MITM: ssh-copy-id

From OnnoWiki


ssh-copy-id - Copy SSH keys to Servers to Provision Access

SSH keys are easy to create. ssh-keygen is used to create new key pairs, and the ssh-copy-id command can be used to install the new keys in the authorized_keys file on a server.

ssh-copy-id uses the SSH protocol to connect to the target host and upload the SSH user key in the provided key file to the authorized_keys file at the server. After this simple procedure, the user can log in to the remote server without a password query. If the user's private key is not protected with a passphrase, the remote login will require no action whatsoever.

The ssh-copy-id command uses SSH to log into a remote host. This login is done using a method of authentication that allows the user access to the remote account - presumably using a password since the SSH keys are not there yet.

Once the script gets access to the remote account, it modifies the ~/.ssh/authorized_keys file. It may also fix the permissions of the user's home directory (and of ~/.ssh and authorized_keys) if they are inappropriate, since sshd refuses to use key files that are writable by others.

ssh-copy-id options

The sample below presents ssh-copy-id syntax:

ssh-copy-id -i ~/.ssh/

ssh-copy-id has very few options:

-i specifies the identity file that is to be used (default is ~/.ssh/

Ample Power - Little Control

ssh-copy-id is an excellent example of the high degree of freedom given to trusted users of SSH. Users are free to generate and provision (even very highly privileged) access to any server they have (even very temporary) access to. Because provisioning access is this easy, SSH keys have proliferated.

Environments that have been using SSH for years have accumulated large - sometimes extremely large - numbers of SSH keys. Since the keys do not expire, the state of access control is often unclear, unmanaged, and in many cases very much in violation of both corporate security policy and the many legal mandates that apply to information security in regulated industries. Many organizations no longer know who has access to what, and some have had millions of SSH keys granting access to servers, 90% of which are no longer in use.

SSH Key Management to the Rescue

If left unmanaged, SSH keys form the most critical security problem in identity and access management. SSH Communications Security offers the leading solution for SSH key management. Many leading companies have selected Universal SSH Key Manager for managing their key-based access. It supports locking down keys (in root-owned locations) so that individual users cannot use ssh-copy-id to permanently provision access for themselves and their friends. It can also fully automate access provisioning based on proper approvals.
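The remote-side work ssh-copy-id performs (create ~/.ssh, append the key to authorized_keys, fix permissions) together with the inventory step the key-management paragraph says most environments lack, as an added POSIX shell example that is not from this page or from ssh-copy-id's own source. HOME_DIR is an assumed local directory standing in for the target account's home, and the key lines used with it are constructed samples.

```shell
#!/bin/sh
# Added example (not the wiki's or ssh-copy-id's code). HOME_DIR is an
# assumed local directory standing in for the remote account's home.

# Accept only lines that look like an OpenSSH public key: "<type> <base64> [comment]".
is_pubkey_line() {
    printf '%s\n' "$1" |
      grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=* ?.*$'
}

# install_key HOME_DIR "PUBKEY_LINE": what ssh-copy-id does once logged in,
# but idempotent. ~/.ssh becomes 0700 and authorized_keys 0600 (sshd rejects
# looser modes). Returns 0 when added, 2 when the same key blob is already
# present, 1 when the line is not a public key.
install_key() {
    home="$1"; key="$2"
    is_pubkey_line "$key" || return 1
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    ak="$home/.ssh/authorized_keys"
    touch "$ak" && chmod 600 "$ak"
    # Duplicate check on the key blob only, so a changed comment is not a "new" key.
    if awk -v b="$blob" '$0 !~ /^#/ && index($0, b) {f=1} END {exit !f}' "$ak"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$ak"
}

# count_keys HOME_DIR: number of active (non-comment, non-blank) key lines.
count_keys() {
    ak="$1/.ssh/authorized_keys"
    [ -f "$ak" ] || { echo 0; return 0; }
    grep -Evc '^[[:space:]]*(#|$)' "$ak" || true
}

# list_keys HOME_DIR: one "type comment" line per active key, the basic
# "who has access to this account" inventory discussed above.
list_keys() {
    ak="$1/.ssh/authorized_keys"
    [ -f "$ak" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$ak" | awk '{print $1, ($3 ? $3 : "(no comment)")}'
}
```

Running the same install twice leaves a single entry, which is the behaviour a provisioning script needs and plain `cat >> authorized_keys` does not give.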