authordjm@openbsd.org <djm@openbsd.org>2018-02-23 05:14:05 +0000
committerDamien Miller <djm@mindrot.org>2018-02-23 17:00:52 +1100
commit1a348359e4d2876203b5255941bae348557f4f54 (patch)
tree261e9047facd8bd8213ca2c4f38389b334eb60b3
parent3e19fb976a47b44b3d7c4f8355269f7f2c5dd82c (diff)
upstream: Add ssh-keyscan -D option to make it print its results in
SSHFP format bz#2821, ok dtucker@ OpenBSD-Commit-ID: 831446b582e0f298ca15c9d99c415c899e392221
-rw-r--r--ssh-keyscan.116
-rw-r--r--ssh-keyscan.c20
2 files changed, 29 insertions, 7 deletions
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index aa4a2ae83..cdbce0b30 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keyscan.1,v 1.40 2017/05/02 17:04:09 jmc Exp $ 1.\" $OpenBSD: ssh-keyscan.1,v 1.41 2018/02/23 05:14:05 djm Exp $
2.\" 2.\"
3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4.\" 4.\"
@@ -6,7 +6,7 @@
6.\" permitted provided that due credit is given to the author and the 6.\" permitted provided that due credit is given to the author and the
7.\" OpenBSD project by leaving this copyright notice intact. 7.\" OpenBSD project by leaving this copyright notice intact.
8.\" 8.\"
9.Dd $Mdocdate: May 2 2017 $ 9.Dd $Mdocdate: February 23 2018 $
10.Dt SSH-KEYSCAN 1 10.Dt SSH-KEYSCAN 1
11.Os 11.Os
12.Sh NAME 12.Sh NAME
@@ -15,7 +15,7 @@
15.Sh SYNOPSIS 15.Sh SYNOPSIS
16.Nm ssh-keyscan 16.Nm ssh-keyscan
17.Bk -words 17.Bk -words
18.Op Fl 46cHv 18.Op Fl 46cDHv
19.Op Fl f Ar file 19.Op Fl f Ar file
20.Op Fl p Ar port 20.Op Fl p Ar port
21.Op Fl T Ar timeout 21.Op Fl T Ar timeout
@@ -56,6 +56,12 @@ Forces
56to use IPv6 addresses only. 56to use IPv6 addresses only.
57.It Fl c 57.It Fl c
58Request certificates from target hosts instead of plain keys. 58Request certificates from target hosts instead of plain keys.
59.It Fl D
60Print keys found as SSHFP DNS records.
61The default is to print keys in a format usable as a
62.Xr ssh 1
63.Pa known_hosts
64file.
59.It Fl f Ar file 65.It Fl f Ar file
60Read hosts or 66Read hosts or
61.Dq addrlist namelist 67.Dq addrlist namelist
@@ -159,6 +165,10 @@ $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
159.Sh SEE ALSO 165.Sh SEE ALSO
160.Xr ssh 1 , 166.Xr ssh 1 ,
161.Xr sshd 8 167.Xr sshd 8
168.%R RFC 4255
169.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
170.%D 2006
171.Re
162.Sh AUTHORS 172.Sh AUTHORS
163.An -nosplit 173.An -nosplit
164.An David Mazieres Aq Mt dm@lcs.mit.edu 174.An David Mazieres Aq Mt dm@lcs.mit.edu
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index a816a220e..15059f6fa 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keyscan.c,v 1.116 2017/11/25 06:46:22 dtucker Exp $ */ 1/* $OpenBSD: ssh-keyscan.c,v 1.117 2018/02/23 05:14:05 djm Exp $ */
2/* 2/*
3 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 3 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4 * 4 *
@@ -46,6 +46,7 @@
46#include "hostfile.h" 46#include "hostfile.h"
47#include "ssherr.h" 47#include "ssherr.h"
48#include "ssh_api.h" 48#include "ssh_api.h"
49#include "dns.h"
49 50
50/* Flag indicating whether IPv4 or IPv6. This can be set on the command line. 51/* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
51 Default value is AF_UNSPEC means both IPv4 and IPv6. */ 52 Default value is AF_UNSPEC means both IPv4 and IPv6. */
@@ -66,6 +67,8 @@ int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
66 67
67int hash_hosts = 0; /* Hash hostname on output */ 68int hash_hosts = 0; /* Hash hostname on output */
68 69
70int print_sshfp = 0; /* Print SSHFP records instead of known_hosts */
71
69#define MAXMAXFD 256 72#define MAXMAXFD 256
70 73
71/* The number of seconds after which to give up on a TCP connection */ 74/* The number of seconds after which to give up on a TCP connection */
@@ -280,6 +283,11 @@ keyprint_one(const char *host, struct sshkey *key)
280 char *hostport; 283 char *hostport;
281 const char *known_host, *hashed; 284 const char *known_host, *hashed;
282 285
286 if (print_sshfp) {
287 export_dns_rr(host, key, stdout, 0);
288 return;
289 }
290
283 hostport = put_host_port(host, ssh_port); 291 hostport = put_host_port(host, ssh_port);
284 lowercase(hostport); 292 lowercase(hostport);
285 if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL) 293 if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
@@ -497,7 +505,8 @@ congreet(int s)
497 confree(s); 505 confree(s);
498 return; 506 return;
499 } 507 }
500 fprintf(stderr, "# %s:%d %s\n", c->c_name, ssh_port, chop(buf)); 508 fprintf(stderr, "%c %s:%d %s\n", print_sshfp ? ';' : '#',
509 c->c_name, ssh_port, chop(buf));
501 keygrab_ssh2(c); 510 keygrab_ssh2(c);
502 confree(s); 511 confree(s);
503} 512}
@@ -621,7 +630,7 @@ static void
621usage(void) 630usage(void)
622{ 631{
623 fprintf(stderr, 632 fprintf(stderr,
624 "usage: %s [-46cHv] [-f file] [-p port] [-T timeout] [-t type]\n" 633 "usage: %s [-46cDHv] [-f file] [-p port] [-T timeout] [-t type]\n"
625 "\t\t [host | addrlist namelist] ...\n", 634 "\t\t [host | addrlist namelist] ...\n",
626 __progname); 635 __progname);
627 exit(1); 636 exit(1);
@@ -650,7 +659,7 @@ main(int argc, char **argv)
650 if (argc <= 1) 659 if (argc <= 1)
651 usage(); 660 usage();
652 661
653 while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) { 662 while ((opt = getopt(argc, argv, "cDHv46p:T:t:f:")) != -1) {
654 switch (opt) { 663 switch (opt) {
655 case 'H': 664 case 'H':
656 hash_hosts = 1; 665 hash_hosts = 1;
@@ -658,6 +667,9 @@ main(int argc, char **argv)
658 case 'c': 667 case 'c':
659 get_cert = 1; 668 get_cert = 1;
660 break; 669 break;
670 case 'D':
671 print_sshfp = 1;
672 break;
661 case 'p': 673 case 'p':
662 ssh_port = a2port(optarg); 674 ssh_port = a2port(optarg);
663 if (ssh_port <= 0) { 675 if (ssh_port <= 0) {
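Review bot: In the keyprint_one hunk the result of `export_dns_rr(host, key, stdout, 0)` is discarded, so a key type the SSHFP exporter does not handle (dns.h declares it with an int success return, as far as I recall) yields no record and no diagnostic while the scan still exits successfully; `if (!export_dns_rr(host, key, stdout, 0)) error("%s: could not export key as SSHFP record", host);` would make the gap visible, using whichever non-fatal logging helper this file already uses. The same early return means `-H` is silently ignored under `-D`, and the getopt loop in the main hunk accepts `-c` together with `-D` even though SSHFP records (RFC 4255, now cited in the man page) publish plain host keys rather than certificates, so either rejecting those combinations in usage() or documenting them in ssh-keyscan.1 would avoid surprising output. keyprint_one's body begins and ends outside the hunk, so I could not confirm whether host can be a raw address here, in which case the emitted owner name would not be a usable SSHFP record.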