Bugzilla – Attachment 3441 Details for
Bug 3201
provide an option to use sftp instead of ssh 'exec sh -c …' for installing ssh-keys via ssh-copy-id
[patch] patchfile to solve #3201
3201.patch (text/plain), 5.04 KB, created by Matthias Blümel on 2020-08-18 23:51:43 AEST
>diff --git a/ssh-copy-id b/ssh-copy-id >index b83b836..ce63e19 100755 >--- a/ssh-copy-id >+++ b/ssh-copy-id >@@ -60,9 +60,10 @@ most_recent_id="$(cd "$HOME" ; ls -t .ssh/id*.pub 2>/dev/null | grep -v -- '-cer > DEFAULT_PUB_ID_FILE="${most_recent_id:+$HOME/}$most_recent_id" > > usage () { >- printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2 >+ printf 'Usage: %s [-h|-?|-f|-n|-s] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2 > printf '\t-f: force mode -- copy keys without trying to check if they are already installed\n' >&2 > printf '\t-n: dry run -- no keys are actually copied\n' >&2 >+ printf '\t-s: use sftp -- use sftp instead of executing remote-commands. Can be useful if the remote only allows sftp\n' >&2 > printf '\t-h|-?: print this help\n' >&2 > exit 1 > } >@@ -133,7 +134,7 @@ do > } > shift > ;; >- -f|-n|-h|-\?) >+ -f|-n|-s|-h|-\?) > OPT="$1" > OPTARG= > shift >@@ -172,6 +173,9 @@ do > -n) > DRY_RUN=1 > ;; >+ -s) >+ USE_SFTP=1 >+ ;; > -h|-\?) > usage > ;; 
>@@ -293,11 +297,29 @@ case "$REMOTE_VERSION" in > *) > # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect > populate_new_ids 0 >- # in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX; >- # 'cd' to be at $HOME; add a newline if it's missing; and all on one line, because tcsh. >- [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \ >+ >+ if ! [ "$DRY_RUN" ] && ! [ "$USE_SFTP" ]; then >+ # in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX; >+ # 'cd' to be at $HOME; add a newline if it's missing; and all on one line, because tcsh. >+ printf '%s\n' "$NEW_IDS" | \ > ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys ; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \ > || exit 1 >+ fi >+ if ! [ "$DRY_RUN" ] && [ "$USE_SFTP" ] ; then >+ KEYS_TMPFILE=$(mktemp --dry-run authorized_keys.XXXXXXXXXXXX) >+ trap "rm -f $KEYS_TMPFILE" EXIT >+ SHARED_CON_TMPFILE=$(mktemp --dry-run ssh-copy-id-shared-connection.XXXXXXXXXXXX) >+ ssh -f -N -M -S $SHARED_CON_TMPFILE "$@" >+ trap "ssh -S $SHARED_CON_TMPFILE -O exit 'notnecessary' >/dev/null 2>&1" EXIT >+ echo "mkdir .ssh" | sftp -b - -o "ControlPath=${SHARED_CON_TMPFILE}" "notnecessary" >/dev/null 2>&1 >+ echo "chmod 700 .ssh" | sftp -b - -o "ControlPath=${SHARED_CON_TMPFILE}" "notnecessary" >/dev/null 2>&1 >+ echo "get .ssh/authorized_keys $KEYS_TMPFILE" | sftp -b - -o "ControlPath=$SHARED_CON_TMPFILE" "notnecessary" >/dev/null 2>&1 >+ # add a newline or create file if it's missing, same like above >+ [ -z "$(tail -1c $KEYS_TMPFILE 2>/dev/null)" ] || echo >> $KEYS_TMPFILE >+ printf '%s\n' "$NEW_IDS" >> $KEYS_TMPFILE >+ echo "put $KEYS_TMPFILE .ssh/authorized_keys" | sftp -b - -o "ControlPath=$SHARED_CON_TMPFILE" "notnecessary" >/dev/null 2>&1 || exit 1 >+ echo 
"chmod 600 .ssh/authorized_keys" | sftp -b - -o "ControlPath=${SHARED_CON_TMPFILE}" "notnecessary" >/dev/null 2>&1 >+ fi > ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l) > ;; > esac >diff --git a/ssh-copy-id.1 b/ssh-copy-id.1 >index e344de7..7655f70 100644 >--- a/ssh-copy-id.1 >+++ b/ssh-copy-id.1 >@@ -1,5 +1,5 @@ > .ig \" -*- nroff -*- >-Copyright (c) 1999-2016 hands.com Ltd. <http://hands.com/> >+Copyright (c) 1999-2013 hands.com Ltd. <http://hands.com/> > > Redistribution and use in source and binary forms, with or without > modification, are permitted provided that the following conditions >@@ -31,6 +31,7 @@ THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > .Nm > .Op Fl f > .Op Fl n >+.Op Fl s > .Op Fl i Op Ar identity_file > .Op Fl p Ar port > .Op Fl o Ar ssh_option >@@ -84,6 +85,12 @@ in more than one copy of the key being installed on the remote system. > .It Fl n > do a dry-run. Instead of installing keys on the remote system simply > prints the key(s) that would have been installed. >+.It Fl s >+SFTP mode: usually the public keys are installed by executing commands on the remote side. >+With this option the user's >+.Pa ~/.ssh/authorized_keys >+file will be downloaded, modified locally and uploaded with sftp. >+This option is useful if the server has restrictions on commands which can be used on the remote side. > .It Fl h , Fl ? > Print Usage summary > .It Fl p Ar port , Fl o Ar ssh_option >@@ -158,7 +165,7 @@ asked for confirmation, which is your cue to log back out and run > The reason you might want to specify the -i option in this case is to > ensure that the comment on the installed key is the one from the > .Pa .pub >-file, rather than just the filename that was loaded into you agent. >+file, rather than just the filename that was loaded into your agent. > It also ensures that only the id you intended is installed, rather than > all the keys that you have in your > .Xr ssh-agent 1 .
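Review bot: In the new `USE_SFTP` branch of the `@@ -293,11 +297,29 @@` hunk, the result of `get .ssh/authorized_keys $KEYS_TMPFILE` is discarded with `>/dev/null 2>&1`, so a download that fails for any reason other than the file not existing yet still falls through to `put $KEYS_TMPFILE .ssh/authorized_keys`, which replaces the remote file with only the new keys and drops every key that was already authorized. Tell "no such file" apart from other failures and exit before the `put` when the download did not succeed. In the same branch the second `trap ... EXIT` replaces the first, so `rm -f $KEYS_TMPFILE` never runs; put both cleanups in one handler. `mktemp --dry-run` with a bare template only returns an unused name relative to the current directory without creating the file, so the name can be taken before it is used if that directory is shared, and the long option is not available in every mktemp; create both files inside a private directory from `mktemp -d` instead, and quote `$KEYS_TMPFILE` and `$SHARED_CON_TMPFILE` wherever they are expanded.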
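Review bot: The first `ssh-copy-id.1` hunk (`@@ -1,5 +1,5 @@`) moves the copyright range backwards, from `1999-2016` to `1999-2013`, which is unrelated to the `-s` option and looks like the result of editing an older copy of the man page. Drop this hunk so the existing notice stays as it is.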
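Review bot: The `.It Fl s` text added in the `@@ -84,6 +85,12 @@` hunk does not say that the upload replaces the remote `~/.ssh/authorized_keys` as a whole, so changes made to that file on the server between the download and the upload are lost, nor that the `restorecon` step of the default path is not performed in this mode. Add a sentence for each, so users on SELinux hosts or shared accounts know what `-s` does differently.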