author | Colin Watson <cjwatson@debian.org> | 2014-10-07 13:33:15 +0100 |
committer | Colin Watson <cjwatson@debian.org> | 2014-10-07 14:27:30 +0100 |
commit | f0b009aea83e9ff3a50be30f51012099a5143c16 (patch) | |
tree | 3825e6f7e3b7ea4481d06ed89aba9a7a95150df5 /ssh-keygen.c | |
parent | 47f0bad4330b16ec3bad870fcf9839c196e42c12 (diff) | |
parent | 762c062828f5a8f6ed189ed6e44ad38fd92f8b36 (diff) |
Merge 6.7p1.
* New upstream release (http://www.openssh.com/txt/release-6.7):
- sshd(8): The default set of ciphers and MACs has been altered to
remove unsafe algorithms. In particular, CBC ciphers and arcfour* are
disabled by default. The full set of algorithms remains available if
configured explicitly via the Ciphers and MACs sshd_config options.
- ssh(1), sshd(8): Add support for Unix domain socket forwarding. A
remote TCP port may be forwarded to a local Unix domain socket and
vice versa or both ends may be a Unix domain socket (closes: #236718).
- ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for ED25519
key types.
- sftp(1): Allow resumption of interrupted uploads.
- ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is
the same as the one sent during initial key exchange.
- sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses
when GatewayPorts=no; allows client to choose address family.
- sshd(8): Add a sshd_config PermitUserRC option to control whether
~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys
option.
- ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that
expands to a unique identifier based on a hash of the tuple of (local
host, remote user, hostname, port). Helps avoid exceeding miserly
pathname limits for Unix domain sockets in multiplexing control paths.
- sshd(8): Make the "Too many authentication failures" message include
the user, source address, port and protocol in a format similar to the
authentication success / failure messages.
- Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC when it is
available. It considers time spent suspended, thereby ensuring
timeouts (e.g. for expiring agent keys) fire correctly (closes:
#734553).
- Use prctl() to prevent sftp-server from accessing
/proc/self/{mem,maps}.
* Restore TCP wrappers support, removed upstream in 6.7. It is true that
dropping this reduces preauth attack surface in sshd. On the other
hand, this support seems to be quite widely used, and abruptly dropping
it (from the perspective of users who don't read openssh-unix-dev) could
easily cause more serious problems in practice. It's not entirely clear
what the right long-term answer for Debian is, but it at least probably
doesn't involve dropping this feature shortly before a freeze.
* Replace patch to disable OpenSSL version check with an updated version
of Kurt Roeckx's patch from #732940 to just avoid checking the status
field.
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 194 |
1 files changed, 104 insertions, 90 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index 2a316bcea..23058ee99 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-keygen.c,v 1.241 2014/02/05 20:13:25 naddy Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.249 2014/07/03 03:47:27 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -165,7 +165,7 @@ int rounds = 0; | |||
165 | /* argv0 */ | 165 | /* argv0 */ |
166 | extern char *__progname; | 166 | extern char *__progname; |
167 | 167 | ||
168 | char hostname[MAXHOSTNAMELEN]; | 168 | char hostname[NI_MAXHOST]; |
169 | 169 | ||
170 | /* moduli.c */ | 170 | /* moduli.c */ |
171 | int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); | 171 | int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); |
@@ -195,6 +195,7 @@ type_bits_valid(int type, u_int32_t *bitsp) | |||
195 | fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); | 195 | fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); |
196 | exit(1); | 196 | exit(1); |
197 | } | 197 | } |
198 | #ifdef WITH_OPENSSL | ||
198 | if (type == KEY_DSA && *bitsp != 1024) | 199 | if (type == KEY_DSA && *bitsp != 1024) |
199 | fatal("DSA keys must be 1024 bits"); | 200 | fatal("DSA keys must be 1024 bits"); |
200 | else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) | 201 | else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) |
@@ -202,6 +203,7 @@ type_bits_valid(int type, u_int32_t *bitsp) | |||
202 | else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) | 203 | else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) |
203 | fatal("Invalid ECDSA key length - valid lengths are " | 204 | fatal("Invalid ECDSA key length - valid lengths are " |
204 | "256, 384 or 521 bits"); | 205 | "256, 384 or 521 bits"); |
206 | #endif | ||
205 | } | 207 | } |
206 | 208 | ||
207 | static void | 209 | static void |
@@ -278,6 +280,7 @@ load_identity(char *filename) | |||
278 | #define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----" | 280 | #define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----" |
279 | #define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb | 281 | #define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb |
280 | 282 | ||
283 | #ifdef WITH_OPENSSL | ||
281 | static void | 284 | static void |
282 | do_convert_to_ssh2(struct passwd *pw, Key *k) | 285 | do_convert_to_ssh2(struct passwd *pw, Key *k) |
283 | { | 286 | { |
@@ -408,7 +411,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) | |||
408 | Buffer b; | 411 | Buffer b; |
409 | Key *key = NULL; | 412 | Key *key = NULL; |
410 | char *type, *cipher; | 413 | char *type, *cipher; |
411 | u_char *sig, data[] = "abcde12345"; | 414 | u_char *sig = NULL, data[] = "abcde12345"; |
412 | int magic, rlen, ktype, i1, i2, i3, i4; | 415 | int magic, rlen, ktype, i1, i2, i3, i4; |
413 | u_int slen; | 416 | u_int slen; |
414 | u_long e; | 417 | u_long e; |
@@ -479,7 +482,9 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) | |||
479 | buffer_get_bignum_bits(&b, key->rsa->iqmp); | 482 | buffer_get_bignum_bits(&b, key->rsa->iqmp); |
480 | buffer_get_bignum_bits(&b, key->rsa->q); | 483 | buffer_get_bignum_bits(&b, key->rsa->q); |
481 | buffer_get_bignum_bits(&b, key->rsa->p); | 484 | buffer_get_bignum_bits(&b, key->rsa->p); |
482 | rsa_generate_additional_parameters(key->rsa); | 485 | if (rsa_generate_additional_parameters(key->rsa) != 0) |
486 | fatal("%s: rsa_generate_additional_parameters " | ||
487 | "error", __func__); | ||
483 | break; | 488 | break; |
484 | } | 489 | } |
485 | rlen = buffer_len(&b); | 490 | rlen = buffer_len(&b); |
@@ -711,6 +716,7 @@ do_convert_from(struct passwd *pw) | |||
711 | key_free(k); | 716 | key_free(k); |
712 | exit(0); | 717 | exit(0); |
713 | } | 718 | } |
719 | #endif | ||
714 | 720 | ||
715 | static void | 721 | static void |
716 | do_print_public(struct passwd *pw) | 722 | do_print_public(struct passwd *pw) |
@@ -981,7 +987,7 @@ do_gen_all_hostkeys(struct passwd *pw) | |||
981 | } | 987 | } |
982 | 988 | ||
983 | static void | 989 | static void |
984 | printhost(FILE *f, const char *name, Key *public, int ca, int hash) | 990 | printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash) |
985 | { | 991 | { |
986 | if (print_fingerprint) { | 992 | if (print_fingerprint) { |
987 | enum fp_rep rep; | 993 | enum fp_rep rep; |
@@ -1001,7 +1007,8 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash) | |||
1001 | } else { | 1007 | } else { |
1002 | if (hash && (name = host_hash(name, NULL, 0)) == NULL) | 1008 | if (hash && (name = host_hash(name, NULL, 0)) == NULL) |
1003 | fatal("hash_host failed"); | 1009 | fatal("hash_host failed"); |
1004 | fprintf(f, "%s%s%s ", ca ? CA_MARKER : "", ca ? " " : "", name); | 1010 | fprintf(f, "%s%s%s ", ca ? CA_MARKER " " : "", |
1011 | revoked ? REVOKE_MARKER " " : "" , name); | ||
1005 | if (!key_write(public, f)) | 1012 | if (!key_write(public, f)) |
1006 | fatal("key_write failed"); | 1013 | fatal("key_write failed"); |
1007 | fprintf(f, "\n"); | 1014 | fprintf(f, "\n"); |
@@ -1016,7 +1023,7 @@ do_known_hosts(struct passwd *pw, const char *name) | |||
1016 | char *cp, *cp2, *kp, *kp2; | 1023 | char *cp, *cp2, *kp, *kp2; |
1017 | char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN]; | 1024 | char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN]; |
1018 | int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; | 1025 | int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; |
1019 | int ca; | 1026 | int ca, revoked; |
1020 | int found_key = 0; | 1027 | int found_key = 0; |
1021 | 1028 | ||
1022 | if (!have_identity) { | 1029 | if (!have_identity) { |
@@ -1030,6 +1037,7 @@ do_known_hosts(struct passwd *pw, const char *name) | |||
1030 | if ((in = fopen(identity_file, "r")) == NULL) | 1037 | if ((in = fopen(identity_file, "r")) == NULL) |
1031 | fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); | 1038 | fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); |
1032 | 1039 | ||
1040 | /* XXX this code is a mess; refactor -djm */ | ||
1033 | /* | 1041 | /* |
1034 | * Find hosts goes to stdout, hash and deletions happen in-place | 1042 | * Find hosts goes to stdout, hash and deletions happen in-place |
1035 | * A corner case is ssh-keygen -HF foo, which should go to stdout | 1043 | * A corner case is ssh-keygen -HF foo, which should go to stdout |
@@ -1073,7 +1081,7 @@ do_known_hosts(struct passwd *pw, const char *name) | |||
1073 | fprintf(out, "%s\n", cp); | 1081 | fprintf(out, "%s\n", cp); |
1074 | continue; | 1082 | continue; |
1075 | } | 1083 | } |
1076 | /* Check whether this is a CA key */ | 1084 | /* Check whether this is a CA key or revocation marker */ |
1077 | if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 && | 1085 | if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 && |
1078 | (cp[sizeof(CA_MARKER) - 1] == ' ' || | 1086 | (cp[sizeof(CA_MARKER) - 1] == ' ' || |
1079 | cp[sizeof(CA_MARKER) - 1] == '\t')) { | 1087 | cp[sizeof(CA_MARKER) - 1] == '\t')) { |
@@ -1081,6 +1089,14 @@ do_known_hosts(struct passwd *pw, const char *name) | |||
1081 | cp += sizeof(CA_MARKER); | 1089 | cp += sizeof(CA_MARKER); |
1082 | } else | 1090 | } else |
1083 | ca = 0; | 1091 | ca = 0; |
1092 | if (strncasecmp(cp, REVOKE_MARKER, | ||
1093 | sizeof(REVOKE_MARKER) - 1) == 0 && | ||
1094 | (cp[sizeof(REVOKE_MARKER) - 1] == ' ' || | ||
1095 | cp[sizeof(REVOKE_MARKER) - 1] == '\t')) { | ||
1096 | revoked = 1; | ||
1097 | cp += sizeof(REVOKE_MARKER); | ||
1098 | } else | ||
1099 | revoked = 0; | ||
1084 | 1100 | ||
1085 | /* Find the end of the host name portion. */ | 1101 | /* Find the end of the host name portion. */ |
1086 | for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++) | 1102 | for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++) |
@@ -1124,20 +1140,23 @@ do_known_hosts(struct passwd *pw, const char *name) | |||
1124 | printf("# Host %s found: " | 1140 | printf("# Host %s found: " |
1125 | "line %d type %s%s\n", name, | 1141 | "line %d type %s%s\n", name, |
1126 | num, key_type(pub), | 1142 | num, key_type(pub), |
1127 | ca ? " (CA key)" : ""); | 1143 | ca ? " (CA key)" : |
1128 | printhost(out, cp, pub, ca, 0); | 1144 | revoked? " (revoked)" : ""); |
1145 | printhost(out, cp, pub, ca, revoked, 0); | ||
1129 | found_key = 1; | 1146 | found_key = 1; |
1130 | } | 1147 | } |
1131 | if (delete_host) { | 1148 | if (delete_host) { |
1132 | if (!c && !ca) | 1149 | if (!c || ca || revoked) { |
1133 | printhost(out, cp, pub, ca, 0); | 1150 | printhost(out, cp, pub, |
1134 | else | 1151 | ca, revoked, 0); |
1152 | } else { | ||
1135 | printf("# Host %s found: " | 1153 | printf("# Host %s found: " |
1136 | "line %d type %s\n", name, | 1154 | "line %d type %s\n", name, |
1137 | num, key_type(pub)); | 1155 | num, key_type(pub)); |
1156 | } | ||
1138 | } | 1157 | } |
1139 | } else if (hash_hosts) | 1158 | } else if (hash_hosts) |
1140 | printhost(out, cp, pub, ca, 0); | 1159 | printhost(out, cp, pub, ca, revoked, 0); |
1141 | } else { | 1160 | } else { |
1142 | if (find_host || delete_host) { | 1161 | if (find_host || delete_host) { |
1143 | c = (match_hostname(name, cp, | 1162 | c = (match_hostname(name, cp, |
@@ -1148,38 +1167,43 @@ do_known_hosts(struct passwd *pw, const char *name) | |||
1148 | "line %d type %s%s\n", name, | 1167 | "line %d type %s%s\n", name, |
1149 | num, key_type(pub), | 1168 | num, key_type(pub), |
1150 | ca ? " (CA key)" : ""); | 1169 | ca ? " (CA key)" : ""); |
1151 | printhost(out, name, pub, | 1170 | printhost(out, name, pub, ca, revoked, |
1152 | ca, hash_hosts && !ca); | 1171 | hash_hosts && !(ca || revoked)); |
1153 | found_key = 1; | 1172 | found_key = 1; |
1154 | } | 1173 | } |
1155 | if (delete_host) { | 1174 | if (delete_host) { |
1156 | if (!c && !ca) | 1175 | if (!c || ca || revoked) { |
1157 | printhost(out, cp, pub, ca, 0); | 1176 | printhost(out, cp, pub, |
1158 | else | 1177 | ca, revoked, 0); |
1178 | } else { | ||
1159 | printf("# Host %s found: " | 1179 | printf("# Host %s found: " |
1160 | "line %d type %s\n", name, | 1180 | "line %d type %s\n", name, |
1161 | num, key_type(pub)); | 1181 | num, key_type(pub)); |
1182 | } | ||
1162 | } | 1183 | } |
1184 | } else if (hash_hosts && (ca || revoked)) { | ||
1185 | /* Don't hash CA and revoked keys' hostnames */ | ||
1186 | printhost(out, cp, pub, ca, revoked, 0); | ||
1187 | has_unhashed = 1; | ||
1163 | } else if (hash_hosts) { | 1188 | } else if (hash_hosts) { |
1189 | /* Hash each hostname separately */ | ||
1164 | for (cp2 = strsep(&cp, ","); | 1190 | for (cp2 = strsep(&cp, ","); |
1165 | cp2 != NULL && *cp2 != '\0'; | 1191 | cp2 != NULL && *cp2 != '\0'; |
1166 | cp2 = strsep(&cp, ",")) { | 1192 | cp2 = strsep(&cp, ",")) { |
1167 | if (ca) { | 1193 | if (strcspn(cp2, "*?!") != |
1168 | fprintf(stderr, "Warning: " | ||
1169 | "ignoring CA key for host: " | ||
1170 | "%.64s\n", cp2); | ||
1171 | printhost(out, cp2, pub, ca, 0); | ||
1172 | } else if (strcspn(cp2, "*?!") != | ||
1173 | strlen(cp2)) { | 1194 | strlen(cp2)) { |
1174 | fprintf(stderr, "Warning: " | 1195 | fprintf(stderr, "Warning: " |
1175 | "ignoring host name with " | 1196 | "ignoring host name with " |
1176 | "metacharacters: %.64s\n", | 1197 | "metacharacters: %.64s\n", |
1177 | cp2); | 1198 | cp2); |
1178 | printhost(out, cp2, pub, ca, 0); | 1199 | printhost(out, cp2, pub, ca, |
1179 | } else | 1200 | revoked, 0); |
1180 | printhost(out, cp2, pub, ca, 1); | 1201 | has_unhashed = 1; |
1202 | } else { | ||
1203 | printhost(out, cp2, pub, ca, | ||
1204 | revoked, 1); | ||
1205 | } | ||
1181 | } | 1206 | } |
1182 | has_unhashed = 1; | ||
1183 | } | 1207 | } |
1184 | } | 1208 | } |
1185 | key_free(pub); | 1209 | key_free(pub); |
@@ -1589,7 +1613,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) | |||
1589 | } | 1613 | } |
1590 | } | 1614 | } |
1591 | 1615 | ||
1616 | #ifdef ENABLE_PKCS11 | ||
1592 | pkcs11_init(1); | 1617 | pkcs11_init(1); |
1618 | #endif | ||
1593 | tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); | 1619 | tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); |
1594 | if (pkcs11provider != NULL) { | 1620 | if (pkcs11provider != NULL) { |
1595 | if ((ca = load_pkcs11_key(tmp)) == NULL) | 1621 | if ((ca = load_pkcs11_key(tmp)) == NULL) |
@@ -1631,12 +1657,12 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) | |||
1631 | public->cert->valid_after = cert_valid_from; | 1657 | public->cert->valid_after = cert_valid_from; |
1632 | public->cert->valid_before = cert_valid_to; | 1658 | public->cert->valid_before = cert_valid_to; |
1633 | if (v00) { | 1659 | if (v00) { |
1634 | prepare_options_buf(&public->cert->critical, | 1660 | prepare_options_buf(public->cert->critical, |
1635 | OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); | 1661 | OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); |
1636 | } else { | 1662 | } else { |
1637 | prepare_options_buf(&public->cert->critical, | 1663 | prepare_options_buf(public->cert->critical, |
1638 | OPTIONS_CRITICAL); | 1664 | OPTIONS_CRITICAL); |
1639 | prepare_options_buf(&public->cert->extensions, | 1665 | prepare_options_buf(public->cert->extensions, |
1640 | OPTIONS_EXTENSIONS); | 1666 | OPTIONS_EXTENSIONS); |
1641 | } | 1667 | } |
1642 | public->cert->signature_key = key_from_private(ca); | 1668 | public->cert->signature_key = key_from_private(ca); |
@@ -1672,7 +1698,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) | |||
1672 | key_free(public); | 1698 | key_free(public); |
1673 | free(out); | 1699 | free(out); |
1674 | } | 1700 | } |
1701 | #ifdef ENABLE_PKCS11 | ||
1675 | pkcs11_terminate(); | 1702 | pkcs11_terminate(); |
1703 | #endif | ||
1676 | exit(0); | 1704 | exit(0); |
1677 | } | 1705 | } |
1678 | 1706 | ||
@@ -1820,8 +1848,8 @@ add_cert_option(char *opt) | |||
1820 | static void | 1848 | static void |
1821 | show_options(const Buffer *optbuf, int v00, int in_critical) | 1849 | show_options(const Buffer *optbuf, int v00, int in_critical) |
1822 | { | 1850 | { |
1823 | char *name; | 1851 | char *name, *arg; |
1824 | u_char *data; | 1852 | const u_char *data; |
1825 | u_int dlen; | 1853 | u_int dlen; |
1826 | Buffer options, option; | 1854 | Buffer options, option; |
1827 | 1855 | ||
@@ -1844,9 +1872,9 @@ show_options(const Buffer *optbuf, int v00, int in_critical) | |||
1844 | else if ((v00 || in_critical) && | 1872 | else if ((v00 || in_critical) && |
1845 | (strcmp(name, "force-command") == 0 || | 1873 | (strcmp(name, "force-command") == 0 || |
1846 | strcmp(name, "source-address") == 0)) { | 1874 | strcmp(name, "source-address") == 0)) { |
1847 | data = buffer_get_string(&option, NULL); | 1875 | arg = buffer_get_cstring(&option, NULL); |
1848 | printf(" %s\n", data); | 1876 | printf(" %s\n", arg); |
1849 | free(data); | 1877 | free(arg); |
1850 | } else { | 1878 | } else { |
1851 | printf(" UNKNOWN OPTION (len %u)\n", | 1879 | printf(" UNKNOWN OPTION (len %u)\n", |
1852 | buffer_len(&option)); | 1880 | buffer_len(&option)); |
@@ -1905,24 +1933,25 @@ do_show_cert(struct passwd *pw) | |||
1905 | printf("\n"); | 1933 | printf("\n"); |
1906 | } | 1934 | } |
1907 | printf(" Critical Options: "); | 1935 | printf(" Critical Options: "); |
1908 | if (buffer_len(&key->cert->critical) == 0) | 1936 | if (buffer_len(key->cert->critical) == 0) |
1909 | printf("(none)\n"); | 1937 | printf("(none)\n"); |
1910 | else { | 1938 | else { |
1911 | printf("\n"); | 1939 | printf("\n"); |
1912 | show_options(&key->cert->critical, v00, 1); | 1940 | show_options(key->cert->critical, v00, 1); |
1913 | } | 1941 | } |
1914 | if (!v00) { | 1942 | if (!v00) { |
1915 | printf(" Extensions: "); | 1943 | printf(" Extensions: "); |
1916 | if (buffer_len(&key->cert->extensions) == 0) | 1944 | if (buffer_len(key->cert->extensions) == 0) |
1917 | printf("(none)\n"); | 1945 | printf("(none)\n"); |
1918 | else { | 1946 | else { |
1919 | printf("\n"); | 1947 | printf("\n"); |
1920 | show_options(&key->cert->extensions, v00, 0); | 1948 | show_options(key->cert->extensions, v00, 0); |
1921 | } | 1949 | } |
1922 | } | 1950 | } |
1923 | exit(0); | 1951 | exit(0); |
1924 | } | 1952 | } |
1925 | 1953 | ||
1954 | #ifdef WITH_OPENSSL | ||
1926 | static void | 1955 | static void |
1927 | load_krl(const char *path, struct ssh_krl **krlp) | 1956 | load_krl(const char *path, struct ssh_krl **krlp) |
1928 | { | 1957 | { |
@@ -2145,60 +2174,40 @@ do_check_krl(struct passwd *pw, int argc, char **argv) | |||
2145 | ssh_krl_free(krl); | 2174 | ssh_krl_free(krl); |
2146 | exit(ret); | 2175 | exit(ret); |
2147 | } | 2176 | } |
2177 | #endif | ||
2148 | 2178 | ||
2149 | static void | 2179 | static void |
2150 | usage(void) | 2180 | usage(void) |
2151 | { | 2181 | { |
2152 | fprintf(stderr, "usage: %s [options]\n", __progname); | 2182 | fprintf(stderr, |
2153 | fprintf(stderr, "Options:\n"); | 2183 | "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]\n" |
2154 | fprintf(stderr, " -A Generate non-existent host keys for all key types.\n"); | 2184 | " [-N new_passphrase] [-C comment] [-f output_keyfile]\n" |
2155 | fprintf(stderr, " -a number Number of KDF rounds for new key format or moduli primality tests.\n"); | 2185 | " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n" |
2156 | fprintf(stderr, " -B Show bubblebabble digest of key file.\n"); | 2186 | " ssh-keygen -i [-m key_format] [-f input_keyfile]\n" |
2157 | fprintf(stderr, " -b bits Number of bits in the key to create.\n"); | 2187 | " ssh-keygen -e [-m key_format] [-f input_keyfile]\n" |
2158 | fprintf(stderr, " -C comment Provide new comment.\n"); | 2188 | " ssh-keygen -y [-f input_keyfile]\n" |
2159 | fprintf(stderr, " -c Change comment in private and public key files.\n"); | 2189 | " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n" |
2190 | " ssh-keygen -l [-f input_keyfile]\n" | ||
2191 | " ssh-keygen -B [-f input_keyfile]\n"); | ||
2160 | #ifdef ENABLE_PKCS11 | 2192 | #ifdef ENABLE_PKCS11 |
2161 | fprintf(stderr, " -D pkcs11 Download public key from pkcs11 token.\n"); | 2193 | fprintf(stderr, |
2194 | " ssh-keygen -D pkcs11\n"); | ||
2162 | #endif | 2195 | #endif |
2163 | fprintf(stderr, " -e Export OpenSSH to foreign format key file.\n"); | 2196 | fprintf(stderr, |
2164 | fprintf(stderr, " -F hostname Find hostname in known hosts file.\n"); | 2197 | " ssh-keygen -F hostname [-f known_hosts_file] [-l]\n" |
2165 | fprintf(stderr, " -f filename Filename of the key file.\n"); | 2198 | " ssh-keygen -H [-f known_hosts_file]\n" |
2166 | fprintf(stderr, " -G file Generate candidates for DH-GEX moduli.\n"); | 2199 | " ssh-keygen -R hostname [-f known_hosts_file]\n" |
2167 | fprintf(stderr, " -g Use generic DNS resource record format.\n"); | 2200 | " ssh-keygen -r hostname [-f input_keyfile] [-g]\n" |
2168 | fprintf(stderr, " -H Hash names in known_hosts file.\n"); | 2201 | " ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]\n" |
2169 | fprintf(stderr, " -h Generate host certificate instead of a user certificate.\n"); | 2202 | " ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n" |
2170 | fprintf(stderr, " -I key_id Key identifier to include in certificate.\n"); | 2203 | " [-j start_line] [-K checkpt] [-W generator]\n" |
2171 | fprintf(stderr, " -i Import foreign format to OpenSSH key file.\n"); | 2204 | " ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]\n" |
2172 | fprintf(stderr, " -J number Screen this number of moduli lines.\n"); | 2205 | " [-O option] [-V validity_interval] [-z serial_number] file ...\n" |
2173 | fprintf(stderr, " -j number Start screening moduli at specified line.\n"); | 2206 | " ssh-keygen -L [-f input_keyfile]\n" |
2174 | fprintf(stderr, " -K checkpt Write checkpoints to this file.\n"); | 2207 | " ssh-keygen -A\n" |
2175 | fprintf(stderr, " -k Generate a KRL file.\n"); | 2208 | " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" |
2176 | fprintf(stderr, " -L Print the contents of a certificate.\n"); | 2209 | " file ...\n" |
2177 | fprintf(stderr, " -l Show fingerprint of key file.\n"); | 2210 | " ssh-keygen -Q -f krl_file file ...\n"); |
2178 | fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n"); | ||
2179 | fprintf(stderr, " -m key_fmt Conversion format for -e/-i (PEM|PKCS8|RFC4716).\n"); | ||
2180 | fprintf(stderr, " -N phrase Provide new passphrase.\n"); | ||
2181 | fprintf(stderr, " -n name,... User/host principal names to include in certificate\n"); | ||
2182 | fprintf(stderr, " -O option Specify a certificate option.\n"); | ||
2183 | fprintf(stderr, " -o Enforce new private key format.\n"); | ||
2184 | fprintf(stderr, " -P phrase Provide old passphrase.\n"); | ||
2185 | fprintf(stderr, " -p Change passphrase of private key file.\n"); | ||
2186 | fprintf(stderr, " -Q Test whether key(s) are revoked in KRL.\n"); | ||
2187 | fprintf(stderr, " -q Quiet.\n"); | ||
2188 | fprintf(stderr, " -R hostname Remove host from known_hosts file.\n"); | ||
2189 | fprintf(stderr, " -r hostname Print DNS resource record.\n"); | ||
2190 | fprintf(stderr, " -S start Start point (hex) for generating DH-GEX moduli.\n"); | ||
2191 | fprintf(stderr, " -s ca_key Certify keys with CA key.\n"); | ||
2192 | fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n"); | ||
2193 | fprintf(stderr, " -t type Specify type of key to create.\n"); | ||
2194 | fprintf(stderr, " -u Update KRL rather than creating a new one.\n"); | ||
2195 | fprintf(stderr, " -V from:to Specify certificate validity interval.\n"); | ||
2196 | fprintf(stderr, " -v Verbose.\n"); | ||
2197 | fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n"); | ||
2198 | fprintf(stderr, " -y Read private key file and print public key.\n"); | ||
2199 | fprintf(stderr, " -Z cipher Specify a cipher for new private key format.\n"); | ||
2200 | fprintf(stderr, " -z serial Specify a serial number.\n"); | ||
2201 | |||
2202 | exit(1); | 2211 | exit(1); |
2203 | } | 2212 | } |
2204 | 2213 | ||
@@ -2469,6 +2478,7 @@ main(int argc, char **argv) | |||
2469 | printf("Cannot use -l with -H or -R.\n"); | 2478 | printf("Cannot use -l with -H or -R.\n"); |
2470 | usage(); | 2479 | usage(); |
2471 | } | 2480 | } |
2481 | #ifdef WITH_OPENSSL | ||
2472 | if (gen_krl) { | 2482 | if (gen_krl) { |
2473 | do_gen_krl(pw, update_krl, argc, argv); | 2483 | do_gen_krl(pw, update_krl, argc, argv); |
2474 | return (0); | 2484 | return (0); |
@@ -2477,6 +2487,7 @@ main(int argc, char **argv) | |||
2477 | do_check_krl(pw, argc, argv); | 2487 | do_check_krl(pw, argc, argv); |
2478 | return (0); | 2488 | return (0); |
2479 | } | 2489 | } |
2490 | #endif | ||
2480 | if (ca_key_path != NULL) { | 2491 | if (ca_key_path != NULL) { |
2481 | if (cert_key_id == NULL) | 2492 | if (cert_key_id == NULL) |
2482 | fatal("Must specify key id (-I) when certifying"); | 2493 | fatal("Must specify key id (-I) when certifying"); |
@@ -2494,10 +2505,12 @@ main(int argc, char **argv) | |||
2494 | do_change_passphrase(pw); | 2505 | do_change_passphrase(pw); |
2495 | if (change_comment) | 2506 | if (change_comment) |
2496 | do_change_comment(pw); | 2507 | do_change_comment(pw); |
2508 | #ifdef WITH_OPENSSL | ||
2497 | if (convert_to) | 2509 | if (convert_to) |
2498 | do_convert_to(pw); | 2510 | do_convert_to(pw); |
2499 | if (convert_from) | 2511 | if (convert_from) |
2500 | do_convert_from(pw); | 2512 | do_convert_from(pw); |
2513 | #endif | ||
2501 | if (print_public) | 2514 | if (print_public) |
2502 | do_print_public(pw); | 2515 | do_print_public(pw); |
2503 | if (rr_hostname != NULL) { | 2516 | if (rr_hostname != NULL) { |
@@ -2519,7 +2532,8 @@ main(int argc, char **argv) | |||
2519 | _PATH_HOST_DSA_KEY_FILE, rr_hostname); | 2532 | _PATH_HOST_DSA_KEY_FILE, rr_hostname); |
2520 | n += do_print_resource_record(pw, | 2533 | n += do_print_resource_record(pw, |
2521 | _PATH_HOST_ECDSA_KEY_FILE, rr_hostname); | 2534 | _PATH_HOST_ECDSA_KEY_FILE, rr_hostname); |
2522 | 2535 | n += do_print_resource_record(pw, | |
2536 | _PATH_HOST_ED25519_KEY_FILE, rr_hostname); | ||
2523 | if (n == 0) | 2537 | if (n == 0) |
2524 | fatal("no keys found."); | 2538 | fatal("no keys found."); |
2525 | exit(0); | 2539 | exit(0); |
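Review bot: In do_known_hosts, the new `else if (hash_hosts && (ca || revoked))` branch (new lines 1184-1187) writes `@cert-authority` and `@revoked` entries back unhashed without telling the user, whereas the removed code emitted a per-line `Warning: ignoring CA key for host: %.64s` on stderr for CA entries. Since the purpose of `-H` is to hide which hosts a known_hosts file names, a silent exception deserves a visible one; I would add, before the `printhost` call in that branch, `fprintf(stderr, "Warning: not hashing %s line for host: %.64s\n", ca ? "CA" : "revoked", cp);`. The branch does set `has_unhashed = 1`, so presumably a summary is printed after the loop, but that is outside the hunk and cannot identify the affected lines. A smaller nit in the same function: `revoked? " (revoked)"` (new line 1144) and `"" , name` in printhost (new line 1011) break the file's spacing convention. do_known_hosts starts and ends outside these hunks.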