Using ssh-copy
Distributing SSH keys manually can be time-consuming, especially when setting up passwordless authentication on multiple servers. The ssh-copy-id utility simplifies this process by automating the copying of public keys to remote servers, making it easier to set up secure, passwordless SSH access.
What is ssh-copy-id?
ssh-copy-id is a simple command-line tool used to copy a user’s public SSH key to a remote server’s authorized_keys file. This command ensures that the necessary permissions are set and that the public key is appended to the correct file, making the process straightforward and less error-prone compared to manual copying.
The ssh-copy-id tool reduces the need to manually edit the authorized_keys file on each server, allowing for more efficient setup of passwordless authentication across multiple systems.
Using ssh-copy-id
To use ssh-copy-id, ensure that the public key to be distributed is available on the local machine. The tool will automatically copy the public key from the default location (~/.ssh/id_rsa.pub) or another specified file to the remote server.
Basic usage:
ssh-copy-id user@remote-server
In this example, ssh-copy-id connects to the remote-server as the specified user and copies the public key from the local machine to the remote server's ~/.ssh/authorized_keys file. If the remote server requires a password for authentication, ssh-copy-id will prompt for the password once. Afterward, passwordless authentication will be enabled using the copied public key.
Setting Correct Permissions
One of the key advantages of using ssh-copy-id is that it automatically ensures the correct file permissions on the remote server. This includes setting the following permissions:
- The ~/.ssh directory will be set to 0700 (read, write, and execute only by the user).
- The ~/.ssh/authorized_keys file will be set to 0600 (readable and writable only by the user).
Correct permissions are critical for SSH key-based authentication to work. If these permissions are not set properly, SSH may refuse to authenticate using the key.
Specifying a Different Public Key
If a different key file needs to be copied (other than the default id_rsa.pub), the -i option can be used to specify the path to the key:
ssh-copy-id -i ~/.ssh/custom_key.pub user@remote-server
This command copies the public key from the file custom_key.pub to the authorized_keys file on the remote server.
Verifying the Key Copy
After running ssh-copy-id, passwordless authentication can be tested by attempting to SSH into the remote server:
ssh user@remote-server
If the setup was successful, the SSH connection will no longer prompt for a password, and the key-based authentication will be used instead.
Security Considerations
When using ssh-copy-id, it's important to ensure that the correct public key is being copied to trusted remote servers. By default, ssh-copy-id appends the public key to the authorized_keys file, so existing entries will not be overwritten. However, the presence of unauthorized keys in the authorized_keys file should be monitored regularly to prevent potential security issues.
In environments with stricter security policies, manually reviewing the authorized_keys file after using ssh-copy-id is recommended to ensure only authorized keys are present.
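One way to automate the review described above, as an added example that is not part of the original article: it fingerprints every entry in an authorized_keys file and reports any key that is not on an allowlist. The function names, the allowlist, and the sample keys (constructed blobs with dummy key bytes) are assumptions made for illustration.

```python
import base64
import hashlib
import struct

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the same form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, allowed):
    """Return (line_no, fingerprint_or_None, note) for each entry not on the allowlist."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options (from=, command=, ...) may precede the key type; skip past them.
        # Heuristic: the first field that looks like a key type starts the key.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            findings.append((no, None, "unparseable entry"))
            continue
        try:
            fp = fingerprint(fields[idx + 1])
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append((no, None, "invalid base64 key blob"))
            continue
        if fp not in allowed:
            comment = " ".join(fields[idx + 2:]) or "(no comment)"
            findings.append((no, fp, "not in allowlist: " + comment))
    return findings

def constructed_key(fill):
    """Constructed ssh-ed25519 blob (wire format, dummy key bytes); not a real key."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([fill]) * 32
    return base64.b64encode(blob).decode()

ADMIN, EXTRA = constructed_key(1), constructed_key(2)
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    "ssh-ed25519 " + ADMIN + " admin@workstation",
    'from="192.0.2.10" ssh-ed25519 ' + EXTRA + " backup@unknown-host",
])
ALLOWED = {fingerprint(ADMIN)}  # fingerprints of keys approved for this account

if __name__ == "__main__":
    for finding in audit(SAMPLE, ALLOWED):
        print(finding)
```

In practice the text would be read from each account's ~/.ssh/authorized_keys and the allowlist built from the fingerprints of keys known to have been distributed.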