7

Edit: There's a bug report for this, doing the equivalent of this answer.

I'm trying to script the copying of public keys to multiple machines. ssh-copy-id checks whether it can log in with the current configuration before copying, but unfortunately this includes any IdentityFile entries in ~/.ssh/config. I would like to completely ignore ~/.ssh/config; is there some way to do that, or to force ssh-copy-id to always add the key? This does not work:

ssh-add "$old_key"
ssh-copy-id -i "$new_key" -o "IdentityFile $new_key" "$login"

This is similar to, but distinct from, "How can I make ssh ignore .ssh/config?".

l0b0
  • 2
    ssh-copy-id is itself a shell script. You can try editing it. – muru Feb 11 '15 at 10:14
  • You can force adding PreferredAuthentications password & PubkeyAuthentication no for required host in ~/.ssh/config. You will use password for ssh-copy-id authentication – AJIOB Oct 22 '22 at 08:28

2 Answers

7

After checking the code of ssh-copy-id, it turns out this hack works:

SSH_OPTS='-F /dev/null' ssh-copy-id [...]

Would still be interested in a solution that only relies on documented features, though.

l0b0
  • If there is such a feature, would you not have encountered it while checking the code ;-) – Anthon Feb 11 '15 at 10:28
  • I guess you could consider my answer a hint that this should be a supported feature :) – l0b0 Feb 11 '15 at 13:06
  • File a wishlist bug? – Faheem Mitha Feb 11 '15 at 15:00
  • @FaheemMitha I'd be happy to, but I have no idea where it's maintained. There are bug reports all over the place, and no reference in the file itself. Any idea? – l0b0 Feb 11 '15 at 18:29
  • 1
    ssh-copy-id is part of OpenSSH, which is maintained by the OpenBSD people. Looks like they use Bugzilla. See http://www.openssh.com/report.html. Some copy-id bugs have been reported recently. See https://bugzilla.mindrot.org/buglist.cgi?bug_status=open&content=&no_redirect=1&order=changeddate%20DESC%2Cpriority%2Cbug_severity&product=&query_based_on=&query_format=specific – Faheem Mitha Feb 11 '15 at 21:00
  • dpkg -L openssh-client |grep SSH_OPTS returns nothing on my system (Ubuntu 12.04). – Gilles 'SO- stop being evil' Feb 11 '15 at 21:50
  • @Gilles Curious. Why should a file listing mention an environment variable? – muru Feb 13 '15 at 13:10
  • @muru I meant dpkg -L openssh-client |xargs grep SSH_OPTS, i.e. none of the files in the package use the variable SSH_OPTS, or else they construct it dynamically (which is unlikely). In particular, the ssh-copy-id script from OpenSSH portable 5.9 doesn't mention SSH_OPTS. It's present in 6.6 (on Ubuntu 14.04), but not documented. – Gilles 'SO- stop being evil' Feb 13 '15 at 13:18
  • @Gilles It does on Ubuntu 14.04 (6.6p1-2ubuntu1) and Arch Linux (OpenSSH 6.7p1-1). Might have been introduced later on. Oh, didn't see your edit. – muru Feb 13 '15 at 13:21
  • @muru And on 6.6, the alternate method ssh-copy-id -o -F -o /dev/null … (which wasn't present in 5.9) is documented in the man page. – Gilles 'SO- stop being evil' Feb 13 '15 at 13:22
  • @Gilles It is? I can't find it on http://manpages.ubuntu.com/manpages/trusty/en/man1/ssh-copy-id.1.html – muru Feb 13 '15 at 13:25
2

The use of SSH_OPTS may not be future-proof (I think that the script should reset it at the beginning for security reasons: the behavior shouldn't depend on unspecified environment variables, which may not have been cleaned up in some cases). What you could do (possibly via a shell function):

env PATH="/path/to/special_dir:$PATH" ssh-copy-id [...]

where /path/to/special_dir just contains a ssh script, which can execute the real ssh with -F /dev/null. This is a bit ugly, but I don't think that there is any clean way with the current ssh-copy-id script.

vinc17
  • This relies on ssh-copy-id using PATH to resolve ssh, which may also change (Unlikely, but still). +1 for a clever hack. – l0b0 Feb 11 '15 at 13:15
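
The PATH-wrapper approach from the answer above, written out as an added example (not part of the original answer, and not code from OpenSSH). The function names make_ssh_wrapper_dir and copy_id_ignoring_config are hypothetical; the sketch assumes mktemp -d is available and, as the comment above notes, that ssh-copy-id resolves ssh through PATH.

```shell
# Build a private directory holding an `ssh` wrapper that runs the real ssh
# with -F /dev/null, so ~/.ssh/config (and its IdentityFile entries) is ignored.
# Prints the directory name on stdout.
make_ssh_wrapper_dir() {
    mswd_real=$1
    case $mswd_real in
        *"'"*) echo "unsupported quote in path: $mswd_real" >&2; return 1 ;;
        /*) ;;
        *) echo "need an absolute path to ssh, got: $mswd_real" >&2; return 1 ;;
    esac
    [ -x "$mswd_real" ] || { echo "not executable: $mswd_real" >&2; return 1; }

    # mktemp -d creates the directory with mode 0700, so no other user can
    # plant or replace the wrapper that will sit first on PATH.
    mswd_dir=$(mktemp -d) || return 1
    {
        printf '#!/bin/sh\n'
        # Absolute path: the wrapper must not find itself through PATH.
        printf "exec '%s' -F /dev/null \"\$@\"\n" "$mswd_real"
    } > "$mswd_dir/ssh"
    chmod 700 "$mswd_dir/ssh"
    printf '%s\n' "$mswd_dir"
}

# Run ssh-copy-id with the wrapper first on PATH, then remove the wrapper.
# Usage: copy_id_ignoring_config -i "$new_key" "$login"
copy_id_ignoring_config() {
    cic_real=$(command -v ssh) || { echo "ssh not found" >&2; return 1; }
    cic_dir=$(make_ssh_wrapper_dir "$cic_real") || return 1
    cic_status=0
    env PATH="$cic_dir:$PATH" ssh-copy-id "$@" || cic_status=$?
    rm -rf "$cic_dir"
    return "$cic_status"
}
```

When ssh is given -F, it also skips the system-wide /etc/ssh/ssh_config, so any site defaults set there do not apply to these connections.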