version 1.257, 2015/01/18 21:51:19 |
version 1.268, 2015/03/31 11:06:49 |
|
|
fatal("%s: unknown key format %d", __func__, convert_format); |
fatal("%s: unknown key format %d", __func__, convert_format); |
} |
} |
|
|
if (!private) |
if (!private) { |
if ((r = sshkey_write(k, stdout)) == 0) |
if ((r = sshkey_write(k, stdout)) == 0) |
ok = 1; |
ok = 1; |
if (ok) |
if (ok) |
fprintf(stdout, "\n"); |
fprintf(stdout, "\n"); |
else { |
} else { |
switch (k->type) { |
switch (k->type) { |
case KEY_DSA: |
case KEY_DSA: |
ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, |
ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, |
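Review bot: The error code from `sshkey_write(k, stdout)` is captured in `r` but, within this hunk, never reported; when it fails `ok` simply stays 0 and the detail in `r` is lost unless a line after the hunk prints it. Adding `else error("%s: sshkey_write: %s", __func__, ssh_err(r));` after the `ok = 1;` assignment keeps the diagnostic without changing the control flow, since `ok` still drives the newline and whatever failure check follows. The `switch (k->type)` and the enclosing function both continue past the end of the hunk.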
|
|
fp = sshkey_fingerprint(keys[i], fptype, rep); |
fp = sshkey_fingerprint(keys[i], fptype, rep); |
ra = sshkey_fingerprint(keys[i], fingerprint_hash, |
ra = sshkey_fingerprint(keys[i], fingerprint_hash, |
SSH_FP_RANDOMART); |
SSH_FP_RANDOMART); |
|
if (fp == NULL || ra == NULL) |
|
fatal("%s: sshkey_fingerprint fail", __func__); |
printf("%u %s %s (PKCS11 key)\n", sshkey_size(keys[i]), |
printf("%u %s %s (PKCS11 key)\n", sshkey_size(keys[i]), |
fp, sshkey_type(keys[i])); |
fp, sshkey_type(keys[i])); |
if (log_level >= SYSLOG_LEVEL_VERBOSE) |
if (log_level >= SYSLOG_LEVEL_VERBOSE) |
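Review bot: The added `if (fp == NULL || ra == NULL) fatal(...)` check terminates the whole listing as soon as one PKCS#11 key's fingerprint cannot be computed, and since this appears to be inside a loop over `keys[i]` the remaining keys on the token are never shown; `error("%s: sshkey_fingerprint fail", __func__); continue;` would report the bad key and keep listing the rest, assuming the surrounding loop permits it. `ra` is also computed unconditionally even though it is only consumed under `log_level >= SYSLOG_LEVEL_VERBOSE`, so the randomart could be generated lazily inside that branch. The same check is added at L68/L70, L86/L88 and L362/L364 with the identical message, while the copy in main at L532/L534 uses `"sshkey_fingerprint failed"` without `__func__`; one wording across all sites would make log correlation easier. Whether the heap strings returned for `fp` and `ra` are freed is not visible in these hunks. The enclosing loop and function start and end outside the hunk.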
|
|
exit(1); |
exit(1); |
} |
} |
if ((r = sshkey_load_public(identity_file, &public, &comment)) != 0) |
if ((r = sshkey_load_public(identity_file, &public, &comment)) != 0) |
error("Error loading public key \"%s\": %s", |
debug2("Error loading public key \"%s\": %s", |
identity_file, ssh_err(r)); |
identity_file, ssh_err(r)); |
else { |
else { |
fp = sshkey_fingerprint(public, fptype, rep); |
fp = sshkey_fingerprint(public, fptype, rep); |
ra = sshkey_fingerprint(public, fingerprint_hash, |
ra = sshkey_fingerprint(public, fingerprint_hash, |
SSH_FP_RANDOMART); |
SSH_FP_RANDOMART); |
|
if (fp == NULL || ra == NULL) |
|
fatal("%s: sshkey_fingerprint fail", __func__); |
printf("%u %s %s (%s)\n", sshkey_size(public), fp, comment, |
printf("%u %s %s (%s)\n", sshkey_size(public), fp, comment, |
sshkey_type(public)); |
sshkey_type(public)); |
if (log_level >= SYSLOG_LEVEL_VERBOSE) |
if (log_level >= SYSLOG_LEVEL_VERBOSE) |
|
|
fp = sshkey_fingerprint(public, fptype, rep); |
fp = sshkey_fingerprint(public, fptype, rep); |
ra = sshkey_fingerprint(public, fingerprint_hash, |
ra = sshkey_fingerprint(public, fingerprint_hash, |
SSH_FP_RANDOMART); |
SSH_FP_RANDOMART); |
|
if (fp == NULL || ra == NULL) |
|
fatal("%s: sshkey_fingerprint fail", __func__); |
printf("%u %s %s (%s)\n", sshkey_size(public), fp, |
printf("%u %s %s (%s)\n", sshkey_size(public), fp, |
comment ? comment : "no comment", sshkey_type(public)); |
comment ? comment : "no comment", sshkey_type(public)); |
if (log_level >= SYSLOG_LEVEL_VERBOSE) |
if (log_level >= SYSLOG_LEVEL_VERBOSE) |
|
|
char *key_type_display; |
char *key_type_display; |
char *path; |
char *path; |
} key_types[] = { |
} key_types[] = { |
|
#ifdef WITH_OPENSSL |
|
#ifdef WITH_SSH1 |
{ "rsa1", "RSA1", _PATH_HOST_KEY_FILE }, |
{ "rsa1", "RSA1", _PATH_HOST_KEY_FILE }, |
|
#endif /* WITH_SSH1 */ |
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, |
{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, |
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, |
{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, |
{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, |
{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, |
|
#endif /* WITH_OPENSSL */ |
{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE }, |
{ "ed25519", "ED25519",_PATH_HOST_ED25519_KEY_FILE }, |
{ NULL, NULL, NULL } |
{ NULL, NULL, NULL } |
}; |
}; |
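Review bot: The initializer spacing in `key_types[]` is inconsistent now that rows are split across `#ifdef` blocks: `{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }` and `{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }` versus `{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }`; writing every row as `{ "rsa", "RSA", _PATH_HOST_RSA_KEY_FILE },` keeps the table readable. A short comment above the `{ NULL, NULL, NULL }` row, such as `/* sentinel: table is NULL-terminated */`, would document the termination convention the iterating code (outside this hunk) presumably relies on. The struct declaration and the loop that consumes the table lie outside the hunk.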
|
|
char *hashed, *cp, *hosts, *ohosts; |
char *hashed, *cp, *hosts, *ohosts; |
int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts); |
int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts); |
|
|
/* Retain invalid lines when hashing, but mark file as invalid. */ |
switch (l->status) { |
if (l->status == HKF_STATUS_INVALID) { |
case HKF_STATUS_OK: |
|
case HKF_STATUS_MATCHED: |
|
/* |
|
* Don't hash hosts already already hashed, with wildcard |
|
* characters or a CA/revocation marker. |
|
*/ |
|
if ((l->match & HKF_MATCH_HOST_HASHED) != 0 || |
|
has_wild || l->marker != MRK_NONE) { |
|
fprintf(ctx->out, "%s\n", l->line); |
|
if (has_wild && !find_host) { |
|
fprintf(stderr, "%s:%ld: ignoring host name " |
|
"with wildcard: %.64s\n", l->path, |
|
l->linenum, l->hosts); |
|
} |
|
return 0; |
|
} |
|
/* |
|
* Split any comma-separated hostnames from the host list, |
|
* hash and store separately. |
|
*/ |
|
ohosts = hosts = xstrdup(l->hosts); |
|
while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') { |
|
if ((hashed = host_hash(cp, NULL, 0)) == NULL) |
|
fatal("hash_host failed"); |
|
fprintf(ctx->out, "%s %s\n", hashed, l->rawkey); |
|
ctx->has_unhashed = 1; |
|
} |
|
free(ohosts); |
|
return 0; |
|
case HKF_STATUS_INVALID: |
|
/* Retain invalid lines, but mark file as invalid. */ |
ctx->invalid = 1; |
ctx->invalid = 1; |
fprintf(stderr, "%s:%ld: invalid line\n", l->path, l->linenum); |
fprintf(stderr, "%s:%ld: invalid line\n", l->path, l->linenum); |
|
/* FALLTHROUGH */ |
|
default: |
fprintf(ctx->out, "%s\n", l->line); |
fprintf(ctx->out, "%s\n", l->line); |
return 0; |
return 0; |
} |
} |
|
/* NOTREACHED */ |
/* |
return -1; |
* Don't hash hosts already already hashed, with wildcard characters |
|
* or a CA/revocation marker. |
|
*/ |
|
if (l->was_hashed || has_wild || l->marker != MRK_NONE) { |
|
fprintf(ctx->out, "%s\n", l->line); |
|
if (has_wild && !find_host) { |
|
fprintf(stderr, "%s:%ld: ignoring host name " |
|
"with wildcard: %.64s\n", l->path, |
|
l->linenum, l->hosts); |
|
} |
|
return 0; |
|
} |
|
/* |
|
* Split any comma-separated hostnames from the host list, |
|
* hash and store separately. |
|
*/ |
|
ohosts = hosts = xstrdup(l->hosts); |
|
while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') { |
|
if ((hashed = host_hash(cp, NULL, 0)) == NULL) |
|
fatal("hash_host failed"); |
|
fprintf(ctx->out, "%s %s\n", hashed, l->rawkey); |
|
ctx->has_unhashed = 1; |
|
} |
|
free(ohosts); |
|
return 0; |
|
} |
} |
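Review bot: The failure message `fatal("hash_host failed")` in the new switch body names a function that is not what is called; the call on the preceding line is `host_hash(cp, NULL, 0)`, so a reader grepping for the message will not find the call site, and `fatal("%s: host_hash failed", __func__);` matches the convention used by the other `fatal` calls in this file. The `HKF_STATUS_OK`/`HKF_STATUS_MATCHED` path also passes `l->hosts` straight to `xstrdup()` while the `has_wild` computation above guards it with `l->hosts &&`; either the guard is redundant because hostfile guarantees `hosts` for these statuses, or the `xstrdup` needs the same guard — worth confirming against hostfile.c, which is outside this page. The comment at L142 reads `already already hashed`; `Don't hash hosts that are already hashed, contain wildcard` fixes the duplication. The function's signature line is outside the hunk.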
|
|
static int |
static int |
|
|
{ |
{ |
struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx; |
struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx; |
|
|
if (l->status == HKF_STATUS_HOST_MATCHED) { |
if (l->status == HKF_STATUS_MATCHED) { |
if (delete_host) { |
if (delete_host) { |
if (l->marker != MRK_NONE) { |
if (l->marker != MRK_NONE) { |
/* Don't remove CA and revocation lines */ |
/* Don't remove CA and revocation lines */ |
|
|
static void |
static void |
do_known_hosts(struct passwd *pw, const char *name) |
do_known_hosts(struct passwd *pw, const char *name) |
{ |
{ |
char *cp, tmp[MAXPATHLEN], old[MAXPATHLEN]; |
char *cp, tmp[PATH_MAX], old[PATH_MAX]; |
int r, fd, oerrno, inplace = 0; |
int r, fd, oerrno, inplace = 0; |
struct known_hosts_ctx ctx; |
struct known_hosts_ctx ctx; |
|
|
|
|
/* XXX support identity_file == "-" for stdin */ |
/* XXX support identity_file == "-" for stdin */ |
if ((r = hostkeys_foreach(identity_file, |
if ((r = hostkeys_foreach(identity_file, |
hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx, |
hash_hosts ? known_hosts_hash : known_hosts_find_delete, &ctx, |
name, find_host ? HKF_WANT_MATCH_HOST : 0)) != 0) |
name, NULL, find_host ? HKF_WANT_MATCH : 0)) != 0) |
fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r)); |
fatal("%s: hostkeys_foreach failed: %s", __func__, ssh_err(r)); |
|
|
if (inplace) |
if (inplace) |
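Review bot: When `inplace` is set, a non-zero return from `hostkeys_foreach()` reaches `fatal("%s: hostkeys_foreach failed: %s", ...)` and the process exits without removing the temporary file named by `tmp`, assuming the collapsed lines between the declarations and this call are where `tmp` is created and `inplace` set; a partially written copy of known_hosts would then be left beside the real one. Wrapping the failure as `if (inplace) unlink(tmp);` before the `fatal` keeps the temp file from surviving the error. Initialization of `ctx` is not visible in this hunk either, and `known_hosts_hash`/`known_hosts_find_delete` read `ctx->out`, `ctx->invalid` and `ctx->has_unhashed`, so it should be confirmed that `ctx` is zeroed before the callback runs. do_known_hosts continues past the end of the hunk.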
|
|
identity_file, ssh_err(r)); |
identity_file, ssh_err(r)); |
exit(1); |
exit(1); |
} |
} |
printf("Key has comment '%s'\n", comment); |
if (comment) |
|
printf("Key has comment '%s'\n", comment); |
|
|
/* Ask the new passphrase (twice). */ |
/* Ask the new passphrase (twice). */ |
if (identity_new_passphrase) { |
if (identity_new_passphrase) { |
|
|
} |
} |
if (private->type != KEY_RSA1) { |
if (private->type != KEY_RSA1) { |
fprintf(stderr, "Comments are only supported for RSA1 keys.\n"); |
fprintf(stderr, "Comments are only supported for RSA1 keys.\n"); |
|
explicit_bzero(passphrase, strlen(passphrase)); |
sshkey_free(private); |
sshkey_free(private); |
exit(1); |
exit(1); |
} |
} |
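Review bot: The new `explicit_bzero(passphrase, strlen(passphrase))` covers only the KEY_RSA1 rejection path; the `exit(1)` at L323/L324 follows an error whose preceding lines are outside the hunk, so if `passphrase` has already been obtained at that point it leaves the process with the secret still in memory, and the same treatment should apply there. `strlen(passphrase)` also assumes `passphrase` is non-NULL on this path, which the hunk does not show; if any branch can reach here with `passphrase == NULL`, guard it as `if (passphrase != NULL) explicit_bzero(passphrase, strlen(passphrase));`. The function's earlier passphrase handling and its end lie outside the hunk.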
|
|
key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); |
key_fp = sshkey_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); |
ca_fp = sshkey_fingerprint(key->cert->signature_key, |
ca_fp = sshkey_fingerprint(key->cert->signature_key, |
fingerprint_hash, SSH_FP_DEFAULT); |
fingerprint_hash, SSH_FP_DEFAULT); |
|
if (key_fp == NULL || ca_fp == NULL) |
|
fatal("%s: sshkey_fingerprint fail", __func__); |
|
|
printf("%s:\n", identity_file); |
printf("%s:\n", identity_file); |
printf(" Type: %s %s certificate\n", sshkey_ssh_name(key), |
printf(" Type: %s %s certificate\n", sshkey_ssh_name(key), |
|
|
} |
} |
|
|
static void |
static void |
update_krl_from_file(struct passwd *pw, const char *file, |
update_krl_from_file(struct passwd *pw, const char *file, int wild_ca, |
const struct sshkey *ca, struct ssh_krl *krl) |
const struct sshkey *ca, struct ssh_krl *krl) |
{ |
{ |
struct sshkey *key = NULL; |
struct sshkey *key = NULL; |
|
|
if (*cp == '\0') |
if (*cp == '\0') |
continue; |
continue; |
if (strncasecmp(cp, "serial:", 7) == 0) { |
if (strncasecmp(cp, "serial:", 7) == 0) { |
if (ca == NULL) { |
if (ca == NULL && !wild_ca) { |
fatal("revoking certificates by serial number " |
fatal("revoking certificates by serial number " |
"requires specification of a CA key"); |
"requires specification of a CA key"); |
} |
} |
|
|
__func__); |
__func__); |
} |
} |
} else if (strncasecmp(cp, "id:", 3) == 0) { |
} else if (strncasecmp(cp, "id:", 3) == 0) { |
if (ca == NULL) { |
if (ca == NULL && !wild_ca) { |
fatal("revoking certificates by key ID " |
fatal("revoking certificates by key ID " |
"requires specification of a CA key"); |
"requires specification of a CA key"); |
} |
} |
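Review bot: `update_krl_from_file` gains a `wild_ca` parameter that changes the meaning of `serial:` and `id:` revocations — they are now accepted with `ca == NULL` — but neither the function nor the parameter is documented, and this is a security-relevant distinction because a serial or key-ID revocation not bound to a CA presumably matches certificates from any issuer. A header comment along the lines of `/* Read revocation specs from file into krl. wild_ca: serial:/id: entries are accepted without a CA key (ca_key_path "none") and are not bound to a specific issuer. */` above the definition would make that explicit; the caller side in do_gen_krl at L444–L446 (`strcasecmp(ca_key_path, "none") == 0` → `wild_ca = 1`) would benefit from a one-line comment stating the same. Note that the `"none"` comparison is case-insensitive, so a CA key file literally named `none` (in any case) can no longer be passed by that name. The body of update_krl_from_file continues outside the hunk.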
|
|
struct ssh_krl *krl; |
struct ssh_krl *krl; |
struct stat sb; |
struct stat sb; |
struct sshkey *ca = NULL; |
struct sshkey *ca = NULL; |
int fd, i, r; |
int fd, i, r, wild_ca = 0; |
char *tmp; |
char *tmp; |
struct sshbuf *kbuf; |
struct sshbuf *kbuf; |
|
|
|
|
fatal("KRL \"%s\" does not exist", identity_file); |
fatal("KRL \"%s\" does not exist", identity_file); |
} |
} |
if (ca_key_path != NULL) { |
if (ca_key_path != NULL) { |
tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); |
if (strcasecmp(ca_key_path, "none") == 0) |
if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0) |
wild_ca = 1; |
fatal("Cannot load CA public key %s: %s", |
else { |
tmp, ssh_err(r)); |
tmp = tilde_expand_filename(ca_key_path, pw->pw_uid); |
free(tmp); |
if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0) |
|
fatal("Cannot load CA public key %s: %s", |
|
tmp, ssh_err(r)); |
|
free(tmp); |
|
} |
} |
} |
|
|
if (updating) |
if (updating) |
|
|
ssh_krl_set_comment(krl, identity_comment); |
ssh_krl_set_comment(krl, identity_comment); |
|
|
for (i = 0; i < argc; i++) |
for (i = 0; i < argc; i++) |
update_krl_from_file(pw, argv[i], ca, krl); |
update_krl_from_file(pw, argv[i], wild_ca, ca, krl); |
|
|
if ((kbuf = sshbuf_new()) == NULL) |
if ((kbuf = sshbuf_new()) == NULL) |
fatal("sshbuf_new failed"); |
fatal("sshbuf_new failed"); |
|
|
" ssh-keygen -e [-m key_format] [-f input_keyfile]\n" |
" ssh-keygen -e [-m key_format] [-f input_keyfile]\n" |
" ssh-keygen -y [-f input_keyfile]\n" |
" ssh-keygen -y [-f input_keyfile]\n" |
" ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n" |
" ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n" |
" ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n" |
" ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]\n" |
" ssh-keygen -B [-f input_keyfile]\n"); |
" ssh-keygen -B [-f input_keyfile]\n"); |
#ifdef ENABLE_PKCS11 |
#ifdef ENABLE_PKCS11 |
fprintf(stderr, |
fprintf(stderr, |
|
|
{ |
{ |
char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2; |
char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2; |
char *checkpoint = NULL; |
char *checkpoint = NULL; |
char out_file[PATH_MAX], *rr_hostname = NULL, *ep; |
char out_file[PATH_MAX], *rr_hostname = NULL, *ep, *fp, *ra; |
struct sshkey *private, *public; |
struct sshkey *private, *public; |
struct passwd *pw; |
struct passwd *pw; |
struct stat st; |
struct stat st; |
|
|
fclose(f); |
fclose(f); |
|
|
if (!quiet) { |
if (!quiet) { |
char *fp = sshkey_fingerprint(public, fingerprint_hash, |
fp = sshkey_fingerprint(public, fingerprint_hash, |
SSH_FP_DEFAULT); |
SSH_FP_DEFAULT); |
char *ra = sshkey_fingerprint(public, fingerprint_hash, |
ra = sshkey_fingerprint(public, fingerprint_hash, |
SSH_FP_RANDOMART); |
SSH_FP_RANDOMART); |
|
if (fp == NULL || ra == NULL) |
|
fatal("sshkey_fingerprint failed"); |
printf("Your public key has been saved in %s.\n", |
printf("Your public key has been saved in %s.\n", |
identity_file); |
identity_file); |
printf("The key fingerprint is:\n"); |
printf("The key fingerprint is:\n"); |