diff --git a/.gitignore b/.gitignore
index a8b42eb..fc586ce 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 *.retry
+ldap-password.txt
diff --git a/copy-keys.sh b/copy-keys.sh
new file mode 100755
index 0000000..e5343fd
--- /dev/null
+++ b/copy-keys.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -e
+
+# Grab valid unique hostnames from the Ansible inventory.
+HOSTS=$(grep -ve '^[#\[]' hosts \
+| grep -ve '^$' \
+| grep -F adm.auro.re \
+| grep -vf ssh-blacklist.txt \
+| sort -u)
+
+for host in $HOSTS; do
+  echo "Handling host $host"
+
+  # sshpass can be used for non-interactive password authentication.
+  # place your password in ldap-password.txt.
+  sshpass -f ldap-password.txt ssh-copy-id "$host"
+done
diff --git a/ssh-blacklist.txt b/ssh-blacklist.txt
new file mode 100644
index 0000000..248f525
--- /dev/null
+++ b/ssh-blacklist.txt
@@ -0,0 +1,4 @@
+ldap-replica-edc-backup.adm.auro.re
+ldap-replica-fleming-backup.adm.auro.re
+ldap-replica-gs.adm.auro.re
+ldap-replica-gs-backup.adm.auro.re