# Shell script to install your public key on a remote machine

# Copyright (c) 1999-2010 Philip Hands <phil@hands.com>

# Takes the remote machine name as an argument.

#               2010 Adeodato =?iso-8859-1?Q?Sim=F3?= <asp16@alu.ua.es>

# Obviously, the remote machine must accept password authentication,

#               2010 Eric Moret <eric.moret@gmail.com>

# or one of the other keys in your ssh-agent, for this to work.

#               2009 Xr <xr@i-jeuxvideo.com>

#               2007 Justin Pryzby <justinpryzby@users.sourceforge.net>

#               2004 Reini Urban <rurban@x-ray.at>

#               2003 Colin Watson <cjwatson@debian.org>

# Modification and redistribution is permitted provided that due credit

# is given to the authors by leaving this copyright notice intact.

ID_FILE="${HOME}/.ssh/id_rsa.pub"

# Shell script to install your public key(s) on a remote machine

# See the ssh-copy-id(1) man page for details

if [ "-i" = "$1" ]; then

DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub | head -n 1)

  shift

  # check if we have 2 parameters left, if so the first is the new ID file

usage () {

  if [ -n "$2" ]; then

  echo "Usage: $0 [-h|-?|-n] [-i [identity_file]] [-p port] [user@]hostname" >&2

    if expr "$1" : ".*\.pub" > /dev/null ; then

  exit 1

      ID_FILE="$1"

}

    else

      ID_FILE="$1.pub"

use_id_file() {

    fi

  local L_ID_FILE=$1

    shift         # and this should leave $1 as the target name

  fi

  if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then

else

    PUB_ID_FILE="$L_ID_FILE"

  if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then

  else

    GET_ID="$GET_ID ssh-add -L"

    PUB_ID_FILE="$L_ID_FILE.pub"

if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then

GETOPT_PARSED=$(getopt --options 'i::p:nh?' --name "$0" --quiet -- "$@")

  GET_ID="cat \"${ID_FILE}\""

eval set -- "$GETOPT_PARSED"

while true ; do

  case "$1" in

    -i)

      case "$2" in

        '')

          CHECK_EXTRA_PARAM=1

          use_id_file $DEFAULT_PUB_ID_FILE

          ;;

        *)

          use_id_file $2

          ;;

      esac

      shift 2

      ;;

    -p)

      if 2>/dev/null [ "$2" -gt 0 ] && [ "$2" -lt 65536 ] ; then

        PORTOPTION="-p $2 "

      else

        echo "Bad port '$2'" >&2

        exit 1

      fi

      shift 2

      ;;

    -n)

      DRY_RUN=1

      shift

      ;;

    -h|-\?)

      usage

      shift

      ;;

    --)

      shift

      break

      ;;

  esac

done

if [ -n "$CHECK_EXTRA_PARAM" ] && [ $# = 2 ] ; then

  use_id_file $1

  shift

if [ -z "`eval $GET_ID`" ]; then

if [ $# != 1 ] ; then

  echo "$0: ERROR: No identities found" >&2

  usage

  exit 1

fi

# drop a trailing colon

USER_HOST=${1%:}

if [ -z "$(eval $GET_ID)" ] && [ -r "$PUB_ID_FILE" ] ; then

  use_id_file $PUB_ID_FILE

if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then

if [ -z "$(eval $GET_ID)" ] ; then

  echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2

  echo "$0: ERROR: No identities found" >&2

# strip any trailing colon

# populate_new_ids() uses several global variables ($USER_HOST, $PORTOPTION ...)

host=`echo $1 | sed 's/:$//'`

# and has the side effect of setting $NEW_IDS

populate_new_ids() {

  local L_SUCCESS="$1"

  local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)

  trap "rm -f $L_TMP_ID_FILE*" EXIT TERM INT QUIT

  NEW_IDS=$(

    eval $GET_ID | {

      while read ID ; do

        printf "$ID\n" > $L_TMP_ID_FILE

        # the next line assumes $PRIV_ID_FILE only set if using a single id file - this

        # assumption will break if we implement the possibility of multiple -i options.

        # The point being that if file based, ssh needs the private key, which it cannot

        # find if only given the contents of the .pub file in an unreleated tmpfile

        ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \

            -o PreferredAuthentications=publickey \

            -o IdentitiesOnly=yes $PORTOPTION $USER_HOST exit 2>$L_TMP_ID_FILE.stderr </dev/null

        if [ "$?" = "$L_SUCCESS" ] ; then

          : > $L_TMP_ID_FILE 

        else

          if ! grep -q 'Permission denied' $L_TMP_ID_FILE.stderr ; then

            sed -e 's/^/ERROR: /' <$L_TMP_ID_FILE.stderr >$L_TMP_ID_FILE

            cat >/dev/null #consume the other keys, causing loop to end

          fi

        fi

        cat $L_TMP_ID_FILE

      done

    }

  )

  rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT

  if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then

    printf "\n$0: $NEW_IDS\n\n" >&2

    exit 1

  fi

  if [ -z "$NEW_IDS" ] ; then

    printf "\n$0: WARNING: All keys were skipped because they already exist on the remote system.\n\n" >&2

    exit 0

  fi

}

REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' $PORTOPTION $USER_HOST 2>&1 |

                 sed -ne 's/.*remote software version //p')

{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1

case "$REMOTE_VERSION" in

  NetScreen*)

    populate_new_ids 1

    for KEY in $(echo "$NEW_IDS"| cut -d' ' -f2) ; do

      [ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | ssh -T $PORTOPTION $USER_HOST >/dev/null 2>&1

      if [ $? = 255 ] ; then

        echo "$0: WARNING: NetScreen only supports dsa keys" >&2

      else

        ADDED=$(($ADDED + 1))

      fi

    done

    if [ -z "$ADDED" ] ; then

      exit 1

    fi

    ;;

  *)

    # Assuming default being OpenSSH

    populate_new_ids 0

    [ "$DRY_RUN" ] || printf "\n$NEW_IDS\n" | ssh $PORTOPTION $USER_HOST "umask 077 ; mkdir -p .ssh ; cat >> .ssh/authorized_keys" || exit 1

    ADDED=$(printf "$NEW_IDS\n" | wc -l)

    ;;

esac

if [ "$DRY_RUN" ] ; then

  echo =-=-=-=-=-=-=-=

  echo "Would have added the following key(s):"

  printf "\n$NEW_IDS\n"

  echo =-=-=-=-=-=-=-=

fi

cat <<EOF

cat <<-EOF

Now try logging into the machine, with "ssh '$host'", and check in:

  ~/.ssh/authorized_keys

	Number of key(s) added: $ADDED

to make sure we haven't added extra keys that you weren't expecting.

	Now try logging into the machine, with "ssh $PORTOPTION'$USER_HOST'", and check

	to make sure we haven't added extra keys that you weren't expecting.

Copyright (c) 1999 Philip Hands Computing <http://www.hands.com/>

Copyright (c) 1999-2010 hands.com Ltd. <http://hands.com/>

.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH"

.Dd $Mdocdate: June 17 2010 $

.SH NAME

.Dt SSH-COPY-ID 1

ssh-copy-id \- install your public key in a remote machine's authorized_keys

.Os

.SH SYNOPSIS

.Sh NAME

.B ssh-copy-id [-i [identity_file]]

.Nm ssh-copy-id

.I "[user@]machine"

.Nd use locally available keys to authorise logins on a remote machine

.Sh SYNOPSIS

.Nm ssh-copy-id

.Op Fl n

.Op Fl i Op Ar identity_file

.Op Fl p Ar port

.Op Ar user Ns @ Ns

.Ar hostname

.Nm ssh-copy-id

.Fl h | Fl ?

.SH DESCRIPTION

.Sh DESCRIPTION

.BR ssh-copy-id

.Nm

is a script that uses ssh to log into a remote machine and

is a script that uses

append the indicated identity file to that machine's

.Xr ssh 1

.B ~/.ssh/authorized_keys

to log into a remote machine (presumably using a login password,

file.

so password authentication should be enabled, unless you've done some

.PP

clever use of multiple identities).  It assembles a list of one or more

If the

fingerprints (as described below) and tries to log in with each key, to

.B -i

see if any of them are already installed (of course, if you are not using

option is given then the identity file (defaults to

.Xr ssh-agent 1

.BR ~/.ssh/id_rsa.pub )

this may result in you being repeatedly prompted for pass-phrases).

is used, regardless of whether there are any keys in your

It then assembles a list of those that failed to log in, and using ssh,

.BR ssh-agent .

enables logins with those keys on the remote server.  By default it adds

Otherwise, if this:

the keys by appending them to the remote user's

.PP

.Pa ~/.ssh/authorized_keys

.B "      ssh-add -L"

(creating the file, and directory, if necessary).  It is also capable

.PP

of detecting if the remote system is a NetScreen, and using its

provides any output, it uses that in preference to the identity file.

.Ql set ssh pka-dsa key ...

.PP

command instead.

If the

.Pp

.B -i

The options are as follows:

option is used, or the

.Bl -tag -width Ds

.B ssh-add

.It Fl i Ar identity_file

produced no output, then it uses the contents of the identity

Use only the key(s) contained in

file.  Once it has one or more fingerprints (by whatever means) it

.Ar identity_file

uses ssh to append them to

(rather than looking for identities via

.B ~/.ssh/authorized_keys

.Xr ssh-add 1

on the remote machine (creating the file, and directory, if necessary.)

or in the default_ID_file).

If the filename does not end in

.SH NOTES

.Pa .pub

This program does not modify the permissions of any

this is added.  If the filename is omitted, the default_ID_file is used.

pre-existing files or directories. Therefore, if the remote

.Pp

.B sshd

Note that this can be used to ensure that the keys copied have the

has

comment one prefers and/or extra options applied, by ensuring that the

.B StrictModes

key file has these set as preferred before the copy is attempted.

set in its

.Nm .

configuration, then the user's home,

.It Fl p Ar port

.B ~/.ssh

Port to connect to on the remote host.

folder, and

This can be specified on a

.B ~/.ssh/authorized_keys

per-host basis in

file may need to have group writability disabled manually, e.g. via

.Xr ssh 1 Ns 's

configuration file.

.B "      chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys"

.It Fl n

do a dry-run.  Instead of installing keys on the remote system simply

on the remote machine.

prints the key(s) that would have been installed.

.It Fl h , Fl ?

.SH "SEE ALSO"

Print Usage summary

.BR ssh (1),

.El

.BR ssh-agent (1),

.Pp

.BR sshd (8)

Default behaviour without

.Fl i ,

is to check if

.Ql ssh-add -L

provides any output, and if so uses that.  Note that this results in

the comment on the key being the filename that was given to

.Nm ssh-add

when the key was loaded into your

.Nm ssh-agent

rather than the comment contained in that file, which is a bit of a shame.

Otherwise, if

.Xr ssh-add 1

provides no keys it uses the contents of the default_ID_file.

.Pp

The

.Em default_ID_file

is the most recent file that matches:

.Pa ~/.ssh/id*.pub ,

so if you want to create a key that is not the one you want ssh-copy-id

to use, either call it something that does not start with

.Ql id

or after creating the new key, use

.Xr touch 1

on your preferred key to reinstate it as the most recent.

.Pp

.Sh EXAMPLES

If you have already installed keys from one system on a lot of remote

hosts, and you then create a new key, on a new client machine, say,

it can be difficult to keep track of which systems on which you've

installed the new key.  One way of dealing with this is to load both

the new key and old key(s) into your

.Xr ssh-agent 1 .

Load the new key first, without the

.Fl c

option, then load one or more old keys into the agent, possibly by

ssh-ing to the client machine that has that old key, using the

.Fl A

option to allow agent forwarding:

.Pp

.D1 user@newclient$ ssh-add

.D1 user@newclient$ ssh -A old.client

.D1 user@oldl$ ssh-add -c

.D1 No   ... prompt for pass-phrase ...

.D1 user@old$ logoff

.D1 user@newclient$ ssh someserver

.Pp

now, if the new key is installed on the server, you'll be allowed in

unprompted, whereas if you only have the old key(s) enabled, you'll be

asked for confirmation, which is your cue to log back out and run

.Pp

.D1 user@newclient$ ssh-copy-id -i someserver

.Pp

The reason you might want to specify the -i option in this case is to

ensure that the comment on the installed key is the one from the

.Pa .pub

file, rather than just the filename that was loaded into you agent.

It also ensures that only the id you intended is installed, rather than

all the keys that you have in your

.Xr ssh-agent 1 .

Of course, you can specify another id, or use the contents of the

.Xr ssh-agent 1

as you prefer.

.Pp

Having mentioned

.Xr ssh-add 1 Ns 's

.Fl c

option, you might consider using this whenever using agent forwarding

to avoid your key being hijacked, but it is much better to instead use

.Xr ssh 1 Ns 's

.Ar ProxyCommand

option with

.Xr netcat 1

to bounce through remote servers while always doing direct end-to-end

authentication. This way the middle hop(s) don't get access to your

.Xr ssh-agent 1 .

A web search for

.Ql ssh proxycommand nc

should prove enlightening.

.Sh "SEE ALSO"

.Xr ssh 1 ,

.Xr ssh-agent 1 ,

.Xr sshd 8