version 1.381, 2020/01/02 22:40:09 |
version 1.384, 2020/01/21 11:06:09 |
|
|
exit(ok ? 0 : 1); |
exit(ok ? 0 : 1); |
} |
} |
|
|
#ifdef WITH_OPENSSL |
|
static void |
static void |
load_krl(const char *path, struct ssh_krl **krlp) |
load_krl(const char *path, struct ssh_krl **krlp) |
{ |
{ |
|
|
ssh_krl_free(krl); |
ssh_krl_free(krl); |
exit(ret); |
exit(ret); |
} |
} |
#endif |
|
|
|
static struct sshkey * |
static struct sshkey * |
load_sign_key(const char *keypath, const struct sshkey *pubkey) |
load_sign_key(const char *keypath, const struct sshkey *pubkey) |
|
|
} |
} |
|
|
static int |
static int |
do_download_sk(const char *skprovider) |
do_download_sk(const char *skprovider, const char *device) |
{ |
{ |
struct sshkey **keys; |
struct sshkey **keys; |
size_t nkeys, i; |
size_t nkeys, i; |
|
|
fatal("Cannot download keys without provider"); |
fatal("Cannot download keys without provider"); |
|
|
pin = read_passphrase("Enter PIN for security key: ", RP_ALLOW_STDIN); |
pin = read_passphrase("Enter PIN for security key: ", RP_ALLOW_STDIN); |
if ((r = sshsk_load_resident(skprovider, pin, &keys, &nkeys)) != 0) { |
if ((r = sshsk_load_resident(skprovider, device, pin, |
|
&keys, &nkeys)) != 0) { |
freezero(pin, strlen(pin)); |
freezero(pin, strlen(pin)); |
error("Unable to load resident keys: %s", ssh_err(r)); |
error("Unable to load resident keys: %s", ssh_err(r)); |
return -1; |
return -1; |
|
|
fprintf(stderr, |
fprintf(stderr, |
"usage: ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]\n" |
"usage: ssh-keygen [-q] [-b bits] [-C comment] [-f output_keyfile] [-m format]\n" |
" [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]\n" |
" [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]\n" |
" [-N new_passphrase] [-w provider] [-x flags]\n" |
" [-N new_passphrase] [-O option] [-w provider]\n" |
" ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]\n" |
" ssh-keygen -p [-f keyfile] [-m format] [-N new_passphrase]\n" |
" [-P old_passphrase]\n" |
" [-P old_passphrase]\n" |
" ssh-keygen -i [-f input_keyfile] [-m key_format]\n" |
" ssh-keygen -i [-f input_keyfile] [-m key_format]\n" |
|
|
" ssh-keygen -D pkcs11\n"); |
" ssh-keygen -D pkcs11\n"); |
#endif |
#endif |
fprintf(stderr, |
fprintf(stderr, |
" ssh-keygen -K path [-w sk_provider]\n"); |
|
fprintf(stderr, |
|
" ssh-keygen -F hostname [-lv] [-f known_hosts_file]\n" |
" ssh-keygen -F hostname [-lv] [-f known_hosts_file]\n" |
" ssh-keygen -H [-f known_hosts_file]\n" |
" ssh-keygen -H [-f known_hosts_file]\n" |
|
" ssh-keygen -K [-w provider]\n" |
" ssh-keygen -R hostname [-f known_hosts_file]\n" |
" ssh-keygen -R hostname [-f known_hosts_file]\n" |
" ssh-keygen -r hostname [-g] [-f input_keyfile]\n" |
" ssh-keygen -r hostname [-g] [-f input_keyfile]\n" |
#ifdef WITH_OPENSSL |
#ifdef WITH_OPENSSL |
" ssh-keygen -M generate [-O option] output\n" |
" ssh-keygen -M generate [-O option] output_file\n" |
" ssh-keygen -M screen [-f input_file] [-O option] [-a rounds] output_file\n" |
" ssh-keygen -M screen [-f input_file] [-O option] output_file\n" |
#endif |
#endif |
" ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]\n" |
" ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]\n" |
" [-n principals] [-O option] [-V validity_interval]\n" |
" [-n principals] [-O option] [-V validity_interval]\n" |
|
|
int do_gen_candidates = 0, do_screen_candidates = 0, download_sk = 0; |
int do_gen_candidates = 0, do_screen_candidates = 0, download_sk = 0; |
unsigned long long cert_serial = 0; |
unsigned long long cert_serial = 0; |
char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL; |
char *identity_comment = NULL, *ca_key_path = NULL, **opts = NULL; |
|
char *sk_application = NULL, *sk_device = NULL, *sk_user = NULL; |
size_t i, nopts = 0; |
size_t i, nopts = 0; |
u_int32_t bits = 0; |
u_int32_t bits = 0; |
uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD; |
uint8_t sk_flags = SSH_SK_USER_PRESENCE_REQD; |
|
|
usage(); |
usage(); |
} |
} |
if (gen_krl) { |
if (gen_krl) { |
#ifdef WITH_OPENSSL |
|
do_gen_krl(pw, update_krl, ca_key_path, |
do_gen_krl(pw, update_krl, ca_key_path, |
cert_serial, identity_comment, argc, argv); |
cert_serial, identity_comment, argc, argv); |
return (0); |
return (0); |
#else |
|
fatal("KRL generation not supported"); |
|
#endif |
|
} |
} |
if (check_krl) { |
if (check_krl) { |
#ifdef WITH_OPENSSL |
|
do_check_krl(pw, argc, argv); |
do_check_krl(pw, argc, argv); |
return (0); |
return (0); |
#else |
|
fatal("KRL checking not supported"); |
|
#endif |
|
} |
} |
if (ca_key_path != NULL) { |
if (ca_key_path != NULL) { |
if (cert_key_id == NULL) |
if (cert_key_id == NULL) |
|
|
} |
} |
if (pkcs11provider != NULL) |
if (pkcs11provider != NULL) |
do_download(pw); |
do_download(pw); |
if (download_sk) |
if (download_sk) { |
return do_download_sk(sk_provider); |
for (i = 0; i < nopts; i++) { |
|
if (strncasecmp(opts[i], "device=", 7) == 0) { |
|
sk_device = xstrdup(opts[i] + 7); |
|
} else { |
|
fatal("Option \"%s\" is unsupported for " |
|
"FIDO authenticator download", opts[i]); |
|
} |
|
} |
|
return do_download_sk(sk_provider, sk_device); |
|
} |
if (print_fingerprint || print_bubblebabble) |
if (print_fingerprint || print_bubblebabble) |
do_fingerprint(pw); |
do_fingerprint(pw); |
if (change_passphrase) |
if (change_passphrase) |
|
|
sk_flags &= ~SSH_SK_USER_PRESENCE_REQD; |
sk_flags &= ~SSH_SK_USER_PRESENCE_REQD; |
} else if (strcasecmp(opts[i], "resident") == 0) { |
} else if (strcasecmp(opts[i], "resident") == 0) { |
sk_flags |= SSH_SK_RESIDENT_KEY; |
sk_flags |= SSH_SK_RESIDENT_KEY; |
|
} else if (strncasecmp(opts[i], "device=", 7) == 0) { |
|
sk_device = xstrdup(opts[i] + 7); |
|
} else if (strncasecmp(opts[i], "user=", 5) == 0) { |
|
sk_user = xstrdup(opts[i] + 5); |
|
} else if (strncasecmp(opts[i], |
|
"application=", 12) == 0) { |
|
sk_application = xstrdup(opts[i] + 12); |
} else { |
} else { |
fatal("Option \"%s\" is unsupported for " |
fatal("Option \"%s\" is unsupported for " |
"FIDO authenticator enrollment", opts[i]); |
"FIDO authenticator enrollment", opts[i]); |
|
|
} |
} |
passphrase = NULL; |
passphrase = NULL; |
for (i = 0 ; i < 3; i++) { |
for (i = 0 ; i < 3; i++) { |
if (!quiet) { |
|
printf("You may need to touch your security " |
|
"key to authorize key generation.\n"); |
|
} |
|
fflush(stdout); |
fflush(stdout); |
r = sshsk_enroll(type, sk_provider, |
r = sshsk_enroll(type, sk_provider, sk_device, |
cert_key_id == NULL ? "ssh:" : cert_key_id, |
sk_application == NULL ? "ssh:" : sk_application, |
sk_flags, passphrase, NULL, &private, NULL); |
sk_user, sk_flags, passphrase, NULL, |
|
&private, NULL); |
if (r == 0) |
if (r == 0) |
break; |
break; |
if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) |
if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) |