diff --git a/ChangeLog b/ChangeLog index 583f88f22..1ff341719 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,10 @@ [auth-options.c key.c] remove explict search for \0 in packet strings, this job is now done implicitly by buffer_get_cstring; ok markus + - djm@cvs.openbsd.org 2011/10/18 05:00:48 + [ssh-add.1 ssh-add.c] + new "ssh-add -k" option to load plain keys (skipping certificates); + "looks ok" markus@ 20111001 - (dtucker) [openbsd-compat/mktemp.c] Fix compiler warning. ok djm diff --git a/ssh-add.1 b/ssh-add.1 index fd48ff98f..aec620dea 100644 --- a/ssh-add.1 +++ b/ssh-add.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.55 2010/10/28 18:33:28 jmc Exp $ +.\" $OpenBSD: ssh-add.1,v 1.56 2011/10/18 05:00:48 djm Exp $ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: October 28 2010 $ +.Dd $Mdocdate: October 18 2011 $ .Dt SSH-ADD 1 .Os .Sh NAME @@ -43,7 +43,7 @@ .Nd adds private key identities to the authentication agent .Sh SYNOPSIS .Nm ssh-add -.Op Fl cDdLlXx +.Op Fl cDdkLlXx .Op Fl t Ar life .Op Ar .Nm ssh-add @@ -110,6 +110,9 @@ and retry. .It Fl e Ar pkcs11 Remove keys provided by the PKCS#11 shared library .Ar pkcs11 . +.It Fl k +When loading keys into the agent, load plain private keys only and skip +certificates. .It Fl L Lists public key parameters of all identities currently represented by the agent. diff --git a/ssh-add.c b/ssh-add.c index 6d5e2a957..ea7619e6a 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-add.c,v 1.101 2011/05/04 21:15:29 djm Exp $ */ +/* $OpenBSD: ssh-add.c,v 1.102 2011/10/18 05:00:48 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -139,11 +139,11 @@ delete_all(AuthenticationConnection *ac) } static int -add_file(AuthenticationConnection *ac, const char *filename) +add_file(AuthenticationConnection *ac, const char *filename, int key_only) { Key *private, *cert; char *comment = NULL; - char msg[1024], *certpath; + char msg[1024], *certpath = NULL; int fd, perms_ok, ret = -1; Buffer keyblob; @@ -219,6 +219,9 @@ add_file(AuthenticationConnection *ac, const char *filename) fprintf(stderr, "Could not add identity: %s\n", filename); } + /* Skip trying to load the cert if requested */ + if (key_only) + goto out; /* Now try to add the certificate flavour too */ xasprintf(&certpath, "%s-cert.pub", filename); @@ -253,7 +256,8 @@ add_file(AuthenticationConnection *ac, const char *filename) if (confirm != 0) fprintf(stderr, "The user must confirm each use of the key\n"); out: - xfree(certpath); + if (certpath != NULL) + xfree(certpath); xfree(comment); key_free(private); @@ -347,13 +351,13 @@ lock_agent(AuthenticationConnection *ac, int lock) } static int -do_file(AuthenticationConnection *ac, int deleting, char *file) +do_file(AuthenticationConnection *ac, int deleting, int key_only, char *file) { if (deleting) { if (delete_file(ac, file) == -1) return -1; } else { - if (add_file(ac, file) == -1) + if (add_file(ac, file, key_only) == -1) return -1; } return 0; @@ -383,7 +387,7 @@ main(int argc, char **argv) extern int optind; AuthenticationConnection *ac = NULL; char *pkcs11provider = NULL; - int i, ch, deleting = 0, ret = 0; + int i, ch, deleting = 0, ret = 0, key_only = 0; /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); @@ -400,8 +404,11 @@ main(int argc, char **argv) "Could not open a connection to your authentication agent.\n"); exit(2); } - while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) { + while ((ch = getopt(argc, argv, "klLcdDxXe:s:t:")) != -1) { switch (ch) { + case 'k': + key_only = 1; + break; case 'l': case 'L': if (list_identities(ac, ch == 'l' ? 1 : 0) == -1) @@ -467,7 +474,7 @@ main(int argc, char **argv) default_files[i]); if (stat(buf, &st) < 0) continue; - if (do_file(ac, deleting, buf) == -1) + if (do_file(ac, deleting, key_only, buf) == -1) ret = 1; else count++; @@ -476,7 +483,7 @@ main(int argc, char **argv) ret = 1; } else { for (i = 0; i < argc; i++) { - if (do_file(ac, deleting, argv[i]) == -1) + if (do_file(ac, deleting, key_only, argv[i]) == -1) ret = 1; } }