT 2021
On 09.12.21 14:04, Jakub Jelen wrote:
> On 12/9/21 10:21, Harald Dunkel wrote:
>> I wonder if it would be possible to support a "destination user"
>> option on the ssh-copy-id command line, e.g.
>> ssh-copy-id -i somepath/id_ed25519.pub -u systemuser1 root at newhost
>> to add the pubkey to ~systemuser1/.ssh/authorized_keys on the
>> remote host?
>
> This would be a RFE on the repository for the ssh-copy-id:
> https://gitlab.com/phil_hands/ssh-copy-id/
I note that, nonetheless, any such tool
a) faces the problem of determining where exactly to put the pubkey
(ssh-copy-id only knows about the most basic default locations
of OpenSSH and dropbear), if it is to *reliably* do its job,
b) which, in the case of an OpenSSH-based target machine, requires
knowledge of sshd_config (Authorized* statements, including any
relevant Match clauses) and, thus, both
c) root access to the target machine, even if the file eventually
pinpointed can be written by the nonprivileged target user, and
d) quite a boatload of options- and filesystem-parsing code that
would essentially duplicate that of the target machine's sshd.
I wonder whether "please add this pubkey for target user X (without
telling me which file exactly it went into), after I auth for either X
or root" would be suitably well-defined a task to roll a standardized
API + Subsystem implementation that a remote rollout tool would have to
only throw auth, username and pubkey at?
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3449 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20211209/1a87a7d5/attachment.p7s>
More information about the openssh-unix-dev
mailing list