3 files changed, 302 insertions, 98 deletions

diff --git a/ChangeLog b/ChangeLog
index edd7662f2..6ebbabc04 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -138,6 +138,9 @@
    - jakob@cvs.openbsd.org 2001/08/03 10:31:30
      [ssh-add.c ssh-agent.c ssh-keyscan.c]
      improve usage(). ok markus@
+   - markus@cvs.openbsd.org 2001/08/05 23:18:20
+     [ssh-keyscan.1 ssh-keyscan.c]
+     ssh 2 support; from wayned@users.sourceforge.net
 
 20010803
  - (djm) Fix interrupted read in entropy gatherer. Spotted by markus@ on
@@ -6248,4 +6251,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.1462 2001/08/06 22:06:35 mouring Exp $
+$Id: ChangeLog,v 1.1463 2001/08/06 22:41:30 mouring Exp $
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index 80119aa21..b348bc252 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keyscan.1,v 1.9 2001/08/02 18:37:35 mpech Exp $
+.\"     $OpenBSD: ssh-keyscan.1,v 1.10 2001/08/05 23:18:20 markus Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -14,9 +14,13 @@
 .Nd gather ssh public keys
 .Sh SYNOPSIS
 .Nm ssh-keyscan
-.Op Fl t Ar timeout
-.Op Ar -- | host | addrlist namelist
-.Op Fl f Ar files ...
+.Op Fl v46
+.Op Fl p Ar port
+.Op Fl T Ar timeout
+.Op Fl t Ar type
+.Op Fl f Ar file
+.Op Ar host | addrlist namelist
+.Op Ar ...
 .Sh DESCRIPTION
 .Nm
 is a utility for gathering the public ssh host keys of a number of
@@ -37,14 +41,28 @@ any encryption.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
-.It Fl t
+.It Fl p Ar port
+Port to connect to on the remote host.
+.It Fl T
 Set the timeout for connection attempts.  If
 .Pa timeout
 seconds have elapsed since a connection was initiated to a host or since the
 last time anything was read from that host, then the connection is
 closed and the host in question considered unavailable.  Default is 5
 seconds.
-.It Fl f
+.It Fl t Ar type
+Specifies the type of the key to fetch from the following hosts.
+The possible values are
+.Dq rsa1
+for protocol version 1 and
+.Dq rsa
+or
+.Dq dsa
+for protocol version 2.
+Multiple values may be specified by separating them with commas.
+The default is
+.Dq rsa1 .
+.It Fl f Ar filename
 Read hosts or
 .Pa addrlist namelist
 pairs from this file, one per line.
@@ -55,6 +73,19 @@ is supplied instead of a filename,
 will read hosts or
 .Pa addrlist namelist
 pairs from the standard input.
+.It Fl v
+Verbose mode.
+Causes
+.Nm
+to print debugging messages about its progress.
+.It Fl 4
+Forces
+.Nm
+to use IPv4 addresses only.
+.It Fl 6
+Forces
+.Nm
+to use IPv6 addresses only.
 .El
 .Sh SECURITY
 If you make an ssh_known_hosts file using
@@ -67,7 +98,10 @@ On the other hand, if your security model allows such a risk,
 can help you detect tampered keyfiles or man in the middle attacks which
 have begun after you created your ssh_known_hosts file.
 .Sh EXAMPLES
-Print the host key for machine
+.Pp
+Print the
+.Pa rsa1
+host key for machine
 .Pa hostname :
 .Bd -literal
 ssh-keyscan hostname
@@ -78,20 +112,36 @@ Find all hosts from the file
 which have new or different keys from those in the sorted file
 .Pa ssh_known_hosts :
 .Bd -literal
-$ ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\ 
-        diff ssh_known_hosts -
+ssh-keyscan -t rsa,dsa -f ssh_hosts | \e\ 
+        sort -u - ssh_known_hosts | diff ssh_known_hosts -
 .Ed
 .Sh FILES
 .Pa Input format:
+.Bd -literal
 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
+.Ed
 .Pp
-.Pa Output format:
+.Pa Output format for rsa1 keys:
+.Bd -literal
 host-or-namelist bits exponent modulus
+.Ed
+.Pp
+.Pa Output format for rsa and dsa keys:
+.Bd -literal
+host-or-namelist keytype base64-encoded-key
+.Ed
+.Pp
+Where
+.Pa keytype
+is either
+.Dq ssh-rsa
+or
+.Dq ssh-dsa .
 .Pp
 .Pa /etc/ssh_known_hosts
 .Sh BUGS
 It generates "Connection closed by remote host" messages on the consoles
-of all the machines it scans.
+of all the machines it scans if the server is older than version 2.9.
 This is because it opens a connection to the ssh port, reads the public
 key, and drops the connection as soon as it gets the key.
 .Sh SEE ALSO
@@ -99,3 +149,6 @@ key, and drops the connection as soon as it gets the key.
 .Xr sshd 8
 .Sh AUTHORS
 David Mazieres <dm@lcs.mit.edu>
+wrote the initial version, and
+Wayne Davison <wayned@users.sourceforge.net>
+added support for protocol version 2.
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 9908baac4..5a992515e 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -7,7 +7,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.25 2001/08/03 10:31:30 jakob Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.26 2001/08/05 23:18:20 markus Exp $");
 
 #if defined(HAVE_SYS_QUEUE_H) && !defined(HAVE_BOGUS_SYS_QUEUE_H)
 #include <sys/queue.h>
@@ -18,18 +18,37 @@ RCSID("$OpenBSD: ssh-keyscan.c,v 1.25 2001/08/03 10:31:30 jakob Exp $");
 
 #include <openssl/bn.h>
 
+#include <setjmp.h>
 #include "xmalloc.h"
 #include "ssh.h"
 #include "ssh1.h"
 #include "key.h"
+#include "kex.h"
+#include "compat.h"
+#include "myproposal.h"
+#include "packet.h"
+#include "dispatch.h"
 #include "buffer.h"
 #include "bufaux.h"
 #include "log.h"
 #include "atomicio.h"
+#include "misc.h"
 
-static int argno = 1;           /* Number of argument currently being parsed */
+/* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
+   Default value is AF_UNSPEC means both IPv4 and IPv6. */
+#ifdef IPV4_DEFAULT
+int IPv4or6 = AF_INET;
+#else
+int IPv4or6 = AF_UNSPEC;
+#endif
 
-int family = AF_UNSPEC;         /* IPv4, IPv6 or both */
+int ssh_port = SSH_DEFAULT_PORT;
+ 
+#define KT_RSA1       1
+#define KT_DSA        2
+#define KT_RSA        4
+ 
+int get_keytypes = KT_RSA1;   /* Get only RSA1 keys by default */
 
 #define MAXMAXFD 256
 
@@ -47,6 +66,8 @@ char *__progname;
 fd_set *read_wait;
 size_t read_wait_size;
 int ncon;
+int nonfatal_fatal = 0;
+jmp_buf kexjmp;
 
 /*
  * Keep a connection structure for each file descriptor.  The state
@@ -62,11 +83,13 @@ typedef struct Connection {
         int c_plen;             /* Packet length field for ssh packet */
         int c_len;              /* Total bytes which must be read. */
         int c_off;              /* Length of data read so far. */
+        int c_keytype;          /* Only one of KT_RSA1, KT_DSA, or KT_RSA */
         char *c_namebase;       /* Address to free for c_name and c_namelist */
         char *c_name;           /* Hostname of connection for errors */
         char *c_namelist;       /* Pointer to other possible addresses */
         char *c_output_name;    /* Hostname of connection for output */
         char *c_data;           /* Data read from this fd */
+        Kex *c_kex;             /* The key-exchange struct for ssh2 */
         struct timeval c_tv;    /* Time at which connection gets aborted */
         TAILQ_ENTRY(Connection) c_link; /* List of connections in timeout order. */
 } con;
@@ -262,8 +285,8 @@ strnnsep(char **stringp, char *delim)
         return (tok);
 }
 
-static void
-keyprint(char *host, char *output_name, char *kd, int len)
+static Key *
+keygrab_ssh1(con *c)
 {
         static Key *rsa;
         static Buffer msg;
@@ -272,12 +295,12 @@ keyprint(char *host, char *output_name, char *kd, int len)
                 buffer_init(&msg);
                 rsa = key_new(KEY_RSA1);
         }
-        buffer_append(&msg, kd, len);
-        buffer_consume(&msg, 8 - (len & 7));    /* padding */
+        buffer_append(&msg, c->c_data, c->c_plen);
+        buffer_consume(&msg, 8 - (c->c_plen & 7));      /* padding */
         if (buffer_get_char(&msg) != (int) SSH_SMSG_PUBLIC_KEY) {
-                error("%s: invalid packet type", host);
+                error("%s: invalid packet type", c->c_name);
                 buffer_clear(&msg);
-                return;
+                return NULL;
         }
         buffer_consume(&msg, 8);                /* cookie */
 
@@ -290,10 +313,70 @@ keyprint(char *host, char *output_name, char *kd, int len)
         (void) buffer_get_int(&msg);
         buffer_get_bignum(&msg, rsa->rsa->e);
         buffer_get_bignum(&msg, rsa->rsa->n);
+
         buffer_clear(&msg);
 
-        fprintf(stdout, "%s ", output_name ? output_name : host);
-        key_write(rsa, stdout);
+        return (rsa);
+}
+
+static int
+hostjump(Key *hostkey)
+{
+        longjmp(kexjmp, (int)hostkey);
+}
+
+static int
+ssh2_capable(int remote_major, int remote_minor)
+{
+        switch (remote_major) {
+        case 1:
+                if (remote_minor == 99)
+                        return 1;
+                break;
+        case 2:
+                return 1;
+        default:
+                break;
+        }
+        return 0;
+}
+
+static Key *
+keygrab_ssh2(con *c)
+{
+        int j;
+
+        packet_set_connection(c->c_fd, c->c_fd);
+        enable_compat20();
+        myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA?
+            "ssh-dss": "ssh-rsa";
+        c->c_kex = kex_setup(myproposal);
+        c->c_kex->verify_host_key = hostjump;
+
+        if (!(j = setjmp(kexjmp))) {
+                nonfatal_fatal = 1;
+                dispatch_run(DISPATCH_BLOCK, &c->c_kex->done, c->c_kex);
+                fprintf(stderr, "Impossible! dispatch_run() returned!\n");
+                exit(1);
+        }
+        nonfatal_fatal = 0;
+        xfree(c->c_kex);
+        c->c_kex = NULL;
+        packet_close();
+        if (j < 0)
+                j = 0;
+
+        return (Key*)(j);
+}
+
+static void
+keyprint(con *c, Key *key)
+{
+        if (!key)
+                return;
+
+        fprintf(stdout, "%s ", c->c_output_name ? c->c_output_name : c->c_name);
+        key_write(key, stdout);
         fputs("\n", stdout);
 }
 
@@ -304,9 +387,9 @@ tcpconnect(char *host)
         char strport[NI_MAXSERV];
         int gaierr, s = -1;
 
-        snprintf(strport, sizeof strport, "%d", SSH_DEFAULT_PORT);
+        snprintf(strport, sizeof strport, "%d", ssh_port);
         memset(&hints, 0, sizeof(hints));
-        hints.ai_family = family;
+        hints.ai_family = IPv4or6;
         hints.ai_socktype = SOCK_STREAM;
         if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
                 fatal("getaddrinfo %s: %s", host, gai_strerror(gaierr));
@@ -331,7 +414,7 @@ tcpconnect(char *host)
 }
 
 static int
-conalloc(char *iname, char *oname)
+conalloc(char *iname, char *oname, int keytype)
 {
         int s;
         char *namebase, *name, *namelist;
@@ -360,6 +443,7 @@ conalloc(char *iname, char *oname)
         fdcon[s].c_data = (char *) &fdcon[s].c_plen;
         fdcon[s].c_len = 4;
         fdcon[s].c_off = 0;
+        fdcon[s].c_keytype = keytype;
         gettimeofday(&fdcon[s].c_tv, NULL);
         fdcon[s].c_tv.tv_sec += timeout;
         TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link);
@@ -379,6 +463,7 @@ confree(int s)
         if (fdcon[s].c_status == CS_KEYS)
                 xfree(fdcon[s].c_data);
         fdcon[s].c_status = CS_UNUSED;
+        fdcon[s].c_keytype = 0;
         TAILQ_REMOVE(&tq, &fdcon[s], c_link);
         FD_CLR(s, read_wait);
         ncon--;
@@ -398,21 +483,16 @@ conrecycle(int s)
 {
         int ret;
         con *c = &fdcon[s];
-        char *iname, *oname;
 
-        iname = xstrdup(c->c_namelist);
-        oname = xstrdup(c->c_output_name);
+        ret = conalloc(c->c_namelist, c->c_output_name, c->c_keytype);
         confree(s);
-        ret = conalloc(iname, oname);
-        xfree(iname);
-        xfree(oname);
         return (ret);
 }
 
 static void
 congreet(int s)
 {
-        char buf[80], *cp;
+        char buf[256], *cp;
         size_t bufsiz;
         int n = 0;
         con *c = &fdcon[s];
@@ -434,12 +514,34 @@ congreet(int s)
         }
         *cp = '\0';
         fprintf(stderr, "# %s %s\n", c->c_name, buf);
-        n = snprintf(buf, sizeof buf, "SSH-1.5-OpenSSH-keyscan\r\n");
+        if (c->c_keytype != KT_RSA1) {
+                int remote_major, remote_minor;
+                char remote_version[sizeof buf];
+
+                if (sscanf(buf, "SSH-%d.%d-%[^\n]\n",
+                    &remote_major, &remote_minor, remote_version) == 3)
+                        compat_datafellows(remote_version);
+                else
+                        datafellows = 0;
+                if (!ssh2_capable(remote_major, remote_minor)) {
+                        debug("%s doesn't support ssh2", c->c_name);
+                        confree(s);
+                        return;
+                }
+        }
+        n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n",
+            c->c_keytype == KT_RSA1? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2,
+            c->c_keytype == KT_RSA1? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2);
         if (atomicio(write, s, buf, n) != n) {
                 error("write (%s): %s", c->c_name, strerror(errno));
                 confree(s);
                 return;
         }
+        if (c->c_keytype != KT_RSA1) {
+                keyprint(c, keygrab_ssh2(c));
+                confree(s);
+                return;
+        }
         c->c_status = CS_SIZE;
         contouch(s);
 }
@@ -472,7 +574,7 @@ conread(int s)
                         c->c_status = CS_KEYS;
                         break;
                 case CS_KEYS:
-                        keyprint(c->c_name, c->c_output_name, c->c_data, c->c_plen);
+                        keyprint(c, keygrab_ssh1(c));
                         confree(s);
                         return;
                         break;
@@ -536,86 +638,128 @@ conloop(void)
         }
 }
 
-static char *
-nexthost(int argc, char **argv)
+static void
+do_host(char *host)
 {
-        static Linebuf *lb;
-
-        for (;;) {
-                if (!lb) {
-                        if (argno >= argc)
-                                return (NULL);
-                        if (argv[argno][0] != '-')
-                                return (argv[argno++]);
-                        if (!strcmp(argv[argno], "--")) {
-                                if (++argno >= argc)
-                                        return (NULL);
-                                return (argv[argno++]);
-                        } else if (!strncmp(argv[argno], "-f", 2)) {
-                                char *fname;
-
-                                if (argv[argno][2])
-                                        fname = &argv[argno++][2];
-                                else if (++argno >= argc) {
-                                        error("missing filename for `-f'");
-                                        return (NULL);
-                                } else
-                                        fname = argv[argno++];
-                                if (!strcmp(fname, "-"))
-                                        fname = NULL;
-                                lb = Linebuf_alloc(fname, error);
-                        } else
-                                error("ignoring invalid/misplaced option `%s'",
-                                    argv[argno++]);
-                } else {
-                        char *line;
-
-                        line = Linebuf_getline(lb);
-                        if (line)
-                                return (line);
-                        Linebuf_free(lb);
-                        lb = NULL;
+        char *name = strnnsep(&host, " \t\n");
+        int j;
+
+        for (j = KT_RSA1; j <= KT_RSA; j *= 2) {
+                if (get_keytypes & j) {
+                        while (ncon >= MAXCON)
+                                conloop();
+                        conalloc(name, *host ? host : name, j);
                 }
         }
 }
 
 static void
+fatal_callback(void *arg)
+{
+        if (nonfatal_fatal)
+                longjmp(kexjmp, -1);
+}
+
+static void
 usage(void)
 {
-        fprintf(stderr, "Usage: %s [options] [ host | addrlist namelist ]\n",
+        fprintf(stderr, "Usage: %s [options] host ...\n",
             __progname);
         fprintf(stderr, "Options:\n");
-        fprintf(stderr, "  -t timeout  Set connection timeout.\n");
         fprintf(stderr, "  -f file     Read hosts or addresses from file.\n");
+        fprintf(stderr, "  -p port     Connect to the specified port.\n");
+        fprintf(stderr, "  -t keytype  Specify the host key type.\n");
+        fprintf(stderr, "  -T timeout  Set connection timeout.\n");
+        fprintf(stderr, "  -v          Verbose; display verbose debugging messages.\n");
+        fprintf(stderr, "  -4          Use IPv4 only.\n");
+        fprintf(stderr, "  -6          Use IPv6 only.\n");
         exit(1);
 }
 
 int
 main(int argc, char **argv)
 {
-        char *host = NULL;
+        int debug_flag = 0, log_level = SYSLOG_LEVEL_INFO;
+        int opt, fopt_count = 0;
+        char *tname;
+ 
+        extern int optind;
+        extern char *optarg;
 
         __progname = get_progname(argv[0]);
         TAILQ_INIT(&tq);
 
-        if (argc <= argno)
+        if (argc <= 1)
                 usage();
 
-        if (argv[1][0] == '-' && argv[1][1] == 't') {
-                argno++;
-                if (argv[1][2])
-                        timeout = atoi(&argv[1][2]);
-                else {
-                        if (argno >= argc)
+        while ((opt = getopt(argc, argv, "v46p:T:t:f:")) != -1) {
+                switch (opt) {
+                case 'p':
+                        ssh_port = a2port(optarg);
+                        if (ssh_port == 0) {
+                                fprintf(stderr, "Bad port '%s'\n", optarg);
+                                exit(1);
+                        }
+                        break;
+                case 'T':
+                        timeout = atoi(optarg);
+                        if (timeout <= 0)
                                 usage();
-                        timeout = atoi(argv[argno++]);
-                }
-                if (timeout <= 0)
+                        break;
+                case 'v':
+                        if (!debug_flag) {
+                                debug_flag = 1;
+                                log_level = SYSLOG_LEVEL_DEBUG1;
+                        }
+                        else if (log_level < SYSLOG_LEVEL_DEBUG3)
+                                log_level++;
+                        else
+                                fatal("Too high debugging level.");
+                        break;
+                case 'f':
+                        if (strcmp(optarg, "-") == 0)
+                                optarg = NULL;
+                        argv[fopt_count++] = optarg;
+                        break;
+                case 't':
+                        get_keytypes = 0;
+                        tname = strtok(optarg, ",");
+                        while (tname) {
+                                int type = key_type_from_name(tname);
+                                switch (type) {
+                                case KEY_RSA1:
+                                        get_keytypes |= KT_RSA1;
+                                        break;
+                                case KEY_DSA:
+                                        get_keytypes |= KT_DSA;
+                                        break;
+                                case KEY_RSA:
+                                        get_keytypes |= KT_RSA;
+                                        break;
+                                case KEY_UNSPEC:
+                                        fatal("unknown key type %s\n", tname);
+                                }
+                                tname = strtok(NULL, ",");
+                        }
+                        break;
+                case '4':
+                        IPv4or6 = AF_INET;
+                        break;
+                case '6':
+                        IPv4or6 = AF_INET6;
+                        break;
+                case '?':
+                default:
                         usage();
+                }
         }
-        if (argc <= argno)
+        if (optind == argc && !fopt_count)
                 usage();
 
+        log_init("ssh-keyscan", log_level, SYSLOG_FACILITY_USER, 1);
+        fatal_add_cleanup(fatal_callback, NULL);
+
+
         maxfd = fdlim_get(1);
         if (maxfd < 0)
                 fatal("%s: fdlim_get: bad value", __progname);
@@ -632,18 +776,22 @@ main(int argc, char **argv)
         read_wait = xmalloc(read_wait_size);
         memset(read_wait, 0, read_wait_size);
 
-        do {
-                while (ncon < MAXCON) {
-                        char *name;
-
-                        host = nexthost(argc, argv);
-                        if (host == NULL)
-                                break;
-                        name = strnnsep(&host, " \t\n");
-                        conalloc(name, *host ? host : name);
+        if (fopt_count) {
+                Linebuf *lb;
+                char *line;
+                int j;
+
+                for (j = 0; j < fopt_count; j++) {
+                        lb = Linebuf_alloc(argv[j], error);
+                        while ((line = Linebuf_getline(lb)) != NULL)
+                                do_host(line);
+                        Linebuf_free(lb);
                 }
-                conloop();
-        } while (host);
+        }
+
+        while (optind < argc)
+                do_host(argv[optind++]);
+
         while (ncon > 0)
                 conloop();