12 March 2013

Simplify SSH Setup on Remote Machines With ssh-copy-id

If you're not aware of the ssh-copy-id command to copy your SSH keys to a remote server, then you should really check it out. It seems to be prevalent on Linux but it's not available in the BSD world (which means it's not part of Mac OS X).

Just last week I encountered some folks who were not aware of this handy little utility and it's definitely not the first time. So I thought I'd just mention it here in the hope that others might like the info as well. The ssh-copy-id utility is a shell script that, quite simply, copies your SSH public keys to a remote server, sets up the permissions correctly and appends the keys to the remote host's .ssh/authorized_keys file. For those folks like me on Mac OS X who want this script, here's a port of the script from Linux.

Here's a quick example of using ssh-copy-id from Linux:

bsnyder@ubux:~$ ssh-copy-id -i ~/.ssh/id_rsa.pub 172.16.82.150
The authenticity of host '172.16.82.150 (172.16.82.150)' can't be established.
ECDSA key fingerprint is 83:df:ca:af:61:ab:59:cc:a5:08:28:f3:ac:72:87:18.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.82.150' (ECDSA) to the list of known hosts.
bsnyder@172.16.82.150's password: 
Now try logging into the machine, with "ssh '172.16.82.150'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

bsnyder@ubux:~$ ssh 172.16.82.150
Welcome to Ubuntu 12.10 (GNU/Linux 3.5.0-17-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

bsnyder@ubuntu:~$ 

Notice that first I used ssh-copy-id and then I immediately logged into the machine using the key (i.e., without being prompted for a password or passphrase).

This task is certainly something that's relatively easy to do manually, but why expend the effort on a manual solution when there's something pre-built for exactly this problem?
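For comparison, here are the manual steps that ssh-copy-id automates on the remote side, as an added example (this is not the ssh-copy-id script itself, and the function names install_pubkey and check_ssh_perms are made up for illustration). It takes the target home directory as an argument so it can be tried against a scratch directory, and it also checks for the group/world-writable paths that sshd refuses when StrictModes is on.

```shell
#!/bin/sh
# Added example, not part of ssh-copy-id. Hypothetical helpers:
#   install_pubkey PUBKEY_FILE TARGET_HOME
#   check_ssh_perms TARGET_HOME
# Usage on the server, as the login user (the /tmp path is an assumption):
#   install_pubkey /tmp/id_rsa.pub "$HOME" && check_ssh_perms "$HOME"

install_pubkey() {
    pub=$1; home=$2
    [ -r "$pub" ] || { echo "cannot read: $pub" >&2; return 1; }
    # Every non-empty line must look like "type base64 [comment]". This also
    # rejects a private key file passed by mistake.
    if grep -Evq '^((ssh|ecdsa)-[^ ]+ [A-Za-z0-9+/=]+( .*)?)?$' "$pub"; then
        echo "not a public key file: $pub" >&2
        return 1
    fi
    # Create the directory and file owner-only, whatever the caller's umask is.
    ( umask 077
      mkdir -p "$home/.ssh" && touch "$home/.ssh/authorized_keys" ) || return 1
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    # Append each key only if that exact line is not already there, so running
    # the function twice does not duplicate entries.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$home/.ssh/authorized_keys" ||
            printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
    done < "$pub"
}

check_ssh_perms() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        # A group- or world-writable path would let another account edit
        # authorized_keys, so sshd ignores the file in that case.
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "group/world writable: $p" >&2
            return 1
        fi
    done
}
```

Both functions only touch the account's own files, so they need no root access on the server.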

2 comments:

  1. It is not working for me; it says public key permission denied. I checked permissions, not sure where the problem is.
    ssh-copy-id -i $HOME/.ssh/id_rsa.pub hadoop@ec2-23-XX-40-246.compute-1.amazonaws.com
    Permission denied (publickey).
    -rw-r--r-- 1 hadoop hadoop 405 May 17 14:03 authorized_keys
    -rw------- 1 hadoop hadoop 1679 May 16 13:28 id_rsa
    -rw-r--r-- 1 hadoop hadoop 405 May 16 13:28 id_rsa.pub
    -rw-r--r-- 1 hadoop hadoop 444 May 17 14:20 known_hosts

  2. I'm not sure what the permissions problem is exactly, but if I ran into this problem, I would debug it to figure it out. Below are some tips.

    Given that the ssh-copy-id command is a shell script, you can hack the script to add some additional items for debugging. For example, the ssh-copy-id shell script makes use of the ssh command internally, so you can add the ssh verbosity options directly to the call to ssh in the script (-v, -vv, or -vvv for levels of debugging). That's where I would start.

    Another item that may be helpful is the options offered by the shell for debugging, specifically the -x and -v options. The -x option tells the shell to print each command as it is evaluated and the -v option tells the shell to print each command before it is evaluated. These options will help you debug the ssh-copy-id shell script itself (however, I suspect that the script is not the problem). Just use the -x shell option either on the command line or by editing the script (EITHER: sh -x ssh-copy-id ... OR: edit the script and add it to the shebang line). See Setting Shell Flags for some more info about these two options.
