Skip to content
Latchkey

ssh-copy-id: Usage, Options & Common CI Errors

ssh-copy-id appends your public key to a remote host's authorized_keys.

ssh-copy-id is the convenience tool for enabling key-based login on a server. It is awkward in CI because it normally needs an interactive password for the first connection - so pipelines often template authorized_keys directly instead.

What it does

ssh-copy-id logs into a remote host (initially with a password) and appends a local public key to ~/.ssh/authorized_keys there, enabling subsequent passwordless key auth. It also sets safe permissions on the remote ~/.ssh and authorized_keys.

Common usage

Terminal
ssh-copy-id -i ./deploy_key.pub user@host
ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 2222 user@host
ssh-copy-id -f -i ./key.pub user@host          # skip the "already there" check
# CI without a password: provision the key out-of-band instead:
ssh user@host 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys' < ./deploy_key.pub

Options

FlagWhat it does
-i <file.pub>Public key to install (defaults to id_rsa.pub)
-p <port>Remote SSH port
-fForce copy without checking for existing keys
-nDry run - print what would be installed

Common errors in CI

ssh-copy-id prompts for the remote password on first use, which has no TTY in CI and hangs or fails with "Permission denied (publickey,password)" - CI usually cannot use it as-is; provision authorized_keys via a configuration-management step or a cloud user-data block instead. Passing a private key to -i installs the wrong thing - it must be the .pub. "WARNING: All keys were skipped because they already exist" is benign (use -f to re-add). Wrong remote ~/.ssh permissions (must be 700, authorized_keys 600) silently disable key auth - sshd ignores world-writable files.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →