diff options
author | Colin Watson <cjwatson@debian.org> | 2013-05-07 10:06:42 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2013-05-07 10:06:42 +0100 |
commit | ecebda56da46a03dafff923d91c382f31faa9eec (patch) | |
tree | 449614b6c06a2622c74a609b31fcc46c60037c56 /contrib/ssh-copy-id.1 | |
parent | c6a2c0334e45419875687d250aed9bea78480f2e (diff) | |
parent | ffc06452028ba78cd693d4ed43df8b60a10d6163 (diff) |
merge 6.2p1; reorder additions to monitor.h for easier merging in future
Diffstat (limited to 'contrib/ssh-copy-id.1')
-rw-r--r-- | contrib/ssh-copy-id.1 | 251 |
1 files changed, 181 insertions, 70 deletions
diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1 index cb15ab24d..67a59e492 100644 --- a/contrib/ssh-copy-id.1 +++ b/contrib/ssh-copy-id.1 | |||
@@ -1,75 +1,186 @@ | |||
1 | .ig \" -*- nroff -*- | 1 | .ig \" -*- nroff -*- |
2 | Copyright (c) 1999 Philip Hands Computing <http://www.hands.com/> | 2 | Copyright (c) 1999-2013 hands.com Ltd. <http://hands.com/> |
3 | 3 | ||
4 | Permission is granted to make and distribute verbatim copies of | 4 | Redistribution and use in source and binary forms, with or without |
5 | this manual provided the copyright notice and this permission notice | 5 | modification, are permitted provided that the following conditions |
6 | are preserved on all copies. | 6 | are met: |
7 | 1. Redistributions of source code must retain the above copyright | ||
8 | notice, this list of conditions and the following disclaimer. | ||
9 | 2. Redistributions in binary form must reproduce the above copyright | ||
10 | notice, this list of conditions and the following disclaimer in the | ||
11 | documentation and/or other materials provided with the distribution. | ||
7 | 12 | ||
8 | Permission is granted to copy and distribute modified versions of this | 13 | THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
9 | manual under the conditions for verbatim copying, provided that the | 14 | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
10 | entire resulting derived work is distributed under the terms of a | 15 | OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
11 | permission notice identical to this one. | 16 | IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
12 | 17 | INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
13 | Permission is granted to copy and distribute translations of this | 18 | NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
14 | manual into another language, under the above conditions for modified | 19 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
15 | versions, except that this permission notice may be included in | 20 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
16 | translations approved by the Free Software Foundation instead of in | 21 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
17 | the original English. | 22 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
18 | .. | 23 | .. |
19 | .TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH" | 24 | .Dd $Mdocdate: June 17 2010 $ |
20 | .SH NAME | 25 | .Dt SSH-COPY-ID 1 |
21 | ssh-copy-id \- install your public key in a remote machine's authorized_keys | 26 | .Os |
22 | .SH SYNOPSIS | 27 | .Sh NAME |
23 | .B ssh-copy-id [-i [identity_file]] | 28 | .Nm ssh-copy-id |
24 | .I "[user@]machine" | 29 | .Nd use locally available keys to authorise logins on a remote machine |
30 | .Sh SYNOPSIS | ||
31 | .Nm | ||
32 | .Op Fl n | ||
33 | .Op Fl i Op Ar identity_file | ||
34 | .Op Fl p Ar port | ||
35 | .Op Fl o Ar ssh_option | ||
36 | .Op Ar user Ns @ Ns | ||
37 | .Ar hostname | ||
38 | .Nm | ||
39 | .Fl h | Fl ? | ||
25 | .br | 40 | .br |
26 | .SH DESCRIPTION | 41 | .Sh DESCRIPTION |
27 | .BR ssh-copy-id | 42 | .Nm |
28 | is a script that uses ssh to log into a remote machine and | 43 | is a script that uses |
29 | append the indicated identity file to that machine's | 44 | .Xr ssh 1 |
30 | .B ~/.ssh/authorized_keys | 45 | to log into a remote machine (presumably using a login password, |
31 | file. | 46 | so password authentication should be enabled, unless you've done some |
32 | .PP | 47 | clever use of multiple identities). It assembles a list of one or more |
33 | If the | 48 | fingerprints (as described below) and tries to log in with each key, to |
34 | .B -i | 49 | see if any of them are already installed (of course, if you are not using |
35 | option is given then the identity file (defaults to | 50 | .Xr ssh-agent 1 |
36 | .BR ~/.ssh/id_rsa.pub ) | 51 | this may result in you being repeatedly prompted for pass-phrases). |
37 | is used, regardless of whether there are any keys in your | 52 | It then assembles a list of those that failed to log in, and using ssh, |
38 | .BR ssh-agent . | 53 | enables logins with those keys on the remote server. By default it adds |
39 | Otherwise, if this: | 54 | the keys by appending them to the remote user's |
40 | .PP | 55 | .Pa ~/.ssh/authorized_keys |
41 | .B " ssh-add -L" | 56 | (creating the file, and directory, if necessary). It is also capable |
42 | .PP | 57 | of detecting if the remote system is a NetScreen, and using its |
43 | provides any output, it uses that in preference to the identity file. | 58 | .Ql set ssh pka-dsa key ... |
44 | .PP | 59 | command instead. |
45 | If the | 60 | .Pp |
46 | .B -i | 61 | The options are as follows: |
47 | option is used, or the | 62 | .Bl -tag -width Ds |
48 | .B ssh-add | 63 | .It Fl i Ar identity_file |
49 | produced no output, then it uses the contents of the identity | 64 | Use only the key(s) contained in |
50 | file. Once it has one or more fingerprints (by whatever means) it | 65 | .Ar identity_file |
51 | uses ssh to append them to | 66 | (rather than looking for identities via |
52 | .B ~/.ssh/authorized_keys | 67 | .Xr ssh-add 1 |
53 | on the remote machine (creating the file, and directory, if necessary.) | 68 | or in the |
54 | 69 | .Ic default_ID_file ) . | |
55 | .SH NOTES | 70 | If the filename does not end in |
56 | This program does not modify the permissions of any | 71 | .Pa .pub |
57 | pre-existing files or directories. Therefore, if the remote | 72 | this is added. If the filename is omitted, the |
58 | .B sshd | 73 | .Ic default_ID_file |
59 | has | 74 | is used. |
60 | .B StrictModes | 75 | .Pp |
61 | set in its | 76 | Note that this can be used to ensure that the keys copied have the |
62 | configuration, then the user's home, | 77 | comment one prefers and/or extra options applied, by ensuring that the |
63 | .B ~/.ssh | 78 | key file has these set as preferred before the copy is attempted. |
64 | folder, and | 79 | .It Fl n |
65 | .B ~/.ssh/authorized_keys | 80 | do a dry-run. Instead of installing keys on the remote system simply |
66 | file may need to have group writability disabled manually, e.g. via | 81 | prints the key(s) that would have been installed. |
67 | 82 | .It Fl h , Fl ? | |
68 | .B " chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys" | 83 | Print Usage summary |
69 | 84 | .It Fl p Ar port , Fl o Ar ssh_option | |
70 | on the remote machine. | 85 | These two options are simply passed through untouched, along with their |
71 | 86 | argument, to allow one to set the port or other | |
72 | .SH "SEE ALSO" | 87 | .Xr ssh 1 |
73 | .BR ssh (1), | 88 | options, respectively. |
74 | .BR ssh-agent (1), | 89 | .Pp |
75 | .BR sshd (8) | 90 | Rather than specifying these as command line options, it is often better to use (per-host) settings in |
91 | .Xr ssh 1 Ns 's | ||
92 | configuration file: | ||
93 | .Xr ssh_config 5 . | ||
94 | .El | ||
95 | .Pp | ||
96 | Default behaviour without | ||
97 | .Fl i , | ||
98 | is to check if | ||
99 | .Ql ssh-add -L | ||
100 | provides any output, and if so those keys are used. Note that this results in | ||
101 | the comment on the key being the filename that was given to | ||
102 | .Xr ssh-add 1 | ||
103 | when the key was loaded into your | ||
104 | .Xr ssh-agent 1 | ||
105 | rather than the comment contained in that file, which is a bit of a shame. | ||
106 | Otherwise, if | ||
107 | .Xr ssh-add 1 | ||
108 | provides no keys contents of the | ||
109 | .Ic default_ID_file | ||
110 | will be used. | ||
111 | .Pp | ||
112 | The | ||
113 | .Ic default_ID_file | ||
114 | is the most recent file that matches: | ||
115 | .Pa ~/.ssh/id*.pub , | ||
116 | (excluding those that match | ||
117 | .Pa ~/.ssh/*-cert.pub ) | ||
118 | so if you create a key that is not the one you want | ||
119 | .Nm | ||
120 | to use, just use | ||
121 | .Xr touch 1 | ||
122 | on your preferred key's | ||
123 | .Pa .pub | ||
124 | file to reinstate it as the most recent. | ||
125 | .Pp | ||
126 | .Sh EXAMPLES | ||
127 | If you have already installed keys from one system on a lot of remote | ||
128 | hosts, and you then create a new key, on a new client machine, say, | ||
129 | it can be difficult to keep track of which systems on which you've | ||
130 | installed the new key. One way of dealing with this is to load both | ||
131 | the new key and old key(s) into your | ||
132 | .Xr ssh-agent 1 . | ||
133 | Load the new key first, without the | ||
134 | .Fl c | ||
135 | option, then load one or more old keys into the agent, possibly by | ||
136 | ssh-ing to the client machine that has that old key, using the | ||
137 | .Fl A | ||
138 | option to allow agent forwarding: | ||
139 | .Pp | ||
140 | .D1 user@newclient$ ssh-add | ||
141 | .D1 user@newclient$ ssh -A old.client | ||
142 | .D1 user@oldl$ ssh-add -c | ||
143 | .D1 No ... prompt for pass-phrase ... | ||
144 | .D1 user@old$ logoff | ||
145 | .D1 user@newclient$ ssh someserver | ||
146 | .Pp | ||
147 | now, if the new key is installed on the server, you'll be allowed in | ||
148 | unprompted, whereas if you only have the old key(s) enabled, you'll be | ||
149 | asked for confirmation, which is your cue to log back out and run | ||
150 | .Pp | ||
151 | .D1 user@newclient$ ssh-copy-id -i someserver | ||
152 | .Pp | ||
153 | The reason you might want to specify the -i option in this case is to | ||
154 | ensure that the comment on the installed key is the one from the | ||
155 | .Pa .pub | ||
156 | file, rather than just the filename that was loaded into you agent. | ||
157 | It also ensures that only the id you intended is installed, rather than | ||
158 | all the keys that you have in your | ||
159 | .Xr ssh-agent 1 . | ||
160 | Of course, you can specify another id, or use the contents of the | ||
161 | .Xr ssh-agent 1 | ||
162 | as you prefer. | ||
163 | .Pp | ||
164 | Having mentioned | ||
165 | .Xr ssh-add 1 Ns 's | ||
166 | .Fl c | ||
167 | option, you might consider using this whenever using agent forwarding | ||
168 | to avoid your key being hijacked, but it is much better to instead use | ||
169 | .Xr ssh 1 Ns 's | ||
170 | .Ar ProxyCommand | ||
171 | and | ||
172 | .Fl W | ||
173 | option, | ||
174 | to bounce through remote servers while always doing direct end-to-end | ||
175 | authentication. This way the middle hop(s) don't get access to your | ||
176 | .Xr ssh-agent 1 . | ||
177 | A web search for | ||
178 | .Ql ssh proxycommand nc | ||
179 | should prove enlightening (N.B. the modern approach is to use the | ||
180 | .Fl W | ||
181 | option, rather than | ||
182 | .Xr nc 1 ) . | ||
183 | .Sh "SEE ALSO" | ||
184 | .Xr ssh 1 , | ||
185 | .Xr ssh-agent 1 , | ||
186 | .Xr sshd 8 | ||