ssh-copy-id

Copy your keys to the remote machine

$ ssh-copy-id [username]@[remote_host]

$ ssh-copy-id -i [path/to/certificate] [username]@[remote_host]

$ ssh-copy-id -i [path/to/certificate] -p [port] [username]@[remote_host]

ssh-copy-id [-f] [-n] [-i identity_file] [-o ssh_option] [-p port] [[-e] user@]hostname

[user@]hostname
    The target remote host and optional username where the public key should be copied.

-i identity_file
    Specifies the public key file to be used. If not specified, ssh-copy-id will attempt to use keys from ssh-agent, and if none are found, it will look for default identity files like ~/.ssh/id_rsa.pub, ~/.ssh/id_dsa.pub, etc.

-f
    Force mode. Not commonly used in typical scenarios.

-n
    Dry run mode. Shows what commands would be executed without actually performing any changes on the remote host.

-o ssh_option
    Allows passing options directly to the underlying ssh command. For example, -o ProxyJump=jump.example.com.

-p port
    Specifies the port to connect to on the remote host, if different from the default SSH port (22).

-e
    Obsolete option, equivalent to -o EscapeChar=none. Used to disable the escape character.

ssh-copy-id is a utility designed to simplify the process of installing your public SSH key on a remote server. When setting up passwordless SSH logins, you need your public key (e.g., from ~/.ssh/id_rsa.pub) to be appended to the ~/.ssh/authorized_keys file on the target machine.

Manually performing this often involves using scp to copy the key and then ensuring correct file permissions with chmod. ssh-copy-id automates these steps: it connects to the remote host (prompting for the password if necessary), creates the .ssh directory and authorized_keys file if they don't exist, appends your public key to authorized_keys, and ensures the correct permissions for secure SSH operation. This makes setting up passwordless SSH authentication significantly easier and less prone to errors.

Initial access to the remote host requires password-based authentication or another method (e.g., existing key) if password authentication is disabled. The sshd service must be running on the remote host. It does not remove or manage existing keys in authorized_keys; it only appends new ones. Ensure your local public key file has appropriate read permissions.

If no identity file is specified with the -i option, ssh-copy-id will first try to use any identities loaded into ssh-agent. If ssh-agent is not running or has no identities, it then searches for default public key files in the ~/.ssh/ directory, such as id_rsa.pub, id_dsa.pub, id_ecdsa.pub, and id_ed25519.pub.

One of the key advantages of ssh-copy-id is its ability to correctly set permissions on the remote ~/.ssh directory and the authorized_keys file. SSH requires strict permissions (e.g., ~/.ssh must be 700, and authorized_keys must be 600). If these are incorrect, SSH authentication will fail. ssh-copy-id ensures these permissions are set properly, preventing common 'Permissions too open' errors.

ssh-copy-id is a shell script included as part of the OpenSSH suite. Its development aimed to streamline the common task of setting up public key authentication, reducing the manual steps and potential errors associated with copying keys and setting permissions. It has been a standard utility within OpenSSH for many years, simplifying the workflow for system administrators and users alike since the widespread adoption of SSH.

ssh(1), sshd(8), ssh-keygen(1), ssh-agent(1), authorized_keys(5)