Re: RFC: ssh-copy-id tweaks

This is a discussion on Re: RFC: ssh-copy-id tweaks within the OpenSSH Development forums, part of the Networking and Network Related category.


Alan Barrett
02-04-2008

On Thu, 31 Jan 2008, Jim Knoble wrote:
> Alternatively, the following would keep the authorized_keys file from
> being reordered, using 'grep -F' to check whether the identity is
> already present: [script deleted]


This is much better than other attempts I have seen. Apart from trivial
issues like one line with an unwanted backslash and another with a
missing backslash, the only problem I see is that, if the key exists but
has a different comment at the end of line, then a duplicate line will
be added.

> Unfortunately, the use of the SSH_IDENTITY variable makes this only work
> with Bourne/ksh shells and their descendants.


A client can force a remote command to be executed under 'sh',
like this:

    ssh "${user_at_host}" sh -c \''blah blah'\'

This assumes that the remote host has a working 'sh' command, assumes no
nested single quotes inside the 'blah blah' part, and assumes that the
remote user's preferred shell handles backslashes and single quotes in
the same way as sh or csh. It would probably be a good idea to have an
option to customise the 'sh' part of this (for example, it might need to
be /bin/sh or /usr/xpg4/bin/sh instead of just plain sh).

Digression:

I think it's a bug that sshd runs commands with the user's shell instead
of with /bin/sh. The bug is easy to fix, by using _PATH_BSHELL in
appropriate places in do_child() in session.c. If this is deemed to be
intended behaviour and not a bug, then I'd ask that the part of the ssh
man page that says

    If command is specified, it is executed on the remote host instead
    of a login shell.

should be changed to explain what actually happens, so that people don't
think "command is executed" means "command is executed using the remote
system's standard command processor (which is /bin/sh on Unix-like
systems)".

--apb (Alan Barrett)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev
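
Added example, not part of the original post and not code from ssh-copy-id: one way to build the 'sh -c' command string discussed above so that nested single quotes survive, with the remote 'sh' path selectable, and with the 'grep -F' check done on the key type and blob only so that a differing comment does not add a duplicate line. The function names and the sample key are constructed for illustration; it assumes the remote login shell treats single quotes and backslashes the way sh does, and the remote script is kept on one line.

```shell
#!/bin/sh
# Hypothetical helpers (names are assumptions, not from ssh-copy-id).

# Wrap $1 in single quotes for sh; each embedded ' becomes '\''.
sq() {
    printf "'%s'" "$(printf '%s\n' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the one string that the remote login shell will parse.
# $1 = script text, $2 = remote sh to use (default: sh; could be
# /bin/sh or /usr/xpg4/bin/sh as suggested in the post).
remote_sh_cmd() {
    printf '%s -c %s' "${2:-sh}" "$(sq "$1")"
}

# Script text to run remotely. $1 = one public key line
# ("type blob [comment]"). The fixed-string match uses "type blob"
# only, so the same key with another comment is not appended again.
add_key_script() {
    keyid=$(printf '%s\n' "$1" | awk '{print $1 " " $2}')
    printf 'umask 077; mkdir -p "$HOME/.ssh"; f="$HOME/.ssh/authorized_keys"; touch "$f"; grep -qF -- %s "$f" || printf "%%s\\n" %s >>"$f"' \
        "$(sq "$keyid")" "$(sq "$1")"
}

# Local stand-in for the remote side: sh plays the login shell that
# parses the command string, with HOME pointed at a scratch directory.
run_as_remote() {   # $1 = scratch HOME, $2 = command string
    HOME=$1 sh -c "$2"
}

# Constructed sample key line; the comment contains a single quote.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBlob alan's laptop"

# Show the string that would be handed to ssh, e.g.
#   ssh "${user_at_host}" "$(remote_sh_cmd "$(add_key_script "$SAMPLE_KEY")")"
remote_sh_cmd "$(add_key_script "$SAMPLE_KEY")"
echo
```
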