Bug 1045191 - ssh-copy-id fails with message 'Ambiguous output redirect.' with a non-sh style remote shell
ssh-copy-id fails with message 'Ambiguous output redirect.' with a non-sh sty...
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Jakub Jelen
Fedora Extras Quality Assurance
Depends On:
Blocks: 1135521
  Show dependency treegraph
Reported: 2013-12-19 15:32 EST by Justin Hickey
Modified: 2015-04-09 05:08 EDT (History)
6 users (show)

See Also:
Fixed In Version: openssh-6.6.1p1-12.fc21
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1135521 (view as bug list)
Last Closed: 2015-02-18 11:50:24 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
OpenSSH Project 2206 None None None Never

  None (edit)
Description Justin Hickey 2013-12-19 15:32:10 EST
Description of problem:
When using ssh-copy-id to copy the ssh public key to a remote server, if the account on the remote server uses a shell that is not based on sh or bash (like tcsh), then the script will fail with the message 'Ambiguous output redirect.'. This message is caused by the redirection of STDOUT and STDERR using the sh syntax 2>&1 which is invalid for tcsh.

Specific details:
In the file /usr/bin/ssh-copy-id at line 275 we have the following:

if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \

This command is being executed on the remote machine using the default shell of the remote account. If the remote shell is tcsh (or any other shell that doesn't support the 2>&1 syntax), the
     if type restorecon >/dev/null 2>&1 ;
command fails.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create an account on a remote machine using tcsh for the shell (or any other shell that doesn't support the 2>&1 syntax)
2. Generate an ssh key on the local machine
    ssh-keygen -t rsa -b 2048
3. Run ssh-copy-id on the local machine (the command below assumes the login id is the same on both machines
    ssh-copy-id x.x.x.x

Actual results:
The script exits with
    Ambiguous output redirect.

Expected results:
The script successfully runs with 
    Number of key(s) added: 1

    Now try logging into the machine, with: "ssh 'x.x.x.x'"
    and check to make sure that only the key(s) you wanted were added.

Additional info:
I was able to fix this bug by basically specifying that the ssh command should use the sh shell instead of the default shell of the remote account. The changes I made to the ssh-copy-id script are as follows:

Starting at line 273, change the lines
    umask 077 ;
    mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
    if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \

To the following single line - add "exec sh -c" at the beginning and surround the commands in single quotes
    exec sh -c 'umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \

I'm not sure if this is the best fix, but it works regardless of the remote shell.
Comment 1 Petr Lautrbach 2014-02-26 10:51:26 EST
Your fix seems to be reasonable but I've re-send your report to the upstream bugzilla [1] to see how it should be fixed. Thanks for the report.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2206
Comment 2 Fedora End Of Life 2015-01-09 17:23:02 EST
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 3 Justin Hickey 2015-01-15 09:27:43 EST
This bug still exists in Fedora 20, thus I bumped the version to 20.
Comment 4 mikey 2015-03-27 06:05:49 EDT
Still an issue on Fedora 21, can this be reopened. I have updated upstream bug report.
Comment 5 Fedora Update System 2015-03-30 02:37:11 EDT
openssh-6.6.1p1-12.fc21 has been submitted as an update for Fedora 21.
Comment 6 Fedora Update System 2015-04-09 05:08:06 EDT
openssh-6.6.1p1-12.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.