1 files changed, 181 insertions, 70 deletions
diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1
index cb15ab24d..67a59e492 100644
--- a/contrib/ssh-copy-id.1
+++ b/contrib/ssh-copy-id.1
@@ -1,75 +1,186 @@
 .ig \"  -*- nroff -*-
-Copyright (c) 1999 Philip Hands Computing <http://www.hands.com/>
+Copyright (c) 1999-2013 hands.com Ltd. <http://hands.com/>
-Permission is granted to make and distribute verbatim copies of
+Redistribution and use in source and binary forms, with or without
-this manual provided the copyright notice and this permission notice
+modification, are permitted provided that the following conditions
-are preserved on all copies.
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
-Permission is granted to copy and distribute modified versions of this
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-manual under the conditions for verbatim copying, provided that the
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-entire resulting derived work is distributed under the terms of a
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-permission notice identical to this one.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-Permission is granted to copy and distribute translations of this
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-manual into another language, under the above conditions for modified
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-versions, except that this permission notice may be included in
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-translations approved by the Free Software Foundation instead of in
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-the original English.
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ..
-.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH"
+.Dd $Mdocdate: June 17 2010 $
-.SH NAME
+.Dt SSH-COPY-ID 1
-ssh-copy-id \- install your public key in a remote machine's authorized_keys
+.Os
-.SH SYNOPSIS
+.Sh NAME
-.B ssh-copy-id [-i [identity_file]]
+.Nm ssh-copy-id
-.I "[user@]machine"
+.Nd use locally available keys to authorise logins on a remote machine
+.Sh SYNOPSIS
+.Nm
+.Op Fl n
+.Op Fl i Op Ar identity_file
+.Op Fl p Ar port
+.Op Fl o Ar ssh_option
+.Op Ar user Ns @ Ns
+.Ar hostname
+.Nm
+.Fl h | Fl ?
 .br
-.SH DESCRIPTION
+.Sh DESCRIPTION
-.BR ssh-copy-id
+.Nm
-is a script that uses ssh to log into a remote machine and
+is a script that uses
-append the indicated identity file to that machine's
+.Xr ssh 1
-.B ~/.ssh/authorized_keys
+to log into a remote machine (presumably using a login password,
-file.
+so password authentication should be enabled, unless you've done some
-.PP
+clever use of multiple identities).  It assembles a list of one or more
-If the
+fingerprints (as described below) and tries to log in with each key, to
-.B -i
+see if any of them are already installed (of course, if you are not using
-option is given then the identity file (defaults to
+.Xr ssh-agent 1
-.BR ~/.ssh/id_rsa.pub )
+this may result in you being repeatedly prompted for pass-phrases).
-is used, regardless of whether there are any keys in your
+It then assembles a list of those that failed to log in, and using ssh,
-.BR ssh-agent .
+enables logins with those keys on the remote server.  By default it adds
-Otherwise, if this:
+the keys by appending them to the remote user's
-.PP
+.Pa ~/.ssh/authorized_keys
-.B "      ssh-add -L"
+(creating the file, and directory, if necessary).  It is also capable
-.PP
+of detecting if the remote system is a NetScreen, and using its
-provides any output, it uses that in preference to the identity file.
+.Ql set ssh pka-dsa key ...
-.PP
+command instead.
-If the
+.Pp
-.B -i
+The options are as follows:
-option is used, or the
+.Bl -tag -width Ds
-.B ssh-add
+.It Fl i Ar identity_file
-produced no output, then it uses the contents of the identity
+Use only the key(s) contained in
-file.  Once it has one or more fingerprints (by whatever means) it
+.Ar identity_file
-uses ssh to append them to
+(rather than looking for identities via
-.B ~/.ssh/authorized_keys
+.Xr ssh-add 1
-on the remote machine (creating the file, and directory, if necessary.)
+or in the
+.Ic default_ID_file ) .
-.SH NOTES
+If the filename does not end in
-This program does not modify the permissions of any
+.Pa .pub
-pre-existing files or directories. Therefore, if the remote
+this is added.  If the filename is omitted, the 
-.B sshd
+.Ic default_ID_file
-has
+is used.
-.B StrictModes
+.Pp
-set in its
+Note that this can be used to ensure that the keys copied have the
-configuration, then the user's home,
+comment one prefers and/or extra options applied, by ensuring that the
-.B ~/.ssh
+key file has these set as preferred before the copy is attempted.
-folder, and
+.It Fl n
-.B ~/.ssh/authorized_keys
+do a dry-run.  Instead of installing keys on the remote system simply
-file may need to have group writability disabled manually, e.g. via
+prints the key(s) that would have been installed.
+.It Fl h , Fl ?
-.B "      chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys"
+Print Usage summary
+.It Fl p Ar port , Fl o Ar ssh_option
-on the remote machine.
+These two options are simply passed through untouched, along with their
+argument, to allow one to set the port or other
-.SH "SEE ALSO"
+.Xr ssh 1
-.BR ssh (1),
+options, respectively.
-.BR ssh-agent (1),
+.Pp
-.BR sshd (8)
+Rather than specifying these as command line options, it is often better to use (per-host) settings in
+.Xr ssh 1 Ns 's
+configuration file:
+.Xr ssh_config 5 .
+.El
+.Pp
+Default behaviour without
+.Fl i ,
+is to check if
+.Ql ssh-add -L
+provides any output, and if so those keys are used.  Note that this results in
+the comment on the key being the filename that was given to
+.Xr ssh-add 1
+when the key was loaded into your
+.Xr ssh-agent 1
+rather than the comment contained in that file, which is a bit of a shame.
+Otherwise, if
+.Xr ssh-add 1
+provides no keys contents of the 
+.Ic default_ID_file
+will be used.
+.Pp
+The
+.Ic default_ID_file
+is the most recent file that matches:
+.Pa ~/.ssh/id*.pub ,
+(excluding those that match
+.Pa ~/.ssh/*-cert.pub )
+so if you create a key that is not the one you want
+.Nm
+to use, just use
+.Xr touch 1
+on your preferred key's 
+.Pa .pub
+file to reinstate it as the most recent.
+.Pp
+.Sh EXAMPLES
+If you have already installed keys from one system on a lot of remote
+hosts, and you then create a new key, on a new client machine, say,
+it can be difficult to keep track of which systems on which you've
+installed the new key.  One way of dealing with this is to load both
+the new key and old key(s) into your
+.Xr ssh-agent 1 .
+Load the new key first, without the
+.Fl c
+option, then load one or more old keys into the agent, possibly by
+ssh-ing to the client machine that has that old key, using the
+.Fl A
+option to allow agent forwarding:
+.Pp
+.D1 user@newclient$ ssh-add
+.D1 user@newclient$ ssh -A old.client
+.D1 user@oldl$ ssh-add -c
+.D1 No   ... prompt for pass-phrase ...
+.D1 user@old$ logoff
+.D1 user@newclient$ ssh someserver
+.Pp
+now, if the new key is installed on the server, you'll be allowed in
+unprompted, whereas if you only have the old key(s) enabled, you'll be
+asked for confirmation, which is your cue to log back out and run
+.Pp
+.D1 user@newclient$ ssh-copy-id -i someserver
+.Pp
+The reason you might want to specify the -i option in this case is to
+ensure that the comment on the installed key is the one from the
+.Pa .pub
+file, rather than just the filename that was loaded into you agent.
+It also ensures that only the id you intended is installed, rather than
+all the keys that you have in your
+.Xr ssh-agent 1 .
+Of course, you can specify another id, or use the contents of the
+.Xr ssh-agent 1
+as you prefer.
+.Pp
+Having mentioned
+.Xr ssh-add 1 Ns 's
+.Fl c
+option, you might consider using this whenever using agent forwarding
+to avoid your key being hijacked, but it is much better to instead use
+.Xr ssh 1 Ns 's
+.Ar ProxyCommand
+and 
+.Fl W
+option,
+to bounce through remote servers while always doing direct end-to-end
+authentication. This way the middle hop(s) don't get access to your
+.Xr ssh-agent 1 .
+A web search for
+.Ql ssh proxycommand nc
+should prove enlightening (N.B. the modern approach is to use the
+.Fl W
+option, rather than
+.Xr nc 1 ) .
+.Sh "SEE ALSO"
+.Xr ssh 1 ,
+.Xr ssh-agent 1 ,
+.Xr sshd 8

diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1 index cb15ab24d..67a59e492 100644 --- a/contrib/ssh-copy-id.1 +++ b/contrib/ssh-copy-id.1
@@ -1,75 +1,186 @@
1	.ig \" -- nroff --	1	.ig \" -- nroff --
2	Copyright (c) 1999 Philip Hands Computing <http://www.hands.com/>	2	Copyright (c) 1999-2013 hands.com Ltd. <http://hands.com/>
3		3
4	Permission is granted to make and distribute verbatim copies of	4	Redistribution and use in source and binary forms, with or without
5	this manual provided the copyright notice and this permission notice	5	modification, are permitted provided that the following conditions
6	are preserved on all copies.	6	are met:
		7	1. Redistributions of source code must retain the above copyright
		8	notice, this list of conditions and the following disclaimer.
		9	2. Redistributions in binary form must reproduce the above copyright
		10	notice, this list of conditions and the following disclaimer in the
		11	documentation and/or other materials provided with the distribution.
7		12
8	Permission is granted to copy and distribute modified versions of this	13	THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
9	manual under the conditions for verbatim copying, provided that the	14	IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
10	entire resulting derived work is distributed under the terms of a	15	OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
11	permission notice identical to this one.	16	IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
12		17	INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
13	Permission is granted to copy and distribute translations of this	18	NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
14	manual into another language, under the above conditions for modified	19	DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
15	versions, except that this permission notice may be included in	20	THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
16	translations approved by the Free Software Foundation instead of in	21	(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
17	the original English.	22	THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
18	..	23	..
19	.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH"	24	.Dd $Mdocdate: June 17 2010 $
20	.SH NAME	25	.Dt SSH-COPY-ID 1
21	ssh-copy-id \- install your public key in a remote machine's authorized_keys	26	.Os
22	.SH SYNOPSIS	27	.Sh NAME
23	.B ssh-copy-id [-i [identity_file]]	28	.Nm ssh-copy-id
24	.I "[user@]machine"	29	.Nd use locally available keys to authorise logins on a remote machine
		30	.Sh SYNOPSIS
		31	.Nm
		32	.Op Fl n
		33	.Op Fl i Op Ar identity_file
		34	.Op Fl p Ar port
		35	.Op Fl o Ar ssh_option
		36	.Op Ar user Ns @ Ns
		37	.Ar hostname
		38	.Nm
		39	.Fl h \| Fl ?
25	.br	40	.br
26	.SH DESCRIPTION	41	.Sh DESCRIPTION
27	.BR ssh-copy-id	42	.Nm
28	is a script that uses ssh to log into a remote machine and	43	is a script that uses
29	append the indicated identity file to that machine's	44	.Xr ssh 1
30	.B ~/.ssh/authorized_keys	45	to log into a remote machine (presumably using a login password,
31	file.	46	so password authentication should be enabled, unless you've done some
32	.PP	47	clever use of multiple identities). It assembles a list of one or more
33	If the	48	fingerprints (as described below) and tries to log in with each key, to
34	.B -i	49	see if any of them are already installed (of course, if you are not using
35	option is given then the identity file (defaults to	50	.Xr ssh-agent 1
36	.BR ~/.ssh/id_rsa.pub )	51	this may result in you being repeatedly prompted for pass-phrases).
37	is used, regardless of whether there are any keys in your	52	It then assembles a list of those that failed to log in, and using ssh,
38	.BR ssh-agent .	53	enables logins with those keys on the remote server. By default it adds
39	Otherwise, if this:	54	the keys by appending them to the remote user's
40	.PP	55	.Pa ~/.ssh/authorized_keys
41	.B " ssh-add -L"	56	(creating the file, and directory, if necessary). It is also capable
42	.PP	57	of detecting if the remote system is a NetScreen, and using its
43	provides any output, it uses that in preference to the identity file.	58	.Ql set ssh pka-dsa key ...
44	.PP	59	command instead.
45	If the	60	.Pp
46	.B -i	61	The options are as follows:
47	option is used, or the	62	.Bl -tag -width Ds
48	.B ssh-add	63	.It Fl i Ar identity_file
49	produced no output, then it uses the contents of the identity	64	Use only the key(s) contained in
50	file. Once it has one or more fingerprints (by whatever means) it	65	.Ar identity_file
51	uses ssh to append them to	66	(rather than looking for identities via
52	.B ~/.ssh/authorized_keys	67	.Xr ssh-add 1
53	on the remote machine (creating the file, and directory, if necessary.)	68	or in the
54		69	.Ic default_ID_file ) .
55	.SH NOTES	70	If the filename does not end in
56	This program does not modify the permissions of any	71	.Pa .pub
57	pre-existing files or directories. Therefore, if the remote	72	this is added. If the filename is omitted, the
58	.B sshd	73	.Ic default_ID_file
59	has	74	is used.
60	.B StrictModes	75	.Pp
61	set in its	76	Note that this can be used to ensure that the keys copied have the
62	configuration, then the user's home,	77	comment one prefers and/or extra options applied, by ensuring that the
63	.B ~/.ssh	78	key file has these set as preferred before the copy is attempted.
64	folder, and	79	.It Fl n
65	.B ~/.ssh/authorized_keys	80	do a dry-run. Instead of installing keys on the remote system simply
66	file may need to have group writability disabled manually, e.g. via	81	prints the key(s) that would have been installed.
67		82	.It Fl h , Fl ?
68	.B " chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys"	83	Print Usage summary
69		84	.It Fl p Ar port , Fl o Ar ssh_option
70	on the remote machine.	85	These two options are simply passed through untouched, along with their
71		86	argument, to allow one to set the port or other
72	.SH "SEE ALSO"	87	.Xr ssh 1
73	.BR ssh (1),	88	options, respectively.
74	.BR ssh-agent (1),	89	.Pp
75	.BR sshd (8)	90	Rather than specifying these as command line options, it is often better to use (per-host) settings in
		91	.Xr ssh 1 Ns 's
		92	configuration file:
		93	.Xr ssh_config 5 .
		94	.El
		95	.Pp
		96	Default behaviour without
		97	.Fl i ,
		98	is to check if
		99	.Ql ssh-add -L
		100	provides any output, and if so those keys are used. Note that this results in
		101	the comment on the key being the filename that was given to
		102	.Xr ssh-add 1
		103	when the key was loaded into your
		104	.Xr ssh-agent 1
		105	rather than the comment contained in that file, which is a bit of a shame.
		106	Otherwise, if
		107	.Xr ssh-add 1
		108	provides no keys contents of the
		109	.Ic default_ID_file
		110	will be used.
		111	.Pp
		112	The
		113	.Ic default_ID_file
		114	is the most recent file that matches:
		115	.Pa ~/.ssh/id*.pub ,
		116	(excluding those that match
		117	.Pa ~/.ssh/*-cert.pub )
		118	so if you create a key that is not the one you want
		119	.Nm
		120	to use, just use
		121	.Xr touch 1
		122	on your preferred key's
		123	.Pa .pub
		124	file to reinstate it as the most recent.
		125	.Pp
		126	.Sh EXAMPLES
		127	If you have already installed keys from one system on a lot of remote
		128	hosts, and you then create a new key, on a new client machine, say,
		129	it can be difficult to keep track of which systems on which you've
		130	installed the new key. One way of dealing with this is to load both
		131	the new key and old key(s) into your
		132	.Xr ssh-agent 1 .
		133	Load the new key first, without the
		134	.Fl c
		135	option, then load one or more old keys into the agent, possibly by
		136	ssh-ing to the client machine that has that old key, using the
		137	.Fl A
		138	option to allow agent forwarding:
		139	.Pp
		140	.D1 user@newclient$ ssh-add
		141	.D1 user@newclient$ ssh -A old.client
		142	.D1 user@oldl$ ssh-add -c
		143	.D1 No ... prompt for pass-phrase ...
		144	.D1 user@old$ logoff
		145	.D1 user@newclient$ ssh someserver
		146	.Pp
		147	now, if the new key is installed on the server, you'll be allowed in
		148	unprompted, whereas if you only have the old key(s) enabled, you'll be
		149	asked for confirmation, which is your cue to log back out and run
		150	.Pp
		151	.D1 user@newclient$ ssh-copy-id -i someserver
		152	.Pp
		153	The reason you might want to specify the -i option in this case is to
		154	ensure that the comment on the installed key is the one from the
		155	.Pa .pub
		156	file, rather than just the filename that was loaded into you agent.
		157	It also ensures that only the id you intended is installed, rather than
		158	all the keys that you have in your
		159	.Xr ssh-agent 1 .
		160	Of course, you can specify another id, or use the contents of the
		161	.Xr ssh-agent 1
		162	as you prefer.
		163	.Pp
		164	Having mentioned
		165	.Xr ssh-add 1 Ns 's
		166	.Fl c
		167	option, you might consider using this whenever using agent forwarding
		168	to avoid your key being hijacked, but it is much better to instead use
		169	.Xr ssh 1 Ns 's
		170	.Ar ProxyCommand
		171	and
		172	.Fl W
		173	option,
		174	to bounce through remote servers while always doing direct end-to-end
		175	authentication. This way the middle hop(s) don't get access to your
		176	.Xr ssh-agent 1 .
		177	A web search for
		178	.Ql ssh proxycommand nc
		179	should prove enlightening (N.B. the modern approach is to use the
		180	.Fl W
		181	option, rather than
		182	.Xr nc 1 ) .
		183	.Sh "SEE ALSO"
		184	.Xr ssh 1 ,
		185	.Xr ssh-agent 1 ,
		186	.Xr sshd 8