author | djm@openbsd.org <djm@openbsd.org> | 2018-02-23 05:14:05 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-02-23 17:00:52 +1100 |
commit | 1a348359e4d2876203b5255941bae348557f4f54 (patch) | |
tree | 261e9047facd8bd8213ca2c4f38389b334eb60b3 | |
parent | 3e19fb976a47b44b3d7c4f8355269f7f2c5dd82c (diff) |
upstream: Add ssh-keyscan -D option to make it print its results in
SSHFP format bz#2821, ok dtucker@
OpenBSD-Commit-ID: 831446b582e0f298ca15c9d99c415c899e392221
-rw-r--r-- | ssh-keyscan.1 | 16 | ||||
-rw-r--r-- | ssh-keyscan.c | 20 |
2 files changed, 29 insertions, 7 deletions
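--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keyscan.1,v 1.40 2017/05/02 17:04:09 jmc Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.41 2018/02/23 05:14:05 djm Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: May 2 2017 $
+.Dd $Mdocdate: February 23 2018 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@@ -15,7 +15,7 @@
 .Sh SYNOPSIS
 .Nm ssh-keyscan
 .Bk -words
-.Op Fl 46cHv
+.Op Fl 46cDHv
 .Op Fl f Ar file
 .Op Fl p Ar port
 .Op Fl T Ar timeout
@@ -56,6 +56,12 @@ Forces
 to use IPv6 addresses only.
 .It Fl c
 Request certificates from target hosts instead of plain keys.
+.It Fl D
+Print keys found as SSHFP DNS records.
+The default is to print keys in a format usable as a
+.Xr ssh 1
+.Pa known_hosts
+file.
 .It Fl f Ar file
 Read hosts or
 .Dq addrlist namelist
@@ -159,6 +165,10 @@ $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr sshd 8
+.%R RFC 4255
+.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
+.%D 2006
+.Re
 .Sh AUTHORS
 .An -nosplit
 .An David Mazieres Aq Mt dm@lcs.mit.edu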
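--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.116 2017/11/25 06:46:22 dtucker Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.117 2018/02/23 05:14:05 djm Exp $ */
 /*
 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 *
@@ -46,6 +46,7 @@
 #include "hostfile.h"
 #include "ssherr.h"
 #include "ssh_api.h"
+#include "dns.h"
 
 /* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
 Default value is AF_UNSPEC means both IPv4 and IPv6. */
@@ -66,6 +67,8 @@ int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
 
 int hash_hosts = 0; /* Hash hostname on output */
 
+int print_sshfp = 0; /* Print SSHFP records instead of known_hosts */
+
 #define MAXMAXFD 256
 
 /* The number of seconds after which to give up on a TCP connection */
@@ -280,6 +283,11 @@ keyprint_one(const char *host, struct sshkey *key)
 char *hostport;
 const char *known_host, *hashed;
 
+if (print_sshfp) {
+export_dns_rr(host, key, stdout, 0);
+return;
+}
+
 hostport = put_host_port(host, ssh_port);
 lowercase(hostport);
 if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
@@ -497,7 +505,8 @@ congreet(int s)
 confree(s);
 return;
 }
-fprintf(stderr, "# %s:%d %s\n", c->c_name, ssh_port, chop(buf));
+fprintf(stderr, "%c %s:%d %s\n", print_sshfp ? ';' : '#',
+c->c_name, ssh_port, chop(buf));
 keygrab_ssh2(c);
 confree(s);
 }
@@ -621,7 +630,7 @@ static void
 usage(void)
 {
 fprintf(stderr,
-"usage: %s [-46cHv] [-f file] [-p port] [-T timeout] [-t type]\n"
+"usage: %s [-46cDHv] [-f file] [-p port] [-T timeout] [-t type]\n"
 "\t\t [host | addrlist namelist] ...\n",
 __progname);
 exit(1);
@@ -650,7 +659,7 @@ main(int argc, char **argv)
 if (argc <= 1)
 usage();
 
-while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
+while ((opt = getopt(argc, argv, "cDHv46p:T:t:f:")) != -1) {
 switch (opt) {
 case 'H':
 hash_hosts = 1;
@@ -658,6 +667,9 @@ main(int argc, char **argv)
 case 'c':
 get_cert = 1;
 break;
+case 'D':
+print_sshfp = 1;
+break;
 case 'p':
 ssh_port = a2port(optarg);
 if (ssh_port <= 0) {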
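Review bot: In the keyprint_one hunk, the early `return` taken when print_sshfp is set skips the hash_hosts branch that follows it, so `-D -H` quietly emits unhashed records even though the getopt string and the usage text accept both flags together. That is presumably intended, since an SSHFP owner name cannot be hashed, but neither the code nor the new -D man page text says so; a comment above the branch, `/* SSHFP output carries the plain owner name; -H has no effect in this mode */`, or a warning in main when both flags are set, would make the interaction explicit. The int result of `export_dns_rr(host, key, stdout, 0)` is also dropped, so a key it cannot encode leaves no record for that host with the exit status unchanged — worth a stderr note keyed on the return value, if that return contract is confirmed. keyprint_one continues outside the hunk.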