31

I am trying to set up a second access ssh key for a friend. He sent me his id_rsa.pub.

    ssh-copy-id -i id_rsa.pub root@123.123.123.123
    /usr/local/bin/ssh-copy-id: ERROR: failed to open ID file './id_rsa': No such file or directory

Do I need him to send me both files?

  • 1
    The .pub is sufficient. And keep in mind that you always keep your private key secret (at all times!). To add a new key you can simply append the content of .pub to your authorized_keys. – deagh Feb 06 '15 at 07:04
  • 2
    @deagh You don't need to keep a private key secret, you need to keep it secure. –  Feb 06 '15 at 07:20
  • The ssh-copy-id script [here](https://github.com/andrewpile/ssh-copy-id) doesn't appear to emit that particular error message. I notice your ssh-copy-id script is in /usr/local/bin. It may be different from the commonly-used version of the command. – Kenster Feb 06 '15 at 16:19

6 Answers

25

It's not necessary to have the private key file to authorize a key on a server. In fact, you should never ask a friend for their private key; it's called private because it should be kept to yourself.

However, the ssh-copy-id command from OpenSSH might fail if there is no private key file with the same name available, because it tries to log in with the specified key to check if it is already present on the remote server.

In recent versions you can override this behavior with the -f switch ("Forced mode").

From the man page:

-f

    Forced mode: doesn't check if the keys are present on the remote server.  This means that it does not need the private key.  Of course, this can result in more than one copy of the key being installed on the remote system.
Dario Seidl
  • 11
    heads up, the ordering of parameters is strict. `-f` only works as expected if you pass it _before_ the `-i` argument. `ssh-copy-id -i mykey.pub -f otheruser@host` just complains, until you move -f at the front. – init_js Jul 23 '19 at 00:08
  • and the private key file **must not** have a file extension (e.g. key.ppk will not work) – TmTron Nov 05 '20 at 13:27
  • 1
    @TmTron: not so; file extensions work fine. OTOH file _contents_ in PPK (Putty Private Key) format do NOT work in OpenSSH, regardless of file name or extension, and many sensible people use extension .ppk to indicate PPK format. PPK format can be _converted_ to/from an OpenSSH format using Puttygen, and there are many existing Qs covering this. – dave_thompson_085 Jan 09 '21 at 08:45
  • @dave_thompson_085 This may depend on the version of the `ssh-copy-id` command. In my case, it does definitely not work when the private key file has an extension, in git-bash (mingw64 on Windows). Maybe that's helpful for someone that comes here... – TmTron Jan 09 '21 at 09:55
  • 1
    @TmTron: okay, with the long weekend I downloaded 'Git for Windows 2.30.0' from git-scm.com and ran git-bash, and `ssh -V` identifies as OpenSSH 8.4p1 (with OpenSSL 1.1.1i). I created a valid key with `ssh-keygen -t rsa -f filename.ppk` and `ssh-copy-id -i filename.ppk user@host` works just fine. `filename.otherext` also works, as does a name with no extension. Will you please look at the first line of _your_ whatever.ppk file and make sure it is actually a valid OpenSSH keyfile? – dave_thompson_085 Jan 20 '21 at 09:10
  • @dave_thompson_085 here's the [output of my commands](https://ibb.co/mG5V1fj). You can see that I execute the same command twice. First, when the private key-file has the extension `.ppk`, the command fails. Then I rename the private key-file (remove the extension). Now the same command works. `git version 2.23.0.windows.1` – TmTron Jan 20 '21 at 09:28
  • The answer is not entirely correct because the argument it uses is wrong; if you are using agent forwarding, the private key doesn't need to exist on the immediate client machine to be able to connect further with keys. – Nikita Kipriyanov Jun 04 '22 at 03:26
  • @NikitaKipriyanov I don't know what you mean, feel free to elaborate. The answer answers the question (which wasn't about agent forwarding). The `-f` argument can be used as described in the man page to avoid the duplicate key check which requires the private key. – Dario Seidl Jun 07 '22 at 10:32
  • I meant not the command line argument, but the discussion argument "openssh fails ... because it tries ...". It tries, but that doesn't necessitate the need to always have private keys directly on the node from which you connect. And `ssh-copy-id` command uses agent forwarding, so in the end *you don't always need to have private keys to run it successfully*, while you clearly state the other in the answer. – Nikita Kipriyanov Jun 07 '22 at 12:11
  • The question was about another thing, but anyway, setting the keys for the friend using this command... it is a tricky idea. It was meant to copy your own keys, not to set up access for others. – Nikita Kipriyanov Jun 07 '22 at 12:17
  • I see, I'll update the answer to clarify it. – Dario Seidl Jun 07 '22 at 12:33
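
The manual append suggested in the first comment on the question, with the duplicate check that `-f` skips, as an added example (not part of any post here and not ssh-copy-id's own code). The function name `authorize_pubkey` and its return codes are assumptions; it is meant to run on the server as the account being granted access, and the sample key is constructed placeholder data.

```shell
#!/bin/sh
# Added example, not the ssh-copy-id source. Run it on the server as the target user.
# authorize_pubkey PUBFILE [AUTHORIZED_KEYS]   (hypothetical helper)
# Returns 0 = appended, 1 = rejected, 2 = key already present (nothing written).
authorize_pubkey() {
    pub=$1
    auth=${2:-"$HOME/.ssh/authorized_keys"}
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse private-key material (OpenSSH/PEM headers, PuTTY .ppk header).
    if grep -Eq 'PRIVATE KEY|PuTTY-User-Key-File' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 1
    fi

    # First non-blank, non-comment line: "<type> <base64> [comment]".
    line=$(grep -Ev '^[[:space:]]*(#|$)' "$pub" | head -n 1)
    ktype=$(printf '%s\n' "$line" | awk '{print $1}')
    blob=$(printf '%s\n' "$line" | awk '{print $2}')
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) echo "refusing: unrecognised key type '$ktype'" >&2; return 1 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "refusing: malformed key data" >&2; return 1 ;;
    esac

    # sshd (StrictModes) wants ~/.ssh and authorized_keys writable only by the owner.
    dir=$(dirname "$auth")
    [ -d "$dir" ] || mkdir -m 700 -p "$dir"
    touch "$auth" && chmod 600 "$auth"

    # Duplicate check on type+blob, ignoring the comment and any leading options.
    if awk -v t="$ktype" -v b="$blob" '
        { for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) found = 1 }
        END { exit !found }' "$auth"; then
        return 2
    fi
    printf '%s\n' "$line" >> "$auth"
}

# Demo on constructed input: placeholder key data in a throwaway directory.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedPLACEHOLDERdata friend@laptop' > "$demo/friend.pub"
authorize_pubkey "$demo/friend.pub" "$demo/.ssh/authorized_keys"; echo "first run: $?"
authorize_pubkey "$demo/friend.pub" "$demo/.ssh/authorized_keys"; echo "second run: $?"
rm -rf "$demo"
```
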
6

The .pub is sufficient. You are not in the correct folder.

You can try this:

    ssh-copy-id -i /root/.ssh/id_rsa.pub root@123.123.123.123

(for the root user: not recommended, it's just an example).

This file is under the .ssh folder on the user folder.

tread
3

This has been reported as OpenSSH bug #2110.

Mihai Capotă
3

As mentioned here this is a bug.

Anyway you can simply create an empty file to make it work. In your case:

    $ touch ./id_rsa
    $ ssh-copy-id -i id_rsa.pub root@123.123.123.123

I had the same issue and this worked for me

jawira
2

No, you only need his public key stored in ~/.ssh/id_rsa.pub.

Note that ssh-copy-id command uses the public key of the current user running the command which has the private key beside it.

You can either make a new key by running ssh-keygen and give your friend the key pair and delete the private one from your machine, or add the private key of your friend manually to the remote server, by appending it at the end of the ~/.ssh/authorized_keys of the user that your friend will connect in the future.

Unicornist
0

Yes, it needs both. In theory, though, it shouldn't need both, but it checks that the private key form of the public key specified with -i is there, as a "safety check". So that if a user were to ssh from that machine with the private key form of that public key, then that private key should be there for that ssh to work!

It won't use the private key form of the public key specified with -i, to log in. It logs in with the same key that ssh will use.

See this related question:

"By default, does ssh-copy-id -i blah.pub user@host, log in with the private key specified by -i, or does it log in with ~/.ssh/id_rsa?"

barlop