ssh-copy-id results in immediate lockout

[rcoder]

I can pull detailed logs if it would help, but the basic use case seems consistent with each of the ~half-dozen CL hosts I've deployed in the cloud:

1. SSH to a remote host using password auth for the normal installer-created user, then log out: ✅
2. Run ssh-copy-id to install the local client (ed25519) SSH public key into authorized_keys on the same host
3. ...watch the copy hang at INFO: 1 key(s) remain to be installed..., after which tallow has banned the client IP: 😢

I'm guessing there's a logfile parsing issue where the handshake used to query existing keys appears as a failed auth and results in the ban, but this exact workflow is part of how I bootstrap a new server or workstation so it's honestly a PITA that tallow locks me out 100% of the time when I do it, after which I have to log in via the actual server console and whitelist client IPs and flush firewall rules to unlock my access.