From 5cbe7ca18df76241a3772cef49e1f6e80709420d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Sep 2007 16:05:50 +1000 Subject: - sobrado@cvs.openbsd.org 2007/09/09 11:38:01 [ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.c] sort synopsis and options in ssh-agent(1); usage is lowercase ok jmc@ --- ssh-keygen.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ssh-keygen.c b/ssh-keygen.c index 04a9b939a..95b0ac850 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.160 2007/01/21 01:41:54 stevesk Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.161 2007/09/09 11:38:01 sobrado Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -1006,7 +1006,7 @@ do_change_comment(struct passwd *pw) static void usage(void) { - fprintf(stderr, "Usage: %s [options]\n", __progname); + fprintf(stderr, "usage: %s [options]\n", __progname); fprintf(stderr, "Options:\n"); fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n"); fprintf(stderr, " -B Show bubblebabble digest of key file.\n"); -- cgit v1.2.3 From 14b017d6f2277c83856489054e9c6c1428095bbb Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Sep 2007 16:09:15 +1000 Subject: - gilles@cvs.openbsd.org 2007/09/11 15:47:17 [session.c ssh-keygen.c sshlogin.c] use strcspn to properly overwrite '\n' in fgets returned buffer ok pyr@, ray@, millert@, moritz@, chl@ --- ChangeLog | 6 +++++- session.c | 7 ++++--- ssh-keygen.c | 8 +++----- sshlogin.c | 5 ++--- 4 files changed, 14 insertions(+), 12 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 6a200586a..b9a85da00 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -41,6 +41,10 @@ [sshpty.c] sort #include NB. RCS ID sync only + - gilles@cvs.openbsd.org 2007/09/11 15:47:17 + [session.c ssh-keygen.c sshlogin.c] + use strcspn to properly overwrite '\n' in fgets returned buffer + ok pyr@, ray@, millert@, moritz@, chl@ 20070914 - (dtucker) [openbsd-compat/bsd-asprintf.c] Plug mem leak in error path. @@ -3238,4 +3242,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4751 2007/09/17 06:07:32 djm Exp $ +$Id: ChangeLog,v 1.4752 2007/09/17 06:09:15 djm Exp $ diff --git a/session.c b/session.c index c19c2ac5a..2b0580b45 100644 --- a/session.c +++ b/session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: session.c,v 1.223 2007/08/23 02:55:51 djm Exp $ */ +/* $OpenBSD: session.c,v 1.224 2007/09/11 15:47:17 gilles Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -897,8 +897,9 @@ read_environment_file(char ***env, u_int *envsize, ; if (!*cp || *cp == '#' || *cp == '\n') continue; - if (strchr(cp, '\n')) - *strchr(cp, '\n') = '\0'; + + cp[strcspn(cp, "\n")] = '\0'; + value = strchr(cp, '='); if (value == NULL) { fprintf(stderr, "Bad line %u in %.100s\n", lineno, diff --git a/ssh-keygen.c b/ssh-keygen.c index 95b0ac850..2b2399c50 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.161 2007/09/09 11:38:01 sobrado Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.162 2007/09/11 15:47:17 gilles Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -141,8 +141,7 @@ ask_filename(struct passwd *pw, const char *prompt) fprintf(stderr, "%s (%s): ", prompt, identity_file); if (fgets(buf, sizeof(buf), stdin) == NULL) exit(1); - if (strchr(buf, '\n')) - *strchr(buf, '\n') = 0; + buf[strcspn(buf, "\n")] = '\0'; if (strcmp(buf, "") != 0) strlcpy(identity_file, buf, sizeof(identity_file)); have_identity = 1; 
@@ -962,8 +961,7 @@ do_change_comment(struct passwd *pw) key_free(private); exit(1); } - if (strchr(new_comment, '\n')) - *strchr(new_comment, '\n') = 0; + new_comment[strcspn(new_comment, "\n")] = '\0'; } /* Save the file using the new passphrase. */ diff --git a/sshlogin.c b/sshlogin.c index 0059ff8d0..cc35d6024 100644 --- a/sshlogin.c +++ b/sshlogin.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshlogin.c,v 1.25 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: sshlogin.c,v 1.26 2007/09/11 15:47:17 gilles Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -98,8 +98,7 @@ store_lastlog_message(const char *user, uid_t uid) if (last_login_time != 0) { time_string = ctime(&last_login_time); - if (strchr(time_string, '\n')) - *strchr(time_string, '\n') = '\0'; + time_string[strcspn(time_string, "\n")] = '\0'; if (strcmp(hostname, "") == 0) snprintf(buf, sizeof(buf), "Last login: %s\r\n", time_string); -- cgit v1.2.3 From 0f4ed693d655429ad544b36c7305216d155a2d4b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 26 Oct 2007 14:26:32 +1000 Subject: - chl@cvs.openbsd.org 2007/10/02 17:49:58 [ssh-keygen.c] handles zero-sized strings that fgets can return --- ChangeLog | 5 ++++- ssh-keygen.c | 16 +++++++--------- 2 files changed, 11 insertions(+), 10 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 6c5b78e75..a3cc1058b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,9 @@ - dtucker@cvs.openbsd.org 2007/09/29 00:25:51 [auth2.c] Remove unused prototype. ok djm@ + - chl@cvs.openbsd.org 2007/10/02 17:49:58 + [ssh-keygen.c] + handles zero-sized strings that fgets can return 20070927 - (dtucker) [configure.ac atomicio.c] Fall back to including if @@ -3301,4 +3304,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4766 2007/10/26 04:26:15 djm Exp $ +$Id: ChangeLog,v 1.4767 2007/10/26 04:26:32 djm Exp $ 
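Review bot: In store_lastlog_message, `time_string[strcspn(time_string, "\n")] = '\0';` still writes through the result of `ctime(&last_login_time)` without a NULL check, just as the removed strchr() pair did. ctime() may return NULL for a time value it cannot represent, and last_login_time presumably comes from an on-disk login record, so a corrupt entry would crash the login path at this line. Test `time_string != NULL` before the strcspn line and skip the "Last login" message when it fails. The function body starts and ends outside the hunk.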
diff --git a/ssh-keygen.c b/ssh-keygen.c index 2b2399c50..657937629 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.162 2007/09/11 15:47:17 gilles Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.163 2007/10/02 17:49:58 chl Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -535,8 +535,7 @@ do_fingerprint(struct passwd *pw) f = fopen(identity_file, "r"); if (f != NULL) { while (fgets(line, sizeof(line), f)) { - i = strlen(line) - 1; - if (line[i] != '\n') { + if ((cp = strchr(line, '\n')) == NULL) { error("line %d too long: %.40s...", num, line); skip = 1; continue; @@ -546,7 +545,7 @@ do_fingerprint(struct passwd *pw) skip = 0; continue; } - line[i] = '\0'; + *cp = '\0'; /* Skip leading whitespace, empty and comment lines. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) @@ -614,7 +613,7 @@ do_known_hosts(struct passwd *pw, const char *name) Key *public; char *cp, *cp2, *kp, *kp2; char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN]; - int c, i, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; + int c, skip = 0, inplace = 0, num = 1, invalid = 0, has_unhashed = 0; if (!have_identity) { cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid); @@ -649,19 +648,18 @@ do_known_hosts(struct passwd *pw, const char *name) } while (fgets(line, sizeof(line), in)) { - num++; - i = strlen(line) - 1; - if (line[i] != '\n') { + if ((cp = strchr(line, '\n')) == NULL) { error("line %d too long: %.40s...", num, line); skip = 1; invalid = 1; continue; } + num++; if (skip) { skip = 0; continue; } - line[i] = '\0'; + *cp = '\0'; /* Skip leading whitespace, empty and comment lines. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) -- cgit v1.2.3 From a8796f3fcc8584ad01ba0132a0ae1d7d1131febd Mon Sep 17 00:00:00 2001 
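Review bot: In do_known_hosts, initialising `num = 1` (hunk @@ -614) and moving `num++` below the too-long check (hunk @@ -649) makes every use of `num` after that check report a line number one too high: the first line passes the check with num == 1 and is then counted as 2. The strchr() test itself is a sound way to cope with a zero-length string from fgets(), since it no longer indexes `line[strlen(line) - 1]`. Keeping `num = 0` and reporting `num + 1` in the too-long error, `error("line %d too long: %.40s...", num + 1, line);`, keeps both kinds of message correct; a later commit on this page makes that change. The loop body continues outside the hunk.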
From: Damien Miller Date: Sun, 10 Feb 2008 22:24:30 +1100 Subject: - djm@cvs.openbsd.org 2008/01/19 22:22:58 [ssh-keygen.c] when hashing individual hosts (ssh-keygen -Hf hostname), make sure we hash just the specified hostname and not the entire hostspec from the keyfile. It may be of the form "hostname,ipaddr", which would lead to a hash that never matches. report and fix from jp AT devnull.cz --- ChangeLog | 8 +++++++- ssh-keygen.c | 7 ++++--- 2 files changed, 11 insertions(+), 4 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 38e905120..d96f47a11 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,12 @@ [sftp-client.c] fix remote handle leak in do_download() local file open error path; report and fix from sworley AT chkno.net + - djm@cvs.openbsd.org 2008/01/19 22:22:58 + [ssh-keygen.c] + when hashing individual hosts (ssh-keygen -Hf hostname), make sure we + hash just the specified hostname and not the entire hostspec from the + keyfile. It may be of the form "hostname,ipaddr", which would lead to + a hash that never matches. report and fix from jp AT devnull.cz 20080119 - (djm) Silence noice from expr in ssh-copy-id; patch from @@ -3551,4 +3557,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4824 2008/02/10 11:23:41 djm Exp $ +$Id: ChangeLog,v 1.4825 2008/02/10 11:24:30 djm Exp $ diff --git a/ssh-keygen.c b/ssh-keygen.c index 657937629..6a2c52017 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.163 2007/10/02 17:49:58 chl Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.164 2008/01/19 22:22:58 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland 
@@ -596,7 +596,7 @@ do_fingerprint(struct passwd *pw) } static void -print_host(FILE *f, char *name, Key *public, int hash) +print_host(FILE *f, const char *name, Key *public, int hash) { if (hash && (name = host_hash(name, NULL, 0)) == NULL) fatal("hash_host failed"); @@ -723,7 +723,8 @@ do_known_hosts(struct passwd *pw, const char *name) printf("# Host %s found: " "line %d type %s\n", name, num, key_type(public)); - print_host(out, cp, public, hash_hosts); + print_host(out, name, public, + hash_hosts); } if (delete_host && !c) print_host(out, cp, public, 0); -- cgit v1.2.3 From cb2fbb240718d7ca861f4d283711d6a54bc7a714 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 10 Feb 2008 22:24:55 +1100 Subject: - djm@cvs.openbsd.org 2008/01/19 22:37:19 [ssh-keygen.c] unbreak line numbering (broken in revision 1.164), fix error message --- ChangeLog | 5 ++++- ssh-keygen.c | 13 +++++++------ 2 files changed, 11 insertions(+), 7 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index d96f47a11..066349f4b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,9 @@ hash just the specified hostname and not the entire hostspec from the keyfile. It may be of the form "hostname,ipaddr", which would lead to a hash that never matches. report and fix from jp AT devnull.cz + - djm@cvs.openbsd.org 2008/01/19 22:37:19 + [ssh-keygen.c] + unbreak line numbering (broken in revision 1.164), fix error message 20080119 - (djm) Silence noice from expr in ssh-copy-id; patch from @@ -3557,4 +3560,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4825 2008/02/10 11:24:30 djm Exp $ +$Id: ChangeLog,v 1.4826 2008/02/10 11:24:55 djm Exp $ diff --git a/ssh-keygen.c b/ssh-keygen.c index 6a2c52017..adacbff0b 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
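Review bot: The call `print_host(out, name, public, hash_hosts);` in do_known_hosts needs a comment saying why `name` is passed instead of `cp`, because the delete_host branch just below still passes `cp` and the difference reads like an oversight. Suggested: `/* hash only the name searched for; cp may be "host,ip" and would never match once hashed */`. With hash_hosts unset, the found entry is now also printed with the searched name rather than the hostspec stored in the file, which may or may not be intended. The enclosing loop starts and ends outside the hunk.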
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.164 2008/01/19 22:22:58 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.165 2008/01/19 22:37:19 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -504,7 +504,7 @@ do_fingerprint(struct passwd *pw) FILE *f; Key *public; char *comment = NULL, *cp, *ep, line[16*1024], *fp; - int i, skip = 0, num = 1, invalid = 1; + int i, skip = 0, num = 0, invalid = 1; enum fp_rep rep; enum fp_type fptype; struct stat st; @@ -536,7 +536,8 @@ do_fingerprint(struct passwd *pw) if (f != NULL) { while (fgets(line, sizeof(line), f)) { if ((cp = strchr(line, '\n')) == NULL) { - error("line %d too long: %.40s...", num, line); + error("line %d too long: %.40s...", + num + 1, line); skip = 1; continue; } @@ -613,7 +614,7 @@ do_known_hosts(struct passwd *pw, const char *name) Key *public; char *cp, *cp2, *kp, *kp2; char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN]; - int c, skip = 0, inplace = 0, num = 1, invalid = 0, has_unhashed = 0; + int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0; if (!have_identity) { cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid); @@ -649,7 +650,7 @@ do_known_hosts(struct passwd *pw, const char *name) while (fgets(line, sizeof(line), in)) { if ((cp = strchr(line, '\n')) == NULL) { - error("line %d too long: %.40s...", num, line); + error("line %d too long: %.40s...", num + 1, line); skip = 1; invalid = 1; continue; @@ -748,7 +749,7 @@ do_known_hosts(struct passwd *pw, const char *name) fclose(in); if (invalid) { - fprintf(stderr, "%s is not a valid known_host file.\n", + fprintf(stderr, "%s is not a valid known_hosts file.\n", identity_file); if (inplace) { fprintf(stderr, "Not replacing existing known_hosts " -- cgit v1.2.3 From bfaaf960a0204d5ee8ed75af05104737a54b4a52 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Thu, 28 Feb 2008 19:13:52 +1100 Subject: - (dtucker) [includes.h ssh-add.c ssh-agent.c ssh-keygen.c ssh.c sshd.c openbsd-compat/openssl-compat.{c,h}] Bug #1437 Move the OpenSSL compat header to after OpenSSL headers, since some versions of OpenSSL have SSLeay_add_all_algorithms as a macro already. --- ChangeLog | 6 +++++- includes.h | 1 - openbsd-compat/openssl-compat.c | 6 ++++-- openbsd-compat/openssl-compat.h | 6 +++--- ssh-add.c | 1 + ssh-agent.c | 1 + ssh-keygen.c | 1 + ssh.c | 1 + sshd.c | 2 ++ 9 files changed, 18 insertions(+), 7 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 0bd8d901a..72261d650 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,10 @@ 20080228 - (dtucker) [configure.ac] Add -fstack-protector to LDFLAGS too, fixes linking problems on AIX with gcc 4.1.x. + - (dtucker) [includes.h ssh-add.c ssh-agent.c ssh-keygen.c ssh.c sshd.c + openbsd-compat/openssl-compat.{c,h}] Bug #1437 Move the OpenSSL compat + header to after OpenSSL headers, since some versions of OpenSSL have + SSLeay_add_all_algorithms as a macro already. 20080225 - (dtucker) [openbsd-compat/fake-rfc2553.h] rename ssh_gai_strerror hack @@ -3631,4 +3635,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4842 2008/02/28 04:01:13 dtucker Exp $ +$Id: ChangeLog,v 1.4843 2008/02/28 08:13:52 dtucker Exp $ diff --git a/includes.h b/includes.h index af231a9b3..9fcf1b023 100644 --- a/includes.h +++ b/includes.h @@ -166,7 +166,6 @@ #include "platform.h" #include "openbsd-compat/openbsd-compat.h" #include "openbsd-compat/bsd-nextstep.h" -#include "openbsd-compat/openssl-compat.h" #include "entropy.h" diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index 9c9cdb98e..49238ba80 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c 
@@ -1,4 +1,4 @@ -/* $Id: openssl-compat.c,v 1.5 2008/02/25 10:13:47 dtucker Exp $ */ +/* $Id: openssl-compat.c,v 1.6 2008/02/28 08:13:52 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker @@ -16,13 +16,15 @@ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS #include "includes.h" #ifdef USE_OPENSSL_ENGINE # include #endif +#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS +#include "openssl-compat.h" + #ifdef SSH_OLD_EVP int ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type, diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index f1d2f19fc..f53695aa8 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.10 2007/06/14 13:47:31 dtucker Exp $ */ +/* $Id: openssl-compat.h,v 1.11 2008/02/28 08:13:52 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker @@ -79,8 +79,8 @@ extern const EVP_CIPHER *evp_acss(void); # ifdef SSLeay_add_all_algorithms # undef SSLeay_add_all_algorithms # endif -# define SSLeay_add_all_algorithms() ssh_SSLeay_add_all_algorithms() -#endif +# define SSLeay_add_all_algorithms() ssh_SSLeay_add_all_algorithms() +# endif int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *, unsigned char *, int); diff --git a/ssh-add.c b/ssh-add.c index 7f654a97e..7a43282f2 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -42,6 +42,7 @@ #include #include +#include "openbsd-compat/openssl-compat.h" #include #include diff --git a/ssh-agent.c b/ssh-agent.c index f17948349..6f8727b33 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -51,6 +51,7 @@ #include #include +#include "openbsd-compat/openssl-compat.h" #include #include diff --git a/ssh-keygen.c b/ssh-keygen.c index adacbff0b..69b16e6f5 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -21,6 +21,7 @@ #include #include +#include "openbsd-compat/openssl-compat.h" #include #include 
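Review bot: Dropping the openssl-compat.h include from includes.h and re-adding it by hand in ssh-add.c, ssh-agent.c, ssh-keygen.c, ssh.c and sshd.c means any other source file that relied on the overloads now compiles silently against the unwrapped OpenSSL functions instead of failing. This diff alone does not show whether every file that calls the wrapped EVP functions or SSLeay_add_all_algorithms includes the header itself, so that is worth checking before merge. A short comment at each added include, for example `/* must follow the OpenSSL headers: redefines SSLeay_add_all_algorithms */`, would stop a later include-sorting pass from undoing the ordering.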
diff --git a/ssh.c b/ssh.c index fe2f1adfb..2ed76c9a1 100644 --- a/ssh.c +++ b/ssh.c @@ -72,6 +72,7 @@ #include #include +#include "openbsd-compat/openssl-compat.h" #include "xmalloc.h" #include "ssh.h" diff --git a/sshd.c b/sshd.c index 27c38ba53..9144bbaea 100644 --- a/sshd.c +++ b/sshd.c @@ -75,6 +75,8 @@ #include #include #include +#include "openbsd-compat/openssl-compat.h" + #ifdef HAVE_SECUREWARE #include #include -- cgit v1.2.3 From 0f7e910604a9858d71077a50bffca34299894895 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 8 Jun 2008 12:54:29 +1000 Subject: - djm@cvs.openbsd.org 2008/05/19 15:46:31 [ssh-keygen.c] support -l (print fingerprint) in combination with -F (find host) to search for a host in ~/.ssh/known_hosts and display its fingerprint; ok markus@ --- ChangeLog | 7 ++++++- ssh-keygen.c | 30 +++++++++++++++++++++++------- 2 files changed, 29 insertions(+), 8 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 0695b672a..1b2e5d8a9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,11 @@ we would send the modes corresponding to a zeroed struct termios, whereas we should have been sending an empty list of modes. Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@ + - djm@cvs.openbsd.org 2008/05/19 15:46:31 + [ssh-keygen.c] + support -l (print fingerprint) in combination with -F (find host) to + search for a host in ~/.ssh/known_hosts and display its fingerprint; + ok markus@ 20080604 - (djm) [openbsd-compat/bsd-arc4random.c] Fix math bug that caused bias @@ -4042,4 +4047,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4940 2008/06/08 02:53:20 dtucker Exp $ +$Id: ChangeLog,v 1.4941 2008/06/08 02:54:29 dtucker Exp $ diff --git a/ssh-keygen.c b/ssh-keygen.c index 69b16e6f5..a03c6575d 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.165 2008/01/19 22:37:19 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.166 2008/05/19 15:46:31 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -600,12 +600,24 @@ do_fingerprint(struct passwd *pw) static void print_host(FILE *f, const char *name, Key *public, int hash) { - if (hash && (name = host_hash(name, NULL, 0)) == NULL) - fatal("hash_host failed"); - fprintf(f, "%s ", name); - if (!key_write(public, f)) - fatal("key_write failed"); - fprintf(f, "\n"); + if (print_fingerprint) { + enum fp_rep rep; + enum fp_type fptype; + char *fp; + + fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; + rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; + fp = key_fingerprint(public, fptype, rep); + printf("%u %s %s\n", key_size(public), fp, name); + xfree(fp); + } else { + if (hash && (name = host_hash(name, NULL, 0)) == NULL) + fatal("hash_host failed"); + fprintf(f, "%s ", name); + if (!key_write(public, f)) + fatal("key_write failed"); + fprintf(f, "\n"); + } } static void @@ -1231,6 +1243,10 @@ main(int argc, char **argv) printf("Can only have one of -p and -c.\n"); usage(); } + if (print_fingerprint && (delete_host || hash_hosts)) { + printf("Cannot use -l with -D or -R.\n"); + usage(); + } if (delete_host || hash_hosts || find_host) do_known_hosts(pw, rr_hostname); if (print_fingerprint || print_bubblebabble) -- cgit v1.2.3 From 9c16ac926376ad87084ae78bac44a813ae5db21f Mon Sep 17 00:00:00 2001 
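Review bot: The new fingerprint branch of print_host writes with `printf(...)` and ignores the `f` argument, while the else branch sends everything to `f`. That is harmless only as long as every caller reaching this branch passes stdout; with any other stream the output would be split between two destinations. `fprintf(f, "%u %s %s\n", key_size(public), fp, name);` keeps the function's contract uniform. The `hash` argument is also ignored in this branch, which deserves a one-line comment.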
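Review bot: The message `Cannot use -l with -D or -R.` in main does not match the condition it reports. The test is `delete_host || hash_hosts`, and hashing is invoked elsewhere on this page as `ssh-keygen -Hf hostname`, so `-D` should read `-H`. Suggested: `printf("Cannot use -l with -H or -R.\n");`. main starts and ends outside the hunk.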
From: Darren Tucker Date: Fri, 13 Jun 2008 04:40:35 +1000 Subject: - grunk@cvs.openbsd.org 2008/06/11 21:01:35 [ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c sshconnect.c] Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the graphical hash visualization schemes known as "random art", and by Dan Kaminsky's musings on the subject during a BlackOp talk at the 23C3 in Berlin. Scientific publication (original paper): "Hash Visualization: a New Technique to improve Real-World Security", Perrig A. and Song D., 1999, International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99) http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf The algorithm used here is a worm crawling over a discrete plane, leaving a trace (augmenting the field) everywhere it goes. Movement is taken from dgst_raw 2bit-wise. Bumping into walls makes the respective movement vector be ignored for this turn, thus switching to the other color of the chessboard. Graphs are not unambiguous for now, because circles in graphs can be walked in either direction. discussions with several people, help, corrections and ok markus@ djm@ --- ChangeLog | 23 ++++++++++++- key.c | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- key.h | 5 +-- readconf.c | 20 ++++++++++-- readconf.h | 6 +++- ssh-keygen.1 | 9 ++--- ssh-keygen.c | 21 +++++++++--- ssh_config.5 | 8 +++-- sshconnect.c | 26 +++++++++++---- 9 files changed, 199 insertions(+), 24 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 14eb11514..70d5baa58 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -3,6 +3,27 @@ - jmc@cvs.openbsd.org 2008/06/11 07:30:37 [sshd.8] kill trailing whitespace; + - grunk@cvs.openbsd.org 2008/06/11 21:01:35 + [ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c + sshconnect.c] + Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the + graphical hash visualization schemes known as "random art", and by + Dan Kaminsky's musings on the subject during a BlackOp talk at the + 23C3 in Berlin. + Scientific publication (original paper): + "Hash Visualization: a New Technique to improve Real-World Security", + Perrig A. and Song D., 1999, International Workshop on Cryptographic + Techniques and E-Commerce (CrypTEC '99) + http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf + The algorithm used here is a worm crawling over a discrete plane, + leaving a trace (augmenting the field) everywhere it goes. + Movement is taken from dgst_raw 2bit-wise. Bumping into walls + makes the respective movement vector be ignored for this turn, + thus switching to the other color of the chessboard. + Graphs are not unambiguous for now, because circles in graphs can be + walked in either direction. + discussions with several people, + help, corrections and ok markus@ djm@ 20080611 - (djm) [channels.c configure.ac] @@ -4165,4 +4186,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4968 2008/06/12 18:32:00 dtucker Exp $ +$Id: ChangeLog,v 1.4969 2008/06/12 18:40:35 dtucker Exp $ diff --git a/key.c b/key.c index 62bf8361d..5d357a8d6 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.69 2007/07/12 05:48:05 ray Exp $ */ +/* $OpenBSD: key.c,v 1.70 2008/06/11 21:01:35 grunk Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,6 +35,7 @@ #include "includes.h" +#include #include #include 
@@ -295,6 +296,105 @@ key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len) return retval; } +/* + * Draw an ASCII-Art representing the fingerprint so human brain can + * profit from its built-in pattern recognition ability. + * This technique is called "random art" and can be found in some + * scientific publications like this original paper: + * + * "Hash Visualization: a New Technique to improve Real-World Security", + * Perrig A. and Song D., 1999, International Workshop on Cryptographic + * Techniques and E-Commerce (CrypTEC '99) + * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf + * + * The subject came up in a talk by Dan Kaminsky, too. + * + * If you see the picture is different, the key is different. + * If the picture looks the same, you still know nothing. + * + * The algorithm used here is a worm crawling over a discrete plane, + * leaving a trace (augmenting the field) everywhere it goes. + * Movement is taken from dgst_raw 2bit-wise. Bumping into walls + * makes the respective movement vector be ignored for this turn. + * Graphs are not unambiguous, because circles in graphs can be + * walked in either direction. + */ +#define FLDSIZE_Y 8 +#define FLDSIZE_X FLDSIZE_Y * 2 +static char * +key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len) +{ + /* + * Chars to be used after each other every time the worm + * intersects with itself. Matter of taste. 
+ */ + char *augmentation_string = " .o+=*BOX@%&#/^"; + char *retval, *p; + char field[FLDSIZE_X][FLDSIZE_Y]; + u_int i, b; + int x, y; + + retval = xcalloc(1, (FLDSIZE_X + 3) * (FLDSIZE_Y + 2)); + + /* initialize field */ + memset(field, ' ', FLDSIZE_X * FLDSIZE_Y * sizeof(char)); + x = FLDSIZE_X / 2; + y = FLDSIZE_Y / 2; + field[x][y] = '.'; + + /* process raw key */ + for (i = 0; i < dgst_raw_len; i++) { + int input; + /* each byte conveys four 2-bit move commands */ + input = dgst_raw[i]; + for (b = 0; b < 4; b++) { + /* evaluate 2 bit, rest is shifted later */ + x += (input & 0x1) ? 1 : -1; + y += (input & 0x2) ? 1 : -1; + + /* assure we are still in bounds */ + x = MAX(x, 0); + y = MAX(y, 0); + x = MIN(x, FLDSIZE_X - 1); + y = MIN(y, FLDSIZE_Y - 1); + + /* augment the field */ + p = strchr(augmentation_string, field[x][y]); + if (*++p != '\0') + field[x][y] = *p; + + input = input >> 2; + } + } + + /* fill in retval */ + p = retval; + + /* output upper border */ + *p++ = '+'; + for (i = 0; i < FLDSIZE_X; i++) + *p++ = '-'; + *p++ = '+'; + *p++ = '\n'; + + /* output content */ + for (y = 0; y < FLDSIZE_Y; y++) { + *p++ = '|'; + for (x = 0; x < FLDSIZE_X; x++) + *p++ = field[x][y]; + *p++ = '|'; + *p++ = '\n'; + } + + /* output lower border */ + *p++ = '+'; + for (i = 0; i < FLDSIZE_X; i++) + *p++ = '-'; + *p++ = '+'; + + return retval; +} + char * key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) { @@ -312,6 +412,9 @@ key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) case SSH_FP_BUBBLEBABBLE: retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len); break; + case SSH_FP_RANDOMART: + retval = key_fingerprint_randomart(dgst_raw, dgst_raw_len); + break; default: fatal("key_fingerprint_ex: bad digest representation %d", dgst_rep); diff --git a/key.h b/key.h index 6873dd793..14aac79c2 100644 --- a/key.h +++ b/key.h 
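Review bot: `#define FLDSIZE_X FLDSIZE_Y * 2` is not parenthesised, so a use next to an operator of equal or higher precedence expands wrongly; the uses in key_fingerprint_randomart (`FLDSIZE_X / 2`, `FLDSIZE_X - 1`, `FLDSIZE_X + 3`) only happen to evaluate as intended. This matters because the same macro sizes `field`, the clamp bounds and the `xcalloc` length, and the output loops fill exactly (FLDSIZE_X + 3) * (FLDSIZE_Y + 2) bytes including the terminator, with no slack. Define it as `#define FLDSIZE_X (FLDSIZE_Y * 2)`. Using `memset(field, ' ', sizeof(field));` and declaring `const char *augmentation_string` would further keep the sizes from drifting apart.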
@@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.26 2006/08/03 03:34:42 deraadt Exp $ */ +/* $OpenBSD: key.h,v 1.27 2008/06/11 21:01:35 grunk Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -42,7 +42,8 @@ enum fp_type { }; enum fp_rep { SSH_FP_HEX, - SSH_FP_BUBBLEBABBLE + SSH_FP_BUBBLEBABBLE, + SSH_FP_RANDOMART }; /* key is stored in external hardware */ diff --git a/readconf.c b/readconf.c index 3ddb4d392..1d61145c4 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.165 2008/01/19 23:09:49 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.166 2008/06/11 21:01:35 grunk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -452,7 +452,23 @@ parse_flag: case oCheckHostIP: intptr = &options->check_host_ip; - goto parse_flag; + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing CheckHostIP argument.", + filename, linenum); + value = 0; /* To avoid compiler warning... */ + if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0) + value = SSHCTL_CHECKHOSTIP_YES; + else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0) + value = SSHCTL_CHECKHOSTIP_NO; + else if (strcmp(arg, "fingerprint") == 0) + value = SSHCTL_CHECKHOSTIP_FPR; + else + fatal("%.200s line %d: Bad CheckHostIP argument.", + filename, linenum); + if (*activep && *intptr == -1) + *intptr = value; + break; case oVerifyHostKeyDNS: intptr = &options->verify_host_key_dns; diff --git a/readconf.h b/readconf.h index 6257f4b2f..5c16a0ba6 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.72 2008/01/19 23:09:49 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.73 2008/06/11 21:01:35 grunk Exp $ */ /* * Author: Tatu Ylonen @@ -123,6 +123,10 @@ typedef struct { } Options; +#define SSHCTL_CHECKHOSTIP_NO 0 +#define SSHCTL_CHECKHOSTIP_YES 1 +#define SSHCTL_CHECKHOSTIP_FPR 2 + #define SSHCTL_MASTER_NO 0 #define SSHCTL_MASTER_YES 1 #define SSHCTL_MASTER_AUTO 2 
diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 877935053..36249b288 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.75 2007/05/31 19:20:16 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.76 2008/06/11 21:01:35 grunk Exp $ .\" .\" -*- nroff -*- .\" @@ -37,7 +37,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 31 2007 $ +.Dd $Mdocdate: June 11 2008 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -257,11 +257,12 @@ RFC 4716 SSH Public Key File Format. This option allows importing keys from several commercial SSH implementations. .It Fl l -Show fingerprint of specified public key file. +Show fingerprint and ASCII art representation of specified public key file. Private RSA1 keys are also supported. For RSA and DSA keys .Nm -tries to find the matching public key file and prints its fingerprint. +tries to find the matching public key file and prints its fingerprint +and representation. .It Fl M Ar memory Specify the amount of memory to use (in megabytes) when generating candidate moduli for DH-GEX. diff --git a/ssh-keygen.c b/ssh-keygen.c index a03c6575d..c22e814da 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.166 2008/05/19 15:46:31 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.167 2008/06/11 21:01:35 grunk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -504,7 +504,7 @@ do_fingerprint(struct passwd *pw) { FILE *f; Key *public; - char *comment = NULL, *cp, *ep, line[16*1024], *fp; + char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra; int i, skip = 0, num = 0, invalid = 1; enum fp_rep rep; enum fp_type fptype; 
@@ -522,9 +522,12 @@ do_fingerprint(struct passwd *pw) public = key_load_public(identity_file, &comment); if (public != NULL) { fp = key_fingerprint(public, fptype, rep); + ra = key_fingerprint(public, fptype, rep); printf("%u %s %s\n", key_size(public), fp, comment); + verbose("%s\n", ra); key_free(public); xfree(comment); + xfree(ra); xfree(fp); exit(0); } @@ -582,8 +585,11 @@ do_fingerprint(struct passwd *pw) } comment = *cp ? cp : comment; fp = key_fingerprint(public, fptype, rep); + ra = key_fingerprint(public, fptype, SSH_FP_RANDOMART); printf("%u %s %s\n", key_size(public), fp, comment ? comment : "no comment"); + verbose("%s\n", ra); + xfree(ra); xfree(fp); key_free(public); invalid = 0; @@ -603,12 +609,14 @@ print_host(FILE *f, const char *name, Key *public, int hash) if (print_fingerprint) { enum fp_rep rep; enum fp_type fptype; - char *fp; + char *fp, *ra; fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; fp = key_fingerprint(public, fptype, rep); - printf("%u %s %s\n", key_size(public), fp, name); + ra = key_fingerprint(public, fptype, SSH_FP_RANDOMART); + printf("%u %s %s\n%s\n", key_size(public), fp, name, ra); + xfree(ra); xfree(fp); } else { if (hash && (name = host_hash(name, NULL, 0)) == NULL) @@ -1451,10 +1459,15 @@ passphrase_again: if (!quiet) { char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX); + char *ra = key_fingerprint(public, SSH_FP_MD5, + SSH_FP_RANDOMART); printf("Your public key has been saved in %s.\n", identity_file); printf("The key fingerprint is:\n"); printf("%s %s\n", fp, comment); + printf("The key's randomart image is:\n"); + printf("%s\n", ra); + xfree(ra); xfree(fp); } diff --git a/ssh_config.5 b/ssh_config.5 index d6f3fbf80..28ac724c8 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
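Review bot: In the first do_fingerprint hunk, `ra = key_fingerprint(public, fptype, rep);` passes `rep`, so `ra` is a second copy of the hex or bubblebabble fingerprint and the random art is never produced when a public key file is given. The per-line path further down in the same function uses `SSH_FP_RANDOMART`, and this call should match it: `ra = key_fingerprint(public, fptype, SSH_FP_RANDOMART);`. The function body continues outside the hunk.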
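Review bot: print_host now appends the random art to stdout unconditionally via `printf("%u %s %s\n%s\n", ...)`, whereas do_fingerprint emits it only through `verbose()`. Anything that parses the one-line output of `-l` combined with `-F` now receives extra lines, and the two code paths disagree on when the picture is shown. Consider keeping the original one-line printf and emitting the art the way do_fingerprint does, `verbose("%s\n", ra);`.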
@@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.106 2008/06/10 18:21:24 dtucker Exp $ -.Dd $Mdocdate: June 10 2008 $ +.\" $OpenBSD: ssh_config.5,v 1.107 2008/06/11 21:01:35 grunk Exp $ +.Dd $Mdocdate: June 11 2008 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -161,6 +161,10 @@ will additionally check the host IP address in the file. This allows ssh to detect if a host key changed due to DNS spoofing. If the option is set to +.Dq fingerprint , +not only the host IP address will be checked, but also an ASCII art +representation of the key will be printed. +If the option is set to .Dq no , the check will not be executed. The default is diff --git a/sshconnect.c b/sshconnect.c index a604c9724..151299614 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sshconnect.c,v 1.203 2007/12/27 14:22:08 dtucker Exp $ */ +/* $OpenBSD: sshconnect.c,v 1.204 2008/06/11 21:01:35 grunk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -602,7 +602,7 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, Key *file_key; const char *type = key_type(host_key); char *ip = NULL, *host = NULL; - char hostline[1000], *hostp, *fp; + char hostline[1000], *hostp, *fp, *ra; HostStatus host_status; HostStatus ip_status; int r, local = 0, host_ip_differ = 0; @@ -740,6 +740,13 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, logit("Warning: Permanently added the %s host " "key for IP address '%.128s' to the list " "of known hosts.", type, ip); + } else if (options.check_host_ip == SSHCTL_CHECKHOSTIP_FPR) { + fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); + ra = key_fingerprint(host_key, SSH_FP_MD5, + SSH_FP_RANDOMART); + logit("Host key fingerprint is %s\n%s\n", fp, ra); + xfree(ra); + xfree(fp); } break; case HOST_NEW: 
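Review bot: The new `else if (options.check_host_ip == SSHCTL_CHECKHOSTIP_FPR)` arm in check_host_key (sshconnect.c, hunk at -740) hangs off the block that reports adding the host key for an IP address. The fingerprint and randomart therefore appear to be logged only when that earlier branch is not taken; its condition is outside the hunk, so this is inferred. A user who relies on the picture to notice a changed key would see it on some connections and not on others, which weakens the check the option is meant to support. Consider a separate `if (options.check_host_ip == SSHCTL_CHECKHOSTIP_FPR) {` after that block, with a comment such as `/* "fingerprint" mode: always show the known key's fingerprint and randomart */`.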
@@ -775,6 +782,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, snprintf(msg1, sizeof(msg1), "."); /* The default */ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); + ra = key_fingerprint(host_key, SSH_FP_MD5, + SSH_FP_RANDOMART); msg2[0] = '\0'; if (options.verify_host_key_dns) { if (matching_host_key_dns) @@ -789,10 +798,11 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, snprintf(msg, sizeof(msg), "The authenticity of host '%.200s (%s)' can't be " "established%s\n" - "%s key fingerprint is %s.\n%s" + "%s key fingerprint is %s.\n%s\n%s" "Are you sure you want to continue connecting " "(yes/no)? ", - host, ip, msg1, type, fp, msg2); + host, ip, msg1, type, fp, ra, msg2); + xfree(ra); xfree(fp); if (!confirm(msg)) goto fail; @@ -1063,18 +1073,20 @@ static int show_key_from_file(const char *file, const char *host, int keytype) { Key *found; - char *fp; + char *fp, *ra; int line, ret; found = key_new(keytype); if ((ret = lookup_key_in_hostfile_by_type(file, host, keytype, found, &line))) { fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); + ra = key_fingerprint(found, SSH_FP_MD5, SSH_FP_RANDOMART); logit("WARNING: %s key found for host %s\n" "in %s:%d\n" - "%s key fingerprint %s.", + "%s key fingerprint %s.\n%s\n", key_type(found), host, file, line, - key_type(found), fp); + key_type(found), fp, ra); + xfree(ra); xfree(fp); } key_free(found); -- cgit v1.2.3 From a376a32e8e4b955eb936f96f0900e95e2ea4d2f9 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 13 Jun 2008 04:42:14 +1000 Subject: - grunk@cvs.openbsd.org 2008/06/11 21:38:25 [ssh-keygen.c] ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub would not display you the random art as intended, spotted by canacar@ --- ChangeLog | 6 +++++- ssh-keygen.c | 6 +++--- 2 files changed, 8 insertions(+), 4 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 70d5baa58..a2019d231 100644 --- a/ChangeLog +++ b/ChangeLog 
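Review bot: The confirmation prompt built by `snprintf(msg, sizeof(msg), ...)` in check_host_key (hunk at -789) now also carries the multi-line randomart in `ra`, and the return value is still ignored. An over-long result would be cut silently at the tail, which is where the "Are you sure you want to continue connecting" question sits. `msg` is declared outside the hunk, so whether the added text still fits cannot be confirmed from here. Checking the result would make truncation visible, for example `r = snprintf(msg, sizeof(msg), ...);` followed by `if (r < 0 || (size_t)r >= sizeof(msg)) fatal("host key prompt truncated");`.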
@@ -24,6 +24,10 @@ walked in either direction. discussions with several people, help, corrections and ok markus@ djm@ + - grunk@cvs.openbsd.org 2008/06/11 21:38:25 + [ssh-keygen.c] + ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub + would not display you the random art as intended, spotted by canacar@ 20080611 - (djm) [channels.c configure.ac] @@ -4186,4 +4190,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4969 2008/06/12 18:40:35 dtucker Exp $ +$Id: ChangeLog,v 1.4970 2008/06/12 18:42:14 dtucker Exp $ diff --git a/ssh-keygen.c b/ssh-keygen.c index c22e814da..5d90e7a24 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.167 2008/06/11 21:01:35 grunk Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.168 2008/06/11 21:38:25 grunk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -522,9 +522,9 @@ do_fingerprint(struct passwd *pw) public = key_load_public(identity_file, &comment); if (public != NULL) { fp = key_fingerprint(public, fptype, rep); - ra = key_fingerprint(public, fptype, rep); + ra = key_fingerprint(public, fptype, SSH_FP_RANDOMART); printf("%u %s %s\n", key_size(public), fp, comment); - verbose("%s\n", ra); + verbose("%s", ra); key_free(public); xfree(comment); xfree(ra); -- cgit v1.2.3 From 35c45535ea1812ecc2d2655f068a103e57f3dfb5 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 13 Jun 2008 04:43:15 +1000 Subject: - grunk@cvs.openbsd.org 2008/06/11 22:20:46 [ssh-keygen.c ssh-keygen.1] ssh-keygen would write fingerprints to STDOUT, and random art to STDERR, that is not how it was envisioned. Also correct manpage saying that -v is needed along with -l for it to work. spotted by naddy@ --- ChangeLog | 8 +++++++- ssh-keygen.1 | 7 +++++-- ssh-keygen.c | 11 +++++++---- 3 files changed, 19 insertions(+), 7 deletions(-) (limited to 'ssh-keygen.c') 
diff --git a/ChangeLog b/ChangeLog index a2019d231..d9b27bd43 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,12 @@ [ssh-keygen.c] ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub would not display you the random art as intended, spotted by canacar@ + - grunk@cvs.openbsd.org 2008/06/11 22:20:46 + [ssh-keygen.c ssh-keygen.1] + ssh-keygen would write fingerprints to STDOUT, and random art to STDERR, + that is not how it was envisioned. + Also correct manpage saying that -v is needed along with -l for it to work. + spotted by naddy@ 20080611 - (djm) [channels.c configure.ac] @@ -4190,4 +4196,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4970 2008/06/12 18:42:14 dtucker Exp $ +$Id: ChangeLog,v 1.4971 2008/06/12 18:43:15 dtucker Exp $ diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 36249b288..24daa1081 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.76 2008/06/11 21:01:35 grunk Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.77 2008/06/11 22:20:46 grunk Exp $ .\" .\" -*- nroff -*- .\" @@ -257,7 +257,10 @@ RFC 4716 SSH Public Key File Format. This option allows importing keys from several commercial SSH implementations. .It Fl l -Show fingerprint and ASCII art representation of specified public key file. +Show fingerprint of specified public key file. +If invoked along with +.Fl v , +an ASCII art representation of the key is supplied with the fingerprint. Private RSA1 keys are also supported. For RSA and DSA keys .Nm diff --git a/ssh-keygen.c b/ssh-keygen.c index 5d90e7a24..02bd530a0 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.168 2008/06/11 21:38:25 grunk Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.169 2008/06/11 22:20:46 grunk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland 
@@ -72,6 +72,8 @@ int change_comment = 0; int quiet = 0; +int log_level = SYSLOG_LEVEL_INFO; + /* Flag indicating that we want to hash a known_hosts file */ int hash_hosts = 0; /* Flag indicating that we want lookup a host in known_hosts file */ @@ -524,7 +526,8 @@ do_fingerprint(struct passwd *pw) fp = key_fingerprint(public, fptype, rep); ra = key_fingerprint(public, fptype, SSH_FP_RANDOMART); printf("%u %s %s\n", key_size(public), fp, comment); - verbose("%s", ra); + if (log_level >= SYSLOG_LEVEL_VERBOSE) + printf("%s\n", ra); key_free(public); xfree(comment); xfree(ra); @@ -588,7 +591,8 @@ do_fingerprint(struct passwd *pw) ra = key_fingerprint(public, fptype, SSH_FP_RANDOMART); printf("%u %s %s\n", key_size(public), fp, comment ? comment : "no comment"); - verbose("%s\n", ra); + if (log_level >= SYSLOG_LEVEL_VERBOSE) + printf("%s\n", ra); xfree(ra); xfree(fp); key_free(public); @@ -1078,7 +1082,6 @@ main(int argc, char **argv) int opt, type, fd, download = 0; u_int32_t memory = 0, generator_wanted = 0, trials = 100; int do_gen_candidates = 0, do_screen_candidates = 0; - int log_level = SYSLOG_LEVEL_INFO; BIGNUM *start = NULL; FILE *f; const char *errstr; -- cgit v1.2.3 From b68fb4ad2118483c84c02633029e86fc20f15bf1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 13 Jun 2008 08:57:27 +1000 Subject: - grunk@cvs.openbsd.org 2008/06/12 21:14:46 [ssh-keygen.c] make ssh-keygen -lf show the key type just as ssh-add -l would do it ok djm@ markus@ --- ChangeLog | 6 +++++- ssh-keygen.c | 12 +++++++----- 2 files changed, 12 insertions(+), 6 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index 652266e3f..c1f93fe73 100644 --- a/ChangeLog +++ b/ChangeLog 
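Review bot: In do_fingerprint (hunks at -524 and -588) `ra` is still built by `key_fingerprint(public, fptype, SSH_FP_RANDOMART)` and freed on every call, although it is now printed only when `log_level >= SYSLOG_LEVEL_VERBOSE`. Moving the call and its `xfree(ra)` inside that `if` would keep allocation and use together and avoid computing art that is then discarded. The declaration of `ra` and the rest of the function lie outside these hunks.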
@@ -129,6 +129,10 @@ [clientloop.c] I was coalescing expected global request confirmation replies at the wrong end of the queue - fix; prompted by markus@ + - grunk@cvs.openbsd.org 2008/06/12 21:14:46 + [ssh-keygen.c] + make ssh-keygen -lf show the key type just as ssh-add -l would do it + ok djm@ markus@ - (dtucker) [clientloop.c serverloop.c] channel_register_filter now takes 2 more args. with djm@ @@ -4293,4 +4297,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4990 2008/06/12 22:56:01 dtucker Exp $ +$Id: ChangeLog,v 1.4991 2008/06/12 22:57:27 dtucker Exp $ diff --git a/ssh-keygen.c b/ssh-keygen.c index 02bd530a0..eca758c6e 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.169 2008/06/11 22:20:46 grunk Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.170 2008/06/12 21:14:46 grunk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -525,7 +525,8 @@ do_fingerprint(struct passwd *pw) if (public != NULL) { fp = key_fingerprint(public, fptype, rep); ra = key_fingerprint(public, fptype, SSH_FP_RANDOMART); - printf("%u %s %s\n", key_size(public), fp, comment); + printf("%u %s %s (%s)\n", key_size(public), fp, comment, + key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); key_free(public); @@ -589,8 +590,8 @@ do_fingerprint(struct passwd *pw) comment = *cp ? cp : comment; fp = key_fingerprint(public, fptype, rep); ra = key_fingerprint(public, fptype, SSH_FP_RANDOMART); - printf("%u %s %s\n", key_size(public), fp, - comment ? comment : "no comment"); + printf("%u %s %s (%s)\n", key_size(public), fp, + comment ? comment : "no comment", key_type(public)); if (log_level >= SYSLOG_LEVEL_VERBOSE) printf("%s\n", ra); xfree(ra); 
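Review bot: In the per-line branch of do_fingerprint (hunk at -589) `comment` is printed as-is with the key type now appended after it. It is set by `comment = *cp ? cp : comment;` and appears to point into the line read from the input file. Because the comment is free-form text, one that itself ends in something like `(RSA)` makes the trailing field ambiguous, so tools parsing this output should not rely on the suffix; non-printable bytes in the comment also reach the terminal unchanged. I would add a comment above the printf, `/* comment is untrusted text from the key file; the trailing (type) is for display only */`, and consider filtering non-printable characters before printing. The hunk at -525 has the same printf shape, and the function body extends beyond both hunks.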
@@ -619,7 +620,8 @@ print_host(FILE *f, const char *name, Key *public, int hash) rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; fp = key_fingerprint(public, fptype, rep); ra = key_fingerprint(public, fptype, SSH_FP_RANDOMART); - printf("%u %s %s\n%s\n", key_size(public), fp, name, ra); + printf("%u %s %s (%s)\n%s\n", key_size(public), fp, name, + key_type(public), ra); xfree(ra); xfree(fp); } else { -- cgit v1.2.3 From 81dec0589a487b14054657cc5f3aff62d56511da Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 14 Jul 2008 11:28:29 +1000 Subject: - sthen@cvs.openbsd.org 2008/07/13 21:22:52 [ssh-keygen.c] Change "ssh-keygen -F [host] -l" to not display random art unless -v is also specified, making it consistent with the manual and other uses of -l. ok grunk@ --- ChangeLog | 11 ++++++++++- ssh-keygen.c | 8 +++++--- 2 files changed, 15 insertions(+), 4 deletions(-) (limited to 'ssh-keygen.c') diff --git a/ChangeLog b/ChangeLog index a3b7eb02d..6171fe111 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +20080714 + - (djm) OpenBSD CVS Sync + - sthen@cvs.openbsd.org 2008/07/13 21:22:52 + [ssh-keygen.c] + Change "ssh-keygen -F [host] -l" to not display random art unless + -v is also specified, making it consistent with the manual and other + uses of -l. + ok grunk@ + 20080712 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2008/07/12 04:52:50 @@ -4633,4 +4642,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5075 2008/07/12 07:12:49 djm Exp $ +$Id: ChangeLog,v 1.5076 2008/07/14 01:28:29 djm Exp $ diff --git a/ssh-keygen.c b/ssh-keygen.c index eca758c6e..f7e284062 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.170 2008/06/12 21:14:46 grunk Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.171 2008/07/13 21:22:52 sthen Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -620,8 +620,10 @@ print_host(FILE *f, const char *name, Key *public, int hash) rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; fp = key_fingerprint(public, fptype, rep); ra = key_fingerprint(public, fptype, SSH_FP_RANDOMART); - printf("%u %s %s (%s)\n%s\n", key_size(public), fp, name, - key_type(public), ra); + printf("%u %s %s (%s)\n", key_size(public), fp, name, + key_type(public)); + if (log_level >= SYSLOG_LEVEL_VERBOSE) + printf("%s\n", ra); xfree(ra); xfree(fp); } else { -- cgit v1.2.3