4

I have 2 Ubuntu 14.04 servers with openssh-server installed on both. I've set up key-based authentication using RSA keys, without passphrase, so that I can run automated backup scripts, to a remote site, with rsync.

I normally do the key exchange over a LAN while password-based login is still enabled; I then disable password-only SSH before taking the remote server to its off-site location. So any users log in through keys with a passphrase, and automated scripts use keys without a passphrase.

To share keys I use the ssh-copy-id command.

All commands for off-site use a high non-standard port on the external modem/router, forwarded to the router on subnet, which then NAT addresses to the standard 22 port on the remote server.

If I wanted to add a new user's key, I could use a current user to enable password-only login, which would make it possible to use ssh-copy-id (as it requires the user's password). After using ssh-copy-id to set up key-based SSH, I would disable password-based login afterwards.

Is there any risk in using ssh-copy-id over an internet connection?

Arronical
    The `ssh-copy-id` command uses SSH underneath, so the risk is absolutely the same as using plain old SSH over an internet connection. – ThoriumBR Nov 24 '15 at 17:03

1 Answer

4

As pointed out in the comments, there is no other risk than using normal ssh with a password.

This means that from the client you need to go through the common check of the host key or fingerprint, and then everything (passwords, keys and all communication) is encrypted.

You can even have a look into ssh-copy-id, since it is just a simple shell script doing the "magic", which consists of password-based login, copying your key there, and setting correct permissions. In addition, it tries to make sure that the key was successfully copied and works fine for pubkey authentication.

Jakuje
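The remote-side steps the answer lists (copy the key, set correct permissions), as an added example that is not part of the original answer and is not the ssh-copy-id source. The function name `install_pubkey` and its arguments are hypothetical; the accepted key-type prefixes are a constructed allow-list.

```shell
#!/bin/sh
# Added illustration of the "copy key, fix permissions" steps described above.
# install_pubkey is a hypothetical helper, not code taken from ssh-copy-id.

# install_pubkey HOME_DIR PUBKEY_LINE
# Appends PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys unless it is already
# present, and restricts permissions so sshd's StrictModes check accepts them.
install_pubkey() {
    home_dir=$1
    key_line=$2
    nl='
'
    # Accept exactly one line; a multi-line value is either a private key
    # pasted by mistake or an attempt to add more than one entry.
    case $key_line in
        *"$nl"*) echo "refusing: more than one line" >&2; return 2 ;;
        *"PRIVATE KEY"*) echo "refusing: looks like a private key" >&2; return 2 ;;
    esac
    # Constructed allow-list of public key types for this example.
    case $key_line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: not a public key line" >&2; return 2 ;;
    esac

    # Create directory and file with a restrictive umask, in a subshell so
    # the caller's umask is left unchanged.
    ( umask 077
      mkdir -p "$home_dir/.ssh" &&
      touch "$home_dir/.ssh/authorized_keys" ) || return 1

    # Tighten permissions even if the directory or file already existed.
    chmod 700 "$home_dir/.ssh" || return 1
    chmod 600 "$home_dir/.ssh/authorized_keys" || return 1

    # -x whole-line match, -F fixed string: do not add a duplicate entry.
    if ! grep -qxF -- "$key_line" "$home_dir/.ssh/authorized_keys"; then
        printf '%s\n' "$key_line" >> "$home_dir/.ssh/authorized_keys"
    fi
}
```

Only the public key line is ever written on the server; the private key stays on the client.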