Annotation of src/usr.bin/ssh/ssh-keygen.c, Revision 1.119
1.1 deraadt 1: /*
1.13 deraadt 2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
3: * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4: * All rights reserved
5: * Identity and host key generation and maintenance.
1.31 deraadt 6: *
7: * As far as I am concerned, the code I have written for this software
8: * can be used freely for any purpose. Any derived versions of this
9: * software must be clearly marked as such, and if the derived work is
10: * incompatible with the protocol description in the RFC file, it must be
11: * called by a name other than "ssh" or "Secure Shell".
1.13 deraadt 12: */
1.1 deraadt 13:
14: #include "includes.h"
1.119 ! djm 15: RCSID("$OpenBSD: ssh-keygen.c,v 1.118 2004/12/23 17:38:07 markus Exp $");
1.19 markus 16:
17: #include <openssl/evp.h>
18: #include <openssl/pem.h>
1.1 deraadt 19:
20: #include "xmalloc.h"
1.19 markus 21: #include "key.h"
1.53 markus 22: #include "rsa.h"
1.19 markus 23: #include "authfile.h"
24: #include "uuencode.h"
1.32 markus 25: #include "buffer.h"
26: #include "bufaux.h"
1.40 markus 27: #include "pathnames.h"
1.41 markus 28: #include "log.h"
1.114 djm 29: #include "misc.h"
1.119 ! djm 30: #include "match.h"
! 31: #include "hostfile.h"
1.32 markus 32:
1.75 markus 33: #ifdef SMARTCARD
34: #include "scard.h"
1.106 djm 35: #endif
36: #include "dns.h"
1.66 markus 37:
1.19 markus 38: /* Number of bits in the RSA/DSA key. This value can be changed on the command line. */
1.1 deraadt 39: int bits = 1024;
40:
1.14 markus 41: /*
42: * Flag indicating that we just want to change the passphrase. This can be
43: * set on the command line.
44: */
1.1 deraadt 45: int change_passphrase = 0;
46:
1.14 markus 47: /*
48: * Flag indicating that we just want to change the comment. This can be set
49: * on the command line.
50: */
1.1 deraadt 51: int change_comment = 0;
52:
1.2 provos 53: int quiet = 0;
54:
1.119 ! djm 55: /* Flag indicating that we want to hash a known_hosts file */
! 56: int hash_hosts = 0;
! 57: /* Flag indicating that we want lookup a host in known_hosts file */
! 58: int find_host = 0;
! 59: /* Flag indicating that we want to delete a host from a known_hosts file */
! 60: int delete_host = 0;
! 61:
1.8 markus 62: /* Flag indicating that we just want to see the key fingerprint */
63: int print_fingerprint = 0;
1.49 markus 64: int print_bubblebabble = 0;
1.8 markus 65:
1.10 markus 66: /* The identity file name, given on the command line or entered by the user. */
67: char identity_file[1024];
68: int have_identity = 0;
1.1 deraadt 69:
70: /* This is set to the passphrase if given on the command line. */
71: char *identity_passphrase = NULL;
72:
73: /* This is set to the new passphrase if given on the command line. */
74: char *identity_new_passphrase = NULL;
75:
76: /* This is set to the new comment if given on the command line. */
77: char *identity_comment = NULL;
78:
1.19 markus 79: /* Dump public key file in format used by real and the original SSH 2 */
80: int convert_to_ssh2 = 0;
81: int convert_from_ssh2 = 0;
82: int print_public = 0;
1.105 jakob 83: int print_generic = 0;
1.33 markus 84:
1.87 djm 85: char *key_type_name = NULL;
1.19 markus 86:
1.10 markus 87: /* argv0 */
88: extern char *__progname;
1.1 deraadt 89:
1.19 markus 90: char hostname[MAXHOSTNAMELEN];
91:
1.115 djm 92: /* moduli.c */
93: int gen_candidates(FILE *, int, int, BIGNUM *);
94: int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
95:
1.63 itojun 96: static void
1.10 markus 97: ask_filename(struct passwd *pw, const char *prompt)
1.1 deraadt 98: {
1.12 markus 99: char buf[1024];
1.35 markus 100: char *name = NULL;
101:
1.92 stevesk 102: if (key_type_name == NULL)
1.40 markus 103: name = _PATH_SSH_CLIENT_ID_RSA;
1.92 stevesk 104: else
105: switch (key_type_from_name(key_type_name)) {
106: case KEY_RSA1:
107: name = _PATH_SSH_CLIENT_IDENTITY;
108: break;
109: case KEY_DSA:
110: name = _PATH_SSH_CLIENT_ID_DSA;
111: break;
112: case KEY_RSA:
113: name = _PATH_SSH_CLIENT_ID_RSA;
114: break;
115: default:
116: fprintf(stderr, "bad key type");
117: exit(1);
118: break;
119: }
120:
1.35 markus 121: snprintf(identity_file, sizeof(identity_file), "%s/%s", pw->pw_dir, name);
1.37 markus 122: fprintf(stderr, "%s (%s): ", prompt, identity_file);
1.12 markus 123: if (fgets(buf, sizeof(buf), stdin) == NULL)
124: exit(1);
125: if (strchr(buf, '\n'))
126: *strchr(buf, '\n') = 0;
127: if (strcmp(buf, "") != 0)
128: strlcpy(identity_file, buf, sizeof(identity_file));
129: have_identity = 1;
1.7 markus 130: }
131:
1.63 itojun 132: static Key *
1.61 markus 133: load_identity(char *filename)
1.19 markus 134: {
1.52 markus 135: char *pass;
136: Key *prv;
137:
1.55 markus 138: prv = key_load_private(filename, "", NULL);
1.52 markus 139: if (prv == NULL) {
1.61 markus 140: if (identity_passphrase)
141: pass = xstrdup(identity_passphrase);
142: else
1.65 markus 143: pass = read_passphrase("Enter passphrase: ",
144: RP_ALLOW_STDIN);
1.52 markus 145: prv = key_load_private(filename, pass, NULL);
1.19 markus 146: memset(pass, 0, strlen(pass));
147: xfree(pass);
148: }
1.52 markus 149: return prv;
1.19 markus 150: }
151:
1.32 markus 152: #define SSH_COM_PUBLIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----"
1.100 deraadt 153: #define SSH_COM_PUBLIC_END "---- END SSH2 PUBLIC KEY ----"
1.32 markus 154: #define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
1.42 stevesk 155: #define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb
1.19 markus 156:
1.63 itojun 157: static void
1.19 markus 158: do_convert_to_ssh2(struct passwd *pw)
159: {
1.59 markus 160: Key *k;
1.94 markus 161: u_int len;
1.36 markus 162: u_char *blob;
1.19 markus 163: struct stat st;
164:
165: if (!have_identity)
166: ask_filename(pw, "Enter file in which the key is");
167: if (stat(identity_file, &st) < 0) {
168: perror(identity_file);
169: exit(1);
170: }
1.59 markus 171: if ((k = key_load_public(identity_file, NULL)) == NULL) {
1.61 markus 172: if ((k = load_identity(identity_file)) == NULL) {
1.59 markus 173: fprintf(stderr, "load failed\n");
174: exit(1);
175: }
1.104 markus 176: }
177: if (k->type == KEY_RSA1) {
178: fprintf(stderr, "version 1 keys are not supported\n");
179: exit(1);
1.19 markus 180: }
1.81 markus 181: if (key_to_blob(k, &blob, &len) <= 0) {
182: fprintf(stderr, "key_to_blob failed\n");
183: exit(1);
184: }
1.32 markus 185: fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN);
1.19 markus 186: fprintf(stdout,
1.101 deraadt 187: "Comment: \"%u-bit %s, converted from OpenSSH by %s@%s\"\n",
1.59 markus 188: key_size(k), key_type(k),
1.19 markus 189: pw->pw_name, hostname);
190: dump_base64(stdout, blob, len);
1.32 markus 191: fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END);
1.59 markus 192: key_free(k);
1.21 markus 193: xfree(blob);
1.19 markus 194: exit(0);
195: }
196:
1.63 itojun 197: static void
1.32 markus 198: buffer_get_bignum_bits(Buffer *b, BIGNUM *value)
199: {
1.116 avsm 200: u_int bignum_bits = buffer_get_int(b);
201: u_int bytes = (bignum_bits + 7) / 8;
1.53 markus 202:
1.32 markus 203: if (buffer_len(b) < bytes)
1.53 markus 204: fatal("buffer_get_bignum_bits: input buffer too small: "
205: "need %d have %d", bytes, buffer_len(b));
1.89 stevesk 206: BN_bin2bn(buffer_ptr(b), bytes, value);
1.32 markus 207: buffer_consume(b, bytes);
208: }
209:
1.63 itojun 210: static Key *
1.93 markus 211: do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
1.32 markus 212: {
213: Buffer b;
214: Key *key = NULL;
1.64 markus 215: char *type, *cipher;
1.69 stevesk 216: u_char *sig, data[] = "abcde12345";
1.62 markus 217: int magic, rlen, ktype, i1, i2, i3, i4;
1.64 markus 218: u_int slen;
1.62 markus 219: u_long e;
1.32 markus 220:
221: buffer_init(&b);
222: buffer_append(&b, blob, blen);
223:
224: magic = buffer_get_int(&b);
225: if (magic != SSH_COM_PRIVATE_KEY_MAGIC) {
226: error("bad magic 0x%x != 0x%x", magic, SSH_COM_PRIVATE_KEY_MAGIC);
227: buffer_free(&b);
228: return NULL;
229: }
1.62 markus 230: i1 = buffer_get_int(&b);
1.32 markus 231: type = buffer_get_string(&b, NULL);
232: cipher = buffer_get_string(&b, NULL);
1.62 markus 233: i2 = buffer_get_int(&b);
234: i3 = buffer_get_int(&b);
235: i4 = buffer_get_int(&b);
236: debug("ignore (%d %d %d %d)", i1,i2,i3,i4);
1.32 markus 237: if (strcmp(cipher, "none") != 0) {
238: error("unsupported cipher %s", cipher);
239: xfree(cipher);
240: buffer_free(&b);
1.53 markus 241: xfree(type);
1.32 markus 242: return NULL;
243: }
244: xfree(cipher);
245:
1.53 markus 246: if (strstr(type, "dsa")) {
247: ktype = KEY_DSA;
248: } else if (strstr(type, "rsa")) {
249: ktype = KEY_RSA;
250: } else {
1.118 markus 251: buffer_free(&b);
1.53 markus 252: xfree(type);
1.32 markus 253: return NULL;
254: }
1.53 markus 255: key = key_new_private(ktype);
256: xfree(type);
257:
258: switch (key->type) {
259: case KEY_DSA:
260: buffer_get_bignum_bits(&b, key->dsa->p);
261: buffer_get_bignum_bits(&b, key->dsa->g);
262: buffer_get_bignum_bits(&b, key->dsa->q);
263: buffer_get_bignum_bits(&b, key->dsa->pub_key);
264: buffer_get_bignum_bits(&b, key->dsa->priv_key);
265: break;
266: case KEY_RSA:
1.62 markus 267: e = buffer_get_char(&b);
268: debug("e %lx", e);
269: if (e < 30) {
270: e <<= 8;
271: e += buffer_get_char(&b);
272: debug("e %lx", e);
273: e <<= 8;
274: e += buffer_get_char(&b);
275: debug("e %lx", e);
276: }
277: if (!BN_set_word(key->rsa->e, e)) {
1.53 markus 278: buffer_free(&b);
279: key_free(key);
280: return NULL;
281: }
282: buffer_get_bignum_bits(&b, key->rsa->d);
283: buffer_get_bignum_bits(&b, key->rsa->n);
284: buffer_get_bignum_bits(&b, key->rsa->iqmp);
285: buffer_get_bignum_bits(&b, key->rsa->q);
286: buffer_get_bignum_bits(&b, key->rsa->p);
1.68 markus 287: rsa_generate_additional_parameters(key->rsa);
1.53 markus 288: break;
289: }
1.32 markus 290: rlen = buffer_len(&b);
1.85 deraadt 291: if (rlen != 0)
1.53 markus 292: error("do_convert_private_ssh2_from_blob: "
293: "remaining bytes in key blob %d", rlen);
1.32 markus 294: buffer_free(&b);
1.64 markus 295:
296: /* try the key */
297: key_sign(key, &sig, &slen, data, sizeof(data));
298: key_verify(key, sig, slen, data, sizeof(data));
299: xfree(sig);
1.32 markus 300: return key;
301: }
302:
1.63 itojun 303: static void
1.19 markus 304: do_convert_from_ssh2(struct passwd *pw)
305: {
306: Key *k;
307: int blen;
1.98 markus 308: u_int len;
1.19 markus 309: char line[1024], *p;
1.80 stevesk 310: u_char blob[8096];
1.19 markus 311: char encoded[8096];
312: struct stat st;
1.32 markus 313: int escaped = 0, private = 0, ok;
1.19 markus 314: FILE *fp;
315:
316: if (!have_identity)
317: ask_filename(pw, "Enter file in which the key is");
318: if (stat(identity_file, &st) < 0) {
319: perror(identity_file);
320: exit(1);
321: }
322: fp = fopen(identity_file, "r");
323: if (fp == NULL) {
324: perror(identity_file);
325: exit(1);
326: }
327: encoded[0] = '\0';
328: while (fgets(line, sizeof(line), fp)) {
1.25 markus 329: if (!(p = strchr(line, '\n'))) {
330: fprintf(stderr, "input line too long.\n");
331: exit(1);
332: }
333: if (p > line && p[-1] == '\\')
334: escaped++;
1.19 markus 335: if (strncmp(line, "----", 4) == 0 ||
336: strstr(line, ": ") != NULL) {
1.32 markus 337: if (strstr(line, SSH_COM_PRIVATE_BEGIN) != NULL)
338: private = 1;
1.64 markus 339: if (strstr(line, " END ") != NULL) {
340: break;
341: }
1.60 markus 342: /* fprintf(stderr, "ignore: %s", line); */
1.19 markus 343: continue;
344: }
1.25 markus 345: if (escaped) {
346: escaped--;
1.60 markus 347: /* fprintf(stderr, "escaped: %s", line); */
1.25 markus 348: continue;
1.19 markus 349: }
350: *p = '\0';
351: strlcat(encoded, line, sizeof(encoded));
352: }
1.98 markus 353: len = strlen(encoded);
354: if (((len % 4) == 3) &&
355: (encoded[len-1] == '=') &&
356: (encoded[len-2] == '=') &&
357: (encoded[len-3] == '='))
358: encoded[len-3] = '\0';
1.91 stevesk 359: blen = uudecode(encoded, blob, sizeof(blob));
1.19 markus 360: if (blen < 0) {
361: fprintf(stderr, "uudecode failed.\n");
362: exit(1);
363: }
1.32 markus 364: k = private ?
365: do_convert_private_ssh2_from_blob(blob, blen) :
1.33 markus 366: key_from_blob(blob, blen);
1.32 markus 367: if (k == NULL) {
368: fprintf(stderr, "decode blob failed.\n");
369: exit(1);
370: }
371: ok = private ?
1.53 markus 372: (k->type == KEY_DSA ?
373: PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, NULL, 0, NULL, NULL) :
374: PEM_write_RSAPrivateKey(stdout, k->rsa, NULL, NULL, 0, NULL, NULL)) :
1.32 markus 375: key_write(k, stdout);
376: if (!ok) {
377: fprintf(stderr, "key write failed");
378: exit(1);
379: }
1.19 markus 380: key_free(k);
1.90 markus 381: if (!private)
382: fprintf(stdout, "\n");
1.19 markus 383: fclose(fp);
384: exit(0);
385: }
386:
1.63 itojun 387: static void
1.19 markus 388: do_print_public(struct passwd *pw)
389: {
1.52 markus 390: Key *prv;
1.19 markus 391: struct stat st;
392:
393: if (!have_identity)
394: ask_filename(pw, "Enter file in which the key is");
395: if (stat(identity_file, &st) < 0) {
396: perror(identity_file);
397: exit(1);
398: }
1.61 markus 399: prv = load_identity(identity_file);
1.52 markus 400: if (prv == NULL) {
1.19 markus 401: fprintf(stderr, "load failed\n");
402: exit(1);
403: }
1.52 markus 404: if (!key_write(prv, stdout))
1.19 markus 405: fprintf(stderr, "key_write failed");
1.52 markus 406: key_free(prv);
1.19 markus 407: fprintf(stdout, "\n");
408: exit(0);
409: }
410:
1.74 markus 411: #ifdef SMARTCARD
1.66 markus 412: static void
1.75 markus 413: do_upload(struct passwd *pw, const char *sc_reader_id)
1.66 markus 414: {
415: Key *prv = NULL;
416: struct stat st;
1.95 markus 417: int ret;
1.66 markus 418:
419: if (!have_identity)
420: ask_filename(pw, "Enter file in which the key is");
421: if (stat(identity_file, &st) < 0) {
422: perror(identity_file);
1.95 markus 423: exit(1);
1.66 markus 424: }
425: prv = load_identity(identity_file);
426: if (prv == NULL) {
427: error("load failed");
1.95 markus 428: exit(1);
1.66 markus 429: }
1.95 markus 430: ret = sc_put_key(prv, sc_reader_id);
431: key_free(prv);
432: if (ret < 0)
433: exit(1);
1.103 itojun 434: logit("loading key done");
1.95 markus 435: exit(0);
1.74 markus 436: }
1.75 markus 437:
438: static void
439: do_download(struct passwd *pw, const char *sc_reader_id)
440: {
1.97 markus 441: Key **keys = NULL;
442: int i;
1.75 markus 443:
1.97 markus 444: keys = sc_get_keys(sc_reader_id, NULL);
445: if (keys == NULL)
1.75 markus 446: fatal("cannot read public key from smartcard");
1.97 markus 447: for (i = 0; keys[i]; i++) {
448: key_write(keys[i], stdout);
449: key_free(keys[i]);
450: fprintf(stdout, "\n");
451: }
452: xfree(keys);
1.75 markus 453: exit(0);
454: }
1.78 jakob 455: #endif /* SMARTCARD */
1.66 markus 456:
1.63 itojun 457: static void
1.8 markus 458: do_fingerprint(struct passwd *pw)
459: {
1.15 markus 460: FILE *f;
1.19 markus 461: Key *public;
1.49 markus 462: char *comment = NULL, *cp, *ep, line[16*1024], *fp;
1.84 stevesk 463: int i, skip = 0, num = 1, invalid = 1;
464: enum fp_rep rep;
465: enum fp_type fptype;
1.12 markus 466: struct stat st;
467:
1.52 markus 468: fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
469: rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
1.49 markus 470:
1.12 markus 471: if (!have_identity)
472: ask_filename(pw, "Enter file in which the key is");
473: if (stat(identity_file, &st) < 0) {
474: perror(identity_file);
475: exit(1);
476: }
1.52 markus 477: public = key_load_public(identity_file, &comment);
478: if (public != NULL) {
479: fp = key_fingerprint(public, fptype, rep);
1.101 deraadt 480: printf("%u %s %s\n", key_size(public), fp, comment);
1.33 markus 481: key_free(public);
482: xfree(comment);
1.49 markus 483: xfree(fp);
1.15 markus 484: exit(0);
485: }
1.52 markus 486: if (comment)
487: xfree(comment);
1.15 markus 488:
489: f = fopen(identity_file, "r");
490: if (f != NULL) {
491: while (fgets(line, sizeof(line), f)) {
492: i = strlen(line) - 1;
493: if (line[i] != '\n') {
494: error("line %d too long: %.40s...", num, line);
495: skip = 1;
496: continue;
497: }
498: num++;
499: if (skip) {
500: skip = 0;
501: continue;
502: }
503: line[i] = '\0';
504:
505: /* Skip leading whitespace, empty and comment lines. */
506: for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
507: ;
508: if (!*cp || *cp == '\n' || *cp == '#')
509: continue ;
510: i = strtol(cp, &ep, 10);
511: if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) {
512: int quoted = 0;
513: comment = cp;
1.101 deraadt 514: for (; *cp && (quoted || (*cp != ' ' &&
515: *cp != '\t')); cp++) {
1.15 markus 516: if (*cp == '\\' && cp[1] == '"')
517: cp++; /* Skip both */
518: else if (*cp == '"')
519: quoted = !quoted;
520: }
521: if (!*cp)
522: continue;
523: *cp++ = '\0';
524: }
525: ep = cp;
1.38 markus 526: public = key_new(KEY_RSA1);
527: if (key_read(public, &cp) != 1) {
528: cp = ep;
529: key_free(public);
530: public = key_new(KEY_UNSPEC);
531: if (key_read(public, &cp) != 1) {
532: key_free(public);
533: continue;
534: }
1.12 markus 535: }
1.38 markus 536: comment = *cp ? cp : comment;
1.52 markus 537: fp = key_fingerprint(public, fptype, rep);
1.101 deraadt 538: printf("%u %s %s\n", key_size(public), fp,
1.38 markus 539: comment ? comment : "no comment");
1.49 markus 540: xfree(fp);
1.52 markus 541: key_free(public);
1.38 markus 542: invalid = 0;
1.12 markus 543: }
1.15 markus 544: fclose(f);
545: }
546: if (invalid) {
1.83 markus 547: printf("%s is not a public key file.\n", identity_file);
1.15 markus 548: exit(1);
1.12 markus 549: }
550: exit(0);
1.8 markus 551: }
552:
1.119 ! djm 553: static void
! 554: print_host(FILE *f, char *name, Key *public, int hash)
! 555: {
! 556: if (hash && (name = host_hash(name, NULL, 0)) == NULL)
! 557: fatal("hash_host failed");
! 558: fprintf(f, "%s ", name);
! 559: if (!key_write(public, f))
! 560: fatal("key_write failed");
! 561: fprintf(f, "\n");
! 562: }
! 563:
! 564: static void
! 565: do_known_hosts(struct passwd *pw, const char *name)
! 566: {
! 567: FILE *in, *out = stdout;
! 568: Key *public;
! 569: char *cp, *cp2, *kp, *kp2;
! 570: char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN];
! 571: int c, i, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0;
! 572:
! 573: if (!have_identity) {
! 574: cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid);
! 575: if (strlcpy(identity_file, cp, sizeof(identity_file)) >=
! 576: sizeof(identity_file))
! 577: fatal("Specified known hosts path too long");
! 578: xfree(cp);
! 579: have_identity = 1;
! 580: }
! 581: if ((in = fopen(identity_file, "r")) == NULL)
! 582: fatal("fopen: %s", strerror(errno));
! 583:
! 584: /*
! 585: * Find hosts goes to stdout, hash and deletions happen in-place
! 586: * A corner case is ssh-keygen -HF foo, which should go to stdout
! 587: */
! 588: if (!find_host && (hash_hosts || delete_host)) {
! 589: if (strlcpy(tmp, identity_file, sizeof(tmp)) >= sizeof(tmp) ||
! 590: strlcat(tmp, ".XXXXXXXXXX", sizeof(tmp)) >= sizeof(tmp) ||
! 591: strlcpy(old, identity_file, sizeof(old)) >= sizeof(old) ||
! 592: strlcat(old, ".old", sizeof(old)) >= sizeof(old))
! 593: fatal("known_hosts path too long");
! 594: umask(077);
! 595: if ((c = mkstemp(tmp)) == -1)
! 596: fatal("mkstemp: %s", strerror(errno));
! 597: if ((out = fdopen(c, "w")) == NULL) {
! 598: c = errno;
! 599: unlink(tmp);
! 600: fatal("fdopen: %s", strerror(c));
! 601: }
! 602: inplace = 1;
! 603: }
! 604:
! 605: while (fgets(line, sizeof(line), in)) {
! 606: num++;
! 607: i = strlen(line) - 1;
! 608: if (line[i] != '\n') {
! 609: error("line %d too long: %.40s...", num, line);
! 610: skip = 1;
! 611: invalid = 1;
! 612: continue;
! 613: }
! 614: if (skip) {
! 615: skip = 0;
! 616: continue;
! 617: }
! 618: line[i] = '\0';
! 619:
! 620: /* Skip leading whitespace, empty and comment lines. */
! 621: for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
! 622: ;
! 623: if (!*cp || *cp == '\n' || *cp == '#') {
! 624: if (inplace)
! 625: fprintf(out, "%s\n", cp);
! 626: continue;
! 627: }
! 628: /* Find the end of the host name portion. */
! 629: for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++)
! 630: ;
! 631: if (*kp == '\0' || *(kp + 1) == '\0') {
! 632: error("line %d missing key: %.40s...",
! 633: num, line);
! 634: invalid = 1;
! 635: continue;
! 636: }
! 637: *kp++ = '\0';
! 638: kp2 = kp;
! 639:
! 640: public = key_new(KEY_RSA1);
! 641: if (key_read(public, &kp) != 1) {
! 642: kp = kp2;
! 643: key_free(public);
! 644: public = key_new(KEY_UNSPEC);
! 645: if (key_read(public, &kp) != 1) {
! 646: error("line %d invalid key: %.40s...",
! 647: num, line);
! 648: key_free(public);
! 649: invalid = 1;
! 650: continue;
! 651: }
! 652: }
! 653:
! 654: if (*cp == HASH_DELIM) {
! 655: if (find_host || delete_host) {
! 656: cp2 = host_hash(name, cp, strlen(cp));
! 657: if (cp2 == NULL) {
! 658: error("line %d: invalid hashed "
! 659: "name: %.64s...", num, line);
! 660: invalid = 1;
! 661: continue;
! 662: }
! 663: c = (strcmp(cp2, cp) == 0);
! 664: if (find_host && c) {
! 665: printf("# Host %s found: "
! 666: "line %d type %s\n", name,
! 667: num, key_type(public));
! 668: print_host(out, cp, public, 0);
! 669: }
! 670: if (delete_host && !c)
! 671: print_host(out, cp, public, 0);
! 672: } else if (hash_hosts)
! 673: print_host(out, cp, public, 0);
! 674: } else {
! 675: if (find_host || delete_host) {
! 676: c = (match_hostname(name, cp,
! 677: strlen(cp)) == 1);
! 678: if (find_host && c) {
! 679: printf("# Host %s found: "
! 680: "line %d type %s\n", name,
! 681: num, key_type(public));
! 682: print_host(out, cp, public, hash_hosts);
! 683: }
! 684: if (delete_host && !c)
! 685: print_host(out, cp, public, 0);
! 686: } else if (hash_hosts) {
! 687: for(cp2 = strsep(&cp, ",");
! 688: cp2 != NULL && *cp2 != '\0';
! 689: cp2 = strsep(&cp, ","))
! 690: print_host(out, cp2, public, 1);
! 691: has_unhashed = 1;
! 692: }
! 693: }
! 694: key_free(public);
! 695: }
! 696: fclose(in);
! 697:
! 698: if (invalid) {
! 699: fprintf(stderr, "%s is not a valid known_host file.\n",
! 700: identity_file);
! 701: if (inplace) {
! 702: fprintf(stderr, "Not replacing existing known_hosts "
! 703: "file beacuse of errors");
! 704: fclose(out);
! 705: unlink(tmp);
! 706: }
! 707: exit(1);
! 708: }
! 709:
! 710: if (inplace) {
! 711: fclose(out);
! 712:
! 713: /* Backup existing file */
! 714: if (unlink(old) == -1 && errno != ENOENT)
! 715: fatal("unlink %.100s: %s", old, strerror(errno));
! 716: if (link(identity_file, old) == -1)
! 717: fatal("link %.100s to %.100s: %s", identity_file, old,
! 718: strerror(errno));
! 719: /* Move new one into place */
! 720: if (rename(tmp, identity_file) == -1) {
! 721: error("rename\"%s\" to \"%s\": %s", tmp, identity_file,
! 722: strerror(errno));
! 723: unlink(tmp);
! 724: unlink(old);
! 725: exit(1);
! 726: }
! 727:
! 728: fprintf(stderr, "%s updated.\n", identity_file);
! 729: fprintf(stderr, "Original contents retained as %s\n", old);
! 730: if (has_unhashed) {
! 731: fprintf(stderr, "WARNING: %s contains unhashed "
! 732: "entries\n", old);
! 733: fprintf(stderr, "Delete this file to ensure privacy "
! 734: "of hostnames\n");
! 735: }
! 736: }
! 737:
! 738: exit(0);
! 739: }
! 740:
1.13 deraadt 741: /*
742: * Perform changing a passphrase. The argument is the passwd structure
743: * for the current user.
744: */
1.63 itojun 745: static void
1.7 markus 746: do_change_passphrase(struct passwd *pw)
747: {
1.12 markus 748: char *comment;
749: char *old_passphrase, *passphrase1, *passphrase2;
750: struct stat st;
1.19 markus 751: Key *private;
1.12 markus 752:
753: if (!have_identity)
754: ask_filename(pw, "Enter file in which the key is");
755: if (stat(identity_file, &st) < 0) {
756: perror(identity_file);
757: exit(1);
758: }
759: /* Try to load the file with empty passphrase. */
1.52 markus 760: private = key_load_private(identity_file, "", &comment);
761: if (private == NULL) {
1.12 markus 762: if (identity_passphrase)
763: old_passphrase = xstrdup(identity_passphrase);
764: else
1.65 markus 765: old_passphrase =
766: read_passphrase("Enter old passphrase: ",
767: RP_ALLOW_STDIN);
768: private = key_load_private(identity_file, old_passphrase,
769: &comment);
1.52 markus 770: memset(old_passphrase, 0, strlen(old_passphrase));
771: xfree(old_passphrase);
772: if (private == NULL) {
1.12 markus 773: printf("Bad passphrase.\n");
774: exit(1);
775: }
776: }
777: printf("Key has comment '%s'\n", comment);
778:
779: /* Ask the new passphrase (twice). */
780: if (identity_new_passphrase) {
781: passphrase1 = xstrdup(identity_new_passphrase);
782: passphrase2 = NULL;
783: } else {
784: passphrase1 =
1.65 markus 785: read_passphrase("Enter new passphrase (empty for no "
786: "passphrase): ", RP_ALLOW_STDIN);
787: passphrase2 = read_passphrase("Enter same passphrase again: ",
1.86 deraadt 788: RP_ALLOW_STDIN);
1.12 markus 789:
790: /* Verify that they are the same. */
791: if (strcmp(passphrase1, passphrase2) != 0) {
792: memset(passphrase1, 0, strlen(passphrase1));
793: memset(passphrase2, 0, strlen(passphrase2));
794: xfree(passphrase1);
795: xfree(passphrase2);
796: printf("Pass phrases do not match. Try again.\n");
797: exit(1);
798: }
799: /* Destroy the other copy. */
800: memset(passphrase2, 0, strlen(passphrase2));
801: xfree(passphrase2);
802: }
803:
804: /* Save the file using the new passphrase. */
1.52 markus 805: if (!key_save_private(private, identity_file, passphrase1, comment)) {
1.56 markus 806: printf("Saving the key failed: %s.\n", identity_file);
1.12 markus 807: memset(passphrase1, 0, strlen(passphrase1));
808: xfree(passphrase1);
1.19 markus 809: key_free(private);
1.12 markus 810: xfree(comment);
811: exit(1);
812: }
813: /* Destroy the passphrase and the copy of the key in memory. */
814: memset(passphrase1, 0, strlen(passphrase1));
815: xfree(passphrase1);
1.19 markus 816: key_free(private); /* Destroys contents */
1.12 markus 817: xfree(comment);
1.1 deraadt 818:
1.12 markus 819: printf("Your identification has been saved with the new passphrase.\n");
820: exit(0);
1.1 deraadt 821: }
822:
1.105 jakob 823: /*
824: * Print the SSHFP RR.
825: */
826: static void
1.116 avsm 827: do_print_resource_record(struct passwd *pw, char *hname)
1.105 jakob 828: {
829: Key *public;
830: char *comment = NULL;
831: struct stat st;
832:
833: if (!have_identity)
834: ask_filename(pw, "Enter file in which the key is");
835: if (stat(identity_file, &st) < 0) {
836: perror(identity_file);
837: exit(1);
838: }
839: public = key_load_public(identity_file, &comment);
840: if (public != NULL) {
1.116 avsm 841: export_dns_rr(hname, public, stdout, print_generic);
1.105 jakob 842: key_free(public);
843: xfree(comment);
844: exit(0);
845: }
846: if (comment)
847: xfree(comment);
848:
849: printf("failed to read v2 public key from %s.\n", identity_file);
850: exit(1);
851: }
852:
1.13 deraadt 853: /*
854: * Change the comment of a private key file.
855: */
1.63 itojun 856: static void
1.2 provos 857: do_change_comment(struct passwd *pw)
1.1 deraadt 858: {
1.46 deraadt 859: char new_comment[1024], *comment, *passphrase;
1.52 markus 860: Key *private;
861: Key *public;
1.12 markus 862: struct stat st;
863: FILE *f;
1.46 deraadt 864: int fd;
1.12 markus 865:
866: if (!have_identity)
867: ask_filename(pw, "Enter file in which the key is");
868: if (stat(identity_file, &st) < 0) {
869: perror(identity_file);
870: exit(1);
871: }
1.52 markus 872: private = key_load_private(identity_file, "", &comment);
873: if (private == NULL) {
1.12 markus 874: if (identity_passphrase)
875: passphrase = xstrdup(identity_passphrase);
876: else if (identity_new_passphrase)
877: passphrase = xstrdup(identity_new_passphrase);
878: else
1.65 markus 879: passphrase = read_passphrase("Enter passphrase: ",
880: RP_ALLOW_STDIN);
1.12 markus 881: /* Try to load using the passphrase. */
1.52 markus 882: private = key_load_private(identity_file, passphrase, &comment);
883: if (private == NULL) {
1.12 markus 884: memset(passphrase, 0, strlen(passphrase));
885: xfree(passphrase);
886: printf("Bad passphrase.\n");
887: exit(1);
888: }
1.52 markus 889: } else {
890: passphrase = xstrdup("");
1.12 markus 891: }
1.52 markus 892: if (private->type != KEY_RSA1) {
893: fprintf(stderr, "Comments are only supported for RSA1 keys.\n");
894: key_free(private);
895: exit(1);
1.86 deraadt 896: }
1.12 markus 897: printf("Key now has comment '%s'\n", comment);
898:
899: if (identity_comment) {
900: strlcpy(new_comment, identity_comment, sizeof(new_comment));
901: } else {
902: printf("Enter new comment: ");
903: fflush(stdout);
904: if (!fgets(new_comment, sizeof(new_comment), stdin)) {
905: memset(passphrase, 0, strlen(passphrase));
1.19 markus 906: key_free(private);
1.12 markus 907: exit(1);
908: }
909: if (strchr(new_comment, '\n'))
910: *strchr(new_comment, '\n') = 0;
911: }
912:
913: /* Save the file using the new passphrase. */
1.52 markus 914: if (!key_save_private(private, identity_file, passphrase, new_comment)) {
1.56 markus 915: printf("Saving the key failed: %s.\n", identity_file);
1.12 markus 916: memset(passphrase, 0, strlen(passphrase));
917: xfree(passphrase);
1.19 markus 918: key_free(private);
1.12 markus 919: xfree(comment);
920: exit(1);
921: }
922: memset(passphrase, 0, strlen(passphrase));
923: xfree(passphrase);
1.52 markus 924: public = key_from_private(private);
1.19 markus 925: key_free(private);
1.12 markus 926:
927: strlcat(identity_file, ".pub", sizeof(identity_file));
1.46 deraadt 928: fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
929: if (fd == -1) {
1.12 markus 930: printf("Could not save your public key in %s\n", identity_file);
931: exit(1);
932: }
1.46 deraadt 933: f = fdopen(fd, "w");
934: if (f == NULL) {
935: printf("fdopen %s failed", identity_file);
936: exit(1);
937: }
1.19 markus 938: if (!key_write(public, f))
939: fprintf(stderr, "write key failed");
940: key_free(public);
941: fprintf(f, " %s\n", new_comment);
1.12 markus 942: fclose(f);
1.1 deraadt 943:
1.12 markus 944: xfree(comment);
1.1 deraadt 945:
1.12 markus 946: printf("The comment in your key file has been changed.\n");
947: exit(0);
1.1 deraadt 948: }
949:
1.63 itojun 950: static void
1.10 markus 951: usage(void)
952: {
1.77 jakob 953: fprintf(stderr, "Usage: %s [options]\n", __progname);
954: fprintf(stderr, "Options:\n");
955: fprintf(stderr, " -b bits Number of bits in the key to create.\n");
956: fprintf(stderr, " -c Change comment in private and public key files.\n");
957: fprintf(stderr, " -e Convert OpenSSH to IETF SECSH key file.\n");
958: fprintf(stderr, " -f filename Filename of the key file.\n");
1.105 jakob 959: fprintf(stderr, " -g Use generic DNS resource record format.\n");
1.77 jakob 960: fprintf(stderr, " -i Convert IETF SECSH to OpenSSH key file.\n");
961: fprintf(stderr, " -l Show fingerprint of key file.\n");
962: fprintf(stderr, " -p Change passphrase of private key file.\n");
963: fprintf(stderr, " -q Quiet.\n");
964: fprintf(stderr, " -y Read private key file and print public key.\n");
965: fprintf(stderr, " -t type Specify type of key to create.\n");
966: fprintf(stderr, " -B Show bubblebabble digest of key file.\n");
1.119 ! djm 967: fprintf(stderr, " -H Hash names in known_hosts file\n");
! 968: fprintf(stderr, " -F hostname Find hostname in known hosts file\n");
1.77 jakob 969: fprintf(stderr, " -C comment Provide new comment.\n");
970: fprintf(stderr, " -N phrase Provide new passphrase.\n");
971: fprintf(stderr, " -P phrase Provide old passphrase.\n");
1.105 jakob 972: fprintf(stderr, " -r hostname Print DNS resource record.\n");
1.77 jakob 973: #ifdef SMARTCARD
974: fprintf(stderr, " -D reader Download public key from smartcard.\n");
975: fprintf(stderr, " -U reader Upload private key to smartcard.\n");
976: #endif /* SMARTCARD */
977:
1.107 djm 978: fprintf(stderr, " -G file Generate candidates for DH-GEX moduli\n");
979: fprintf(stderr, " -T file Screen candidates for DH-GEX moduli\n");
980:
1.12 markus 981: exit(1);
1.10 markus 982: }
983:
1.13 deraadt 984: /*
985: * Main program for key management.
986: */
1.2 provos 987: int
988: main(int ac, char **av)
1.1 deraadt 989: {
1.87 djm 990: char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
1.112 djm 991: char out_file[MAXPATHLEN], *reader_id = NULL;
1.119 ! djm 992: char *rr_hostname = NULL;
1.46 deraadt 993: Key *private, *public;
1.12 markus 994: struct passwd *pw;
995: struct stat st;
1.107 djm 996: int opt, type, fd, download = 0, memory = 0;
997: int generator_wanted = 0, trials = 100;
998: int do_gen_candidates = 0, do_screen_candidates = 0;
1.113 djm 999: int log_level = SYSLOG_LEVEL_INFO;
1.107 djm 1000: BIGNUM *start = NULL;
1.12 markus 1001: FILE *f;
1.33 markus 1002:
1.12 markus 1003: extern int optind;
1004: extern char *optarg;
1005:
1.26 markus 1006: SSLeay_add_all_algorithms();
1.107 djm 1007: log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
1.19 markus 1008:
1.14 markus 1009: /* we need this for the home * directory. */
1.12 markus 1010: pw = getpwuid(getuid());
1011: if (!pw) {
1012: printf("You don't exist, go away!\n");
1013: exit(1);
1014: }
1.19 markus 1015: if (gethostname(hostname, sizeof(hostname)) < 0) {
1016: perror("gethostname");
1017: exit(1);
1018: }
1.14 markus 1019:
1.107 djm 1020: while ((opt = getopt(ac, av,
1.119 ! djm 1021: "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
1.12 markus 1022: switch (opt) {
1023: case 'b':
1024: bits = atoi(optarg);
1025: if (bits < 512 || bits > 32768) {
1026: printf("Bits has bad value.\n");
1027: exit(1);
1028: }
1029: break;
1.119 ! djm 1030: case 'F':
! 1031: find_host = 1;
! 1032: rr_hostname = optarg;
! 1033: break;
! 1034: case 'H':
! 1035: hash_hosts = 1;
! 1036: break;
! 1037: case 'R':
! 1038: delete_host = 1;
! 1039: rr_hostname = optarg;
! 1040: break;
1.12 markus 1041: case 'l':
1042: print_fingerprint = 1;
1043: break;
1.49 markus 1044: case 'B':
1045: print_bubblebabble = 1;
1046: break;
1.12 markus 1047: case 'p':
1048: change_passphrase = 1;
1049: break;
1050: case 'c':
1051: change_comment = 1;
1052: break;
1053: case 'f':
1054: strlcpy(identity_file, optarg, sizeof(identity_file));
1055: have_identity = 1;
1056: break;
1.105 jakob 1057: case 'g':
1058: print_generic = 1;
1059: break;
1.12 markus 1060: case 'P':
1061: identity_passphrase = optarg;
1062: break;
1063: case 'N':
1064: identity_new_passphrase = optarg;
1065: break;
1066: case 'C':
1067: identity_comment = optarg;
1068: break;
1069: case 'q':
1070: quiet = 1;
1.20 deraadt 1071: break;
1.57 markus 1072: case 'e':
1.19 markus 1073: case 'x':
1.57 markus 1074: /* export key */
1.19 markus 1075: convert_to_ssh2 = 1;
1076: break;
1.57 markus 1077: case 'i':
1.19 markus 1078: case 'X':
1.57 markus 1079: /* import key */
1.19 markus 1080: convert_from_ssh2 = 1;
1081: break;
1082: case 'y':
1083: print_public = 1;
1.47 jakob 1084: break;
1.19 markus 1085: case 'd':
1.33 markus 1086: key_type_name = "dsa";
1.19 markus 1087: break;
1.33 markus 1088: case 't':
1089: key_type_name = optarg;
1090: break;
1.75 markus 1091: case 'D':
1092: download = 1;
1.76 jakob 1093: case 'U':
1.75 markus 1094: reader_id = optarg;
1.66 markus 1095: break;
1.113 djm 1096: case 'v':
1097: if (log_level == SYSLOG_LEVEL_INFO)
1098: log_level = SYSLOG_LEVEL_DEBUG1;
1099: else {
1.117 deraadt 1100: if (log_level >= SYSLOG_LEVEL_DEBUG1 &&
1.113 djm 1101: log_level < SYSLOG_LEVEL_DEBUG3)
1102: log_level++;
1103: }
1104: break;
1.105 jakob 1105: case 'r':
1.119 ! djm 1106: rr_hostname = optarg;
1.105 jakob 1107: break;
1.107 djm 1108: case 'W':
1109: generator_wanted = atoi(optarg);
1110: if (generator_wanted < 1)
1111: fatal("Desired generator has bad value.");
1112: break;
1113: case 'a':
1114: trials = atoi(optarg);
1115: break;
1116: case 'M':
1117: memory = atoi(optarg);
1118: break;
1119: case 'G':
1120: do_gen_candidates = 1;
1121: strlcpy(out_file, optarg, sizeof(out_file));
1122: break;
1123: case 'T':
1124: do_screen_candidates = 1;
1125: strlcpy(out_file, optarg, sizeof(out_file));
1126: break;
1127: case 'S':
1128: /* XXX - also compare length against bits */
1129: if (BN_hex2bn(&start, optarg) == 0)
1130: fatal("Invalid start point.");
1131: break;
1.12 markus 1132: case '?':
1133: default:
1134: usage();
1135: }
1136: }
1.113 djm 1137:
1138: /* reinit */
1139: log_init(av[0], log_level, SYSLOG_FACILITY_USER, 1);
1140:
1.12 markus 1141: if (optind < ac) {
1142: printf("Too many arguments.\n");
1.87 djm 1143: usage();
1144: }
1.12 markus 1145: if (change_passphrase && change_comment) {
1146: printf("Can only have one of -p and -c.\n");
1147: usage();
1148: }
1.119 ! djm 1149: if (delete_host || hash_hosts || find_host)
! 1150: do_known_hosts(pw, rr_hostname);
1.49 markus 1151: if (print_fingerprint || print_bubblebabble)
1.12 markus 1152: do_fingerprint(pw);
1153: if (change_passphrase)
1154: do_change_passphrase(pw);
1155: if (change_comment)
1156: do_change_comment(pw);
1.19 markus 1157: if (convert_to_ssh2)
1158: do_convert_to_ssh2(pw);
1159: if (convert_from_ssh2)
1160: do_convert_from_ssh2(pw);
1161: if (print_public)
1162: do_print_public(pw);
1.119 ! djm 1163: if (rr_hostname != NULL) {
! 1164: do_print_resource_record(pw, rr_hostname);
1.105 jakob 1165: }
1.75 markus 1166: if (reader_id != NULL) {
1.74 markus 1167: #ifdef SMARTCARD
1.75 markus 1168: if (download)
1169: do_download(pw, reader_id);
1170: else
1171: do_upload(pw, reader_id);
1.78 jakob 1172: #else /* SMARTCARD */
1.74 markus 1173: fatal("no support for smartcards.");
1.78 jakob 1174: #endif /* SMARTCARD */
1.107 djm 1175: }
1176:
1177: if (do_gen_candidates) {
1178: FILE *out = fopen(out_file, "w");
1.111 djm 1179:
1.107 djm 1180: if (out == NULL) {
1181: error("Couldn't open modulus candidate file \"%s\": %s",
1182: out_file, strerror(errno));
1183: return (1);
1184: }
1185: if (gen_candidates(out, memory, bits, start) != 0)
1186: fatal("modulus candidate generation failed\n");
1187:
1188: return (0);
1189: }
1190:
1191: if (do_screen_candidates) {
1192: FILE *in;
1193: FILE *out = fopen(out_file, "w");
1194:
1195: if (have_identity && strcmp(identity_file, "-") != 0) {
1196: if ((in = fopen(identity_file, "r")) == NULL) {
1197: fatal("Couldn't open modulus candidate "
1.111 djm 1198: "file \"%s\": %s", identity_file,
1.107 djm 1199: strerror(errno));
1200: }
1201: } else
1202: in = stdin;
1203:
1204: if (out == NULL) {
1205: fatal("Couldn't open moduli file \"%s\": %s",
1206: out_file, strerror(errno));
1207: }
1208: if (prime_test(in, out, trials, generator_wanted) != 0)
1209: fatal("modulus screening failed\n");
1.108 markus 1210: return (0);
1.75 markus 1211: }
1.12 markus 1212:
1213: arc4random_stir();
1214:
1.88 markus 1215: if (key_type_name == NULL) {
1216: printf("You must specify a key type (-t).\n");
1217: usage();
1218: }
1.35 markus 1219: type = key_type_from_name(key_type_name);
1220: if (type == KEY_UNSPEC) {
1221: fprintf(stderr, "unknown key type %s\n", key_type_name);
1222: exit(1);
1.19 markus 1223: }
1.33 markus 1224: if (!quiet)
1.35 markus 1225: printf("Generating public/private %s key pair.\n", key_type_name);
1.33 markus 1226: private = key_generate(type, bits);
1227: if (private == NULL) {
1228: fprintf(stderr, "key_generate failed");
1229: exit(1);
1230: }
1231: public = key_from_private(private);
1.12 markus 1232:
1233: if (!have_identity)
1234: ask_filename(pw, "Enter file in which to save the key");
1235:
1236: /* Create ~/.ssh directory if it doesn\'t already exist. */
1.40 markus 1237: snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR);
1.12 markus 1238: if (strstr(identity_file, dotsshdir) != NULL &&
1239: stat(dotsshdir, &st) < 0) {
1.29 djm 1240: if (mkdir(dotsshdir, 0700) < 0)
1.12 markus 1241: error("Could not create directory '%s'.", dotsshdir);
1242: else if (!quiet)
1243: printf("Created directory '%s'.\n", dotsshdir);
1244: }
1245: /* If the file already exists, ask the user to confirm. */
1246: if (stat(identity_file, &st) >= 0) {
1247: char yesno[3];
1248: printf("%s already exists.\n", identity_file);
1249: printf("Overwrite (y/n)? ");
1250: fflush(stdout);
1251: if (fgets(yesno, sizeof(yesno), stdin) == NULL)
1252: exit(1);
1253: if (yesno[0] != 'y' && yesno[0] != 'Y')
1254: exit(1);
1255: }
1256: /* Ask for a passphrase (twice). */
1257: if (identity_passphrase)
1258: passphrase1 = xstrdup(identity_passphrase);
1259: else if (identity_new_passphrase)
1260: passphrase1 = xstrdup(identity_new_passphrase);
1261: else {
1262: passphrase_again:
1263: passphrase1 =
1.65 markus 1264: read_passphrase("Enter passphrase (empty for no "
1265: "passphrase): ", RP_ALLOW_STDIN);
1266: passphrase2 = read_passphrase("Enter same passphrase again: ",
1267: RP_ALLOW_STDIN);
1.12 markus 1268: if (strcmp(passphrase1, passphrase2) != 0) {
1.65 markus 1269: /*
1270: * The passphrases do not match. Clear them and
1271: * retry.
1272: */
1.12 markus 1273: memset(passphrase1, 0, strlen(passphrase1));
1274: memset(passphrase2, 0, strlen(passphrase2));
1275: xfree(passphrase1);
1276: xfree(passphrase2);
1277: printf("Passphrases do not match. Try again.\n");
1278: goto passphrase_again;
1279: }
1280: /* Clear the other copy of the passphrase. */
1281: memset(passphrase2, 0, strlen(passphrase2));
1282: xfree(passphrase2);
1283: }
1284:
1285: if (identity_comment) {
1286: strlcpy(comment, identity_comment, sizeof(comment));
1287: } else {
1.18 markus 1288: /* Create default commend field for the passphrase. */
1.12 markus 1289: snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname);
1290: }
1291:
1292: /* Save the key with the given passphrase and comment. */
1.52 markus 1293: if (!key_save_private(private, identity_file, passphrase1, comment)) {
1.56 markus 1294: printf("Saving the key failed: %s.\n", identity_file);
1.12 markus 1295: memset(passphrase1, 0, strlen(passphrase1));
1296: xfree(passphrase1);
1297: exit(1);
1298: }
1299: /* Clear the passphrase. */
1300: memset(passphrase1, 0, strlen(passphrase1));
1301: xfree(passphrase1);
1302:
1303: /* Clear the private key and the random number generator. */
1.33 markus 1304: key_free(private);
1.12 markus 1305: arc4random_stir();
1306:
1307: if (!quiet)
1308: printf("Your identification has been saved in %s.\n", identity_file);
1309:
1310: strlcat(identity_file, ".pub", sizeof(identity_file));
1.46 deraadt 1311: fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
1312: if (fd == -1) {
1.12 markus 1313: printf("Could not save your public key in %s\n", identity_file);
1.46 deraadt 1314: exit(1);
1315: }
1316: f = fdopen(fd, "w");
1317: if (f == NULL) {
1318: printf("fdopen %s failed", identity_file);
1.12 markus 1319: exit(1);
1320: }
1.19 markus 1321: if (!key_write(public, f))
1322: fprintf(stderr, "write key failed");
1323: fprintf(f, " %s\n", comment);
1.12 markus 1324: fclose(f);
1325:
1326: if (!quiet) {
1.50 markus 1327: char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
1.19 markus 1328: printf("Your public key has been saved in %s.\n",
1329: identity_file);
1.12 markus 1330: printf("The key fingerprint is:\n");
1.50 markus 1331: printf("%s %s\n", fp, comment);
1332: xfree(fp);
1.12 markus 1333: }
1.19 markus 1334:
1335: key_free(public);
1.12 markus 1336: exit(0);
1.1 deraadt 1337: }