openssh unix dev - Jan 2008 - RFC: ssh-copy-id tweaks

I'd like to propose a couple of tweaks to ssh-copy-id:

o Change the default ID_FILE from identity.pub to id_dsa.pub or perhaps
  {id_dsa,id_rsa,identity}.pub to cover all the bases, although the
  patch below deals only with id_dsa.pub - it would need some more
  tweaking to deal with more than one (possibly non-existent) file.

o If the destination authorized_keys file already contains the keys,
  they should not be duplicated. I use ssh-copy-id in a regression harness
  and I end up adding the same key tens or hundreds of times. I have not
  seen any problem but it is somewhat distasteful.

  The method proposed is frankly a hack, but it is simple and I think it
  is foolproof and portable. At least initially, it will mess up the
  order of the keys, but given that the file is mostly write-only by
  humans, that should not make any difference.

Comments?

Thanks,
Nick

--- ssh-copy-id.orig	2008-01-31 12:01:03.000000000 -0500
+++ ssh-copy-id	2008-01-31 12:05:16.000000000 -0500
@@ -1,11 +1,11 @@
 #!/bin/sh
 
-# Shell script to install your identity.pub on a remote machine
+# Shell script to install your id_dsa.pub on a remote machine
 # Takes the remote machine name as an argument.
 # Obviously, the remote machine must accept password authentication,
 # or one of the other keys in your ssh-agent, for this to work.
 
-ID_FILE="${HOME}/.ssh/identity.pub"
+ID_FILE="${HOME}/.ssh/id_dsa.pub"
 
 if [ "-i" = "$1" ]; then
   shift
@@ -38,7 +38,7 @@
   exit 1
 fi
 
-{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir
.ssh ; cat >> .ssh/authorized_keys" || exit 1
+{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir
.ssh ; cat >> .ssh/authorized_keys && sort -u -o
.ssh/authorized_keys .ssh/authorized_keys" || exit 1
 
 cat <<EOF
 Now try logging into the machine, with "ssh '$1'", and check
in:

Circa 2008-01-31 13:00 dixit Nick Dokos:

: I'd like to propose a couple of tweaks to ssh-copy-id:
: 
: o Change the default ID_FILE from identity.pub to id_dsa.pub or perhaps
:   {id_dsa,id_rsa,identity}.pub to cover all the bases, although the
:   patch below deals only with id_dsa.pub - it would need some more
:   tweaking to deal with more than one (possibly non-existent) file.

If this is to be done, i would propose the default be id_rsa.pub, since
the RSA patent has expired, but that it be changeable via the
environment.  See below.

: o If the destination authorized_keys file already contains the keys,
:   they should not be duplicated. I use ssh-copy-id in a regression harness
:   and I end up adding the same key tens or hundreds of times. I have not
:   seen any problem but it is somewhat distasteful.
: 
:   The method proposed is frankly a hack, but it is simple and I think it
:   is foolproof and portable. At least initially, it will mess up the
:   order of the keys, but given that the file is mostly write-only by
:   humans, that should not make any difference.

See below for comments.

: --- ssh-copy-id.orig	2008-01-31 12:01:03.000000000 -0500
: +++ ssh-copy-id	2008-01-31 12:05:16.000000000 -0500
: @@ -1,11 +1,11 @@
:  #!/bin/sh
:  
: -# Shell script to install your identity.pub on a remote machine
: +# Shell script to install your id_dsa.pub on a remote machine
:  # Takes the remote machine name as an argument.
:  # Obviously, the remote machine must accept password authentication,
:  # or one of the other keys in your ssh-agent, for this to work.
:  
: -ID_FILE="${HOME}/.ssh/identity.pub"
: +ID_FILE="${HOME}/.ssh/id_dsa.pub"

I'd propose changing this to:

    SSH_IDENTITY_FILE="${SSH_IDENTITY_FILE:-${HOME}/.ssh/id_rsa.pub}"

or, alternatively, if there's concern about ${...:-...} being
non-portable:

    [ x"${SSH_IDENTITY_FILE}" = x"" ] && \
    SSH_IDENTITY_FILE="${HOME}/.ssh/id_rsa.pub"

This allows the default identity to be set in the environment.

Even more interesting would be to make ssh-copy-id use the same
approach as ssh-add, i.e., copying all of the available identities
that exist (~/.ssh/id_rsa.pub, ~/.ssh/id_dsa.pub, and ~/.ssh/identity).
(Alternatively, for more paranoai, ssh-copy-id could copy only the first
found of the three).

This would be more complex, but might do the right thing for more folks.

:  
:  if [ "-i" = "$1" ]; then
:    shift
: @@ -38,7 +38,7 @@
:    exit 1
:  fi
:  
: -{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh ||
mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1
: +{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh ||
mkdir .ssh ; cat >> .ssh/authorized_keys && sort -u -o
.ssh/authorized_keys .ssh/authorized_keys" || exit 1

I would propose the following pipeline instead (on multiple lines for
legibility):

    { eval "$GET_ID" ; } \
    |ssh "$1" '
        umask 077
        test -d .ssh || mkdir .ssh
        cd .ssh \
        && ( test -f authorized_keys || touch authorized_keys ) \
        && ( cat authorized_keys; cat ) |sort |uniq
>authorized_keys.$$ \
        && mv -f authorized_keys.$$ authorized_keys
    ' || exit 1

This does the following:

    * ensures that the .ssh directory exists and is searchable after the
      test -d and mkdir

    * avoids writing to the authorized_keys file until it has been
      written completely and successfully

    * avoids depending on 'sort -u', which may not be available on all
      systems

    * remains (i believe) compatible with Bourne/ksh, and csh
      shells and their descendants on the remote host

Alternatively, the following would keep the authorized_keys file from
being reordered, using 'grep -F' to check whether the identity is
already present:

    { eval "$GET_ID" ; } \
    |ssh "$1" '
        umask 077
        test -d .ssh || mkdir .ssh
        cd .ssh || exit 1
        SSH_IDENTITY="`cat`"
        test x"${SSH_IDENTITY}" = x"" && exit 1
        ( test -f authorized_keys || touch authorized_keys ) \
        grep -F "${SSH_IDENTITY}" authorized_keys >/dev/null
2>&1 \
        || {
            ( cat authorized_keys; echo "${SSH_IDENTITY}" )
            >authorized_keys.$$ \
            && mv -f authorized_keys.$$ authorized_keys
        }
    ' || exit 1

Unfortunately, the use of the SSH_IDENTITY variable makes this only work
With Bourne/ksh shells and their descendants.  A shell-independent
version of this may be able to be written with nawk or gawk, but that
poses its own portability problems....

-- 
jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
(GnuPG key ID: 6F39C2CC  >>>>>> 
http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 5024:D578:7CF4:5660:7269::F6F3:B919:9307:6F39:C2CC)
+----------------------------------------------------------------------+
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing.  --Aldous Huxley|
+----------------------------------------------------------------------+