diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2015-11-08 22:30:20 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-11-09 14:25:40 +1100 |
| commit | 3a424cdd21db08c7b0ded902f97b8f02af5aa485 (patch) | |
| tree | 98ec5fc63238e8b5e0d8ae700f076d766a6d63d3 /ssh-keyscan.c | |
| parent | 69fead5d7cdaa73bdece9fcba80f8e8e70b90346 (diff) | |
upstream commit
Add "ssh-keyscan -c ..." flag to allow fetching
certificates instead of plain keys; ok markus@
Upstream-ID: 0947e2177dba92339eced9e49d3c5bf7dda69f82
Diffstat (limited to 'ssh-keyscan.c')
| -rw-r--r-- | ssh-keyscan.c | 47 |
1 files changed, 37 insertions, 10 deletions
diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 7db0e10e5..0e5ca609a 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-keyscan.c,v 1.102 2015/10/24 22:56:19 djm Exp $ */ | 1 | /* $OpenBSD: ssh-keyscan.c,v 1.103 2015/11/08 22:30:20 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. | 3 | * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. |
| 4 | * | 4 | * |
| @@ -60,6 +60,7 @@ int ssh_port = SSH_DEFAULT_PORT; | |||
| 60 | #define KT_ECDSA 8 | 60 | #define KT_ECDSA 8 |
| 61 | #define KT_ED25519 16 | 61 | #define KT_ED25519 16 |
| 62 | 62 | ||
| 63 | int get_cert = 0; | ||
| 63 | int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519; | 64 | int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519; |
| 64 | 65 | ||
| 65 | int hash_hosts = 0; /* Hash hostname on output */ | 66 | int hash_hosts = 0; /* Hash hostname on output */ |
| @@ -267,11 +268,32 @@ keygrab_ssh2(con *c) | |||
| 267 | int r; | 268 | int r; |
| 268 | 269 | ||
| 269 | enable_compat20(); | 270 | enable_compat20(); |
| 270 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = | 271 | switch (c->c_keytype) { |
| 271 | c->c_keytype == KT_DSA ? "ssh-dss" : | 272 | case KT_DSA: |
| 272 | (c->c_keytype == KT_RSA ? "ssh-rsa" : | 273 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ? |
| 273 | (c->c_keytype == KT_ED25519 ? "ssh-ed25519" : | 274 | "ssh-dss-cert-v01@openssh.com" : "ssh-dss"; |
| 274 | "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521")); | 275 | break; |
| 276 | case KT_RSA: | ||
| 277 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ? | ||
| 278 | "ssh-rsa-cert-v01@openssh.com" : "ssh-rsa"; | ||
| 279 | break; | ||
| 280 | case KT_ED25519: | ||
| 281 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ? | ||
| 282 | "ssh-ed25519-cert-v01@openssh.com" : "ssh-ed25519"; | ||
| 283 | break; | ||
| 284 | case KT_ECDSA: | ||
| 285 | myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ? | ||
| 286 | "ecdsa-sha2-nistp256-cert-v01@openssh.com," | ||
| 287 | "ecdsa-sha2-nistp384-cert-v01@openssh.com," | ||
| 288 | "ecdsa-sha2-nistp521-cert-v01@openssh.com" : | ||
| 289 | "ecdsa-sha2-nistp256," | ||
| 290 | "ecdsa-sha2-nistp384," | ||
| 291 | "ecdsa-sha2-nistp521"; | ||
| 292 | break; | ||
| 293 | default: | ||
| 294 | fatal("unknown key type %d", c->c_keytype); | ||
| 295 | break; | ||
| 296 | } | ||
| 275 | if ((r = kex_setup(c->c_ssh, myproposal)) != 0) { | 297 | if ((r = kex_setup(c->c_ssh, myproposal)) != 0) { |
| 276 | free(c->c_ssh); | 298 | free(c->c_ssh); |
| 277 | fprintf(stderr, "kex_setup: %s\n", ssh_err(r)); | 299 | fprintf(stderr, "kex_setup: %s\n", ssh_err(r)); |
| @@ -304,7 +326,8 @@ keyprint_one(char *host, struct sshkey *key) | |||
| 304 | fatal("host_hash failed"); | 326 | fatal("host_hash failed"); |
| 305 | 327 | ||
| 306 | hostport = put_host_port(host, ssh_port); | 328 | hostport = put_host_port(host, ssh_port); |
| 307 | fprintf(stdout, "%s ", hostport); | 329 | if (!get_cert) |
| 330 | fprintf(stdout, "%s ", hostport); | ||
| 308 | sshkey_write(key, stdout); | 331 | sshkey_write(key, stdout); |
| 309 | fputs("\n", stdout); | 332 | fputs("\n", stdout); |
| 310 | free(hostport); | 333 | free(hostport); |
| @@ -318,7 +341,7 @@ keyprint(con *c, struct sshkey *key) | |||
| 318 | 341 | ||
| 319 | if (key == NULL) | 342 | if (key == NULL) |
| 320 | return; | 343 | return; |
| 321 | if (!hash_hosts && ssh_port == SSH_DEFAULT_PORT) { | 344 | if (get_cert || (!hash_hosts && ssh_port == SSH_DEFAULT_PORT)) { |
| 322 | keyprint_one(hosts, key); | 345 | keyprint_one(hosts, key); |
| 323 | return; | 346 | return; |
| 324 | } | 347 | } |
| @@ -384,6 +407,7 @@ conalloc(char *iname, char *oname, int keytype) | |||
| 384 | if (fdcon[s].c_status) | 407 | if (fdcon[s].c_status) |
| 385 | fatal("conalloc: attempt to reuse fdno %d", s); | 408 | fatal("conalloc: attempt to reuse fdno %d", s); |
| 386 | 409 | ||
| 410 | debug3("%s: oname %s kt %d", __func__, oname, keytype); | ||
| 387 | fdcon[s].c_fd = s; | 411 | fdcon[s].c_fd = s; |
| 388 | fdcon[s].c_status = CS_CON; | 412 | fdcon[s].c_status = CS_CON; |
| 389 | fdcon[s].c_namebase = namebase; | 413 | fdcon[s].c_namebase = namebase; |
| @@ -654,7 +678,7 @@ static void | |||
| 654 | usage(void) | 678 | usage(void) |
| 655 | { | 679 | { |
| 656 | fprintf(stderr, | 680 | fprintf(stderr, |
| 657 | "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]\n" | 681 | "usage: %s [-46Hcv] [-f file] [-p port] [-T timeout] [-t type]\n" |
| 658 | "\t\t [host | addrlist namelist] ...\n", | 682 | "\t\t [host | addrlist namelist] ...\n", |
| 659 | __progname); | 683 | __progname); |
| 660 | exit(1); | 684 | exit(1); |
| @@ -682,11 +706,14 @@ main(int argc, char **argv) | |||
| 682 | if (argc <= 1) | 706 | if (argc <= 1) |
| 683 | usage(); | 707 | usage(); |
| 684 | 708 | ||
| 685 | while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) { | 709 | while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) { |
| 686 | switch (opt) { | 710 | switch (opt) { |
| 687 | case 'H': | 711 | case 'H': |
| 688 | hash_hosts = 1; | 712 | hash_hosts = 1; |
| 689 | break; | 713 | break; |
| 714 | case 'c': | ||
| 715 | get_cert = 1; | ||
| 716 | break; | ||
| 690 | case 'p': | 717 | case 'p': |
| 691 | ssh_port = a2port(optarg); | 718 | ssh_port = a2port(optarg); |
| 692 | if (ssh_port <= 0) { | 719 | if (ssh_port <= 0) { |