Solved Security doubt about ssh-copy-id

Solved issue

banderas20

Member
Joined
Aug 1, 2018
Messages
96
Reaction score
39
Credits
746
Hi!

I have been using SSH for a long time, and I do know the purpose of ssh-copy-id command.

If I copy the pubfile contents and paste it into the authorised_keys file on the target server, that's OK, because I already have access to the target server, and there are not security concerns.

However, I have a silly doubt regarding how ssh-copy-id command works.

Whenever we issue ssh-copy-id -i <pubfile> user@host, we are adding the pubfile contents to authorised_keys file of the ./ssh directory of "user" on "host" machine. But we don't necessary have access to that server yet.

Why can anyone issue that command from anywhere without being asked anything? I mean... anyone could add an arbitrary public key and gain access to any server. Who or which mechanism controls that?

Sorry if that's an obvious question, but I can't find the clue.

Thanks!
 


However, I have a silly doubt regarding how ssh-copy-id command works.
ssh-copy-id asks for a username/password, so you will have to authenticate first before it copies over ssh pubkey.
 
Hi!

The user I'm issuing the command with only exists in my local machine. So I'm not prompted for any user/pwd.

ssh-copy-id -i /home/user/.ssh/test.pub [email protected]

and I get

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Received disconnect from 192.168.1.138 port 22:2: Too many authentication failures
Disconnected from 192.168.1.138 port 22
 
ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
 
Replace root with the wanted username on the remote host.
Code:
ssh-copy-id [email protected]
 
OK. Here's what I do:

LOCAL:
Code:
/home/localuser/.ssh/ssh-keygen (keypair named "test2")
/home/localuser/.ssh/ssh-copy-id -i test2.pub [email protected] (test user already exists in 192.168.1.138)


/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "test.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Received disconnect from 192.168.1.138 port 22:2: Too many authentication failures
Disconnected from 192.168.1.138 port 22
 
Code:
ssh-copy-id -i pubkeytest.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "pubkeytest.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
Check on that remote system if you have password authentication disabled in your sshd_config, if so it will refuse password authentication and not allow you to copy over the publickey using ssh-copy-id.
 
OK. I have set:

PasswordAuthentication yes


I still was getting the message

Too many authentication failures


I uncommented and set the directive:

MaxAuthTries 1000

So I got rid of the message, was prompted for the password and now able to add the pubkey.

Thanks!
 
MaxAuthTries 1000

So I got rid of the message, was prompted for the password and now able to add the pubkey.
What distribution is your remote system using? I did see the following in the Rocky man-page.
MaxAuthTries
Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value,
additional failures are logged. The default is 6.
 
Try doubling it instead of setting it to 1000 since that seems kind of overkill.
 

Members online


Top