[ssh-copy-id] Do not treat Dropbear special #250
Conversation
ssh-copy-id currently copies authorized keys to /etc/dropbear/authorized_keys when Dropbear is detected as SSH server. This is wrong as Dropbear by default looks for authorized keys in ~/.ssh/authorized_keys, like OpenSSH does. Presumably /etc/dropbear/authorized_keys made its way into this script as OpenWRT uses a non-default Dropbear build, using this location instead. But this is special to OpenWRT, being a single user single purpose router distribution. Official Dropbear manpage: https://github.com/mkj/dropbear/blob/846d38fe4319c517683ac3df1796b3bc0180be14/dropbear.8#L108 OpenWRT patch to override the authorized keys location: https://github.com/openwrt/openwrt/blob/ec6293febc244d187e71a6e54f44920be679cde4/package/network/services/dropbear/patches/100-pubkey_path.patch Signed-off-by: MichaIng <micha@dietpi.com>
|
ssh-copy-id is a contributed file that OpenSSH distributes. Its upstream is https://git.hands.com/?p=ssh-copy-id.git;a=summary and any pull requests should be directed there. |
|
Thanks for the info. I contacted Philip and will report back here on updates. |
MichaIng
changed the title
djmdjm
changed the title
|
This btw is the commit which broke it: https://git.hands.com/?p=ssh-copy-id.git;a=commit;h=c6f0b6c |
|
It affects each and every system aside of OpenWRT |
|
I can confirm that the PR checks out; the PR fixes the bug so that I can ssh-copy-id to my dropbear system. |
|
Please reread what Darren said above:
This PR will only be merged when it is accepted into Phil's upstream repository first. |
|
@djmdjm Also please consider that Phil's goals might not match the ones of OpenSSH: Probably he uses OpenWRT and hence configured "his" tool to work with OpenWRT. OpenSSH's goal is however likely to support distros in a generic way, following application defaults and not the non-default setup decisions of a single distro. In this case a downstream patch may be necessary. It is small and simple to maintain anyway, as it simply removes a code block which never needs to be re-added, regardless how it may change upstream. |
|
I was just about to ask the same thing; what if the contrib maintainer decides to keep hos "broken" implementation because it fits his needs better? He's in his good right to. IMHO I think it would be better if openssh maintained their own ssh-copy-id script. It has become an important tool of the openssh package and many people are relying on it. This makes it even more unfortunate that the whole (dropbear) world has to wait for one "random" guy (sorry Phil, no offence =) to fix it, when the community (specifically @MichaIng) has already committed a fix. I know it's easy for me to lay the burden of maintaining this thing on your shoulders, but you could start by just taking ssh-copy-id as it is now. Eventually someone will rewrite it to half the size and complexity. What are openssh's thoughts on this? |
ssh-copy-idcurrently copies authorized keys to/etc/dropbear/authorized_keyswhen Dropbear is detected as SSH server. This is wrong as Dropbear by default looks for authorized keys in~/.ssh/authorized_keys, like OpenSSH does. Presumably/etc/dropbear/authorized_keysmade its way into this script as OpenWRT uses a non-default Dropbear build, using this location instead. But this is special to OpenWRT, being a single user single purpose router distribution.Official Dropbear manpage: https://github.com/mkj/dropbear/blob/846d38fe4319c517683ac3df1796b3bc0180be14/dropbear.8#L108
OpenWRT patch to override the authorized keys location: https://github.com/openwrt/openwrt/blob/ec6293febc244d187e71a6e54f44920be679cde4/package/network/services/dropbear/patches/100-pubkey_path.patch