Solved Security doubt about ssh-copy-id

banderas20

Hi!

I have been using SSH for a long time, and I do know the purpose of the ssh-copy-id command.

If I copy the pubfile contents and paste them into the authorized_keys file on the target server, that's OK, because I already have access to the target server, and there are no security concerns.

However, I have a silly doubt regarding how ssh-copy-id command works.

Whenever we issue ssh-copy-id -i <pubfile> user@host, we are adding the pubfile contents to the authorized_keys file in the .ssh directory of "user" on the "host" machine. But we don't necessarily have access to that server yet.

Why can anyone issue that command from anywhere without being asked anything? I mean... anyone could add an arbitrary public key and gain access to any server. Who or which mechanism controls that?

Sorry if that's an obvious question, but I can't find the clue.

Thanks!
 


However, I have a silly doubt regarding how ssh-copy-id command works.
ssh-copy-id asks for a username/password, so you will have to authenticate first before it copies over ssh pubkey.
 
Hi!

The user I'm issuing the command with only exists on my local machine. So I'm not prompted for any user/pwd.

ssh-copy-id -i /home/user/.ssh/test.pub [email protected]

and I get

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Received disconnect from 192.168.1.138 port 22:2: Too many authentication failures
Disconnected from 192.168.1.138 port 22
 
ssh-copy-id [email protected]
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
 
Replace root with the wanted username on the remote host.
Code:
ssh-copy-id [email protected]
 
OK. Here's what I do:

LOCAL:
Code:
/home/localuser/.ssh/ssh-keygen (keypair named "test2")
/home/localuser/.ssh/ssh-copy-id -i test2.pub [email protected] (test user already exists in 192.168.1.138)


/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "test.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Received disconnect from 192.168.1.138 port 22:2: Too many authentication failures
Disconnected from 192.168.1.138 port 22
 
Code:
ssh-copy-id -i pubkeytest.pub [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "pubkeytest.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
Check on that remote system if you have password authentication disabled in your sshd_config, if so it will refuse password authentication and not allow you to copy over the publickey using ssh-copy-id.
 
OK. I have set:

PasswordAuthentication yes


I still was getting the message

Too many authentication failures


I uncommented and set the directive:

MaxAuthTries 1000

So I got rid of the message, was prompted for the password and now able to add the pubkey.

Thanks!
 
MaxAuthTries 1000

So I got rid of the message, was prompted for the password and now able to add the pubkey.
What distribution is your remote system using? I did see the following in the Rocky man-page.
MaxAuthTries
Specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value,
additional failures are logged. The default is 6.
 
Yes. Default is 6, although the line was commented (??). I'm using Ubuntu 22.04.
 
Try doubling it instead of setting it to 1000 since that seems kind of overkill.
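
An added example, not part of any post in this thread: a small shell check that reads the global section of an sshd_config and reports the effective PasswordAuthentication and MaxAuthTries values discussed above. The function names, the constructed sample config and the threshold of 12 (double the default of 6, as the last reply suggests) are assumptions for illustration; Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# sshd uses the first value it reads for a keyword, and keywords are
# case-insensitive. A commented-out line is ignored, so the built-in default
# applies (6 for MaxAuthTries, yes for PasswordAuthentication).

effective_setting() {   # usage: effective_setting FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }   # skip comments and blank lines
        tolower($1) == "match"      { exit }   # global section ends here
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

audit_sshd() {          # usage: audit_sshd FILE [MAX_REASONABLE_TRIES]
    file=$1
    limit=${2:-12}      # assumption: double the default of 6
    pw=$(effective_setting "$file" PasswordAuthentication yes)
    tries=$(effective_setting "$file" MaxAuthTries 6)
    echo "PasswordAuthentication=$pw MaxAuthTries=$tries"
    # ssh-copy-id must log in before it can append the key; with password
    # login off, an existing key is the only way in.
    [ "$pw" = "yes" ] || echo "NOTE: password login is off; ssh-copy-id needs another working credential"
    # Every failed key or password attempt counts toward MaxAuthTries, so a
    # very high value gives each connection that many guesses.
    if [ "$tries" -gt "$limit" ]; then
        echo "WARN: MaxAuthTries $tries exceeds $limit; lower it once the key is installed"
        return 1
    fi
    return 0
}

# Constructed sample: the settings described in the thread after the change.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication yes
MaxAuthTries 1000
EOF
audit_sshd "$sample" || true
rm -f "$sample"
```

On a live host, `sshd -T` prints the values the daemon actually resolved, including Include files.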
 