Do your infrastructure has lots of servers that require automated and passwordless logins? Here we introduce a handy tool to install ssh key.
In this tutorial, we learn about ssh-copy-id command in Linux with examples.
ssh-copy-id is a unique command line utility that copies or transfers a public key to a remote machine where it is saved in the authorized_keys file. The file is found in the remote user's home directory ( ~/.ssh/authorized_keys). It is one of the secure networking utilities that is included in the OpenSSH suite which is an open-source implementation of the SSH protocol.
By copying the public key to a remote host, the SSH-copy-id command enables automated passwordless authentication using the SSH protocol. This is a better alternative to password authentication as it provides better security. Only the user with the private key can access the remote machine on which the public key has been saved. It is also beneficial when working with automated tools such as Ansible or shell scripts.
The ssh copy id command takes the following syntax:
ssh-copy-id [options] [email protected]
where user is the username of the user on the remote host and host-ip is the IP address of the remote server.
As mentioned earlier, the ssh-copy-id command is bundled in the OpenSSH package which comes pre-installed in most Linux distributions. Therefore, no installation is required. However, if the OpenSSH client package is not installed, install it as follows.
Debian / Ubuntu
sudo apt install openssh-client
RHEL/ Fedora/ CentOS/ Rocky Linux/ Almalinux
sudo dnf install openssh-clients
Understanding SSH Public Key Authentication
In SSH Public key authentication, a user generates an SSH key pair that comprises a set of two cryptographic keys:
- Public key: The public key is copied and saved in the authorized_keys file on the remote machine. This is a file that contains a list of all authorized public keys. The public key checks the legitimacy of a digital signature and is used by both the host and the remote system to encrypt a message. When generated, it is accompanied by a private key which should only be known to the owner. On the other hand, the public key can be shared across multiple servers without an issue.
- Private Key: The private key provides proof of a user's identity. It decrypts messages created by the public key. The key should be kept confidential and only remain on the host machine of the user connecting to the remote machine. Only the user of the private key that corresponds to the public key can successfully authenticate to the remote host. Again, the private key, as the name infers, should be stored in a secret and confidential manner. No multiple copies should be made and distributed to other users as this could lead to data breaches.
During public key authentication, a user or process sends a connection request using an SSH client. A challenge response is then initiated to complete the connection. The remote SSH server detects that the connection is being requested and sends an encrypted challenge request back to the client using the shared public key information. Upon receiving the request, the client system uses the private key to decrypt the challenge message and sends it back to the server. The remote server receives the decrypted message and grants the client access.
The challenge-response takes place without any user interaction and only the holder of the private key is granted access to the remote server. If the person attempting to connect to the remote system does not have the private key, the connection attempt fails.
How to Use the ssh-copy-id Command
In order to see how the ssh-copy-id command works, you need a client machine on which the ssh keys will the generated and a remote host or servers on which the keys will be copied.
Check out the out lab setup below.
To demonstrate how the ssh-copy-id tool is used, we are going to have the following lab setup.
- HostMachine - Create a normal user named admin.
- SSHServer1 - Create a normal user named jack.
- SSHServer2 - Create a normal user named bob
Next, we will log in to the host machine where we will generate SSH Keys and later copy the public key to SSHServer1 and SSHServer2 in order to enable passwordless authentication.
Step 1. Create SSH Keys
Once the users have been created, we will generate an SSH key pair ( private and public keys) on the host machine and then copy them to the two SSH servers.
So we will switch to the admin user on the host machine.
su - admin
Next, we will generate an SSH key pair using the ssh-keygen command:
The command generates a public and private key. All the keys are saved in the .ssh directory which is a hidden directory in the home directory of the user ( /home/admin/.ssh)
The ssh passphrase provides additional security to protect your private key. This protects the private key in case someone copied it from your computer. But remember if you add passphrase password when connecting to the remote host is it prompt for password. You can leave passphrase blank to avoid prompting. Here in the example, I have left it bank.
The private key is saved in the /home/admin/.ssh/id_rsa file.
The public key is saved in the /home/admin/.ssh/id_rsa.pub file.
To view the keys, use the ls -l command:
ls -l ~/.ssh
Step 2. Send Public Key to SSH Server using ssh-copy-id
With the public and private keys generated, in this step, we will copy or send the public key to the remote servers using the ssh copy id command using the following syntax:
ssh-copy-id [email protected]
For example, to send the public key to SSH Server1, run the command:
ssh-copy-id [email protected]
Similarly, copying the public key to the SSH Server2 takes the same format.
ssh-copy-id [email protected]
The above command copies the public ssh key to the remote hosts. If you are connecting to the remote machine for the first time, like in our case here, you will get the following output.
The key fingerprint will be displayed and you will be prompted if you want to continue connecting to the remote host. To proceed, type 'yes' and hit ENTER. Next, you will be prompted for the remote user's password. Type the password and press ENTER. This installs the public ssh key to the remote system.
The public key is saved on the remote system in a file called authorized_keys. This is contained in the .ssh directory in the remote user's home directory ( ~/.ssh/authorized_keys )
The default port for SSH is port 22. Sometimes, this port can be changed to a different value by editing the default SSH configuration file. If the port is changed, you can specify a different one using the -p flag followed by the port number. For example, if the SSH port is 2552, run the command:
ssh-copy-id -p 2552 [email protected]
Step 3. Connect to SSH Server Without Password
Once the key has been saved, any subsequent SSH connections will not require any password. At the bottom, you will see a notification 'Now try logging into the machine, with: 'ssh [email protected]'.
To connect to the SSH server without a password, simply run the command indicated.
To login to SSHServer1:
ssh [email protected]
To log in to SSHServer2, run the following command.
ssh [email protected]
As you can see, no password is prompted since the ssh public key authentication is now being used as the authentication method.
SSH-copy-id Command Options
Here are some of the commonly-used ssh-copy-id command options.
- -p : The flag specifies the SSH port to use while connecting to the remote host. This option is used when the default port that SSH listens to on the remote host is not port 22.
- -f : The -f argument enables forced mode. This mode does not probe whether the key is pre-configured in authorized_keys on the server. It simply adds a new key which usually results in multiple copies of the same key being installed on the server.
- -n : The flag performs a simulation or a dry run that displays the keys that will be installed without actually installing them on the remote host.
- -i : The -i flag specifies the identity file to be copied to the remote host. If you omit the -i argument, all the files in the ~/.ssh directory matching the *.pub pattern will be added.
In this tutorial, we learned how to use the ssh-copy-id command to install SSH keys on a remote machine.
Keep in mind that misconfigured keys can potentially lock you out of a system - situation where you have disabled ssh root login. Extra caution is recommended when handling SSH keys.