{ "mode": "man", "parameter": "ssh-copy-id", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/ssh-copy-id/1/json", "generated": "2026-06-13T21:39:13Z", "synopsis": "ssh-copy-id [-f] [-n] [-s] [-i [identityfile]] [-p port] [-o sshoption] [user@]hostname\nssh-copy-id -h | -?", "sections": { "NAME": { "content": "ssh-copy-id — use locally available keys to authorise logins on a remote machine\n", "subsections": [] }, "SYNOPSIS": { "content": "ssh-copy-id [-f] [-n] [-s] [-i [identityfile]] [-p port] [-o sshoption] [user@]hostname\nssh-copy-id -h | -?\n", "subsections": [] }, "DESCRIPTION": { "content": "ssh-copy-id is a script that uses ssh(1) to log into a remote machine (presumably using a login\npassword, so password authentication should be enabled, unless you've done some clever use of\nmultiple identities). It assembles a list of one or more fingerprints (as described below) and\ntries to log in with each key, to see if any of them are already installed (of course, if you\nare not using ssh-agent(1) this may result in you being repeatedly prompted for pass-phrases).\nIt then assembles a list of those that failed to log in, and using ssh, enables logins with\nthose keys on the remote server. By default it adds the keys by appending them to the remote\nuser's ~/.ssh/authorizedkeys (creating the file, and directory, if necessary). It is also ca‐\npable of detecting if the remote system is a NetScreen, and using its ‘set ssh pka-dsa key ...’\ncommand instead.\n\nThe options are as follows:\n", "subsections": [ { "name": "-i", "content": "Use only the key(s) contained in identityfile (rather than looking for identities via\nssh-add(1) or in the defaultIDfile). If the filename does not end in .pub this is\nadded. If the filename is omitted, the defaultIDfile is used.\n\nNote that this can be used to ensure that the keys copied have the comment one prefers\nand/or extra options applied, by ensuring that the key file has these set as preferred\nbefore the copy is attempted.\n", "flag": "-i" }, { "name": "-f", "content": "that it does not need the private key. Of course, this can result in more than one\ncopy of the key being installed on the remote system.\n", "flag": "-f" }, { "name": "-n", "content": "that would have been installed.\n", "flag": "-n" }, { "name": "-s", "content": "side. With this option the user's ~/.ssh/authorizedkeys file will be downloaded, mod‐\nified locally and uploaded with sftp. This option is useful if the server has restric‐\ntions on commands which can be used on the remote side.\n", "flag": "-s" }, { "name": "-h -", "content": "", "flag": "-h" }, { "name": "-p -o", "content": "These two options are simply passed through untouched, along with their argument, to\nallow one to set the port or other ssh(1) options, respectively.\n\nRather than specifying these as command line options, it is often better to use (per-\nhost) settings in ssh(1)'s configuration file: sshconfig(5).\n\nDefault behaviour without -i, is to check if ‘ssh-add -L’ provides any output, and if so those\nkeys are used. Note that this results in the comment on the key being the filename that was\ngiven to ssh-add(1) when the key was loaded into your ssh-agent(1) rather than the comment con‐\ntained in that file, which is a bit of a shame. Otherwise, if ssh-add(1) provides no keys con‐\ntents of the defaultIDfile will be used.\n\nThe defaultIDfile is the most recent file that matches: ~/.ssh/id*.pub, (excluding those that\nmatch ~/.ssh/*-cert.pub) so if you create a key that is not the one you want ssh-copy-id to\nuse, just use touch(1) on your preferred key's .pub file to reinstate it as the most recent.\n", "flag": "-o" } ] }, "EXAMPLES": { "content": "If you have already installed keys from one system on a lot of remote hosts, and you then cre‐\nate a new key, on a new client machine, say, it can be difficult to keep track of which systems\non which you've installed the new key. One way of dealing with this is to load both the new\nkey and old key(s) into your ssh-agent(1). Load the new key first, without the -c option, then\nload one or more old keys into the agent, possibly by ssh-ing to the client machine that has\nthat old key, using the -A option to allow agent forwarding:\n\nuser@newclient$ ssh-add\nuser@newclient$ ssh -A old.client\nuser@oldl$ ssh-add -c\n... prompt for pass-phrase ...\nuser@old$ logoff\nuser@newclient$ ssh someserver\n\nnow, if the new key is installed on the server, you'll be allowed in unprompted, whereas if you\nonly have the old key(s) enabled, you'll be asked for confirmation, which is your cue to log\nback out and run\n\nuser@newclient$ ssh-copy-id -i someserver\n\nThe reason you might want to specify the -i option in this case is to ensure that the comment\non the installed key is the one from the .pub file, rather than just the filename that was\nloaded into your agent. It also ensures that only the id you intended is installed, rather\nthan all the keys that you have in your ssh-agent(1). Of course, you can specify another id,\nor use the contents of the ssh-agent(1) as you prefer.\n\nHaving mentioned ssh-add(1)'s -c option, you might consider using this whenever using agent\nforwarding to avoid your key being hijacked, but it is much better to instead use ssh(1)'s\nProxyCommand and -W option, to bounce through remote servers while always doing direct end-to-\nend authentication. This way the middle hop(s) don't get access to your ssh-agent(1). A web\nsearch for ‘ssh proxycommand nc’ should prove enlightening (N.B. the modern approach is to use\nthe -W option, rather than nc(1)).\n", "subsections": [] }, "SEE ALSO": { "content": "ssh(1), ssh-agent(1), sshd(8)\n\nBSD June 17, 2010 BSD", "subsections": [] } }, "summary": "ssh-copy-id — use locally available keys to authorise logins on a remote machine", "flags": [ { "flag": "-i", "long": null, "arg": null, "description": "Use only the key(s) contained in identityfile (rather than looking for identities via ssh-add(1) or in the defaultIDfile). If the filename does not end in .pub this is added. If the filename is omitted, the defaultIDfile is used. Note that this can be used to ensure that the keys copied have the comment one prefers and/or extra options applied, by ensuring that the key file has these set as preferred before the copy is attempted." }, { "flag": "-f", "long": null, "arg": null, "description": "that it does not need the private key. Of course, this can result in more than one copy of the key being installed on the remote system." }, { "flag": "-n", "long": null, "arg": null, "description": "that would have been installed." }, { "flag": "-s", "long": null, "arg": null, "description": "side. With this option the user's ~/.ssh/authorizedkeys file will be downloaded, mod‐ ified locally and uploaded with sftp. This option is useful if the server has restric‐ tions on commands which can be used on the remote side." }, { "flag": "-h", "long": null, "arg": null, "description": "" }, { "flag": "-o", "long": null, "arg": null, "description": "These two options are simply passed through untouched, along with their argument, to allow one to set the port or other ssh(1) options, respectively. Rather than specifying these as command line options, it is often better to use (per- host) settings in ssh(1)'s configuration file: sshconfig(5). Default behaviour without -i, is to check if ‘ssh-add -L’ provides any output, and if so those keys are used. Note that this results in the comment on the key being the filename that was given to ssh-add(1) when the key was loaded into your ssh-agent(1) rather than the comment con‐ tained in that file, which is a bit of a shame. Otherwise, if ssh-add(1) provides no keys con‐ tents of the defaultIDfile will be used. The defaultIDfile is the most recent file that matches: ~/.ssh/id*.pub, (excluding those that match ~/.ssh/*-cert.pub) so if you create a key that is not the one you want ssh-copy-id to use, just use touch(1) on your preferred key's .pub file to reinstate it as the most recent." } ], "examples": [ "If you have already installed keys from one system on a lot of remote hosts, and you then cre‐", "ate a new key, on a new client machine, say, it can be difficult to keep track of which systems", "on which you've installed the new key. One way of dealing with this is to load both the new", "key and old key(s) into your ssh-agent(1). Load the new key first, without the -c option, then", "load one or more old keys into the agent, possibly by ssh-ing to the client machine that has", "that old key, using the -A option to allow agent forwarding:", "user@newclient$ ssh-add", "user@newclient$ ssh -A old.client", "user@oldl$ ssh-add -c", "... prompt for pass-phrase ...", "user@old$ logoff", "user@newclient$ ssh someserver", "now, if the new key is installed on the server, you'll be allowed in unprompted, whereas if you", "only have the old key(s) enabled, you'll be asked for confirmation, which is your cue to log", "back out and run", "user@newclient$ ssh-copy-id -i someserver", "The reason you might want to specify the -i option in this case is to ensure that the comment", "on the installed key is the one from the .pub file, rather than just the filename that was", "loaded into your agent. It also ensures that only the id you intended is installed, rather", "than all the keys that you have in your ssh-agent(1). Of course, you can specify another id,", "or use the contents of the ssh-agent(1) as you prefer.", "Having mentioned ssh-add(1)'s -c option, you might consider using this whenever using agent", "forwarding to avoid your key being hijacked, but it is much better to instead use ssh(1)'s", "ProxyCommand and -W option, to bounce through remote servers while always doing direct end-to-", "end authentication. This way the middle hop(s) don't get access to your ssh-agent(1). A web", "search for ‘ssh proxycommand nc’ should prove enlightening (N.B. the modern approach is to use", "the -W option, rather than nc(1))." ], "see_also": [ { "name": "ssh", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/ssh/1/json" }, { "name": "ssh-agent", "section": "1", "url": "https://www.chedong.com/phpMan.php/man/ssh-agent/1/json" }, { "name": "sshd", "section": "8", "url": "https://www.chedong.com/phpMan.php/man/sshd/8/json" } ], "tldr": { "source": "official", "description": "Install your public key in a remote machine's authorized_keys.", "examples": [ { "description": "Copy your keys to the remote machine", "command": "ssh-copy-id {{username}}@{{remote_host}}" }, { "description": "Copy the given public key to the remote", "command": "ssh-copy-id -i {{path/to/certificate}} {{username}}@{{remote_host}}" }, { "description": "Copy the given public key to the remote with specific port", "command": "ssh-copy-id -i {{path/to/certificate}} -p {{port}} {{username}}@{{remote_host}}" } ] } }