Bugzilla – Attachment 2133 Details for
Bug 1980
use updated ssh-copy-id
[patch]
patch showing differences from current
ssh-copy-id.patch (text/plain), 14.03 KB, created by
Darren Tucker
on 2012-02-24 11:30:50 AEDT
Description:
patch showing differences from current
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2012-02-24 11:30:50 AEDT
Size:
14.03 KB
patch
obsolete
>? build
>Index: contrib/ssh-copy-id
>===================================================================
>RCS file: /var/cvs/openssh/contrib/ssh-copy-id,v
>retrieving revision 1.12
>diff -u -p -r1.12 ssh-copy-id
>--- contrib/ssh-copy-id 17 Aug 2011 02:05:49 -0000 1.12
>+++ contrib/ssh-copy-id 24 Feb 2012 00:24:27 -0000
>@@ -1,54 +1,194 @@
> #!/bin/sh
>
>-# Shell script to install your public key on a remote machine
>-# Takes the remote machine name as an argument.
>-# Obviously, the remote machine must accept password authentication,
>-# or one of the other keys in your ssh-agent, for this to work.
>+# Copyright (c) 1999-2010 Philip Hands <phil@hands.com>
>+# 2010 Adeodato =?iso-8859-1?Q?Sim=F3?= <asp16@alu.ua.es>
>+# 2010 Eric Moret <eric.moret@gmail.com>
>+# 2009 Xr <xr@i-jeuxvideo.com>
>+# 2007 Justin Pryzby <justinpryzby@users.sourceforge.net>
>+# 2004 Reini Urban <rurban@x-ray.at>
>+# 2003 Colin Watson <cjwatson@debian.org>
>+# Modification and redistribution is permitted provided that due credit
>+# is given to the authors by leaving this copyright notice intact.
>
>-ID_FILE="${HOME}/.ssh/id_rsa.pub"
>+# Shell script to install your public key(s) on a remote machine
>+# See the ssh-copy-id(1) man page for details
>
>-if [ "-i" = "$1" ]; then
>- shift
>- # check if we have 2 parameters left, if so the first is the new ID file
>- if [ -n "$2" ]; then
>- if expr "$1" : ".*\.pub" > /dev/null ; then
>- ID_FILE="$1"
>- else
>- ID_FILE="$1.pub"
>- fi
>- shift # and this should leave $1 as the target name
>- fi
>-else
>- if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then
>- GET_ID="$GET_ID ssh-add -L"
>+DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub | head -n 1)
>+
>+usage () {
>+ echo "Usage: $0 [-h|-?|-n] [-i [identity_file]] [-p port] [user@]hostname" >&2
>+ exit 1
>+}
>+
>+use_id_file() {
>+ local L_ID_FILE=$1
>+
>+ if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then
>+ PUB_ID_FILE="$L_ID_FILE"
>+ else
>+ PUB_ID_FILE="$L_ID_FILE.pub"
> fi
>+
>+ PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
>+
>+ # check that the files are readable
>+ for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
>+ ErrMSG=$( { : < $f ; } 2>&1 ) || {
>+ printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(echo $ErrMSG | sed -e 's/.*: *//')"
>+ exit 1
>+ }
>+ done
>+ GET_ID="cat \"$PUB_ID_FILE\""
>+}
>+
>+if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then
>+ GET_ID="ssh-add -L"
> fi
>
>-if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
>- GET_ID="cat \"${ID_FILE}\""
>+GETOPT_PARSED=$(getopt --options 'i::p:nh?' --name "$0" --quiet -- "$@")
>+
>+eval set -- "$GETOPT_PARSED"
>+while true ; do
>+ case "$1" in
>+ -i)
>+ case "$2" in
>+ '')
>+ CHECK_EXTRA_PARAM=1
>+ use_id_file $DEFAULT_PUB_ID_FILE
>+ ;;
>+ *)
>+ use_id_file $2
>+ ;;
>+ esac
>+ shift 2
>+ ;;
>+ -p)
>+ if 2>/dev/null [ "$2" -gt 0 ] && [ "$2" -lt 65536 ] ; then
>+ PORTOPTION="-p $2 "
>+ else
>+ echo "Bad port '$2'" >&2
>+ exit 1
>+ fi
>+ shift 2
>+ ;;
>+ -n)
>+ DRY_RUN=1
>+ shift
>+ ;;
>+ -h|-\?)
>+ usage
>+ shift
>+ ;;
>+ --)
>+ shift
>+ break
>+ ;;
>+ esac
>+done
>+
>+if [ -n "$CHECK_EXTRA_PARAM" ] && [ $# = 2 ] ; then
>+ use_id_file $1
>+ shift
> fi
>
>-if [ -z "`eval $GET_ID`" ]; then
>- echo "$0: ERROR: No identities found" >&2
>- exit 1
>+if [ $# != 1 ] ; then
>+ usage
>+fi
>+
>+# drop a trailing colon
>+USER_HOST=${1%:}
>+
>+if [ -z "$(eval $GET_ID)" ] && [ -r "$PUB_ID_FILE" ] ; then
>+ use_id_file $PUB_ID_FILE
> fi
>
>-if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
>- echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
>+if [ -z "$(eval $GET_ID)" ] ; then
>+ echo "$0: ERROR: No identities found" >&2
> exit 1
> fi
>
>-# strip any trailing colon
>-host=`echo $1 | sed 's/:$//'`
>+# populate_new_ids() uses several global variables ($USER_HOST, $PORTOPTION ...)
>+# and has the side effect of setting $NEW_IDS
>+populate_new_ids() {
>+ local L_SUCCESS="$1"
>+
>+ local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
>+ trap "rm -f $L_TMP_ID_FILE*" EXIT TERM INT QUIT
>+ NEW_IDS=$(
>+ eval $GET_ID | {
>+ while read ID ; do
>+ printf "$ID\n" > $L_TMP_ID_FILE
>+
>+ # the next line assumes $PRIV_ID_FILE only set if using a single id file - this
>+ # assumption will break if we implement the possibility of multiple -i options.
>+ # The point being that if file based, ssh needs the private key, which it cannot
>+ # find if only given the contents of the .pub file in an unreleated tmpfile
>+ ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
>+ -o PreferredAuthentications=publickey \
>+ -o IdentitiesOnly=yes $PORTOPTION $USER_HOST exit 2>$L_TMP_ID_FILE.stderr </dev/null
>+ if [ "$?" = "$L_SUCCESS" ] ; then
>+ : > $L_TMP_ID_FILE
>+ else
>+ if ! grep -q 'Permission denied' $L_TMP_ID_FILE.stderr ; then
>+ sed -e 's/^/ERROR: /' <$L_TMP_ID_FILE.stderr >$L_TMP_ID_FILE
>+ cat >/dev/null #consume the other keys, causing loop to end
>+ fi
>+ fi
>+
>+ cat $L_TMP_ID_FILE
>+ done
>+ }
>+ )
>+ rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT
>+
>+ if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then
>+ printf "\n$0: $NEW_IDS\n\n" >&2
>+ exit 1
>+ fi
>+ if [ -z "$NEW_IDS" ] ; then
>+ printf "\n$0: WARNING: All keys were skipped because they already exist on the remote system.\n\n" >&2
>+ exit 0
>+ fi
>+}
>+
>+REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' $PORTOPTION $USER_HOST 2>&1 |
>+ sed -ne 's/.*remote software version //p')
>
>-{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1
>+case "$REMOTE_VERSION" in
>+ NetScreen*)
>+ populate_new_ids 1
>+ for KEY in $(echo "$NEW_IDS"| cut -d' ' -f2) ; do
>+ [ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | ssh -T $PORTOPTION $USER_HOST >/dev/null 2>&1
>+ if [ $? = 255 ] ; then
>+ echo "$0: WARNING: NetScreen only supports dsa keys" >&2
>+ else
>+ ADDED=$(($ADDED + 1))
>+ fi
>+ done
>+ if [ -z "$ADDED" ] ; then
>+ exit 1
>+ fi
>+ ;;
>+ *)
>+ # Assuming default being OpenSSH
>+ populate_new_ids 0
>+ [ "$DRY_RUN" ] || printf "\n$NEW_IDS\n" | ssh $PORTOPTION $USER_HOST "umask 077 ; mkdir -p .ssh ; cat >> .ssh/authorized_keys" || exit 1
>+ ADDED=$(printf "$NEW_IDS\n" | wc -l)
>+ ;;
>+esac
>+
>+if [ "$DRY_RUN" ] ; then
>+ echo =-=-=-=-=-=-=-=
>+ echo "Would have added the following key(s):"
>+ printf "\n$NEW_IDS\n"
>+ echo =-=-=-=-=-=-=-=
>+fi
>
>-cat <<EOF
>-Now try logging into the machine, with "ssh '$host'", and check in:
>+cat <<-EOF
>
>- ~/.ssh/authorized_keys
>+ Number of key(s) added: $ADDED
>
>-to make sure we haven't added extra keys that you weren't expecting.
>+ Now try logging into the machine, with "ssh $PORTOPTION'$USER_HOST'", and check
>+ to make sure we haven't added extra keys that you weren't expecting.
>
> EOF
>-
>Index: contrib/ssh-copy-id.1
>===================================================================
>RCS file: /var/cvs/openssh/contrib/ssh-copy-id.1,v
>retrieving revision 1.4
>diff -u -p -r1.4 ssh-copy-id.1
>--- contrib/ssh-copy-id.1 19 Jul 2010 11:24:13 -0000 1.4
>+++ contrib/ssh-copy-id.1 24 Feb 2012 00:24:27 -0000
>@@ -1,5 +1,5 @@
> .ig \" -*- nroff -*-
>-Copyright (c) 1999 Philip Hands Computing <http://www.hands.com/>
>+Copyright (c) 1999-2010 hands.com Ltd. <http://hands.com/>
>
> Permission is granted to make and distribute verbatim copies of
> this manual provided the copyright notice and this permission notice
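Review bot: populate_new_ids() and the OpenSSH branch hand key material to printf as the format string — `printf "$ID\n" > $L_TMP_ID_FILE`, `printf "\n$NEW_IDS\n" | ssh …`, `ADDED=$(printf "$NEW_IDS\n" | wc -l)` — so a `%` or a backslash sequence in a key's comment field is interpreted instead of copied, corrupting both the temp file used for the probe login and the line appended to the remote authorized_keys (and miscounting ADDED). Pass the data as an argument to a fixed format instead: `printf '%s\n' "$ID" > $L_TMP_ID_FILE`, `printf '\n%s\n' "$NEW_IDS" | ssh …`, `ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)`; the dry-run `printf "\n$NEW_IDS\n"` and the error path `printf "\n$0: $NEW_IDS\n\n" >&2` have the same shape and should change the same way. For the same reason `while read ID` should be `while read -r ID`, so a backslash in a comment survives the loop. Lower impact but worth fixing in the same pass: `$PUB_ID_FILE`, `$PRIV_ID_FILE` and `$DEFAULT_PUB_ID_FILE` are expanded unquoted in use_id_file and the `-i` case, so a key path containing whitespace splits into several arguments and the readability check on `$f` tests the wrong file.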
>@@ -16,60 +16,150 @@ versions, except that this permission no > translations approved by the Free Software Foundation instead of in > the original English. > .. >-.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH" >-.SH NAME >-ssh-copy-id \- install your public key in a remote machine's authorized_keys >-.SH SYNOPSIS >-.B ssh-copy-id [-i [identity_file]] >-.I "[user@]machine" >+.Dd $Mdocdate: June 17 2010 $ >+.Dt SSH-COPY-ID 1 >+.Os >+.Sh NAME >+.Nm ssh-copy-id >+.Nd use locally available keys to authorise logins on a remote machine >+.Sh SYNOPSIS >+.Nm ssh-copy-id >+.Op Fl n >+.Op Fl i Op Ar identity_file >+.Op Fl p Ar port >+.Op Ar user Ns @ Ns >+.Ar hostname >+.Nm ssh-copy-id >+.Fl h | Fl ? > .br >-.SH DESCRIPTION >-.BR ssh-copy-id >-is a script that uses ssh to log into a remote machine and >-append the indicated identity file to that machine's >-.B ~/.ssh/authorized_keys >-file. >-.PP >-If the >-.B -i >-option is given then the identity file (defaults to >-.BR ~/.ssh/id_rsa.pub ) >-is used, regardless of whether there are any keys in your >-.BR ssh-agent . >-Otherwise, if this: >-.PP >-.B " ssh-add -L" >-.PP >-provides any output, it uses that in preference to the identity file. >-.PP >-If the >-.B -i >-option is used, or the >-.B ssh-add >-produced no output, then it uses the contents of the identity >-file. Once it has one or more fingerprints (by whatever means) it >-uses ssh to append them to >-.B ~/.ssh/authorized_keys >-on the remote machine (creating the file, and directory, if necessary.) >- >-.SH NOTES >-This program does not modify the permissions of any >-pre-existing files or directories. Therefore, if the remote >-.B sshd >-has >-.B StrictModes >-set in its >-configuration, then the user's home, >-.B ~/.ssh >-folder, and >-.B ~/.ssh/authorized_keys >-file may need to have group writability disabled manually, e.g. via >- >-.B " chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys" >- >-on the remote machine. 
>- >-.SH "SEE ALSO" >-.BR ssh (1), >-.BR ssh-agent (1), >-.BR sshd (8) >+.Sh DESCRIPTION >+.Nm >+is a script that uses >+.Xr ssh 1 >+to log into a remote machine (presumably using a login password, >+so password authentication should be enabled, unless you've done some >+clever use of multiple identities). It assembles a list of one or more >+fingerprints (as described below) and tries to log in with each key, to >+see if any of them are already installed (of course, if you are not using >+.Xr ssh-agent 1 >+this may result in you being repeatedly prompted for pass-phrases). >+It then assembles a list of those that failed to log in, and using ssh, >+enables logins with those keys on the remote server. By default it adds >+the keys by appending them to the remote user's >+.Pa ~/.ssh/authorized_keys >+(creating the file, and directory, if necessary). It is also capable >+of detecting if the remote system is a NetScreen, and using its >+.Ql set ssh pka-dsa key ... >+command instead. >+.Pp >+The options are as follows: >+.Bl -tag -width Ds >+.It Fl i Ar identity_file >+Use only the key(s) contained in >+.Ar identity_file >+(rather than looking for identities via >+.Xr ssh-add 1 >+or in the default_ID_file). >+If the filename does not end in >+.Pa .pub >+this is added. If the filename is omitted, the default_ID_file is used. >+.Pp >+Note that this can be used to ensure that the keys copied have the >+comment one prefers and/or extra options applied, by ensuring that the >+key file has these set as preferred before the copy is attempted. >+.Nm . >+.It Fl p Ar port >+Port to connect to on the remote host. >+This can be specified on a >+per-host basis in >+.Xr ssh 1 Ns 's >+configuration file. >+.It Fl n >+do a dry-run. Instead of installing keys on the remote system simply >+prints the key(s) that would have been installed. >+.It Fl h , Fl ? 
>+Print Usage summary >+.El >+.Pp >+Default behaviour without >+.Fl i , >+is to check if >+.Ql ssh-add -L >+provides any output, and if so uses that. Note that this results in >+the comment on the key being the filename that was given to >+.Nm ssh-add >+when the key was loaded into your >+.Nm ssh-agent >+rather than the comment contained in that file, which is a bit of a shame. >+Otherwise, if >+.Xr ssh-add 1 >+provides no keys it uses the contents of the default_ID_file. >+.Pp >+The >+.Em default_ID_file >+is the most recent file that matches: >+.Pa ~/.ssh/id*.pub , >+so if you want to create a key that is not the one you want ssh-copy-id >+to use, either call it something that does not start with >+.Ql id >+or after creating the new key, use >+.Xr touch 1 >+on your preferred key to reinstate it as the most recent. >+.Pp >+.Sh EXAMPLES >+If you have already installed keys from one system on a lot of remote >+hosts, and you then create a new key, on a new client machine, say, >+it can be difficult to keep track of which systems on which you've >+installed the new key. One way of dealing with this is to load both >+the new key and old key(s) into your >+.Xr ssh-agent 1 . >+Load the new key first, without the >+.Fl c >+option, then load one or more old keys into the agent, possibly by >+ssh-ing to the client machine that has that old key, using the >+.Fl A >+option to allow agent forwarding: >+.Pp >+.D1 user@newclient$ ssh-add >+.D1 user@newclient$ ssh -A old.client >+.D1 user@oldl$ ssh-add -c >+.D1 No ... prompt for pass-phrase ... 
>+.D1 user@old$ logoff >+.D1 user@newclient$ ssh someserver >+.Pp >+now, if the new key is installed on the server, you'll be allowed in >+unprompted, whereas if you only have the old key(s) enabled, you'll be >+asked for confirmation, which is your cue to log back out and run >+.Pp >+.D1 user@newclient$ ssh-copy-id -i someserver >+.Pp >+The reason you might want to specify the -i option in this case is to >+ensure that the comment on the installed key is the one from the >+.Pa .pub >+file, rather than just the filename that was loaded into you agent. >+It also ensures that only the id you intended is installed, rather than >+all the keys that you have in your >+.Xr ssh-agent 1 . >+Of course, you can specify another id, or use the contents of the >+.Xr ssh-agent 1 >+as you prefer. >+.Pp >+Having mentioned >+.Xr ssh-add 1 Ns 's >+.Fl c >+option, you might consider using this whenever using agent forwarding >+to avoid your key being hijacked, but it is much better to instead use >+.Xr ssh 1 Ns 's >+.Ar ProxyCommand >+option with >+.Xr netcat 1 >+to bounce through remote servers while always doing direct end-to-end >+authentication. This way the middle hop(s) don't get access to your >+.Xr ssh-agent 1 . >+A web search for >+.Ql ssh proxycommand nc >+should prove enlightening. >+.Sh "SEE ALSO" >+.Xr ssh 1 , >+.Xr ssh-agent 1 , >+.Xr sshd 8