Bug 1093168 - ssh-copy-id -i does not work
Summary: ssh-copy-id -i does not work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jakub Jelen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-04-30 19:25 UTC by Jean-Eudes ONFRAY
Modified: 2015-04-09 09:08 UTC (History)
8 users (show)

Fixed In Version: openssh-6.6.1p1-12.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-09 08:30:31 UTC
Type: Bug


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenSSH Project 2350 0 None None None Never

Description Jean-Eudes ONFRAY 2014-04-30 19:25:28 UTC
Description of problem:

"ssh-copy-id -i {identity}" is broken

Steps to Reproduce:

/usr/bin/ssh-copy-id -i ~/.ssh/id_dsa.pub user@host

Actual results:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.


Expected results:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@host's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'user@host'"
and check to make sure that only the key(s) you wanted were added.


Additional info:

I traced it in the script.
The problem lays in:
    eval $GET_ID | {
      while read ID ; do
   [...]

$GET_ID = cat "/pathto/.ssh/id_dsa.pub"

If you try this code in your shell, you can see that it doesn't work:
cat "/pathto/.ssh/id_dsa.pub" | while read ID; do echo $ID; done

That's because id_dsa.pub is a single line file (no new line)

read -r ID should be used rather than read ID

Here's a patch to solve this issue:

--- /usr/bin/ssh-copy-id.orig	2014-04-30 21:23:23.085531454 +0200
+++ /usr/bin/ssh-copy-id	2014-04-30 21:07:10.720599144 +0200
@@ -207,7 +207,7 @@
   printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
   NEW_IDS=$(
     eval $GET_ID | {
-      while read ID ; do
+      while read -r ID ; do
         printf '%s\n' "$ID" > $L_TMP_ID_FILE
 
         # the next line assumes $PRIV_ID_FILE only set if using a single id file - this

Comment 1 Alex Leonhardt 2014-06-14 11:53:26 UTC
I had the same issue - seems to have something to do with a user ssh config - I renamed mine, re-did it, and it worked - I did have the following in my config : 

ForwardAgent yes
LogLevel quiet
StrictHostKeyChecking no
UserKnownHostsFile /dev/null


Alex

Comment 2 Jakub Jelen 2015-01-12 16:56:59 UTC
Works for me with current fedora 20 and fedora 21:
openssh-6.4p1-7.fc20.x86_64
openssh-6.6.1p1-9.fc21.x86_64

Can you retest it with your configuration? If it will still not work, can you provide more information, content of your ssh config, version of your software or whatever can help us?

Your examples work for me as they should with just fresh created keys using ssh-keygen. Even with above mentioned config I don't have any issues.


[root@localhost .ssh]# ssh-copy-id -i id_ecdsa.pub f21
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.236's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'f21'"
and check to make sure that only the key(s) you wanted were added.

[root@localhost .ssh]# ssh f21
Last login: Mon Jan 12 16:49:35 2015 from 192.168.1.1



[root@localhost .ssh]# ssh-copy-id -i ~/.ssh/id_ecdsa.pub f20 
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.226's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'f20'"
and check to make sure that only the key(s) you wanted were added.

[root@localhost .ssh]# ssh f20
Last login: Mon Jan 12 17:33:42 2015 from 192.168.1.1

Comment 3 Jean-Eudes ONFRAY 2015-02-09 13:19:39 UTC
Tested again. Here's the result:

$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@host
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.

$ ssh-copy-id -i ~/.ssh/id_dsa.pub user@host
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@host's password: 

Some keys works, some don't. The difference between both keys (except one being rsa, and the other dsa) is that the former has no \n at the end of the file while the other has.

I've tested with a newly created rsa key and it works fine. The new key has a trailing \n.

Something may have changed in ssh-keygen to always add a trailing \n at keyfiles.

You should be able to reproduce that after removing the trailing \n at the end of you keyfile.

Comment 4 Jakub Jelen 2015-02-12 09:58:02 UTC
So it looks like ssh-copy-id is not broken, but your keys are. Every text-file should end with new line, but tools _should_ be able to handle missing newline.

I tried your patch, but it didn't help me with keys without trailing newline. Both

# cat .ssh/id_dsa1.pub | while read ID; do echo $ID; done
# cat .ssh/id_dsa1.pub | while read -r ID; do echo $ID; done

shows nothing in bash-4.3.33-1.fc21.x86_64


Possible workaround is to use command like this which works same for both keys:
# cat ~/.ssh/id_rsa.pub | while read -r ID  || [[ -n "$ID" ]]; do echo $ID; done

I can try to discuss this issue with upstream. It seems acceptable for me.

Comment 5 Fedora Update System 2015-02-27 18:13:59 UTC
openssh-6.7p1-9.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/openssh-6.7p1-9.fc22

Comment 6 Fedora Update System 2015-02-27 19:44:03 UTC
Package openssh-6.7p1-9.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.7p1-9.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-2786/openssh-6.7p1-9.fc22
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2015-03-09 08:30:31 UTC
openssh-6.7p1-9.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-03-30 06:37:09 UTC
openssh-6.6.1p1-12.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/openssh-6.6.1p1-12.fc21

Comment 9 Fedora Update System 2015-04-09 09:08:05 UTC
openssh-6.6.1p1-12.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.