Bug 2206 - ssh-copy-id fails with message 'Ambiguous output redirect.' with a non-sh style remote shell
Summary: ssh-copy-id fails with message 'Ambiguous output redirect.' with a non-sh sty...
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-copy-id (show other bugs)
Version: 6.5p1
Hardware: Other Linux
: P5 normal
Assignee: Philip Hands
URL:
Keywords:
Depends on:
Blocks: V_7_2
  Show dependency treegraph
 
Reported: 2014-02-27 02:48 AEDT by Petr Lautrbach
Modified: 2016-08-02 10:40 AEST (History)
5 users (show)

See Also:

Attachments
use "sh" on remote system (665 bytes, patch)
2015-11-24 23:11 AEDT, Radek Podgorny 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Petr Lautrbach 2014-02-27 02:48:49 AEDT 
This is originally Fedora bug https://bugzilla.redhat.com/show_bug.cgi?id=1045191 but it's also applicable to the vanilla sources:

Description of problem:
When using ssh-copy-id to copy the ssh public key to a remote server, if the account on the remote server uses a shell that is not based on sh or bash (like tcsh), then the script will fail with the message 'Ambiguous output redirect.'. This message is caused by the redirection of STDOUT and STDERR using the sh syntax 2>&1 which is invalid for tcsh.

Specific details:
In the file /usr/bin/ssh-copy-id at line 275 we have the following:

if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \

This command is being executed on the remote machine using the default shell of the remote account. If the remote shell is tcsh (or any other shell that doesn't support the 2>&1 syntax), the
     if type restorecon >/dev/null 2>&1 ;
command fails.

Version-Release number of selected component (if applicable):
6.2p2-6.fc19

How reproducible:
Always

Steps to Reproduce:
1. Create an account on a remote machine using tcsh for the shell (or any other shell that doesn't support the 2>&1 syntax)
2. Generate an ssh key on the local machine
    ssh-keygen -t rsa -b 2048
3. Run ssh-copy-id on the local machine (the command below assumes the login id is the same on both machines
    ssh-copy-id x.x.x.x

Actual results:
The script exits with
    Ambiguous output redirect.

Expected results:
The script successfully runs with 
    Number of key(s) added: 1

    Now try logging into the machine, with: "ssh 'x.x.x.x'"
    and check to make sure that only the key(s) you wanted were added.

Additional info:
I was able to fix this bug by basically specifying that the ssh command should use the sh shell instead of the default shell of the remote account. The changes I made to the ssh-copy-id script are as follows:

Starting at line 273, change the lines
    umask 077 ;
    mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
    if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \

To the following single line - add "exec sh -c" at the beginning and surround the commands in single quotes
    exec sh -c 'umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \

I'm not sure if this is the best fix, but it works regardless of the remote shell.
Comment 1 Martin Ueding 2014-07-14 04:31:23 AEST 
I use the Fish shell which does not use the &&. So this causes errors here as well:

ssh-copy-id mu@martin-pi.local
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed     
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys   
mu@martin-pi.local's password:                                                                                         
fish: Expected a command name, got token of type 'Job im Hintergrund ausführen'. Did you mean 'COMMAND; and COMMAND'? See the help section for the 'and' builtin command by typing 'help and'.                                                
Standard input:                 mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;                               
                                               ^                                         
The suggestion by Petr Lautrbach sounds good, since you cannot rely on the shell, you have to start your own. Maybe some script could be shipped with the openssh-server that accepts the keys?
Comment 2 Michael 2015-03-27 21:04:38 AEDT 
Hello,

I am experiencing the same problem with the fish shell. The reported solution seems like it should really be implemented. Relying on the shell of the server seems unreliable at best.
Comment 3 Radek Podgorny 2015-11-24 23:09:50 AEDT 
same issue here (with fish shell on remote). what can i do to get this fixed?
Comment 4 Radek Podgorny 2015-11-24 23:11:08 AEDT 
Created attachment 2756 [details]
use "sh" on remote system
Comment 5 Jakub Jelen 2015-11-25 01:41:12 AEDT 
Actually we had to use one-line version of this patch, because some other shells (tcsh) do not support multi-line arguments well. The readability is not better, but we achieved more portability.

We carry in Fedora this patch:
http://pkgs.fedoraproject.org/cgit/openssh.git/tree/openssh-6.8p1-fix-ssh-copy-id-on-non-sh-shell.patch

Upstream doesn't seem to be interested in fixing this so at least for the others who will encounter such problems and who would like to fix.
Comment 6 Philip Hands 2015-11-29 04:01:39 AEDT 
Thanks for the patch, and sorry for not getting to it sooner.

My latest version, incorporating something very similar is available here:

  http://git.hands.com/ssh-copy-id

which I'd hope works for you (confirmation would be nice), and will hopefully make it's way into OpenSSH in the not too distant future.

Cheers, Phil.
Comment 7 Damien Miller 2016-08-02 10:40:46 AEST 
Close all resolved bugs after 7.3p1 release