[SOLVED] Security doubt about ssh-copy-id

banderas20 · 07-21-2023, 03:06 AM

Hi!

I have been using SSH for a long time, and I do know the purpose of ssh-copy-id command.

If I copy the pubfile contents and paste it into the authorised_keys file on the target server, that's OK, because I already have access to the target server, and there are not security concerns.

However, I have a silly doubt regarding how ssh-copy-id command works.

Whenever we issue ssh-copy-id -i <pubfile> user@host, we are adding the pubfile contents to authorised_keys file of the ./ssh directory of "user" on "host" machine. But we don't necessary have access to that server yet.

Why can anyone issue that command from anywhere without being asked anything? I mean... anyone could add an arbitrary public key and gain access to any server. Who or which mechanism controls that?

Sorry if that's an obvious question, but I can't find the clue.

Thanks!

pan64 · 07-21-2023, 03:38 AM

if you don't have access to the server you won't be able to add pubfile to authorised_keys. That is that simple.

michaelk · 07-21-2023, 04:26 AM

In other words to copy the keys with ssh-copy-id you still need to be able to login to that server with a valid username and password. It is basically a script that uses the ssh command.

Turbocapitalist · 07-21-2023, 06:15 AM

Quote:

Originally Posted by banderas20

Sorry if that's an obvious question, but I can't find the clue.

In addition to the above comments, you can look at the contents of ssh-copy-id itself, it's just a simple shell script.

You can copy the keys by hand too, either via password or out of band though out of band is a lot more difficult and time consuming.

banderas20 · 07-21-2023, 06:35 AM

OK. I'm beginning to get it.

So, which user should I use to issue ssh-copy-id?
So far I'm trying it with a sudo user which exists on my local machine, but not in the remote server.

Should my local user exist on the remote one?

Thanks!

pan64 · 07-21-2023, 06:42 AM

There are two users involved, the local user which has an id and the remotes user. You need to use the local user to copy that id to the remote host using that remote user.

banderas20 · 07-21-2023, 08:09 AM

Quote:

Originally Posted by pan64

There are two users involved, the local user which has an id and the remotes user. You need to use the local user to copy that id to the remote host using that remote user.

OK. Here's what I do:

LOCAL:

Code:

/home/localuser/.ssh/ssh-keygen (keypair named "test2")
/home/localuser/.ssh/ssh-copy-id -i test2.pub test@192.168.1.138 (test user already exists in 192.168.1.138)

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "test.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Received disconnect from 192.168.1.138 port 22:2: Too many authentication failures
Disconnected from 192.168.1.138 port 22

EDIT: solved

PasswordAuthentication yes
MaxAuthTries 100

I got rid of the message, was prompted for the password and now able to add the pubkey

Thanks everyone!