Ssh – Why ssh-copy-id requires private key file

sshssh-keys

The ssh-copy-id was very useful for sending public keys to server. But it fail if you haven't private key file, now.

$ ssh-copy-id -i my_friend_rsa.pub root@example.com

/usr/bin/ssh-copy-id: ERROR: failed to open ID file 'my_friend_rsa': No such file

I don't understand this behaviour.

There are two cases for me:

I send my own public key
I send colleague's public key.

The first case is rare. The server has my public key already if I can connect to it. So I don't need the ssh-copy-id in this case.

The second case is very often. I grant access to other user. But I have not his nor her private key. So this behaviour makes the ssh-copy-id useless in second case.

Please, explain me why ssh-copy-id requires private key file?

Best Answer

Because of the way this program works. Citing man ssh-copy-id:

ssh-copy-id is a script that uses ssh(1) to log into a remote machine (presumably using a login password, so password authentication should be enabled, unless you've done some clever use of multiple identities). It assembles a list of one or more finger‐ prints (as described below) and tries to log in with each key, to see if any of them are already installed (of course, if you are not using ssh-agent(1) this may result in you being repeatedly prompted for pass-phrases). It then assembles a list of those that failed to log in, and using ssh, enables logins with those keys on the remote server.

I would agree that this can be too clever sometimes, but this is not the place to ask "why" as we are not the developers.

Related Solutions

SSH – How to Change Private Key Passphrase

To change the passphrase on your default key:

$ ssh-keygen -p

If you need to specify a key, pass the -f option:

$ ssh-keygen -p -f ~/.ssh/id_dsa

then provide your old and new passphrase (twice) at the prompts. (Use ~/.ssh/id_rsa if you have an RSA key.)

More details from man ssh-keygen:

[...]
SYNOPSIS
    ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
               [-f output_keyfile]
    ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
[...]
     -f filename
             Specifies the filename of the key file.
[...]
     -N new_passphrase
             Provides the new passphrase.

     -P passphrase
             Provides the (old) passphrase.

     -p      Requests changing the passphrase of a private key file instead of
             creating a new private key.  The program will prompt for the file
             containing the private key, for the old passphrase, and twice for
             the new passphrase.
[...]

SSH Key – How to Create a Public Key from a Private Key

Use the -y option to ssh-keygen:

ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub

From the 'man ssh-keygen'

 -y      This option will read a private OpenSSH format file and print an
         OpenSSH public key to stdout.

Specify the private key with the -f option, yours might be dsa instead of rsa. The name of your private key probably contains which you used. The newly generated public key should be the same as the one you generated before.

Best Answer

Related Solutions

SSH – How to Change Private Key Passphrase

SSH Key – How to Create a Public Key from a Private Key

Related Topic