upstream commit

Add "ssh-keyscan -c ..." flag to allow fetching
 certificates instead of plain keys; ok markus@

Upstream-ID: 0947e2177dba92339eced9e49d3c5bf7dda69f82
djm@openbsd.org 2015-11-08 22:30:20 +00:00 committed by Damien Miller
parent 69fead5d7c
commit 3a424cdd21
2 changed files with 42 additions and 13 deletions


@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keyscan.1,v 1.36 2014/08/30 15:33:50 sobrado Exp $ .\" $OpenBSD: ssh-keyscan.1,v 1.37 2015/11/08 22:30:20 djm Exp $
.\" .\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\" .\"
@ -6,7 +6,7 @@
.\" permitted provided that due credit is given to the author and the .\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact. .\" OpenBSD project by leaving this copyright notice intact.
.\" .\"
.Dd $Mdocdate: August 30 2014 $ .Dd $Mdocdate: November 8 2015 $
.Dt SSH-KEYSCAN 1 .Dt SSH-KEYSCAN 1
.Os .Os
.Sh NAME .Sh NAME
@ -15,7 +15,7 @@
.Sh SYNOPSIS .Sh SYNOPSIS
.Nm ssh-keyscan .Nm ssh-keyscan
.Bk -words .Bk -words
.Op Fl 46Hv .Op Fl 46Hcv
.Op Fl f Ar file .Op Fl f Ar file
.Op Fl p Ar port .Op Fl p Ar port
.Op Fl T Ar timeout .Op Fl T Ar timeout
@ -54,6 +54,8 @@ to use IPv4 addresses only.
Forces Forces
.Nm .Nm
to use IPv6 addresses only. to use IPv6 addresses only.
.It Fl c
Request certificates from target hosts instead of plain keys.
.It Fl f Ar file .It Fl f Ar file
Read hosts or Read hosts or
.Dq addrlist namelist .Dq addrlist namelist


@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keyscan.c,v 1.102 2015/10/24 22:56:19 djm Exp $ */ /* $OpenBSD: ssh-keyscan.c,v 1.103 2015/11/08 22:30:20 djm Exp $ */
/* /*
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
* *
@ -60,6 +60,7 @@ int ssh_port = SSH_DEFAULT_PORT;
#define KT_ECDSA 8 #define KT_ECDSA 8
#define KT_ED25519 16 #define KT_ED25519 16
int get_cert = 0;
int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519; int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
int hash_hosts = 0; /* Hash hostname on output */ int hash_hosts = 0; /* Hash hostname on output */
@ -267,11 +268,32 @@ keygrab_ssh2(con *c)
int r; int r;
enable_compat20(); enable_compat20();
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = switch (c->c_keytype) {
c->c_keytype == KT_DSA ? "ssh-dss" : case KT_DSA:
(c->c_keytype == KT_RSA ? "ssh-rsa" : myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
(c->c_keytype == KT_ED25519 ? "ssh-ed25519" : "ssh-dss-cert-v01@openssh.com" : "ssh-dss";
"ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521")); break;
case KT_RSA:
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
"ssh-rsa-cert-v01@openssh.com" : "ssh-rsa";
break;
case KT_ED25519:
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
"ssh-ed25519-cert-v01@openssh.com" : "ssh-ed25519";
break;
case KT_ECDSA:
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
"ecdsa-sha2-nistp256-cert-v01@openssh.com,"
"ecdsa-sha2-nistp384-cert-v01@openssh.com,"
"ecdsa-sha2-nistp521-cert-v01@openssh.com" :
"ecdsa-sha2-nistp256,"
"ecdsa-sha2-nistp384,"
"ecdsa-sha2-nistp521";
break;
default:
fatal("unknown key type %d", c->c_keytype);
break;
}
if ((r = kex_setup(c->c_ssh, myproposal)) != 0) { if ((r = kex_setup(c->c_ssh, myproposal)) != 0) {
free(c->c_ssh); free(c->c_ssh);
fprintf(stderr, "kex_setup: %s\n", ssh_err(r)); fprintf(stderr, "kex_setup: %s\n", ssh_err(r));
@ -304,7 +326,8 @@ keyprint_one(char *host, struct sshkey *key)
fatal("host_hash failed"); fatal("host_hash failed");
hostport = put_host_port(host, ssh_port); hostport = put_host_port(host, ssh_port);
fprintf(stdout, "%s ", hostport); if (!get_cert)
fprintf(stdout, "%s ", hostport);
sshkey_write(key, stdout); sshkey_write(key, stdout);
fputs("\n", stdout); fputs("\n", stdout);
free(hostport); free(hostport);
@ -318,7 +341,7 @@ keyprint(con *c, struct sshkey *key)
if (key == NULL) if (key == NULL)
return; return;
if (!hash_hosts && ssh_port == SSH_DEFAULT_PORT) { if (get_cert || (!hash_hosts && ssh_port == SSH_DEFAULT_PORT)) {
keyprint_one(hosts, key); keyprint_one(hosts, key);
return; return;
} }
@ -384,6 +407,7 @@ conalloc(char *iname, char *oname, int keytype)
if (fdcon[s].c_status) if (fdcon[s].c_status)
fatal("conalloc: attempt to reuse fdno %d", s); fatal("conalloc: attempt to reuse fdno %d", s);
debug3("%s: oname %s kt %d", __func__, oname, keytype);
fdcon[s].c_fd = s; fdcon[s].c_fd = s;
fdcon[s].c_status = CS_CON; fdcon[s].c_status = CS_CON;
fdcon[s].c_namebase = namebase; fdcon[s].c_namebase = namebase;
@ -654,7 +678,7 @@ static void
usage(void) usage(void)
{ {
fprintf(stderr, fprintf(stderr,
"usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]\n" "usage: %s [-46Hcv] [-f file] [-p port] [-T timeout] [-t type]\n"
"\t\t [host | addrlist namelist] ...\n", "\t\t [host | addrlist namelist] ...\n",
__progname); __progname);
exit(1); exit(1);
@ -682,11 +706,14 @@ main(int argc, char **argv)
if (argc <= 1) if (argc <= 1)
usage(); usage();
while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) { while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
switch (opt) { switch (opt) {
case 'H': case 'H':
hash_hosts = 1; hash_hosts = 1;
break; break;
case 'c':
get_cert = 1;
break;
case 'p': case 'p':
ssh_port = a2port(optarg); ssh_port = a2port(optarg);
if (ssh_port <= 0) { if (ssh_port <= 0) {