Using ssh-copy-id

Distributing SSH keys manually can be time-consuming, especially when setting up passwordless authentication on multiple servers. The ssh-copy-id utility simplifies this process by automating the copying of public keys to remote servers, making it easier to set up secure, passwordless SSH access.

What is ssh-copy-id?

ssh-copy-id is a simple command-line tool used to copy a user’s public SSH key to a remote server’s authorized_keys file. This command ensures that the necessary permissions are set and that the public key is appended to the correct file, making the process straightforward and less error-prone compared to manual copying.

The ssh-copy-id tool reduces the need to manually edit the authorized_keys file on each server, allowing for more efficient setup of passwordless authentication across multiple systems.

Using ssh-copy-id

To use ssh-copy-id, ensure that the public key to be distributed is available on the local machine. The tool will automatically copy the public key from the default location (~/.ssh/id_rsa.pub) or another specified file to the remote server.

Basic usage:

ssh-copy-id user@remote-server

In this example, ssh-copy-id connects to the remote-server as the specified user and copies the public key from the local machine to the remote server's ~/.ssh/authorized_keys file. If the remote server requires a password for authentication, ssh-copy-id will prompt for the password once. Afterward, passwordless authentication will be enabled using the copied public key.

Setting Correct Permissions

One of the key advantages of using ssh-copy-id is that it automatically ensures the correct file permissions on the remote server. This includes setting the following permissions:

  • The ~/.ssh directory will be set to 0700 (read, write, and execute only by the user).
  • The ~/.ssh/authorized_keys file will be set to 0600 (readable and writable only by the user).

Correct permissions are critical for SSH key-based authentication to work. If these permissions are not set properly, SSH may refuse to authenticate using the key.

Specifying a Different Public Key

If a different key file needs to be copied (other than the default id_rsa.pub), the -i option can be used to specify the path to the key:

ssh-copy-id -i ~/.ssh/custom_key.pub user@remote-server

This command copies the public key from the file custom_key.pub to the authorized_keys file on the remote server.

Verifying the Key Copy

After running ssh-copy-id, passwordless authentication can be tested by attempting to SSH into the remote server:

ssh user@remote-server

If the setup was successful, the SSH connection will no longer prompt for a password, and the key-based authentication will be used instead.

Security Considerations

When using ssh-copy-id, it's important to ensure that the correct public key is being copied and that it is copied only to trusted remote servers. By default, ssh-copy-id appends the public key to the authorized_keys file, so existing entries will not be overwritten. However, the authorized_keys file should be checked regularly for unauthorized keys to prevent potential security issues.

In environments with stricter security policies, manually reviewing the authorized_keys file after using ssh-copy-id is recommended to ensure only authorized keys are present.
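
One way to carry out that review is the script below, an added example that is not part of ssh-copy-id or the original page. It compares each authorized_keys entry against a list of approved public keys; the approved-keys file is a hypothetical convention, and the key blobs in demo are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: audit an authorized_keys file against a list of approved public keys.
# Only the base64 key blob is compared, so comments and option prefixes are ignored.

# key_blobs FILE: print "<line-number> <key-type> <blob>" for each entry in FILE.
key_blobs() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            for (i = 1; i < NF; i++)            # options may precede the key type
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/ && $(i+1) ~ /^AAAA/) {
                    print NR, $i, $(i+1); next
                }
            print NR, "UNPARSED", "-"           # surface lines that cannot be parsed
        }' "$1"
}

# audit_keys AUTHORIZED_KEYS APPROVED: report entries not in APPROVED; return 1 if any.
audit_keys() {
    approved=$(key_blobs "$2" | awk '{ print $3 }')
    rc=0
    while read -r lineno type blob; do
        [ -n "$lineno" ] || continue            # empty input yields one blank line
        if ! printf '%s\n' "$approved" | grep -Fxq -- "$blob"; then
            echo "UNAPPROVED line $lineno ($type)"
            rc=1
        fi
    done <<EOF
$(key_blobs "$1")
EOF
    return "$rc"
}

# demo: constructed sample data (placeholder blobs, not real keys).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ssh-ed25519 AAAAC3ExampleApprovedKey0001 alice@laptop' > "$d/approved"
    printf '%s\n' '# managed by ops' \
        'ssh-ed25519 AAAAC3ExampleApprovedKey0001 alice@laptop' \
        'command="/usr/bin/backup run",no-pty ssh-rsa AAAAB3ExampleUnknownKey0002 x' \
        > "$d/authorized_keys"
    audit_keys "$d/authorized_keys" "$d/approved"
    status=$?
    rm -rf "$d"
    return "$status"
}

if [ "${1:-}" = "demo" ]; then demo; elif [ $# -eq 2 ]; then audit_keys "$1" "$2"; fi
```

Run with two arguments, the authorized_keys file and the approved-keys file, it exits non-zero when any entry is unapproved or unparseable, so it can be called from cron or a configuration-management check.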