0

Does ssh-copy-id -i blah.pub user@host log in with the public key form of the private key specified by -i, or does it log in with ~/.ssh/id_rsa?

If the answer is that it logs in with ~/.ssh/id_rsa (the key SSH uses by default), and not with the private key form of the public key specified with -i, why does it give an error here?

I have a private and public key pair, rodney and rodney.pub. If I rename the file rodney to roddney, and then I do ssh-copy-id -i ./rodney.pub user@ip, I expect it to log in and do its appending, though I get the error "ERROR: failed to open ID file './rodney': No such file". If I rename roddney back to rodney, then I don't get that error. Why would ssh-copy-id need or care about the private key rodney, if all it is doing is ssh (which by default uses id_rsa to log in), and then copying rodney.pub over?

barlop
  • 25,198

1 Answer

0

Does ssh-copy-id -i blah.pub user@host log in with the private key form of the public key specified with -i, or does it log in with ~/.ssh/id_rsa?

It won't log in with the private key form of the public key specified with -i.

It logs in with the key ssh uses by default, ~/.ssh/id_rsa (though perhaps if ssh-agent is running then ssh could try other keys, but either way, it won't be logging in with the private key form of the public key specified with -i). Let's assume you don't have ssh-agent running, which I think is the assumption in the question too.

If the answer is that it logs in with ~/.ssh/id_rsa (the key SSH uses by default), and not with the private key form of the public key specified with -i, why does it give an error here?

I have a private and public key pair, rodney and rodney.pub. If I rename the file rodney to roddney, and then I do ssh-copy-id -i ./rodney.pub user@ip, I expect it to log in and do its appending, though I get the error "ERROR: failed to open ID file './rodney': No such file". If I rename roddney back to rodney, then I don't get that error. Why would ssh-copy-id need or care about the private key rodney, if all it is doing is ssh (which by default uses id_rsa to log in), and then copying rodney.pub over?

I spoke to an ssh expert a while back about this.

My use case was I had a laptop and some VPSs, I wanted one VPS to SSH/SFTP to all the others. My laptop already had SSH access to all the VPSs.

What I could have done was generate the key pair on the laptop, then ssh-copy-id the public key to all the VPSs, then move or copy the private key I had generated from the laptop onto the first VPS.

But what I did (which led to an error that puzzled me and had me enquiring) was this: I generated the key pair on my laptop, and I copied the private key I had generated from the laptop to the first VPS. I then deleted that private key from my laptop 'cos I figured (incorrectly) that I don't need it on the laptop anymore, as (I actually correctly figured) ssh-copy-id isn't going to use that to log into any of my VPSs. So I did ssh-copy-id -i blah.pub user@IPofFirstVPS and I got an error.

ssh-copy-id does need the key pair, so both the private and the public key.

So when you do ssh-copy-id -i blah.pub user@host, it expects the private key form of the public key file specified.

If you were to do ssh-copy-id blah, then it appends .pub to the filename and does ssh-copy-id blah.pub. So you may as well put the .pub on the end of it, i.e. specify the public key filename rather than the private key filename.

But its needing the private key is only a "safety check", in the sense that it's just a test it does before doing its thing, appending the public key to the remote authorized_keys file. In theory it doesn't even have to do that check to do its logging in and appending.

It's anticipating / guessing, and maybe guessing wrongly, that in future you might be SSHing from the machine you ran ssh-copy-id on to the remote host, using the private key form of that public key you specified, and that therefore you would need that private key on the machine you are running ssh-copy-id from! (It doesn't consider that maybe you generated the key pair with the intention of using that private key on other machines, and are just using ssh-copy-id from the machine you are on because that machine has ssh access to lots of your other machines.)

ssh-copy-id does not log in with the private key form of the public key pair.

ssh-copy-id does have an option -o, where you can specify a private key to log in with.

I don't have ssh-agent set up, so my ssh connects with the private key ~/.ssh/id_rsa, and that is the private key that ssh-copy-id will log in with, whatever public key is specified in -i. But it will still check to see if the private key file matching the public key specified in -i exists!

ssh-copy-id is a script (it even starts with #!/bin/sh), so somebody familiar with scripts could cat/vim it and check for themselves.

barlop
  • 25,198
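To make the behaviour the answer describes concrete, here is an added example (not the ssh-copy-id script itself, and not code from the question or answer): a small POSIX sh re-implementation of the `-i` file handling, namely appending `.pub` when the argument lacks it, deriving the private key name by stripping `.pub`, and refusing to continue when either file is unreadable, with a `forced` flag that skips the private-key requirement the way the real script's `-f` option is documented to. The function names `derive_key_files` and `check_key_files`, the temporary directory, and the empty `rodney`/`rodney.pub` files are all constructed for the demo; the real script additionally talks to the remote host, which this example does not.

```shell
#!/bin/sh
# Added example: simplified model of how ssh-copy-id resolves the -i argument
# and why "-i ./rodney.pub" fails when ./rodney is missing. Not the real script.

# derive_key_files ID_ARG -> prints "PUB PRIV" (assumes no spaces in the path)
derive_key_files() {
    case "$1" in
        *.pub) pub="$1" ;;       # caller gave the public key name
        *)     pub="$1.pub" ;;   # caller gave the private key name: add .pub
    esac
    priv="${pub%.pub}"           # private key = public key name without .pub
    printf '%s %s\n' "$pub" "$priv"
}

# check_key_files ID_ARG [forced]
# Returns 0 if every file ssh-copy-id would insist on is readable, 1 otherwise.
# The error text mirrors the message quoted in the question.
check_key_files() {
    files=$(derive_key_files "$1")
    pub=${files%% *}
    priv=${files#* }
    for f in "$pub" "$priv"; do
        # forced mode (like ssh-copy-id -f) drops the private-key requirement
        if [ "$f" = "$priv" ] && [ -n "${2:-}" ]; then
            continue
        fi
        if ! [ -r "$f" ]; then
            printf 'ERROR: failed to open ID file %s: No such file\n' "'$f'" >&2
            return 1
        fi
    done
    return 0
}

# --- constructed demo: empty files stand in for a real key pair ---
demo_dir=$(mktemp -d)
: > "$demo_dir/rodney.pub"
echo "1) only rodney.pub present (the situation in the question):"
check_key_files "$demo_dir/rodney.pub" || echo "   -> refused"
echo "2) same, but forced:"
check_key_files "$demo_dir/rodney.pub" forced && echo "   -> accepted without the private key"
: > "$demo_dir/rodney"
echo "3) both files present, private key name given (.pub appended automatically):"
check_key_files "$demo_dir/rodney" && echo "   -> accepted"
rm -rf "$demo_dir"
```

Run it with `sh` from any directory; case 1 reproduces the "failed to open ID file './rodney'" style refusal even though no login is attempted at all, which is the point of the answer: the private key is a local precondition check, not the credential used to log in.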