Module Name: src
Committed By: jmcneill
Date: Sat Jun 1 13:21:28 UTC 2019
Modified Files:
src/crypto/external/bsd/openssh/bin: Makefile
src/distrib/sets/lists/base: mi
src/distrib/sets/lists/man: mi
Added Files:
src/crypto/external/bsd/openssh/bin/ssh-copy-id: Makefile ssh-copy-id
ssh-copy-id.1
Log Message:
Install ssh-copy-id(1) from the OpenSSH 8.0p1 portable distribution.
To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/crypto/external/bsd/openssh/bin/Makefile
cvs rdiff -u -r0 -r1.1 \
src/crypto/external/bsd/openssh/bin/ssh-copy-id/Makefile \
src/crypto/external/bsd/openssh/bin/ssh-copy-id/ssh-copy-id \
src/crypto/external/bsd/openssh/bin/ssh-copy-id/ssh-copy-id.1
cvs rdiff -u -r1.1204 -r1.1205 src/distrib/sets/lists/base/mi
cvs rdiff -u -r1.1644 -r1.1645 src/distrib/sets/lists/man/mi
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/external/bsd/openssh/bin/Makefile
diff -u src/crypto/external/bsd/openssh/bin/Makefile:1.3 src/crypto/external/bsd/openssh/bin/Makefile:1.4
--- src/crypto/external/bsd/openssh/bin/Makefile:1.3 Sun Nov 21 19:19:21 2010
+++ src/crypto/external/bsd/openssh/bin/Makefile Sat Jun 1 13:21:27 2019
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.3 2010/11/21 19:19:21 adam Exp $
+# $NetBSD: Makefile,v 1.4 2019/06/01 13:21:27 jmcneill Exp $
.include <bsd.own.mk>
SSHDIST?= ${NETBSDSRCDIR}/crypto/external/bsd/openssh/dist
-SUBDIR= ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server \
- ssh-keysign ssh-keyscan sftp ssh-pkcs11-helper
+SUBDIR= ssh sshd ssh-add ssh-copy-id ssh-keygen ssh-agent scp \
+ sftp-server ssh-keysign ssh-keyscan sftp ssh-pkcs11-helper
.PATH: ${SSHDIST}
.MADE: moduli
Index: src/distrib/sets/lists/base/mi
diff -u src/distrib/sets/lists/base/mi:1.1204 src/distrib/sets/lists/base/mi:1.1205
--- src/distrib/sets/lists/base/mi:1.1204 Tue May 7 05:02:41 2019
+++ src/distrib/sets/lists/base/mi Sat Jun 1 13:21:27 2019
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1204 2019/05/07 05:02:41 thorpej Exp $
+# $NetBSD: mi,v 1.1205 2019/06/01 13:21:27 jmcneill Exp $
#
# Note: Don't delete entries from here - mark them as "obsolete" instead,
# unless otherwise stated below.
@@ -951,6 +951,7 @@
./usr/bin/ssh base-secsh-bin
./usr/bin/ssh-add base-secsh-bin
./usr/bin/ssh-agent base-secsh-bin
+./usr/bin/ssh-copy-id base-secsh-bin
./usr/bin/ssh-keygen base-secsh-bin
./usr/bin/ssh-keyscan base-secsh-bin
./usr/bin/stat base-util-bin
Index: src/distrib/sets/lists/man/mi
diff -u src/distrib/sets/lists/man/mi:1.1644 src/distrib/sets/lists/man/mi:1.1645
--- src/distrib/sets/lists/man/mi:1.1644 Wed May 1 06:47:45 2019
+++ src/distrib/sets/lists/man/mi Sat Jun 1 13:21:27 2019
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1644 2019/05/01 06:47:45 mlelstv Exp $
+# $NetBSD: mi,v 1.1645 2019/06/01 13:21:27 jmcneill Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@@ -540,6 +540,7 @@
./usr/share/man/cat1/srtconfig.0 man-netutil-catman .cat
./usr/share/man/cat1/ssh-add.0 man-secsh-catman .cat
./usr/share/man/cat1/ssh-agent.0 man-secsh-catman .cat
+./usr/share/man/cat1/ssh-copy-id.0 man-secsh-catman .cat
./usr/share/man/cat1/ssh-keygen.0 man-secsh-catman .cat
./usr/share/man/cat1/ssh-keyscan.0 man-secsh-catman .cat
./usr/share/man/cat1/ssh.0 man-secsh-catman .cat
@@ -3765,6 +3766,7 @@
./usr/share/man/html1/srtconfig.html man-netutil-htmlman html
./usr/share/man/html1/ssh-add.html man-secsh-htmlman html
./usr/share/man/html1/ssh-agent.html man-secsh-htmlman html
+./usr/share/man/html1/ssh-copy-id.html man-secsh-htmlman html
./usr/share/man/html1/ssh-keygen.html man-secsh-htmlman html
./usr/share/man/html1/ssh-keyscan.html man-secsh-htmlman html
./usr/share/man/html1/ssh.html man-secsh-htmlman html
@@ -6642,6 +6644,7 @@
./usr/share/man/man1/srtconfig.1 man-netutil-man .man
./usr/share/man/man1/ssh-add.1 man-secsh-man .man
./usr/share/man/man1/ssh-agent.1 man-secsh-man .man
+./usr/share/man/man1/ssh-copy-id.1 man-secsh-man .man
./usr/share/man/man1/ssh-keygen.1 man-secsh-man .man
./usr/share/man/man1/ssh-keyscan.1 man-secsh-man .man
./usr/share/man/man1/ssh.1 man-secsh-man .man
Added files:
Index: src/crypto/external/bsd/openssh/bin/ssh-copy-id/Makefile
diff -u /dev/null src/crypto/external/bsd/openssh/bin/ssh-copy-id/Makefile:1.1
--- /dev/null Sat Jun 1 13:21:28 2019
+++ src/crypto/external/bsd/openssh/bin/ssh-copy-id/Makefile Sat Jun 1 13:21:27 2019
@@ -0,0 +1,8 @@
+# $NetBSD: Makefile,v 1.1 2019/06/01 13:21:27 jmcneill Exp $
+
+BINDIR= /usr/bin
+
+SCRIPTS= ssh-copy-id
+MAN= ssh-copy-id.1
+
+.include <bsd.prog.mk>
Index: src/crypto/external/bsd/openssh/bin/ssh-copy-id/ssh-copy-id
diff -u /dev/null src/crypto/external/bsd/openssh/bin/ssh-copy-id/ssh-copy-id:1.1
--- /dev/null Sat Jun 1 13:21:28 2019
+++ src/crypto/external/bsd/openssh/bin/ssh-copy-id/ssh-copy-id Sat Jun 1 13:21:27 2019
@@ -0,0 +1,325 @@
+#!/bin/sh
+# $NetBSD: ssh-copy-id,v 1.1 2019/06/01 13:21:27 jmcneill Exp $
+
+# Copyright (c) 1999-2016 Philip Hands <p...@hands.com>
+# 2013 Martin Kletzander <mklet...@redhat.com>
+# 2010 Adeodato =?iso-8859-1?Q?Sim=F3?= <as...@alu.ua.es>
+# 2010 Eric Moret <eric.mo...@gmail.com>
+# 2009 Xr <x...@i-jeuxvideo.com>
+# 2007 Justin Pryzby <justinpry...@users.sourceforge.net>
+# 2004 Reini Urban <rur...@x-ray.at>
+# 2003 Colin Watson <cjwat...@debian.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Shell script to install your public key(s) on a remote machine
+# See the ssh-copy-id(1) man page for details
+
+# check that we have something mildly sane as our shell, or try to find something better
+if false ^ printf "%s: WARNING: ancient shell, hunting for a more modern one... " "$0"
+then
+ SANE_SH=${SANE_SH:-/usr/bin/ksh}
+ if printf 'true ^ false\n' | "$SANE_SH"
+ then
+ printf "'%s' seems viable.\n" "$SANE_SH"
+ exec "$SANE_SH" "$0" "$@"
+ else
+ cat <<-EOF
+ oh dear.
+
+ If you have a more recent shell available, that supports \$(...) etc.
+ please try setting the environment variable SANE_SH to the path of that
+ shell, and then retry running this script. If that works, please report
+ a bug describing your setup, and the shell you used to make it work.
+
+ EOF
+ printf "%s: ERROR: Less dimwitted shell required.\n" "$0"
+ exit 1
+ fi
+fi
+
+most_recent_id="$(cd "$HOME" ; ls -t .ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)"
+DEFAULT_PUB_ID_FILE="${most_recent_id:+$HOME/}$most_recent_id"
+
+usage () {
+ printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
+ printf '\t-f: force mode -- copy keys without trying to check if they are already installed\n' >&2
+ printf '\t-n: dry run -- no keys are actually copied\n' >&2
+ printf '\t-h|-?: print this help\n' >&2
+ exit 1
+}
+
+# escape any single quotes in an argument
+quote() {
+ printf "%s\n" "$1" | sed -e "s/'/'\\\\''/g"
+}
+
+use_id_file() {
+ local L_ID_FILE="$1"
+
+ if [ -z "$L_ID_FILE" ] ; then
+ printf "%s: ERROR: no ID file found\n" "$0"
+ exit 1
+ fi
+
+ if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then
+ PUB_ID_FILE="$L_ID_FILE"
+ else
+ PUB_ID_FILE="$L_ID_FILE.pub"
+ fi
+
+ [ "$FORCED" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
+
+ # check that the files are readable
+ for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
+ ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
+ local L_PRIVMSG=""
+ [ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
+ printf "\n%s: ERROR: failed to open ID file '%s': %s\n" "$0" "$f" "$(printf "%s\n%s\n" "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
+ exit 1
+ }
+ done
+ printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" "$PUB_ID_FILE" >&2
+ GET_ID="cat \"$PUB_ID_FILE\""
+}
+
+if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then
+ GET_ID="ssh-add -L"
+fi
+
+while test "$#" -gt 0
+do
+ [ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && {
+ printf "\n%s: ERROR: -i option must not be specified more than once\n\n" "$0"
+ usage
+ }
+
+ OPT= OPTARG=
+ # implement something like getopt to avoid Solaris pain
+ case "$1" in
+ -i?*|-o?*|-p?*)
+ OPT="$(printf -- "$1"|cut -c1-2)"
+ OPTARG="$(printf -- "$1"|cut -c3-)"
+ shift
+ ;;
+ -o|-p)
+ OPT="$1"
+ OPTARG="$2"
+ shift 2
+ ;;
+ -i)
+ OPT="$1"
+ test "$#" -le 2 || expr "$2" : "[-]" >/dev/null || {
+ OPTARG="$2"
+ shift
+ }
+ shift
+ ;;
+ -f|-n|-h|-\?)
+ OPT="$1"
+ OPTARG=
+ shift
+ ;;
+ --)
+ shift
+ while test "$#" -gt 0
+ do
+ SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
+ shift
+ done
+ break
+ ;;
+ -*)
+ printf "\n%s: ERROR: invalid option (%s)\n\n" "$0" "$1"
+ usage
+ ;;
+ *)
+ SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
+ shift
+ continue
+ ;;
+ esac
+
+ case "$OPT" in
+ -i)
+ SEEN_OPT_I="yes"
+ use_id_file "${OPTARG:-$DEFAULT_PUB_ID_FILE}"
+ ;;
+ -o|-p)
+ SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'"
+ ;;
+ -f)
+ FORCED=1
+ ;;
+ -n)
+ DRY_RUN=1
+ ;;
+ -h|-\?)
+ usage
+ ;;
+ esac
+done
+
+eval set -- "$SAVEARGS"
+
+if [ $# = 0 ] ; then
+ usage
+fi
+if [ $# != 1 ] ; then
+ printf '%s: ERROR: Too many arguments. Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2
+ usage
+fi
+
+# drop trailing colon
+USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//')
+# tack the hostname onto SSH_OPTS
+SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
+# and populate "$@" for later use (only way to get proper quoting of options)
+eval set -- "$SSH_OPTS"
+
+if [ -z "$(eval $GET_ID)" ] && [ -r "${PUB_ID_FILE:=$DEFAULT_PUB_ID_FILE}" ] ; then
+ use_id_file "$PUB_ID_FILE"
+fi
+
+if [ -z "$(eval $GET_ID)" ] ; then
+ printf '%s: ERROR: No identities found\n' "$0" >&2
+ exit 1
+fi
+
+# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
+# and has the side effect of setting $NEW_IDS
+populate_new_ids() {
+ local L_SUCCESS="$1"
+
+ if [ "$FORCED" ] ; then
+ NEW_IDS=$(eval $GET_ID)
+ return
+ fi
+
+ # repopulate "$@" inside this function
+ eval set -- "$SSH_OPTS"
+
+ umask 0177
+ local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
+ if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
+ printf '%s: ERROR: mktemp failed\n' "$0" >&2
+ exit 1
+ fi
+ local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
+ trap "$L_CLEANUP" EXIT TERM INT QUIT
+ printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
+ NEW_IDS=$(
+ eval $GET_ID | {
+ while read ID || [ "$ID" ] ; do
+ printf '%s\n' "$ID" > "$L_TMP_ID_FILE"
+
+ # the next line assumes $PRIV_ID_FILE only set if using a single id file - this
+ # assumption will break if we implement the possibility of multiple -i options.
+ # The point being that if file based, ssh needs the private key, which it cannot
+ # find if only given the contents of the .pub file in an unrelated tmpfile
+ ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
+ -o ControlPath=none \
+ -o LogLevel=INFO \
+ -o PreferredAuthentications=publickey \
+ -o IdentitiesOnly=yes "$@" exit 2>"$L_TMP_ID_FILE.stderr" </dev/null
+ if [ "$?" = "$L_SUCCESS" ] ; then
+ : > "$L_TMP_ID_FILE"
+ else
+ grep 'Permission denied' "$L_TMP_ID_FILE.stderr" >/dev/null || {
+ sed -e 's/^/ERROR: /' <"$L_TMP_ID_FILE.stderr" >"$L_TMP_ID_FILE"
+ cat >/dev/null #consume the other keys, causing loop to end
+ }
+ fi
+
+ cat "$L_TMP_ID_FILE"
+ done
+ }
+ )
+ eval "$L_CLEANUP" && trap - EXIT TERM INT QUIT
+
+ if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then
+ printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2
+ exit 1
+ fi
+ if [ -z "$NEW_IDS" ] ; then
+ printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2
+ printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2
+ exit 0
+ fi
+ printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
+}
+
+REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' -o ControlPath=none "$@" 2>&1 |
+ sed -ne 's/.*remote software version //p')
+
+case "$REMOTE_VERSION" in
+ NetScreen*)
+ populate_new_ids 1
+ for KEY in $(printf "%s" "$NEW_IDS" | cut -d' ' -f2) ; do
+ KEY_NO=$(($KEY_NO + 1))
+ printf "%s\n" "$KEY" | grep ssh-dss >/dev/null || {
+ printf '%s: WARNING: Non-dsa key (#%d) skipped (NetScreen only supports DSA keys)\n' "$0" "$KEY_NO" >&2
+ continue
+ }
+ [ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | ssh -T "$@" >/dev/null 2>&1
+ if [ $? = 255 ] ; then
+ printf '%s: ERROR: installation of key #%d failed (please report a bug describing what caused this, so that we can make this message useful)\n' "$0" "$KEY_NO" >&2
+ else
+ ADDED=$(($ADDED + 1))
+ fi
+ done
+ if [ -z "$ADDED" ] ; then
+ exit 1
+ fi
+ ;;
+ *)
+ # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
+ populate_new_ids 0
+ # in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
+ # 'cd' to be at $HOME; add a newline if it's missing; and all on one line, because tcsh.
+ [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
+ ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && { [ -z "'`tail -1c .ssh/authorized_keys 2>/dev/null`'" ] || echo >> .ssh/authorized_keys ; } && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
+ || exit 1
+ ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
+ ;;
+esac
+
+if [ "$DRY_RUN" ] ; then
+ cat <<-EOF
+ =-=-=-=-=-=-=-=
+ Would have added the following key(s):
+
+ $NEW_IDS
+ =-=-=-=-=-=-=-=
+ EOF
+else
+ cat <<-EOF
+
+ Number of key(s) added: $ADDED
+
+ Now try logging into the machine, with: "ssh $SSH_OPTS"
+ and check to make sure that only the key(s) you wanted were added.
+
+ EOF
+fi
+
+# =-=-=-=
Index: src/crypto/external/bsd/openssh/bin/ssh-copy-id/ssh-copy-id.1
diff -u /dev/null src/crypto/external/bsd/openssh/bin/ssh-copy-id/ssh-copy-id.1:1.1
--- /dev/null Sat Jun 1 13:21:28 2019
+++ src/crypto/external/bsd/openssh/bin/ssh-copy-id/ssh-copy-id.1 Sat Jun 1 13:21:27 2019
@@ -0,0 +1,191 @@
+.ig \" -*- nroff -*-
+Copyright (c) 1999-2013 hands.com Ltd. <http://hands.com/>
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+..
+.Dd $Mdocdate: June 17 2010 $
+.Dt SSH-COPY-ID 1
+.Os
+.Sh NAME
+.Nm ssh-copy-id
+.Nd use locally available keys to authorise logins on a remote machine
+.Sh SYNOPSIS
+.Nm
+.Op Fl f
+.Op Fl n
+.Op Fl i Op Ar identity_file
+.Op Fl p Ar port
+.Op Fl o Ar ssh_option
+.Op Ar user Ns @ Ns
+.Ar hostname
+.Nm
+.Fl h | Fl ?
+.br
+.Sh DESCRIPTION
+.Nm
+is a script that uses
+.Xr ssh 1
+to log into a remote machine (presumably using a login password,
+so password authentication should be enabled, unless you've done some
+clever use of multiple identities). It assembles a list of one or more
+fingerprints (as described below) and tries to log in with each key, to
+see if any of them are already installed (of course, if you are not using
+.Xr ssh-agent 1
+this may result in you being repeatedly prompted for pass-phrases).
+It then assembles a list of those that failed to log in, and using ssh,
+enables logins with those keys on the remote server. By default it adds
+the keys by appending them to the remote user's
+.Pa ~/.ssh/authorized_keys
+(creating the file, and directory, if necessary). It is also capable
+of detecting if the remote system is a NetScreen, and using its
+.Ql set ssh pka-dsa key ...
+command instead.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl i Ar identity_file
+Use only the key(s) contained in
+.Ar identity_file
+(rather than looking for identities via
+.Xr ssh-add 1
+or in the
+.Ic default_ID_file ) .
+If the filename does not end in
+.Pa .pub
+this is added. If the filename is omitted, the
+.Ic default_ID_file
+is used.
+.Pp
+Note that this can be used to ensure that the keys copied have the
+comment one prefers and/or extra options applied, by ensuring that the
+key file has these set as preferred before the copy is attempted.
+.It Fl f
+Forced mode: doesn't check if the keys are present on the remote server.
+This means that it does not need the private key. Of course, this can result
+in more than one copy of the key being installed on the remote system.
+.It Fl n
+do a dry-run. Instead of installing keys on the remote system simply
+prints the key(s) that would have been installed.
+.It Fl h , Fl ?
+Print Usage summary
+.It Fl p Ar port , Fl o Ar ssh_option
+These two options are simply passed through untouched, along with their
+argument, to allow one to set the port or other
+.Xr ssh 1
+options, respectively.
+.Pp
+Rather than specifying these as command line options, it is often better to use (per-host) settings in
+.Xr ssh 1 Ns 's
+configuration file:
+.Xr ssh_config 5 .
+.El
+.Pp
+Default behaviour without
+.Fl i ,
+is to check if
+.Ql ssh-add -L
+provides any output, and if so those keys are used. Note that this results in
+the comment on the key being the filename that was given to
+.Xr ssh-add 1
+when the key was loaded into your
+.Xr ssh-agent 1
+rather than the comment contained in that file, which is a bit of a shame.
+Otherwise, if
+.Xr ssh-add 1
+provides no keys contents of the
+.Ic default_ID_file
+will be used.
+.Pp
+The
+.Ic default_ID_file
+is the most recent file that matches:
+.Pa ~/.ssh/id*.pub ,
+(excluding those that match
+.Pa ~/.ssh/*-cert.pub )
+so if you create a key that is not the one you want
+.Nm
+to use, just use
+.Xr touch 1
+on your preferred key's
+.Pa .pub
+file to reinstate it as the most recent.
+.Pp
+.Sh EXAMPLES
+If you have already installed keys from one system on a lot of remote
+hosts, and you then create a new key, on a new client machine, say,
+it can be difficult to keep track of which systems on which you've
+installed the new key. One way of dealing with this is to load both
+the new key and old key(s) into your
+.Xr ssh-agent 1 .
+Load the new key first, without the
+.Fl c
+option, then load one or more old keys into the agent, possibly by
+ssh-ing to the client machine that has that old key, using the
+.Fl A
+option to allow agent forwarding:
+.Pp
+.D1 user@newclient$ ssh-add
+.D1 user@newclient$ ssh -A old.client
+.D1 user@oldl$ ssh-add -c
+.D1 No ... prompt for pass-phrase ...
+.D1 user@old$ logoff
+.D1 user@newclient$ ssh someserver
+.Pp
+now, if the new key is installed on the server, you'll be allowed in
+unprompted, whereas if you only have the old key(s) enabled, you'll be
+asked for confirmation, which is your cue to log back out and run
+.Pp
+.D1 user@newclient$ ssh-copy-id -i someserver
+.Pp
+The reason you might want to specify the -i option in this case is to
+ensure that the comment on the installed key is the one from the
+.Pa .pub
+file, rather than just the filename that was loaded into you agent.
+It also ensures that only the id you intended is installed, rather than
+all the keys that you have in your
+.Xr ssh-agent 1 .
+Of course, you can specify another id, or use the contents of the
+.Xr ssh-agent 1
+as you prefer.
+.Pp
+Having mentioned
+.Xr ssh-add 1 Ns 's
+.Fl c
+option, you might consider using this whenever using agent forwarding
+to avoid your key being hijacked, but it is much better to instead use
+.Xr ssh 1 Ns 's
+.Ar ProxyCommand
+and
+.Fl W
+option,
+to bounce through remote servers while always doing direct end-to-end
+authentication. This way the middle hop(s) don't get access to your
+.Xr ssh-agent 1 .
+A web search for
+.Ql ssh proxycommand nc
+should prove enlightening (N.B. the modern approach is to use the
+.Fl W
+option, rather than
+.Xr nc 1 ) .
+.Sh "SEE ALSO"
+.Xr ssh 1 ,
+.Xr ssh-agent 1 ,
+.Xr sshd 8
