| version 1.381, 2020/01/02 22:40:09 |
version 1.384, 2020/01/21 11:06:09 |
|
|
| exit(ok ? 0 : 1); |
exit(ok ? 0 : 1); |
| } |
} |
| |
|
| #ifdef WITH_OPENSSL |
|
| static void |
static void |
| load_krl(const char *path, struct ssh_krl **krlp) |
load_krl(const char *path, struct ssh_krl **krlp) |
| { |
{ |
|
|
| ssh_krl_free(krl); |
ssh_krl_free(krl); |
| exit(ret); |
exit(ret); |
| } |
} |
| #endif |
|
| |
|
| static struct sshkey * |
static struct sshkey * |
| load_sign_key(const char *keypath, const struct sshkey *pubkey) |
load_sign_key(const char *keypath, const struct sshkey *pubkey) |
|
|
| } |
} |
| |
|
| static int |
static int |
| do_download_sk(const char *skprovider) |
do_download_sk(const char *skprovider, const char *device) |
| { |
{ |
| struct sshkey **keys; |
struct sshkey **keys; |
| size_t nkeys, i; |
size_t nkeys, i; |
|
|
| fatal("Cannot download keys without provider"); |
fatal("Cannot download keys without provider"); |
| |
|
| pin = read_passphrase("Enter PIN for security key: ", RP_ALLOW_STDIN); |
pin = read_passphrase("Enter PIN for security key: ", RP_ALLOW_STDIN); |
| if ((r = sshsk_load_resident(skprovider, pin, &keys, &nkeys)) != 0) { |
if ((r = sshsk_load_resident(skprovider, device, pin, |
| |
&keys, &nkeys)) != 0) { |
| freezero(pin, strlen(pin)); |
freezero(pin, strlen(pin)); |
| error("Unable to load resident keys: %s", ssh_err(r)); |
error("Unable to load resident keys: %s", ssh_err(r)); |
| return -1; |
return -1; |
|
|
| fprintf(stderr, |
fprintf(stderr, |
| "usage: ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]\n" |
"usage: ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]\n" |
| " [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]\n" |
" [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]\n" |
| " [-N new_passphrase] [-w provider] [-x flags]\n" |
" [-N new_passphrase] [-O option] [-w provider]\n" |
| " ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]\n" |
" ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]\n" |
| " [-P old_passphrase]\n" |
" [-P old_passphrase]\n" |
| " ssh-keygen -i [-f input_keyfile] [-m key_format]\n" |
" ssh-keygen -i [-f input_keyfile] [-m key_format]\n" |
|
|
| " ssh-keygen -D pkcs11\n"); |
" ssh-keygen -D pkcs11\n"); |
| #endif |
#endif |
| fprintf(stderr, |
fprintf(stderr, |
| " ssh-keygen -K path [-w sk_provider]\n"); |
|
| fprintf(stderr, |
|
| " ssh-keygen -F hostname [-lv] [-f known_hosts_file]\n" |
" ssh-keygen -F hostname [-lv] [-f known_hosts_file]\n" |
| " ssh-keygen -H [-f known_hosts_file]\n" |
" ssh-keygen -H [-f known_hosts_file]\n" |
| |
" ssh-keygen -K [-w provider]\n" |
| " ssh-keygen -R hostname [-f known_hosts_file]\n" |
" ssh-keygen -R hostname [-f known_hosts_file]\n" |
| " ssh-keygen -r hostname [-g] [-f input_keyfile]\n" |
" ssh-keygen -r hostname [-g] [-f input_keyfile]\n" |
| #ifdef WITH_OPENSSL |
#ifdef WITH_OPENSSL |
| " ssh-keygen -M generate [-O option] output\n" |
" ssh-keygen -M generate [-O option] output_file\n" |
| " ssh-keygen -M screen [-f input_file] [-O option] [-a rounds] output_file\n" |
" ssh-keygen -M screen [-f input_file] [-O option] output_file\n" |
| #endif |
#endif |
| " ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]\n" |
" ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]\n" |
| " [-n principals] [-O option] [-V validity_interval]\n" |
" [-n principals] [-O option] [-V validity_interval]\n" |
|
|
| int do_gen_candidates = 0, do_screen_candidates = 0, download_sk = 0; |
int do_gen_candidates = 0, do_screen_candidates = 0, download_sk = 0; |
| unsigned long long cert_serial = 0; |
unsigned long long cert_serial = 0; |
| char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL; |
char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL; |
| |
char *sk_application = NULL, *sk_device = NULL, *sk_user = NULL; |
| size_t i, nopts = 0; |
size_t i, nopts = 0; |
| u_int32_t bits = 0; |
u_int32_t bits = 0; |
| uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD; |
uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD; |
|
|
| usage(); |
usage(); |
| } |
} |
| if (gen_krl) { |
if (gen_krl) { |
| #ifdef WITH_OPENSSL |
|
| do_gen_krl(pw, update_krl, ca_key_path, |
do_gen_krl(pw, update_krl, ca_key_path, |
| cert_serial, identity_comment, argc, argv); |
cert_serial, identity_comment, argc, argv); |
| return (0); |
return (0); |
| #else |
|
| fatal("KRL generation not supported"); |
|
| #endif |
|
| } |
} |
| if (check_krl) { |
if (check_krl) { |
| #ifdef WITH_OPENSSL |
|
| do_check_krl(pw, argc, argv); |
do_check_krl(pw, argc, argv); |
| return (0); |
return (0); |
| #else |
|
| fatal("KRL checking not supported"); |
|
| #endif |
|
| } |
} |
| if (ca_key_path != NULL) { |
if (ca_key_path != NULL) { |
| if (cert_key_id == NULL) |
if (cert_key_id == NULL) |
|
|
| } |
} |
| if (pkcs11provider != NULL) |
if (pkcs11provider != NULL) |
| do_download(pw); |
do_download(pw); |
| if (download_sk) |
if (download_sk) { |
| return do_download_sk(sk_provider); |
for (i = 0; i < nopts; i++) { |
| |
if (strncasecmp(opts[i], "device=", 7) == 0) { |
| |
sk_device = xstrdup(opts[i] + 7); |
| |
} else { |
| |
fatal("Option \"%s\" is unsupported for " |
| |
"FIDO authenticator download", opts[i]); |
| |
} |
| |
} |
| |
return do_download_sk(sk_provider, sk_device); |
| |
} |
| if (print_fingerprint || print_bubblebabble) |
if (print_fingerprint || print_bubblebabble) |
| do_fingerprint(pw); |
do_fingerprint(pw); |
| if (change_passphrase) |
if (change_passphrase) |
|
|
| sk_flags &= ~SSH_SK_USER_PRESENCE_REQD; |
sk_flags &= ~SSH_SK_USER_PRESENCE_REQD; |
| } else if (strcasecmp(opts[i], "resident") == 0) { |
} else if (strcasecmp(opts[i], "resident") == 0) { |
| sk_flags |= SSH_SK_RESIDENT_KEY; |
sk_flags |= SSH_SK_RESIDENT_KEY; |
| |
} else if (strncasecmp(opts[i], "device=", 7) == 0) { |
| |
sk_device = xstrdup(opts[i] + 7); |
| |
} else if (strncasecmp(opts[i], "user=", 5) == 0) { |
| |
sk_user = xstrdup(opts[i] + 5); |
| |
} else if (strncasecmp(opts[i], |
| |
"application=", 12) == 0) { |
| |
sk_application = xstrdup(opts[i] + 12); |
| } else { |
} else { |
| fatal("Option \"%s\" is unsupported for " |
fatal("Option \"%s\" is unsupported for " |
| "FIDO authenticator enrollment", opts[i]); |
"FIDO authenticator enrollment", opts[i]); |
|
|
| } |
} |
| passphrase = NULL; |
passphrase = NULL; |
| for (i = 0 ; i < 3; i++) { |
for (i = 0 ; i < 3; i++) { |
| if (!quiet) { |
|
| printf("You may need to touch your security " |
|
| "key to authorize key generation.\n"); |
|
| } |
|
| fflush(stdout); |
fflush(stdout); |
| r = sshsk_enroll(type, sk_provider, |
r = sshsk_enroll(type, sk_provider, sk_device, |
| cert_key_id == NULL ? "ssh:" : cert_key_id, |
sk_application == NULL ? "ssh:" : sk_application, |
| sk_flags, passphrase, NULL, &private, NULL); |
sk_user, sk_flags, passphrase, NULL, |
| |
&private, NULL); |
| if (r == 0) |
if (r == 0) |
| break; |
break; |
| if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) |
if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) |
![[BACK]](/icons/back.gif){kind=icon}
Return to ssh-keygen.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh