summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ssh-keyscan.18
-rw-r--r--ssh-keyscan.c47
2 files changed, 42 insertions, 13 deletions
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index 6bbc480cd..12eb5810b 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
1.\" $OpenBSD: ssh-keyscan.1,v 1.36 2014/08/30 15:33:50 sobrado Exp $ 1.\" $OpenBSD: ssh-keyscan.1,v 1.37 2015/11/08 22:30:20 djm Exp $
2.\" 2.\"
3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 3.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4.\" 4.\"
@@ -6,7 +6,7 @@
6.\" permitted provided that due credit is given to the author and the 6.\" permitted provided that due credit is given to the author and the
7.\" OpenBSD project by leaving this copyright notice intact. 7.\" OpenBSD project by leaving this copyright notice intact.
8.\" 8.\"
9.Dd $Mdocdate: August 30 2014 $ 9.Dd $Mdocdate: November 8 2015 $
10.Dt SSH-KEYSCAN 1 10.Dt SSH-KEYSCAN 1
11.Os 11.Os
12.Sh NAME 12.Sh NAME
@@ -15,7 +15,7 @@
15.Sh SYNOPSIS 15.Sh SYNOPSIS
16.Nm ssh-keyscan 16.Nm ssh-keyscan
17.Bk -words 17.Bk -words
18.Op Fl 46Hv 18.Op Fl 46Hcv
19.Op Fl f Ar file 19.Op Fl f Ar file
20.Op Fl p Ar port 20.Op Fl p Ar port
21.Op Fl T Ar timeout 21.Op Fl T Ar timeout
@@ -54,6 +54,8 @@ to use IPv4 addresses only.
54Forces 54Forces
55.Nm 55.Nm
56to use IPv6 addresses only. 56to use IPv6 addresses only.
57.It Fl c
58Request certificates from target hosts instead of plain keys.
57.It Fl f Ar file 59.It Fl f Ar file
58Read hosts or 60Read hosts or
59.Dq addrlist namelist 61.Dq addrlist namelist
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 7db0e10e5..0e5ca609a 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: ssh-keyscan.c,v 1.102 2015/10/24 22:56:19 djm Exp $ */ 1/* $OpenBSD: ssh-keyscan.c,v 1.103 2015/11/08 22:30:20 djm Exp $ */
2/* 2/*
3 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. 3 * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
4 * 4 *
@@ -60,6 +60,7 @@ int ssh_port = SSH_DEFAULT_PORT;
60#define KT_ECDSA 8 60#define KT_ECDSA 8
61#define KT_ED25519 16 61#define KT_ED25519 16
62 62
63int get_cert = 0;
63int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519; 64int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
64 65
65int hash_hosts = 0; /* Hash hostname on output */ 66int hash_hosts = 0; /* Hash hostname on output */
@@ -267,11 +268,32 @@ keygrab_ssh2(con *c)
267 int r; 268 int r;
268 269
269 enable_compat20(); 270 enable_compat20();
270 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = 271 switch (c->c_keytype) {
271 c->c_keytype == KT_DSA ? "ssh-dss" : 272 case KT_DSA:
272 (c->c_keytype == KT_RSA ? "ssh-rsa" : 273 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
273 (c->c_keytype == KT_ED25519 ? "ssh-ed25519" : 274 "ssh-dss-cert-v01@openssh.com" : "ssh-dss";
274 "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521")); 275 break;
276 case KT_RSA:
277 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
278 "ssh-rsa-cert-v01@openssh.com" : "ssh-rsa";
279 break;
280 case KT_ED25519:
281 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
282 "ssh-ed25519-cert-v01@openssh.com" : "ssh-ed25519";
283 break;
284 case KT_ECDSA:
285 myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
286 "ecdsa-sha2-nistp256-cert-v01@openssh.com,"
287 "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
288 "ecdsa-sha2-nistp521-cert-v01@openssh.com" :
289 "ecdsa-sha2-nistp256,"
290 "ecdsa-sha2-nistp384,"
291 "ecdsa-sha2-nistp521";
292 break;
293 default:
294 fatal("unknown key type %d", c->c_keytype);
295 break;
296 }
275 if ((r = kex_setup(c->c_ssh, myproposal)) != 0) { 297 if ((r = kex_setup(c->c_ssh, myproposal)) != 0) {
276 free(c->c_ssh); 298 free(c->c_ssh);
277 fprintf(stderr, "kex_setup: %s\n", ssh_err(r)); 299 fprintf(stderr, "kex_setup: %s\n", ssh_err(r));
@@ -304,7 +326,8 @@ keyprint_one(char *host, struct sshkey *key)
304 fatal("host_hash failed"); 326 fatal("host_hash failed");
305 327
306 hostport = put_host_port(host, ssh_port); 328 hostport = put_host_port(host, ssh_port);
307 fprintf(stdout, "%s ", hostport); 329 if (!get_cert)
330 fprintf(stdout, "%s ", hostport);
308 sshkey_write(key, stdout); 331 sshkey_write(key, stdout);
309 fputs("\n", stdout); 332 fputs("\n", stdout);
310 free(hostport); 333 free(hostport);
@@ -318,7 +341,7 @@ keyprint(con *c, struct sshkey *key)
318 341
319 if (key == NULL) 342 if (key == NULL)
320 return; 343 return;
321 if (!hash_hosts && ssh_port == SSH_DEFAULT_PORT) { 344 if (get_cert || (!hash_hosts && ssh_port == SSH_DEFAULT_PORT)) {
322 keyprint_one(hosts, key); 345 keyprint_one(hosts, key);
323 return; 346 return;
324 } 347 }
@@ -384,6 +407,7 @@ conalloc(char *iname, char *oname, int keytype)
384 if (fdcon[s].c_status) 407 if (fdcon[s].c_status)
385 fatal("conalloc: attempt to reuse fdno %d", s); 408 fatal("conalloc: attempt to reuse fdno %d", s);
386 409
410 debug3("%s: oname %s kt %d", __func__, oname, keytype);
387 fdcon[s].c_fd = s; 411 fdcon[s].c_fd = s;
388 fdcon[s].c_status = CS_CON; 412 fdcon[s].c_status = CS_CON;
389 fdcon[s].c_namebase = namebase; 413 fdcon[s].c_namebase = namebase;
@@ -654,7 +678,7 @@ static void
654usage(void) 678usage(void)
655{ 679{
656 fprintf(stderr, 680 fprintf(stderr,
657 "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]\n" 681 "usage: %s [-46Hcv] [-f file] [-p port] [-T timeout] [-t type]\n"
658 "\t\t [host | addrlist namelist] ...\n", 682 "\t\t [host | addrlist namelist] ...\n",
659 __progname); 683 __progname);
660 exit(1); 684 exit(1);
@@ -682,11 +706,14 @@ main(int argc, char **argv)
682 if (argc <= 1) 706 if (argc <= 1)
683 usage(); 707 usage();
684 708
685 while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) { 709 while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
686 switch (opt) { 710 switch (opt) {
687 case 'H': 711 case 'H':
688 hash_hosts = 1; 712 hash_hosts = 1;
689 break; 713 break;
714 case 'c':
715 get_cert = 1;
716 break;
690 case 'p': 717 case 'p':
691 ssh_port = a2port(optarg); 718 ssh_port = a2port(optarg);
692 if (ssh_port <= 0) { 719 if (ssh_port <= 0) {