upstream commit
Add "ssh-keyscan -c ..." flag to allow fetching certificates instead of plain keys; ok markus@ Upstream-ID: 0947e2177dba92339eced9e49d3c5bf7dda69f82
parent
69fead5d7c
commit
3a424cdd21
|
@ -1,4 +1,4 @@
|
||||||
.\" $OpenBSD: ssh-keyscan.1,v 1.36 2014/08/30 15:33:50 sobrado Exp $
|
.\" $OpenBSD: ssh-keyscan.1,v 1.37 2015/11/08 22:30:20 djm Exp $
|
||||||
.\"
|
.\"
|
||||||
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
|
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
|
||||||
.\"
|
.\"
|
||||||
|
@ -6,7 +6,7 @@
|
||||||
.\" permitted provided that due credit is given to the author and the
|
.\" permitted provided that due credit is given to the author and the
|
||||||
.\" OpenBSD project by leaving this copyright notice intact.
|
.\" OpenBSD project by leaving this copyright notice intact.
|
||||||
.\"
|
.\"
|
||||||
.Dd $Mdocdate: August 30 2014 $
|
.Dd $Mdocdate: November 8 2015 $
|
||||||
.Dt SSH-KEYSCAN 1
|
.Dt SSH-KEYSCAN 1
|
||||||
.Os
|
.Os
|
||||||
.Sh NAME
|
.Sh NAME
|
||||||
|
@ -15,7 +15,7 @@
|
||||||
.Sh SYNOPSIS
|
.Sh SYNOPSIS
|
||||||
.Nm ssh-keyscan
|
.Nm ssh-keyscan
|
||||||
.Bk -words
|
.Bk -words
|
||||||
.Op Fl 46Hv
|
.Op Fl 46Hcv
|
||||||
.Op Fl f Ar file
|
.Op Fl f Ar file
|
||||||
.Op Fl p Ar port
|
.Op Fl p Ar port
|
||||||
.Op Fl T Ar timeout
|
.Op Fl T Ar timeout
|
||||||
|
@ -54,6 +54,8 @@ to use IPv4 addresses only.
|
||||||
Forces
|
Forces
|
||||||
.Nm
|
.Nm
|
||||||
to use IPv6 addresses only.
|
to use IPv6 addresses only.
|
||||||
|
.It Fl c
|
||||||
|
Request certificates from target hosts instead of plain keys.
|
||||||
.It Fl f Ar file
|
.It Fl f Ar file
|
||||||
Read hosts or
|
Read hosts or
|
||||||
.Dq addrlist namelist
|
.Dq addrlist namelist
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* $OpenBSD: ssh-keyscan.c,v 1.102 2015/10/24 22:56:19 djm Exp $ */
|
/* $OpenBSD: ssh-keyscan.c,v 1.103 2015/11/08 22:30:20 djm Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
|
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
|
||||||
*
|
*
|
||||||
|
@ -60,6 +60,7 @@ int ssh_port = SSH_DEFAULT_PORT;
|
||||||
#define KT_ECDSA 8
|
#define KT_ECDSA 8
|
||||||
#define KT_ED25519 16
|
#define KT_ED25519 16
|
||||||
|
|
||||||
|
int get_cert = 0;
|
||||||
int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
|
int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
|
||||||
|
|
||||||
int hash_hosts = 0; /* Hash hostname on output */
|
int hash_hosts = 0; /* Hash hostname on output */
|
||||||
|
@ -267,11 +268,32 @@ keygrab_ssh2(con *c)
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
enable_compat20();
|
enable_compat20();
|
||||||
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
|
switch (c->c_keytype) {
|
||||||
c->c_keytype == KT_DSA ? "ssh-dss" :
|
case KT_DSA:
|
||||||
(c->c_keytype == KT_RSA ? "ssh-rsa" :
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
|
||||||
(c->c_keytype == KT_ED25519 ? "ssh-ed25519" :
|
"ssh-dss-cert-v01@openssh.com" : "ssh-dss";
|
||||||
"ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"));
|
break;
|
||||||
|
case KT_RSA:
|
||||||
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
|
||||||
|
"ssh-rsa-cert-v01@openssh.com" : "ssh-rsa";
|
||||||
|
break;
|
||||||
|
case KT_ED25519:
|
||||||
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
|
||||||
|
"ssh-ed25519-cert-v01@openssh.com" : "ssh-ed25519";
|
||||||
|
break;
|
||||||
|
case KT_ECDSA:
|
||||||
|
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
|
||||||
|
"ecdsa-sha2-nistp256-cert-v01@openssh.com,"
|
||||||
|
"ecdsa-sha2-nistp384-cert-v01@openssh.com,"
|
||||||
|
"ecdsa-sha2-nistp521-cert-v01@openssh.com" :
|
||||||
|
"ecdsa-sha2-nistp256,"
|
||||||
|
"ecdsa-sha2-nistp384,"
|
||||||
|
"ecdsa-sha2-nistp521";
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
fatal("unknown key type %d", c->c_keytype);
|
||||||
|
break;
|
||||||
|
}
|
||||||
if ((r = kex_setup(c->c_ssh, myproposal)) != 0) {
|
if ((r = kex_setup(c->c_ssh, myproposal)) != 0) {
|
||||||
free(c->c_ssh);
|
free(c->c_ssh);
|
||||||
fprintf(stderr, "kex_setup: %s\n", ssh_err(r));
|
fprintf(stderr, "kex_setup: %s\n", ssh_err(r));
|
||||||
|
@ -304,6 +326,7 @@ keyprint_one(char *host, struct sshkey *key)
|
||||||
fatal("host_hash failed");
|
fatal("host_hash failed");
|
||||||
|
|
||||||
hostport = put_host_port(host, ssh_port);
|
hostport = put_host_port(host, ssh_port);
|
||||||
|
if (!get_cert)
|
||||||
fprintf(stdout, "%s ", hostport);
|
fprintf(stdout, "%s ", hostport);
|
||||||
sshkey_write(key, stdout);
|
sshkey_write(key, stdout);
|
||||||
fputs("\n", stdout);
|
fputs("\n", stdout);
|
||||||
|
@ -318,7 +341,7 @@ keyprint(con *c, struct sshkey *key)
|
||||||
|
|
||||||
if (key == NULL)
|
if (key == NULL)
|
||||||
return;
|
return;
|
||||||
if (!hash_hosts && ssh_port == SSH_DEFAULT_PORT) {
|
if (get_cert || (!hash_hosts && ssh_port == SSH_DEFAULT_PORT)) {
|
||||||
keyprint_one(hosts, key);
|
keyprint_one(hosts, key);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -384,6 +407,7 @@ conalloc(char *iname, char *oname, int keytype)
|
||||||
if (fdcon[s].c_status)
|
if (fdcon[s].c_status)
|
||||||
fatal("conalloc: attempt to reuse fdno %d", s);
|
fatal("conalloc: attempt to reuse fdno %d", s);
|
||||||
|
|
||||||
|
debug3("%s: oname %s kt %d", __func__, oname, keytype);
|
||||||
fdcon[s].c_fd = s;
|
fdcon[s].c_fd = s;
|
||||||
fdcon[s].c_status = CS_CON;
|
fdcon[s].c_status = CS_CON;
|
||||||
fdcon[s].c_namebase = namebase;
|
fdcon[s].c_namebase = namebase;
|
||||||
|
@ -654,7 +678,7 @@ static void
|
||||||
usage(void)
|
usage(void)
|
||||||
{
|
{
|
||||||
fprintf(stderr,
|
fprintf(stderr,
|
||||||
"usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]\n"
|
"usage: %s [-46Hcv] [-f file] [-p port] [-T timeout] [-t type]\n"
|
||||||
"\t\t [host | addrlist namelist] ...\n",
|
"\t\t [host | addrlist namelist] ...\n",
|
||||||
__progname);
|
__progname);
|
||||||
exit(1);
|
exit(1);
|
||||||
|
@ -682,11 +706,14 @@ main(int argc, char **argv)
|
||||||
if (argc <= 1)
|
if (argc <= 1)
|
||||||
usage();
|
usage();
|
||||||
|
|
||||||
while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) {
|
while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
|
||||||
switch (opt) {
|
switch (opt) {
|
||||||
case 'H':
|
case 'H':
|
||||||
hash_hosts = 1;
|
hash_hosts = 1;
|
||||||
break;
|
break;
|
||||||
|
case 'c':
|
||||||
|
get_cert = 1;
|
||||||
|
break;
|
||||||
case 'p':
|
case 'p':
|
||||||
ssh_port = a2port(optarg);
|
ssh_port = a2port(optarg);
|
||||||
if (ssh_port <= 0) {
|
if (ssh_port <= 0) {
|
||||||
|
|
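Review bot: In keyprint_one, the new `if (!get_cert)` only skips the printing of hostport; put_host_port is still called for the unused string, and the host_hash path above it (visible via the `fatal("host_hash failed")` context line) presumably still runs when -H is given, so -c silently ignores -H and does avoidable work. The keyprint change (`get_cert || (!hash_hosts && ...)`) means certificate lines carry no host prefix at all, so output from a multi-host scan is not attributable per line; if that is intended, a comment on the new line such as `/* certificates are not known_hosts entries: print bare, -H does not apply */` would make it explicit, and the usage/man text could say the same. keyprint_one's body begins outside the hunk. Separately, in the keygrab_ssh2 hunk the `break;` after `fatal(...)` in the `default:` case is unreachable and can be dropped.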