ssh-copy-id vs PasswordAuthentication no

Jochen Bern Jochen.Bern at
Sun Dec 12 08:52:13 AEDT 2021

On 09.12.21 22:17, TJ Saunders wrote:
>> I wonder whether "please add this pubkey for target user X (without
>> telling me which file exactly it went into), after I auth for either X
>> or root" would be suitably well-defined a task to roll a standardized
>> API + Subsystem implementation that a remote rollout tool would have to
>> only throw auth, username and pubkey at?
> Something like the "publickey" SSH subsystem?

(... which seems to be implemented as an OpenSSH-compatible server-side 

*possibly* - I find the statement's wording rather confusing - in JunOS:

and in a number of clients, but *not* the OpenSSH one.)

Nice ... but the spec covers only the case of managing an account's 
authorized_keys *when authenticating for the account itself*, not the 
scenario of the sysadmin generating the account on a 
no-passwords-permitted system, or having to remove pubkeys of 
compromised keypairs or a user losing access ...

P.S.: And I see (only) "~/.ssh/authorized_keys" hardcoded into 
ssh-publickeyd as well ... :-/

Jochen Bern

Binect GmbH

More information about the openssh-unix-dev mailing list