https://bugzilla.mindrot.org/show_bug.cgi?id=2331
Bug ID: 2331
Summary: ssh-copy-id -i id_new.pub fails to copy that id, also: wrong error msg
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: ssh-copy-id
Assignee: [email protected]
Reporter: [email protected]

On the server, password auth is disabled, I log in via pubkey auth and
have an "old" pubkey installed there and can successfully log in with
it.

Now I want to install a new (stronger) pubkey and use:

    ssh-copy-id -i .ssh/id_new.pub user@remote

It fails with:

    /usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.

This is wrong, the pubkey I gave with -i ... does not exist on the
remote system.

This is because it obviously has a broken check for which keys it needs
to copy.

While it works perfectly if there is no key installed yet on the remote
(and pw auth still enabled), it fails if it already has an old working
pubkey there because it uses pubkey-login-failure to detect a missing
key and assumes that only the key given with -i is used. But in fact,
it also uses keys from the config (where I have my old key configured).

I could make -i work with this patch:

https://paste.thinkmo.de/Unr2wWqd#ssh-copy-id-with-i-arg.txt

This basically killed all the magic happening in the detection and just
"does what I say". Of course this only works for the special -i xxx
case and needs a better fix for the generic case.

I think it would need something like "CommandLineGivenIdentitiesOnly"
as "IdentitiesOnly" does obviously not work as the author of that code
expected.
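
The report above traces the wrong "All keys were skipped" result to inferring key presence from whether a login succeeds. As an added example (not code from ssh-copy-id or from the reporter's patch), the sketch below instead compares the key's type and base64 blob with an authorized_keys file; the function names `key_present` and `install_key` are hypothetical, and the key blobs and file contents are constructed placeholders.

```shell
#!/bin/sh
# Added example: decide whether a key is installed by comparing its type and
# base64 blob with authorized_keys, not by checking whether a login succeeds.

# key_present PUBKEY AUTHORIZED_KEYS -> 0 present, 1 absent, 2 unusable key file
key_present() {
    ktype= kblob= rest=
    # A .pub file holds one line: "<type> <base64-blob> [comment]"
    read -r ktype kblob rest < "$1" || :
    [ -n "$ktype" ] && [ -n "$kblob" ] || return 2
    [ -r "$2" ] || return 1
    # Entries may begin with options (from=..., command="..."), so look for
    # the type field followed directly by the blob anywhere on the line.
    awk -v t="$ktype" -v b="$kblob" '
        /^[ \t]*#/ { next }
        { for (i = 1; i < NF; i++)
              if ($i == t && $(i + 1) == b) { found = 1; exit } }
        END { exit(found ? 0 : 1) }
    ' "$2"
}

# install_key PUBKEY AUTHORIZED_KEYS -> prints "present" or "added"
install_key() {
    if key_present "$1" "$2"; then
        echo present
    else
        [ $? -eq 1 ] || { echo "unusable key file: $1" >&2; return 2; }
        # Keep entries on separate lines if the file lacks a final newline.
        if [ -s "$2" ] && [ -n "$(tail -c 1 "$2")" ]; then echo >> "$2"; fi
        printf '%s\n' "$(head -n 1 "$1")" >> "$2" && echo added
    fi
}

# Constructed sample (placeholder blobs, not real keys): the old key is already
# installed behind an options prefix, the new key is not installed yet.
demo() {
    d=$(mktemp -d) || return 1
    echo 'ssh-ed25519 AAAAC3OLDKEYPLACEHOLDER old@laptop' > "$d/id_old.pub"
    echo 'ssh-ed25519 AAAAC3NEWKEYPLACEHOLDER new@laptop' > "$d/id_new.pub"
    printf '%s\n' '# constructed authorized_keys' \
        'from="192.0.2.10",no-pty ssh-ed25519 AAAAC3OLDKEYPLACEHOLDER old@laptop' \
        > "$d/authorized_keys"
    for k in id_old.pub id_new.pub id_new.pub; do
        printf '%s: %s\n' "$k" "$(install_key "$d/$k" "$d/authorized_keys")"
    done
    rm -rf "$d"
}
demo
```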