2020-01-25 01:03:36 +01:00
|
|
|
/* $OpenBSD: ssh-keygen.c,v 1.392 2020/01/25 00:03:36 djm Exp $ */
|
1999-10-27 05:42:43 +02:00
|
|
|
/*
|
1999-11-24 14:26:21 +01:00
|
|
|
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
|
|
|
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
|
|
|
* All rights reserved
|
|
|
|
* Identity and host key generation and maintenance.
|
2000-09-16 04:29:08 +02:00
|
|
|
*
|
|
|
|
* As far as I am concerned, the code I have written for this software
|
|
|
|
* can be used freely for any purpose. Any derived versions of this
|
|
|
|
* software must be clearly marked as such, and if the derived work is
|
|
|
|
* incompatible with the protocol description in the RFC file, it must be
|
|
|
|
* called by a name other than "ssh" or "Secure Shell".
|
1999-11-24 14:26:21 +01:00
|
|
|
*/
|
1999-10-27 05:42:43 +02:00
|
|
|
|
|
|
|
#include "includes.h"
|
2006-03-15 01:45:54 +01:00
|
|
|
|
|
|
|
#include <sys/types.h>
|
2006-07-10 13:08:03 +02:00
|
|
|
#include <sys/socket.h>
|
2006-03-15 01:45:54 +01:00
|
|
|
#include <sys/stat.h>
|
2000-04-29 15:57:08 +02:00
|
|
|
|
2015-01-14 16:21:31 +01:00
|
|
|
#ifdef WITH_OPENSSL
|
2000-04-29 15:57:08 +02:00
|
|
|
#include <openssl/evp.h>
|
|
|
|
#include <openssl/pem.h>
|
2008-02-28 09:13:52 +01:00
|
|
|
#include "openbsd-compat/openssl-compat.h"
|
2015-01-14 16:21:31 +01:00
|
|
|
#endif
|
1999-10-27 05:42:43 +02:00
|
|
|
|
2019-10-09 00:06:35 +02:00
|
|
|
#ifdef HAVE_STDINT_H
|
|
|
|
# include <stdint.h>
|
|
|
|
#endif
|
2006-07-12 14:22:46 +02:00
|
|
|
#include <errno.h>
|
2006-07-10 13:13:46 +02:00
|
|
|
#include <fcntl.h>
|
2006-07-24 06:51:00 +02:00
|
|
|
#include <netdb.h>
|
2006-07-11 10:55:05 +02:00
|
|
|
#ifdef HAVE_PATHS_H
|
|
|
|
# include <paths.h>
|
|
|
|
#endif
|
2006-07-10 12:53:08 +02:00
|
|
|
#include <pwd.h>
|
2006-09-01 07:38:36 +02:00
|
|
|
#include <stdarg.h>
|
2006-08-05 03:37:59 +02:00
|
|
|
#include <stdio.h>
|
2006-08-05 03:34:19 +02:00
|
|
|
#include <stdlib.h>
|
2006-07-24 06:13:33 +02:00
|
|
|
#include <string.h>
|
2006-07-24 06:01:23 +02:00
|
|
|
#include <unistd.h>
|
2015-01-16 07:40:12 +01:00
|
|
|
#include <limits.h>
|
2017-02-10 04:36:40 +01:00
|
|
|
#include <locale.h>
|
2018-07-12 06:49:14 +02:00
|
|
|
#include <time.h>
|
2006-07-10 12:53:08 +02:00
|
|
|
|
1999-10-27 05:42:43 +02:00
|
|
|
#include "xmalloc.h"
|
2015-01-15 10:40:00 +01:00
|
|
|
#include "sshkey.h"
|
2000-04-29 15:57:08 +02:00
|
|
|
#include "authfile.h"
|
2015-01-15 10:40:00 +01:00
|
|
|
#include "sshbuf.h"
|
2001-01-22 06:34:40 +01:00
|
|
|
#include "pathnames.h"
|
|
|
|
#include "log.h"
|
2004-05-13 08:15:47 +02:00
|
|
|
#include "misc.h"
|
2005-03-01 11:48:35 +01:00
|
|
|
#include "match.h"
|
|
|
|
#include "hostfile.h"
|
2006-07-10 12:53:31 +02:00
|
|
|
#include "dns.h"
|
2013-01-18 01:44:04 +01:00
|
|
|
#include "ssh.h"
|
2010-02-26 21:55:05 +01:00
|
|
|
#include "ssh2.h"
|
2015-01-15 10:40:00 +01:00
|
|
|
#include "ssherr.h"
|
2010-02-11 23:21:02 +01:00
|
|
|
#include "ssh-pkcs11.h"
|
2013-01-18 01:44:04 +01:00
|
|
|
#include "atomicio.h"
|
|
|
|
#include "krl.h"
|
2014-12-21 23:27:55 +01:00
|
|
|
#include "digest.h"
|
2017-02-10 04:36:40 +01:00
|
|
|
#include "utf8.h"
|
2017-06-28 03:09:22 +02:00
|
|
|
#include "authfd.h"
|
2019-09-03 10:34:19 +02:00
|
|
|
#include "sshsig.h"
|
2019-10-31 22:17:09 +01:00
|
|
|
#include "ssh-sk.h"
|
|
|
|
#include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */
|
2001-07-04 05:44:03 +02:00
|
|
|
|
2015-05-28 06:40:13 +02:00
|
|
|
#ifdef WITH_OPENSSL
|
|
|
|
# define DEFAULT_KEY_TYPE_NAME "rsa"
|
|
|
|
#else
|
|
|
|
# define DEFAULT_KEY_TYPE_NAME "ed25519"
|
|
|
|
#endif
|
|
|
|
|
2019-03-25 16:49:00 +01:00
|
|
|
/*
|
2019-03-25 17:19:44 +01:00
|
|
|
* Default number of bits in the RSA, DSA and ECDSA keys. These value can be
|
|
|
|
* overridden on the command line.
|
|
|
|
*
|
|
|
|
* These values, with the exception of DSA, provide security equivalent to at
|
|
|
|
* least 128 bits of security according to NIST Special Publication 800-57:
|
|
|
|
* Recommendation for Key Management Part 1 rev 4 section 5.6.1.
|
|
|
|
* For DSA it (and FIPS-186-4 section 4.2) specifies that the only size for
|
|
|
|
* which a 160bit hash is acceptable is 1kbit, and since ssh-dss specifies only
|
|
|
|
* SHA1 we limit the DSA key size 1k bits.
|
2019-03-25 16:49:00 +01:00
|
|
|
*/
|
|
|
|
#define DEFAULT_BITS 3072
|
2005-11-05 04:52:18 +01:00
|
|
|
#define DEFAULT_BITS_DSA 1024
|
2010-09-10 03:17:38 +02:00
|
|
|
#define DEFAULT_BITS_ECDSA 256
|
1999-10-27 05:42:43 +02:00
|
|
|
|
2019-01-23 05:16:22 +01:00
|
|
|
static int quiet = 0;
|
2010-03-04 21:39:35 +01:00
|
|
|
|
1999-11-17 07:29:08 +01:00
|
|
|
/* Flag indicating that we just want to see the key fingerprint */
|
2019-01-23 05:16:22 +01:00
|
|
|
static int print_fingerprint = 0;
|
|
|
|
static int print_bubblebabble = 0;
|
1999-11-17 07:29:08 +01:00
|
|
|
|
2014-12-21 23:27:55 +01:00
|
|
|
/* Hash algorithm to use for fingerprints. */
|
2019-01-23 05:16:22 +01:00
|
|
|
static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
|
2014-12-21 23:27:55 +01:00
|
|
|
|
1999-11-21 08:31:57 +01:00
|
|
|
/* The identity file name, given on the command line or entered by the user. */
|
2019-09-24 14:50:46 +02:00
|
|
|
static char identity_file[PATH_MAX];
|
2019-01-23 05:16:22 +01:00
|
|
|
static int have_identity = 0;
|
1999-10-27 05:42:43 +02:00
|
|
|
|
|
|
|
/* This is set to the passphrase if given on the command line. */
|
2019-01-23 05:16:22 +01:00
|
|
|
static char *identity_passphrase = NULL;
|
1999-10-27 05:42:43 +02:00
|
|
|
|
|
|
|
/* This is set to the new passphrase if given on the command line. */
|
2019-01-23 05:16:22 +01:00
|
|
|
static char *identity_new_passphrase = NULL;
|
2010-04-16 07:56:21 +02:00
|
|
|
|
2010-02-26 21:55:05 +01:00
|
|
|
/* Key type when certifying */
|
2019-01-23 05:16:22 +01:00
|
|
|
static u_int cert_key_type = SSH2_CERT_TYPE_USER;
|
2010-02-26 21:55:05 +01:00
|
|
|
|
|
|
|
/* "key ID" of signed key */
|
2019-01-23 05:16:22 +01:00
|
|
|
static char *cert_key_id = NULL;
|
2010-02-26 21:55:05 +01:00
|
|
|
|
|
|
|
/* Comma-separated list of principal names for certifying keys */
|
2019-01-23 05:16:22 +01:00
|
|
|
static char *cert_principals = NULL;
|
2010-02-26 21:55:05 +01:00
|
|
|
|
|
|
|
/* Validity period for certificates */
|
2019-01-23 05:16:22 +01:00
|
|
|
static u_int64_t cert_valid_from = 0;
|
|
|
|
static u_int64_t cert_valid_to = ~0ULL;
|
2010-02-26 21:55:05 +01:00
|
|
|
|
2010-04-16 07:56:21 +02:00
|
|
|
/* Certificate options */
|
2019-11-25 01:54:23 +01:00
|
|
|
#define CERTOPT_X_FWD (1)
|
|
|
|
#define CERTOPT_AGENT_FWD (1<<1)
|
|
|
|
#define CERTOPT_PORT_FWD (1<<2)
|
|
|
|
#define CERTOPT_PTY (1<<3)
|
|
|
|
#define CERTOPT_USER_RC (1<<4)
|
|
|
|
#define CERTOPT_NO_REQUIRE_USER_PRESENCE (1<<5)
|
2010-05-21 06:58:32 +02:00
|
|
|
#define CERTOPT_DEFAULT (CERTOPT_X_FWD|CERTOPT_AGENT_FWD| \
|
|
|
|
CERTOPT_PORT_FWD|CERTOPT_PTY|CERTOPT_USER_RC)
|
2019-01-23 05:16:22 +01:00
|
|
|
static u_int32_t certflags_flags = CERTOPT_DEFAULT;
|
|
|
|
static char *certflags_command = NULL;
|
|
|
|
static char *certflags_src_addr = NULL;
|
2010-02-26 21:55:05 +01:00
|
|
|
|
2017-04-29 06:12:25 +02:00
|
|
|
/* Arbitrary extensions specified by user */
|
|
|
|
struct cert_userext {
|
|
|
|
char *key;
|
|
|
|
char *val;
|
|
|
|
int crit;
|
|
|
|
};
|
2019-01-23 05:16:22 +01:00
|
|
|
static struct cert_userext *cert_userext;
|
|
|
|
static size_t ncert_userext;
|
2017-04-29 06:12:25 +02:00
|
|
|
|
2010-07-02 05:35:01 +02:00
|
|
|
/* Conversion to/from various formats */
|
|
|
|
enum {
|
|
|
|
FMT_RFC4716,
|
|
|
|
FMT_PKCS8,
|
|
|
|
FMT_PEM
|
|
|
|
} convert_format = FMT_RFC4716;
|
2000-11-13 12:57:25 +01:00
|
|
|
|
2019-01-23 05:16:22 +01:00
|
|
|
static char *key_type_name = NULL;
|
2000-04-29 15:57:08 +02:00
|
|
|
|
2010-08-05 05:05:31 +02:00
|
|
|
/* Load key from this PKCS#11 provider */
|
2019-01-23 05:16:22 +01:00
|
|
|
static char *pkcs11provider = NULL;
|
2010-07-02 05:35:01 +02:00
|
|
|
|
2019-10-31 22:17:09 +01:00
|
|
|
/* FIDO/U2F provider to use */
|
|
|
|
static char *sk_provider = NULL;
|
|
|
|
|
2019-07-15 15:16:29 +02:00
|
|
|
/* Format for writing private keys */
|
|
|
|
static int private_key_format = SSHKEY_PRIVATE_OPENSSH;
|
2013-12-07 00:41:55 +01:00
|
|
|
|
|
|
|
/* Cipher for new-format private keys */
|
2019-07-15 15:16:29 +02:00
|
|
|
static char *openssh_format_cipher = NULL;
|
2013-12-07 00:41:55 +01:00
|
|
|
|
2019-12-30 04:30:09 +01:00
|
|
|
/* Number of KDF rounds to derive new format keys. */
|
2019-01-23 05:16:22 +01:00
|
|
|
static int rounds = 0;
|
2013-12-07 00:41:55 +01:00
|
|
|
|
1999-11-21 08:31:57 +01:00
|
|
|
/* argv0 */
|
|
|
|
extern char *__progname;
|
1999-10-27 05:42:43 +02:00
|
|
|
|
2019-01-23 05:16:22 +01:00
|
|
|
static char hostname[NI_MAXHOST];
|
2000-04-29 15:57:08 +02:00
|
|
|
|
2015-05-28 09:37:31 +02:00
|
|
|
#ifdef WITH_OPENSSL
|
2004-05-13 08:24:32 +02:00
|
|
|
/* moduli.c */
|
2005-05-26 04:16:18 +02:00
|
|
|
int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
|
2012-07-06 05:44:19 +02:00
|
|
|
int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long,
|
|
|
|
unsigned long);
|
2015-05-28 09:37:31 +02:00
|
|
|
#endif
|
2004-05-13 08:24:32 +02:00
|
|
|
|
2011-05-05 06:06:15 +02:00
|
|
|
static void
|
2015-01-18 14:22:28 +01:00
|
|
|
type_bits_valid(int type, const char *name, u_int32_t *bitsp)
|
2011-05-05 06:06:15 +02:00
|
|
|
{
|
2015-04-17 15:19:22 +02:00
|
|
|
if (type == KEY_UNSPEC)
|
|
|
|
fatal("unknown key type %s", key_type_name);
|
2011-05-05 06:14:52 +02:00
|
|
|
if (*bitsp == 0) {
|
2015-01-30 13:10:17 +01:00
|
|
|
#ifdef WITH_OPENSSL
|
2019-08-05 23:45:27 +02:00
|
|
|
u_int nid;
|
|
|
|
|
|
|
|
switch(type) {
|
|
|
|
case KEY_DSA:
|
2011-05-05 06:14:52 +02:00
|
|
|
*bitsp = DEFAULT_BITS_DSA;
|
2019-08-05 23:45:27 +02:00
|
|
|
break;
|
|
|
|
case KEY_ECDSA:
|
2015-01-18 14:22:28 +01:00
|
|
|
if (name != NULL &&
|
|
|
|
(nid = sshkey_ecdsa_nid_from_name(name)) > 0)
|
|
|
|
*bitsp = sshkey_curve_nid_to_bits(nid);
|
|
|
|
if (*bitsp == 0)
|
|
|
|
*bitsp = DEFAULT_BITS_ECDSA;
|
2019-08-05 23:45:27 +02:00
|
|
|
break;
|
|
|
|
case KEY_RSA:
|
2011-05-05 06:14:52 +02:00
|
|
|
*bitsp = DEFAULT_BITS;
|
2019-08-05 23:45:27 +02:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
#endif
|
2011-05-05 06:06:15 +02:00
|
|
|
}
|
2015-01-14 16:21:31 +01:00
|
|
|
#ifdef WITH_OPENSSL
|
2017-05-08 01:15:59 +02:00
|
|
|
switch (type) {
|
|
|
|
case KEY_DSA:
|
|
|
|
if (*bitsp != 1024)
|
|
|
|
fatal("Invalid DSA key length: must be 1024 bits");
|
|
|
|
break;
|
|
|
|
case KEY_RSA:
|
|
|
|
if (*bitsp < SSH_RSA_MINIMUM_MODULUS_SIZE)
|
|
|
|
fatal("Invalid RSA key length: minimum is %d bits",
|
|
|
|
SSH_RSA_MINIMUM_MODULUS_SIZE);
|
2019-08-05 23:45:27 +02:00
|
|
|
else if (*bitsp > OPENSSL_RSA_MAX_MODULUS_BITS)
|
|
|
|
fatal("Invalid RSA key length: maximum is %d bits",
|
|
|
|
OPENSSL_RSA_MAX_MODULUS_BITS);
|
2017-05-08 01:15:59 +02:00
|
|
|
break;
|
|
|
|
case KEY_ECDSA:
|
|
|
|
if (sshkey_ecdsa_bits_to_nid(*bitsp) == -1)
|
|
|
|
fatal("Invalid ECDSA key length: valid lengths are "
|
2018-11-09 07:41:59 +01:00
|
|
|
#ifdef OPENSSL_HAS_NISTP521
|
2017-05-08 01:15:59 +02:00
|
|
|
"256, 384 or 521 bits");
|
2018-11-09 07:41:59 +01:00
|
|
|
#else
|
|
|
|
"256 or 384 bits");
|
|
|
|
#endif
|
2017-05-08 01:15:59 +02:00
|
|
|
}
|
2014-05-15 06:24:09 +02:00
|
|
|
#endif
|
2011-05-05 06:06:15 +02:00
|
|
|
}
|
|
|
|
|
2019-09-03 10:27:52 +02:00
|
|
|
/*
|
|
|
|
* Checks whether a file exists and, if so, asks the user whether they wish
|
|
|
|
* to overwrite it.
|
|
|
|
* Returns nonzero if the file does not already exist or if the user agrees to
|
|
|
|
* overwrite, or zero otherwise.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
confirm_overwrite(const char *filename)
|
|
|
|
{
|
|
|
|
char yesno[3];
|
|
|
|
struct stat st;
|
|
|
|
|
|
|
|
if (stat(filename, &st) != 0)
|
|
|
|
return 1;
|
|
|
|
printf("%s already exists.\n", filename);
|
|
|
|
printf("Overwrite (y/n)? ");
|
|
|
|
fflush(stdout);
|
|
|
|
if (fgets(yesno, sizeof(yesno), stdin) == NULL)
|
|
|
|
return 0;
|
|
|
|
if (yesno[0] != 'y' && yesno[0] != 'Y')
|
|
|
|
return 0;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2001-06-25 07:01:22 +02:00
|
|
|
static void
|
1999-11-21 08:31:57 +01:00
|
|
|
ask_filename(struct passwd *pw, const char *prompt)
|
1999-10-27 05:42:43 +02:00
|
|
|
{
|
1999-11-24 14:26:21 +01:00
|
|
|
char buf[1024];
|
2000-11-29 02:18:44 +01:00
|
|
|
char *name = NULL;
|
|
|
|
|
2002-02-19 05:22:47 +01:00
|
|
|
if (key_type_name == NULL)
|
2001-01-22 06:34:40 +01:00
|
|
|
name = _PATH_SSH_CLIENT_ID_RSA;
|
2006-03-26 05:07:26 +02:00
|
|
|
else {
|
2015-01-15 10:40:00 +01:00
|
|
|
switch (sshkey_type_from_name(key_type_name)) {
|
2010-04-16 07:56:21 +02:00
|
|
|
case KEY_DSA_CERT:
|
2002-02-19 05:22:47 +01:00
|
|
|
case KEY_DSA:
|
|
|
|
name = _PATH_SSH_CLIENT_ID_DSA;
|
|
|
|
break;
|
2010-11-11 04:17:02 +01:00
|
|
|
#ifdef OPENSSL_HAS_ECC
|
2010-08-31 14:41:14 +02:00
|
|
|
case KEY_ECDSA_CERT:
|
|
|
|
case KEY_ECDSA:
|
|
|
|
name = _PATH_SSH_CLIENT_ID_ECDSA;
|
|
|
|
break;
|
2019-10-31 22:17:09 +01:00
|
|
|
case KEY_ECDSA_SK_CERT:
|
|
|
|
case KEY_ECDSA_SK:
|
|
|
|
name = _PATH_SSH_CLIENT_ID_ECDSA_SK;
|
|
|
|
break;
|
2010-11-11 04:17:02 +01:00
|
|
|
#endif
|
2010-04-16 07:56:21 +02:00
|
|
|
case KEY_RSA_CERT:
|
2002-02-19 05:22:47 +01:00
|
|
|
case KEY_RSA:
|
|
|
|
name = _PATH_SSH_CLIENT_ID_RSA;
|
|
|
|
break;
|
2013-12-07 01:24:01 +01:00
|
|
|
case KEY_ED25519:
|
|
|
|
case KEY_ED25519_CERT:
|
|
|
|
name = _PATH_SSH_CLIENT_ID_ED25519;
|
|
|
|
break;
|
2019-11-12 20:33:08 +01:00
|
|
|
case KEY_ED25519_SK:
|
|
|
|
case KEY_ED25519_SK_CERT:
|
|
|
|
name = _PATH_SSH_CLIENT_ID_ED25519_SK;
|
|
|
|
break;
|
2018-02-23 16:58:37 +01:00
|
|
|
case KEY_XMSS:
|
|
|
|
case KEY_XMSS_CERT:
|
|
|
|
name = _PATH_SSH_CLIENT_ID_XMSS;
|
|
|
|
break;
|
2002-02-19 05:22:47 +01:00
|
|
|
default:
|
2015-04-17 15:19:22 +02:00
|
|
|
fatal("bad key type");
|
2002-02-19 05:22:47 +01:00
|
|
|
}
|
2006-03-26 05:07:26 +02:00
|
|
|
}
|
2015-04-17 15:19:22 +02:00
|
|
|
snprintf(identity_file, sizeof(identity_file),
|
|
|
|
"%s/%s", pw->pw_dir, name);
|
|
|
|
printf("%s (%s): ", prompt, identity_file);
|
|
|
|
fflush(stdout);
|
1999-11-24 14:26:21 +01:00
|
|
|
if (fgets(buf, sizeof(buf), stdin) == NULL)
|
|
|
|
exit(1);
|
2007-09-17 08:09:15 +02:00
|
|
|
buf[strcspn(buf, "\n")] = '\0';
|
1999-11-24 14:26:21 +01:00
|
|
|
if (strcmp(buf, "") != 0)
|
|
|
|
strlcpy(identity_file, buf, sizeof(identity_file));
|
|
|
|
have_identity = 1;
|
1999-11-17 07:29:08 +01:00
|
|
|
}
|
1999-10-27 05:42:43 +02:00
|
|
|
|
2015-01-15 10:40:00 +01:00
|
|
|
static struct sshkey *
|
2019-09-03 01:46:46 +02:00
|
|
|
load_identity(const char *filename, char **commentp)
|
2000-04-29 15:57:08 +02:00
|
|
|
{
|
2001-03-26 15:44:06 +02:00
|
|
|
char *pass;
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey *prv;
|
|
|
|
int r;
|
2001-03-26 15:44:06 +02:00
|
|
|
|
2019-09-02 01:47:32 +02:00
|
|
|
if (commentp != NULL)
|
|
|
|
*commentp = NULL;
|
|
|
|
if ((r = sshkey_load_private(filename, "", &prv, commentp)) == 0)
|
2015-01-15 10:40:00 +01:00
|
|
|
return prv;
|
|
|
|
if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
|
|
|
|
fatal("Load key \"%s\": %s", filename, ssh_err(r));
|
|
|
|
if (identity_passphrase)
|
|
|
|
pass = xstrdup(identity_passphrase);
|
|
|
|
else
|
|
|
|
pass = read_passphrase("Enter passphrase: ", RP_ALLOW_STDIN);
|
2019-09-02 01:47:32 +02:00
|
|
|
r = sshkey_load_private(filename, pass, &prv, commentp);
|
2015-01-15 10:40:00 +01:00
|
|
|
explicit_bzero(pass, strlen(pass));
|
|
|
|
free(pass);
|
|
|
|
if (r != 0)
|
|
|
|
fatal("Load key \"%s\": %s", filename, ssh_err(r));
|
2001-03-26 15:44:06 +02:00
|
|
|
return prv;
|
2000-04-29 15:57:08 +02:00
|
|
|
}
|
|
|
|
|
2000-10-14 07:23:11 +02:00
|
|
|
#define SSH_COM_PUBLIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----"
|
2002-06-21 02:41:51 +02:00
|
|
|
#define SSH_COM_PUBLIC_END "---- END SSH2 PUBLIC KEY ----"
|
2000-10-14 07:23:11 +02:00
|
|
|
#define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
|
2001-02-05 13:42:17 +01:00
|
|
|
#define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb
|
2000-04-29 15:57:08 +02:00
|
|
|
|
2014-05-15 06:24:09 +02:00
|
|
|
#ifdef WITH_OPENSSL
|
2001-06-25 07:01:22 +02:00
|
|
|
static void
|
2015-01-15 10:40:00 +01:00
|
|
|
do_convert_to_ssh2(struct passwd *pw, struct sshkey *k)
|
2000-04-29 15:57:08 +02:00
|
|
|
{
|
2019-07-16 15:18:39 +02:00
|
|
|
struct sshbuf *b;
|
|
|
|
char comment[61], *b64;
|
2015-01-15 10:40:00 +01:00
|
|
|
int r;
|
2000-04-29 15:57:08 +02:00
|
|
|
|
2019-07-16 15:18:39 +02:00
|
|
|
if ((b = sshbuf_new()) == NULL)
|
|
|
|
fatal("%s: sshbuf_new failed", __func__);
|
|
|
|
if ((r = sshkey_putb(k, b)) != 0)
|
2015-04-17 15:19:22 +02:00
|
|
|
fatal("key_to_blob failed: %s", ssh_err(r));
|
2019-07-16 15:18:39 +02:00
|
|
|
if ((b64 = sshbuf_dtob64_string(b, 1)) == NULL)
|
|
|
|
fatal("%s: sshbuf_dtob64_string failed", __func__);
|
|
|
|
|
2010-01-12 09:41:57 +01:00
|
|
|
/* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */
|
|
|
|
snprintf(comment, sizeof(comment),
|
|
|
|
"%u-bit %s, converted by %s@%s from OpenSSH",
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_size(k), sshkey_type(k),
|
2000-04-29 15:57:08 +02:00
|
|
|
pw->pw_name, hostname);
|
2010-01-12 09:41:57 +01:00
|
|
|
|
2019-07-16 15:18:39 +02:00
|
|
|
sshkey_free(k);
|
|
|
|
sshbuf_free(b);
|
|
|
|
|
2010-01-12 09:41:57 +01:00
|
|
|
fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN);
|
2019-07-16 15:18:39 +02:00
|
|
|
fprintf(stdout, "Comment: \"%s\"\n%s", comment, b64);
|
2000-10-14 07:23:11 +02:00
|
|
|
fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END);
|
2019-07-16 15:18:39 +02:00
|
|
|
free(b64);
|
2000-04-29 15:57:08 +02:00
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
|
2010-07-02 05:35:01 +02:00
|
|
|
static void
|
2015-01-15 10:40:00 +01:00
|
|
|
do_convert_to_pkcs8(struct sshkey *k)
|
2010-07-02 05:35:01 +02:00
|
|
|
{
|
2015-01-15 10:40:00 +01:00
|
|
|
switch (sshkey_type_plain(k->type)) {
|
2010-07-02 05:35:01 +02:00
|
|
|
case KEY_RSA:
|
|
|
|
if (!PEM_write_RSA_PUBKEY(stdout, k->rsa))
|
|
|
|
fatal("PEM_write_RSA_PUBKEY failed");
|
|
|
|
break;
|
|
|
|
case KEY_DSA:
|
|
|
|
if (!PEM_write_DSA_PUBKEY(stdout, k->dsa))
|
|
|
|
fatal("PEM_write_DSA_PUBKEY failed");
|
|
|
|
break;
|
2010-09-10 03:39:26 +02:00
|
|
|
#ifdef OPENSSL_HAS_ECC
|
2010-08-31 14:41:14 +02:00
|
|
|
case KEY_ECDSA:
|
|
|
|
if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa))
|
|
|
|
fatal("PEM_write_EC_PUBKEY failed");
|
|
|
|
break;
|
2010-09-10 03:39:26 +02:00
|
|
|
#endif
|
2010-07-02 05:35:01 +02:00
|
|
|
default:
|
2015-01-15 10:40:00 +01:00
|
|
|
fatal("%s: unsupported key type %s", __func__, sshkey_type(k));
|
2010-07-02 05:35:01 +02:00
|
|
|
}
|
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2015-01-15 10:40:00 +01:00
|
|
|
do_convert_to_pem(struct sshkey *k)
|
2010-07-02 05:35:01 +02:00
|
|
|
{
|
2015-01-15 10:40:00 +01:00
|
|
|
switch (sshkey_type_plain(k->type)) {
|
2010-07-02 05:35:01 +02:00
|
|
|
case KEY_RSA:
|
|
|
|
if (!PEM_write_RSAPublicKey(stdout, k->rsa))
|
|
|
|
fatal("PEM_write_RSAPublicKey failed");
|
|
|
|
break;
|
2020-01-24 01:00:31 +01:00
|
|
|
case KEY_DSA:
|
|
|
|
if (!PEM_write_DSA_PUBKEY(stdout, k->dsa))
|
|
|
|
fatal("PEM_write_DSA_PUBKEY failed");
|
|
|
|
break;
|
|
|
|
case KEY_ECDSA:
|
|
|
|
if (!PEM_write_EC_PUBKEY(stdout, k->ecdsa))
|
|
|
|
fatal("PEM_write_EC_PUBKEY failed");
|
|
|
|
break;
|
2010-07-02 05:35:01 +02:00
|
|
|
default:
|
2015-01-15 10:40:00 +01:00
|
|
|
fatal("%s: unsupported key type %s", __func__, sshkey_type(k));
|
2010-07-02 05:35:01 +02:00
|
|
|
}
|
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
do_convert_to(struct passwd *pw)
|
|
|
|
{
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey *k;
|
2010-07-02 05:35:01 +02:00
|
|
|
struct stat st;
|
2015-01-15 10:40:00 +01:00
|
|
|
int r;
|
2010-07-02 05:35:01 +02:00
|
|
|
|
|
|
|
if (!have_identity)
|
|
|
|
ask_filename(pw, "Enter file in which the key is");
|
2019-06-28 15:35:04 +02:00
|
|
|
if (stat(identity_file, &st) == -1)
|
2010-07-02 05:35:01 +02:00
|
|
|
fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_load_public(identity_file, &k, NULL)) != 0)
|
2019-09-02 01:47:32 +02:00
|
|
|
k = load_identity(identity_file, NULL);
|
2010-07-02 05:35:01 +02:00
|
|
|
switch (convert_format) {
|
|
|
|
case FMT_RFC4716:
|
|
|
|
do_convert_to_ssh2(pw, k);
|
|
|
|
break;
|
|
|
|
case FMT_PKCS8:
|
|
|
|
do_convert_to_pkcs8(k);
|
|
|
|
break;
|
|
|
|
case FMT_PEM:
|
|
|
|
do_convert_to_pem(k);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
fatal("%s: unknown key format %d", __func__, convert_format);
|
|
|
|
}
|
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
|
2015-01-15 10:40:00 +01:00
|
|
|
/*
|
|
|
|
* This is almost exactly the bignum1 encoding, but with 32 bit for length
|
|
|
|
* instead of 16.
|
|
|
|
*/
|
2001-06-25 07:01:22 +02:00
|
|
|
static void
|
2015-01-15 10:40:00 +01:00
|
|
|
buffer_get_bignum_bits(struct sshbuf *b, BIGNUM *value)
|
2000-10-14 07:23:11 +02:00
|
|
|
{
|
2015-01-15 10:40:00 +01:00
|
|
|
u_int bytes, bignum_bits;
|
|
|
|
int r;
|
|
|
|
|
|
|
|
if ((r = sshbuf_get_u32(b, &bignum_bits)) != 0)
|
|
|
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
|
|
bytes = (bignum_bits + 7) / 8;
|
|
|
|
if (sshbuf_len(b) < bytes)
|
|
|
|
fatal("%s: input buffer too small: need %d have %zu",
|
|
|
|
__func__, bytes, sshbuf_len(b));
|
|
|
|
if (BN_bin2bn(sshbuf_ptr(b), bytes, value) == NULL)
|
|
|
|
fatal("%s: BN_bin2bn failed", __func__);
|
|
|
|
if ((r = sshbuf_consume(b, bytes)) != 0)
|
|
|
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
2000-10-14 07:23:11 +02:00
|
|
|
}
|
|
|
|
|
2015-01-15 10:40:00 +01:00
|
|
|
static struct sshkey *
|
2019-07-16 15:18:39 +02:00
|
|
|
do_convert_private_ssh2(struct sshbuf *b)
|
2000-10-14 07:23:11 +02:00
|
|
|
{
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey *key = NULL;
|
2001-06-25 07:04:58 +02:00
|
|
|
char *type, *cipher;
|
2015-01-15 10:40:00 +01:00
|
|
|
u_char e1, e2, e3, *sig = NULL, data[] = "abcde12345";
|
|
|
|
int r, rlen, ktype;
|
|
|
|
u_int magic, i1, i2, i3, i4;
|
|
|
|
size_t slen;
|
2001-06-25 06:47:54 +02:00
|
|
|
u_long e;
|
2018-09-13 04:08:33 +02:00
|
|
|
BIGNUM *dsa_p = NULL, *dsa_q = NULL, *dsa_g = NULL;
|
|
|
|
BIGNUM *dsa_pub_key = NULL, *dsa_priv_key = NULL;
|
|
|
|
BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL;
|
|
|
|
BIGNUM *rsa_p = NULL, *rsa_q = NULL, *rsa_iqmp = NULL;
|
2019-07-16 15:18:39 +02:00
|
|
|
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshbuf_get_u32(b, &magic)) != 0)
|
|
|
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
2000-10-14 07:23:11 +02:00
|
|
|
|
|
|
|
if (magic != SSH_COM_PRIVATE_KEY_MAGIC) {
|
2015-01-15 10:40:00 +01:00
|
|
|
error("bad magic 0x%x != 0x%x", magic,
|
|
|
|
SSH_COM_PRIVATE_KEY_MAGIC);
|
2000-10-14 07:23:11 +02:00
|
|
|
return NULL;
|
|
|
|
}
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshbuf_get_u32(b, &i1)) != 0 ||
|
|
|
|
(r = sshbuf_get_cstring(b, &type, NULL)) != 0 ||
|
|
|
|
(r = sshbuf_get_cstring(b, &cipher, NULL)) != 0 ||
|
|
|
|
(r = sshbuf_get_u32(b, &i2)) != 0 ||
|
|
|
|
(r = sshbuf_get_u32(b, &i3)) != 0 ||
|
|
|
|
(r = sshbuf_get_u32(b, &i4)) != 0)
|
|
|
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
2007-01-05 06:30:16 +01:00
|
|
|
debug("ignore (%d %d %d %d)", i1, i2, i3, i4);
|
2000-10-14 07:23:11 +02:00
|
|
|
if (strcmp(cipher, "none") != 0) {
|
|
|
|
error("unsupported cipher %s", cipher);
|
2013-06-01 23:31:17 +02:00
|
|
|
free(cipher);
|
|
|
|
free(type);
|
2000-10-14 07:23:11 +02:00
|
|
|
return NULL;
|
|
|
|
}
|
2013-06-01 23:31:17 +02:00
|
|
|
free(cipher);
|
2000-10-14 07:23:11 +02:00
|
|
|
|
2001-03-29 02:29:54 +02:00
|
|
|
if (strstr(type, "dsa")) {
|
|
|
|
ktype = KEY_DSA;
|
|
|
|
} else if (strstr(type, "rsa")) {
|
|
|
|
ktype = KEY_RSA;
|
|
|
|
} else {
|
2013-06-01 23:31:17 +02:00
|
|
|
free(type);
|
2000-10-14 07:23:11 +02:00
|
|
|
return NULL;
|
|
|
|
}
|
2018-09-14 06:17:44 +02:00
|
|
|
if ((key = sshkey_new(ktype)) == NULL)
|
|
|
|
fatal("sshkey_new failed");
|
2013-06-01 23:31:17 +02:00
|
|
|
free(type);
|
2001-03-29 02:29:54 +02:00
|
|
|
|
|
|
|
switch (key->type) {
|
|
|
|
case KEY_DSA:
|
2018-09-13 04:08:33 +02:00
|
|
|
if ((dsa_p = BN_new()) == NULL ||
|
|
|
|
(dsa_q = BN_new()) == NULL ||
|
|
|
|
(dsa_g = BN_new()) == NULL ||
|
|
|
|
(dsa_pub_key = BN_new()) == NULL ||
|
|
|
|
(dsa_priv_key = BN_new()) == NULL)
|
|
|
|
fatal("%s: BN_new", __func__);
|
|
|
|
buffer_get_bignum_bits(b, dsa_p);
|
|
|
|
buffer_get_bignum_bits(b, dsa_g);
|
|
|
|
buffer_get_bignum_bits(b, dsa_q);
|
|
|
|
buffer_get_bignum_bits(b, dsa_pub_key);
|
|
|
|
buffer_get_bignum_bits(b, dsa_priv_key);
|
|
|
|
if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g))
|
|
|
|
fatal("%s: DSA_set0_pqg failed", __func__);
|
|
|
|
dsa_p = dsa_q = dsa_g = NULL; /* transferred */
|
|
|
|
if (!DSA_set0_key(key->dsa, dsa_pub_key, dsa_priv_key))
|
|
|
|
fatal("%s: DSA_set0_key failed", __func__);
|
|
|
|
dsa_pub_key = dsa_priv_key = NULL; /* transferred */
|
2001-03-29 02:29:54 +02:00
|
|
|
break;
|
|
|
|
case KEY_RSA:
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshbuf_get_u8(b, &e1)) != 0 ||
|
|
|
|
(e1 < 30 && (r = sshbuf_get_u8(b, &e2)) != 0) ||
|
|
|
|
(e1 < 30 && (r = sshbuf_get_u8(b, &e3)) != 0))
|
|
|
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
|
|
e = e1;
|
2001-06-25 06:47:54 +02:00
|
|
|
debug("e %lx", e);
|
|
|
|
if (e < 30) {
|
|
|
|
e <<= 8;
|
2015-01-15 10:40:00 +01:00
|
|
|
e += e2;
|
2001-06-25 06:47:54 +02:00
|
|
|
debug("e %lx", e);
|
|
|
|
e <<= 8;
|
2015-01-15 10:40:00 +01:00
|
|
|
e += e3;
|
2001-06-25 06:47:54 +02:00
|
|
|
debug("e %lx", e);
|
|
|
|
}
|
2018-09-13 04:08:33 +02:00
|
|
|
if ((rsa_e = BN_new()) == NULL)
|
|
|
|
fatal("%s: BN_new", __func__);
|
|
|
|
if (!BN_set_word(rsa_e, e)) {
|
|
|
|
BN_clear_free(rsa_e);
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(key);
|
2001-03-29 02:29:54 +02:00
|
|
|
return NULL;
|
|
|
|
}
|
2018-09-13 04:08:33 +02:00
|
|
|
if ((rsa_n = BN_new()) == NULL ||
|
|
|
|
(rsa_d = BN_new()) == NULL ||
|
|
|
|
(rsa_p = BN_new()) == NULL ||
|
|
|
|
(rsa_q = BN_new()) == NULL ||
|
|
|
|
(rsa_iqmp = BN_new()) == NULL)
|
|
|
|
fatal("%s: BN_new", __func__);
|
|
|
|
buffer_get_bignum_bits(b, rsa_d);
|
|
|
|
buffer_get_bignum_bits(b, rsa_n);
|
|
|
|
buffer_get_bignum_bits(b, rsa_iqmp);
|
|
|
|
buffer_get_bignum_bits(b, rsa_q);
|
|
|
|
buffer_get_bignum_bits(b, rsa_p);
|
|
|
|
if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, rsa_d))
|
|
|
|
fatal("%s: RSA_set0_key failed", __func__);
|
|
|
|
rsa_n = rsa_e = rsa_d = NULL; /* transferred */
|
|
|
|
if (!RSA_set0_factors(key->rsa, rsa_p, rsa_q))
|
|
|
|
fatal("%s: RSA_set0_factors failed", __func__);
|
|
|
|
rsa_p = rsa_q = NULL; /* transferred */
|
|
|
|
if ((r = ssh_rsa_complete_crt_parameters(key, rsa_iqmp)) != 0)
|
2015-01-15 10:40:00 +01:00
|
|
|
fatal("generate RSA parameters failed: %s", ssh_err(r));
|
2018-09-13 04:08:33 +02:00
|
|
|
BN_clear_free(rsa_iqmp);
|
2001-03-29 02:29:54 +02:00
|
|
|
break;
|
|
|
|
}
|
2015-01-15 10:40:00 +01:00
|
|
|
rlen = sshbuf_len(b);
|
2001-12-06 19:00:18 +01:00
|
|
|
if (rlen != 0)
|
2019-07-16 15:18:39 +02:00
|
|
|
error("%s: remaining bytes in key blob %d", __func__, rlen);
|
2001-06-25 07:04:58 +02:00
|
|
|
|
|
|
|
/* try the key */
|
2019-10-31 22:23:19 +01:00
|
|
|
if (sshkey_sign(key, &sig, &slen, data, sizeof(data),
|
|
|
|
NULL, NULL, 0) != 0 ||
|
|
|
|
sshkey_verify(key, sig, slen, data, sizeof(data),
|
2019-11-25 01:51:37 +01:00
|
|
|
NULL, 0, NULL) != 0) {
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(key);
|
|
|
|
free(sig);
|
|
|
|
return NULL;
|
|
|
|
}
|
2013-06-01 23:31:17 +02:00
|
|
|
free(sig);
|
2000-10-14 07:23:11 +02:00
|
|
|
return key;
|
|
|
|
}
|
|
|
|
|
2006-03-15 02:05:40 +01:00
|
|
|
static int
|
|
|
|
get_line(FILE *fp, char *line, size_t len)
|
|
|
|
{
|
|
|
|
int c;
|
|
|
|
size_t pos = 0;
|
|
|
|
|
|
|
|
line[0] = '\0';
|
|
|
|
while ((c = fgetc(fp)) != EOF) {
|
2015-04-17 15:19:22 +02:00
|
|
|
if (pos >= len - 1)
|
|
|
|
fatal("input line too long.");
|
2006-03-26 05:07:26 +02:00
|
|
|
switch (c) {
|
2006-03-15 02:05:40 +01:00
|
|
|
case '\r':
|
|
|
|
c = fgetc(fp);
|
2015-04-17 15:19:22 +02:00
|
|
|
if (c != EOF && c != '\n' && ungetc(c, fp) == EOF)
|
|
|
|
fatal("unget: %s", strerror(errno));
|
2006-03-15 02:05:40 +01:00
|
|
|
return pos;
|
|
|
|
case '\n':
|
|
|
|
return pos;
|
|
|
|
}
|
|
|
|
line[pos++] = c;
|
|
|
|
line[pos] = '\0';
|
|
|
|
}
|
2007-01-05 06:29:55 +01:00
|
|
|
/* We reached EOF */
|
|
|
|
return -1;
|
2006-03-15 02:05:40 +01:00
|
|
|
}
|
|
|
|
|
2001-06-25 07:01:22 +02:00
|
|
|
static void
|
2015-01-15 10:40:00 +01:00
|
|
|
do_convert_from_ssh2(struct passwd *pw, struct sshkey **k, int *private)
|
2000-04-29 15:57:08 +02:00
|
|
|
{
|
2015-01-15 10:40:00 +01:00
|
|
|
int r, blen, escaped = 0;
|
2002-04-02 22:26:26 +02:00
|
|
|
u_int len;
|
2006-03-15 02:05:40 +01:00
|
|
|
char line[1024];
|
2019-07-16 15:18:39 +02:00
|
|
|
struct sshbuf *buf;
|
2000-04-29 15:57:08 +02:00
|
|
|
char encoded[8096];
|
|
|
|
FILE *fp;
|
|
|
|
|
2019-07-16 15:18:39 +02:00
|
|
|
if ((buf = sshbuf_new()) == NULL)
|
|
|
|
fatal("sshbuf_new failed");
|
2010-06-26 01:39:07 +02:00
|
|
|
if ((fp = fopen(identity_file, "r")) == NULL)
|
|
|
|
fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
|
2000-04-29 15:57:08 +02:00
|
|
|
encoded[0] = '\0';
|
2006-03-15 02:05:40 +01:00
|
|
|
while ((blen = get_line(fp, line, sizeof(line))) != -1) {
|
2013-07-18 08:13:02 +02:00
|
|
|
if (blen > 0 && line[blen - 1] == '\\')
|
2000-05-09 03:02:59 +02:00
|
|
|
escaped++;
|
2000-04-29 15:57:08 +02:00
|
|
|
if (strncmp(line, "----", 4) == 0 ||
|
|
|
|
strstr(line, ": ") != NULL) {
|
2000-10-14 07:23:11 +02:00
|
|
|
if (strstr(line, SSH_COM_PRIVATE_BEGIN) != NULL)
|
2010-07-02 05:35:01 +02:00
|
|
|
*private = 1;
|
2001-06-25 07:04:58 +02:00
|
|
|
if (strstr(line, " END ") != NULL) {
|
|
|
|
break;
|
|
|
|
}
|
2001-04-24 18:59:28 +02:00
|
|
|
/* fprintf(stderr, "ignore: %s", line); */
|
2000-04-29 15:57:08 +02:00
|
|
|
continue;
|
|
|
|
}
|
2000-05-09 03:02:59 +02:00
|
|
|
if (escaped) {
|
|
|
|
escaped--;
|
2001-04-24 18:59:28 +02:00
|
|
|
/* fprintf(stderr, "escaped: %s", line); */
|
2000-05-09 03:02:59 +02:00
|
|
|
continue;
|
2000-04-29 15:57:08 +02:00
|
|
|
}
|
|
|
|
strlcat(encoded, line, sizeof(encoded));
|
|
|
|
}
|
2002-04-02 22:26:26 +02:00
|
|
|
len = strlen(encoded);
|
|
|
|
if (((len % 4) == 3) &&
|
|
|
|
(encoded[len-1] == '=') &&
|
|
|
|
(encoded[len-2] == '=') &&
|
|
|
|
(encoded[len-3] == '='))
|
|
|
|
encoded[len-3] = '\0';
|
2019-07-16 15:18:39 +02:00
|
|
|
if ((r = sshbuf_b64tod(buf, encoded)) != 0)
|
|
|
|
fatal("%s: base64 decoding failed: %s", __func__, ssh_err(r));
|
2015-01-15 10:40:00 +01:00
|
|
|
if (*private)
|
2019-07-16 15:18:39 +02:00
|
|
|
*k = do_convert_private_ssh2(buf);
|
|
|
|
else if ((r = sshkey_fromb(buf, k)) != 0)
|
2015-04-17 15:19:22 +02:00
|
|
|
fatal("decode blob failed: %s", ssh_err(r));
|
2019-10-16 08:03:30 +02:00
|
|
|
sshbuf_free(buf);
|
2010-07-02 05:35:01 +02:00
|
|
|
fclose(fp);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2015-01-15 10:40:00 +01:00
|
|
|
do_convert_from_pkcs8(struct sshkey **k, int *private)
|
2010-07-02 05:35:01 +02:00
|
|
|
{
|
|
|
|
EVP_PKEY *pubkey;
|
|
|
|
FILE *fp;
|
|
|
|
|
|
|
|
if ((fp = fopen(identity_file, "r")) == NULL)
|
|
|
|
fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
|
|
|
|
if ((pubkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL)) == NULL) {
|
|
|
|
fatal("%s: %s is not a recognised public key format", __func__,
|
|
|
|
identity_file);
|
|
|
|
}
|
|
|
|
fclose(fp);
|
2018-09-13 04:08:33 +02:00
|
|
|
switch (EVP_PKEY_base_id(pubkey)) {
|
2010-07-02 05:35:01 +02:00
|
|
|
case EVP_PKEY_RSA:
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)
|
|
|
|
fatal("sshkey_new failed");
|
2010-07-02 05:35:01 +02:00
|
|
|
(*k)->type = KEY_RSA;
|
|
|
|
(*k)->rsa = EVP_PKEY_get1_RSA(pubkey);
|
|
|
|
break;
|
|
|
|
case EVP_PKEY_DSA:
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)
|
|
|
|
fatal("sshkey_new failed");
|
2010-07-02 05:35:01 +02:00
|
|
|
(*k)->type = KEY_DSA;
|
|
|
|
(*k)->dsa = EVP_PKEY_get1_DSA(pubkey);
|
|
|
|
break;
|
2010-09-10 03:39:26 +02:00
|
|
|
#ifdef OPENSSL_HAS_ECC
|
2010-08-31 14:41:14 +02:00
|
|
|
case EVP_PKEY_EC:
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)
|
|
|
|
fatal("sshkey_new failed");
|
2010-08-31 14:41:14 +02:00
|
|
|
(*k)->type = KEY_ECDSA;
|
|
|
|
(*k)->ecdsa = EVP_PKEY_get1_EC_KEY(pubkey);
|
2015-01-15 10:40:00 +01:00
|
|
|
(*k)->ecdsa_nid = sshkey_ecdsa_key_to_nid((*k)->ecdsa);
|
2010-08-31 14:41:14 +02:00
|
|
|
break;
|
2010-09-10 03:39:26 +02:00
|
|
|
#endif
|
2010-07-02 05:35:01 +02:00
|
|
|
default:
|
|
|
|
fatal("%s: unsupported pubkey type %d", __func__,
|
2018-09-13 04:08:33 +02:00
|
|
|
EVP_PKEY_base_id(pubkey));
|
2010-07-02 05:35:01 +02:00
|
|
|
}
|
|
|
|
EVP_PKEY_free(pubkey);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2015-01-15 10:40:00 +01:00
|
|
|
do_convert_from_pem(struct sshkey **k, int *private)
|
2010-07-02 05:35:01 +02:00
|
|
|
{
|
|
|
|
FILE *fp;
|
|
|
|
RSA *rsa;
|
|
|
|
|
|
|
|
if ((fp = fopen(identity_file, "r")) == NULL)
|
|
|
|
fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
|
|
|
|
if ((rsa = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL)) != NULL) {
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)
|
|
|
|
fatal("sshkey_new failed");
|
2010-07-02 05:35:01 +02:00
|
|
|
(*k)->type = KEY_RSA;
|
|
|
|
(*k)->rsa = rsa;
|
|
|
|
fclose(fp);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
fatal("%s: unrecognised raw private key format", __func__);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
do_convert_from(struct passwd *pw)
|
|
|
|
{
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey *k = NULL;
|
|
|
|
int r, private = 0, ok = 0;
|
2010-07-02 05:35:01 +02:00
|
|
|
struct stat st;
|
|
|
|
|
|
|
|
if (!have_identity)
|
|
|
|
ask_filename(pw, "Enter file in which the key is");
|
2019-06-28 15:35:04 +02:00
|
|
|
if (stat(identity_file, &st) == -1)
|
2010-07-02 05:35:01 +02:00
|
|
|
fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
|
|
|
|
|
|
|
|
switch (convert_format) {
|
|
|
|
case FMT_RFC4716:
|
|
|
|
do_convert_from_ssh2(pw, &k, &private);
|
|
|
|
break;
|
|
|
|
case FMT_PKCS8:
|
|
|
|
do_convert_from_pkcs8(&k, &private);
|
|
|
|
break;
|
|
|
|
case FMT_PEM:
|
|
|
|
do_convert_from_pem(&k, &private);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
fatal("%s: unknown key format %d", __func__, convert_format);
|
|
|
|
}
|
|
|
|
|
2015-01-30 01:59:19 +01:00
|
|
|
if (!private) {
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_write(k, stdout)) == 0)
|
|
|
|
ok = 1;
|
2010-07-02 05:35:01 +02:00
|
|
|
if (ok)
|
|
|
|
fprintf(stdout, "\n");
|
2015-01-30 01:59:19 +01:00
|
|
|
} else {
|
2010-07-02 05:35:01 +02:00
|
|
|
switch (k->type) {
|
|
|
|
case KEY_DSA:
|
|
|
|
ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL,
|
|
|
|
NULL, 0, NULL, NULL);
|
|
|
|
break;
|
2010-09-10 03:39:26 +02:00
|
|
|
#ifdef OPENSSL_HAS_ECC
|
2010-08-31 14:41:14 +02:00
|
|
|
case KEY_ECDSA:
|
|
|
|
ok = PEM_write_ECPrivateKey(stdout, k->ecdsa, NULL,
|
|
|
|
NULL, 0, NULL, NULL);
|
|
|
|
break;
|
2010-09-10 03:39:26 +02:00
|
|
|
#endif
|
2010-07-02 05:35:01 +02:00
|
|
|
case KEY_RSA:
|
|
|
|
ok = PEM_write_RSAPrivateKey(stdout, k->rsa, NULL,
|
|
|
|
NULL, 0, NULL, NULL);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
fatal("%s: unsupported key type %s", __func__,
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_type(k));
|
2010-07-02 05:35:01 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-04-17 15:19:22 +02:00
|
|
|
if (!ok)
|
|
|
|
fatal("key write failed");
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(k);
|
2000-04-29 15:57:08 +02:00
|
|
|
exit(0);
|
|
|
|
}
|
2014-05-15 06:24:09 +02:00
|
|
|
#endif
|
2000-04-29 15:57:08 +02:00
|
|
|
|
2001-06-25 07:01:22 +02:00
|
|
|
static void
|
2000-04-29 15:57:08 +02:00
|
|
|
do_print_public(struct passwd *pw)
|
|
|
|
{
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey *prv;
|
2000-04-29 15:57:08 +02:00
|
|
|
struct stat st;
|
2015-01-15 10:40:00 +01:00
|
|
|
int r;
|
2019-09-02 01:47:32 +02:00
|
|
|
char *comment = NULL;
|
2000-04-29 15:57:08 +02:00
|
|
|
|
|
|
|
if (!have_identity)
|
|
|
|
ask_filename(pw, "Enter file in which the key is");
|
2019-06-28 15:35:04 +02:00
|
|
|
if (stat(identity_file, &st) == -1)
|
2015-04-17 15:19:22 +02:00
|
|
|
fatal("%s: %s", identity_file, strerror(errno));
|
2019-09-02 01:47:32 +02:00
|
|
|
prv = load_identity(identity_file, &comment);
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_write(prv, stdout)) != 0)
|
2017-05-30 16:16:41 +02:00
|
|
|
error("sshkey_write failed: %s", ssh_err(r));
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(prv);
|
2019-09-02 01:47:32 +02:00
|
|
|
if (comment != NULL && *comment != '\0')
|
|
|
|
fprintf(stdout, " %s", comment);
|
2000-04-29 15:57:08 +02:00
|
|
|
fprintf(stdout, "\n");
|
2019-09-02 01:47:32 +02:00
|
|
|
free(comment);
|
2000-04-29 15:57:08 +02:00
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
|
2001-07-04 05:44:03 +02:00
|
|
|
static void
|
2010-08-05 05:05:31 +02:00
|
|
|
do_download(struct passwd *pw)
|
2001-08-06 23:44:05 +02:00
|
|
|
{
|
2010-02-11 23:21:02 +01:00
|
|
|
#ifdef ENABLE_PKCS11
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey **keys = NULL;
|
2010-02-11 23:21:02 +01:00
|
|
|
int i, nkeys;
|
2015-01-15 10:40:00 +01:00
|
|
|
enum sshkey_fp_rep rep;
|
2014-12-21 23:27:55 +01:00
|
|
|
int fptype;
|
2020-01-25 01:03:36 +01:00
|
|
|
char *fp, *ra, **comments = NULL;
|
2001-08-06 23:44:05 +02:00
|
|
|
|
2014-12-21 23:27:55 +01:00
|
|
|
fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
|
|
|
|
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
|
2013-01-09 06:44:54 +01:00
|
|
|
|
2019-02-10 17:35:41 +01:00
|
|
|
pkcs11_init(1);
|
2020-01-25 01:03:36 +01:00
|
|
|
nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys, &comments);
|
2010-02-11 23:21:02 +01:00
|
|
|
if (nkeys <= 0)
|
|
|
|
fatal("cannot read public key from pkcs11");
|
|
|
|
for (i = 0; i < nkeys; i++) {
|
2013-01-09 05:58:00 +01:00
|
|
|
if (print_fingerprint) {
|
2015-01-15 10:40:00 +01:00
|
|
|
fp = sshkey_fingerprint(keys[i], fptype, rep);
|
|
|
|
ra = sshkey_fingerprint(keys[i], fingerprint_hash,
|
2013-01-09 05:58:00 +01:00
|
|
|
SSH_FP_RANDOMART);
|
2015-01-28 23:36:00 +01:00
|
|
|
if (fp == NULL || ra == NULL)
|
|
|
|
fatal("%s: sshkey_fingerprint fail", __func__);
|
2015-01-15 10:40:00 +01:00
|
|
|
printf("%u %s %s (PKCS11 key)\n", sshkey_size(keys[i]),
|
|
|
|
fp, sshkey_type(keys[i]));
|
2019-01-23 05:16:22 +01:00
|
|
|
if (log_level_get() >= SYSLOG_LEVEL_VERBOSE)
|
2013-01-09 05:58:00 +01:00
|
|
|
printf("%s\n", ra);
|
2013-06-01 23:31:17 +02:00
|
|
|
free(ra);
|
|
|
|
free(fp);
|
2013-01-09 05:58:00 +01:00
|
|
|
} else {
|
2015-01-15 10:40:00 +01:00
|
|
|
(void) sshkey_write(keys[i], stdout); /* XXX check */
|
2020-01-25 01:03:36 +01:00
|
|
|
fprintf(stdout, "%s%s\n",
|
|
|
|
*(comments[i]) == '\0' ? "" : " ", comments[i]);
|
2013-01-09 05:58:00 +01:00
|
|
|
}
|
2020-01-25 01:03:36 +01:00
|
|
|
free(comments[i]);
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(keys[i]);
|
2002-03-26 04:17:42 +01:00
|
|
|
}
|
2020-01-25 01:03:36 +01:00
|
|
|
free(comments);
|
2013-06-01 23:31:17 +02:00
|
|
|
free(keys);
|
2010-02-11 23:21:02 +01:00
|
|
|
pkcs11_terminate();
|
2001-08-06 23:44:05 +02:00
|
|
|
exit(0);
|
2010-02-11 23:21:02 +01:00
|
|
|
#else
|
|
|
|
fatal("no pkcs11 support");
|
|
|
|
#endif /* ENABLE_PKCS11 */
|
2001-08-06 23:44:05 +02:00
|
|
|
}
|
2001-07-04 05:44:03 +02:00
|
|
|
|
2015-11-16 23:53:07 +01:00
|
|
|
static struct sshkey *
|
|
|
|
try_read_key(char **cpp)
|
|
|
|
{
|
|
|
|
struct sshkey *ret;
|
|
|
|
int r;
|
|
|
|
|
|
|
|
if ((ret = sshkey_new(KEY_UNSPEC)) == NULL)
|
|
|
|
fatal("sshkey_new failed");
|
|
|
|
if ((r = sshkey_read(ret, cpp)) == 0)
|
|
|
|
return ret;
|
|
|
|
/* Not a key */
|
|
|
|
sshkey_free(ret);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2001-06-25 07:01:22 +02:00
|
|
|
static void
|
2015-11-16 23:53:07 +01:00
|
|
|
fingerprint_one_key(const struct sshkey *public, const char *comment)
|
1999-11-17 07:29:08 +01:00
|
|
|
{
|
2015-11-16 23:53:07 +01:00
|
|
|
char *fp = NULL, *ra = NULL;
|
2015-01-15 10:40:00 +01:00
|
|
|
enum sshkey_fp_rep rep;
|
2014-12-21 23:27:55 +01:00
|
|
|
int fptype;
|
1999-11-24 14:26:21 +01:00
|
|
|
|
2014-12-21 23:27:55 +01:00
|
|
|
fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
|
|
|
|
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
|
2015-11-16 23:53:07 +01:00
|
|
|
fp = sshkey_fingerprint(public, fptype, rep);
|
|
|
|
ra = sshkey_fingerprint(public, fingerprint_hash, SSH_FP_RANDOMART);
|
|
|
|
if (fp == NULL || ra == NULL)
|
|
|
|
fatal("%s: sshkey_fingerprint failed", __func__);
|
2017-02-10 04:36:40 +01:00
|
|
|
mprintf("%u %s %s (%s)\n", sshkey_size(public), fp,
|
2015-11-16 23:53:07 +01:00
|
|
|
comment ? comment : "no comment", sshkey_type(public));
|
2019-01-23 05:16:22 +01:00
|
|
|
if (log_level_get() >= SYSLOG_LEVEL_VERBOSE)
|
2015-11-16 23:53:07 +01:00
|
|
|
printf("%s\n", ra);
|
|
|
|
free(ra);
|
|
|
|
free(fp);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
fingerprint_private(const char *path)
|
|
|
|
{
|
|
|
|
struct stat st;
|
|
|
|
char *comment = NULL;
|
|
|
|
struct sshkey *public = NULL;
|
|
|
|
int r;
|
|
|
|
|
2019-06-28 15:35:04 +02:00
|
|
|
if (stat(identity_file, &st) == -1)
|
2015-11-16 23:53:07 +01:00
|
|
|
fatal("%s: %s", path, strerror(errno));
|
2015-11-18 09:37:28 +01:00
|
|
|
if ((r = sshkey_load_public(path, &public, &comment)) != 0) {
|
|
|
|
debug("load public \"%s\": %s", path, ssh_err(r));
|
|
|
|
if ((r = sshkey_load_private(path, NULL,
|
|
|
|
&public, &comment)) != 0) {
|
|
|
|
debug("load private \"%s\": %s", path, ssh_err(r));
|
|
|
|
fatal("%s is not a key file.", path);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-11-16 23:53:07 +01:00
|
|
|
fingerprint_one_key(public, comment);
|
|
|
|
sshkey_free(public);
|
|
|
|
free(comment);
|
|
|
|
}
|
- OpenBSD CVS updates to v1.2.3
[ssh.h atomicio.c]
- int atomicio -> ssize_t (for alpha). ok deraadt@
[auth-rsa.c]
- delay MD5 computation until client sends response, free() early, cleanup.
[cipher.c]
- void* -> unsigned char*, ok niels@
[hostfile.c]
- remove unused variable 'len'. fix comments.
- remove unused variable
[log-client.c log-server.c]
- rename a cpp symbol, to avoid param.h collision
[packet.c]
- missing xfree()
- getsockname() requires initialized tolen; andy@guildsoftware.com
- use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE
[pty.c pty.h]
- register cleanup for pty earlier. move code for pty-owner handling to
pty.c ok provos@, dugsong@
[readconf.c]
- turn off x11-fwd for the client, too.
[rsa.c]
- PKCS#1 padding
[scp.c]
- allow '.' in usernames; from jedgar@fxp.org
[servconf.c]
- typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de
- sync with sshd_config
[ssh-keygen.c]
- enable ssh-keygen -l -f ~/.ssh/known_hosts, ok deraadt@
[ssh.1]
- Change invalid 'CHAT' loglevel to 'VERBOSE'
[ssh.c]
- suppress AAAA query host when '-4' is used; from shin@nd.net.fujitsu.co.jp
- turn off x11-fwd for the client, too.
[sshconnect.c]
- missing xfree()
- retry rresvport_af(), too. from sumikawa@ebina.hitachi.co.jp.
- read error vs. "Connection closed by remote host"
[sshd.8]
- ie. -> i.e.,
- do not link to a commercial page..
- sync with sshd_config
[sshd.c]
- no need for poll.h; from bright@wintelcom.net
- log with level log() not fatal() if peer behaves badly.
- don't panic if client behaves strange. ok deraadt@
- make no-port-forwarding for RSA keys deny both -L and -R style fwding
- delay close() of pty until the pty has been chowned back to root
- oops, fix comment, too.
- missing xfree()
- move XAUTHORITY to subdir. ok dugsong@. fixes debian bug #57907, too.
(http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=57907)
- register cleanup for pty earlier. move code for pty-owner handling to
pty.c ok provos@, dugsong@
- create x11 cookie file
- fix pr 1113, fclose() -> pclose(), todo: remote popen()
- version 1.2.3
- Cleaned up
2000-03-09 11:27:49 +01:00
|
|
|
|
2015-11-16 23:53:07 +01:00
|
|
|
static void
|
|
|
|
do_fingerprint(struct passwd *pw)
|
|
|
|
{
|
|
|
|
FILE *f;
|
|
|
|
struct sshkey *public = NULL;
|
2018-06-06 20:29:18 +02:00
|
|
|
char *comment = NULL, *cp, *ep, *line = NULL;
|
|
|
|
size_t linesize = 0;
|
2015-11-16 23:53:07 +01:00
|
|
|
int i, invalid = 1;
|
|
|
|
const char *path;
|
2016-05-02 10:49:03 +02:00
|
|
|
u_long lnum = 0;
|
- OpenBSD CVS updates to v1.2.3
[ssh.h atomicio.c]
- int atomicio -> ssize_t (for alpha). ok deraadt@
[auth-rsa.c]
- delay MD5 computation until client sends response, free() early, cleanup.
[cipher.c]
- void* -> unsigned char*, ok niels@
[hostfile.c]
- remove unused variable 'len'. fix comments.
- remove unused variable
[log-client.c log-server.c]
- rename a cpp symbol, to avoid param.h collision
[packet.c]
- missing xfree()
- getsockname() requires initialized tolen; andy@guildsoftware.com
- use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE
[pty.c pty.h]
- register cleanup for pty earlier. move code for pty-owner handling to
pty.c ok provos@, dugsong@
[readconf.c]
- turn off x11-fwd for the client, too.
[rsa.c]
- PKCS#1 padding
[scp.c]
- allow '.' in usernames; from jedgar@fxp.org
[servconf.c]
- typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de
- sync with sshd_config
[ssh-keygen.c]
- enable ssh-keygen -l -f ~/.ssh/known_hosts, ok deraadt@
[ssh.1]
- Change invalid 'CHAT' loglevel to 'VERBOSE'
[ssh.c]
- suppress AAAA query host when '-4' is used; from shin@nd.net.fujitsu.co.jp
- turn off x11-fwd for the client, too.
[sshconnect.c]
- missing xfree()
- retry rresvport_af(), too. from sumikawa@ebina.hitachi.co.jp.
- read error vs. "Connection closed by remote host"
[sshd.8]
- ie. -> i.e.,
- do not link to a commercial page..
- sync with sshd_config
[sshd.c]
- no need for poll.h; from bright@wintelcom.net
- log with level log() not fatal() if peer behaves badly.
- don't panic if client behaves strange. ok deraadt@
- make no-port-forwarding for RSA keys deny both -L and -R style fwding
- delay close() of pty until the pty has been chowned back to root
- oops, fix comment, too.
- missing xfree()
- move XAUTHORITY to subdir. ok dugsong@. fixes debian bug #57907, too.
(http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=57907)
- register cleanup for pty earlier. move code for pty-owner handling to
pty.c ok provos@, dugsong@
- create x11 cookie file
- fix pr 1113, fclose() -> pclose(), todo: remote popen()
- version 1.2.3
- Cleaned up
2000-03-09 11:27:49 +01:00
|
|
|
|
2015-11-16 23:53:07 +01:00
|
|
|
if (!have_identity)
|
|
|
|
ask_filename(pw, "Enter file in which the key is");
|
|
|
|
path = identity_file;
|
|
|
|
|
|
|
|
if (strcmp(identity_file, "-") == 0) {
|
|
|
|
f = stdin;
|
|
|
|
path = "(stdin)";
|
|
|
|
} else if ((f = fopen(path, "r")) == NULL)
|
|
|
|
fatal("%s: %s: %s", __progname, path, strerror(errno));
|
|
|
|
|
2018-06-06 20:29:18 +02:00
|
|
|
while (getline(&line, &linesize, f) != -1) {
|
|
|
|
lnum++;
|
2015-11-16 23:53:07 +01:00
|
|
|
cp = line;
|
|
|
|
cp[strcspn(cp, "\n")] = '\0';
|
|
|
|
/* Trim leading space and comments */
|
|
|
|
cp = line + strspn(line, " \t");
|
|
|
|
if (*cp == '#' || *cp == '\0')
|
2010-06-26 01:39:07 +02:00
|
|
|
continue;
|
2015-11-16 23:53:07 +01:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Input may be plain keys, private keys, authorized_keys
|
|
|
|
* or known_hosts.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Try private keys first. Assume a key is private if
|
|
|
|
* "SSH PRIVATE KEY" appears on the first line and we're
|
|
|
|
* not reading from stdin (XXX support private keys on stdin).
|
|
|
|
*/
|
|
|
|
if (lnum == 1 && strcmp(identity_file, "-") != 0 &&
|
2015-11-18 09:37:28 +01:00
|
|
|
strstr(cp, "PRIVATE KEY") != NULL) {
|
2018-06-06 20:29:18 +02:00
|
|
|
free(line);
|
2015-11-16 23:53:07 +01:00
|
|
|
fclose(f);
|
|
|
|
fingerprint_private(path);
|
|
|
|
exit(0);
|
2010-06-26 01:39:07 +02:00
|
|
|
}
|
2015-11-16 23:53:07 +01:00
|
|
|
|
|
|
|
/*
|
|
|
|
* If it's not a private key, then this must be prepared to
|
|
|
|
* accept a public key prefixed with a hostname or options.
|
|
|
|
* Try a bare key first, otherwise skip the leading stuff.
|
|
|
|
*/
|
|
|
|
if ((public = try_read_key(&cp)) == NULL) {
|
|
|
|
i = strtol(cp, &ep, 10);
|
|
|
|
if (i == 0 || ep == NULL ||
|
|
|
|
(*ep != ' ' && *ep != '\t')) {
|
|
|
|
int quoted = 0;
|
|
|
|
|
|
|
|
comment = cp;
|
|
|
|
for (; *cp && (quoted || (*cp != ' ' &&
|
|
|
|
*cp != '\t')); cp++) {
|
|
|
|
if (*cp == '\\' && cp[1] == '"')
|
|
|
|
cp++; /* Skip both */
|
|
|
|
else if (*cp == '"')
|
|
|
|
quoted = !quoted;
|
|
|
|
}
|
|
|
|
if (!*cp)
|
|
|
|
continue;
|
|
|
|
*cp++ = '\0';
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/* Retry after parsing leading hostname/key options */
|
|
|
|
if (public == NULL && (public = try_read_key(&cp)) == NULL) {
|
2016-05-02 10:49:03 +02:00
|
|
|
debug("%s:%lu: not a public key", path, lnum);
|
2010-06-26 01:39:07 +02:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2015-11-16 23:53:07 +01:00
|
|
|
/* Find trailing comment, if any */
|
|
|
|
for (; *cp == ' ' || *cp == '\t'; cp++)
|
2010-06-26 01:39:07 +02:00
|
|
|
;
|
2015-11-16 23:53:07 +01:00
|
|
|
if (*cp != '\0' && *cp != '#')
|
2010-06-26 01:39:07 +02:00
|
|
|
comment = cp;
|
2015-11-16 23:53:07 +01:00
|
|
|
|
|
|
|
fingerprint_one_key(public, comment);
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(public);
|
2015-11-16 23:53:07 +01:00
|
|
|
invalid = 0; /* One good key in the file is sufficient */
|
- OpenBSD CVS updates to v1.2.3
[ssh.h atomicio.c]
- int atomicio -> ssize_t (for alpha). ok deraadt@
[auth-rsa.c]
- delay MD5 computation until client sends response, free() early, cleanup.
[cipher.c]
- void* -> unsigned char*, ok niels@
[hostfile.c]
- remove unused variable 'len'. fix comments.
- remove unused variable
[log-client.c log-server.c]
- rename a cpp symbol, to avoid param.h collision
[packet.c]
- missing xfree()
- getsockname() requires initialized tolen; andy@guildsoftware.com
- use getpeername() in packet_connection_is_on_socket(), fixes sshd -i;
from Holger.Trapp@Informatik.TU-Chemnitz.DE
[pty.c pty.h]
- register cleanup for pty earlier. move code for pty-owner handling to
pty.c ok provos@, dugsong@
[readconf.c]
- turn off x11-fwd for the client, too.
[rsa.c]
- PKCS#1 padding
[scp.c]
- allow '.' in usernames; from jedgar@fxp.org
[servconf.c]
- typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de
- sync with sshd_config
[ssh-keygen.c]
- enable ssh-keygen -l -f ~/.ssh/known_hosts, ok deraadt@
[ssh.1]
- Change invalid 'CHAT' loglevel to 'VERBOSE'
[ssh.c]
- suppress AAAA query host when '-4' is used; from shin@nd.net.fujitsu.co.jp
- turn off x11-fwd for the client, too.
[sshconnect.c]
- missing xfree()
- retry rresvport_af(), too. from sumikawa@ebina.hitachi.co.jp.
- read error vs. "Connection closed by remote host"
[sshd.8]
- ie. -> i.e.,
- do not link to a commercial page..
- sync with sshd_config
[sshd.c]
- no need for poll.h; from bright@wintelcom.net
- log with level log() not fatal() if peer behaves badly.
- don't panic if client behaves strange. ok deraadt@
- make no-port-forwarding for RSA keys deny both -L and -R style fwding
- delay close() of pty until the pty has been chowned back to root
- oops, fix comment, too.
- missing xfree()
- move XAUTHORITY to subdir. ok dugsong@. fixes debian bug #57907, too.
(http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=57907)
- register cleanup for pty earlier. move code for pty-owner handling to
pty.c ok provos@, dugsong@
- create x11 cookie file
- fix pr 1113, fclose() -> pclose(), todo: remote popen()
- version 1.2.3
- Cleaned up
2000-03-09 11:27:49 +01:00
|
|
|
}
|
2010-06-26 01:39:07 +02:00
|
|
|
fclose(f);
|
2018-06-06 20:29:18 +02:00
|
|
|
free(line);
|
2010-06-26 01:39:07 +02:00
|
|
|
|
2015-04-17 15:19:22 +02:00
|
|
|
if (invalid)
|
2015-11-16 23:53:07 +01:00
|
|
|
fatal("%s is not a public key file.", path);
|
1999-11-24 14:26:21 +01:00
|
|
|
exit(0);
|
1999-11-17 07:29:08 +01:00
|
|
|
}
|
|
|
|
|
2011-05-05 06:06:15 +02:00
|
|
|
static void
|
|
|
|
do_gen_all_hostkeys(struct passwd *pw)
|
|
|
|
{
|
|
|
|
struct {
|
|
|
|
char *key_type;
|
|
|
|
char *key_type_display;
|
|
|
|
char *path;
|
|
|
|
} key_types[] = {
|
2015-03-23 07:06:38 +01:00
|
|
|
#ifdef WITH_OPENSSL
|
2011-05-05 06:06:15 +02:00
|
|
|
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },
|
|
|
|
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },
|
2012-02-05 21:41:27 +01:00
|
|
|
#ifdef OPENSSL_HAS_ECC
|
2011-05-05 06:06:15 +02:00
|
|
|
{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },
|
2015-03-23 07:06:38 +01:00
|
|
|
#endif /* OPENSSL_HAS_ECC */
|
|
|
|
#endif /* WITH_OPENSSL */
|
2013-12-07 01:24:01 +01:00
|
|
|
{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE },
|
2018-02-23 16:58:37 +01:00
|
|
|
#ifdef WITH_XMSS
|
|
|
|
{ "xmss", "XMSS",_PATH_HOST_XMSS_KEY_FILE },
|
|
|
|
#endif /* WITH_XMSS */
|
2011-05-05 06:06:15 +02:00
|
|
|
{ NULL, NULL, NULL }
|
|
|
|
};
|
|
|
|
|
2019-08-08 10:02:57 +02:00
|
|
|
u_int32_t bits = 0;
|
2011-05-05 06:06:15 +02:00
|
|
|
int first = 0;
|
|
|
|
struct stat st;
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey *private, *public;
|
2017-07-07 05:53:12 +02:00
|
|
|
char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file;
|
2015-01-15 10:40:00 +01:00
|
|
|
int i, type, fd, r;
|
2011-05-05 06:06:15 +02:00
|
|
|
FILE *f;
|
|
|
|
|
|
|
|
for (i = 0; key_types[i].key_type; i++) {
|
2017-07-07 05:53:12 +02:00
|
|
|
public = private = NULL;
|
|
|
|
prv_tmp = pub_tmp = prv_file = pub_file = NULL;
|
|
|
|
|
|
|
|
xasprintf(&prv_file, "%s%s",
|
|
|
|
identity_file, key_types[i].path);
|
|
|
|
|
|
|
|
/* Check whether private key exists and is not zero-length */
|
|
|
|
if (stat(prv_file, &st) == 0) {
|
|
|
|
if (st.st_size != 0)
|
|
|
|
goto next;
|
|
|
|
} else if (errno != ENOENT) {
|
2015-04-17 15:19:22 +02:00
|
|
|
error("Could not stat %s: %s", key_types[i].path,
|
2011-05-05 06:06:15 +02:00
|
|
|
strerror(errno));
|
2017-07-07 05:53:12 +02:00
|
|
|
goto failnext;
|
2011-05-05 06:06:15 +02:00
|
|
|
}
|
|
|
|
|
2017-07-07 05:53:12 +02:00
|
|
|
/*
|
|
|
|
* Private key doesn't exist or is invalid; proceed with
|
|
|
|
* key generation.
|
|
|
|
*/
|
|
|
|
xasprintf(&prv_tmp, "%s%s.XXXXXXXXXX",
|
|
|
|
identity_file, key_types[i].path);
|
|
|
|
xasprintf(&pub_tmp, "%s%s.pub.XXXXXXXXXX",
|
|
|
|
identity_file, key_types[i].path);
|
|
|
|
xasprintf(&pub_file, "%s%s.pub",
|
|
|
|
identity_file, key_types[i].path);
|
|
|
|
|
2011-05-05 06:06:15 +02:00
|
|
|
if (first == 0) {
|
|
|
|
first = 1;
|
|
|
|
printf("%s: generating new host keys: ", __progname);
|
|
|
|
}
|
|
|
|
printf("%s ", key_types[i].key_type_display);
|
|
|
|
fflush(stdout);
|
2015-01-15 10:40:00 +01:00
|
|
|
type = sshkey_type_from_name(key_types[i].key_type);
|
2017-07-07 05:53:12 +02:00
|
|
|
if ((fd = mkstemp(prv_tmp)) == -1) {
|
|
|
|
error("Could not save your public key in %s: %s",
|
|
|
|
prv_tmp, strerror(errno));
|
|
|
|
goto failnext;
|
|
|
|
}
|
|
|
|
close(fd); /* just using mkstemp() to generate/reserve a name */
|
2011-05-05 06:06:15 +02:00
|
|
|
bits = 0;
|
2015-01-18 14:22:28 +01:00
|
|
|
type_bits_valid(type, NULL, &bits);
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_generate(type, bits, &private)) != 0) {
|
2017-05-30 16:16:41 +02:00
|
|
|
error("sshkey_generate failed: %s", ssh_err(r));
|
2017-07-07 05:53:12 +02:00
|
|
|
goto failnext;
|
2011-05-05 06:06:15 +02:00
|
|
|
}
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_from_private(private, &public)) != 0)
|
|
|
|
fatal("sshkey_from_private failed: %s", ssh_err(r));
|
2011-05-05 06:06:15 +02:00
|
|
|
snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,
|
|
|
|
hostname);
|
2017-07-07 05:53:12 +02:00
|
|
|
if ((r = sshkey_save_private(private, prv_tmp, "",
|
2019-07-15 15:16:29 +02:00
|
|
|
comment, private_key_format, openssh_format_cipher,
|
|
|
|
rounds)) != 0) {
|
2015-04-17 15:19:22 +02:00
|
|
|
error("Saving key \"%s\" failed: %s",
|
2017-07-07 05:53:12 +02:00
|
|
|
prv_tmp, ssh_err(r));
|
|
|
|
goto failnext;
|
2011-05-05 06:06:15 +02:00
|
|
|
}
|
2017-07-07 05:53:12 +02:00
|
|
|
if ((fd = mkstemp(pub_tmp)) == -1) {
|
|
|
|
error("Could not save your public key in %s: %s",
|
|
|
|
pub_tmp, strerror(errno));
|
|
|
|
goto failnext;
|
2011-05-05 06:06:15 +02:00
|
|
|
}
|
2017-07-07 05:53:12 +02:00
|
|
|
(void)fchmod(fd, 0644);
|
2011-05-05 06:06:15 +02:00
|
|
|
f = fdopen(fd, "w");
|
|
|
|
if (f == NULL) {
|
2017-07-07 05:53:12 +02:00
|
|
|
error("fdopen %s failed: %s", pub_tmp, strerror(errno));
|
2014-08-21 03:08:52 +02:00
|
|
|
close(fd);
|
2017-07-07 05:53:12 +02:00
|
|
|
goto failnext;
|
2011-05-05 06:06:15 +02:00
|
|
|
}
|
2015-01-16 16:55:07 +01:00
|
|
|
if ((r = sshkey_write(public, f)) != 0) {
|
2015-04-17 15:19:22 +02:00
|
|
|
error("write key failed: %s", ssh_err(r));
|
2014-08-21 03:08:52 +02:00
|
|
|
fclose(f);
|
2017-07-07 05:53:12 +02:00
|
|
|
goto failnext;
|
2011-05-05 06:06:15 +02:00
|
|
|
}
|
|
|
|
fprintf(f, " %s\n", comment);
|
2017-07-07 05:53:12 +02:00
|
|
|
if (ferror(f) != 0) {
|
|
|
|
error("write key failed: %s", strerror(errno));
|
|
|
|
fclose(f);
|
|
|
|
goto failnext;
|
|
|
|
}
|
|
|
|
if (fclose(f) != 0) {
|
|
|
|
error("key close failed: %s", strerror(errno));
|
|
|
|
goto failnext;
|
|
|
|
}
|
2011-05-05 06:06:15 +02:00
|
|
|
|
2017-07-07 05:53:12 +02:00
|
|
|
/* Rename temporary files to their permanent locations. */
|
|
|
|
if (rename(pub_tmp, pub_file) != 0) {
|
|
|
|
error("Unable to move %s into position: %s",
|
|
|
|
pub_file, strerror(errno));
|
|
|
|
goto failnext;
|
|
|
|
}
|
|
|
|
if (rename(prv_tmp, prv_file) != 0) {
|
|
|
|
error("Unable to move %s into position: %s",
|
|
|
|
key_types[i].path, strerror(errno));
|
|
|
|
failnext:
|
|
|
|
first = 0;
|
|
|
|
goto next;
|
|
|
|
}
|
|
|
|
next:
|
|
|
|
sshkey_free(private);
|
|
|
|
sshkey_free(public);
|
|
|
|
free(prv_tmp);
|
|
|
|
free(pub_tmp);
|
|
|
|
free(prv_file);
|
|
|
|
free(pub_file);
|
2011-05-05 06:06:15 +02:00
|
|
|
}
|
|
|
|
if (first != 0)
|
|
|
|
printf("\n");
|
|
|
|
}
|
|
|
|
|
2015-01-18 22:49:42 +01:00
|
|
|
struct known_hosts_ctx {
|
2015-01-18 22:51:19 +01:00
|
|
|
const char *host; /* Hostname searched for in find/delete case */
|
|
|
|
FILE *out; /* Output file, stdout for find_hosts case */
|
|
|
|
int has_unhashed; /* When hashing, original had unhashed hosts */
|
|
|
|
int found_key; /* For find/delete, host was found */
|
|
|
|
int invalid; /* File contained invalid items; don't delete */
|
2019-01-23 05:16:22 +01:00
|
|
|
int hash_hosts; /* Hash hostnames as we go */
|
|
|
|
int find_host; /* Search for specific hostname */
|
|
|
|
int delete_host; /* Delete host from known_hosts */
|
2015-01-18 22:49:42 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
static int
|
|
|
|
known_hosts_hash(struct hostkey_foreach_line *l, void *_ctx)
|
2005-03-01 11:48:35 +01:00
|
|
|
{
|
2015-01-18 22:49:42 +01:00
|
|
|
struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
|
|
|
|
char *hashed, *cp, *hosts, *ohosts;
|
|
|
|
int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);
|
2017-03-06 03:03:20 +01:00
|
|
|
int was_hashed = l->hosts && l->hosts[0] == HASH_DELIM;
|
2015-01-18 22:49:42 +01:00
|
|
|
|
2015-02-16 23:08:57 +01:00
|
|
|
switch (l->status) {
|
|
|
|
case HKF_STATUS_OK:
|
|
|
|
case HKF_STATUS_MATCHED:
|
|
|
|
/*
|
|
|
|
* Don't hash hosts already already hashed, with wildcard
|
|
|
|
* characters or a CA/revocation marker.
|
|
|
|
*/
|
2017-03-03 07:13:11 +01:00
|
|
|
if (was_hashed || has_wild || l->marker != MRK_NONE) {
|
2015-02-16 23:08:57 +01:00
|
|
|
fprintf(ctx->out, "%s\n", l->line);
|
2019-01-23 05:16:22 +01:00
|
|
|
if (has_wild && !ctx->find_host) {
|
2017-03-06 01:44:51 +01:00
|
|
|
logit("%s:%lu: ignoring host name "
|
2015-04-17 15:19:22 +02:00
|
|
|
"with wildcard: %.64s", l->path,
|
2015-02-16 23:08:57 +01:00
|
|
|
l->linenum, l->hosts);
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
/*
|
|
|
|
* Split any comma-separated hostnames from the host list,
|
|
|
|
* hash and store separately.
|
|
|
|
*/
|
|
|
|
ohosts = hosts = xstrdup(l->hosts);
|
|
|
|
while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') {
|
2017-03-10 05:26:06 +01:00
|
|
|
lowercase(cp);
|
2015-02-16 23:08:57 +01:00
|
|
|
if ((hashed = host_hash(cp, NULL, 0)) == NULL)
|
|
|
|
fatal("hash_host failed");
|
|
|
|
fprintf(ctx->out, "%s %s\n", hashed, l->rawkey);
|
|
|
|
ctx->has_unhashed = 1;
|
|
|
|
}
|
|
|
|
free(ohosts);
|
|
|
|
return 0;
|
|
|
|
case HKF_STATUS_INVALID:
|
|
|
|
/* Retain invalid lines, but mark file as invalid. */
|
2015-01-18 22:49:42 +01:00
|
|
|
ctx->invalid = 1;
|
2017-03-06 01:44:51 +01:00
|
|
|
logit("%s:%lu: invalid line", l->path, l->linenum);
|
2015-02-16 23:08:57 +01:00
|
|
|
/* FALLTHROUGH */
|
|
|
|
default:
|
2015-01-18 22:49:42 +01:00
|
|
|
fprintf(ctx->out, "%s\n", l->line);
|
|
|
|
return 0;
|
|
|
|
}
|
2015-02-16 23:08:57 +01:00
|
|
|
/* NOTREACHED */
|
|
|
|
return -1;
|
2015-01-18 22:49:42 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
known_hosts_find_delete(struct hostkey_foreach_line *l, void *_ctx)
|
|
|
|
{
|
|
|
|
struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;
|
2015-05-21 14:01:19 +02:00
|
|
|
enum sshkey_fp_rep rep;
|
|
|
|
int fptype;
|
2019-07-19 05:38:01 +02:00
|
|
|
char *fp = NULL, *ra = NULL;
|
2015-05-21 14:01:19 +02:00
|
|
|
|
|
|
|
fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
|
|
|
|
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
|
2015-01-18 22:49:42 +01:00
|
|
|
|
2015-02-16 23:08:57 +01:00
|
|
|
if (l->status == HKF_STATUS_MATCHED) {
|
2019-01-23 05:16:22 +01:00
|
|
|
if (ctx->delete_host) {
|
2015-01-18 22:49:42 +01:00
|
|
|
if (l->marker != MRK_NONE) {
|
|
|
|
/* Don't remove CA and revocation lines */
|
|
|
|
fprintf(ctx->out, "%s\n", l->line);
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Hostname matches and has no CA/revoke
|
|
|
|
* marker, delete it by *not* writing the
|
|
|
|
* line to ctx->out.
|
|
|
|
*/
|
|
|
|
ctx->found_key = 1;
|
|
|
|
if (!quiet)
|
2017-03-06 01:44:51 +01:00
|
|
|
printf("# Host %s found: line %lu\n",
|
2015-01-18 22:49:42 +01:00
|
|
|
ctx->host, l->linenum);
|
|
|
|
}
|
|
|
|
return 0;
|
2019-01-23 05:16:22 +01:00
|
|
|
} else if (ctx->find_host) {
|
2015-01-18 22:49:42 +01:00
|
|
|
ctx->found_key = 1;
|
|
|
|
if (!quiet) {
|
2017-03-06 01:44:51 +01:00
|
|
|
printf("# Host %s found: line %lu %s\n",
|
2015-01-18 22:49:42 +01:00
|
|
|
ctx->host,
|
|
|
|
l->linenum, l->marker == MRK_CA ? "CA" :
|
|
|
|
(l->marker == MRK_REVOKE ? "REVOKED" : ""));
|
|
|
|
}
|
2019-01-23 05:16:22 +01:00
|
|
|
if (ctx->hash_hosts)
|
2015-01-18 22:49:42 +01:00
|
|
|
known_hosts_hash(l, ctx);
|
2015-05-21 14:01:19 +02:00
|
|
|
else if (print_fingerprint) {
|
|
|
|
fp = sshkey_fingerprint(l->key, fptype, rep);
|
2019-07-19 05:38:01 +02:00
|
|
|
ra = sshkey_fingerprint(l->key,
|
|
|
|
fingerprint_hash, SSH_FP_RANDOMART);
|
|
|
|
if (fp == NULL || ra == NULL)
|
|
|
|
fatal("%s: sshkey_fingerprint failed",
|
|
|
|
__func__);
|
2020-01-22 05:51:51 +01:00
|
|
|
mprintf("%s %s %s%s%s\n", ctx->host,
|
|
|
|
sshkey_type(l->key), fp,
|
|
|
|
l->comment[0] ? " " : "",
|
|
|
|
l->comment);
|
2019-07-19 05:38:01 +02:00
|
|
|
if (log_level_get() >= SYSLOG_LEVEL_VERBOSE)
|
|
|
|
printf("%s\n", ra);
|
|
|
|
free(ra);
|
2015-05-21 14:01:19 +02:00
|
|
|
free(fp);
|
|
|
|
} else
|
2015-01-18 22:49:42 +01:00
|
|
|
fprintf(ctx->out, "%s\n", l->line);
|
|
|
|
return 0;
|
|
|
|
}
|
2019-01-23 05:16:22 +01:00
|
|
|
} else if (ctx->delete_host) {
|
2015-01-18 22:49:42 +01:00
|
|
|
/* Retain non-matching hosts when deleting */
|
|
|
|
if (l->status == HKF_STATUS_INVALID) {
|
|
|
|
ctx->invalid = 1;
|
2017-03-06 01:44:51 +01:00
|
|
|
logit("%s:%lu: invalid line", l->path, l->linenum);
|
2015-01-18 22:49:42 +01:00
|
|
|
}
|
|
|
|
fprintf(ctx->out, "%s\n", l->line);
|
2008-06-08 04:54:29 +02:00
|
|
|
}
|
2015-01-18 22:49:42 +01:00
|
|
|
return 0;
|
2005-03-01 11:48:35 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2019-01-23 05:16:22 +01:00
|
|
|
do_known_hosts(struct passwd *pw, const char *name, int find_host,
|
|
|
|
int delete_host, int hash_hosts)
|
2005-03-01 11:48:35 +01:00
|
|
|
{
|
2015-01-19 01:32:54 +01:00
|
|
|
char *cp, tmp[PATH_MAX], old[PATH_MAX];
|
2015-01-18 22:51:19 +01:00
|
|
|
int r, fd, oerrno, inplace = 0;
|
2015-01-18 22:49:42 +01:00
|
|
|
struct known_hosts_ctx ctx;
|
2015-05-21 14:01:19 +02:00
|
|
|
u_int foreach_options;
|
2005-03-01 11:48:35 +01:00
|
|
|
|
|
|
|
if (!have_identity) {
|
|
|
|
cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid);
|
|
|
|
if (strlcpy(identity_file, cp, sizeof(identity_file)) >=
|
|
|
|
sizeof(identity_file))
|
|
|
|
fatal("Specified known hosts path too long");
|
2013-06-01 23:31:17 +02:00
|
|
|
free(cp);
|
2005-03-01 11:48:35 +01:00
|
|
|
have_identity = 1;
|
|
|
|
}
|
|
|
|
|
2015-01-18 22:49:42 +01:00
|
|
|
memset(&ctx, 0, sizeof(ctx));
|
|
|
|
ctx.out = stdout;
|
|
|
|
ctx.host = name;
|
2019-01-23 05:16:22 +01:00
|
|
|
ctx.hash_hosts = hash_hosts;
|
|
|
|
ctx.find_host = find_host;
|
|
|
|
ctx.delete_host = delete_host;
|
2015-01-18 22:49:42 +01:00
|
|
|
|
2005-03-01 11:48:35 +01:00
|
|
|
/*
|
|
|
|
* Find hosts goes to stdout, hash and deletions happen in-place
|
|
|
|
* A corner case is ssh-keygen -HF foo, which should go to stdout
|
|
|
|
*/
|
|
|
|
if (!find_host && (hash_hosts || delete_host)) {
|
|
|
|
if (strlcpy(tmp, identity_file, sizeof(tmp)) >= sizeof(tmp) ||
|
|
|
|
strlcat(tmp, ".XXXXXXXXXX", sizeof(tmp)) >= sizeof(tmp) ||
|
|
|
|
strlcpy(old, identity_file, sizeof(old)) >= sizeof(old) ||
|
|
|
|
strlcat(old, ".old", sizeof(old)) >= sizeof(old))
|
|
|
|
fatal("known_hosts path too long");
|
|
|
|
umask(077);
|
2015-01-18 22:49:42 +01:00
|
|
|
if ((fd = mkstemp(tmp)) == -1)
|
2005-03-01 11:48:35 +01:00
|
|
|
fatal("mkstemp: %s", strerror(errno));
|
2015-01-18 22:49:42 +01:00
|
|
|
if ((ctx.out = fdopen(fd, "w")) == NULL) {
|
|
|
|
oerrno = errno;
|
2005-03-01 11:48:35 +01:00
|
|
|
unlink(tmp);
|
2015-01-18 22:49:42 +01:00
|
|
|
fatal("fdopen: %s", strerror(oerrno));
|
2005-03-01 11:48:35 +01:00
|
|
|
}
|
2015-01-18 22:51:19 +01:00
|
|
|
inplace = 1;
|
2005-03-01 11:48:35 +01:00
|
|
|
}
|
2015-01-18 22:49:42 +01:00
|
|
|
/* XXX support identity_file == "-" for stdin */
|
2015-05-21 14:01:19 +02:00
|
|
|
foreach_options = find_host ? HKF_WANT_MATCH : 0;
|
|
|
|
foreach_options |= print_fingerprint ? HKF_WANT_PARSE_KEY : 0;
|
2018-06-01 06:21:29 +02:00
|
|
|
if ((r = hostkeys_foreach(identity_file, (find_host || !hash_hosts) ?
|
2018-06-01 05:51:34 +02:00
|
|
|
known_hosts_find_delete : known_hosts_hash, &ctx, name, NULL,
|
|
|
|
foreach_options)) != 0) {
|
2015-11-28 07:50:52 +01:00
|
|
|
if (inplace)
|
|
|
|
unlink(tmp);
|
2015-01-18 22:49:42 +01:00
|
|
|
fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r));
|
2015-11-28 07:50:52 +01:00
|
|
|
}
|
2005-03-01 11:48:35 +01:00
|
|
|
|
2015-01-18 22:51:19 +01:00
|
|
|
if (inplace)
|
2015-01-18 22:49:42 +01:00
|
|
|
fclose(ctx.out);
|
2005-03-01 11:48:35 +01:00
|
|
|
|
2015-01-18 22:49:42 +01:00
|
|
|
if (ctx.invalid) {
|
2015-04-17 15:19:22 +02:00
|
|
|
error("%s is not a valid known_hosts file.", identity_file);
|
2015-01-18 22:51:19 +01:00
|
|
|
if (inplace) {
|
2015-04-17 15:19:22 +02:00
|
|
|
error("Not replacing existing known_hosts "
|
|
|
|
"file because of errors");
|
2005-03-01 11:48:35 +01:00
|
|
|
unlink(tmp);
|
|
|
|
}
|
|
|
|
exit(1);
|
2015-01-18 22:49:42 +01:00
|
|
|
} else if (delete_host && !ctx.found_key) {
|
2015-04-17 15:19:22 +02:00
|
|
|
logit("Host %s not found in %s", name, identity_file);
|
2015-08-20 01:17:51 +02:00
|
|
|
if (inplace)
|
|
|
|
unlink(tmp);
|
2015-01-18 22:51:19 +01:00
|
|
|
} else if (inplace) {
|
2005-03-01 11:48:35 +01:00
|
|
|
/* Backup existing file */
|
|
|
|
if (unlink(old) == -1 && errno != ENOENT)
|
|
|
|
fatal("unlink %.100s: %s", old, strerror(errno));
|
|
|
|
if (link(identity_file, old) == -1)
|
|
|
|
fatal("link %.100s to %.100s: %s", identity_file, old,
|
|
|
|
strerror(errno));
|
|
|
|
/* Move new one into place */
|
|
|
|
if (rename(tmp, identity_file) == -1) {
|
|
|
|
error("rename\"%s\" to \"%s\": %s", tmp, identity_file,
|
|
|
|
strerror(errno));
|
|
|
|
unlink(tmp);
|
|
|
|
unlink(old);
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
2015-04-17 15:19:22 +02:00
|
|
|
printf("%s updated.\n", identity_file);
|
|
|
|
printf("Original contents retained as %s\n", old);
|
2015-01-18 22:49:42 +01:00
|
|
|
if (ctx.has_unhashed) {
|
2015-04-17 15:19:22 +02:00
|
|
|
logit("WARNING: %s contains unhashed entries", old);
|
|
|
|
logit("Delete this file to ensure privacy "
|
|
|
|
"of hostnames");
|
2005-03-01 11:48:35 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-01-18 22:49:42 +01:00
|
|
|
exit (find_host && !ctx.found_key);
|
2005-03-01 11:48:35 +01:00
|
|
|
}
|
|
|
|
|
1999-11-24 14:26:21 +01:00
|
|
|
/*
|
|
|
|
* Perform changing a passphrase. The argument is the passwd structure
|
|
|
|
* for the current user.
|
|
|
|
*/
|
2001-06-25 07:01:22 +02:00
|
|
|
static void
|
1999-11-17 07:29:08 +01:00
|
|
|
do_change_passphrase(struct passwd *pw)
|
|
|
|
{
|
1999-11-24 14:26:21 +01:00
|
|
|
char *comment;
|
|
|
|
char *old_passphrase, *passphrase1, *passphrase2;
|
|
|
|
struct stat st;
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey *private;
|
|
|
|
int r;
|
1999-11-24 14:26:21 +01:00
|
|
|
|
|
|
|
if (!have_identity)
|
|
|
|
ask_filename(pw, "Enter file in which the key is");
|
2019-06-28 15:35:04 +02:00
|
|
|
if (stat(identity_file, &st) == -1)
|
2015-04-17 15:19:22 +02:00
|
|
|
fatal("%s: %s", identity_file, strerror(errno));
|
1999-11-24 14:26:21 +01:00
|
|
|
/* Try to load the file with empty passphrase. */
|
2015-01-15 10:40:00 +01:00
|
|
|
r = sshkey_load_private(identity_file, "", &private, &comment);
|
|
|
|
if (r == SSH_ERR_KEY_WRONG_PASSPHRASE) {
|
1999-11-24 14:26:21 +01:00
|
|
|
if (identity_passphrase)
|
|
|
|
old_passphrase = xstrdup(identity_passphrase);
|
|
|
|
else
|
2001-06-25 07:20:31 +02:00
|
|
|
old_passphrase =
|
|
|
|
read_passphrase("Enter old passphrase: ",
|
|
|
|
RP_ALLOW_STDIN);
|
2015-01-15 10:40:00 +01:00
|
|
|
r = sshkey_load_private(identity_file, old_passphrase,
|
|
|
|
&private, &comment);
|
2014-02-04 01:20:14 +01:00
|
|
|
explicit_bzero(old_passphrase, strlen(old_passphrase));
|
2013-06-01 23:31:17 +02:00
|
|
|
free(old_passphrase);
|
2015-01-15 10:40:00 +01:00
|
|
|
if (r != 0)
|
|
|
|
goto badkey;
|
|
|
|
} else if (r != 0) {
|
|
|
|
badkey:
|
2015-04-17 15:19:22 +02:00
|
|
|
fatal("Failed to load key %s: %s", identity_file, ssh_err(r));
|
1999-11-24 14:26:21 +01:00
|
|
|
}
|
2015-02-26 21:45:47 +01:00
|
|
|
if (comment)
|
2017-02-10 04:36:40 +01:00
|
|
|
mprintf("Key has comment '%s'\n", comment);
|
1999-11-24 14:26:21 +01:00
|
|
|
|
|
|
|
/* Ask the new passphrase (twice). */
|
|
|
|
if (identity_new_passphrase) {
|
|
|
|
passphrase1 = xstrdup(identity_new_passphrase);
|
|
|
|
passphrase2 = NULL;
|
|
|
|
} else {
|
|
|
|
passphrase1 =
|
2001-06-25 07:20:31 +02:00
|
|
|
read_passphrase("Enter new passphrase (empty for no "
|
|
|
|
"passphrase): ", RP_ALLOW_STDIN);
|
|
|
|
passphrase2 = read_passphrase("Enter same passphrase again: ",
|
2001-12-21 04:45:46 +01:00
|
|
|
RP_ALLOW_STDIN);
|
1999-11-24 14:26:21 +01:00
|
|
|
|
|
|
|
/* Verify that they are the same. */
|
|
|
|
if (strcmp(passphrase1, passphrase2) != 0) {
|
2014-02-04 01:20:14 +01:00
|
|
|
explicit_bzero(passphrase1, strlen(passphrase1));
|
|
|
|
explicit_bzero(passphrase2, strlen(passphrase2));
|
2013-06-01 23:31:17 +02:00
|
|
|
free(passphrase1);
|
|
|
|
free(passphrase2);
|
1999-11-24 14:26:21 +01:00
|
|
|
printf("Pass phrases do not match. Try again.\n");
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
/* Destroy the other copy. */
|
2014-02-04 01:20:14 +01:00
|
|
|
explicit_bzero(passphrase2, strlen(passphrase2));
|
2013-06-01 23:31:17 +02:00
|
|
|
free(passphrase2);
|
1999-10-27 05:42:43 +02:00
|
|
|
}
|
|
|
|
|
1999-11-24 14:26:21 +01:00
|
|
|
/* Save the file using the new passphrase. */
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_save_private(private, identity_file, passphrase1,
|
2019-07-15 15:16:29 +02:00
|
|
|
comment, private_key_format, openssh_format_cipher, rounds)) != 0) {
|
2015-04-17 15:19:22 +02:00
|
|
|
error("Saving key \"%s\" failed: %s.",
|
2015-01-15 10:40:00 +01:00
|
|
|
identity_file, ssh_err(r));
|
2014-02-04 01:20:14 +01:00
|
|
|
explicit_bzero(passphrase1, strlen(passphrase1));
|
2013-06-01 23:31:17 +02:00
|
|
|
free(passphrase1);
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(private);
|
2013-06-01 23:31:17 +02:00
|
|
|
free(comment);
|
1999-11-24 14:26:21 +01:00
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
/* Destroy the passphrase and the copy of the key in memory. */
|
2014-02-04 01:20:14 +01:00
|
|
|
explicit_bzero(passphrase1, strlen(passphrase1));
|
2013-06-01 23:31:17 +02:00
|
|
|
free(passphrase1);
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(private); /* Destroys contents */
|
2013-06-01 23:31:17 +02:00
|
|
|
free(comment);
|
1999-11-24 14:26:21 +01:00
|
|
|
|
|
|
|
printf("Your identification has been saved with the new passphrase.\n");
|
|
|
|
exit(0);
|
|
|
|
}
|
1999-10-27 05:42:43 +02:00
|
|
|
|
2003-05-15 02:19:46 +02:00
|
|
|
/*
|
|
|
|
* Print the SSHFP RR.
|
|
|
|
*/
|
2006-03-26 04:48:01 +02:00
|
|
|
static int
|
2019-01-23 05:16:22 +01:00
|
|
|
do_print_resource_record(struct passwd *pw, char *fname, char *hname,
|
|
|
|
int print_generic)
|
2003-05-15 02:19:46 +02:00
|
|
|
{
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey *public;
|
2003-05-15 02:19:46 +02:00
|
|
|
char *comment = NULL;
|
|
|
|
struct stat st;
|
2015-01-15 10:40:00 +01:00
|
|
|
int r;
|
2003-05-15 02:19:46 +02:00
|
|
|
|
2006-03-26 04:48:01 +02:00
|
|
|
if (fname == NULL)
|
2013-07-18 08:13:37 +02:00
|
|
|
fatal("%s: no filename", __func__);
|
2019-06-28 15:35:04 +02:00
|
|
|
if (stat(fname, &st) == -1) {
|
2006-03-26 04:48:01 +02:00
|
|
|
if (errno == ENOENT)
|
|
|
|
return 0;
|
2015-04-17 15:19:22 +02:00
|
|
|
fatal("%s: %s", fname, strerror(errno));
|
2003-05-15 02:19:46 +02:00
|
|
|
}
|
2015-04-17 15:19:22 +02:00
|
|
|
if ((r = sshkey_load_public(fname, &public, &comment)) != 0)
|
|
|
|
fatal("Failed to read v2 public key from \"%s\": %s.",
|
2015-01-15 10:40:00 +01:00
|
|
|
fname, ssh_err(r));
|
|
|
|
export_dns_rr(hname, public, stdout, print_generic);
|
|
|
|
sshkey_free(public);
|
|
|
|
free(comment);
|
|
|
|
return 1;
|
2003-05-15 02:19:46 +02:00
|
|
|
}
|
|
|
|
|
1999-11-24 14:26:21 +01:00
|
|
|
/*
|
|
|
|
* Change the comment of a private key file.
|
|
|
|
*/
|
2001-06-25 07:01:22 +02:00
|
|
|
static void
|
2019-01-23 05:16:22 +01:00
|
|
|
do_change_comment(struct passwd *pw, const char *identity_comment)
|
1999-10-27 05:42:43 +02:00
|
|
|
{
|
2001-03-09 19:19:24 +01:00
|
|
|
char new_comment[1024], *comment, *passphrase;
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey *private;
|
|
|
|
struct sshkey *public;
|
1999-11-24 14:26:21 +01:00
|
|
|
struct stat st;
|
|
|
|
FILE *f;
|
2015-01-15 10:40:00 +01:00
|
|
|
int r, fd;
|
1999-11-24 14:26:21 +01:00
|
|
|
|
|
|
|
if (!have_identity)
|
|
|
|
ask_filename(pw, "Enter file in which the key is");
|
2019-06-28 15:35:04 +02:00
|
|
|
if (stat(identity_file, &st) == -1)
|
2015-04-17 15:19:22 +02:00
|
|
|
fatal("%s: %s", identity_file, strerror(errno));
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_load_private(identity_file, "",
|
|
|
|
&private, &comment)) == 0)
|
|
|
|
passphrase = xstrdup("");
|
2015-04-17 15:19:22 +02:00
|
|
|
else if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
|
|
|
|
fatal("Cannot load private key \"%s\": %s.",
|
2015-01-15 10:40:00 +01:00
|
|
|
identity_file, ssh_err(r));
|
2015-04-17 15:19:22 +02:00
|
|
|
else {
|
1999-11-24 14:26:21 +01:00
|
|
|
if (identity_passphrase)
|
|
|
|
passphrase = xstrdup(identity_passphrase);
|
|
|
|
else if (identity_new_passphrase)
|
|
|
|
passphrase = xstrdup(identity_new_passphrase);
|
|
|
|
else
|
2001-06-25 07:20:31 +02:00
|
|
|
passphrase = read_passphrase("Enter passphrase: ",
|
|
|
|
RP_ALLOW_STDIN);
|
1999-11-24 14:26:21 +01:00
|
|
|
/* Try to load using the passphrase. */
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_load_private(identity_file, passphrase,
|
|
|
|
&private, &comment)) != 0) {
|
2014-02-04 01:20:14 +01:00
|
|
|
explicit_bzero(passphrase, strlen(passphrase));
|
2013-06-01 23:31:17 +02:00
|
|
|
free(passphrase);
|
2015-04-17 15:19:22 +02:00
|
|
|
fatal("Cannot load private key \"%s\": %s.",
|
2015-01-15 10:40:00 +01:00
|
|
|
identity_file, ssh_err(r));
|
1999-11-24 14:26:21 +01:00
|
|
|
}
|
|
|
|
}
|
2015-11-21 00:04:01 +01:00
|
|
|
|
2018-02-23 16:58:37 +01:00
|
|
|
if (private->type != KEY_ED25519 && private->type != KEY_XMSS &&
|
2019-07-15 15:16:29 +02:00
|
|
|
private_key_format != SSHKEY_PRIVATE_OPENSSH) {
|
2017-05-01 01:18:44 +02:00
|
|
|
error("Comments are only supported for keys stored in "
|
2015-11-21 00:04:01 +01:00
|
|
|
"the new format (-o).");
|
2015-03-31 13:06:49 +02:00
|
|
|
explicit_bzero(passphrase, strlen(passphrase));
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(private);
|
2001-03-26 15:44:06 +02:00
|
|
|
exit(1);
|
2001-12-21 04:45:46 +01:00
|
|
|
}
|
2017-02-08 21:32:43 +01:00
|
|
|
if (comment)
|
2019-05-29 10:30:26 +02:00
|
|
|
printf("Old comment: %s\n", comment);
|
2017-02-08 21:32:43 +01:00
|
|
|
else
|
2019-05-29 10:30:26 +02:00
|
|
|
printf("No existing comment\n");
|
1999-11-24 14:26:21 +01:00
|
|
|
|
|
|
|
if (identity_comment) {
|
|
|
|
strlcpy(new_comment, identity_comment, sizeof(new_comment));
|
|
|
|
} else {
|
2019-05-29 10:30:26 +02:00
|
|
|
printf("New comment: ");
|
1999-11-24 14:26:21 +01:00
|
|
|
fflush(stdout);
|
|
|
|
if (!fgets(new_comment, sizeof(new_comment), stdin)) {
|
2014-02-04 01:20:14 +01:00
|
|
|
explicit_bzero(passphrase, strlen(passphrase));
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(private);
|
1999-11-24 14:26:21 +01:00
|
|
|
exit(1);
|
|
|
|
}
|
2007-09-17 08:09:15 +02:00
|
|
|
new_comment[strcspn(new_comment, "\n")] = '\0';
|
1999-11-24 14:26:21 +01:00
|
|
|
}
|
2019-05-29 10:30:26 +02:00
|
|
|
if (comment != NULL && strcmp(comment, new_comment) == 0) {
|
|
|
|
printf("No change to comment\n");
|
|
|
|
free(passphrase);
|
|
|
|
sshkey_free(private);
|
|
|
|
free(comment);
|
|
|
|
exit(0);
|
|
|
|
}
|
1999-11-24 14:26:21 +01:00
|
|
|
|
|
|
|
/* Save the file using the new passphrase. */
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_save_private(private, identity_file, passphrase,
|
2019-07-15 15:16:29 +02:00
|
|
|
new_comment, private_key_format, openssh_format_cipher,
|
|
|
|
rounds)) != 0) {
|
2015-04-17 15:19:22 +02:00
|
|
|
error("Saving key \"%s\" failed: %s",
|
2015-01-15 10:40:00 +01:00
|
|
|
identity_file, ssh_err(r));
|
2014-02-04 01:20:14 +01:00
|
|
|
explicit_bzero(passphrase, strlen(passphrase));
|
2013-06-01 23:31:17 +02:00
|
|
|
free(passphrase);
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(private);
|
2013-06-01 23:31:17 +02:00
|
|
|
free(comment);
|
1999-11-24 14:26:21 +01:00
|
|
|
exit(1);
|
1999-10-27 05:42:43 +02:00
|
|
|
}
|
2014-02-04 01:20:14 +01:00
|
|
|
explicit_bzero(passphrase, strlen(passphrase));
|
2013-06-01 23:31:17 +02:00
|
|
|
free(passphrase);
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_from_private(private, &public)) != 0)
|
2017-05-30 16:16:41 +02:00
|
|
|
fatal("sshkey_from_private failed: %s", ssh_err(r));
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(private);
|
1999-11-24 14:26:21 +01:00
|
|
|
|
|
|
|
strlcat(identity_file, ".pub", sizeof(identity_file));
|
2001-03-09 19:19:24 +01:00
|
|
|
fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
|
2015-04-17 15:19:22 +02:00
|
|
|
if (fd == -1)
|
|
|
|
fatal("Could not save your public key in %s", identity_file);
|
2001-03-09 19:19:24 +01:00
|
|
|
f = fdopen(fd, "w");
|
2015-04-17 15:19:22 +02:00
|
|
|
if (f == NULL)
|
|
|
|
fatal("fdopen %s failed: %s", identity_file, strerror(errno));
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_write(public, f)) != 0)
|
2015-04-17 15:19:22 +02:00
|
|
|
fatal("write key failed: %s", ssh_err(r));
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(public);
|
2000-04-29 15:57:08 +02:00
|
|
|
fprintf(f, " %s\n", new_comment);
|
1999-11-24 14:26:21 +01:00
|
|
|
fclose(f);
|
|
|
|
|
2013-06-01 23:31:17 +02:00
|
|
|
free(comment);
|
1999-11-24 14:26:21 +01:00
|
|
|
|
2019-05-29 10:30:26 +02:00
|
|
|
if (strlen(new_comment) > 0)
|
|
|
|
printf("Comment '%s' applied\n", new_comment);
|
|
|
|
else
|
|
|
|
printf("Comment removed\n");
|
|
|
|
|
1999-11-24 14:26:21 +01:00
|
|
|
exit(0);
|
1999-10-27 05:42:43 +02:00
|
|
|
}
|
|
|
|
|
2010-02-26 21:55:05 +01:00
|
|
|
static void
|
2015-01-15 10:40:00 +01:00
|
|
|
add_flag_option(struct sshbuf *c, const char *name)
|
2010-02-26 21:55:05 +01:00
|
|
|
{
|
2015-01-15 10:40:00 +01:00
|
|
|
int r;
|
|
|
|
|
2010-02-26 21:55:05 +01:00
|
|
|
debug3("%s: %s", __func__, name);
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshbuf_put_cstring(c, name)) != 0 ||
|
|
|
|
(r = sshbuf_put_string(c, NULL, 0)) != 0)
|
|
|
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
2010-02-26 21:55:05 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2015-01-15 10:40:00 +01:00
|
|
|
add_string_option(struct sshbuf *c, const char *name, const char *value)
|
2010-02-26 21:55:05 +01:00
|
|
|
{
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshbuf *b;
|
|
|
|
int r;
|
2010-02-26 21:55:05 +01:00
|
|
|
|
|
|
|
debug3("%s: %s=%s", __func__, name, value);
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((b = sshbuf_new()) == NULL)
|
|
|
|
fatal("%s: sshbuf_new failed", __func__);
|
|
|
|
if ((r = sshbuf_put_cstring(b, value)) != 0 ||
|
|
|
|
(r = sshbuf_put_cstring(c, name)) != 0 ||
|
|
|
|
(r = sshbuf_put_stringb(c, b)) != 0)
|
|
|
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
|
|
|
|
|
|
|
sshbuf_free(b);
|
2010-02-26 21:55:05 +01:00
|
|
|
}
|
|
|
|
|
2010-05-21 06:58:32 +02:00
|
|
|
#define OPTIONS_CRITICAL 1
|
|
|
|
#define OPTIONS_EXTENSIONS 2
|
2010-02-26 21:55:05 +01:00
|
|
|
static void
|
2015-01-15 10:40:00 +01:00
|
|
|
prepare_options_buf(struct sshbuf *c, int which)
|
2010-02-26 21:55:05 +01:00
|
|
|
{
|
2017-04-29 06:12:25 +02:00
|
|
|
size_t i;
|
|
|
|
|
2015-01-15 10:40:00 +01:00
|
|
|
sshbuf_reset(c);
|
2010-08-05 05:03:51 +02:00
|
|
|
if ((which & OPTIONS_CRITICAL) != 0 &&
|
|
|
|
certflags_command != NULL)
|
|
|
|
add_string_option(c, "force-command", certflags_command);
|
2011-05-05 06:17:18 +02:00
|
|
|
if ((which & OPTIONS_EXTENSIONS) != 0 &&
|
|
|
|
(certflags_flags & CERTOPT_X_FWD) != 0)
|
|
|
|
add_flag_option(c, "permit-X11-forwarding");
|
2010-05-21 06:58:32 +02:00
|
|
|
if ((which & OPTIONS_EXTENSIONS) != 0 &&
|
|
|
|
(certflags_flags & CERTOPT_AGENT_FWD) != 0)
|
2010-04-16 07:56:21 +02:00
|
|
|
add_flag_option(c, "permit-agent-forwarding");
|
2010-05-21 06:58:32 +02:00
|
|
|
if ((which & OPTIONS_EXTENSIONS) != 0 &&
|
|
|
|
(certflags_flags & CERTOPT_PORT_FWD) != 0)
|
2010-04-16 07:56:21 +02:00
|
|
|
add_flag_option(c, "permit-port-forwarding");
|
2010-05-21 06:58:32 +02:00
|
|
|
if ((which & OPTIONS_EXTENSIONS) != 0 &&
|
|
|
|
(certflags_flags & CERTOPT_PTY) != 0)
|
2010-04-16 07:56:21 +02:00
|
|
|
add_flag_option(c, "permit-pty");
|
2010-05-21 06:58:32 +02:00
|
|
|
if ((which & OPTIONS_EXTENSIONS) != 0 &&
|
|
|
|
(certflags_flags & CERTOPT_USER_RC) != 0)
|
2010-04-16 07:56:21 +02:00
|
|
|
add_flag_option(c, "permit-user-rc");
|
2019-11-25 01:54:23 +01:00
|
|
|
if ((which & OPTIONS_CRITICAL) != 0 &&
|
|
|
|
(certflags_flags & CERTOPT_NO_REQUIRE_USER_PRESENCE) != 0)
|
|
|
|
add_flag_option(c, "no-touch-required");
|
2010-05-21 06:58:32 +02:00
|
|
|
if ((which & OPTIONS_CRITICAL) != 0 &&
|
|
|
|
certflags_src_addr != NULL)
|
|
|
|
add_string_option(c, "source-address", certflags_src_addr);
|
2017-04-29 06:12:25 +02:00
|
|
|
for (i = 0; i < ncert_userext; i++) {
|
|
|
|
if ((cert_userext[i].crit && (which & OPTIONS_EXTENSIONS)) ||
|
|
|
|
(!cert_userext[i].crit && (which & OPTIONS_CRITICAL)))
|
|
|
|
continue;
|
|
|
|
if (cert_userext[i].val == NULL)
|
|
|
|
add_flag_option(c, cert_userext[i].key);
|
|
|
|
else {
|
|
|
|
add_string_option(c, cert_userext[i].key,
|
|
|
|
cert_userext[i].val);
|
|
|
|
}
|
|
|
|
}
|
2010-02-26 21:55:05 +01:00
|
|
|
}
|
|
|
|
|
2015-01-15 10:40:00 +01:00
|
|
|
static struct sshkey *
|
2010-08-05 05:05:31 +02:00
|
|
|
load_pkcs11_key(char *path)
|
|
|
|
{
|
|
|
|
#ifdef ENABLE_PKCS11
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey **keys = NULL, *public, *private = NULL;
|
|
|
|
int r, i, nkeys;
|
2010-08-05 05:05:31 +02:00
|
|
|
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_load_public(path, &public, NULL)) != 0)
|
|
|
|
fatal("Couldn't load CA public key \"%s\": %s",
|
|
|
|
path, ssh_err(r));
|
2010-08-05 05:05:31 +02:00
|
|
|
|
2020-01-25 01:03:36 +01:00
|
|
|
nkeys = pkcs11_add_provider(pkcs11provider, identity_passphrase,
|
|
|
|
&keys, NULL);
|
2010-08-05 05:05:31 +02:00
|
|
|
debug3("%s: %d keys", __func__, nkeys);
|
|
|
|
if (nkeys <= 0)
|
|
|
|
fatal("cannot read public key from pkcs11");
|
|
|
|
for (i = 0; i < nkeys; i++) {
|
2015-01-15 10:40:00 +01:00
|
|
|
if (sshkey_equal_public(public, keys[i])) {
|
2010-08-05 05:05:31 +02:00
|
|
|
private = keys[i];
|
|
|
|
continue;
|
|
|
|
}
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(keys[i]);
|
2010-08-05 05:05:31 +02:00
|
|
|
}
|
2013-06-01 23:31:17 +02:00
|
|
|
free(keys);
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(public);
|
2010-08-05 05:05:31 +02:00
|
|
|
return private;
|
|
|
|
#else
|
|
|
|
fatal("no pkcs11 support");
|
|
|
|
#endif /* ENABLE_PKCS11 */
|
|
|
|
}
|
|
|
|
|
2017-06-28 03:09:22 +02:00
|
|
|
/* Signer for sshkey_certify_custom that uses the agent */
|
|
|
|
static int
|
2019-06-21 06:21:04 +02:00
|
|
|
agent_signer(struct sshkey *key, u_char **sigp, size_t *lenp,
|
2017-06-28 03:09:22 +02:00
|
|
|
const u_char *data, size_t datalen,
|
2019-10-31 22:28:27 +01:00
|
|
|
const char *alg, const char *provider, u_int compat, void *ctx)
|
2017-06-28 03:09:22 +02:00
|
|
|
{
|
|
|
|
int *agent_fdp = (int *)ctx;
|
|
|
|
|
|
|
|
return ssh_agent_sign(*agent_fdp, key, sigp, lenp,
|
|
|
|
data, datalen, alg, compat);
|
|
|
|
}
|
|
|
|
|
2010-02-26 21:55:05 +01:00
|
|
|
static void
|
2019-01-23 05:16:22 +01:00
|
|
|
do_ca_sign(struct passwd *pw, const char *ca_key_path, int prefer_agent,
|
2019-01-23 05:51:02 +01:00
|
|
|
unsigned long long cert_serial, int cert_serial_autoinc,
|
|
|
|
int argc, char **argv)
|
2010-02-26 21:55:05 +01:00
|
|
|
{
|
2017-06-28 03:09:22 +02:00
|
|
|
int r, i, fd, found, agent_fd = -1;
|
2010-02-26 21:55:05 +01:00
|
|
|
u_int n;
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey *ca, *public;
|
2019-12-10 23:37:20 +01:00
|
|
|
char valid[64], *otmp, *tmp, *cp, *out, *comment;
|
|
|
|
char *ca_fp = NULL, **plist = NULL;
|
2010-02-26 21:55:05 +01:00
|
|
|
FILE *f;
|
2017-06-28 03:09:22 +02:00
|
|
|
struct ssh_identitylist *agent_ids;
|
|
|
|
size_t j;
|
2019-12-10 23:37:20 +01:00
|
|
|
struct notifier_ctx *notifier = NULL;
|
2010-04-16 07:56:21 +02:00
|
|
|
|
2014-05-15 06:24:09 +02:00
|
|
|
#ifdef ENABLE_PKCS11
|
2010-08-05 05:05:31 +02:00
|
|
|
pkcs11_init(1);
|
2014-05-15 06:24:09 +02:00
|
|
|
#endif
|
2010-08-05 05:05:31 +02:00
|
|
|
tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
|
|
|
|
if (pkcs11provider != NULL) {
|
2017-06-28 03:09:22 +02:00
|
|
|
/* If a PKCS#11 token was specified then try to use it */
|
2010-08-05 05:05:31 +02:00
|
|
|
if ((ca = load_pkcs11_key(tmp)) == NULL)
|
|
|
|
fatal("No PKCS#11 key matching %s found", ca_key_path);
|
2017-06-28 03:09:22 +02:00
|
|
|
} else if (prefer_agent) {
|
|
|
|
/*
|
|
|
|
* Agent signature requested. Try to use agent after making
|
|
|
|
* sure the public key specified is actually present in the
|
|
|
|
* agent.
|
|
|
|
*/
|
|
|
|
if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0)
|
|
|
|
fatal("Cannot load CA public key %s: %s",
|
|
|
|
tmp, ssh_err(r));
|
|
|
|
if ((r = ssh_get_authentication_socket(&agent_fd)) != 0)
|
|
|
|
fatal("Cannot use public key for CA signature: %s",
|
|
|
|
ssh_err(r));
|
|
|
|
if ((r = ssh_fetch_identitylist(agent_fd, &agent_ids)) != 0)
|
|
|
|
fatal("Retrieve agent key list: %s", ssh_err(r));
|
|
|
|
found = 0;
|
|
|
|
for (j = 0; j < agent_ids->nkeys; j++) {
|
|
|
|
if (sshkey_equal(ca, agent_ids->keys[j])) {
|
|
|
|
found = 1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!found)
|
|
|
|
fatal("CA key %s not found in agent", tmp);
|
|
|
|
ssh_free_identitylist(agent_ids);
|
|
|
|
ca->flags |= SSHKEY_FLAG_EXT;
|
|
|
|
} else {
|
|
|
|
/* CA key is assumed to be a private key on the filesystem */
|
2019-09-02 01:47:32 +02:00
|
|
|
ca = load_identity(tmp, NULL);
|
2017-06-28 03:09:22 +02:00
|
|
|
}
|
2013-06-01 23:31:17 +02:00
|
|
|
free(tmp);
|
2010-08-05 05:05:31 +02:00
|
|
|
|
2020-01-24 01:27:04 +01:00
|
|
|
if (key_type_name != NULL) {
|
|
|
|
if (sshkey_type_from_name(key_type_name) != ca->type) {
|
|
|
|
fatal("CA key type %s doesn't match specified %s",
|
|
|
|
sshkey_ssh_name(ca), key_type_name);
|
|
|
|
}
|
|
|
|
} else if (ca->type == KEY_RSA) {
|
|
|
|
/* Default to a good signature algorithm */
|
|
|
|
key_type_name = "rsa-sha2-512";
|
2016-05-02 11:36:42 +02:00
|
|
|
}
|
2019-12-10 23:37:20 +01:00
|
|
|
ca_fp = sshkey_fingerprint(ca, fingerprint_hash, SSH_FP_DEFAULT);
|
2016-05-02 11:36:42 +02:00
|
|
|
|
2010-02-26 21:55:05 +01:00
|
|
|
for (i = 0; i < argc; i++) {
|
|
|
|
/* Split list of principals */
|
|
|
|
n = 0;
|
|
|
|
if (cert_principals != NULL) {
|
|
|
|
otmp = tmp = xstrdup(cert_principals);
|
|
|
|
plist = NULL;
|
|
|
|
for (; (cp = strsep(&tmp, ",")) != NULL; n++) {
|
2015-04-24 03:36:00 +02:00
|
|
|
plist = xreallocarray(plist, n + 1, sizeof(*plist));
|
2010-02-26 21:55:05 +01:00
|
|
|
if (*(plist[n] = xstrdup(cp)) == '\0')
|
|
|
|
fatal("Empty principal name");
|
|
|
|
}
|
2013-06-01 23:31:17 +02:00
|
|
|
free(otmp);
|
2010-02-26 21:55:05 +01:00
|
|
|
}
|
2018-02-10 06:48:46 +01:00
|
|
|
if (n > SSHKEY_CERT_MAX_PRINCIPALS)
|
|
|
|
fatal("Too many certificate principals specified");
|
2019-07-16 15:18:39 +02:00
|
|
|
|
2010-02-26 21:55:05 +01:00
|
|
|
tmp = tilde_expand_filename(argv[i], pw->pw_uid);
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_load_public(tmp, &public, &comment)) != 0)
|
|
|
|
fatal("%s: unable to open \"%s\": %s",
|
|
|
|
__func__, tmp, ssh_err(r));
|
2019-11-18 07:24:17 +01:00
|
|
|
if (sshkey_is_cert(public))
|
2010-02-26 21:55:05 +01:00
|
|
|
fatal("%s: key \"%s\" type %s cannot be certified",
|
2015-01-15 10:40:00 +01:00
|
|
|
__func__, tmp, sshkey_type(public));
|
2010-02-26 21:55:05 +01:00
|
|
|
|
|
|
|
/* Prepare certificate to sign */
|
2015-07-03 05:43:18 +02:00
|
|
|
if ((r = sshkey_to_certified(public)) != 0)
|
2015-01-15 10:40:00 +01:00
|
|
|
fatal("Could not upgrade key %s to certificate: %s",
|
|
|
|
tmp, ssh_err(r));
|
2010-02-26 21:55:05 +01:00
|
|
|
public->cert->type = cert_key_type;
|
2010-04-16 07:56:21 +02:00
|
|
|
public->cert->serial = (u_int64_t)cert_serial;
|
2010-02-26 21:55:05 +01:00
|
|
|
public->cert->key_id = xstrdup(cert_key_id);
|
|
|
|
public->cert->nprincipals = n;
|
|
|
|
public->cert->principals = plist;
|
|
|
|
public->cert->valid_after = cert_valid_from;
|
|
|
|
public->cert->valid_before = cert_valid_to;
|
2015-07-03 05:43:18 +02:00
|
|
|
prepare_options_buf(public->cert->critical, OPTIONS_CRITICAL);
|
|
|
|
prepare_options_buf(public->cert->extensions,
|
|
|
|
OPTIONS_EXTENSIONS);
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_from_private(ca,
|
|
|
|
&public->cert->signature_key)) != 0)
|
2017-05-30 16:16:41 +02:00
|
|
|
fatal("sshkey_from_private (ca key): %s", ssh_err(r));
|
2010-02-26 21:55:05 +01:00
|
|
|
|
2017-06-28 03:09:22 +02:00
|
|
|
if (agent_fd != -1 && (ca->flags & SSHKEY_FLAG_EXT) != 0) {
|
|
|
|
if ((r = sshkey_certify_custom(public, ca,
|
2019-10-31 22:23:19 +01:00
|
|
|
key_type_name, sk_provider, agent_signer,
|
|
|
|
&agent_fd)) != 0)
|
2017-06-28 03:09:22 +02:00
|
|
|
fatal("Couldn't certify key %s via agent: %s",
|
|
|
|
tmp, ssh_err(r));
|
|
|
|
} else {
|
2019-12-10 23:37:20 +01:00
|
|
|
if (sshkey_is_sk(ca) &&
|
|
|
|
(ca->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
|
|
|
|
notifier = notify_start(0,
|
|
|
|
"Confirm user presence for key %s %s",
|
|
|
|
sshkey_type(ca), ca_fp);
|
|
|
|
}
|
|
|
|
r = sshkey_certify(public, ca, key_type_name,
|
|
|
|
sk_provider);
|
|
|
|
notify_complete(notifier);
|
|
|
|
if (r != 0)
|
2017-06-28 03:09:22 +02:00
|
|
|
fatal("Couldn't certify key %s: %s",
|
|
|
|
tmp, ssh_err(r));
|
|
|
|
}
|
2010-02-26 21:55:05 +01:00
|
|
|
|
|
|
|
if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0)
|
|
|
|
*cp = '\0';
|
|
|
|
xasprintf(&out, "%s-cert.pub", tmp);
|
2013-06-01 23:31:17 +02:00
|
|
|
free(tmp);
|
2010-02-26 21:55:05 +01:00
|
|
|
|
|
|
|
if ((fd = open(out, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1)
|
|
|
|
fatal("Could not open \"%s\" for writing: %s", out,
|
|
|
|
strerror(errno));
|
|
|
|
if ((f = fdopen(fd, "w")) == NULL)
|
|
|
|
fatal("%s: fdopen: %s", __func__, strerror(errno));
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_write(public, f)) != 0)
|
|
|
|
fatal("Could not write certified key to %s: %s",
|
|
|
|
out, ssh_err(r));
|
2010-02-26 21:55:05 +01:00
|
|
|
fprintf(f, " %s\n", comment);
|
|
|
|
fclose(f);
|
|
|
|
|
2010-04-16 07:56:21 +02:00
|
|
|
if (!quiet) {
|
2015-11-19 02:12:32 +01:00
|
|
|
sshkey_format_cert_validity(public->cert,
|
2015-11-19 02:08:55 +01:00
|
|
|
valid, sizeof(valid));
|
2010-04-16 07:56:21 +02:00
|
|
|
logit("Signed %s key %s: id \"%s\" serial %llu%s%s "
|
2015-11-19 02:12:32 +01:00
|
|
|
"valid %s", sshkey_cert_type(public),
|
2011-01-11 07:20:29 +01:00
|
|
|
out, public->cert->key_id,
|
|
|
|
(unsigned long long)public->cert->serial,
|
2010-02-26 21:55:05 +01:00
|
|
|
cert_principals != NULL ? " for " : "",
|
|
|
|
cert_principals != NULL ? cert_principals : "",
|
2015-11-19 02:08:55 +01:00
|
|
|
valid);
|
2010-04-16 07:56:21 +02:00
|
|
|
}
|
2010-02-26 21:55:05 +01:00
|
|
|
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(public);
|
2013-06-01 23:31:17 +02:00
|
|
|
free(out);
|
2019-01-23 05:51:02 +01:00
|
|
|
if (cert_serial_autoinc)
|
|
|
|
cert_serial++;
|
2010-02-26 21:55:05 +01:00
|
|
|
}
|
2019-12-10 23:37:20 +01:00
|
|
|
free(ca_fp);
|
2014-05-15 06:24:09 +02:00
|
|
|
#ifdef ENABLE_PKCS11
|
2010-08-05 05:05:31 +02:00
|
|
|
pkcs11_terminate();
|
2014-05-15 06:24:09 +02:00
|
|
|
#endif
|
2010-02-26 21:55:05 +01:00
|
|
|
exit(0);
|
|
|
|
}
|
|
|
|
|
|
|
|
static u_int64_t
|
|
|
|
parse_relative_time(const char *s, time_t now)
|
|
|
|
{
|
|
|
|
int64_t mul, secs;
|
|
|
|
|
|
|
|
mul = *s == '-' ? -1 : 1;
|
|
|
|
|
|
|
|
if ((secs = convtime(s + 1)) == -1)
|
|
|
|
fatal("Invalid relative certificate time %s", s);
|
|
|
|
if (mul == -1 && secs > now)
|
|
|
|
fatal("Certificate time %s cannot be represented", s);
|
|
|
|
return now + (u_int64_t)(secs * mul);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
parse_cert_times(char *timespec)
|
|
|
|
{
|
|
|
|
char *from, *to;
|
|
|
|
time_t now = time(NULL);
|
|
|
|
int64_t secs;
|
|
|
|
|
|
|
|
/* +timespec relative to now */
|
|
|
|
if (*timespec == '+' && strchr(timespec, ':') == NULL) {
|
|
|
|
if ((secs = convtime(timespec + 1)) == -1)
|
|
|
|
fatal("Invalid relative certificate life %s", timespec);
|
|
|
|
cert_valid_to = now + secs;
|
|
|
|
/*
|
|
|
|
* Backdate certificate one minute to avoid problems on hosts
|
|
|
|
* with poorly-synchronised clocks.
|
|
|
|
*/
|
|
|
|
cert_valid_from = ((now - 59)/ 60) * 60;
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* from:to, where
|
2017-11-03 06:14:04 +01:00
|
|
|
* from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "always"
|
|
|
|
* to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "forever"
|
2010-02-26 21:55:05 +01:00
|
|
|
*/
|
|
|
|
from = xstrdup(timespec);
|
|
|
|
to = strchr(from, ':');
|
|
|
|
if (to == NULL || from == to || *(to + 1) == '\0')
|
2010-03-04 04:17:22 +01:00
|
|
|
fatal("Invalid certificate life specification %s", timespec);
|
2010-02-26 21:55:05 +01:00
|
|
|
*to++ = '\0';
|
|
|
|
|
|
|
|
if (*from == '-' || *from == '+')
|
|
|
|
cert_valid_from = parse_relative_time(from, now);
|
2017-11-03 06:14:04 +01:00
|
|
|
else if (strcmp(from, "always") == 0)
|
|
|
|
cert_valid_from = 0;
|
2018-03-12 01:52:01 +01:00
|
|
|
else if (parse_absolute_time(from, &cert_valid_from) != 0)
|
|
|
|
fatal("Invalid from time \"%s\"", from);
|
2010-02-26 21:55:05 +01:00
|
|
|
|
|
|
|
if (*to == '-' || *to == '+')
|
2013-10-23 07:31:31 +02:00
|
|
|
cert_valid_to = parse_relative_time(to, now);
|
2017-11-03 06:14:04 +01:00
|
|
|
else if (strcmp(to, "forever") == 0)
|
|
|
|
cert_valid_to = ~(u_int64_t)0;
|
2018-03-12 01:52:01 +01:00
|
|
|
else if (parse_absolute_time(to, &cert_valid_to) != 0)
|
|
|
|
fatal("Invalid to time \"%s\"", to);
|
2010-02-26 21:55:05 +01:00
|
|
|
|
|
|
|
if (cert_valid_to <= cert_valid_from)
|
|
|
|
fatal("Empty certificate validity interval");
|
2013-06-01 23:31:17 +02:00
|
|
|
free(from);
|
2010-02-26 21:55:05 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2010-04-16 07:56:21 +02:00
|
|
|
add_cert_option(char *opt)
|
2010-02-26 21:55:05 +01:00
|
|
|
{
|
2017-04-29 06:12:25 +02:00
|
|
|
char *val, *cp;
|
|
|
|
int iscrit = 0;
|
2010-02-26 21:55:05 +01:00
|
|
|
|
2011-05-05 06:14:08 +02:00
|
|
|
if (strcasecmp(opt, "clear") == 0)
|
2010-05-21 06:58:32 +02:00
|
|
|
certflags_flags = 0;
|
2010-02-26 21:55:05 +01:00
|
|
|
else if (strcasecmp(opt, "no-x11-forwarding") == 0)
|
2010-05-21 06:58:32 +02:00
|
|
|
certflags_flags &= ~CERTOPT_X_FWD;
|
2010-02-26 21:55:05 +01:00
|
|
|
else if (strcasecmp(opt, "permit-x11-forwarding") == 0)
|
2010-05-21 06:58:32 +02:00
|
|
|
certflags_flags |= CERTOPT_X_FWD;
|
2010-02-26 21:55:05 +01:00
|
|
|
else if (strcasecmp(opt, "no-agent-forwarding") == 0)
|
2010-05-21 06:58:32 +02:00
|
|
|
certflags_flags &= ~CERTOPT_AGENT_FWD;
|
2010-02-26 21:55:05 +01:00
|
|
|
else if (strcasecmp(opt, "permit-agent-forwarding") == 0)
|
2010-05-21 06:58:32 +02:00
|
|
|
certflags_flags |= CERTOPT_AGENT_FWD;
|
2010-02-26 21:55:05 +01:00
|
|
|
else if (strcasecmp(opt, "no-port-forwarding") == 0)
|
2010-05-21 06:58:32 +02:00
|
|
|
certflags_flags &= ~CERTOPT_PORT_FWD;
|
2010-02-26 21:55:05 +01:00
|
|
|
else if (strcasecmp(opt, "permit-port-forwarding") == 0)
|
2010-05-21 06:58:32 +02:00
|
|
|
certflags_flags |= CERTOPT_PORT_FWD;
|
2010-02-26 21:55:05 +01:00
|
|
|
else if (strcasecmp(opt, "no-pty") == 0)
|
2010-05-21 06:58:32 +02:00
|
|
|
certflags_flags &= ~CERTOPT_PTY;
|
2010-02-26 21:55:05 +01:00
|
|
|
else if (strcasecmp(opt, "permit-pty") == 0)
|
2010-05-21 06:58:32 +02:00
|
|
|
certflags_flags |= CERTOPT_PTY;
|
2010-02-26 21:55:05 +01:00
|
|
|
else if (strcasecmp(opt, "no-user-rc") == 0)
|
2010-05-21 06:58:32 +02:00
|
|
|
certflags_flags &= ~CERTOPT_USER_RC;
|
2010-02-26 21:55:05 +01:00
|
|
|
else if (strcasecmp(opt, "permit-user-rc") == 0)
|
2010-05-21 06:58:32 +02:00
|
|
|
certflags_flags |= CERTOPT_USER_RC;
|
2019-11-25 01:54:23 +01:00
|
|
|
else if (strcasecmp(opt, "touch-required") == 0)
|
|
|
|
certflags_flags &= ~CERTOPT_NO_REQUIRE_USER_PRESENCE;
|
|
|
|
else if (strcasecmp(opt, "no-touch-required") == 0)
|
|
|
|
certflags_flags |= CERTOPT_NO_REQUIRE_USER_PRESENCE;
|
2010-02-26 21:55:05 +01:00
|
|
|
else if (strncasecmp(opt, "force-command=", 14) == 0) {
|
|
|
|
val = opt + 14;
|
|
|
|
if (*val == '\0')
|
2010-04-16 07:56:21 +02:00
|
|
|
fatal("Empty force-command option");
|
2010-05-21 06:58:32 +02:00
|
|
|
if (certflags_command != NULL)
|
2010-02-26 21:55:05 +01:00
|
|
|
fatal("force-command already specified");
|
2010-05-21 06:58:32 +02:00
|
|
|
certflags_command = xstrdup(val);
|
2010-02-26 21:55:05 +01:00
|
|
|
} else if (strncasecmp(opt, "source-address=", 15) == 0) {
|
|
|
|
val = opt + 15;
|
|
|
|
if (*val == '\0')
|
2010-04-16 07:56:21 +02:00
|
|
|
fatal("Empty source-address option");
|
2010-05-21 06:58:32 +02:00
|
|
|
if (certflags_src_addr != NULL)
|
2010-02-26 21:55:05 +01:00
|
|
|
fatal("source-address already specified");
|
|
|
|
if (addr_match_cidr_list(NULL, val) != 0)
|
|
|
|
fatal("Invalid source-address list");
|
2010-05-21 06:58:32 +02:00
|
|
|
certflags_src_addr = xstrdup(val);
|
2017-04-29 06:12:25 +02:00
|
|
|
} else if (strncasecmp(opt, "extension:", 10) == 0 ||
|
|
|
|
(iscrit = (strncasecmp(opt, "critical:", 9) == 0))) {
|
|
|
|
val = xstrdup(strchr(opt, ':') + 1);
|
|
|
|
if ((cp = strchr(val, '=')) != NULL)
|
|
|
|
*cp++ = '\0';
|
|
|
|
cert_userext = xreallocarray(cert_userext, ncert_userext + 1,
|
|
|
|
sizeof(*cert_userext));
|
|
|
|
cert_userext[ncert_userext].key = val;
|
|
|
|
cert_userext[ncert_userext].val = cp == NULL ?
|
|
|
|
NULL : xstrdup(cp);
|
|
|
|
cert_userext[ncert_userext].crit = iscrit;
|
|
|
|
ncert_userext++;
|
2010-02-26 21:55:05 +01:00
|
|
|
} else
|
2010-04-16 07:56:21 +02:00
|
|
|
fatal("Unsupported certificate option \"%s\"", opt);
|
2010-02-26 21:55:05 +01:00
|
|
|
}
|
|
|
|
|
2010-06-26 01:48:02 +02:00
|
|
|
static void
|
2015-07-03 05:43:18 +02:00
|
|
|
show_options(struct sshbuf *optbuf, int in_critical)
|
2010-06-26 01:48:02 +02:00
|
|
|
{
|
2014-05-15 05:48:26 +02:00
|
|
|
char *name, *arg;
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshbuf *options, *option = NULL;
|
|
|
|
int r;
|
|
|
|
|
|
|
|
if ((options = sshbuf_fromb(optbuf)) == NULL)
|
|
|
|
fatal("%s: sshbuf_fromb failed", __func__);
|
|
|
|
while (sshbuf_len(options) != 0) {
|
|
|
|
sshbuf_free(option);
|
|
|
|
option = NULL;
|
|
|
|
if ((r = sshbuf_get_cstring(options, &name, NULL)) != 0 ||
|
|
|
|
(r = sshbuf_froms(options, &option)) != 0)
|
|
|
|
fatal("%s: buffer error: %s", __func__, ssh_err(r));
|
2010-06-26 01:48:02 +02:00
|
|
|
printf(" %s", name);
|
2015-07-03 05:43:18 +02:00
|
|
|
if (!in_critical &&
|
2010-06-26 01:48:02 +02:00
|
|
|
(strcmp(name, "permit-X11-forwarding") == 0 ||
|
|
|
|
strcmp(name, "permit-agent-forwarding") == 0 ||
|
|
|
|
strcmp(name, "permit-port-forwarding") == 0 ||
|
|
|
|
strcmp(name, "permit-pty") == 0 ||
|
2019-11-25 01:54:23 +01:00
|
|
|
strcmp(name, "permit-user-rc") == 0 ||
|
|
|
|
strcmp(name, "no-touch-required") == 0)) {
|
2010-06-26 01:48:02 +02:00
|
|
|
printf("\n");
|
2019-11-25 01:54:23 +01:00
|
|
|
} else if (in_critical &&
|
2010-06-26 01:48:02 +02:00
|
|
|
(strcmp(name, "force-command") == 0 ||
|
|
|
|
strcmp(name, "source-address") == 0)) {
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshbuf_get_cstring(option, &arg, NULL)) != 0)
|
|
|
|
fatal("%s: buffer error: %s",
|
|
|
|
__func__, ssh_err(r));
|
2014-05-15 05:48:26 +02:00
|
|
|
printf(" %s\n", arg);
|
|
|
|
free(arg);
|
2010-06-26 01:48:02 +02:00
|
|
|
} else {
|
2015-01-15 10:40:00 +01:00
|
|
|
printf(" UNKNOWN OPTION (len %zu)\n",
|
|
|
|
sshbuf_len(option));
|
|
|
|
sshbuf_reset(option);
|
2010-06-26 01:48:02 +02:00
|
|
|
}
|
2013-06-01 23:31:17 +02:00
|
|
|
free(name);
|
2015-01-15 10:40:00 +01:00
|
|
|
if (sshbuf_len(option) != 0)
|
2010-06-26 01:48:02 +02:00
|
|
|
fatal("Option corrupt: extra data at end");
|
|
|
|
}
|
2015-01-15 10:40:00 +01:00
|
|
|
sshbuf_free(option);
|
|
|
|
sshbuf_free(options);
|
2010-06-26 01:48:02 +02:00
|
|
|
}
|
|
|
|
|
2010-03-04 21:39:35 +01:00
|
|
|
static void
|
2015-11-13 05:34:15 +01:00
|
|
|
print_cert(struct sshkey *key)
|
2010-03-04 21:39:35 +01:00
|
|
|
{
|
2015-11-19 02:08:55 +01:00
|
|
|
char valid[64], *key_fp, *ca_fp;
|
2015-07-03 05:43:18 +02:00
|
|
|
u_int i;
|
2010-04-16 07:56:21 +02:00
|
|
|
|
2015-01-15 10:40:00 +01:00
|
|
|
key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
|
|
|
|
ca_fp = sshkey_fingerprint(key->cert->signature_key,
|
2014-12-21 23:27:55 +01:00
|
|
|
fingerprint_hash, SSH_FP_DEFAULT);
|
2015-01-28 23:36:00 +01:00
|
|
|
if (key_fp == NULL || ca_fp == NULL)
|
|
|
|
fatal("%s: sshkey_fingerprint fail", __func__);
|
2015-11-19 02:08:55 +01:00
|
|
|
sshkey_format_cert_validity(key->cert, valid, sizeof(valid));
|
2010-03-04 21:39:35 +01:00
|
|
|
|
2015-01-15 10:40:00 +01:00
|
|
|
printf(" Type: %s %s certificate\n", sshkey_ssh_name(key),
|
|
|
|
sshkey_cert_type(key));
|
|
|
|
printf(" Public key: %s %s\n", sshkey_type(key), key_fp);
|
2018-10-19 05:12:42 +02:00
|
|
|
printf(" Signing CA: %s %s (using %s)\n",
|
|
|
|
sshkey_type(key->cert->signature_key), ca_fp,
|
|
|
|
key->cert->signature_type);
|
2010-04-16 07:56:21 +02:00
|
|
|
printf(" Key ID: \"%s\"\n", key->cert->key_id);
|
2015-07-03 05:43:18 +02:00
|
|
|
printf(" Serial: %llu\n", (unsigned long long)key->cert->serial);
|
2015-11-19 02:08:55 +01:00
|
|
|
printf(" Valid: %s\n", valid);
|
2010-03-04 21:39:35 +01:00
|
|
|
printf(" Principals: ");
|
|
|
|
if (key->cert->nprincipals == 0)
|
|
|
|
printf("(none)\n");
|
|
|
|
else {
|
|
|
|
for (i = 0; i < key->cert->nprincipals; i++)
|
|
|
|
printf("\n %s",
|
|
|
|
key->cert->principals[i]);
|
|
|
|
printf("\n");
|
|
|
|
}
|
2010-04-16 07:56:21 +02:00
|
|
|
printf(" Critical Options: ");
|
2015-01-15 10:40:00 +01:00
|
|
|
if (sshbuf_len(key->cert->critical) == 0)
|
2010-03-04 21:39:35 +01:00
|
|
|
printf("(none)\n");
|
|
|
|
else {
|
|
|
|
printf("\n");
|
2015-07-03 05:43:18 +02:00
|
|
|
show_options(key->cert->critical, 1);
|
2010-04-16 07:56:21 +02:00
|
|
|
}
|
2015-07-03 05:43:18 +02:00
|
|
|
printf(" Extensions: ");
|
|
|
|
if (sshbuf_len(key->cert->extensions) == 0)
|
|
|
|
printf("(none)\n");
|
|
|
|
else {
|
|
|
|
printf("\n");
|
|
|
|
show_options(key->cert->extensions, 0);
|
2010-03-04 21:39:35 +01:00
|
|
|
}
|
2015-11-13 05:34:15 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
do_show_cert(struct passwd *pw)
|
|
|
|
{
|
|
|
|
struct sshkey *key = NULL;
|
|
|
|
struct stat st;
|
|
|
|
int r, is_stdin = 0, ok = 0;
|
|
|
|
FILE *f;
|
2018-06-06 20:29:18 +02:00
|
|
|
char *cp, *line = NULL;
|
2015-11-13 05:34:15 +01:00
|
|
|
const char *path;
|
2018-06-06 20:29:18 +02:00
|
|
|
size_t linesize = 0;
|
2016-05-02 10:49:03 +02:00
|
|
|
u_long lnum = 0;
|
2015-11-13 05:34:15 +01:00
|
|
|
|
|
|
|
if (!have_identity)
|
|
|
|
ask_filename(pw, "Enter file in which the key is");
|
2019-06-28 15:35:04 +02:00
|
|
|
if (strcmp(identity_file, "-") != 0 && stat(identity_file, &st) == -1)
|
2015-11-13 05:34:15 +01:00
|
|
|
fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
|
|
|
|
|
|
|
|
path = identity_file;
|
|
|
|
if (strcmp(path, "-") == 0) {
|
|
|
|
f = stdin;
|
|
|
|
path = "(stdin)";
|
|
|
|
is_stdin = 1;
|
|
|
|
} else if ((f = fopen(identity_file, "r")) == NULL)
|
|
|
|
fatal("fopen %s: %s", identity_file, strerror(errno));
|
|
|
|
|
2018-06-06 20:29:18 +02:00
|
|
|
while (getline(&line, &linesize, f) != -1) {
|
|
|
|
lnum++;
|
2015-11-13 05:34:15 +01:00
|
|
|
sshkey_free(key);
|
|
|
|
key = NULL;
|
|
|
|
/* Trim leading space and comments */
|
|
|
|
cp = line + strspn(line, " \t");
|
|
|
|
if (*cp == '#' || *cp == '\0')
|
|
|
|
continue;
|
|
|
|
if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
|
2017-05-30 16:16:41 +02:00
|
|
|
fatal("sshkey_new");
|
2015-11-13 05:34:15 +01:00
|
|
|
if ((r = sshkey_read(key, &cp)) != 0) {
|
|
|
|
error("%s:%lu: invalid key: %s", path,
|
|
|
|
lnum, ssh_err(r));
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if (!sshkey_is_cert(key)) {
|
|
|
|
error("%s:%lu is not a certificate", path, lnum);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
ok = 1;
|
|
|
|
if (!is_stdin && lnum == 1)
|
|
|
|
printf("%s:\n", path);
|
|
|
|
else
|
|
|
|
printf("%s:%lu:\n", path, lnum);
|
|
|
|
print_cert(key);
|
|
|
|
}
|
2018-06-06 20:29:18 +02:00
|
|
|
free(line);
|
2015-11-13 05:34:15 +01:00
|
|
|
sshkey_free(key);
|
|
|
|
fclose(f);
|
|
|
|
exit(ok ? 0 : 1);
|
2010-03-04 21:39:35 +01:00
|
|
|
}
|
|
|
|
|
2013-01-18 01:44:04 +01:00
|
|
|
static void
|
|
|
|
load_krl(const char *path, struct ssh_krl **krlp)
|
|
|
|
{
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshbuf *krlbuf;
|
|
|
|
int r, fd;
|
2013-01-18 01:44:04 +01:00
|
|
|
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((krlbuf = sshbuf_new()) == NULL)
|
|
|
|
fatal("sshbuf_new failed");
|
2013-01-18 01:44:04 +01:00
|
|
|
if ((fd = open(path, O_RDONLY)) == -1)
|
|
|
|
fatal("open %s: %s", path, strerror(errno));
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_load_file(fd, krlbuf)) != 0)
|
|
|
|
fatal("Unable to load KRL: %s", ssh_err(r));
|
2013-01-18 01:44:04 +01:00
|
|
|
close(fd);
|
|
|
|
/* XXX check sigs */
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = ssh_krl_from_blob(krlbuf, krlp, NULL, 0)) != 0 ||
|
2013-01-18 01:44:04 +01:00
|
|
|
*krlp == NULL)
|
2015-01-15 10:40:00 +01:00
|
|
|
fatal("Invalid KRL file: %s", ssh_err(r));
|
|
|
|
sshbuf_free(krlbuf);
|
2013-01-18 01:44:04 +01:00
|
|
|
}
|
|
|
|
|
2018-09-12 03:21:34 +02:00
|
|
|
static void
|
|
|
|
hash_to_blob(const char *cp, u_char **blobp, size_t *lenp,
|
|
|
|
const char *file, u_long lnum)
|
|
|
|
{
|
|
|
|
char *tmp;
|
|
|
|
size_t tlen;
|
|
|
|
struct sshbuf *b;
|
|
|
|
int r;
|
|
|
|
|
|
|
|
if (strncmp(cp, "SHA256:", 7) != 0)
|
|
|
|
fatal("%s:%lu: unsupported hash algorithm", file, lnum);
|
|
|
|
cp += 7;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* OpenSSH base64 hashes omit trailing '='
|
|
|
|
* characters; put them back for decode.
|
|
|
|
*/
|
|
|
|
tlen = strlen(cp);
|
|
|
|
tmp = xmalloc(tlen + 4 + 1);
|
|
|
|
strlcpy(tmp, cp, tlen + 1);
|
|
|
|
while ((tlen % 4) != 0) {
|
|
|
|
tmp[tlen++] = '=';
|
|
|
|
tmp[tlen] = '\0';
|
|
|
|
}
|
|
|
|
if ((b = sshbuf_new()) == NULL)
|
|
|
|
fatal("%s: sshbuf_new failed", __func__);
|
|
|
|
if ((r = sshbuf_b64tod(b, tmp)) != 0)
|
|
|
|
fatal("%s:%lu: decode hash failed: %s", file, lnum, ssh_err(r));
|
|
|
|
free(tmp);
|
|
|
|
*lenp = sshbuf_len(b);
|
|
|
|
*blobp = xmalloc(*lenp);
|
|
|
|
memcpy(*blobp, sshbuf_ptr(b), *lenp);
|
|
|
|
sshbuf_free(b);
|
|
|
|
}
|
|
|
|
|
2013-01-18 01:44:04 +01:00
|
|
|
static void
|
2015-01-30 02:10:33 +01:00
|
|
|
update_krl_from_file(struct passwd *pw, const char *file, int wild_ca,
|
2015-01-15 10:40:00 +01:00
|
|
|
const struct sshkey *ca, struct ssh_krl *krl)
|
2013-01-18 01:44:04 +01:00
|
|
|
{
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey *key = NULL;
|
2013-01-18 01:44:04 +01:00
|
|
|
u_long lnum = 0;
|
2018-06-06 20:29:18 +02:00
|
|
|
char *path, *cp, *ep, *line = NULL;
|
2018-09-12 03:21:34 +02:00
|
|
|
u_char *blob = NULL;
|
|
|
|
size_t blen = 0, linesize = 0;
|
2013-01-18 01:44:04 +01:00
|
|
|
unsigned long long serial, serial2;
|
2018-09-12 03:21:34 +02:00
|
|
|
int i, was_explicit_key, was_sha1, was_sha256, was_hash, r;
|
2013-01-18 01:44:04 +01:00
|
|
|
FILE *krl_spec;
|
|
|
|
|
|
|
|
path = tilde_expand_filename(file, pw->pw_uid);
|
|
|
|
if (strcmp(path, "-") == 0) {
|
|
|
|
krl_spec = stdin;
|
|
|
|
free(path);
|
|
|
|
path = xstrdup("(standard input)");
|
|
|
|
} else if ((krl_spec = fopen(path, "r")) == NULL)
|
|
|
|
fatal("fopen %s: %s", path, strerror(errno));
|
|
|
|
|
|
|
|
if (!quiet)
|
|
|
|
printf("Revoking from %s\n", path);
|
2018-06-06 20:29:18 +02:00
|
|
|
while (getline(&line, &linesize, krl_spec) != -1) {
|
|
|
|
lnum++;
|
2018-09-12 03:21:34 +02:00
|
|
|
was_explicit_key = was_sha1 = was_sha256 = was_hash = 0;
|
2013-01-18 01:44:04 +01:00
|
|
|
cp = line + strspn(line, " \t");
|
|
|
|
/* Trim trailing space, comments and strip \n */
|
|
|
|
for (i = 0, r = -1; cp[i] != '\0'; i++) {
|
|
|
|
if (cp[i] == '#' || cp[i] == '\n') {
|
|
|
|
cp[i] = '\0';
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (cp[i] == ' ' || cp[i] == '\t') {
|
|
|
|
/* Remember the start of a span of whitespace */
|
|
|
|
if (r == -1)
|
|
|
|
r = i;
|
|
|
|
} else
|
|
|
|
r = -1;
|
|
|
|
}
|
|
|
|
if (r != -1)
|
|
|
|
cp[r] = '\0';
|
|
|
|
if (*cp == '\0')
|
|
|
|
continue;
|
|
|
|
if (strncasecmp(cp, "serial:", 7) == 0) {
|
2015-01-30 02:10:33 +01:00
|
|
|
if (ca == NULL && !wild_ca) {
|
2013-08-20 18:42:58 +02:00
|
|
|
fatal("revoking certificates by serial number "
|
2013-01-18 01:44:04 +01:00
|
|
|
"requires specification of a CA key");
|
|
|
|
}
|
|
|
|
cp += 7;
|
|
|
|
cp = cp + strspn(cp, " \t");
|
|
|
|
errno = 0;
|
|
|
|
serial = strtoull(cp, &ep, 0);
|
|
|
|
if (*cp == '\0' || (*ep != '\0' && *ep != '-'))
|
|
|
|
fatal("%s:%lu: invalid serial \"%s\"",
|
|
|
|
path, lnum, cp);
|
|
|
|
if (errno == ERANGE && serial == ULLONG_MAX)
|
|
|
|
fatal("%s:%lu: serial out of range",
|
|
|
|
path, lnum);
|
|
|
|
serial2 = serial;
|
|
|
|
if (*ep == '-') {
|
|
|
|
cp = ep + 1;
|
|
|
|
errno = 0;
|
|
|
|
serial2 = strtoull(cp, &ep, 0);
|
|
|
|
if (*cp == '\0' || *ep != '\0')
|
|
|
|
fatal("%s:%lu: invalid serial \"%s\"",
|
|
|
|
path, lnum, cp);
|
|
|
|
if (errno == ERANGE && serial2 == ULLONG_MAX)
|
|
|
|
fatal("%s:%lu: serial out of range",
|
|
|
|
path, lnum);
|
|
|
|
if (serial2 <= serial)
|
|
|
|
fatal("%s:%lu: invalid serial range "
|
|
|
|
"%llu:%llu", path, lnum,
|
|
|
|
(unsigned long long)serial,
|
|
|
|
(unsigned long long)serial2);
|
|
|
|
}
|
|
|
|
if (ssh_krl_revoke_cert_by_serial_range(krl,
|
|
|
|
ca, serial, serial2) != 0) {
|
|
|
|
fatal("%s: revoke serial failed",
|
|
|
|
__func__);
|
|
|
|
}
|
|
|
|
} else if (strncasecmp(cp, "id:", 3) == 0) {
|
2015-01-30 02:10:33 +01:00
|
|
|
if (ca == NULL && !wild_ca) {
|
2013-08-20 18:43:27 +02:00
|
|
|
fatal("revoking certificates by key ID "
|
2013-01-18 01:44:04 +01:00
|
|
|
"requires specification of a CA key");
|
|
|
|
}
|
|
|
|
cp += 3;
|
|
|
|
cp = cp + strspn(cp, " \t");
|
|
|
|
if (ssh_krl_revoke_cert_by_key_id(krl, ca, cp) != 0)
|
|
|
|
fatal("%s: revoke key ID failed", __func__);
|
2018-09-12 03:21:34 +02:00
|
|
|
} else if (strncasecmp(cp, "hash:", 5) == 0) {
|
|
|
|
cp += 5;
|
|
|
|
cp = cp + strspn(cp, " \t");
|
|
|
|
hash_to_blob(cp, &blob, &blen, file, lnum);
|
|
|
|
r = ssh_krl_revoke_key_sha256(krl, blob, blen);
|
2013-01-18 01:44:04 +01:00
|
|
|
} else {
|
|
|
|
if (strncasecmp(cp, "key:", 4) == 0) {
|
|
|
|
cp += 4;
|
|
|
|
cp = cp + strspn(cp, " \t");
|
|
|
|
was_explicit_key = 1;
|
|
|
|
} else if (strncasecmp(cp, "sha1:", 5) == 0) {
|
|
|
|
cp += 5;
|
|
|
|
cp = cp + strspn(cp, " \t");
|
|
|
|
was_sha1 = 1;
|
2018-09-12 03:21:34 +02:00
|
|
|
} else if (strncasecmp(cp, "sha256:", 7) == 0) {
|
|
|
|
cp += 7;
|
|
|
|
cp = cp + strspn(cp, " \t");
|
|
|
|
was_sha256 = 1;
|
2013-01-18 01:44:04 +01:00
|
|
|
/*
|
|
|
|
* Just try to process the line as a key.
|
|
|
|
* Parsing will fail if it isn't.
|
|
|
|
*/
|
|
|
|
}
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
|
2017-05-30 16:16:41 +02:00
|
|
|
fatal("sshkey_new");
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_read(key, &cp)) != 0)
|
|
|
|
fatal("%s:%lu: invalid key: %s",
|
|
|
|
path, lnum, ssh_err(r));
|
2013-01-18 01:44:04 +01:00
|
|
|
if (was_explicit_key)
|
|
|
|
r = ssh_krl_revoke_key_explicit(krl, key);
|
2018-09-12 03:21:34 +02:00
|
|
|
else if (was_sha1) {
|
|
|
|
if (sshkey_fingerprint_raw(key,
|
|
|
|
SSH_DIGEST_SHA1, &blob, &blen) != 0) {
|
|
|
|
fatal("%s:%lu: fingerprint failed",
|
|
|
|
file, lnum);
|
|
|
|
}
|
|
|
|
r = ssh_krl_revoke_key_sha1(krl, blob, blen);
|
|
|
|
} else if (was_sha256) {
|
|
|
|
if (sshkey_fingerprint_raw(key,
|
|
|
|
SSH_DIGEST_SHA256, &blob, &blen) != 0) {
|
|
|
|
fatal("%s:%lu: fingerprint failed",
|
|
|
|
file, lnum);
|
|
|
|
}
|
|
|
|
r = ssh_krl_revoke_key_sha256(krl, blob, blen);
|
|
|
|
} else
|
2013-01-18 01:44:04 +01:00
|
|
|
r = ssh_krl_revoke_key(krl, key);
|
|
|
|
if (r != 0)
|
2015-01-15 10:40:00 +01:00
|
|
|
fatal("%s: revoke key failed: %s",
|
|
|
|
__func__, ssh_err(r));
|
2018-09-12 03:21:34 +02:00
|
|
|
freezero(blob, blen);
|
|
|
|
blob = NULL;
|
|
|
|
blen = 0;
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(key);
|
2013-01-18 01:44:04 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
if (strcmp(path, "-") != 0)
|
|
|
|
fclose(krl_spec);
|
2018-06-06 20:29:18 +02:00
|
|
|
free(line);
|
2013-04-23 07:23:24 +02:00
|
|
|
free(path);
|
2013-01-18 01:44:04 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
2019-01-23 05:16:22 +01:00
|
|
|
do_gen_krl(struct passwd *pw, int updating, const char *ca_key_path,
|
|
|
|
unsigned long long krl_version, const char *krl_comment,
|
|
|
|
int argc, char **argv)
|
2013-01-18 01:44:04 +01:00
|
|
|
{
|
|
|
|
struct ssh_krl *krl;
|
|
|
|
struct stat sb;
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey *ca = NULL;
|
2015-01-30 02:10:33 +01:00
|
|
|
int fd, i, r, wild_ca = 0;
|
2013-01-18 01:44:04 +01:00
|
|
|
char *tmp;
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshbuf *kbuf;
|
2013-01-18 01:44:04 +01:00
|
|
|
|
|
|
|
if (*identity_file == '\0')
|
|
|
|
fatal("KRL generation requires an output file");
|
|
|
|
if (stat(identity_file, &sb) == -1) {
|
|
|
|
if (errno != ENOENT)
|
|
|
|
fatal("Cannot access KRL \"%s\": %s",
|
|
|
|
identity_file, strerror(errno));
|
|
|
|
if (updating)
|
|
|
|
fatal("KRL \"%s\" does not exist", identity_file);
|
|
|
|
}
|
|
|
|
if (ca_key_path != NULL) {
|
2015-01-30 02:10:33 +01:00
|
|
|
if (strcasecmp(ca_key_path, "none") == 0)
|
|
|
|
wild_ca = 1;
|
|
|
|
else {
|
|
|
|
tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
|
|
|
|
if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0)
|
|
|
|
fatal("Cannot load CA public key %s: %s",
|
|
|
|
tmp, ssh_err(r));
|
|
|
|
free(tmp);
|
|
|
|
}
|
2013-01-18 01:44:04 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
if (updating)
|
|
|
|
load_krl(identity_file, &krl);
|
|
|
|
else if ((krl = ssh_krl_init()) == NULL)
|
|
|
|
fatal("couldn't create KRL");
|
|
|
|
|
2019-01-23 05:16:22 +01:00
|
|
|
if (krl_version != 0)
|
|
|
|
ssh_krl_set_version(krl, krl_version);
|
|
|
|
if (krl_comment != NULL)
|
|
|
|
ssh_krl_set_comment(krl, krl_comment);
|
2013-01-18 01:44:04 +01:00
|
|
|
|
|
|
|
for (i = 0; i < argc; i++)
|
2015-01-30 02:10:33 +01:00
|
|
|
update_krl_from_file(pw, argv[i], wild_ca, ca, krl);
|
2013-01-18 01:44:04 +01:00
|
|
|
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((kbuf = sshbuf_new()) == NULL)
|
|
|
|
fatal("sshbuf_new failed");
|
|
|
|
if (ssh_krl_to_blob(krl, kbuf, NULL, 0) != 0)
|
2013-01-18 01:44:04 +01:00
|
|
|
fatal("Couldn't generate KRL");
|
|
|
|
if ((fd = open(identity_file, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1)
|
|
|
|
fatal("open %s: %s", identity_file, strerror(errno));
|
2018-07-09 23:59:10 +02:00
|
|
|
if (atomicio(vwrite, fd, sshbuf_mutable_ptr(kbuf), sshbuf_len(kbuf)) !=
|
2015-01-15 10:40:00 +01:00
|
|
|
sshbuf_len(kbuf))
|
2013-01-18 01:44:04 +01:00
|
|
|
fatal("write %s: %s", identity_file, strerror(errno));
|
|
|
|
close(fd);
|
2015-01-15 10:40:00 +01:00
|
|
|
sshbuf_free(kbuf);
|
2013-01-18 01:44:04 +01:00
|
|
|
ssh_krl_free(krl);
|
2015-12-11 03:31:47 +01:00
|
|
|
sshkey_free(ca);
|
2013-01-18 01:44:04 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
do_check_krl(struct passwd *pw, int argc, char **argv)
|
|
|
|
{
|
|
|
|
int i, r, ret = 0;
|
|
|
|
char *comment;
|
|
|
|
struct ssh_krl *krl;
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey *k;
|
2013-01-18 01:44:04 +01:00
|
|
|
|
|
|
|
if (*identity_file == '\0')
|
|
|
|
fatal("KRL checking requires an input file");
|
|
|
|
load_krl(identity_file, &krl);
|
|
|
|
for (i = 0; i < argc; i++) {
|
2015-01-15 10:40:00 +01:00
|
|
|
if ((r = sshkey_load_public(argv[i], &k, &comment)) != 0)
|
|
|
|
fatal("Cannot load public key %s: %s",
|
|
|
|
argv[i], ssh_err(r));
|
2013-01-18 01:44:04 +01:00
|
|
|
r = ssh_krl_check_key(krl, k);
|
|
|
|
printf("%s%s%s%s: %s\n", argv[i],
|
|
|
|
*comment ? " (" : "", comment, *comment ? ")" : "",
|
|
|
|
r == 0 ? "ok" : "REVOKED");
|
|
|
|
if (r != 0)
|
|
|
|
ret = 1;
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(k);
|
2013-01-18 01:44:04 +01:00
|
|
|
free(comment);
|
|
|
|
}
|
|
|
|
ssh_krl_free(krl);
|
|
|
|
exit(ret);
|
|
|
|
}
|
|
|
|
|
2019-09-03 10:34:19 +02:00
|
|
|
static struct sshkey *
|
|
|
|
load_sign_key(const char *keypath, const struct sshkey *pubkey)
|
|
|
|
{
|
|
|
|
size_t i, slen, plen = strlen(keypath);
|
|
|
|
char *privpath = xstrdup(keypath);
|
|
|
|
const char *suffixes[] = { "-cert.pub", ".pub", NULL };
|
|
|
|
struct sshkey *ret = NULL, *privkey = NULL;
|
|
|
|
int r;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If passed a public key filename, then try to locate the correponding
|
|
|
|
* private key. This lets us specify certificates on the command-line
|
|
|
|
* and have ssh-keygen find the appropriate private key.
|
|
|
|
*/
|
|
|
|
for (i = 0; suffixes[i]; i++) {
|
|
|
|
slen = strlen(suffixes[i]);
|
|
|
|
if (plen <= slen ||
|
|
|
|
strcmp(privpath + plen - slen, suffixes[i]) != 0)
|
|
|
|
continue;
|
|
|
|
privpath[plen - slen] = '\0';
|
|
|
|
debug("%s: %s looks like a public key, using private key "
|
|
|
|
"path %s instead", __func__, keypath, privpath);
|
|
|
|
}
|
|
|
|
if ((privkey = load_identity(privpath, NULL)) == NULL) {
|
|
|
|
error("Couldn't load identity %s", keypath);
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
if (!sshkey_equal_public(pubkey, privkey)) {
|
|
|
|
error("Public key %s doesn't match private %s",
|
|
|
|
keypath, privpath);
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
if (sshkey_is_cert(pubkey) && !sshkey_is_cert(privkey)) {
|
|
|
|
/*
|
|
|
|
* Graft the certificate onto the private key to make
|
|
|
|
* it capable of signing.
|
|
|
|
*/
|
|
|
|
if ((r = sshkey_to_certified(privkey)) != 0) {
|
|
|
|
error("%s: sshkey_to_certified: %s", __func__,
|
|
|
|
ssh_err(r));
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
if ((r = sshkey_cert_copy(pubkey, privkey)) != 0) {
|
|
|
|
error("%s: sshkey_cert_copy: %s", __func__, ssh_err(r));
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/* success */
|
|
|
|
ret = privkey;
|
|
|
|
privkey = NULL;
|
|
|
|
done:
|
|
|
|
sshkey_free(privkey);
|
|
|
|
free(privpath);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
sign_one(struct sshkey *signkey, const char *filename, int fd,
|
|
|
|
const char *sig_namespace, sshsig_signer *signer, void *signer_ctx)
|
|
|
|
{
|
|
|
|
struct sshbuf *sigbuf = NULL, *abuf = NULL;
|
|
|
|
int r = SSH_ERR_INTERNAL_ERROR, wfd = -1, oerrno;
|
2019-11-12 23:36:44 +01:00
|
|
|
char *wfile = NULL, *asig = NULL, *fp = NULL;
|
2019-09-03 10:34:19 +02:00
|
|
|
|
|
|
|
if (!quiet) {
|
|
|
|
if (fd == STDIN_FILENO)
|
|
|
|
fprintf(stderr, "Signing data on standard input\n");
|
|
|
|
else
|
|
|
|
fprintf(stderr, "Signing file %s\n", filename);
|
|
|
|
}
|
2019-11-12 23:36:44 +01:00
|
|
|
if (signer == NULL && sshkey_is_sk(signkey) &&
|
|
|
|
(signkey->sk_flags & SSH_SK_USER_PRESENCE_REQD)) {
|
|
|
|
if ((fp = sshkey_fingerprint(signkey, fingerprint_hash,
|
|
|
|
SSH_FP_DEFAULT)) == NULL)
|
|
|
|
fatal("%s: sshkey_fingerprint failed", __func__);
|
|
|
|
fprintf(stderr, "Confirm user presence for key %s %s\n",
|
|
|
|
sshkey_type(signkey), fp);
|
|
|
|
free(fp);
|
|
|
|
}
|
2019-10-31 22:23:19 +01:00
|
|
|
if ((r = sshsig_sign_fd(signkey, NULL, sk_provider, fd, sig_namespace,
|
2019-09-03 10:34:19 +02:00
|
|
|
&sigbuf, signer, signer_ctx)) != 0) {
|
|
|
|
error("Signing %s failed: %s", filename, ssh_err(r));
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
if ((r = sshsig_armor(sigbuf, &abuf)) != 0) {
|
|
|
|
error("%s: sshsig_armor: %s", __func__, ssh_err(r));
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
if ((asig = sshbuf_dup_string(abuf)) == NULL) {
|
|
|
|
error("%s: buffer error", __func__);
|
|
|
|
r = SSH_ERR_ALLOC_FAIL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (fd == STDIN_FILENO) {
|
|
|
|
fputs(asig, stdout);
|
|
|
|
fflush(stdout);
|
|
|
|
} else {
|
|
|
|
xasprintf(&wfile, "%s.sig", filename);
|
|
|
|
if (confirm_overwrite(wfile)) {
|
|
|
|
if ((wfd = open(wfile, O_WRONLY|O_CREAT|O_TRUNC,
|
|
|
|
0666)) == -1) {
|
|
|
|
oerrno = errno;
|
|
|
|
error("Cannot open %s: %s",
|
|
|
|
wfile, strerror(errno));
|
|
|
|
errno = oerrno;
|
|
|
|
r = SSH_ERR_SYSTEM_ERROR;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
if (atomicio(vwrite, wfd, asig,
|
|
|
|
strlen(asig)) != strlen(asig)) {
|
|
|
|
oerrno = errno;
|
|
|
|
error("Cannot write to %s: %s",
|
|
|
|
wfile, strerror(errno));
|
|
|
|
errno = oerrno;
|
|
|
|
r = SSH_ERR_SYSTEM_ERROR;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
if (!quiet) {
|
|
|
|
fprintf(stderr, "Write signature to %s\n",
|
|
|
|
wfile);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/* success */
|
|
|
|
r = 0;
|
|
|
|
out:
|
|
|
|
free(wfile);
|
|
|
|
free(asig);
|
|
|
|
sshbuf_free(abuf);
|
|
|
|
sshbuf_free(sigbuf);
|
|
|
|
if (wfd != -1)
|
|
|
|
close(wfd);
|
|
|
|
return r;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2020-01-23 03:43:48 +01:00
|
|
|
sig_sign(const char *keypath, const char *sig_namespace, int argc, char **argv)
|
2019-09-03 10:34:19 +02:00
|
|
|
{
|
|
|
|
int i, fd = -1, r, ret = -1;
|
|
|
|
int agent_fd = -1;
|
|
|
|
struct sshkey *pubkey = NULL, *privkey = NULL, *signkey = NULL;
|
|
|
|
sshsig_signer *signer = NULL;
|
|
|
|
|
|
|
|
/* Check file arguments. */
|
|
|
|
for (i = 0; i < argc; i++) {
|
|
|
|
if (strcmp(argv[i], "-") != 0)
|
|
|
|
continue;
|
|
|
|
if (i > 0 || argc > 1)
|
|
|
|
fatal("Cannot sign mix of paths and standard input");
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((r = sshkey_load_public(keypath, &pubkey, NULL)) != 0) {
|
|
|
|
error("Couldn't load public key %s: %s", keypath, ssh_err(r));
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((r = ssh_get_authentication_socket(&agent_fd)) != 0)
|
|
|
|
debug("Couldn't get agent socket: %s", ssh_err(r));
|
|
|
|
else {
|
|
|
|
if ((r = ssh_agent_has_key(agent_fd, pubkey)) == 0)
|
|
|
|
signer = agent_signer;
|
|
|
|
else
|
|
|
|
debug("Couldn't find key in agent: %s", ssh_err(r));
|
|
|
|
}
|
|
|
|
|
|
|
|
if (signer == NULL) {
|
|
|
|
/* Not using agent - try to load private key */
|
|
|
|
if ((privkey = load_sign_key(keypath, pubkey)) == NULL)
|
|
|
|
goto done;
|
|
|
|
signkey = privkey;
|
|
|
|
} else {
|
|
|
|
/* Will use key in agent */
|
|
|
|
signkey = pubkey;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (argc == 0) {
|
|
|
|
if ((r = sign_one(signkey, "(stdin)", STDIN_FILENO,
|
|
|
|
sig_namespace, signer, &agent_fd)) != 0)
|
|
|
|
goto done;
|
|
|
|
} else {
|
|
|
|
for (i = 0; i < argc; i++) {
|
|
|
|
if (strcmp(argv[i], "-") == 0)
|
|
|
|
fd = STDIN_FILENO;
|
|
|
|
else if ((fd = open(argv[i], O_RDONLY)) == -1) {
|
|
|
|
error("Cannot open %s for signing: %s",
|
|
|
|
argv[i], strerror(errno));
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
if ((r = sign_one(signkey, argv[i], fd, sig_namespace,
|
|
|
|
signer, &agent_fd)) != 0)
|
|
|
|
goto done;
|
|
|
|
if (fd != STDIN_FILENO)
|
|
|
|
close(fd);
|
|
|
|
fd = -1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
done:
|
|
|
|
if (fd != -1 && fd != STDIN_FILENO)
|
|
|
|
close(fd);
|
|
|
|
sshkey_free(pubkey);
|
|
|
|
sshkey_free(privkey);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2020-01-23 03:43:48 +01:00
|
|
|
sig_verify(const char *signature, const char *sig_namespace,
|
|
|
|
const char *principal, const char *allowed_keys, const char *revoked_keys)
|
2019-09-03 10:34:19 +02:00
|
|
|
{
|
|
|
|
int r, ret = -1, sigfd = -1;
|
|
|
|
struct sshbuf *sigbuf = NULL, *abuf = NULL;
|
|
|
|
struct sshkey *sign_key = NULL;
|
|
|
|
char *fp = NULL;
|
2019-11-25 01:51:37 +01:00
|
|
|
struct sshkey_sig_details *sig_details = NULL;
|
2019-09-03 10:34:19 +02:00
|
|
|
|
2019-11-25 01:51:37 +01:00
|
|
|
memset(&sig_details, 0, sizeof(sig_details));
|
2019-09-03 10:34:19 +02:00
|
|
|
if ((abuf = sshbuf_new()) == NULL)
|
|
|
|
fatal("%s: sshbuf_new() failed", __func__);
|
|
|
|
|
|
|
|
if ((sigfd = open(signature, O_RDONLY)) < 0) {
|
|
|
|
error("Couldn't open signature file %s", signature);
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((r = sshkey_load_file(sigfd, abuf)) != 0) {
|
|
|
|
error("Couldn't read signature file: %s", ssh_err(r));
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) {
|
|
|
|
error("%s: sshsig_armor: %s", __func__, ssh_err(r));
|
2020-01-23 03:43:48 +01:00
|
|
|
goto done;
|
2019-09-03 10:34:19 +02:00
|
|
|
}
|
|
|
|
if ((r = sshsig_verify_fd(sigbuf, STDIN_FILENO, sig_namespace,
|
2019-11-25 01:51:37 +01:00
|
|
|
&sign_key, &sig_details)) != 0)
|
2019-09-03 10:34:19 +02:00
|
|
|
goto done; /* sshsig_verify() prints error */
|
|
|
|
|
|
|
|
if ((fp = sshkey_fingerprint(sign_key, fingerprint_hash,
|
|
|
|
SSH_FP_DEFAULT)) == NULL)
|
|
|
|
fatal("%s: sshkey_fingerprint failed", __func__);
|
|
|
|
debug("Valid (unverified) signature from key %s", fp);
|
2019-11-25 01:51:37 +01:00
|
|
|
if (sig_details != NULL) {
|
|
|
|
debug2("%s: signature details: counter = %u, flags = 0x%02x",
|
|
|
|
__func__, sig_details->sk_counter, sig_details->sk_flags);
|
|
|
|
}
|
2019-09-03 10:34:19 +02:00
|
|
|
free(fp);
|
|
|
|
fp = NULL;
|
|
|
|
|
|
|
|
if (revoked_keys != NULL) {
|
2019-09-03 10:35:27 +02:00
|
|
|
if ((r = sshkey_check_revoked(sign_key, revoked_keys)) != 0) {
|
|
|
|
debug3("sshkey_check_revoked failed: %s", ssh_err(r));
|
|
|
|
goto done;
|
|
|
|
}
|
2019-09-03 10:34:19 +02:00
|
|
|
}
|
|
|
|
|
2019-09-16 05:23:02 +02:00
|
|
|
if (allowed_keys != NULL &&
|
|
|
|
(r = sshsig_check_allowed_keys(allowed_keys, sign_key,
|
|
|
|
principal, sig_namespace)) != 0) {
|
2019-09-03 10:34:19 +02:00
|
|
|
debug3("sshsig_check_allowed_keys failed: %s", ssh_err(r));
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
/* success */
|
|
|
|
ret = 0;
|
|
|
|
done:
|
|
|
|
if (!quiet) {
|
|
|
|
if (ret == 0) {
|
|
|
|
if ((fp = sshkey_fingerprint(sign_key, fingerprint_hash,
|
|
|
|
SSH_FP_DEFAULT)) == NULL) {
|
|
|
|
fatal("%s: sshkey_fingerprint failed",
|
|
|
|
__func__);
|
|
|
|
}
|
2019-09-16 05:23:02 +02:00
|
|
|
if (principal == NULL) {
|
|
|
|
printf("Good \"%s\" signature with %s key %s\n",
|
|
|
|
sig_namespace, sshkey_type(sign_key), fp);
|
|
|
|
|
|
|
|
} else {
|
|
|
|
printf("Good \"%s\" signature for %s with %s key %s\n",
|
|
|
|
sig_namespace, principal,
|
|
|
|
sshkey_type(sign_key), fp);
|
|
|
|
}
|
2019-09-03 10:34:19 +02:00
|
|
|
} else {
|
|
|
|
printf("Could not verify signature.\n");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (sigfd != -1)
|
|
|
|
close(sigfd);
|
|
|
|
sshbuf_free(sigbuf);
|
|
|
|
sshbuf_free(abuf);
|
|
|
|
sshkey_free(sign_key);
|
2019-11-25 01:51:37 +01:00
|
|
|
sshkey_sig_details_free(sig_details);
|
2019-09-03 10:34:19 +02:00
|
|
|
free(fp);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2020-01-23 03:43:48 +01:00
|
|
|
static int
|
2020-01-24 00:31:52 +01:00
|
|
|
sig_find_principals(const char *signature, const char *allowed_keys) {
|
2020-01-23 03:43:48 +01:00
|
|
|
int r, ret = -1, sigfd = -1;
|
|
|
|
struct sshbuf *sigbuf = NULL, *abuf = NULL;
|
|
|
|
struct sshkey *sign_key = NULL;
|
2020-01-24 06:33:01 +01:00
|
|
|
char *principals = NULL, *cp, *tmp;
|
2020-01-23 03:43:48 +01:00
|
|
|
|
|
|
|
if ((abuf = sshbuf_new()) == NULL)
|
|
|
|
fatal("%s: sshbuf_new() failed", __func__);
|
|
|
|
|
|
|
|
if ((sigfd = open(signature, O_RDONLY)) < 0) {
|
|
|
|
error("Couldn't open signature file %s", signature);
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((r = sshkey_load_file(sigfd, abuf)) != 0) {
|
|
|
|
error("Couldn't read signature file: %s", ssh_err(r));
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
if ((r = sshsig_dearmor(abuf, &sigbuf)) != 0) {
|
|
|
|
error("%s: sshsig_armor: %s", __func__, ssh_err(r));
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
if ((r = sshsig_get_pubkey(sigbuf, &sign_key)) != 0) {
|
|
|
|
error("%s: sshsig_get_pubkey: %s",
|
2020-01-24 00:31:52 +01:00
|
|
|
__func__, ssh_err(r));
|
2020-01-23 03:43:48 +01:00
|
|
|
goto done;
|
|
|
|
}
|
2020-01-24 00:31:52 +01:00
|
|
|
if ((r = sshsig_find_principals(allowed_keys, sign_key,
|
|
|
|
&principals)) != 0) {
|
2020-01-23 03:43:48 +01:00
|
|
|
error("%s: sshsig_get_principal: %s",
|
|
|
|
__func__, ssh_err(r));
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
ret = 0;
|
|
|
|
done:
|
|
|
|
if (ret == 0 ) {
|
2020-01-24 06:33:01 +01:00
|
|
|
/* Emit matching principals one per line */
|
|
|
|
tmp = principals;
|
|
|
|
while ((cp = strsep(&tmp, ",")) != NULL && *cp != '\0')
|
|
|
|
puts(cp);
|
2020-01-23 03:43:48 +01:00
|
|
|
} else {
|
2020-01-24 06:33:01 +01:00
|
|
|
fprintf(stderr, "No principal matched.\n");
|
2020-01-23 03:43:48 +01:00
|
|
|
}
|
|
|
|
if (sigfd != -1)
|
|
|
|
close(sigfd);
|
|
|
|
sshbuf_free(sigbuf);
|
|
|
|
sshbuf_free(abuf);
|
|
|
|
sshkey_free(sign_key);
|
2020-01-24 00:31:52 +01:00
|
|
|
free(principals);
|
2020-01-23 03:43:48 +01:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2019-12-30 04:30:09 +01:00
|
|
|
static void
|
|
|
|
do_moduli_gen(const char *out_file, char **opts, size_t nopts)
|
|
|
|
{
|
|
|
|
#ifdef WITH_OPENSSL
|
|
|
|
/* Moduli generation/screening */
|
|
|
|
u_int32_t memory = 0;
|
|
|
|
BIGNUM *start = NULL;
|
|
|
|
int moduli_bits = 0;
|
|
|
|
FILE *out;
|
|
|
|
size_t i;
|
|
|
|
const char *errstr;
|
|
|
|
|
|
|
|
/* Parse options */
|
|
|
|
for (i = 0; i < nopts; i++) {
|
|
|
|
if (strncmp(opts[i], "memory=", 7) == 0) {
|
|
|
|
memory = (u_int32_t)strtonum(opts[i]+7, 1,
|
|
|
|
UINT_MAX, &errstr);
|
|
|
|
if (errstr) {
|
|
|
|
fatal("Memory limit is %s: %s",
|
|
|
|
errstr, opts[i]+7);
|
|
|
|
}
|
|
|
|
} else if (strncmp(opts[i], "start=", 6) == 0) {
|
|
|
|
/* XXX - also compare length against bits */
|
|
|
|
if (BN_hex2bn(&start, opts[i]+6) == 0)
|
|
|
|
fatal("Invalid start point.");
|
|
|
|
} else if (strncmp(opts[i], "bits=", 5) == 0) {
|
|
|
|
moduli_bits = (int)strtonum(opts[i]+5, 1,
|
|
|
|
INT_MAX, &errstr);
|
|
|
|
if (errstr) {
|
|
|
|
fatal("Invalid number: %s (%s)",
|
|
|
|
opts[i]+12, errstr);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
fatal("Option \"%s\" is unsupported for moduli "
|
|
|
|
"generation", opts[i]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((out = fopen(out_file, "w")) == NULL) {
|
|
|
|
fatal("Couldn't open modulus candidate file \"%s\": %s",
|
|
|
|
out_file, strerror(errno));
|
|
|
|
}
|
|
|
|
setvbuf(out, NULL, _IOLBF, 0);
|
|
|
|
|
|
|
|
if (moduli_bits == 0)
|
|
|
|
moduli_bits = DEFAULT_BITS;
|
|
|
|
if (gen_candidates(out, memory, moduli_bits, start) != 0)
|
|
|
|
fatal("modulus candidate generation failed");
|
|
|
|
#else /* WITH_OPENSSL */
|
|
|
|
fatal("Moduli generation is not supported");
|
|
|
|
#endif /* WITH_OPENSSL */
|
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
do_moduli_screen(const char *out_file, char **opts, size_t nopts)
|
|
|
|
{
|
|
|
|
#ifdef WITH_OPENSSL
|
|
|
|
/* Moduli generation/screening */
|
|
|
|
char *checkpoint = NULL;
|
|
|
|
u_int32_t generator_wanted = 0;
|
|
|
|
unsigned long start_lineno = 0, lines_to_process = 0;
|
|
|
|
int prime_tests = 0;
|
|
|
|
FILE *out, *in = stdin;
|
|
|
|
size_t i;
|
|
|
|
const char *errstr;
|
|
|
|
|
|
|
|
/* Parse options */
|
|
|
|
for (i = 0; i < nopts; i++) {
|
|
|
|
if (strncmp(opts[i], "lines=", 6) == 0) {
|
|
|
|
lines_to_process = strtoul(opts[i]+6, NULL, 10);
|
|
|
|
} else if (strncmp(opts[i], "start-line=", 11) == 0) {
|
|
|
|
start_lineno = strtoul(opts[i]+11, NULL, 10);
|
|
|
|
} else if (strncmp(opts[i], "checkpoint=", 11) == 0) {
|
|
|
|
checkpoint = xstrdup(opts[i]+11);
|
|
|
|
} else if (strncmp(opts[i], "generator=", 10) == 0) {
|
|
|
|
generator_wanted = (u_int32_t)strtonum(
|
|
|
|
opts[i]+10, 1, UINT_MAX, &errstr);
|
|
|
|
if (errstr != NULL) {
|
|
|
|
fatal("Generator invalid: %s (%s)",
|
|
|
|
opts[i]+10, errstr);
|
|
|
|
}
|
|
|
|
} else if (strncmp(opts[i], "prime-tests=", 12) == 0) {
|
|
|
|
prime_tests = (int)strtonum(opts[i]+12, 1,
|
|
|
|
INT_MAX, &errstr);
|
|
|
|
if (errstr) {
|
|
|
|
fatal("Invalid number: %s (%s)",
|
|
|
|
opts[i]+12, errstr);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
fatal("Option \"%s\" is unsupported for moduli "
|
|
|
|
"screening", opts[i]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (have_identity && strcmp(identity_file, "-") != 0) {
|
|
|
|
if ((in = fopen(identity_file, "r")) == NULL) {
|
|
|
|
fatal("Couldn't open modulus candidate "
|
|
|
|
"file \"%s\": %s", identity_file,
|
|
|
|
strerror(errno));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((out = fopen(out_file, "a")) == NULL) {
|
|
|
|
fatal("Couldn't open moduli file \"%s\": %s",
|
|
|
|
out_file, strerror(errno));
|
|
|
|
}
|
|
|
|
setvbuf(out, NULL, _IOLBF, 0);
|
|
|
|
if (prime_test(in, out, prime_tests == 0 ? 100 : prime_tests,
|
|
|
|
generator_wanted, checkpoint,
|
|
|
|
start_lineno, lines_to_process) != 0)
|
|
|
|
fatal("modulus screening failed");
|
|
|
|
#else /* WITH_OPENSSL */
|
|
|
|
fatal("Moduli screening is not supported");
|
|
|
|
#endif /* WITH_OPENSSL */
|
|
|
|
}
|
|
|
|
|
2020-01-02 23:40:09 +01:00
|
|
|
static char *
|
|
|
|
private_key_passphrase(void)
|
|
|
|
{
|
|
|
|
char *passphrase1, *passphrase2;
|
|
|
|
|
|
|
|
/* Ask for a passphrase (twice). */
|
|
|
|
if (identity_passphrase)
|
|
|
|
passphrase1 = xstrdup(identity_passphrase);
|
|
|
|
else if (identity_new_passphrase)
|
|
|
|
passphrase1 = xstrdup(identity_new_passphrase);
|
|
|
|
else {
|
|
|
|
passphrase_again:
|
|
|
|
passphrase1 =
|
|
|
|
read_passphrase("Enter passphrase (empty for no "
|
|
|
|
"passphrase): ", RP_ALLOW_STDIN);
|
|
|
|
passphrase2 = read_passphrase("Enter same passphrase again: ",
|
|
|
|
RP_ALLOW_STDIN);
|
|
|
|
if (strcmp(passphrase1, passphrase2) != 0) {
|
|
|
|
/*
|
|
|
|
* The passphrases do not match. Clear them and
|
|
|
|
* retry.
|
|
|
|
*/
|
|
|
|
freezero(passphrase1, strlen(passphrase1));
|
|
|
|
freezero(passphrase2, strlen(passphrase2));
|
|
|
|
printf("Passphrases do not match. Try again.\n");
|
|
|
|
goto passphrase_again;
|
|
|
|
}
|
|
|
|
/* Clear the other copy of the passphrase. */
|
|
|
|
freezero(passphrase2, strlen(passphrase2));
|
|
|
|
}
|
|
|
|
return passphrase1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static const char *
|
|
|
|
skip_ssh_url_preamble(const char *s)
|
|
|
|
{
|
|
|
|
if (strncmp(s, "ssh://", 6) == 0)
|
|
|
|
return s + 6;
|
|
|
|
else if (strncmp(s, "ssh:", 4) == 0)
|
|
|
|
return s + 4;
|
|
|
|
return s;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2020-01-06 03:00:46 +01:00
|
|
|
do_download_sk(const char *skprovider, const char *device)
|
2020-01-02 23:40:09 +01:00
|
|
|
{
|
|
|
|
struct sshkey **keys;
|
|
|
|
size_t nkeys, i;
|
|
|
|
int r, ok = -1;
|
|
|
|
char *fp, *pin, *pass = NULL, *path, *pubpath;
|
|
|
|
const char *ext;
|
|
|
|
|
|
|
|
if (skprovider == NULL)
|
|
|
|
fatal("Cannot download keys without provider");
|
|
|
|
|
|
|
|
pin = read_passphrase("Enter PIN for security key: ", RP_ALLOW_STDIN);
|
2020-01-06 03:00:46 +01:00
|
|
|
if ((r = sshsk_load_resident(skprovider, device, pin,
|
|
|
|
&keys, &nkeys)) != 0) {
|
2020-01-02 23:40:09 +01:00
|
|
|
freezero(pin, strlen(pin));
|
|
|
|
error("Unable to load resident keys: %s", ssh_err(r));
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
if (nkeys == 0)
|
|
|
|
logit("No keys to download");
|
|
|
|
freezero(pin, strlen(pin));
|
|
|
|
|
|
|
|
for (i = 0; i < nkeys; i++) {
|
|
|
|
if (keys[i]->type != KEY_ECDSA_SK &&
|
|
|
|
keys[i]->type != KEY_ED25519_SK) {
|
|
|
|
error("Unsupported key type %s (%d)",
|
|
|
|
sshkey_type(keys[i]), keys[i]->type);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if ((fp = sshkey_fingerprint(keys[i],
|
|
|
|
fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
|
|
|
|
fatal("%s: sshkey_fingerprint failed", __func__);
|
|
|
|
debug("%s: key %zu: %s %s %s (flags 0x%02x)", __func__, i,
|
|
|
|
sshkey_type(keys[i]), fp, keys[i]->sk_application,
|
|
|
|
keys[i]->sk_flags);
|
|
|
|
ext = skip_ssh_url_preamble(keys[i]->sk_application);
|
|
|
|
xasprintf(&path, "id_%s_rk%s%s",
|
|
|
|
keys[i]->type == KEY_ECDSA_SK ? "ecdsa_sk" : "ed25519_sk",
|
|
|
|
*ext == '\0' ? "" : "_", ext);
|
|
|
|
|
|
|
|
/* If the file already exists, ask the user to confirm. */
|
|
|
|
if (!confirm_overwrite(path)) {
|
|
|
|
free(path);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Save the key with the application string as the comment */
|
|
|
|
if (pass == NULL)
|
|
|
|
pass = private_key_passphrase();
|
|
|
|
if ((r = sshkey_save_private(keys[i], path, pass,
|
|
|
|
keys[i]->sk_application, private_key_format,
|
|
|
|
openssh_format_cipher, rounds)) != 0) {
|
|
|
|
error("Saving key \"%s\" failed: %s",
|
|
|
|
path, ssh_err(r));
|
|
|
|
free(path);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (!quiet) {
|
|
|
|
printf("Saved %s key%s%s to %s\n",
|
|
|
|
sshkey_type(keys[i]),
|
|
|
|
*ext != '\0' ? " " : "",
|
|
|
|
*ext != '\0' ? keys[i]->sk_application : "",
|
|
|
|
path);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Save public key too */
|
|
|
|
xasprintf(&pubpath, "%s.pub", path);
|
|
|
|
free(path);
|
|
|
|
if ((r = sshkey_save_public(keys[i], pubpath,
|
|
|
|
keys[i]->sk_application)) != 0) {
|
|
|
|
free(pubpath);
|
|
|
|
error("Saving public key \"%s\" failed: %s",
|
|
|
|
pubpath, ssh_err(r));
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
free(pubpath);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (i >= nkeys)
|
|
|
|
ok = 0; /* success */
|
|
|
|
if (pass != NULL)
|
|
|
|
freezero(pass, strlen(pass));
|
|
|
|
for (i = 0; i < nkeys; i++)
|
|
|
|
sshkey_free(keys[i]);
|
|
|
|
free(keys);
|
|
|
|
return ok ? 0 : -1;
|
|
|
|
}
|
|
|
|
|
2001-06-25 07:01:22 +02:00
|
|
|
static void
|
1999-11-21 08:31:57 +01:00
|
|
|
usage(void)
|
|
|
|
{
|
2014-04-20 05:01:30 +02:00
|
|
|
fprintf(stderr,
|
2019-10-03 19:07:50 +02:00
|
|
|
"usage: ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]\n"
|
2019-11-19 00:16:49 +01:00
|
|
|
" [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]\n"
|
2020-01-14 16:07:30 +01:00
|
|
|
" [-N new_passphrase] [-O option] [-w provider]\n"
|
2019-10-03 19:07:50 +02:00
|
|
|
" ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]\n"
|
|
|
|
" [-P old_passphrase]\n"
|
|
|
|
" ssh-keygen -i [-f input_keyfile] [-m key_format]\n"
|
|
|
|
" ssh-keygen -e [-f input_keyfile] [-m key_format]\n"
|
2014-04-20 05:01:30 +02:00
|
|
|
" ssh-keygen -y [-f input_keyfile]\n"
|
2019-10-03 19:07:50 +02:00
|
|
|
" ssh-keygen -c [-C comment] [-f keyfile] [-P passphrase]\n"
|
2015-02-24 16:24:05 +01:00
|
|
|
" ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n"
|
2017-05-01 01:18:44 +02:00
|
|
|
" ssh-keygen -B [-f input_keyfile]\n");
|
2010-02-11 23:21:02 +01:00
|
|
|
#ifdef ENABLE_PKCS11
|
2014-04-20 05:01:30 +02:00
|
|
|
fprintf(stderr,
|
|
|
|
" ssh-keygen -D pkcs11\n");
|
2010-02-11 23:21:02 +01:00
|
|
|
#endif
|
2014-04-20 05:01:30 +02:00
|
|
|
fprintf(stderr,
|
2019-09-29 18:31:57 +02:00
|
|
|
" ssh-keygen -F hostname [-lv] [-f known_hosts_file]\n"
|
2014-04-20 05:01:30 +02:00
|
|
|
" ssh-keygen -H [-f known_hosts_file]\n"
|
2020-01-14 16:07:30 +01:00
|
|
|
" ssh-keygen -K [-w provider]\n"
|
2014-04-20 05:01:30 +02:00
|
|
|
" ssh-keygen -R hostname [-f known_hosts_file]\n"
|
2019-09-29 18:31:57 +02:00
|
|
|
" ssh-keygen -r hostname [-g] [-f input_keyfile]\n"
|
2015-05-28 09:37:31 +02:00
|
|
|
#ifdef WITH_OPENSSL
|
2020-01-14 16:07:30 +01:00
|
|
|
" ssh-keygen -M generate [-O option] output_file\n"
|
|
|
|
" ssh-keygen -M screen [-f input_file] [-O option] output_file\n"
|
2015-05-28 09:37:31 +02:00
|
|
|
#endif
|
2019-10-03 19:07:50 +02:00
|
|
|
" ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]\n"
|
|
|
|
" [-n principals] [-O option] [-V validity_interval]\n"
|
|
|
|
" [-z serial_number] file ...\n"
|
2014-04-20 05:01:30 +02:00
|
|
|
" ssh-keygen -L [-f input_keyfile]\n"
|
2019-10-03 19:07:50 +02:00
|
|
|
" ssh-keygen -A [-f prefix_path]\n"
|
2014-04-20 05:01:30 +02:00
|
|
|
" ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n"
|
|
|
|
" file ...\n"
|
2019-09-03 22:51:49 +02:00
|
|
|
" ssh-keygen -Q -f krl_file file ...\n"
|
2020-01-24 00:31:52 +01:00
|
|
|
" ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file\n"
|
2019-10-03 19:07:50 +02:00
|
|
|
" ssh-keygen -Y check-novalidate -n namespace -s signature_file\n"
|
|
|
|
" ssh-keygen -Y sign -f key_file -n namespace file ...\n"
|
|
|
|
" ssh-keygen -Y verify -f allowed_signers_file -I signer_identity\n"
|
|
|
|
" -n namespace -s signature_file [-r revocation_file]\n");
|
1999-11-24 14:26:21 +01:00
|
|
|
exit(1);
|
1999-11-21 08:31:57 +01:00
|
|
|
}
|
|
|
|
|
1999-11-24 14:26:21 +01:00
|
|
|
/*
|
|
|
|
* Main program for key management.
|
|
|
|
*/
|
1999-10-27 05:42:43 +02:00
|
|
|
int
|
2007-01-05 06:22:57 +01:00
|
|
|
main(int argc, char **argv)
|
1999-10-27 05:42:43 +02:00
|
|
|
{
|
2020-01-02 23:40:09 +01:00
|
|
|
char dotsshdir[PATH_MAX], comment[1024], *passphrase;
|
2015-05-28 09:37:31 +02:00
|
|
|
char *rr_hostname = NULL, *ep, *fp, *ra;
|
2015-01-15 10:40:00 +01:00
|
|
|
struct sshkey *private, *public;
|
1999-11-24 14:26:21 +01:00
|
|
|
struct passwd *pw;
|
|
|
|
struct stat st;
|
2020-01-02 23:40:09 +01:00
|
|
|
int r, opt, type;
|
2019-01-23 05:16:22 +01:00
|
|
|
int change_passphrase = 0, change_comment = 0, show_cert = 0;
|
|
|
|
int find_host = 0, delete_host = 0, hash_hosts = 0;
|
2015-05-28 09:37:31 +02:00
|
|
|
int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;
|
2019-01-23 05:16:22 +01:00
|
|
|
int prefer_agent = 0, convert_to = 0, convert_from = 0;
|
2019-01-23 05:51:02 +01:00
|
|
|
int print_public = 0, print_generic = 0, cert_serial_autoinc = 0;
|
2020-01-02 23:40:09 +01:00
|
|
|
int do_gen_candidates = 0, do_screen_candidates = 0, download_sk = 0;
|
2019-12-30 10:49:52 +01:00
|
|
|
unsigned long long cert_serial = 0;
|
2019-12-30 04:28:41 +01:00
|
|
|
char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL;
|
2020-01-06 03:00:46 +01:00
|
|
|
char *sk_application = NULL, *sk_device = NULL, *sk_user = NULL;
|
2019-12-30 04:28:41 +01:00
|
|
|
size_t i, nopts = 0;
|
2019-08-08 10:02:57 +02:00
|
|
|
u_int32_t bits = 0;
|
2019-11-25 01:55:58 +01:00
|
|
|
uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD;
|
2015-05-28 09:37:31 +02:00
|
|
|
const char *errstr;
|
2019-01-23 05:16:22 +01:00
|
|
|
int log_level = SYSLOG_LEVEL_INFO;
|
2019-09-03 10:34:19 +02:00
|
|
|
char *sign_op = NULL;
|
2000-11-13 12:57:25 +01:00
|
|
|
|
1999-11-24 14:26:21 +01:00
|
|
|
extern int optind;
|
|
|
|
extern char *optarg;
|
|
|
|
|
2005-10-03 10:11:24 +02:00
|
|
|
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
|
|
|
sanitise_stdfd();
|
|
|
|
|
2007-01-14 00:19:59 +01:00
|
|
|
__progname = ssh_get_progname(argv[0]);
|
2000-07-09 14:42:32 +02:00
|
|
|
|
2002-07-20 21:05:40 +02:00
|
|
|
seed_rng();
|
2000-04-29 15:57:08 +02:00
|
|
|
|
2018-11-23 00:40:06 +01:00
|
|
|
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
|
|
|
|
|
2017-02-10 04:36:40 +01:00
|
|
|
msetlocale();
|
|
|
|
|
1999-11-25 01:54:57 +01:00
|
|
|
/* we need this for the home * directory. */
|
1999-11-24 14:26:21 +01:00
|
|
|
pw = getpwuid(getuid());
|
2015-04-17 15:19:22 +02:00
|
|
|
if (!pw)
|
|
|
|
fatal("No user exists for uid %lu", (u_long)getuid());
|
2019-06-28 15:35:04 +02:00
|
|
|
if (gethostname(hostname, sizeof(hostname)) == -1)
|
2015-04-17 15:19:22 +02:00
|
|
|
fatal("gethostname: %s", strerror(errno));
|
1999-11-25 01:54:57 +01:00
|
|
|
|
2019-10-31 22:17:09 +01:00
|
|
|
sk_provider = getenv("SSH_SK_PROVIDER");
|
|
|
|
|
2020-01-02 23:40:09 +01:00
|
|
|
/* Remaining characters: dGjJSTWx */
|
|
|
|
while ((opt = getopt(argc, argv, "ABHKLQUXceghiklopquvy"
|
2019-12-30 04:30:09 +01:00
|
|
|
"C:D:E:F:I:M:N:O:P:R:V:Y:Z:"
|
2019-12-30 10:49:52 +01:00
|
|
|
"a:b:f:g:m:n:r:s:t:w:z:")) != -1) {
|
1999-11-24 14:26:21 +01:00
|
|
|
switch (opt) {
|
2011-05-05 06:06:15 +02:00
|
|
|
case 'A':
|
|
|
|
gen_all_hostkeys = 1;
|
|
|
|
break;
|
1999-11-24 14:26:21 +01:00
|
|
|
case 'b':
|
2019-08-08 10:02:57 +02:00
|
|
|
bits = (u_int32_t)strtonum(optarg, 1, UINT32_MAX,
|
|
|
|
&errstr);
|
2005-05-26 04:19:39 +02:00
|
|
|
if (errstr)
|
|
|
|
fatal("Bits has bad value %s (%s)",
|
|
|
|
optarg, errstr);
|
1999-11-24 14:26:21 +01:00
|
|
|
break;
|
2014-12-21 23:27:55 +01:00
|
|
|
case 'E':
|
|
|
|
fingerprint_hash = ssh_digest_alg_by_name(optarg);
|
|
|
|
if (fingerprint_hash == -1)
|
|
|
|
fatal("Invalid hash algorithm \"%s\"", optarg);
|
|
|
|
break;
|
2005-03-01 11:48:35 +01:00
|
|
|
case 'F':
|
|
|
|
find_host = 1;
|
|
|
|
rr_hostname = optarg;
|
|
|
|
break;
|
|
|
|
case 'H':
|
|
|
|
hash_hosts = 1;
|
|
|
|
break;
|
2010-02-26 21:55:05 +01:00
|
|
|
case 'I':
|
|
|
|
cert_key_id = optarg;
|
|
|
|
break;
|
2005-03-01 11:48:35 +01:00
|
|
|
case 'R':
|
|
|
|
delete_host = 1;
|
|
|
|
rr_hostname = optarg;
|
|
|
|
break;
|
2010-03-04 21:39:35 +01:00
|
|
|
case 'L':
|
|
|
|
show_cert = 1;
|
|
|
|
break;
|
1999-11-24 14:26:21 +01:00
|
|
|
case 'l':
|
|
|
|
print_fingerprint = 1;
|
|
|
|
break;
|
2001-03-12 04:02:17 +01:00
|
|
|
case 'B':
|
|
|
|
print_bubblebabble = 1;
|
|
|
|
break;
|
2010-07-02 05:35:01 +02:00
|
|
|
case 'm':
|
|
|
|
if (strcasecmp(optarg, "RFC4716") == 0 ||
|
|
|
|
strcasecmp(optarg, "ssh2") == 0) {
|
|
|
|
convert_format = FMT_RFC4716;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (strcasecmp(optarg, "PKCS8") == 0) {
|
|
|
|
convert_format = FMT_PKCS8;
|
2019-07-15 15:16:29 +02:00
|
|
|
private_key_format = SSHKEY_PRIVATE_PKCS8;
|
2010-07-02 05:35:01 +02:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (strcasecmp(optarg, "PEM") == 0) {
|
|
|
|
convert_format = FMT_PEM;
|
2019-07-15 15:16:29 +02:00
|
|
|
private_key_format = SSHKEY_PRIVATE_PEM;
|
2010-07-02 05:35:01 +02:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
fatal("Unsupported conversion format \"%s\"", optarg);
|
2010-02-26 21:55:05 +01:00
|
|
|
case 'n':
|
|
|
|
cert_principals = optarg;
|
|
|
|
break;
|
2013-12-07 00:41:55 +01:00
|
|
|
case 'o':
|
2018-08-08 03:16:01 +02:00
|
|
|
/* no-op; new format is already the default */
|
2013-12-07 00:41:55 +01:00
|
|
|
break;
|
1999-11-24 14:26:21 +01:00
|
|
|
case 'p':
|
|
|
|
change_passphrase = 1;
|
|
|
|
break;
|
|
|
|
case 'c':
|
|
|
|
change_comment = 1;
|
|
|
|
break;
|
|
|
|
case 'f':
|
2015-05-28 09:37:31 +02:00
|
|
|
if (strlcpy(identity_file, optarg,
|
|
|
|
sizeof(identity_file)) >= sizeof(identity_file))
|
2005-05-26 04:16:18 +02:00
|
|
|
fatal("Identity filename too long");
|
1999-11-24 14:26:21 +01:00
|
|
|
have_identity = 1;
|
|
|
|
break;
|
2003-05-15 02:19:46 +02:00
|
|
|
case 'g':
|
|
|
|
print_generic = 1;
|
|
|
|
break;
|
2020-01-02 23:40:09 +01:00
|
|
|
case 'K':
|
|
|
|
download_sk = 1;
|
|
|
|
break;
|
1999-11-24 14:26:21 +01:00
|
|
|
case 'P':
|
|
|
|
identity_passphrase = optarg;
|
|
|
|
break;
|
|
|
|
case 'N':
|
|
|
|
identity_new_passphrase = optarg;
|
|
|
|
break;
|
2013-01-18 01:44:04 +01:00
|
|
|
case 'Q':
|
|
|
|
check_krl = 1;
|
|
|
|
break;
|
2010-02-26 21:55:05 +01:00
|
|
|
case 'O':
|
2019-12-30 04:28:41 +01:00
|
|
|
opts = xrecallocarray(opts, nopts, nopts + 1,
|
|
|
|
sizeof(*opts));
|
|
|
|
opts[nopts++] = xstrdup(optarg);
|
2010-02-26 21:55:05 +01:00
|
|
|
break;
|
2013-12-07 00:41:55 +01:00
|
|
|
case 'Z':
|
2019-07-15 15:16:29 +02:00
|
|
|
openssh_format_cipher = optarg;
|
2013-12-07 00:41:55 +01:00
|
|
|
break;
|
1999-11-24 14:26:21 +01:00
|
|
|
case 'C':
|
|
|
|
identity_comment = optarg;
|
|
|
|
break;
|
|
|
|
case 'q':
|
|
|
|
quiet = 1;
|
|
|
|
break;
|
2001-04-22 19:15:46 +02:00
|
|
|
case 'e':
|
|
|
|
/* export key */
|
2010-07-02 05:35:01 +02:00
|
|
|
convert_to = 1;
|
2000-04-29 15:57:08 +02:00
|
|
|
break;
|
2010-02-26 21:55:05 +01:00
|
|
|
case 'h':
|
|
|
|
cert_key_type = SSH2_CERT_TYPE_HOST;
|
2010-05-21 06:58:32 +02:00
|
|
|
certflags_flags = 0;
|
2010-02-26 21:55:05 +01:00
|
|
|
break;
|
2013-01-18 01:44:04 +01:00
|
|
|
case 'k':
|
|
|
|
gen_krl = 1;
|
|
|
|
break;
|
2001-04-22 19:15:46 +02:00
|
|
|
case 'i':
|
2000-04-29 15:57:08 +02:00
|
|
|
case 'X':
|
2001-04-22 19:15:46 +02:00
|
|
|
/* import key */
|
2010-07-02 05:35:01 +02:00
|
|
|
convert_from = 1;
|
2000-04-29 15:57:08 +02:00
|
|
|
break;
|
|
|
|
case 'y':
|
|
|
|
print_public = 1;
|
|
|
|
break;
|
2010-02-26 21:55:05 +01:00
|
|
|
case 's':
|
|
|
|
ca_key_path = optarg;
|
|
|
|
break;
|
2000-11-13 12:57:25 +01:00
|
|
|
case 't':
|
|
|
|
key_type_name = optarg;
|
|
|
|
break;
|
2001-08-06 23:44:05 +02:00
|
|
|
case 'D':
|
2010-02-11 23:21:02 +01:00
|
|
|
pkcs11provider = optarg;
|
2001-07-04 05:44:03 +02:00
|
|
|
break;
|
2017-06-28 03:09:22 +02:00
|
|
|
case 'U':
|
|
|
|
prefer_agent = 1;
|
|
|
|
break;
|
2013-01-18 01:44:04 +01:00
|
|
|
case 'u':
|
|
|
|
update_krl = 1;
|
|
|
|
break;
|
2003-12-31 01:34:51 +01:00
|
|
|
case 'v':
|
|
|
|
if (log_level == SYSLOG_LEVEL_INFO)
|
|
|
|
log_level = SYSLOG_LEVEL_DEBUG1;
|
|
|
|
else {
|
2004-07-17 08:12:08 +02:00
|
|
|
if (log_level >= SYSLOG_LEVEL_DEBUG1 &&
|
2003-12-31 01:34:51 +01:00
|
|
|
log_level < SYSLOG_LEVEL_DEBUG3)
|
|
|
|
log_level++;
|
|
|
|
}
|
|
|
|
break;
|
2003-05-15 02:19:46 +02:00
|
|
|
case 'r':
|
2005-03-01 11:48:35 +01:00
|
|
|
rr_hostname = optarg;
|
2003-05-15 02:19:46 +02:00
|
|
|
break;
|
2003-08-02 14:40:07 +02:00
|
|
|
case 'a':
|
2013-12-07 00:41:55 +01:00
|
|
|
rounds = (int)strtonum(optarg, 1, INT_MAX, &errstr);
|
2005-05-26 04:16:18 +02:00
|
|
|
if (errstr)
|
2013-12-07 00:41:55 +01:00
|
|
|
fatal("Invalid number: %s (%s)",
|
2005-05-26 04:16:18 +02:00
|
|
|
optarg, errstr);
|
2003-08-02 14:40:07 +02:00
|
|
|
break;
|
2015-05-28 09:37:31 +02:00
|
|
|
case 'V':
|
|
|
|
parse_cert_times(optarg);
|
|
|
|
break;
|
2019-09-03 10:34:19 +02:00
|
|
|
case 'Y':
|
|
|
|
sign_op = optarg;
|
2019-11-18 02:59:48 +01:00
|
|
|
break;
|
2019-10-31 22:17:09 +01:00
|
|
|
case 'w':
|
|
|
|
sk_provider = optarg;
|
|
|
|
break;
|
2015-05-28 09:37:31 +02:00
|
|
|
case 'z':
|
|
|
|
errno = 0;
|
2019-01-23 05:51:02 +01:00
|
|
|
if (*optarg == '+') {
|
|
|
|
cert_serial_autoinc = 1;
|
|
|
|
optarg++;
|
|
|
|
}
|
2015-05-28 09:37:31 +02:00
|
|
|
cert_serial = strtoull(optarg, &ep, 10);
|
|
|
|
if (*optarg < '0' || *optarg > '9' || *ep != '\0' ||
|
|
|
|
(errno == ERANGE && cert_serial == ULLONG_MAX))
|
|
|
|
fatal("Invalid serial number \"%s\"", optarg);
|
|
|
|
break;
|
2016-09-12 05:30:50 +02:00
|
|
|
case 'M':
|
2019-12-30 04:30:09 +01:00
|
|
|
if (strcmp(optarg, "generate") == 0)
|
|
|
|
do_gen_candidates = 1;
|
|
|
|
else if (strcmp(optarg, "screen") == 0)
|
|
|
|
do_screen_candidates = 1;
|
|
|
|
else
|
|
|
|
fatal("Unsupported moduli option %s", optarg);
|
2016-09-12 05:30:50 +02:00
|
|
|
break;
|
1999-11-24 14:26:21 +01:00
|
|
|
case '?':
|
|
|
|
default:
|
|
|
|
usage();
|
|
|
|
}
|
|
|
|
}
|
2003-12-31 01:34:51 +01:00
|
|
|
|
2019-11-14 22:27:29 +01:00
|
|
|
#ifdef ENABLE_SK_INTERNAL
|
|
|
|
if (sk_provider == NULL)
|
|
|
|
sk_provider = "internal";
|
|
|
|
#endif
|
|
|
|
|
2003-12-31 01:34:51 +01:00
|
|
|
/* reinit */
|
2007-01-05 06:22:57 +01:00
|
|
|
log_init(argv[0], log_level, SYSLOG_FACILITY_USER, 1);
|
2003-12-31 01:34:51 +01:00
|
|
|
|
2010-02-26 21:55:05 +01:00
|
|
|
argv += optind;
|
|
|
|
argc -= optind;
|
|
|
|
|
2019-09-03 10:34:19 +02:00
|
|
|
if (sign_op != NULL) {
|
2020-01-24 00:31:52 +01:00
|
|
|
if (strncmp(sign_op, "find-principals", 15) == 0) {
|
2020-01-23 03:43:48 +01:00
|
|
|
if (ca_key_path == NULL) {
|
2020-01-24 00:31:52 +01:00
|
|
|
error("Too few arguments for find-principals:"
|
2020-01-23 03:43:48 +01:00
|
|
|
"missing signature file");
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
if (!have_identity) {
|
2020-01-24 00:31:52 +01:00
|
|
|
error("Too few arguments for find-principals:"
|
2020-01-23 03:43:48 +01:00
|
|
|
"missing allowed keys file");
|
|
|
|
exit(1);
|
|
|
|
}
|
2020-01-24 00:31:52 +01:00
|
|
|
return sig_find_principals(ca_key_path, identity_file);
|
2020-01-24 06:33:01 +01:00
|
|
|
} else if (strncmp(sign_op, "sign", 4) == 0) {
|
|
|
|
if (cert_principals == NULL ||
|
|
|
|
*cert_principals == '\0') {
|
|
|
|
error("Too few arguments for sign: "
|
|
|
|
"missing namespace");
|
|
|
|
exit(1);
|
|
|
|
}
|
2019-09-03 10:34:19 +02:00
|
|
|
if (!have_identity) {
|
|
|
|
error("Too few arguments for sign: "
|
|
|
|
"missing key");
|
|
|
|
exit(1);
|
|
|
|
}
|
2020-01-23 03:43:48 +01:00
|
|
|
return sig_sign(identity_file, cert_principals,
|
|
|
|
argc, argv);
|
2019-09-16 05:23:02 +02:00
|
|
|
} else if (strncmp(sign_op, "check-novalidate", 16) == 0) {
|
|
|
|
if (ca_key_path == NULL) {
|
|
|
|
error("Too few arguments for check-novalidate: "
|
|
|
|
"missing signature file");
|
|
|
|
exit(1);
|
|
|
|
}
|
2020-01-23 03:43:48 +01:00
|
|
|
return sig_verify(ca_key_path, cert_principals,
|
|
|
|
NULL, NULL, NULL);
|
2019-09-03 10:34:19 +02:00
|
|
|
} else if (strncmp(sign_op, "verify", 6) == 0) {
|
2020-01-24 06:33:01 +01:00
|
|
|
if (cert_principals == NULL ||
|
|
|
|
*cert_principals == '\0') {
|
|
|
|
error("Too few arguments for verify: "
|
|
|
|
"missing namespace");
|
|
|
|
exit(1);
|
|
|
|
}
|
2019-09-03 10:34:19 +02:00
|
|
|
if (ca_key_path == NULL) {
|
|
|
|
error("Too few arguments for verify: "
|
|
|
|
"missing signature file");
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
if (!have_identity) {
|
|
|
|
error("Too few arguments for sign: "
|
|
|
|
"missing allowed keys file");
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
if (cert_key_id == NULL) {
|
|
|
|
error("Too few arguments for verify: "
|
|
|
|
"missing principal ID");
|
|
|
|
exit(1);
|
|
|
|
}
|
2020-01-23 03:43:48 +01:00
|
|
|
return sig_verify(ca_key_path, cert_principals,
|
2019-09-03 10:34:19 +02:00
|
|
|
cert_key_id, identity_file, rr_hostname);
|
|
|
|
}
|
2020-01-24 06:33:01 +01:00
|
|
|
error("Unsupported operation for -Y: \"%s\"", sign_op);
|
2019-09-03 10:34:19 +02:00
|
|
|
usage();
|
|
|
|
/* NOTREACHED */
|
|
|
|
}
|
|
|
|
|
2010-02-26 21:55:05 +01:00
|
|
|
if (ca_key_path != NULL) {
|
2013-01-18 01:44:04 +01:00
|
|
|
if (argc < 1 && !gen_krl) {
|
2015-04-17 15:19:22 +02:00
|
|
|
error("Too few arguments.");
|
2010-02-26 21:55:05 +01:00
|
|
|
usage();
|
|
|
|
}
|
2019-12-30 04:30:09 +01:00
|
|
|
} else if (argc > 0 && !gen_krl && !check_krl &&
|
|
|
|
!do_gen_candidates && !do_screen_candidates) {
|
2015-04-17 15:19:22 +02:00
|
|
|
error("Too many arguments.");
|
1999-11-24 14:26:21 +01:00
|
|
|
usage();
|
|
|
|
}
|
|
|
|
if (change_passphrase && change_comment) {
|
2015-04-17 15:19:22 +02:00
|
|
|
error("Can only have one of -p and -c.");
|
1999-11-24 14:26:21 +01:00
|
|
|
usage();
|
|
|
|
}
|
2008-06-08 04:54:29 +02:00
|
|
|
if (print_fingerprint && (delete_host || hash_hosts)) {
|
2015-04-17 15:19:22 +02:00
|
|
|
error("Cannot use -l with -H or -R.");
|
2008-06-08 04:54:29 +02:00
|
|
|
usage();
|
|
|
|
}
|
2013-01-18 01:44:04 +01:00
|
|
|
if (gen_krl) {
|
2019-01-23 05:16:22 +01:00
|
|
|
do_gen_krl(pw, update_krl, ca_key_path,
|
|
|
|
cert_serial, identity_comment, argc, argv);
|
2013-01-18 01:44:04 +01:00
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
if (check_krl) {
|
|
|
|
do_check_krl(pw, argc, argv);
|
|
|
|
return (0);
|
|
|
|
}
|
2010-02-26 21:55:05 +01:00
|
|
|
if (ca_key_path != NULL) {
|
|
|
|
if (cert_key_id == NULL)
|
|
|
|
fatal("Must specify key id (-I) when certifying");
|
2019-12-30 04:28:41 +01:00
|
|
|
for (i = 0; i < nopts; i++)
|
|
|
|
add_cert_option(opts[i]);
|
2019-01-23 05:51:02 +01:00
|
|
|
do_ca_sign(pw, ca_key_path, prefer_agent,
|
|
|
|
cert_serial, cert_serial_autoinc, argc, argv);
|
2010-02-26 21:55:05 +01:00
|
|
|
}
|
2010-03-04 21:39:35 +01:00
|
|
|
if (show_cert)
|
|
|
|
do_show_cert(pw);
|
2019-01-23 05:16:22 +01:00
|
|
|
if (delete_host || hash_hosts || find_host) {
|
|
|
|
do_known_hosts(pw, rr_hostname, find_host,
|
|
|
|
delete_host, hash_hosts);
|
|
|
|
}
|
2013-01-09 05:58:00 +01:00
|
|
|
if (pkcs11provider != NULL)
|
|
|
|
do_download(pw);
|
2020-01-06 03:00:46 +01:00
|
|
|
if (download_sk) {
|
|
|
|
for (i = 0; i < nopts; i++) {
|
|
|
|
if (strncasecmp(opts[i], "device=", 7) == 0) {
|
|
|
|
sk_device = xstrdup(opts[i] + 7);
|
|
|
|
} else {
|
|
|
|
fatal("Option \"%s\" is unsupported for "
|
|
|
|
"FIDO authenticator download", opts[i]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return do_download_sk(sk_provider, sk_device);
|
|
|
|
}
|
2001-03-12 04:02:17 +01:00
|
|
|
if (print_fingerprint || print_bubblebabble)
|
1999-11-24 14:26:21 +01:00
|
|
|
do_fingerprint(pw);
|
|
|
|
if (change_passphrase)
|
|
|
|
do_change_passphrase(pw);
|
2002-03-11 12:53:29 +01:00
|
|
|
if (change_comment)
|
2019-01-23 05:16:22 +01:00
|
|
|
do_change_comment(pw, identity_comment);
|
2014-05-15 06:24:09 +02:00
|
|
|
#ifdef WITH_OPENSSL
|
2010-07-02 05:35:01 +02:00
|
|
|
if (convert_to)
|
|
|
|
do_convert_to(pw);
|
|
|
|
if (convert_from)
|
|
|
|
do_convert_from(pw);
|
2019-09-06 09:53:40 +02:00
|
|
|
#else /* WITH_OPENSSL */
|
|
|
|
if (convert_to || convert_from)
|
|
|
|
fatal("key conversion disabled at compile time");
|
|
|
|
#endif /* WITH_OPENSSL */
|
2000-04-29 15:57:08 +02:00
|
|
|
if (print_public)
|
|
|
|
do_print_public(pw);
|
2005-03-01 11:48:35 +01:00
|
|
|
if (rr_hostname != NULL) {
|
2006-03-26 04:48:01 +02:00
|
|
|
unsigned int n = 0;
|
|
|
|
|
|
|
|
if (have_identity) {
|
2019-01-23 05:16:22 +01:00
|
|
|
n = do_print_resource_record(pw, identity_file,
|
|
|
|
rr_hostname, print_generic);
|
2015-04-17 15:19:22 +02:00
|
|
|
if (n == 0)
|
|
|
|
fatal("%s: %s", identity_file, strerror(errno));
|
2006-03-26 04:48:01 +02:00
|
|
|
exit(0);
|
|
|
|
} else {
|
|
|
|
|
|
|
|
n += do_print_resource_record(pw,
|
2019-01-23 05:16:22 +01:00
|
|
|
_PATH_HOST_RSA_KEY_FILE, rr_hostname,
|
|
|
|
print_generic);
|
2006-03-26 04:48:01 +02:00
|
|
|
n += do_print_resource_record(pw,
|
2019-01-23 05:16:22 +01:00
|
|
|
_PATH_HOST_DSA_KEY_FILE, rr_hostname,
|
|
|
|
print_generic);
|
2012-06-20 13:51:11 +02:00
|
|
|
n += do_print_resource_record(pw,
|
2019-01-23 05:16:22 +01:00
|
|
|
_PATH_HOST_ECDSA_KEY_FILE, rr_hostname,
|
|
|
|
print_generic);
|
2014-05-15 05:45:58 +02:00
|
|
|
n += do_print_resource_record(pw,
|
2019-01-23 05:16:22 +01:00
|
|
|
_PATH_HOST_ED25519_KEY_FILE, rr_hostname,
|
|
|
|
print_generic);
|
2018-02-23 16:58:37 +01:00
|
|
|
n += do_print_resource_record(pw,
|
2019-01-23 05:16:22 +01:00
|
|
|
_PATH_HOST_XMSS_KEY_FILE, rr_hostname,
|
|
|
|
print_generic);
|
2006-03-26 04:48:01 +02:00
|
|
|
if (n == 0)
|
|
|
|
fatal("no keys found.");
|
|
|
|
exit(0);
|
|
|
|
}
|
2003-05-15 02:19:46 +02:00
|
|
|
}
|
1999-11-24 14:26:21 +01:00
|
|
|
|
2019-12-30 04:30:09 +01:00
|
|
|
if (do_gen_candidates || do_screen_candidates) {
|
|
|
|
if (argc <= 0)
|
|
|
|
fatal("No output file specified");
|
|
|
|
else if (argc > 1)
|
|
|
|
fatal("Too many output files specified");
|
|
|
|
}
|
2003-08-02 14:40:07 +02:00
|
|
|
if (do_gen_candidates) {
|
2019-12-30 04:30:09 +01:00
|
|
|
do_moduli_gen(argv[0], opts, nopts);
|
|
|
|
return 0;
|
2003-08-02 14:40:07 +02:00
|
|
|
}
|
|
|
|
if (do_screen_candidates) {
|
2019-12-30 04:30:09 +01:00
|
|
|
do_moduli_screen(argv[0], opts, nopts);
|
|
|
|
return 0;
|
2003-08-02 14:40:07 +02:00
|
|
|
}
|
|
|
|
|
2011-05-05 06:06:15 +02:00
|
|
|
if (gen_all_hostkeys) {
|
|
|
|
do_gen_all_hostkeys(pw);
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2005-11-05 05:15:49 +01:00
|
|
|
if (key_type_name == NULL)
|
2015-05-28 06:40:13 +02:00
|
|
|
key_type_name = DEFAULT_KEY_TYPE_NAME;
|
2005-11-05 05:15:49 +01:00
|
|
|
|
2015-01-15 10:40:00 +01:00
|
|
|
type = sshkey_type_from_name(key_type_name);
|
2015-01-18 14:22:28 +01:00
|
|
|
type_bits_valid(type, key_type_name, &bits);
|
2011-05-05 06:06:15 +02:00
|
|
|
|
2005-11-29 03:10:24 +01:00
|
|
|
if (!quiet)
|
2015-01-15 10:40:00 +01:00
|
|
|
printf("Generating public/private %s key pair.\n",
|
|
|
|
key_type_name);
|
2019-11-12 20:33:08 +01:00
|
|
|
switch (type) {
|
|
|
|
case KEY_ECDSA_SK:
|
|
|
|
case KEY_ED25519_SK:
|
2019-12-30 10:49:52 +01:00
|
|
|
for (i = 0; i < nopts; i++) {
|
|
|
|
if (strcasecmp(opts[i], "no-touch-required") == 0) {
|
|
|
|
sk_flags &= ~SSH_SK_USER_PRESENCE_REQD;
|
|
|
|
} else if (strcasecmp(opts[i], "resident") == 0) {
|
|
|
|
sk_flags |= SSH_SK_RESIDENT_KEY;
|
2020-01-06 03:00:46 +01:00
|
|
|
} else if (strncasecmp(opts[i], "device=", 7) == 0) {
|
|
|
|
sk_device = xstrdup(opts[i] + 7);
|
|
|
|
} else if (strncasecmp(opts[i], "user=", 5) == 0) {
|
|
|
|
sk_user = xstrdup(opts[i] + 5);
|
|
|
|
} else if (strncasecmp(opts[i],
|
|
|
|
"application=", 12) == 0) {
|
|
|
|
sk_application = xstrdup(opts[i] + 12);
|
2019-12-30 10:49:52 +01:00
|
|
|
} else {
|
|
|
|
fatal("Option \"%s\" is unsupported for "
|
|
|
|
"FIDO authenticator enrollment", opts[i]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!quiet) {
|
|
|
|
printf("You may need to touch your security key "
|
|
|
|
"to authorize key generation.\n");
|
|
|
|
}
|
2020-01-02 23:40:09 +01:00
|
|
|
passphrase = NULL;
|
2019-12-30 10:24:45 +01:00
|
|
|
for (i = 0 ; i < 3; i++) {
|
|
|
|
fflush(stdout);
|
2020-01-06 03:00:46 +01:00
|
|
|
r = sshsk_enroll(type, sk_provider, sk_device,
|
|
|
|
sk_application == NULL ? "ssh:" : sk_application,
|
|
|
|
sk_user, sk_flags, passphrase, NULL,
|
|
|
|
&private, NULL);
|
2019-12-30 10:24:45 +01:00
|
|
|
if (r == 0)
|
|
|
|
break;
|
|
|
|
if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
|
|
|
|
exit(1); /* error message already printed */
|
2020-01-02 23:40:09 +01:00
|
|
|
if (passphrase != NULL)
|
|
|
|
freezero(passphrase, strlen(passphrase));
|
|
|
|
passphrase = read_passphrase("Enter PIN for security "
|
2019-12-30 10:24:45 +01:00
|
|
|
"key: ", RP_ALLOW_STDIN);
|
2019-11-25 01:57:27 +01:00
|
|
|
}
|
2020-01-02 23:40:09 +01:00
|
|
|
if (passphrase != NULL)
|
|
|
|
freezero(passphrase, strlen(passphrase));
|
2019-12-30 10:24:45 +01:00
|
|
|
if (i > 3)
|
|
|
|
fatal("Too many incorrect PINs");
|
2020-01-02 23:40:09 +01:00
|
|
|
break;
|
2019-11-12 20:33:08 +01:00
|
|
|
default:
|
|
|
|
if ((r = sshkey_generate(type, bits, &private)) != 0)
|
|
|
|
fatal("sshkey_generate failed");
|
|
|
|
break;
|
|
|
|
}
|
2015-04-17 15:19:22 +02:00
|
|
|
if ((r = sshkey_from_private(private, &public)) != 0)
|
2017-05-30 16:16:41 +02:00
|
|
|
fatal("sshkey_from_private failed: %s\n", ssh_err(r));
|
1999-11-24 14:26:21 +01:00
|
|
|
|
|
|
|
if (!have_identity)
|
|
|
|
ask_filename(pw, "Enter file in which to save the key");
|
|
|
|
|
2005-11-05 05:14:59 +01:00
|
|
|
/* Create ~/.ssh directory if it doesn't already exist. */
|
2010-05-10 03:52:00 +02:00
|
|
|
snprintf(dotsshdir, sizeof dotsshdir, "%s/%s",
|
|
|
|
pw->pw_dir, _PATH_SSH_USER_DIR);
|
|
|
|
if (strstr(identity_file, dotsshdir) != NULL) {
|
2019-06-28 15:35:04 +02:00
|
|
|
if (stat(dotsshdir, &st) == -1) {
|
2010-05-10 03:52:00 +02:00
|
|
|
if (errno != ENOENT) {
|
|
|
|
error("Could not stat %s: %s", dotsshdir,
|
|
|
|
strerror(errno));
|
2019-06-28 15:35:04 +02:00
|
|
|
} else if (mkdir(dotsshdir, 0700) == -1) {
|
2010-05-10 03:52:00 +02:00
|
|
|
error("Could not create directory '%s': %s",
|
|
|
|
dotsshdir, strerror(errno));
|
|
|
|
} else if (!quiet)
|
|
|
|
printf("Created directory '%s'.\n", dotsshdir);
|
|
|
|
}
|
1999-11-24 14:26:21 +01:00
|
|
|
}
|
|
|
|
/* If the file already exists, ask the user to confirm. */
|
2019-09-03 10:27:52 +02:00
|
|
|
if (!confirm_overwrite(identity_file))
|
|
|
|
exit(1);
|
1999-11-24 14:26:21 +01:00
|
|
|
|
2020-01-02 23:40:09 +01:00
|
|
|
/* Determine the passphrase for the private key */
|
|
|
|
passphrase = private_key_passphrase();
|
1999-11-24 14:26:21 +01:00
|
|
|
if (identity_comment) {
|
|
|
|
strlcpy(comment, identity_comment, sizeof(comment));
|
|
|
|
} else {
|
2008-11-11 06:31:43 +01:00
|
|
|
/* Create default comment field for the passphrase. */
|
1999-11-24 14:26:21 +01:00
|
|
|
snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Save the key with the given passphrase and comment. */
|
2020-01-02 23:40:09 +01:00
|
|
|
if ((r = sshkey_save_private(private, identity_file, passphrase,
|
2019-07-15 15:16:29 +02:00
|
|
|
comment, private_key_format, openssh_format_cipher, rounds)) != 0) {
|
2015-04-17 15:19:22 +02:00
|
|
|
error("Saving key \"%s\" failed: %s",
|
2015-01-15 10:40:00 +01:00
|
|
|
identity_file, ssh_err(r));
|
2020-01-02 23:40:09 +01:00
|
|
|
freezero(passphrase, strlen(passphrase));
|
1999-11-24 14:26:21 +01:00
|
|
|
exit(1);
|
|
|
|
}
|
2020-01-02 23:40:09 +01:00
|
|
|
freezero(passphrase, strlen(passphrase));
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(private);
|
1999-11-24 14:26:21 +01:00
|
|
|
|
2020-01-02 23:40:09 +01:00
|
|
|
if (!quiet) {
|
2020-01-23 08:54:04 +01:00
|
|
|
printf("Your identification has been saved in %s\n",
|
2020-01-02 23:40:09 +01:00
|
|
|
identity_file);
|
|
|
|
}
|
1999-11-24 14:26:21 +01:00
|
|
|
|
|
|
|
strlcat(identity_file, ".pub", sizeof(identity_file));
|
2020-01-02 23:40:09 +01:00
|
|
|
if ((r = sshkey_save_public(public, identity_file, comment)) != 0) {
|
2015-04-17 15:19:22 +02:00
|
|
|
fatal("Unable to save public key to %s: %s",
|
|
|
|
identity_file, strerror(errno));
|
2020-01-02 23:40:09 +01:00
|
|
|
}
|
1999-11-24 14:26:21 +01:00
|
|
|
|
|
|
|
if (!quiet) {
|
2015-01-28 23:36:00 +01:00
|
|
|
fp = sshkey_fingerprint(public, fingerprint_hash,
|
2014-12-21 23:27:55 +01:00
|
|
|
SSH_FP_DEFAULT);
|
2015-01-28 23:36:00 +01:00
|
|
|
ra = sshkey_fingerprint(public, fingerprint_hash,
|
- grunk@cvs.openbsd.org 2008/06/11 21:01:35
[ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c
sshconnect.c]
Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the
graphical hash visualization schemes known as "random art", and by
Dan Kaminsky's musings on the subject during a BlackOp talk at the
23C3 in Berlin.
Scientific publication (original paper):
"Hash Visualization: a New Technique to improve Real-World Security",
Perrig A. and Song D., 1999, International Workshop on Cryptographic
Techniques and E-Commerce (CrypTEC '99)
http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
The algorithm used here is a worm crawling over a discrete plane,
leaving a trace (augmenting the field) everywhere it goes.
Movement is taken from dgst_raw 2bit-wise. Bumping into walls
makes the respective movement vector be ignored for this turn,
thus switching to the other color of the chessboard.
Graphs are not unambiguous for now, because circles in graphs can be
walked in either direction.
discussions with several people,
help, corrections and ok markus@ djm@
2008-06-12 20:40:35 +02:00
|
|
|
SSH_FP_RANDOMART);
|
2015-01-28 23:36:00 +01:00
|
|
|
if (fp == NULL || ra == NULL)
|
|
|
|
fatal("sshkey_fingerprint failed");
|
2020-01-23 08:54:04 +01:00
|
|
|
printf("Your public key has been saved in %s\n",
|
2000-04-29 15:57:08 +02:00
|
|
|
identity_file);
|
1999-11-24 14:26:21 +01:00
|
|
|
printf("The key fingerprint is:\n");
|
2001-03-13 05:57:58 +01:00
|
|
|
printf("%s %s\n", fp, comment);
|
- grunk@cvs.openbsd.org 2008/06/11 21:01:35
[ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c
sshconnect.c]
Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the
graphical hash visualization schemes known as "random art", and by
Dan Kaminsky's musings on the subject during a BlackOp talk at the
23C3 in Berlin.
Scientific publication (original paper):
"Hash Visualization: a New Technique to improve Real-World Security",
Perrig A. and Song D., 1999, International Workshop on Cryptographic
Techniques and E-Commerce (CrypTEC '99)
http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
The algorithm used here is a worm crawling over a discrete plane,
leaving a trace (augmenting the field) everywhere it goes.
Movement is taken from dgst_raw 2bit-wise. Bumping into walls
makes the respective movement vector be ignored for this turn,
thus switching to the other color of the chessboard.
Graphs are not unambiguous for now, because circles in graphs can be
walked in either direction.
discussions with several people,
help, corrections and ok markus@ djm@
2008-06-12 20:40:35 +02:00
|
|
|
printf("The key's randomart image is:\n");
|
|
|
|
printf("%s\n", ra);
|
2013-06-01 23:31:17 +02:00
|
|
|
free(ra);
|
|
|
|
free(fp);
|
1999-10-27 05:42:43 +02:00
|
|
|
}
|
2000-04-29 15:57:08 +02:00
|
|
|
|
2015-01-15 10:40:00 +01:00
|
|
|
sshkey_free(public);
|
1999-11-24 14:26:21 +01:00
|
|
|
exit(0);
|
1999-10-27 05:42:43 +02:00
|
|
|
}
|