src/usr.bin/ssh/ssh-keygen.c - diff

Return to ssh-keygen.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/ssh-keygen.c between version 1.288 and 1.309

version 1.288, 2016/02/15 09:47:49

version 1.309, 2017/12/18 02:25:15

Line 28

#include <string.h>

#include <unistd.h>

#include <limits.h>

#include <locale.h>

#include "xmalloc.h"

#include "sshkey.h"

#include "rsa.h"

#include "authfile.h"

#include "uuencode.h"

#include "sshbuf.h"

Line 47

#include "atomicio.h"

#include "krl.h"

#include "digest.h"

#include "utf8.h"

#include "authfd.h"

#ifdef ENABLE_PKCS11

#include "ssh-pkcs11.h"

Line 113

Line 115

/* Path to CA key when certifying keys. */

char *ca_key_path = NULL;

/* Prefer to use agent keys for CA signing */

int prefer_agent = 0;

/* Certificate serial number */

unsigned long long cert_serial = 0;

Line 141

Line 146

char *certflags_command = NULL;

char *certflags_src_addr = NULL;

/* Arbitrary extensions specified by user */

struct cert_userext {

char *key;

char *val;

int crit;

};

struct cert_userext *cert_userext;

size_t ncert_userext;

/* Conversion to/from various formats */

int convert_to = 0;

int convert_from = 0;

Line 200

Line 214

*bitsp = sshkey_curve_nid_to_bits(nid);

if (*bitsp == 0)

*bitsp = DEFAULT_BITS_ECDSA;

}

} else

else

#endif

*bitsp = DEFAULT_BITS;

}

Line 210

Line 223

OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;

if (*bitsp > maxbits)

fatal("key bits exceeds maximum %d", maxbits);

if (type == KEY_DSA && *bitsp != 1024)

switch (type) {

fatal("DSA keys must be 1024 bits");

case KEY_DSA:

else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 1024)

if (*bitsp != 1024)

fatal("Key must at least be 1024 bits");

fatal("Invalid DSA key length: must be 1024 bits");

else if (type == KEY_ECDSA && sshkey_ecdsa_bits_to_nid(*bitsp) == -1)

break;

fatal("Invalid ECDSA key length - valid lengths are "

case KEY_RSA:

"256, 384 or 521 bits");

if (*bitsp < SSH_RSA_MINIMUM_MODULUS_SIZE)

fatal("Invalid RSA key length: minimum is %d bits",

SSH_RSA_MINIMUM_MODULUS_SIZE);

break;

case KEY_ECDSA:

if (sshkey_ecdsa_bits_to_nid(*bitsp) == -1)

fatal("Invalid ECDSA key length: valid lengths are "

"256, 384 or 521 bits");

}

#endif

}

Line 230

Line 251

name = _PATH_SSH_CLIENT_ID_RSA;

else {

switch (sshkey_type_from_name(key_type_name)) {

case KEY_RSA1:

name = _PATH_SSH_CLIENT_IDENTITY;

break;

case KEY_DSA_CERT:

case KEY_DSA:

name = _PATH_SSH_CLIENT_ID_DSA;

Line 302

Line 320

char comment[61];

int r;

if (k->type == KEY_RSA1)

fatal("version 1 keys are not supported");

if ((r = sshkey_to_blob(k, &blob, &len)) != 0)

fatal("key_to_blob failed: %s", ssh_err(r));

/* Comment + surrounds must fit into 72 chars (RFC 4716 sec 3.3) */

Line 325

Line 341

do_convert_to_pkcs8(struct sshkey *k)

{

switch (sshkey_type_plain(k->type)) {

case KEY_RSA1:

case KEY_RSA:

if (!PEM_write_RSA_PUBKEY(stdout, k->rsa))

fatal("PEM_write_RSA_PUBKEY failed");

Line 348

Line 363

do_convert_to_pem(struct sshkey *k)

{

switch (sshkey_type_plain(k->type)) {

case KEY_RSA1:

case KEY_RSA:

if (!PEM_write_RSAPublicKey(stdout, k->rsa))

fatal("PEM_write_RSAPublicKey failed");

Line 467

Line 481

return NULL;

}

if ((key = sshkey_new_private(ktype)) == NULL)

fatal("key_new_private failed");

fatal("sshkey_new_private failed");

free(type);

switch (key->type) {

Line 503

Line 517

buffer_get_bignum_bits(b, key->rsa->iqmp);

buffer_get_bignum_bits(b, key->rsa->q);

buffer_get_bignum_bits(b, key->rsa->p);

if ((r = rsa_generate_additional_parameters(key->rsa)) != 0)

if ((r = ssh_rsa_generate_additional_parameters(key)) != 0)

fatal("generate RSA parameters failed: %s", ssh_err(r));

break;

}

Line 515

Line 529

/* try the key */

if (sshkey_sign(key, &sig, &slen, data, sizeof(data), NULL, 0) != 0 ||

sshkey_verify(key, sig, slen, data, sizeof(data), 0) != 0) {

sshkey_verify(key, sig, slen, data, sizeof(data), NULL, 0) != 0) {

sshkey_free(key);

free(sig);

return NULL;

Line 745

Line 759

fatal("%s: %s", identity_file, strerror(errno));

prv = load_identity(identity_file);

if ((r = sshkey_write(prv, stdout)) != 0)

error("key_write failed: %s", ssh_err(r));

error("sshkey_write failed: %s", ssh_err(r));

sshkey_free(prv);

fprintf(stdout, "\n");

exit(0);

Line 801

Line 815

struct sshkey *ret;

int r;

if ((ret = sshkey_new(KEY_RSA1)) == NULL)

fatal("sshkey_new failed");

/* Try RSA1 */

if ((r = sshkey_read(ret, cpp)) == 0)

return ret;

/* Try modern */

sshkey_free(ret);

if ((ret = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("sshkey_new failed");

if ((r = sshkey_read(ret, cpp)) == 0)

Line 830

Line 837

ra = sshkey_fingerprint(public, fingerprint_hash, SSH_FP_RANDOMART);

if (fp == NULL || ra == NULL)

fatal("%s: sshkey_fingerprint failed", __func__);

printf("%u %s %s (%s)\n", sshkey_size(public), fp,

mprintf("%u %s %s (%s)\n", sshkey_size(public), fp,

comment ? comment : "no comment", sshkey_type(public));

if (log_level >= SYSLOG_LEVEL_VERBOSE)

printf("%s\n", ra);

Line 870

Line 877

char *comment = NULL, *cp, *ep, line[SSH_MAX_PUBKEY_BYTES];

int i, invalid = 1;

const char *path;

long int lnum = 0;

u_long lnum = 0;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

Line 933

Line 940

}

/* Retry after parsing leading hostname/key options */

if (public == NULL && (public = try_read_key(&cp)) == NULL) {

debug("%s:%ld: not a public key", path, lnum);

debug("%s:%lu: not a public key", path, lnum);

continue;

}

Line 963

Line 970

char *path;

} key_types[] = {

#ifdef WITH_OPENSSL

#ifdef WITH_SSH1

{ "rsa1", "RSA1", _PATH_HOST_KEY_FILE },

#endif /* WITH_SSH1 */

{ "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE },

{ "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE },

{ "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE },

Line 977

Line 981

int first = 0;

struct stat st;

struct sshkey *private, *public;

char comment[1024];

char comment[1024], *prv_tmp, *pub_tmp, *prv_file, *pub_file;

int i, type, fd, r;

FILE *f;

for (i = 0; key_types[i].key_type; i++) {

if (stat(key_types[i].path, &st) == 0)

public = private = NULL;

continue;

prv_tmp = pub_tmp = prv_file = pub_file = NULL;

if (errno != ENOENT) {

xasprintf(&prv_file, "%s%s",

identity_file, key_types[i].path);

/* Check whether private key exists and is not zero-length */

if (stat(prv_file, &st) == 0) {

if (st.st_size != 0)

goto next;

} else if (errno != ENOENT) {

error("Could not stat %s: %s", key_types[i].path,

strerror(errno));

first = 0;

goto failnext;

continue;

}

* Private key doesn't exist or is invalid; proceed with

* key generation.

xasprintf(&prv_tmp, "%s%s.XXXXXXXXXX",

identity_file, key_types[i].path);

xasprintf(&pub_tmp, "%s%s.pub.XXXXXXXXXX",

identity_file, key_types[i].path);

xasprintf(&pub_file, "%s%s.pub",

identity_file, key_types[i].path);

if (first == 0) {

first = 1;

printf("%s: generating new host keys: ", __progname);

Line 998

Line 1020

printf("%s ", key_types[i].key_type_display);

fflush(stdout);

type = sshkey_type_from_name(key_types[i].key_type);

strlcpy(identity_file, key_types[i].path, sizeof(identity_file));

if ((fd = mkstemp(prv_tmp)) == -1) {

error("Could not save your public key in %s: %s",

prv_tmp, strerror(errno));

goto failnext;

}

close(fd); /* just using mkstemp() to generate/reserve a name */

bits = 0;

type_bits_valid(type, NULL, &bits);

if ((r = sshkey_generate(type, bits, &private)) != 0) {

error("key_generate failed: %s", ssh_err(r));

error("sshkey_generate failed: %s", ssh_err(r));

first = 0;

goto failnext;

continue;

}

if ((r = sshkey_from_private(private, &public)) != 0)

fatal("sshkey_from_private failed: %s", ssh_err(r));

snprintf(comment, sizeof comment, "%s@%s", pw->pw_name,

hostname);

if ((r = sshkey_save_private(private, identity_file, "",

if ((r = sshkey_save_private(private, prv_tmp, "",

comment, use_new_format, new_format_cipher, rounds)) != 0) {

error("Saving key \"%s\" failed: %s",

identity_file, ssh_err(r));

prv_tmp, ssh_err(r));

sshkey_free(private);

goto failnext;

sshkey_free(public);

first = 0;

continue;

}

sshkey_free(private);

if ((fd = mkstemp(pub_tmp)) == -1) {

strlcat(identity_file, ".pub", sizeof(identity_file));

error("Could not save your public key in %s: %s",

fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);

pub_tmp, strerror(errno));

if (fd == -1) {

goto failnext;

error("Could not save your public key in %s",

identity_file);

sshkey_free(public);

first = 0;

continue;

}

(void)fchmod(fd, 0644);

f = fdopen(fd, "w");

if (f == NULL) {

error("fdopen %s failed", identity_file);

error("fdopen %s failed: %s", pub_tmp, strerror(errno));

close(fd);

sshkey_free(public);

goto failnext;

first = 0;

continue;

}

if ((r = sshkey_write(public, f)) != 0) {

error("write key failed: %s", ssh_err(r));

fclose(f);

sshkey_free(public);

goto failnext;

first = 0;

continue;

}

fprintf(f, " %s\n", comment);

fclose(f);

if (ferror(f) != 0) {

sshkey_free(public);

error("write key failed: %s", strerror(errno));

fclose(f);

goto failnext;

}

if (fclose(f) != 0) {

error("key close failed: %s", strerror(errno));

goto failnext;

}

/* Rename temporary files to their permanent locations. */

if (rename(pub_tmp, pub_file) != 0) {

error("Unable to move %s into position: %s",

pub_file, strerror(errno));

goto failnext;

}

if (rename(prv_tmp, prv_file) != 0) {

error("Unable to move %s into position: %s",

key_types[i].path, strerror(errno));

failnext:

first = 0;

goto next;

}

sshkey_free(private);

sshkey_free(public);

free(prv_tmp);

free(pub_tmp);

free(prv_file);

free(pub_file);

}

if (first != 0)

printf("\n");

Line 1067

Line 1109

struct known_hosts_ctx *ctx = (struct known_hosts_ctx *)_ctx;

char *hashed, *cp, *hosts, *ohosts;

int has_wild = l->hosts && strcspn(l->hosts, "*?!") != strlen(l->hosts);

int was_hashed = l->hosts && l->hosts[0] == HASH_DELIM;

switch (l->status) {

case HKF_STATUS_OK:

Line 1075

Line 1118

* Don't hash hosts already already hashed, with wildcard

* characters or a CA/revocation marker.

if ((l->match & HKF_MATCH_HOST_HASHED) != 0 ||

if (was_hashed || has_wild || l->marker != MRK_NONE) {

has_wild || l->marker != MRK_NONE) {

fprintf(ctx->out, "%s\n", l->line);

if (has_wild && !find_host) {

logit("%s:%ld: ignoring host name "

logit("%s:%lu: ignoring host name "

"with wildcard: %.64s", l->path,

l->linenum, l->hosts);

}

Line 1091

Line 1133

ohosts = hosts = xstrdup(l->hosts);

while ((cp = strsep(&hosts, ",")) != NULL && *cp != '\0') {

lowercase(cp);

if ((hashed = host_hash(cp, NULL, 0)) == NULL)

fatal("hash_host failed");

fprintf(ctx->out, "%s %s\n", hashed, l->rawkey);

Line 1101

Line 1144

case HKF_STATUS_INVALID:

/* Retain invalid lines, but mark file as invalid. */

ctx->invalid = 1;

logit("%s:%ld: invalid line", l->path, l->linenum);

logit("%s:%lu: invalid line", l->path, l->linenum);

/* FALLTHROUGH */

default:

fprintf(ctx->out, "%s\n", l->line);

Line 1135

Line 1178

ctx->found_key = 1;

if (!quiet)

printf("# Host %s found: line %ld\n",

printf("# Host %s found: line %lu\n",

ctx->host, l->linenum);

}

return 0;

} else if (find_host) {

ctx->found_key = 1;

if (!quiet) {

printf("# Host %s found: line %ld %s\n",

printf("# Host %s found: line %lu %s\n",

ctx->host,

l->linenum, l->marker == MRK_CA ? "CA" :

(l->marker == MRK_REVOKE ? "REVOKED" : ""));

Line 1151

Line 1194

known_hosts_hash(l, ctx);

else if (print_fingerprint) {

fp = sshkey_fingerprint(l->key, fptype, rep);

printf("%s %s %s %s\n", ctx->host,

mprintf("%s %s %s %s\n", ctx->host,

sshkey_type(l->key), fp, l->comment);

free(fp);

} else

Line 1162

Line 1205

/* Retain non-matching hosts when deleting */

if (l->status == HKF_STATUS_INVALID) {

ctx->invalid = 1;

logit("%s:%ld: invalid line", l->path, l->linenum);

logit("%s:%lu: invalid line", l->path, l->linenum);

}

fprintf(ctx->out, "%s\n", l->line);

}

Line 1302

Line 1345

fatal("Failed to load key %s: %s", identity_file, ssh_err(r));

}

if (comment)

printf("Key has comment '%s'\n", comment);

mprintf("Key has comment '%s'\n", comment);

/* Ask the new passphrase (twice). */

if (identity_new_passphrase) {

Line 1418

Line 1461

}

if (private->type != KEY_RSA1 && private->type != KEY_ED25519 &&

if (private->type != KEY_ED25519 && !use_new_format) {

!use_new_format) {

error("Comments are only supported for keys stored in "

error("Comments are only supported for RSA1 or keys stored in "

"the new format (-o).");

explicit_bzero(passphrase, strlen(passphrase));

sshkey_free(private);

exit(1);

}

printf("Key now has comment '%s'\n", comment);

if (comment)

printf("Key now has comment '%s'\n", comment);

else

printf("Key now has no comment\n");

if (identity_comment) {

strlcpy(new_comment, identity_comment, sizeof(new_comment));

Line 1455

Line 1500

explicit_bzero(passphrase, strlen(passphrase));

free(passphrase);

if ((r = sshkey_from_private(private, &public)) != 0)

fatal("key_from_private failed: %s", ssh_err(r));

fatal("sshkey_from_private failed: %s", ssh_err(r));

sshkey_free(private);

strlcat(identity_file, ".pub", sizeof(identity_file));

Line 1510

Line 1555

static void

prepare_options_buf(struct sshbuf *c, int which)

{

size_t i;

sshbuf_reset(c);

if ((which & OPTIONS_CRITICAL) != 0 &&

certflags_command != NULL)

Line 1532

Line 1579

if ((which & OPTIONS_CRITICAL) != 0 &&

certflags_src_addr != NULL)

add_string_option(c, "source-address", certflags_src_addr);

for (i = 0; i < ncert_userext; i++) {

if ((cert_userext[i].crit && (which & OPTIONS_EXTENSIONS)) ||

(!cert_userext[i].crit && (which & OPTIONS_CRITICAL)))

continue;

if (cert_userext[i].val == NULL)

add_flag_option(c, cert_userext[i].key);

else {

add_string_option(c, cert_userext[i].key,

cert_userext[i].val);

}

static struct sshkey *

Line 1564

Line 1622

#endif /* ENABLE_PKCS11 */

}

/* Signer for sshkey_certify_custom that uses the agent */

static int

agent_signer(const struct sshkey *key, u_char **sigp, size_t *lenp,

const u_char *data, size_t datalen,

const char *alg, u_int compat, void *ctx)

{

int *agent_fdp = (int *)ctx;

return ssh_agent_sign(*agent_fdp, key, sigp, lenp,

data, datalen, alg, compat);

}

static void

do_ca_sign(struct passwd *pw, int argc, char **argv)

{

int r, i, fd;

int r, i, fd, found, agent_fd = -1;

u_int n;

struct sshkey *ca, *public;

char valid[64], *otmp, *tmp, *cp, *out, *comment, **plist = NULL;

FILE *f;

struct ssh_identitylist *agent_ids;

size_t j;

#ifdef ENABLE_PKCS11

pkcs11_init(1);

#endif

tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);

if (pkcs11provider != NULL) {

/* If a PKCS#11 token was specified then try to use it */

if ((ca = load_pkcs11_key(tmp)) == NULL)

fatal("No PKCS#11 key matching %s found", ca_key_path);

} else

} else if (prefer_agent) {

* Agent signature requested. Try to use agent after making

* sure the public key specified is actually present in the

* agent.

if ((r = sshkey_load_public(tmp, &ca, NULL)) != 0)

fatal("Cannot load CA public key %s: %s",

tmp, ssh_err(r));

if ((r = ssh_get_authentication_socket(&agent_fd)) != 0)

fatal("Cannot use public key for CA signature: %s",

ssh_err(r));

if ((r = ssh_fetch_identitylist(agent_fd, &agent_ids)) != 0)

fatal("Retrieve agent key list: %s", ssh_err(r));

found = 0;

for (j = 0; j < agent_ids->nkeys; j++) {

if (sshkey_equal(ca, agent_ids->keys[j])) {

found = 1;

break;

}

if (!found)

fatal("CA key %s not found in agent", tmp);

ssh_free_identitylist(agent_ids);

ca->flags |= SSHKEY_FLAG_EXT;

} else {

/* CA key is assumed to be a private key on the filesystem */

ca = load_identity(tmp);

}

free(tmp);

if (key_type_name != NULL &&

sshkey_type_from_name(key_type_name) != ca->type) {

fatal("CA key type %s doesn't match specified %s",

sshkey_ssh_name(ca), key_type_name);

}

for (i = 0; i < argc; i++) {

/* Split list of principals */

n = 0;

Line 1623

Line 1729

OPTIONS_EXTENSIONS);

if ((r = sshkey_from_private(ca,

&public->cert->signature_key)) != 0)

fatal("key_from_private (ca key): %s", ssh_err(r));

fatal("sshkey_from_private (ca key): %s", ssh_err(r));

if (sshkey_certify(public, ca) != 0)

if (agent_fd != -1 && (ca->flags & SSHKEY_FLAG_EXT) != 0) {

fatal("Couldn't not certify key %s", tmp);

if ((r = sshkey_certify_custom(public, ca,

key_type_name, agent_signer, &agent_fd)) != 0)

fatal("Couldn't certify key %s via agent: %s",

tmp, ssh_err(r));

} else {

if ((sshkey_certify(public, ca, key_type_name)) != 0)

fatal("Couldn't certify key %s: %s",

tmp, ssh_err(r));

}

if ((cp = strrchr(tmp, '.')) != NULL && strcmp(cp, ".pub") == 0)

*cp = '\0';

Line 1702

Line 1816

s, s + 4, s + 6, s + 8, s + 10, s + 12);

break;

default:

fatal("Invalid certificate time format %s", s);

fatal("Invalid certificate time format \"%s\"", s);

}

memset(&tm, 0, sizeof(tm));

Line 1735

Line 1849

* from:to, where

* from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS

* from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "always"

* to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS

* to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "forever"

from = xstrdup(timespec);

to = strchr(from, ':');

Line 1746

Line 1860

if (*from == '-' || *from == '+')

cert_valid_from = parse_relative_time(from, now);

else if (strcmp(from, "always") == 0)

cert_valid_from = 0;

else

cert_valid_from = parse_absolute_time(from);

if (*to == '-' || *to == '+')

cert_valid_to = parse_relative_time(to, now);

else if (strcmp(to, "forever") == 0)

cert_valid_to = ~(u_int64_t)0;

else

cert_valid_to = parse_absolute_time(to);

Line 1762

Line 1880

static void

add_cert_option(char *opt)

{

char *val;

char *val, *cp;

int iscrit = 0;

if (strcasecmp(opt, "clear") == 0)

certflags_flags = 0;

Line 1802

Line 1921

if (addr_match_cidr_list(NULL, val) != 0)

fatal("Invalid source-address list");

certflags_src_addr = xstrdup(val);

} else if (strncasecmp(opt, "extension:", 10) == 0 ||

(iscrit = (strncasecmp(opt, "critical:", 9) == 0))) {

val = xstrdup(strchr(opt, ':') + 1);

if ((cp = strchr(val, '=')) != NULL)

*cp++ = '\0';

cert_userext = xreallocarray(cert_userext, ncert_userext + 1,

sizeof(*cert_userext));

cert_userext[ncert_userext].key = val;

cert_userext[ncert_userext].val = cp == NULL ?

NULL : xstrdup(cp);

cert_userext[ncert_userext].crit = iscrit;

ncert_userext++;

} else

fatal("Unsupported certificate option \"%s\"", opt);

}

Line 1905

Line 2036

FILE *f;

char *cp, line[SSH_MAX_PUBKEY_BYTES];

const char *path;

long int lnum = 0;

u_long lnum = 0;

if (!have_identity)

ask_filename(pw, "Enter file in which the key is");

Line 1928

Line 2059

if (*cp == '#' || *cp == '\0')

continue;

if ((key = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("key_new");

fatal("sshkey_new");

if ((r = sshkey_read(key, &cp)) != 0) {

error("%s:%lu: invalid key: %s", path,

lnum, ssh_err(r));

Line 2075

Line 2206

}

if ((key = sshkey_new(KEY_UNSPEC)) == NULL)

fatal("key_new");

fatal("sshkey_new");

if ((r = sshkey_read(key, &cp)) != 0)

fatal("%s:%lu: invalid key: %s",

path, lnum, ssh_err(r));

Line 2188

Line 2319

usage(void)

{

fprintf(stderr,

"usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]\n"

"usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa]\n"

" [-N new_passphrase] [-C comment] [-f output_keyfile]\n"

" ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n"

" ssh-keygen -i [-m key_format] [-f input_keyfile]\n"

Line 2211

Line 2342

" ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n"

" [-j start_line] [-K checkpt] [-W generator]\n"

#endif

" ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]\n"

" ssh-keygen -s ca_key -I certificate_identity [-h] [-U]\n"

" [-O option] [-V validity_interval] [-z serial_number] file ...\n"

" [-D pkcs11_provider] [-n principals] [-O option]\n"

" [-V validity_interval] [-z serial_number] file ...\n"

" ssh-keygen -L [-f input_keyfile]\n"

" ssh-keygen -A\n"

" ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n"

Line 2255

Line 2387

OpenSSL_add_all_algorithms();

log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);

setlocale(LC_CTYPE, "");

/* we need this for the home * directory. */

pw = getpwuid(getuid());

if (!pw)

Line 2262

Line 2396

if (gethostname(hostname, sizeof(hostname)) < 0)

fatal("gethostname: %s", strerror(errno));

/* Remaining characters: UYdw */

/* Remaining characters: Ydw */

while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy"

while ((opt = getopt(argc, argv, "ABHLQUXceghiklopquvxy"

"C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:"

"a:b:f:g:j:m:n:r:s:t:z:")) != -1) {

switch (opt) {

Line 2390

Line 2524

case 'D':

pkcs11provider = optarg;

break;

case 'U':

prefer_agent = 1;

break;

case 'u':

update_krl = 1;

break;

Line 2431

Line 2568

break;

case 'J':

lines_to_process = strtoul(optarg, NULL, 10);

break;

case 'j':

start_lineno = strtoul(optarg, NULL, 10);

break;

case 'K':

if (strlen(optarg) >= PATH_MAX)

fatal("Checkpoint filename too long");

Line 2611

Line 2748

printf("Generating public/private %s key pair.\n",

key_type_name);

if ((r = sshkey_generate(type, bits, &private)) != 0)

fatal("key_generate failed");

fatal("sshkey_generate failed");

if ((r = sshkey_from_private(private, &public)) != 0)

fatal("key_from_private failed: %s\n", ssh_err(r));

fatal("sshkey_from_private failed: %s\n", ssh_err(r));

if (!have_identity)

ask_filename(pw, "Enter file in which to save the key");