Oct 22, 2012
 
I only just discovered the ssh-copy-id command a few weeks ago after a tab-completion revealed it. I’d never considered that the command existed, the function of which I’ll shortly explain.

But I have an even more embarrassing admission to make. It was only about a year ago that I discovered that grep had a recursive switch, “-r”. I’d just never checked. I’d worked with Solaris almost exclusively for several years and the native Solaris grep didn’t have a recursive mode, so I always assumed that this was how it always was.

That is, I didn’t know I could type this:

   # grep -r PATTERN .

And instead, to search in subdirectories, I’d type this:

  # find . -type f -exec grep PATTERN {} /dev/null \;

The lesson I’ve learnt from both of these? It just reconfirmed for me the old adage – “Read the Man Page”. I’ll spare our gentler readers the usual angry adjective that frequently appears in said adage.

In this sysadmin life it’s so easy to get set in your ways, conservative, and assume that the way you’ve always done things is the best, easiest or only way. It’s easy to forget that the great thing about open source is that improvements are rapid (unlike commercial distros; I’m looking at you Sun/Oracle, or whatever you call yourself these days). Last month’s annoyance may have been fixed by some generous boffin who took it upon himself to put the work in and share it with the rest of us. The point is, these Linux tools we use evolve all the time, and we sysadmins need to evolve our practices as well by keeping ourselves informed.

Which brings me back to ssh-copy-id. SSH allows you to generate a pair of encryption keys – one public and one private – protected with a passphrase. You can then configure your SSH daemon to allow you to use this key pair for authentication. With OpenSSH, if the public key exists in the file ~/.ssh/authorized_keys, a user with the corresponding private key can log in as long as they know the passphrase. This has advantages over the regular /etc/passwd login in that it adds an extra factor to the authentication: knowing the password/passphrase isn’t enough – you need to possess the private key as well.

Furthermore, you can also use the ssh-agent to cache the key and passphrase allowing you to authenticate just once, and then login without being challenged. Or, you can create a key pair with no passphrase at all, and have an unchallenged login, but this practice is ill-advised for its lack of security.

So the procedure for manually doing the key exchange is well documented in the man page, and all over the Internet. It’s a bit tricky to remember exactly, and can vary between distributions, but on Fedora with OpenSSH the manual commands are:

# -N '' gives the key an empty passphrase; drop -N '' to be prompted for one
$> ssh-keygen -q -t rsa -N '' -f ~/.ssh/id_rsa
$> scp ~/.ssh/id_rsa.pub user@remote.example.com:/tmp/id_rsa.pub
# ~/.ssh must be 0700 and authorized_keys must not be group/world-writable, or sshd ignores the key
$> ssh user@remote.example.com "mkdir -p ~/.ssh;
      chmod 700 ~/.ssh; touch ~/.ssh/authorized_keys;
      cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys;
      chmod 600 ~/.ssh/authorized_keys; rm /tmp/id_rsa.pub"

This generates a key, copies it to the remote system, and then sets the correct permissions on the files. If any of these steps is not done correctly, it won’t work. If the key files aren’t given restrictive permissions on both systems (the private key on the client, ~/.ssh and authorized_keys on the server), it also won’t work. To complicate matters, some versions of SSH implement this slightly differently. I’ve always had it written down in my notebook and could check every time I forgot. At some point, I understood it well enough to remember it intuitively.
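The remote-side half of that procedure is the part that goes wrong most often (a duplicate key appended, or a directory left with the wrong mode). Below is an added example, not from the original post and not OpenSSH’s own ssh-copy-id, of a hypothetical helper that does that step idempotently; it runs against a local path so it can be tried without a remote host.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Appends the public key in PUBKEY_FILE to AUTHORIZED_KEYS only if it is
# not already there, creating the .ssh directory and setting the modes
# that sshd's StrictModes check requires. Hypothetical helper: the
# remote-side step of the manual procedure, done idempotently.
# Returns 0 if the key was added, 1 if it was already present, 2 on bad input.
install_pubkey() {
    pubkey_file=$1
    auth_keys=$2
    ssh_dir=$(dirname "$auth_keys")

    # One key per file; reject anything that does not look like a public key line.
    key=$(head -n 1 "$pubkey_file")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not a public key: $pubkey_file" >&2; return 2 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"

    # Compare key type + base64 blob only, so a different trailing comment
    # does not cause the same key to be appended twice.
    key_body=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    if awk '{print $1" "$2}' "$auth_keys" | grep -qxF "$key_body"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$auth_keys"
    return 0
}

# count_key PUBKEY_FILE AUTHORIZED_KEYS: how many times the key's
# type+blob appears in the authorized_keys file (used to check the result).
count_key() {
    body=$(head -n 1 "$1" | awk '{print $1" "$2}')
    awk '{print $1" "$2}' "$2" | grep -cxF "$body"
}
```

A constructed key line such as `ssh-rsa AAAAB3Nconstructed user@laptop` (not a real key) is enough to exercise it: a second install of the same key, even with a different comment, returns 1 and leaves exactly one entry.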

So you can imagine my delight when I discovered ssh-copy-id. It makes perfect sense that the above set of commands has been replaced with just this:

  $> ssh-copy-id user@remote.example.com

Not only is this faster, but the ssh-copy-id command is intuitively easier to understand: your ID is being copied to another host. This is in contrast to that longer set of commands above, which, while useful to have learnt, is time-consuming and error-prone to type, and difficult to remember.

I’ll never know how long I’ve been wasting time typing these commands out the long way, rather than just ssh-copy-id, but this revelation opened my eyes. I’m now beginning to wonder how many of my old set ways are just bad habits that have come from not reading the man page. Now, I read more than just enough to get a job done, and instead make sure I’m familiar enough with commands to know how to perform tasks well. The beauty of open source is that it evolves and develops quickly, and it’s important to research these developments and keep up to date. I think this is the least that a sysadmin worth his salt can do.

Now that I’ve shared this shameful admission, feel free to share with the rest of us some ignoramus Linux techniques you stuck with way too long.

And in line with the SSH discussion, here’s a very good article on SSH best practices:
http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html



Matt Parsons is a freelance Linux specialist who has designed, built and supported Unix and Linux systems in the finance, telecommunications and media industries.

He lives and works in London.

  One Response to “ssh-copy-id and why I read the man pages”

  1. I like very much the two tricks: ssh-copy-id and grep -r PATTERN .
    I didn’t know any of this, and the grep -r is very useful. I need to do this type of search several times, and created a script to do this, but grep -r is best.

    I will post a link in my blog to this article
