1

I'm trying to copy a bunch of RSA keys to multiple servers for a specific user. Whenever I issue the ssh-copy-id command it asks me to confirm by typing "yes", then asks me for the password. I wanted to avoid wearing out my arms and fingers, so, I decided to create a script for this task, something like this:

#!/bin/bash
runuser -u $RMTUSER -- ssh-copy-id [email protected]
runuser -u $RMTUSER -- ssh-copy-id [email protected]
(...)
runuser -u $RMTUSER -- ssh-copy-id [email protected]
runuser -u $RMTUSER -- ssh-copy-id [email protected]

I can't seem to find a good way to automate that task. Nothing seems to work. How can I input "yes" and the password automatically?

I've realized my initial question was quite lackluster. I'm sorry for that... it remains above, though.

I've improved the script to something similar to what Marcus proposed. I'm stuck at the "for" loop wondering how to pass that password for different server arrays.

My host sets are all static and there's much more.

#!/bin/bash

LOCUSER="$1"    # USER FOR REMOTE ACCESS
RMTUSER="$2"    # REMOTE USER
PASSWD="$3"     # SITE PASSWORD
SITE="$4"       # SERV SITE


function uras() {
        for IP in "$@"; do
                runuser -u "${LOCUSER}" -- sshpass "-p${PASSWD}" ssh-copy-id "${RMTUSER}@${IP}"
                [ "$?" -eq "0" ] && echo "OK - $IP" || echo "FAIL! - $IP"
        done
        }


case $SITE in
        "sa")
                ARRAY_A=( $(cat ./serv_a.txt) )
                uras "${ARRAY_A[@]}"
                ;;
        "sb")
                ARRAY_B=( $(cat ./serv_b.txt) )
                uras "${ARRAY_B[@]}"
                ;;
        "sc")
                ARRAY_C=( $(cat ./serv_c.txt) )
                uras "${ARRAY_C[@]}"
                ;;
        *)
                echo "INVALID SITE"
                ;;
esac

Still, the script fails for every host.

# ./auto_ssh_copy.sh [user] root [pass] [site]
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/var/lib/zabbix/.ssh/id_rsa.pub"
FAIL! - 172.24.168.48
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/var/lib/zabbix/.ssh/id_rsa.pub"
FAIL! - 172.24.168.49
/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/var/lib/zabbix/.ssh/id_rsa.pub"
FAIL! - 172.24.168.50
(...)

I tried using "-f" as well, but the result is the same.

I agree that using something robust like Ansible might be a better tool for the job, but unfortunately it is just not available in my working set for now. This is what I came up with so far.

Finally I managed to copy all keys. The script above was missing option -o StrictHostKeyChecking=no, thus sshpass was returning exit code 6. The resulting command is this:

runuser -u ${LOCUSER} -- sshpass -v -p${PASSWD} ssh-copy-id -o StrictHostKeyChecking=no ${RMTUSER}@${IP}

Marcus awnser help a lot. Thanks everybody.

Improve this question

3 Answers 3

Reset to default
3

You can disable the yes checking with the -f option to ssh-copy-id.

The password should probably not be part of that script, assuming that script ends up somewhere that might be readable by others. Instead, I'd recommend writing a script like this:

#!/bin/sh
# Usage: myscript user password

RMTUSER=$1
PASSWORD=$2
# just an example, but to highlight you can use brace expansions.
hosts=("172.24.168.47" "172.24.168.48" 172.24.168.{200..213})

for host in ${hosts[@]}; do
  runuser -u "${RMTUSER}" -- sshpass "-p${PASSWORD}" ssh-copy-id -f "root@${host}"
done
Improve this answer
5
  • Of course this then puts the password on the command line twice visible to anybody using the ps command. Once for the script invocation and once for each runuser. Your suggestion of using Ansible (or puppet) is a much better solution. Commented Dec 16, 2021 at 14:48
  • @doneal24 no questions asked about that! one could also replaced PASSWORD=$1 with and let the user put the password in a file only they can read, or read it straight from stdin, and put it in a temporary file, and use that with sshpass -f instead of -p Commented Dec 16, 2021 at 14:50
  • @doneal24 note that I'm a bit confused, honestly, why this answer's gotten more positive attention than the ansible one, but hm, I guess there's a certain skepticism towards tooling of that kind. Commented Dec 16, 2021 at 14:53
  • 1
    There is a learning curve to running ansible and it's not worth it for just a few servers. The OP looks like he's running 150+ systems so automation is a must. I too wonder about the downvote on your other answer. Commented Dec 16, 2021 at 16:00
  • Why use "-p${PASSWD}" instead of -p "${PASSWD}"? Commented Dec 17, 2021 at 13:52
0

You could either add -f to force copy or

set StrictHostKeyChecking no inside the ~/.ssh/config file so the ssh-copy-id wont check if the key is already present on the server.

These options however, mean that you could potentially end up with the same key being installed multiple times if you aren't careful.

Improve this answer
0

The honest answer to this kind of question is "stop building bespoke tools with all their own funny ways of failing, use something robust that is well-maintained by someone else".

Enter ansible. You'll find that maintaining one list of hosts you administrate and their "logical groups" (ansible calls that "inventory") and a list of things that need to happen to these hosts (ansible calls that "playbook") makes for much better and consistent, and also less time-consuming administration.

In your case, you want an inventory file (let's call it ~/servers.ini) like this:

[rootservers]
172.24.168.47
172.24.168.48
172.24.168.[200:213]

[rootservers:vars]
ansible_password=f00bar

You can also supply the password through other means¹.

and a playbook (say, ~/playbook.yaml) like:

hosts: rootservers
  tasks:
  - name: Set authorized key took from file
    authorized_key:
      user: root
      state: present
      key: "{{ lookup('file', '/home/mark/.ssh/id_rsa.pub') }}"

That's it. You can now run

ansible-playbook -i ~/servers.ini ~/playbook.yaml

to make ansible check, for each host in the rootservers group, whether mark's rsa_id is already in the authorized_keys file on the server and if not, add it there.

But you typically would want to do more; like, after that's done, configure SSHd to disallow password logins for root alltogether (always a good idea, imho), install or update some software packages ("enable this third-party repository and install the CUDA drivers in version 10.1"), set up some monitoring software, clean up some user directories, copy over some files, etc.

For all these tasks, ansible has either simply commands like authorized_key (or apt or copy or ...) built in, or there's someone who wrote a role (like for "set up a Postfix mail server") for ansible that you can just use.

Personally, I never manually install any packages on any servers, add any local users or change any config, because I won't remember whether I did that tomorrow morning. Has the advantage that I not only get a written statement of what I've done to said server, but also, setting up a new server to replace or supplement that one is just adding a line to the inventory in the right group.

So, the workflow I have is generally:

  1. Install Linux on a physical machine / spin up a virtual machine; often, that can even be done already adding an authorized key, with nothing but an SSH server installed
  2. if necessary, add the authorized key for root
  3. add that machine to the inventory under an appropriate group
  4. Run the playbook containing what I want to happen on that machine

¹you should actually not store your password in the inventory, use a vault instead, but for illustration, this might suffice.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.