ssh-copy-id: Usage, Options & Common CI Errors
ssh-copy-id appends your public key to a remote host's authorized_keys.
ssh-copy-id is the convenience tool for enabling key-based login on a server. It is awkward in CI because it normally needs an interactive password for the first connection - so pipelines often template authorized_keys directly instead.
What it does
ssh-copy-id logs into a remote host (initially with a password) and appends a local public key to ~/.ssh/authorized_keys there, enabling subsequent passwordless key auth. It also sets safe permissions on the remote ~/.ssh and authorized_keys.
Common usage
ssh-copy-id -i ./deploy_key.pub user@host
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 user@host
ssh-copy-id -f -i ./key.pub user@host # skip the "already there" check
# CI without a password: provision the key out-of-band instead:
ssh user@host 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys' < ./deploy_key.pubOptions
| Flag | What it does |
|---|---|
| -i <file.pub> | Public key to install (defaults to id_rsa.pub) |
| -p <port> | Remote SSH port |
| -f | Force copy without checking for existing keys |
| -n | Dry run - print what would be installed |
Common errors in CI
ssh-copy-id prompts for the remote password on first use, which has no TTY in CI and hangs or fails with "Permission denied (publickey,password)" - CI usually cannot use it as-is; provision authorized_keys via a configuration-management step or a cloud user-data block instead. Passing a private key to -i installs the wrong thing - it must be the .pub. "WARNING: All keys were skipped because they already exist" is benign (use -f to re-add). Wrong remote ~/.ssh permissions (must be 700, authorized_keys 600) silently disable key auth - sshd ignores world-writable files.