openssh bugs - May 2013 - [Bug 2110] New: ssh-copy-id fails on nonexisting private key

https://bugzilla.mindrot.org/show_bug.cgi?id=2110

            Bug ID: 2110
           Summary: ssh-copy-id fails on nonexisting private key
           Product: Portable OpenSSH
           Version: 6.2p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: plautrba at redhat.com

ssh-copy-id fails when a private key file (without .pub suffix) is not
present in the same directory as the public key file.

# ls ~/.ssh/id_rsa*
/root/.ssh/id_rsa  /root/.ssh/id_rsa.pub

# cp -vf ~/.ssh/id_rsa.pub /tmp/.
?/root/.ssh/id_rsa.pub? -> ?/tmp/./id_rsa.pub?

# ssh-copy-id -i /tmp/id_rsa.pub root at localhost

/usr/bin/ssh-copy-id: ERROR: failed to open ID file '/tmp/id_rsa': No
such file or directory

There's no switch that would disable checking for the private key file.
There's no keypair verification done, simply creating an empty
/tmp/id_rsa file makes ssh-copy-id work again.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2110

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
          Component|Miscellaneous               |ssh-copy-id

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2110

Ken Coar <Ken.Coar+Mindrot-BZ at GMail.Com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Ken.Coar+Mindrot-BZ at GMail.C
                   |                            |om
           Priority|P5                          |P3

--- Comment #1 from Ken Coar <Ken.Coar+Mindrot-BZ at GMail.Com> ---
Although creating an empty corresponding private-key file will get past
the "ERROR: failed to open ID file" problem, it doesn't solve the
issue
-- because the empty privkey file will cause the next step to fail:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s),
to filter out any that are already installed

/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they
already exist on the remote system.

That last error message is erroneous, because the ssh *login* failed,
not because the key was already in the remote host's authorized_keys
file.

I used to be able to use ssh-copy-id to add a colleague's public key to
a remote host without having to know his private key.  This change no
longer allows that, and isn't controllable by options.

Therefore, I consider this change a REGRESSION.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2110

--- Comment #2 from Petr Lautrbach <plautrba at redhat.com> ---
Created attachment 2345
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2345&action=edit
add a '-l' option for a legacy mode

This patch adds a new option to ssh-copy-id -l for a legacy mode. The
legacy mode doesn't check an existence of a private key and doesn't do
remote checks.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2110

Petr Lautrbach <plautrba at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |phil at hands.com
            Version|6.2p1                       |6.4p1

--- Comment #3 from Petr Lautrbach <plautrba at redhat.com> ---
ping?

Do you have any comments or objections? I've seen several people
complaining about the new ssh-copy-id and "-l" for legacy mode seems
to
me to be reasonable trade-off

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2110

Jim Ciallella <jimc at orangecoat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jimc at orangecoat.com

--- Comment #4 from Jim Ciallella <jimc at orangecoat.com> ---
+1 for this being a problem. 1/2 of my use of ssh-copy-id is to copy
other people's .pub keys to give them access.

It follows that nobody in this same position will have the other
person's private key file.

A flag, or similar method, to indicate that this is a not the
initiator's key would be great.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2110

Thomas Waldmann <twaldmann at thinkmo.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |twaldmann at thinkmo.de

--- Comment #5 from Thomas Waldmann <twaldmann at thinkmo.de> ---
I just had the same problem. I had to install a pubkey of a coworker to
some servers and had to fall back to copy&paste method as I ofc did not
have his privkey.

See also my fresh comment on bug #2331 - I suspect the issue here is
caused by the same magic that caused the issue there. Maybe just remove
that magic in favor of a "do what I say" mode.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2110

Josip Rodin <joy+openssh at entuzijast.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joy+openssh at entuzijast.net

--- Comment #6 from Josip Rodin <joy+openssh at entuzijast.net> ---
Please add this, I also ran into it while trying to use the program to
allow other people access. I'm not sure why it would need to be called
a "legacy" mode, it's more of a "blind" mode or a
"no verification"
mode.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2110

Philip Hands <phil at hands.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned-bugs at mindrot.org |phil at hands.com
             Status|NEW                         |ASSIGNED

--- Comment #7 from Philip Hands <phil at hands.com> ---
In my git repo:

  http://git.hands.com/ssh-copy-id

there's now a version that has a '-f' (force) option that does what
the
legacy option was suggested to do (i.e. just go ahead and install
things)

It would be helpful if you could test that and say whether it deals
with the problem for you.

Cheers, Phil.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2110

Philip Hands <phil at hands.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED
             Blocks|                            |2451


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2451
[Bug 2451] Bugs intended to be fixed in 7.2
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2110

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #8 from Damien Miller <djm at mindrot.org> ---
Close all resolved bugs after 7.3p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.