authorColin Watson <cjwatson@debian.org>2014-10-07 13:33:15 +0100
committerColin Watson <cjwatson@debian.org>2014-10-07 14:27:30 +0100
commitf0b009aea83e9ff3a50be30f51012099a5143c16 (patch)
tree3825e6f7e3b7ea4481d06ed89aba9a7a95150df5 /ssh-keygen.c
parent47f0bad4330b16ec3bad870fcf9839c196e42c12 (diff)
parent762c062828f5a8f6ed189ed6e44ad38fd92f8b36 (diff)
Merge 6.7p1.
* New upstream release (http://www.openssh.com/txt/release-6.7): - sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default. The full set of algorithms remains available if configured explicitly via the Ciphers and MACs sshd_config options. - ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket (closes: #236718). - ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519 key types. - sftp(1): Allow resumption of interrupted uploads. - ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange. - sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family. - sshd(8): Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option. - ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifier based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths. - sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success / failure messages. - Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is available. It considers time spent suspended, thereby ensuring timeouts (e.g. for expiring agent keys) fire correctly (closes: #734553). - Use prctl() to prevent sftp-server from accessing /proc/self/{mem,maps}. * Restore TCP wrappers support, removed upstream in 6.7. It is true that dropping this reduces preauth attack surface in sshd. 
On the other hand, this support seems to be quite widely used, and abruptly dropping it (from the perspective of users who don't read openssh-unix-dev) could easily cause more serious problems in practice. It's not entirely clear what the right long-term answer for Debian is, but it at least probably doesn't involve dropping this feature shortly before a freeze. * Replace patch to disable OpenSSL version check with an updated version of Kurt Roeckx's patch from #732940 to just avoid checking the status field.
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r--ssh-keygen.c194
1 files changed, 104 insertions, 90 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 2a316bcea..23058ee99 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keygen.c,v 1.241 2014/02/05 20:13:25 naddy Exp $ */ 1/* $OpenBSD: ssh-keygen.c,v 1.249 2014/07/03 03:47:27 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -165,7 +165,7 @@ int rounds = 0;
165/* argv0 */ 165/* argv0 */
166extern char *__progname; 166extern char *__progname;
167 167
168char hostname[MAXHOSTNAMELEN]; 168char hostname[NI_MAXHOST];
169 169
170/* moduli.c */ 170/* moduli.c */
171int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); 171int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
@@ -195,6 +195,7 @@ type_bits_valid(int type, u_int32_t *bitsp)
195 fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); 195 fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
196 exit(1); 196 exit(1);
197 } 197 }
198#ifdef WITH_OPENSSL
198 if (type == KEY_DSA && *bitsp != 1024) 199 if (type == KEY_DSA && *bitsp != 1024)
199 fatal("DSA keys must be 1024 bits"); 200 fatal("DSA keys must be 1024 bits");
200 else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) 201 else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
@@ -202,6 +203,7 @@ type_bits_valid(int type, u_int32_t *bitsp)
202 else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) 203 else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)
203 fatal("Invalid ECDSA key length - valid lengths are " 204 fatal("Invalid ECDSA key length - valid lengths are "
204 "256, 384 or 521 bits"); 205 "256, 384 or 521 bits");
206#endif
205} 207}
206 208
207static void 209static void
@@ -278,6 +280,7 @@ load_identity(char *filename)
278#define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----" 280#define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
279#define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb 281#define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb
280 282
283#ifdef WITH_OPENSSL
281static void 284static void
282do_convert_to_ssh2(struct passwd *pw, Key *k) 285do_convert_to_ssh2(struct passwd *pw, Key *k)
283{ 286{
@@ -408,7 +411,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
408 Buffer b; 411 Buffer b;
409 Key *key = NULL; 412 Key *key = NULL;
410 char *type, *cipher; 413 char *type, *cipher;
411 u_char *sig, data[] = "abcde12345"; 414 u_char *sig = NULL, data[] = "abcde12345";
412 int magic, rlen, ktype, i1, i2, i3, i4; 415 int magic, rlen, ktype, i1, i2, i3, i4;
413 u_int slen; 416 u_int slen;
414 u_long e; 417 u_long e;
@@ -479,7 +482,9 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
479 buffer_get_bignum_bits(&b, key->rsa->iqmp); 482 buffer_get_bignum_bits(&b, key->rsa->iqmp);
480 buffer_get_bignum_bits(&b, key->rsa->q); 483 buffer_get_bignum_bits(&b, key->rsa->q);
481 buffer_get_bignum_bits(&b, key->rsa->p); 484 buffer_get_bignum_bits(&b, key->rsa->p);
482 rsa_generate_additional_parameters(key->rsa); 485 if (rsa_generate_additional_parameters(key->rsa) != 0)
486 fatal("%s: rsa_generate_additional_parameters "
487 "error", __func__);
483 break; 488 break;
484 } 489 }
485 rlen = buffer_len(&b); 490 rlen = buffer_len(&b);
@@ -711,6 +716,7 @@ do_convert_from(struct passwd *pw)
711 key_free(k); 716 key_free(k);
712 exit(0); 717 exit(0);
713} 718}
719#endif
714 720
715static void 721static void
716do_print_public(struct passwd *pw) 722do_print_public(struct passwd *pw)
@@ -981,7 +987,7 @@ do_gen_all_hostkeys(struct passwd *pw)
981} 987}
982 988
983static void 989static void
984printhost(FILE *f, const char *name, Key *public, int ca, int hash) 990printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash)
985{ 991{
986 if (print_fingerprint) { 992 if (print_fingerprint) {
987 enum fp_rep rep; 993 enum fp_rep rep;
@@ -1001,7 +1007,8 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash)
1001 } else { 1007 } else {
1002 if (hash && (name = host_hash(name, NULL, 0)) == NULL) 1008 if (hash && (name = host_hash(name, NULL, 0)) == NULL)
1003 fatal("hash_host failed"); 1009 fatal("hash_host failed");
1004 fprintf(f, "%s%s%s ", ca ? CA_MARKER : "", ca ? " " : "", name); 1010 fprintf(f, "%s%s%s ", ca ? CA_MARKER " " : "",
1011 revoked ? REVOKE_MARKER " " : "" , name);
1005 if (!key_write(public, f)) 1012 if (!key_write(public, f))
1006 fatal("key_write failed"); 1013 fatal("key_write failed");
1007 fprintf(f, "\n"); 1014 fprintf(f, "\n");
@@ -1016,7 +1023,7 @@ do_known_hosts(struct passwd *pw, const char *name)
1016 char *cp, *cp2, *kp, *kp2; 1023 char *cp, *cp2, *kp, *kp2;
1017 char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN]; 1024 char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN];
1018 int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; 1025 int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0;
1019 int ca; 1026 int ca, revoked;
1020 int found_key = 0; 1027 int found_key = 0;
1021 1028
1022 if (!have_identity) { 1029 if (!have_identity) {
@@ -1030,6 +1037,7 @@ do_known_hosts(struct passwd *pw, const char *name)
1030 if ((in = fopen(identity_file, "r")) == NULL) 1037 if ((in = fopen(identity_file, "r")) == NULL)
1031 fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); 1038 fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
1032 1039
1040 /* XXX this code is a mess; refactor -djm */
1033 /* 1041 /*
1034 * Find hosts goes to stdout, hash and deletions happen in-place 1042 * Find hosts goes to stdout, hash and deletions happen in-place
1035 * A corner case is ssh-keygen -HF foo, which should go to stdout 1043 * A corner case is ssh-keygen -HF foo, which should go to stdout
@@ -1073,7 +1081,7 @@ do_known_hosts(struct passwd *pw, const char *name)
1073 fprintf(out, "%s\n", cp); 1081 fprintf(out, "%s\n", cp);
1074 continue; 1082 continue;
1075 } 1083 }
1076 /* Check whether this is a CA key */ 1084 /* Check whether this is a CA key or revocation marker */
1077 if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 && 1085 if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 &&
1078 (cp[sizeof(CA_MARKER) - 1] == ' ' || 1086 (cp[sizeof(CA_MARKER) - 1] == ' ' ||
1079 cp[sizeof(CA_MARKER) - 1] == '\t')) { 1087 cp[sizeof(CA_MARKER) - 1] == '\t')) {
@@ -1081,6 +1089,14 @@ do_known_hosts(struct passwd *pw, const char *name)
1081 cp += sizeof(CA_MARKER); 1089 cp += sizeof(CA_MARKER);
1082 } else 1090 } else
1083 ca = 0; 1091 ca = 0;
1092 if (strncasecmp(cp, REVOKE_MARKER,
1093 sizeof(REVOKE_MARKER) - 1) == 0 &&
1094 (cp[sizeof(REVOKE_MARKER) - 1] == ' ' ||
1095 cp[sizeof(REVOKE_MARKER) - 1] == '\t')) {
1096 revoked = 1;
1097 cp += sizeof(REVOKE_MARKER);
1098 } else
1099 revoked = 0;
1084 1100
1085 /* Find the end of the host name portion. */ 1101 /* Find the end of the host name portion. */
1086 for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++) 1102 for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++)
@@ -1124,20 +1140,23 @@ do_known_hosts(struct passwd *pw, const char *name)
1124 printf("# Host %s found: " 1140 printf("# Host %s found: "
1125 "line %d type %s%s\n", name, 1141 "line %d type %s%s\n", name,
1126 num, key_type(pub), 1142 num, key_type(pub),
1127 ca ? " (CA key)" : ""); 1143 ca ? " (CA key)" :
1128 printhost(out, cp, pub, ca, 0); 1144 revoked? " (revoked)" : "");
1145 printhost(out, cp, pub, ca, revoked, 0);
1129 found_key = 1; 1146 found_key = 1;
1130 } 1147 }
1131 if (delete_host) { 1148 if (delete_host) {
1132 if (!c && !ca) 1149 if (!c || ca || revoked) {
1133 printhost(out, cp, pub, ca, 0); 1150 printhost(out, cp, pub,
1134 else 1151 ca, revoked, 0);
1152 } else {
1135 printf("# Host %s found: " 1153 printf("# Host %s found: "
1136 "line %d type %s\n", name, 1154 "line %d type %s\n", name,
1137 num, key_type(pub)); 1155 num, key_type(pub));
1156 }
1138 } 1157 }
1139 } else if (hash_hosts) 1158 } else if (hash_hosts)
1140 printhost(out, cp, pub, ca, 0); 1159 printhost(out, cp, pub, ca, revoked, 0);
1141 } else { 1160 } else {
1142 if (find_host || delete_host) { 1161 if (find_host || delete_host) {
1143 c = (match_hostname(name, cp, 1162 c = (match_hostname(name, cp,
@@ -1148,38 +1167,43 @@ do_known_hosts(struct passwd *pw, const char *name)
1148 "line %d type %s%s\n", name, 1167 "line %d type %s%s\n", name,
1149 num, key_type(pub), 1168 num, key_type(pub),
1150 ca ? " (CA key)" : ""); 1169 ca ? " (CA key)" : "");
1151 printhost(out, name, pub, 1170 printhost(out, name, pub, ca, revoked,
1152 ca, hash_hosts && !ca); 1171 hash_hosts && !(ca || revoked));
1153 found_key = 1; 1172 found_key = 1;
1154 } 1173 }
1155 if (delete_host) { 1174 if (delete_host) {
1156 if (!c && !ca) 1175 if (!c || ca || revoked) {
1157 printhost(out, cp, pub, ca, 0); 1176 printhost(out, cp, pub,
1158 else 1177 ca, revoked, 0);
1178 } else {
1159 printf("# Host %s found: " 1179 printf("# Host %s found: "
1160 "line %d type %s\n", name, 1180 "line %d type %s\n", name,
1161 num, key_type(pub)); 1181 num, key_type(pub));
1182 }
1162 } 1183 }
1184 } else if (hash_hosts && (ca || revoked)) {
1185 /* Don't hash CA and revoked keys' hostnames */
1186 printhost(out, cp, pub, ca, revoked, 0);
1187 has_unhashed = 1;
1163 } else if (hash_hosts) { 1188 } else if (hash_hosts) {
1189 /* Hash each hostname separately */
1164 for (cp2 = strsep(&cp, ","); 1190 for (cp2 = strsep(&cp, ",");
1165 cp2 != NULL && *cp2 != '\0'; 1191 cp2 != NULL && *cp2 != '\0';
1166 cp2 = strsep(&cp, ",")) { 1192 cp2 = strsep(&cp, ",")) {
1167 if (ca) { 1193 if (strcspn(cp2, "*?!") !=
1168 fprintf(stderr, "Warning: "
1169 "ignoring CA key for host: "
1170 "%.64s\n", cp2);
1171 printhost(out, cp2, pub, ca, 0);
1172 } else if (strcspn(cp2, "*?!") !=
1173 strlen(cp2)) { 1194 strlen(cp2)) {
1174 fprintf(stderr, "Warning: " 1195 fprintf(stderr, "Warning: "
1175 "ignoring host name with " 1196 "ignoring host name with "
1176 "metacharacters: %.64s\n", 1197 "metacharacters: %.64s\n",
1177 cp2); 1198 cp2);
1178 printhost(out, cp2, pub, ca, 0); 1199 printhost(out, cp2, pub, ca,
1179 } else 1200 revoked, 0);
1180 printhost(out, cp2, pub, ca, 1); 1201 has_unhashed = 1;
1202 } else {
1203 printhost(out, cp2, pub, ca,
1204 revoked, 1);
1205 }
1181 } 1206 }
1182 has_unhashed = 1;
1183 } 1207 }
1184 } 1208 }
1185 key_free(pub); 1209 key_free(pub);
@@ -1589,7 +1613,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1589 } 1613 }
1590 } 1614 }
1591 1615
1616#ifdef ENABLE_PKCS11
1592 pkcs11_init(1); 1617 pkcs11_init(1);
1618#endif
1593 tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); 1619 tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
1594 if (pkcs11provider != NULL) { 1620 if (pkcs11provider != NULL) {
1595 if ((ca = load_pkcs11_key(tmp)) == NULL) 1621 if ((ca = load_pkcs11_key(tmp)) == NULL)
@@ -1631,12 +1657,12 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1631 public->cert->valid_after = cert_valid_from; 1657 public->cert->valid_after = cert_valid_from;
1632 public->cert->valid_before = cert_valid_to; 1658 public->cert->valid_before = cert_valid_to;
1633 if (v00) { 1659 if (v00) {
1634 prepare_options_buf(&public->cert->critical, 1660 prepare_options_buf(public->cert->critical,
1635 OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); 1661 OPTIONS_CRITICAL|OPTIONS_EXTENSIONS);
1636 } else { 1662 } else {
1637 prepare_options_buf(&public->cert->critical, 1663 prepare_options_buf(public->cert->critical,
1638 OPTIONS_CRITICAL); 1664 OPTIONS_CRITICAL);
1639 prepare_options_buf(&public->cert->extensions, 1665 prepare_options_buf(public->cert->extensions,
1640 OPTIONS_EXTENSIONS); 1666 OPTIONS_EXTENSIONS);
1641 } 1667 }
1642 public->cert->signature_key = key_from_private(ca); 1668 public->cert->signature_key = key_from_private(ca);
@@ -1672,7 +1698,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
1672 key_free(public); 1698 key_free(public);
1673 free(out); 1699 free(out);
1674 } 1700 }
1701#ifdef ENABLE_PKCS11
1675 pkcs11_terminate(); 1702 pkcs11_terminate();
1703#endif
1676 exit(0); 1704 exit(0);
1677} 1705}
1678 1706
@@ -1820,8 +1848,8 @@ add_cert_option(char *opt)
1820static void 1848static void
1821show_options(const Buffer *optbuf, int v00, int in_critical) 1849show_options(const Buffer *optbuf, int v00, int in_critical)
1822{ 1850{
1823 char *name; 1851 char *name, *arg;
1824 u_char *data; 1852 const u_char *data;
1825 u_int dlen; 1853 u_int dlen;
1826 Buffer options, option; 1854 Buffer options, option;
1827 1855
@@ -1844,9 +1872,9 @@ show_options(const Buffer *optbuf, int v00, int in_critical)
1844 else if ((v00 || in_critical) && 1872 else if ((v00 || in_critical) &&
1845 (strcmp(name, "force-command") == 0 || 1873 (strcmp(name, "force-command") == 0 ||
1846 strcmp(name, "source-address") == 0)) { 1874 strcmp(name, "source-address") == 0)) {
1847 data = buffer_get_string(&option, NULL); 1875 arg = buffer_get_cstring(&option, NULL);
1848 printf(" %s\n", data); 1876 printf(" %s\n", arg);
1849 free(data); 1877 free(arg);
1850 } else { 1878 } else {
1851 printf(" UNKNOWN OPTION (len %u)\n", 1879 printf(" UNKNOWN OPTION (len %u)\n",
1852 buffer_len(&option)); 1880 buffer_len(&option));
@@ -1905,24 +1933,25 @@ do_show_cert(struct passwd *pw)
1905 printf("\n"); 1933 printf("\n");
1906 } 1934 }
1907 printf(" Critical Options: "); 1935 printf(" Critical Options: ");
1908 if (buffer_len(&key->cert->critical) == 0) 1936 if (buffer_len(key->cert->critical) == 0)
1909 printf("(none)\n"); 1937 printf("(none)\n");
1910 else { 1938 else {
1911 printf("\n"); 1939 printf("\n");
1912 show_options(&key->cert->critical, v00, 1); 1940 show_options(key->cert->critical, v00, 1);
1913 } 1941 }
1914 if (!v00) { 1942 if (!v00) {
1915 printf(" Extensions: "); 1943 printf(" Extensions: ");
1916 if (buffer_len(&key->cert->extensions) == 0) 1944 if (buffer_len(key->cert->extensions) == 0)
1917 printf("(none)\n"); 1945 printf("(none)\n");
1918 else { 1946 else {
1919 printf("\n"); 1947 printf("\n");
1920 show_options(&key->cert->extensions, v00, 0); 1948 show_options(key->cert->extensions, v00, 0);
1921 } 1949 }
1922 } 1950 }
1923 exit(0); 1951 exit(0);
1924} 1952}
1925 1953
1954#ifdef WITH_OPENSSL
1926static void 1955static void
1927load_krl(const char *path, struct ssh_krl **krlp) 1956load_krl(const char *path, struct ssh_krl **krlp)
1928{ 1957{
@@ -2145,60 +2174,40 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
2145 ssh_krl_free(krl); 2174 ssh_krl_free(krl);
2146 exit(ret); 2175 exit(ret);
2147} 2176}
2177#endif
2148 2178
2149static void 2179static void
2150usage(void) 2180usage(void)
2151{ 2181{
2152 fprintf(stderr, "usage: %s [options]\n", __progname); 2182 fprintf(stderr,
2153 fprintf(stderr, "Options:\n"); 2183 "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]\n"
2154 fprintf(stderr, " -A Generate non-existent host keys for all key types.\n"); 2184 " [-N new_passphrase] [-C comment] [-f output_keyfile]\n"
2155 fprintf(stderr, " -a number Number of KDF rounds for new key format or moduli primality tests.\n"); 2185 " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n"
2156 fprintf(stderr, " -B Show bubblebabble digest of key file.\n"); 2186 " ssh-keygen -i [-m key_format] [-f input_keyfile]\n"
2157 fprintf(stderr, " -b bits Number of bits in the key to create.\n"); 2187 " ssh-keygen -e [-m key_format] [-f input_keyfile]\n"
2158 fprintf(stderr, " -C comment Provide new comment.\n"); 2188 " ssh-keygen -y [-f input_keyfile]\n"
2159 fprintf(stderr, " -c Change comment in private and public key files.\n"); 2189 " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"
2190 " ssh-keygen -l [-f input_keyfile]\n"
2191 " ssh-keygen -B [-f input_keyfile]\n");
2160#ifdef ENABLE_PKCS11 2192#ifdef ENABLE_PKCS11
2161 fprintf(stderr, " -D pkcs11 Download public key from pkcs11 token.\n"); 2193 fprintf(stderr,
2194 " ssh-keygen -D pkcs11\n");
2162#endif 2195#endif
2163 fprintf(stderr, " -e Export OpenSSH to foreign format key file.\n"); 2196 fprintf(stderr,
2164 fprintf(stderr, " -F hostname Find hostname in known hosts file.\n"); 2197 " ssh-keygen -F hostname [-f known_hosts_file] [-l]\n"
2165 fprintf(stderr, " -f filename Filename of the key file.\n"); 2198 " ssh-keygen -H [-f known_hosts_file]\n"
2166 fprintf(stderr, " -G file Generate candidates for DH-GEX moduli.\n"); 2199 " ssh-keygen -R hostname [-f known_hosts_file]\n"
2167 fprintf(stderr, " -g Use generic DNS resource record format.\n"); 2200 " ssh-keygen -r hostname [-f input_keyfile] [-g]\n"
2168 fprintf(stderr, " -H Hash names in known_hosts file.\n"); 2201 " ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]\n"
2169 fprintf(stderr, " -h Generate host certificate instead of a user certificate.\n"); 2202 " ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n"
2170 fprintf(stderr, " -I key_id Key identifier to include in certificate.\n"); 2203 " [-j start_line] [-K checkpt] [-W generator]\n"
2171 fprintf(stderr, " -i Import foreign format to OpenSSH key file.\n"); 2204 " ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]\n"
2172 fprintf(stderr, " -J number Screen this number of moduli lines.\n"); 2205 " [-O option] [-V validity_interval] [-z serial_number] file ...\n"
2173 fprintf(stderr, " -j number Start screening moduli at specified line.\n"); 2206 " ssh-keygen -L [-f input_keyfile]\n"
2174 fprintf(stderr, " -K checkpt Write checkpoints to this file.\n"); 2207 " ssh-keygen -A\n"
2175 fprintf(stderr, " -k Generate a KRL file.\n"); 2208 " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n"
2176 fprintf(stderr, " -L Print the contents of a certificate.\n"); 2209 " file ...\n"
2177 fprintf(stderr, " -l Show fingerprint of key file.\n"); 2210 " ssh-keygen -Q -f krl_file file ...\n");
2178 fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");
2179 fprintf(stderr, " -m key_fmt Conversion format for -e/-i (PEM|PKCS8|RFC4716).\n");
2180 fprintf(stderr, " -N phrase Provide new passphrase.\n");
2181 fprintf(stderr, " -n name,... User/host principal names to include in certificate\n");
2182 fprintf(stderr, " -O option Specify a certificate option.\n");
2183 fprintf(stderr, " -o Enforce new private key format.\n");
2184 fprintf(stderr, " -P phrase Provide old passphrase.\n");
2185 fprintf(stderr, " -p Change passphrase of private key file.\n");
2186 fprintf(stderr, " -Q Test whether key(s) are revoked in KRL.\n");
2187 fprintf(stderr, " -q Quiet.\n");
2188 fprintf(stderr, " -R hostname Remove host from known_hosts file.\n");
2189 fprintf(stderr, " -r hostname Print DNS resource record.\n");
2190 fprintf(stderr, " -S start Start point (hex) for generating DH-GEX moduli.\n");
2191 fprintf(stderr, " -s ca_key Certify keys with CA key.\n");
2192 fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n");
2193 fprintf(stderr, " -t type Specify type of key to create.\n");
2194 fprintf(stderr, " -u Update KRL rather than creating a new one.\n");
2195 fprintf(stderr, " -V from:to Specify certificate validity interval.\n");
2196 fprintf(stderr, " -v Verbose.\n");
2197 fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n");
2198 fprintf(stderr, " -y Read private key file and print public key.\n");
2199 fprintf(stderr, " -Z cipher Specify a cipher for new private key format.\n");
2200 fprintf(stderr, " -z serial Specify a serial number.\n");
2201
2202 exit(1); 2211 exit(1);
2203} 2212}
2204 2213
@@ -2469,6 +2478,7 @@ main(int argc, char **argv)
2469 printf("Cannot use -l with -H or -R.\n"); 2478 printf("Cannot use -l with -H or -R.\n");
2470 usage(); 2479 usage();
2471 } 2480 }
2481#ifdef WITH_OPENSSL
2472 if (gen_krl) { 2482 if (gen_krl) {
2473 do_gen_krl(pw, update_krl, argc, argv); 2483 do_gen_krl(pw, update_krl, argc, argv);
2474 return (0); 2484 return (0);
@@ -2477,6 +2487,7 @@ main(int argc, char **argv)
2477 do_check_krl(pw, argc, argv); 2487 do_check_krl(pw, argc, argv);
2478 return (0); 2488 return (0);
2479 } 2489 }
2490#endif
2480 if (ca_key_path != NULL) { 2491 if (ca_key_path != NULL) {
2481 if (cert_key_id == NULL) 2492 if (cert_key_id == NULL)
2482 fatal("Must specify key id (-I) when certifying"); 2493 fatal("Must specify key id (-I) when certifying");
@@ -2494,10 +2505,12 @@ main(int argc, char **argv)
2494 do_change_passphrase(pw); 2505 do_change_passphrase(pw);
2495 if (change_comment) 2506 if (change_comment)
2496 do_change_comment(pw); 2507 do_change_comment(pw);
2508#ifdef WITH_OPENSSL
2497 if (convert_to) 2509 if (convert_to)
2498 do_convert_to(pw); 2510 do_convert_to(pw);
2499 if (convert_from) 2511 if (convert_from)
2500 do_convert_from(pw); 2512 do_convert_from(pw);
2513#endif
2501 if (print_public) 2514 if (print_public)
2502 do_print_public(pw); 2515 do_print_public(pw);
2503 if (rr_hostname != NULL) { 2516 if (rr_hostname != NULL) {
@@ -2519,7 +2532,8 @@ main(int argc, char **argv)
2519 _PATH_HOST_DSA_KEY_FILE, rr_hostname); 2532 _PATH_HOST_DSA_KEY_FILE, rr_hostname);
2520 n += do_print_resource_record(pw, 2533 n += do_print_resource_record(pw,
2521 _PATH_HOST_ECDSA_KEY_FILE, rr_hostname); 2534 _PATH_HOST_ECDSA_KEY_FILE, rr_hostname);
2522 2535 n += do_print_resource_record(pw,
2536 _PATH_HOST_ED25519_KEY_FILE, rr_hostname);
2523 if (n == 0) 2537 if (n == 0)
2524 fatal("no keys found."); 2538 fatal("no keys found.");
2525 exit(0); 2539 exit(0);