-rw-r--r-- | ssh-keygen.1 | 10 | ||||
-rw-r--r-- | ssh-keygen.c | 17 |
2 files changed, 20 insertions, 7 deletions
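diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 474f4294a..0c284a295 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.155 2019/01/22 11:40:42 djm Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.156 2019/01/23 04:51:02 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 22 2019 $
+.Dd $Mdocdate: January 23 2019 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -640,6 +640,12 @@ OpenSSH format file and print an OpenSSH public key to stdout.
 .It Fl z Ar serial_number
 Specifies a serial number to be embedded in the certificate to distinguish
 this certificate from others from the same CA.
+If the
+.Ar serial_number
+is prefixed with a
+.Sq +
+character, then the serial number will be incremented for each certificate
+signed on a single command-line.
 The default serial number is zero.
 .Pp
 When generating a KRL, the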
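diff --git a/ssh-keygen.c b/ssh-keygen.c
index ffb92fd94..992491f15 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.325 2019/01/23 04:16:22 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.326 2019/01/23 04:51:02 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1645,7 +1645,8 @@ agent_signer(const struct sshkey *key, u_char **sigp, size_t *lenp,
 
 static void
 do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
-    unsigned long long cert_serial, int argc, char **argv)
+    unsigned long long cert_serial, int cert_serial_autoinc,
+    int argc, char **argv)
 {
 	int r, i, fd, found, agent_fd = -1;
 	u_int n;
@@ -1785,6 +1786,8 @@ do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
 
 		sshkey_free(public);
 		free(out);
+		if (cert_serial_autoinc)
+			cert_serial++;
 	}
 #ifdef ENABLE_PKCS11
 	pkcs11_terminate();
@@ -2414,7 +2417,7 @@ main(int argc, char **argv)
 	int find_host = 0, delete_host = 0, hash_hosts = 0;
 	int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;
 	int prefer_agent = 0, convert_to = 0, convert_from = 0;
-	int print_public = 0, print_generic = 0;
+	int print_public = 0, print_generic = 0, cert_serial_autoinc = 0;
 	unsigned long long cert_serial = 0;
 	char *identity_comment = NULL, *ca_key_path = NULL;
 	u_int bits = 0;
@@ -2610,6 +2613,10 @@ main(int argc, char **argv)
 			break;
 		case 'z':
 			errno = 0;
+			if (*optarg == '+') {
+				cert_serial_autoinc = 1;
+				optarg++;
+			}
 			cert_serial = strtoull(optarg, &ep, 10);
 			if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||
 			    (errno == ERANGE && cert_serial == ULLONG_MAX))
@@ -2700,8 +2707,8 @@ main(int argc, char **argv)
 	if (ca_key_path != NULL) {
 		if (cert_key_id == NULL)
 			fatal("Must specify key id (-I) when certifying");
-		do_ca_sign(pw, ca_key_path, prefer_agent, cert_serial,
-		    argc, argv);
+		do_ca_sign(pw, ca_key_path, prefer_agent,
+		    cert_serial, cert_serial_autoinc, argc, argv);
 	}
 	if (show_cert)
 		do_show_cert(pw);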
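Review bot: The `cert_serial++` added at new line 1790 wraps to 0 once `cert_serial` reaches ULLONG_MAX, so `-z +18446744073709551615` with more than one key file silently gives the second certificate the default serial 0, which defeats the serial's purpose of distinguishing certificates of the same CA and of identifying one in a KRL. The parser at new lines 2620-2623 accepts ULLONG_MAX exactly (only an ERANGE overflow is rejected), so the wrap is reachable from the command line; a cheap guard is to fail before any key is signed rather than reuse a serial, e.g. in the `ca_key_path != NULL` block at new line 2707: `if (cert_serial_autoinc && argc > 1 && cert_serial > ULLONG_MAX - (argc - 1)) fatal("certificate serial number would overflow");`, assuming argc has already been reduced to the count of key files at that point, as its use as the do_ca_sign argument suggests. A one-line comment above the increment, `/* -z +N: each key signed on this command line gets the next serial */`, would also make the autoinc contract visible inside do_ca_sign, whose body continues outside the hunk.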