Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 194 |
1 files changed, 104 insertions, 90 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index 2a316bcea..23058ee99 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-keygen.c,v 1.241 2014/02/05 20:13:25 naddy Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.249 2014/07/03 03:47:27 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -165,7 +165,7 @@ int rounds = 0; | |||
165 | /* argv0 */ | 165 | /* argv0 */ |
166 | extern char *__progname; | 166 | extern char *__progname; |
167 | 167 | ||
168 | char hostname[MAXHOSTNAMELEN]; | 168 | char hostname[NI_MAXHOST]; |
169 | 169 | ||
170 | /* moduli.c */ | 170 | /* moduli.c */ |
171 | int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); | 171 | int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); |
@@ -195,6 +195,7 @@ type_bits_valid(int type, u_int32_t *bitsp) | |||
195 | fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); | 195 | fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); |
196 | exit(1); | 196 | exit(1); |
197 | } | 197 | } |
198 | #ifdef WITH_OPENSSL | ||
198 | if (type == KEY_DSA && *bitsp != 1024) | 199 | if (type == KEY_DSA && *bitsp != 1024) |
199 | fatal("DSA keys must be 1024 bits"); | 200 | fatal("DSA keys must be 1024 bits"); |
200 | else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) | 201 | else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) |
@@ -202,6 +203,7 @@ type_bits_valid(int type, u_int32_t *bitsp) | |||
202 | else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) | 203 | else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) |
203 | fatal("Invalid ECDSA key length - valid lengths are " | 204 | fatal("Invalid ECDSA key length - valid lengths are " |
204 | "256, 384 or 521 bits"); | 205 | "256, 384 or 521 bits"); |
206 | #endif | ||
205 | } | 207 | } |
206 | 208 | ||
207 | static void | 209 | static void |
@@ -278,6 +280,7 @@ load_identity(char *filename) | |||
278 | #define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----" | 280 | #define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----" |
279 | #define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb | 281 | #define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb |
280 | 282 | ||
283 | #ifdef WITH_OPENSSL | ||
281 | static void | 284 | static void |
282 | do_convert_to_ssh2(struct passwd *pw, Key *k) | 285 | do_convert_to_ssh2(struct passwd *pw, Key *k) |
283 | { | 286 | { |
@@ -408,7 +411,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) | |||
408 | Buffer b; | 411 | Buffer b; |
409 | Key *key = NULL; | 412 | Key *key = NULL; |
410 | char *type, *cipher; | 413 | char *type, *cipher; |
411 | u_char *sig, data[] = "abcde12345"; | 414 | u_char *sig = NULL, data[] = "abcde12345"; |
412 | int magic, rlen, ktype, i1, i2, i3, i4; | 415 | int magic, rlen, ktype, i1, i2, i3, i4; |
413 | u_int slen; | 416 | u_int slen; |
414 | u_long e; | 417 | u_long e; |
@@ -479,7 +482,9 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen) | |||
479 | buffer_get_bignum_bits(&b, key->rsa->iqmp); | 482 | buffer_get_bignum_bits(&b, key->rsa->iqmp); |
480 | buffer_get_bignum_bits(&b, key->rsa->q); | 483 | buffer_get_bignum_bits(&b, key->rsa->q); |
481 | buffer_get_bignum_bits(&b, key->rsa->p); | 484 | buffer_get_bignum_bits(&b, key->rsa->p); |
482 | rsa_generate_additional_parameters(key->rsa); | 485 | if (rsa_generate_additional_parameters(key->rsa) != 0) |
486 | fatal("%s: rsa_generate_additional_parameters " | ||
487 | "error", __func__); | ||
483 | break; | 488 | break; |
484 | } | 489 | } |
485 | rlen = buffer_len(&b); | 490 | rlen = buffer_len(&b); |
@@ -711,6 +716,7 @@ do_convert_from(struct passwd *pw) | |||
711 | key_free(k); | 716 | key_free(k); |
712 | exit(0); | 717 | exit(0); |
713 | } | 718 | } |
719 | #endif | ||
714 | 720 | ||
715 | static void | 721 | static void |
716 | do_print_public(struct passwd *pw) | 722 | do_print_public(struct passwd *pw) |
@@ -981,7 +987,7 @@ do_gen_all_hostkeys(struct passwd *pw) | |||
981 | } | 987 | } |
982 | 988 | ||
983 | static void | 989 | static void |
984 | printhost(FILE *f, const char *name, Key *public, int ca, int hash) | 990 | printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash) |
985 | { | 991 | { |
986 | if (print_fingerprint) { | 992 | if (print_fingerprint) { |
987 | enum fp_rep rep; | 993 | enum fp_rep rep; |
@@ -1001,7 +1007,8 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash) | |||
1001 | } else { | 1007 | } else { |
1002 | if (hash && (name = host_hash(name, NULL, 0)) == NULL) | 1008 | if (hash && (name = host_hash(name, NULL, 0)) == NULL) |
1003 | fatal("hash_host failed"); | 1009 | fatal("hash_host failed"); |
1004 | fprintf(f, "%s%s%s ", ca ? CA_MARKER : "", ca ? " " : "", name); | 1010 | fprintf(f, "%s%s%s ", ca ? CA_MARKER " " : "", |
1011 | revoked ? REVOKE_MARKER " " : "" , name); | ||
1005 | if (!key_write(public, f)) | 1012 | if (!key_write(public, f)) |
1006 | fatal("key_write failed"); | 1013 | fatal("key_write failed"); |
1007 | fprintf(f, "\n"); | 1014 | fprintf(f, "\n"); |
@@ -1016,7 +1023,7 @@ do_known_hosts(struct passwd *pw, const char *name) | |||
1016 | char *cp, *cp2, *kp, *kp2; | 1023 | char *cp, *cp2, *kp, *kp2; |
1017 | char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN]; | 1024 | char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN]; |
1018 | int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; | 1025 | int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; |
1019 | int ca; | 1026 | int ca, revoked; |
1020 | int found_key = 0; | 1027 | int found_key = 0; |
1021 | 1028 | ||
1022 | if (!have_identity) { | 1029 | if (!have_identity) { |
@@ -1030,6 +1037,7 @@ do_known_hosts(struct passwd *pw, const char *name) | |||
1030 | if ((in = fopen(identity_file, "r")) == NULL) | 1037 | if ((in = fopen(identity_file, "r")) == NULL) |
1031 | fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); | 1038 | fatal("%s: %s: %s", __progname, identity_file, strerror(errno)); |
1032 | 1039 | ||
1040 | /* XXX this code is a mess; refactor -djm */ | ||
1033 | /* | 1041 | /* |
1034 | * Find hosts goes to stdout, hash and deletions happen in-place | 1042 | * Find hosts goes to stdout, hash and deletions happen in-place |
1035 | * A corner case is ssh-keygen -HF foo, which should go to stdout | 1043 | * A corner case is ssh-keygen -HF foo, which should go to stdout |
@@ -1073,7 +1081,7 @@ do_known_hosts(struct passwd *pw, const char *name) | |||
1073 | fprintf(out, "%s\n", cp); | 1081 | fprintf(out, "%s\n", cp); |
1074 | continue; | 1082 | continue; |
1075 | } | 1083 | } |
1076 | /* Check whether this is a CA key */ | 1084 | /* Check whether this is a CA key or revocation marker */ |
1077 | if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 && | 1085 | if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 && |
1078 | (cp[sizeof(CA_MARKER) - 1] == ' ' || | 1086 | (cp[sizeof(CA_MARKER) - 1] == ' ' || |
1079 | cp[sizeof(CA_MARKER) - 1] == '\t')) { | 1087 | cp[sizeof(CA_MARKER) - 1] == '\t')) { |
@@ -1081,6 +1089,14 @@ do_known_hosts(struct passwd *pw, const char *name) | |||
1081 | cp += sizeof(CA_MARKER); | 1089 | cp += sizeof(CA_MARKER); |
1082 | } else | 1090 | } else |
1083 | ca = 0; | 1091 | ca = 0; |
1092 | if (strncasecmp(cp, REVOKE_MARKER, | ||
1093 | sizeof(REVOKE_MARKER) - 1) == 0 && | ||
1094 | (cp[sizeof(REVOKE_MARKER) - 1] == ' ' || | ||
1095 | cp[sizeof(REVOKE_MARKER) - 1] == '\t')) { | ||
1096 | revoked = 1; | ||
1097 | cp += sizeof(REVOKE_MARKER); | ||
1098 | } else | ||
1099 | revoked = 0; | ||
1084 | 1100 | ||
1085 | /* Find the end of the host name portion. */ | 1101 | /* Find the end of the host name portion. */ |
1086 | for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++) | 1102 | for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++) |
@@ -1124,20 +1140,23 @@ do_known_hosts(struct passwd *pw, const char *name) | |||
1124 | printf("# Host %s found: " | 1140 | printf("# Host %s found: " |
1125 | "line %d type %s%s\n", name, | 1141 | "line %d type %s%s\n", name, |
1126 | num, key_type(pub), | 1142 | num, key_type(pub), |
1127 | ca ? " (CA key)" : ""); | 1143 | ca ? " (CA key)" : |
1128 | printhost(out, cp, pub, ca, 0); | 1144 | revoked? " (revoked)" : ""); |
1145 | printhost(out, cp, pub, ca, revoked, 0); | ||
1129 | found_key = 1; | 1146 | found_key = 1; |
1130 | } | 1147 | } |
1131 | if (delete_host) { | 1148 | if (delete_host) { |
1132 | if (!c && !ca) | 1149 | if (!c || ca || revoked) { |
1133 | printhost(out, cp, pub, ca, 0); | 1150 | printhost(out, cp, pub, |
1134 | else | 1151 | ca, revoked, 0); |
1152 | } else { | ||
1135 | printf("# Host %s found: " | 1153 | printf("# Host %s found: " |
1136 | "line %d type %s\n", name, | 1154 | "line %d type %s\n", name, |
1137 | num, key_type(pub)); | 1155 | num, key_type(pub)); |
1156 | } | ||
1138 | } | 1157 | } |
1139 | } else if (hash_hosts) | 1158 | } else if (hash_hosts) |
1140 | printhost(out, cp, pub, ca, 0); | 1159 | printhost(out, cp, pub, ca, revoked, 0); |
1141 | } else { | 1160 | } else { |
1142 | if (find_host || delete_host) { | 1161 | if (find_host || delete_host) { |
1143 | c = (match_hostname(name, cp, | 1162 | c = (match_hostname(name, cp, |
@@ -1148,38 +1167,43 @@ do_known_hosts(struct passwd *pw, const char *name) | |||
1148 | "line %d type %s%s\n", name, | 1167 | "line %d type %s%s\n", name, |
1149 | num, key_type(pub), | 1168 | num, key_type(pub), |
1150 | ca ? " (CA key)" : ""); | 1169 | ca ? " (CA key)" : ""); |
1151 | printhost(out, name, pub, | 1170 | printhost(out, name, pub, ca, revoked, |
1152 | ca, hash_hosts && !ca); | 1171 | hash_hosts && !(ca || revoked)); |
1153 | found_key = 1; | 1172 | found_key = 1; |
1154 | } | 1173 | } |
1155 | if (delete_host) { | 1174 | if (delete_host) { |
1156 | if (!c && !ca) | 1175 | if (!c || ca || revoked) { |
1157 | printhost(out, cp, pub, ca, 0); | 1176 | printhost(out, cp, pub, |
1158 | else | 1177 | ca, revoked, 0); |
1178 | } else { | ||
1159 | printf("# Host %s found: " | 1179 | printf("# Host %s found: " |
1160 | "line %d type %s\n", name, | 1180 | "line %d type %s\n", name, |
1161 | num, key_type(pub)); | 1181 | num, key_type(pub)); |
1182 | } | ||
1162 | } | 1183 | } |
1184 | } else if (hash_hosts && (ca || revoked)) { | ||
1185 | /* Don't hash CA and revoked keys' hostnames */ | ||
1186 | printhost(out, cp, pub, ca, revoked, 0); | ||
1187 | has_unhashed = 1; | ||
1163 | } else if (hash_hosts) { | 1188 | } else if (hash_hosts) { |
1189 | /* Hash each hostname separately */ | ||
1164 | for (cp2 = strsep(&cp, ","); | 1190 | for (cp2 = strsep(&cp, ","); |
1165 | cp2 != NULL && *cp2 != '\0'; | 1191 | cp2 != NULL && *cp2 != '\0'; |
1166 | cp2 = strsep(&cp, ",")) { | 1192 | cp2 = strsep(&cp, ",")) { |
1167 | if (ca) { | 1193 | if (strcspn(cp2, "*?!") != |
1168 | fprintf(stderr, "Warning: " | ||
1169 | "ignoring CA key for host: " | ||
1170 | "%.64s\n", cp2); | ||
1171 | printhost(out, cp2, pub, ca, 0); | ||
1172 | } else if (strcspn(cp2, "*?!") != | ||
1173 | strlen(cp2)) { | 1194 | strlen(cp2)) { |
1174 | fprintf(stderr, "Warning: " | 1195 | fprintf(stderr, "Warning: " |
1175 | "ignoring host name with " | 1196 | "ignoring host name with " |
1176 | "metacharacters: %.64s\n", | 1197 | "metacharacters: %.64s\n", |
1177 | cp2); | 1198 | cp2); |
1178 | printhost(out, cp2, pub, ca, 0); | 1199 | printhost(out, cp2, pub, ca, |
1179 | } else | 1200 | revoked, 0); |
1180 | printhost(out, cp2, pub, ca, 1); | 1201 | has_unhashed = 1; |
1202 | } else { | ||
1203 | printhost(out, cp2, pub, ca, | ||
1204 | revoked, 1); | ||
1205 | } | ||
1181 | } | 1206 | } |
1182 | has_unhashed = 1; | ||
1183 | } | 1207 | } |
1184 | } | 1208 | } |
1185 | key_free(pub); | 1209 | key_free(pub); |
@@ -1589,7 +1613,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) | |||
1589 | } | 1613 | } |
1590 | } | 1614 | } |
1591 | 1615 | ||
1616 | #ifdef ENABLE_PKCS11 | ||
1592 | pkcs11_init(1); | 1617 | pkcs11_init(1); |
1618 | #endif | ||
1593 | tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); | 1619 | tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); |
1594 | if (pkcs11provider != NULL) { | 1620 | if (pkcs11provider != NULL) { |
1595 | if ((ca = load_pkcs11_key(tmp)) == NULL) | 1621 | if ((ca = load_pkcs11_key(tmp)) == NULL) |
@@ -1631,12 +1657,12 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) | |||
1631 | public->cert->valid_after = cert_valid_from; | 1657 | public->cert->valid_after = cert_valid_from; |
1632 | public->cert->valid_before = cert_valid_to; | 1658 | public->cert->valid_before = cert_valid_to; |
1633 | if (v00) { | 1659 | if (v00) { |
1634 | prepare_options_buf(&public->cert->critical, | 1660 | prepare_options_buf(public->cert->critical, |
1635 | OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); | 1661 | OPTIONS_CRITICAL|OPTIONS_EXTENSIONS); |
1636 | } else { | 1662 | } else { |
1637 | prepare_options_buf(&public->cert->critical, | 1663 | prepare_options_buf(public->cert->critical, |
1638 | OPTIONS_CRITICAL); | 1664 | OPTIONS_CRITICAL); |
1639 | prepare_options_buf(&public->cert->extensions, | 1665 | prepare_options_buf(public->cert->extensions, |
1640 | OPTIONS_EXTENSIONS); | 1666 | OPTIONS_EXTENSIONS); |
1641 | } | 1667 | } |
1642 | public->cert->signature_key = key_from_private(ca); | 1668 | public->cert->signature_key = key_from_private(ca); |
@@ -1672,7 +1698,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv) | |||
1672 | key_free(public); | 1698 | key_free(public); |
1673 | free(out); | 1699 | free(out); |
1674 | } | 1700 | } |
1701 | #ifdef ENABLE_PKCS11 | ||
1675 | pkcs11_terminate(); | 1702 | pkcs11_terminate(); |
1703 | #endif | ||
1676 | exit(0); | 1704 | exit(0); |
1677 | } | 1705 | } |
1678 | 1706 | ||
@@ -1820,8 +1848,8 @@ add_cert_option(char *opt) | |||
1820 | static void | 1848 | static void |
1821 | show_options(const Buffer *optbuf, int v00, int in_critical) | 1849 | show_options(const Buffer *optbuf, int v00, int in_critical) |
1822 | { | 1850 | { |
1823 | char *name; | 1851 | char *name, *arg; |
1824 | u_char *data; | 1852 | const u_char *data; |
1825 | u_int dlen; | 1853 | u_int dlen; |
1826 | Buffer options, option; | 1854 | Buffer options, option; |
1827 | 1855 | ||
@@ -1844,9 +1872,9 @@ show_options(const Buffer *optbuf, int v00, int in_critical) | |||
1844 | else if ((v00 || in_critical) && | 1872 | else if ((v00 || in_critical) && |
1845 | (strcmp(name, "force-command") == 0 || | 1873 | (strcmp(name, "force-command") == 0 || |
1846 | strcmp(name, "source-address") == 0)) { | 1874 | strcmp(name, "source-address") == 0)) { |
1847 | data = buffer_get_string(&option, NULL); | 1875 | arg = buffer_get_cstring(&option, NULL); |
1848 | printf(" %s\n", data); | 1876 | printf(" %s\n", arg); |
1849 | free(data); | 1877 | free(arg); |
1850 | } else { | 1878 | } else { |
1851 | printf(" UNKNOWN OPTION (len %u)\n", | 1879 | printf(" UNKNOWN OPTION (len %u)\n", |
1852 | buffer_len(&option)); | 1880 | buffer_len(&option)); |
@@ -1905,24 +1933,25 @@ do_show_cert(struct passwd *pw) | |||
1905 | printf("\n"); | 1933 | printf("\n"); |
1906 | } | 1934 | } |
1907 | printf(" Critical Options: "); | 1935 | printf(" Critical Options: "); |
1908 | if (buffer_len(&key->cert->critical) == 0) | 1936 | if (buffer_len(key->cert->critical) == 0) |
1909 | printf("(none)\n"); | 1937 | printf("(none)\n"); |
1910 | else { | 1938 | else { |
1911 | printf("\n"); | 1939 | printf("\n"); |
1912 | show_options(&key->cert->critical, v00, 1); | 1940 | show_options(key->cert->critical, v00, 1); |
1913 | } | 1941 | } |
1914 | if (!v00) { | 1942 | if (!v00) { |
1915 | printf(" Extensions: "); | 1943 | printf(" Extensions: "); |
1916 | if (buffer_len(&key->cert->extensions) == 0) | 1944 | if (buffer_len(key->cert->extensions) == 0) |
1917 | printf("(none)\n"); | 1945 | printf("(none)\n"); |
1918 | else { | 1946 | else { |
1919 | printf("\n"); | 1947 | printf("\n"); |
1920 | show_options(&key->cert->extensions, v00, 0); | 1948 | show_options(key->cert->extensions, v00, 0); |
1921 | } | 1949 | } |
1922 | } | 1950 | } |
1923 | exit(0); | 1951 | exit(0); |
1924 | } | 1952 | } |
1925 | 1953 | ||
1954 | #ifdef WITH_OPENSSL | ||
1926 | static void | 1955 | static void |
1927 | load_krl(const char *path, struct ssh_krl **krlp) | 1956 | load_krl(const char *path, struct ssh_krl **krlp) |
1928 | { | 1957 | { |
@@ -2145,60 +2174,40 @@ do_check_krl(struct passwd *pw, int argc, char **argv) | |||
2145 | ssh_krl_free(krl); | 2174 | ssh_krl_free(krl); |
2146 | exit(ret); | 2175 | exit(ret); |
2147 | } | 2176 | } |
2177 | #endif | ||
2148 | 2178 | ||
2149 | static void | 2179 | static void |
2150 | usage(void) | 2180 | usage(void) |
2151 | { | 2181 | { |
2152 | fprintf(stderr, "usage: %s [options]\n", __progname); | 2182 | fprintf(stderr, |
2153 | fprintf(stderr, "Options:\n"); | 2183 | "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]\n" |
2154 | fprintf(stderr, " -A Generate non-existent host keys for all key types.\n"); | 2184 | " [-N new_passphrase] [-C comment] [-f output_keyfile]\n" |
2155 | fprintf(stderr, " -a number Number of KDF rounds for new key format or moduli primality tests.\n"); | 2185 | " ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n" |
2156 | fprintf(stderr, " -B Show bubblebabble digest of key file.\n"); | 2186 | " ssh-keygen -i [-m key_format] [-f input_keyfile]\n" |
2157 | fprintf(stderr, " -b bits Number of bits in the key to create.\n"); | 2187 | " ssh-keygen -e [-m key_format] [-f input_keyfile]\n" |
2158 | fprintf(stderr, " -C comment Provide new comment.\n"); | 2188 | " ssh-keygen -y [-f input_keyfile]\n" |
2159 | fprintf(stderr, " -c Change comment in private and public key files.\n"); | 2189 | " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n" |
2190 | " ssh-keygen -l [-f input_keyfile]\n" | ||
2191 | " ssh-keygen -B [-f input_keyfile]\n"); | ||
2160 | #ifdef ENABLE_PKCS11 | 2192 | #ifdef ENABLE_PKCS11 |
2161 | fprintf(stderr, " -D pkcs11 Download public key from pkcs11 token.\n"); | 2193 | fprintf(stderr, |
2194 | " ssh-keygen -D pkcs11\n"); | ||
2162 | #endif | 2195 | #endif |
2163 | fprintf(stderr, " -e Export OpenSSH to foreign format key file.\n"); | 2196 | fprintf(stderr, |
2164 | fprintf(stderr, " -F hostname Find hostname in known hosts file.\n"); | 2197 | " ssh-keygen -F hostname [-f known_hosts_file] [-l]\n" |
2165 | fprintf(stderr, " -f filename Filename of the key file.\n"); | 2198 | " ssh-keygen -H [-f known_hosts_file]\n" |
2166 | fprintf(stderr, " -G file Generate candidates for DH-GEX moduli.\n"); | 2199 | " ssh-keygen -R hostname [-f known_hosts_file]\n" |
2167 | fprintf(stderr, " -g Use generic DNS resource record format.\n"); | 2200 | " ssh-keygen -r hostname [-f input_keyfile] [-g]\n" |
2168 | fprintf(stderr, " -H Hash names in known_hosts file.\n"); | 2201 | " ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]\n" |
2169 | fprintf(stderr, " -h Generate host certificate instead of a user certificate.\n"); | 2202 | " ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n" |
2170 | fprintf(stderr, " -I key_id Key identifier to include in certificate.\n"); | 2203 | " [-j start_line] [-K checkpt] [-W generator]\n" |
2171 | fprintf(stderr, " -i Import foreign format to OpenSSH key file.\n"); | 2204 | " ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]\n" |
2172 | fprintf(stderr, " -J number Screen this number of moduli lines.\n"); | 2205 | " [-O option] [-V validity_interval] [-z serial_number] file ...\n" |
2173 | fprintf(stderr, " -j number Start screening moduli at specified line.\n"); | 2206 | " ssh-keygen -L [-f input_keyfile]\n" |
2174 | fprintf(stderr, " -K checkpt Write checkpoints to this file.\n"); | 2207 | " ssh-keygen -A\n" |
2175 | fprintf(stderr, " -k Generate a KRL file.\n"); | 2208 | " ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n" |
2176 | fprintf(stderr, " -L Print the contents of a certificate.\n"); | 2209 | " file ...\n" |
2177 | fprintf(stderr, " -l Show fingerprint of key file.\n"); | 2210 | " ssh-keygen -Q -f krl_file file ...\n"); |
2178 | fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n"); | ||
2179 | fprintf(stderr, " -m key_fmt Conversion format for -e/-i (PEM|PKCS8|RFC4716).\n"); | ||
2180 | fprintf(stderr, " -N phrase Provide new passphrase.\n"); | ||
2181 | fprintf(stderr, " -n name,... User/host principal names to include in certificate\n"); | ||
2182 | fprintf(stderr, " -O option Specify a certificate option.\n"); | ||
2183 | fprintf(stderr, " -o Enforce new private key format.\n"); | ||
2184 | fprintf(stderr, " -P phrase Provide old passphrase.\n"); | ||
2185 | fprintf(stderr, " -p Change passphrase of private key file.\n"); | ||
2186 | fprintf(stderr, " -Q Test whether key(s) are revoked in KRL.\n"); | ||
2187 | fprintf(stderr, " -q Quiet.\n"); | ||
2188 | fprintf(stderr, " -R hostname Remove host from known_hosts file.\n"); | ||
2189 | fprintf(stderr, " -r hostname Print DNS resource record.\n"); | ||
2190 | fprintf(stderr, " -S start Start point (hex) for generating DH-GEX moduli.\n"); | ||
2191 | fprintf(stderr, " -s ca_key Certify keys with CA key.\n"); | ||
2192 | fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n"); | ||
2193 | fprintf(stderr, " -t type Specify type of key to create.\n"); | ||
2194 | fprintf(stderr, " -u Update KRL rather than creating a new one.\n"); | ||
2195 | fprintf(stderr, " -V from:to Specify certificate validity interval.\n"); | ||
2196 | fprintf(stderr, " -v Verbose.\n"); | ||
2197 | fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n"); | ||
2198 | fprintf(stderr, " -y Read private key file and print public key.\n"); | ||
2199 | fprintf(stderr, " -Z cipher Specify a cipher for new private key format.\n"); | ||
2200 | fprintf(stderr, " -z serial Specify a serial number.\n"); | ||
2201 | |||
2202 | exit(1); | 2211 | exit(1); |
2203 | } | 2212 | } |
2204 | 2213 | ||
@@ -2469,6 +2478,7 @@ main(int argc, char **argv) | |||
2469 | printf("Cannot use -l with -H or -R.\n"); | 2478 | printf("Cannot use -l with -H or -R.\n"); |
2470 | usage(); | 2479 | usage(); |
2471 | } | 2480 | } |
2481 | #ifdef WITH_OPENSSL | ||
2472 | if (gen_krl) { | 2482 | if (gen_krl) { |
2473 | do_gen_krl(pw, update_krl, argc, argv); | 2483 | do_gen_krl(pw, update_krl, argc, argv); |
2474 | return (0); | 2484 | return (0); |
@@ -2477,6 +2487,7 @@ main(int argc, char **argv) | |||
2477 | do_check_krl(pw, argc, argv); | 2487 | do_check_krl(pw, argc, argv); |
2478 | return (0); | 2488 | return (0); |
2479 | } | 2489 | } |
2490 | #endif | ||
2480 | if (ca_key_path != NULL) { | 2491 | if (ca_key_path != NULL) { |
2481 | if (cert_key_id == NULL) | 2492 | if (cert_key_id == NULL) |
2482 | fatal("Must specify key id (-I) when certifying"); | 2493 | fatal("Must specify key id (-I) when certifying"); |
@@ -2494,10 +2505,12 @@ main(int argc, char **argv) | |||
2494 | do_change_passphrase(pw); | 2505 | do_change_passphrase(pw); |
2495 | if (change_comment) | 2506 | if (change_comment) |
2496 | do_change_comment(pw); | 2507 | do_change_comment(pw); |
2508 | #ifdef WITH_OPENSSL | ||
2497 | if (convert_to) | 2509 | if (convert_to) |
2498 | do_convert_to(pw); | 2510 | do_convert_to(pw); |
2499 | if (convert_from) | 2511 | if (convert_from) |
2500 | do_convert_from(pw); | 2512 | do_convert_from(pw); |
2513 | #endif | ||
2501 | if (print_public) | 2514 | if (print_public) |
2502 | do_print_public(pw); | 2515 | do_print_public(pw); |
2503 | if (rr_hostname != NULL) { | 2516 | if (rr_hostname != NULL) { |
@@ -2519,7 +2532,8 @@ main(int argc, char **argv) | |||
2519 | _PATH_HOST_DSA_KEY_FILE, rr_hostname); | 2532 | _PATH_HOST_DSA_KEY_FILE, rr_hostname); |
2520 | n += do_print_resource_record(pw, | 2533 | n += do_print_resource_record(pw, |
2521 | _PATH_HOST_ECDSA_KEY_FILE, rr_hostname); | 2534 | _PATH_HOST_ECDSA_KEY_FILE, rr_hostname); |
2522 | 2535 | n += do_print_resource_record(pw, | |
2536 | _PATH_HOST_ED25519_KEY_FILE, rr_hostname); | ||
2523 | if (n == 0) | 2537 | if (n == 0) |
2524 | fatal("no keys found."); | 2538 | fatal("no keys found."); |
2525 | exit(0); | 2539 | exit(0); |
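Review bot: In the main() hunks at new lines 2481–2490 and 2508–2513, wrapping the `gen_krl`/`do_check_krl` and `convert_to`/`convert_from` dispatches in `#ifdef WITH_OPENSSL` leaves no `#else` path, so in a build without OpenSSL a `-k`, `-Q`, `-e` or `-i` invocation falls through the remaining `if` chain and, as far as the visible flow shows, ends in the default key-generation action instead of an error; unless the option parser (outside these hunks) already rejects those flags in such a build, each guard should fail loudly, e.g. `#else` / `if (gen_krl) fatal("KRL support requires OpenSSL");` after the first block and `#else` / `if (convert_to || convert_from) fatal("key conversion requires OpenSSL");` after the second. The same silent-no-op pattern applies to the `#ifdef ENABLE_PKCS11` guards around `pkcs11_init`/`pkcs11_terminate` in do_ca_sign (new lines 1616–1618, 1701–1703), though there `load_pkcs11_key` presumably fails on its own. Separately, the rewritten usage() at new lines 2182–2210 drops the previously documented `-o`, `-Z cipher` and `-a rounds` (for key generation) from the synopsis while the options are still parsed elsewhere; consider restoring `[-o] [-a rounds] [-Z cipher]` on the first synopsis line or noting in a comment that the text intentionally mirrors the manual page. main() and do_ca_sign() both start and end outside these hunks.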