Bug 1093168

Summary: ssh-copy-id -i does not work
Product: [Fedora] Fedora
Reporter: Jean-Eudes ONFRAY <je>
Component: openssh
Assignee: Jakub Jelen <jjelen>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: alex.tuxx, je, jjelen, mattias.ellert, mgrepl, plautrba, slukasik, tmraz
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssh-6.6.1p1-12.fc21
Doc Type: Bug Fix
Last Closed: 2015-03-09 08:30:31 UTC
Type: Bug

Description Jean-Eudes ONFRAY 2014-04-30 19:25:28 UTC
Description of problem:

"ssh-copy-id -i {identity}" is broken

Steps to Reproduce:

/usr/bin/ssh-copy-id -i ~/.ssh/id_dsa.pub user@host

Actual results:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.


Expected results:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@host's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'user@host'"
and check to make sure that only the key(s) you wanted were added.


Additional info:

I traced it in the script.
The problem lies in:
    eval $GET_ID | {
      while read ID ; do
   [...]

$GET_ID = cat "/pathto/.ssh/id_dsa.pub"

If you try this code in your shell, you can see that it doesn't work:
cat "/pathto/.ssh/id_dsa.pub" | while read ID; do echo $ID; done

That's because id_dsa.pub is a single line file (no new line)

read -r ID should be used rather than read ID

Here's a patch to solve this issue:

--- /usr/bin/ssh-copy-id.orig	2014-04-30 21:23:23.085531454 +0200
+++ /usr/bin/ssh-copy-id	2014-04-30 21:07:10.720599144 +0200
@@ -207,7 +207,7 @@
   printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
   NEW_IDS=$(
     eval $GET_ID | {
-      while read ID ; do
+      while read -r ID ; do
         printf '%s\n' "$ID" > $L_TMP_ID_FILE
 
         # the next line assumes $PRIV_ID_FILE only set if using a single id file - this
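
Review bot: On the changed line `while read -r ID ; do`, `-r` only stops `read` from interpreting backslashes; it does not change the exit status `read` returns when input ends without a newline, so for the single-line key file with no trailing newline described above the loop body is still skipped. Consider `while read -r ID || [ -n "$ID" ] ; do` so that a final unterminated line is processed. Separately, `> $L_TMP_ID_FILE` in the context line is unquoted and would word-split if the path contained whitespace.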

Comment 1 Alex Leonhardt 2014-06-14 11:53:26 UTC
I had the same issue - seems to have something to do with a user ssh config - I renamed mine, re-did it, and it worked - I did have the following in my config:

ForwardAgent yes
LogLevel quiet
StrictHostKeyChecking no
UserKnownHostsFile /dev/null


Alex

Comment 2 Jakub Jelen 2015-01-12 16:56:59 UTC
Works for me with current fedora 20 and fedora 21:
openssh-6.4p1-7.fc20.x86_64
openssh-6.6.1p1-9.fc21.x86_64

Can you retest it with your configuration? If it still does not work, can you provide more information: the content of your ssh config, the version of your software, or whatever else can help us?

Your examples work for me as they should with freshly created keys using ssh-keygen. Even with the above-mentioned config I don't have any issues.


[root@localhost .ssh]# ssh-copy-id -i id_ecdsa.pub f21
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root.1.236's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'f21'"
and check to make sure that only the key(s) you wanted were added.

[root@localhost .ssh]# ssh f21
Last login: Mon Jan 12 16:49:35 2015 from 192.168.1.1



[root@localhost .ssh]# ssh-copy-id -i ~/.ssh/id_ecdsa.pub f20 
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root.1.226's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'f20'"
and check to make sure that only the key(s) you wanted were added.

[root@localhost .ssh]# ssh f20
Last login: Mon Jan 12 17:33:42 2015 from 192.168.1.1

Comment 3 Jean-Eudes ONFRAY 2015-02-09 13:19:39 UTC
Tested again. Here's the result:

$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@host
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.

$ ssh-copy-id -i ~/.ssh/id_dsa.pub user@host
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@host's password: 

Some keys work, some don't. The difference between both keys (except one being rsa, and the other dsa) is that the former has no \n at the end of the file while the other has.

I've tested with a newly created rsa key and it works fine. The new key has a trailing \n.

Something may have changed in ssh-keygen to always add a trailing \n to keyfiles.

You should be able to reproduce that after removing the trailing \n at the end of your keyfile.

Comment 4 Jakub Jelen 2015-02-12 09:58:02 UTC
So it looks like ssh-copy-id is not broken, but your keys are. Every text file should end with a newline, but tools _should_ be able to handle a missing newline.

I tried your patch, but it didn't help me with keys without trailing newline. Both

# cat .ssh/id_dsa1.pub | while read ID; do echo $ID; done
# cat .ssh/id_dsa1.pub | while read -r ID; do echo $ID; done

show nothing in bash-4.3.33-1.fc21.x86_64


A possible workaround is to use a command like this, which works the same for both keys:
# cat ~/.ssh/id_rsa.pub | while read -r ID  || [[ -n "$ID" ]]; do echo $ID; done

I can try to discuss this issue with upstream. It seems acceptable for me.
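
The behaviour discussed in the comments above, as an added example that is not part of the original report or of ssh-copy-id: the two loop shapes run against a newline-terminated and an unterminated key file, plus a check for the missing final newline. The function names and the key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example. The key strings are constructed placeholders, not real keys.

# Loop shape from the original script: read returns non-zero when it hits
# EOF before a newline, so an unterminated last line never reaches the body.
count_ids_naive() {
  n=0
  while read -r ID; do
    n=$((n + 1))
  done < "$1"
  echo "$n"
}

# Loop shape from the workaround: read still fills ID at EOF, so test it.
count_ids_robust() {
  n=0
  while read -r ID || [ -n "$ID" ]; do
    if [ -n "$ID" ]; then n=$((n + 1)); fi
  done < "$1"
  echo "$n"
}

# True when a non-empty file lacks the final newline. Command substitution
# strips a trailing newline, so a non-empty result means the last byte is
# something else.
missing_final_newline() {
  [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]
}

demo() {
  dir=$(mktemp -d) || return 1
  printf 'ssh-rsa AAAAconstructed1 user@example\n' > "$dir/with_nl.pub"
  printf 'ssh-rsa AAAAconstructed2 user@example'   > "$dir/no_nl.pub"
  for f in "$dir/with_nl.pub" "$dir/no_nl.pub"; do
    if missing_final_newline "$f"; then state="no trailing newline"
    else state="newline-terminated"; fi
    printf '%s: %s, naive=%s robust=%s\n' "${f##*/}" "$state" \
      "$(count_ids_naive "$f")" "$(count_ids_robust "$f")"
  done
  rm -rf "$dir"
}

demo
```
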

Comment 5 Fedora Update System 2015-02-27 18:13:59 UTC
openssh-6.7p1-9.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/openssh-6.7p1-9.fc22

Comment 6 Fedora Update System 2015-02-27 19:44:03 UTC
Package openssh-6.7p1-9.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.7p1-9.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-2786/openssh-6.7p1-9.fc22
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2015-03-09 08:30:31 UTC
openssh-6.7p1-9.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-03-30 06:37:09 UTC
openssh-6.6.1p1-12.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/openssh-6.6.1p1-12.fc21

Comment 9 Fedora Update System 2015-04-09 09:08:05 UTC
openssh-6.6.1p1-12.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.