upstream commit

Add "ssh-keyscan -c ..." flag to allow fetching
 certificates instead of plain keys; ok markus@

Upstream-ID: 0947e2177dba92339eced9e49d3c5bf7dda69f82

2 files changed, 42 insertions, 13 deletions

diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index 6bbc480cd..12eb5810b 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keyscan.1,v 1.36 2014/08/30 15:33:50 sobrado Exp $
+.\"     $OpenBSD: ssh-keyscan.1,v 1.37 2015/11/08 22:30:20 djm Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: August 30 2014 $
+.Dd $Mdocdate: November 8 2015 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@@ -15,7 +15,7 @@
 .Sh SYNOPSIS
 .Nm ssh-keyscan
 .Bk -words
-.Op Fl 46Hv
+.Op Fl 46Hcv
 .Op Fl f Ar file
 .Op Fl p Ar port
 .Op Fl T Ar timeout
@@ -54,6 +54,8 @@ to use IPv4 addresses only.
 Forces
 .Nm
 to use IPv6 addresses only.
+.It Fl c
+Request certificates from target hosts instead of plain keys.
 .It Fl f Ar file
 Read hosts or
 .Dq addrlist namelist
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 7db0e10e5..0e5ca609a 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.102 2015/10/24 22:56:19 djm Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.103 2015/11/08 22:30:20 djm Exp $ */
 /*
  * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
  *
@@ -60,6 +60,7 @@ int ssh_port = SSH_DEFAULT_PORT;
 #define KT_ECDSA        8
 #define KT_ED25519      16
 
+int get_cert = 0;
 int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
 
 int hash_hosts = 0;             /* Hash hostname on output */
@@ -267,11 +268,32 @@ keygrab_ssh2(con *c)
         int r;
 
         enable_compat20();
-        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
-            c->c_keytype == KT_DSA ?  "ssh-dss" :
-            (c->c_keytype == KT_RSA ? "ssh-rsa" :
-            (c->c_keytype == KT_ED25519 ? "ssh-ed25519" :
-            "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"));
+        switch (c->c_keytype) {
+        case KT_DSA:
+                myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+                    "ssh-dss-cert-v01@openssh.com" : "ssh-dss";
+                break;
+        case KT_RSA:
+                myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+                    "ssh-rsa-cert-v01@openssh.com" : "ssh-rsa";
+                break;
+        case KT_ED25519:
+                myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+                    "ssh-ed25519-cert-v01@openssh.com" : "ssh-ed25519";
+                break;
+        case KT_ECDSA:
+                myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+                    "ecdsa-sha2-nistp256-cert-v01@openssh.com,"
+                    "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
+                    "ecdsa-sha2-nistp521-cert-v01@openssh.com" :
+                    "ecdsa-sha2-nistp256,"
+                    "ecdsa-sha2-nistp384,"
+                    "ecdsa-sha2-nistp521";
+                break;
+        default:
+                fatal("unknown key type %d", c->c_keytype);
+                break;
+        }
         if ((r = kex_setup(c->c_ssh, myproposal)) != 0) {
                 free(c->c_ssh);
                 fprintf(stderr, "kex_setup: %s\n", ssh_err(r));
@@ -304,7 +326,8 @@ keyprint_one(char *host, struct sshkey *key)
                 fatal("host_hash failed");
 
         hostport = put_host_port(host, ssh_port);
-        fprintf(stdout, "%s ", hostport);
+        if (!get_cert)
+                fprintf(stdout, "%s ", hostport);
         sshkey_write(key, stdout);
         fputs("\n", stdout);
         free(hostport);
@@ -318,7 +341,7 @@ keyprint(con *c, struct sshkey *key)
 
         if (key == NULL)
                 return;
-        if (!hash_hosts && ssh_port == SSH_DEFAULT_PORT) {
+        if (get_cert || (!hash_hosts && ssh_port == SSH_DEFAULT_PORT)) {
                 keyprint_one(hosts, key);
                 return;
         }
@@ -384,6 +407,7 @@ conalloc(char *iname, char *oname, int keytype)
         if (fdcon[s].c_status)
                 fatal("conalloc: attempt to reuse fdno %d", s);
 
+        debug3("%s: oname %s kt %d", __func__, oname, keytype);
         fdcon[s].c_fd = s;
         fdcon[s].c_status = CS_CON;
         fdcon[s].c_namebase = namebase;
@@ -654,7 +678,7 @@ static void
 usage(void)
 {
         fprintf(stderr,
-            "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]\n"
+            "usage: %s [-46Hcv] [-f file] [-p port] [-T timeout] [-t type]\n"
             "\t\t   [host | addrlist namelist] ...\n",
             __progname);
         exit(1);
@@ -682,11 +706,14 @@ main(int argc, char **argv)
         if (argc <= 1)
                 usage();
 
-        while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) {
+        while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
                 switch (opt) {
                 case 'H':
                         hash_hosts = 1;
                         break;
+                case 'c':
+                        get_cert = 1;
+                        break;
                 case 'p':
                         ssh_port = a2port(optarg);
                         if (ssh_port <= 0) {