From owner-freebsd-stable@FreeBSD.ORG  Fri Feb 28 23:42:18 2014
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 3AA9FE92;
 Fri, 28 Feb 2014 23:42:18 +0000 (UTC)
Received: from mx1.stack.nl (relay04.stack.nl [IPv6:2001:610:1108:5010::107])
 (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id EE9C5167A;
 Fri, 28 Feb 2014 23:42:17 +0000 (UTC)
Received: from snail.stack.nl (snail.stack.nl [IPv6:2001:610:1108:5010::131])
 by mx1.stack.nl (Postfix) with ESMTP id 3D11AB80B6;
 Sat,  1 Mar 2014 00:42:15 +0100 (CET)
Received: by snail.stack.nl (Postfix, from userid 1677)
 id 2C2DC28497; Sat,  1 Mar 2014 00:42:15 +0100 (CET)
Date: Sat, 1 Mar 2014 00:42:15 +0100
From: Jilles Tjoelker <jilles@stack.nl>
To: Eitan Adler <eadler@freebsd.org>
Subject: Re: ssh-copy-id
Message-ID: <20140228234214.GA23514@stack.nl>
References: <2cba8fd9cc51dedc1bd5e127046f4ab7@dweimer.net>
 <1393618827.9046.89104957.4A974C56@webmail.messagingengine.com>
 <ea6804d070e9b2e4393eaca2fa45d938@dweimer.net>
 <1393625741.9928.89141917.3B723B0F@webmail.messagingengine.com>
 <CAF6rxg=SBno64BpmxcvddQFpnAePFHKZ+1kp1a+AY5F6-xQsMA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAF6rxg=SBno64BpmxcvddQFpnAePFHKZ+1kp1a+AY5F6-xQsMA@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: freebsd-stable <freebsd-stable@freebsd.org>
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Feb 2014 23:42:18 -0000

On Fri, Feb 28, 2014 at 06:08:10PM -0500, Eitan Adler wrote:
> On 28 February 2014 17:15, Mark Felder <feld@freebsd.org> wrote:
> ....

> > In my opinion, if I'm using an ssh utility and I specify "-i" flag it
> > should be the private key.

> Hey all,

> Sorry about the confusion ssh-copy-id has caused you.

> Does the following patch help ?

In addition to that, it may be useful to add an explicit check against
sending private keys. Even though printf(1) fails, the receiving server
still gets the private key and a malicious root user might steal it.

For example, any key starting with '-' is inappropriate.

-- 
Jilles Tjoelker