- djm@cvs.openbsd.org 2011/10/18 05:00:48

     [ssh-add.1 ssh-add.c]
     new "ssh-add -k" option to load plain keys (skipping certificates);
     "looks ok" markus@

3 files changed, 27 insertions, 13 deletions

diff --git a/ChangeLog b/ChangeLog
index 583f88f22..1ff341719 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,10 @@
      [auth-options.c key.c]
      remove explict search for \0 in packet strings, this job is now done
      implicitly by buffer_get_cstring; ok markus
+   - djm@cvs.openbsd.org 2011/10/18 05:00:48
+     [ssh-add.1 ssh-add.c]
+     new "ssh-add -k" option to load plain keys (skipping certificates);
+     "looks ok" markus@
 
 20111001
  - (dtucker) [openbsd-compat/mktemp.c] Fix compiler warning.  ok djm
diff --git a/ssh-add.1 b/ssh-add.1
index fd48ff98f..aec620dea 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-add.1,v 1.55 2010/10/28 18:33:28 jmc Exp $
+.\"     $OpenBSD: ssh-add.1,v 1.56 2011/10/18 05:00:48 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 28 2010 $
+.Dd $Mdocdate: October 18 2011 $
 .Dt SSH-ADD 1
 .Os
 .Sh NAME
@@ -43,7 +43,7 @@
 .Nd adds private key identities to the authentication agent
 .Sh SYNOPSIS
 .Nm ssh-add
-.Op Fl cDdLlXx
+.Op Fl cDdkLlXx
 .Op Fl t Ar life
 .Op Ar
 .Nm ssh-add
@@ -110,6 +110,9 @@ and retry.
 .It Fl e Ar pkcs11
 Remove keys provided by the PKCS#11 shared library
 .Ar pkcs11 .
+.It Fl k
+When loading keys into the agent, load plain private keys only and skip
+certificates.
 .It Fl L
 Lists public key parameters of all identities currently represented
 by the agent.
diff --git a/ssh-add.c b/ssh-add.c
index 6d5e2a957..ea7619e6a 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.101 2011/05/04 21:15:29 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.102 2011/10/18 05:00:48 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -139,11 +139,11 @@ delete_all(AuthenticationConnection *ac)
 }
 
 static int
-add_file(AuthenticationConnection *ac, const char *filename)
+add_file(AuthenticationConnection *ac, const char *filename, int key_only)
 {
         Key *private, *cert;
         char *comment = NULL;
-        char msg[1024], *certpath;
+        char msg[1024], *certpath = NULL;
         int fd, perms_ok, ret = -1;
         Buffer keyblob;
 
@@ -219,6 +219,9 @@ add_file(AuthenticationConnection *ac, const char *filename)
                 fprintf(stderr, "Could not add identity: %s\n", filename);
         }
 
+        /* Skip trying to load the cert if requested */
+        if (key_only)
+                goto out;
 
         /* Now try to add the certificate flavour too */
         xasprintf(&certpath, "%s-cert.pub", filename);
@@ -253,7 +256,8 @@ add_file(AuthenticationConnection *ac, const char *filename)
         if (confirm != 0)
                 fprintf(stderr, "The user must confirm each use of the key\n");
  out:
-        xfree(certpath);
+        if (certpath != NULL)
+                xfree(certpath);
         xfree(comment);
         key_free(private);
 
@@ -347,13 +351,13 @@ lock_agent(AuthenticationConnection *ac, int lock)
 }
 
 static int
-do_file(AuthenticationConnection *ac, int deleting, char *file)
+do_file(AuthenticationConnection *ac, int deleting, int key_only, char *file)
 {
         if (deleting) {
                 if (delete_file(ac, file) == -1)
                         return -1;
         } else {
-                if (add_file(ac, file) == -1)
+                if (add_file(ac, file, key_only) == -1)
                         return -1;
         }
         return 0;
@@ -383,7 +387,7 @@ main(int argc, char **argv)
         extern int optind;
         AuthenticationConnection *ac = NULL;
         char *pkcs11provider = NULL;
-        int i, ch, deleting = 0, ret = 0;
+        int i, ch, deleting = 0, ret = 0, key_only = 0;
 
         /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
         sanitise_stdfd();
@@ -400,8 +404,11 @@ main(int argc, char **argv)
                     "Could not open a connection to your authentication agent.\n");
                 exit(2);
         }
-        while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
+        while ((ch = getopt(argc, argv, "klLcdDxXe:s:t:")) != -1) {
                 switch (ch) {
+                case 'k':
+                        key_only = 1;
+                        break;
                 case 'l':
                 case 'L':
                         if (list_identities(ac, ch == 'l' ? 1 : 0) == -1)
@@ -467,7 +474,7 @@ main(int argc, char **argv)
                             default_files[i]);
                         if (stat(buf, &st) < 0)
                                 continue;
-                        if (do_file(ac, deleting, buf) == -1)
+                        if (do_file(ac, deleting, key_only, buf) == -1)
                                 ret = 1;
                         else
                                 count++;
@@ -476,7 +483,7 @@ main(int argc, char **argv)
                         ret = 1;
         } else {
                 for (i = 0; i < argc; i++) {
-                        if (do_file(ac, deleting, argv[i]) == -1)
+                        if (do_file(ac, deleting, key_only, argv[i]) == -1)
                                 ret = 1;
                 }
         }