Annotation of src/usr.bin/ssh/ssh-keygen.c, Revision 1.147
1.147 ! stevesk 1: /* $OpenBSD: ssh-keygen.c,v 1.146 2006/07/06 16:22:39 stevesk Exp $ */
1.1 deraadt 2: /*
1.13 deraadt 3: * Author: Tatu Ylonen <ylo@cs.hut.fi>
4: * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: * All rights reserved
6: * Identity and host key generation and maintenance.
1.31 deraadt 7: *
8: * As far as I am concerned, the code I have written for this software
9: * can be used freely for any purpose. Any derived versions of this
10: * software must be clearly marked as such, and if the derived work is
11: * incompatible with the protocol description in the RFC file, it must be
12: * called by a name other than "ssh" or "Secure Shell".
1.13 deraadt 13: */
1.1 deraadt 14:
15: #include "includes.h"
1.136 stevesk 16:
17: #include <sys/types.h>
18: #include <sys/stat.h>
1.19 markus 19:
20: #include <openssl/evp.h>
21: #include <openssl/pem.h>
1.145 stevesk 22:
1.147 ! stevesk 23: #include <fcntl.h>
1.145 stevesk 24: #include <pwd.h>
1.1 deraadt 25:
26: #include "xmalloc.h"
1.19 markus 27: #include "key.h"
1.53 markus 28: #include "rsa.h"
1.19 markus 29: #include "authfile.h"
30: #include "uuencode.h"
1.32 markus 31: #include "buffer.h"
32: #include "bufaux.h"
1.40 markus 33: #include "pathnames.h"
1.41 markus 34: #include "log.h"
1.114 djm 35: #include "misc.h"
1.119 djm 36: #include "match.h"
37: #include "hostfile.h"
1.146 stevesk 38: #include "dns.h"
1.32 markus 39:
1.75 markus 40: #ifdef SMARTCARD
41: #include "scard.h"
1.106 djm 42: #endif
1.66 markus 43:
1.130 markus 44: /* Number of bits in the RSA/DSA key. This value can be set on the command line. */
45: #define DEFAULT_BITS 2048
46: #define DEFAULT_BITS_DSA 1024
47: u_int32_t bits = 0;
1.1 deraadt 48:
1.14 markus 49: /*
50: * Flag indicating that we just want to change the passphrase. This can be
51: * set on the command line.
52: */
1.1 deraadt 53: int change_passphrase = 0;
54:
1.14 markus 55: /*
56: * Flag indicating that we just want to change the comment. This can be set
57: * on the command line.
58: */
1.1 deraadt 59: int change_comment = 0;
60:
1.2 provos 61: int quiet = 0;
62:
1.119 djm 63: /* Flag indicating that we want to hash a known_hosts file */
64: int hash_hosts = 0;
65: /* Flag indicating that we want lookup a host in known_hosts file */
66: int find_host = 0;
67: /* Flag indicating that we want to delete a host from a known_hosts file */
68: int delete_host = 0;
69:
1.8 markus 70: /* Flag indicating that we just want to see the key fingerprint */
71: int print_fingerprint = 0;
1.49 markus 72: int print_bubblebabble = 0;
1.8 markus 73:
1.10 markus 74: /* The identity file name, given on the command line or entered by the user. */
75: char identity_file[1024];
76: int have_identity = 0;
1.1 deraadt 77:
78: /* This is set to the passphrase if given on the command line. */
79: char *identity_passphrase = NULL;
80:
81: /* This is set to the new passphrase if given on the command line. */
82: char *identity_new_passphrase = NULL;
83:
84: /* This is set to the new comment if given on the command line. */
85: char *identity_comment = NULL;
86:
1.19 markus 87: /* Dump public key file in format used by real and the original SSH 2 */
88: int convert_to_ssh2 = 0;
89: int convert_from_ssh2 = 0;
90: int print_public = 0;
1.105 jakob 91: int print_generic = 0;
1.33 markus 92:
1.87 djm 93: char *key_type_name = NULL;
1.19 markus 94:
1.10 markus 95: /* argv0 */
96: extern char *__progname;
1.1 deraadt 97:
1.19 markus 98: char hostname[MAXHOSTNAMELEN];
99:
1.115 djm 100: /* moduli.c */
1.124 avsm 101: int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
1.115 djm 102: int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
103:
1.63 itojun 104: static void
1.10 markus 105: ask_filename(struct passwd *pw, const char *prompt)
1.1 deraadt 106: {
1.12 markus 107: char buf[1024];
1.35 markus 108: char *name = NULL;
109:
1.92 stevesk 110: if (key_type_name == NULL)
1.40 markus 111: name = _PATH_SSH_CLIENT_ID_RSA;
1.140 deraadt 112: else {
1.92 stevesk 113: switch (key_type_from_name(key_type_name)) {
114: case KEY_RSA1:
115: name = _PATH_SSH_CLIENT_IDENTITY;
116: break;
117: case KEY_DSA:
118: name = _PATH_SSH_CLIENT_ID_DSA;
119: break;
120: case KEY_RSA:
121: name = _PATH_SSH_CLIENT_ID_RSA;
122: break;
123: default:
124: fprintf(stderr, "bad key type");
125: exit(1);
126: break;
127: }
1.140 deraadt 128: }
1.35 markus 129: snprintf(identity_file, sizeof(identity_file), "%s/%s", pw->pw_dir, name);
1.37 markus 130: fprintf(stderr, "%s (%s): ", prompt, identity_file);
1.12 markus 131: if (fgets(buf, sizeof(buf), stdin) == NULL)
132: exit(1);
133: if (strchr(buf, '\n'))
134: *strchr(buf, '\n') = 0;
135: if (strcmp(buf, "") != 0)
136: strlcpy(identity_file, buf, sizeof(identity_file));
137: have_identity = 1;
1.7 markus 138: }
139:
1.63 itojun 140: static Key *
1.61 markus 141: load_identity(char *filename)
1.19 markus 142: {
1.52 markus 143: char *pass;
144: Key *prv;
145:
1.55 markus 146: prv = key_load_private(filename, "", NULL);
1.52 markus 147: if (prv == NULL) {
1.61 markus 148: if (identity_passphrase)
149: pass = xstrdup(identity_passphrase);
150: else
1.65 markus 151: pass = read_passphrase("Enter passphrase: ",
152: RP_ALLOW_STDIN);
1.52 markus 153: prv = key_load_private(filename, pass, NULL);
1.19 markus 154: memset(pass, 0, strlen(pass));
155: xfree(pass);
156: }
1.52 markus 157: return prv;
1.19 markus 158: }
159:
1.32 markus 160: #define SSH_COM_PUBLIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----"
1.100 deraadt 161: #define SSH_COM_PUBLIC_END "---- END SSH2 PUBLIC KEY ----"
1.32 markus 162: #define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
1.42 stevesk 163: #define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb
1.19 markus 164:
1.63 itojun 165: static void
1.19 markus 166: do_convert_to_ssh2(struct passwd *pw)
167: {
1.59 markus 168: Key *k;
1.94 markus 169: u_int len;
1.36 markus 170: u_char *blob;
1.19 markus 171: struct stat st;
172:
173: if (!have_identity)
174: ask_filename(pw, "Enter file in which the key is");
175: if (stat(identity_file, &st) < 0) {
176: perror(identity_file);
177: exit(1);
178: }
1.59 markus 179: if ((k = key_load_public(identity_file, NULL)) == NULL) {
1.61 markus 180: if ((k = load_identity(identity_file)) == NULL) {
1.59 markus 181: fprintf(stderr, "load failed\n");
182: exit(1);
183: }
1.104 markus 184: }
185: if (k->type == KEY_RSA1) {
186: fprintf(stderr, "version 1 keys are not supported\n");
187: exit(1);
1.19 markus 188: }
1.81 markus 189: if (key_to_blob(k, &blob, &len) <= 0) {
190: fprintf(stderr, "key_to_blob failed\n");
191: exit(1);
192: }
1.32 markus 193: fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN);
1.19 markus 194: fprintf(stdout,
1.101 deraadt 195: "Comment: \"%u-bit %s, converted from OpenSSH by %s@%s\"\n",
1.59 markus 196: key_size(k), key_type(k),
1.19 markus 197: pw->pw_name, hostname);
198: dump_base64(stdout, blob, len);
1.32 markus 199: fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END);
1.59 markus 200: key_free(k);
1.21 markus 201: xfree(blob);
1.19 markus 202: exit(0);
203: }
204:
1.63 itojun 205: static void
1.32 markus 206: buffer_get_bignum_bits(Buffer *b, BIGNUM *value)
207: {
1.116 avsm 208: u_int bignum_bits = buffer_get_int(b);
209: u_int bytes = (bignum_bits + 7) / 8;
1.53 markus 210:
1.32 markus 211: if (buffer_len(b) < bytes)
1.53 markus 212: fatal("buffer_get_bignum_bits: input buffer too small: "
213: "need %d have %d", bytes, buffer_len(b));
1.89 stevesk 214: BN_bin2bn(buffer_ptr(b), bytes, value);
1.32 markus 215: buffer_consume(b, bytes);
216: }
217:
1.63 itojun 218: static Key *
1.93 markus 219: do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
1.32 markus 220: {
221: Buffer b;
222: Key *key = NULL;
1.64 markus 223: char *type, *cipher;
1.69 stevesk 224: u_char *sig, data[] = "abcde12345";
1.62 markus 225: int magic, rlen, ktype, i1, i2, i3, i4;
1.64 markus 226: u_int slen;
1.62 markus 227: u_long e;
1.32 markus 228:
229: buffer_init(&b);
230: buffer_append(&b, blob, blen);
231:
232: magic = buffer_get_int(&b);
233: if (magic != SSH_COM_PRIVATE_KEY_MAGIC) {
234: error("bad magic 0x%x != 0x%x", magic, SSH_COM_PRIVATE_KEY_MAGIC);
235: buffer_free(&b);
236: return NULL;
237: }
1.62 markus 238: i1 = buffer_get_int(&b);
1.32 markus 239: type = buffer_get_string(&b, NULL);
240: cipher = buffer_get_string(&b, NULL);
1.62 markus 241: i2 = buffer_get_int(&b);
242: i3 = buffer_get_int(&b);
243: i4 = buffer_get_int(&b);
244: debug("ignore (%d %d %d %d)", i1,i2,i3,i4);
1.32 markus 245: if (strcmp(cipher, "none") != 0) {
246: error("unsupported cipher %s", cipher);
247: xfree(cipher);
248: buffer_free(&b);
1.53 markus 249: xfree(type);
1.32 markus 250: return NULL;
251: }
252: xfree(cipher);
253:
1.53 markus 254: if (strstr(type, "dsa")) {
255: ktype = KEY_DSA;
256: } else if (strstr(type, "rsa")) {
257: ktype = KEY_RSA;
258: } else {
1.118 markus 259: buffer_free(&b);
1.53 markus 260: xfree(type);
1.32 markus 261: return NULL;
262: }
1.53 markus 263: key = key_new_private(ktype);
264: xfree(type);
265:
266: switch (key->type) {
267: case KEY_DSA:
268: buffer_get_bignum_bits(&b, key->dsa->p);
269: buffer_get_bignum_bits(&b, key->dsa->g);
270: buffer_get_bignum_bits(&b, key->dsa->q);
271: buffer_get_bignum_bits(&b, key->dsa->pub_key);
272: buffer_get_bignum_bits(&b, key->dsa->priv_key);
273: break;
274: case KEY_RSA:
1.62 markus 275: e = buffer_get_char(&b);
276: debug("e %lx", e);
277: if (e < 30) {
278: e <<= 8;
279: e += buffer_get_char(&b);
280: debug("e %lx", e);
281: e <<= 8;
282: e += buffer_get_char(&b);
283: debug("e %lx", e);
284: }
285: if (!BN_set_word(key->rsa->e, e)) {
1.53 markus 286: buffer_free(&b);
287: key_free(key);
288: return NULL;
289: }
290: buffer_get_bignum_bits(&b, key->rsa->d);
291: buffer_get_bignum_bits(&b, key->rsa->n);
292: buffer_get_bignum_bits(&b, key->rsa->iqmp);
293: buffer_get_bignum_bits(&b, key->rsa->q);
294: buffer_get_bignum_bits(&b, key->rsa->p);
1.68 markus 295: rsa_generate_additional_parameters(key->rsa);
1.53 markus 296: break;
297: }
1.32 markus 298: rlen = buffer_len(&b);
1.85 deraadt 299: if (rlen != 0)
1.53 markus 300: error("do_convert_private_ssh2_from_blob: "
301: "remaining bytes in key blob %d", rlen);
1.32 markus 302: buffer_free(&b);
1.64 markus 303:
304: /* try the key */
305: key_sign(key, &sig, &slen, data, sizeof(data));
306: key_verify(key, sig, slen, data, sizeof(data));
307: xfree(sig);
1.32 markus 308: return key;
309: }
310:
1.137 dtucker 311: static int
312: get_line(FILE *fp, char *line, size_t len)
313: {
314: int c;
315: size_t pos = 0;
316:
317: line[0] = '\0';
318: while ((c = fgetc(fp)) != EOF) {
319: if (pos >= len - 1) {
320: fprintf(stderr, "input line too long.\n");
321: exit(1);
322: }
1.140 deraadt 323: switch (c) {
1.137 dtucker 324: case '\r':
325: c = fgetc(fp);
326: if (c != EOF && c != '\n' && ungetc(c, fp) == EOF) {
327: fprintf(stderr, "unget: %s\n", strerror(errno));
328: exit(1);
329: }
330: return pos;
331: case '\n':
332: return pos;
333: }
334: line[pos++] = c;
335: line[pos] = '\0';
336: }
1.143 dtucker 337: if (c == EOF)
338: return -1;
1.137 dtucker 339: return pos;
340: }
341:
1.63 itojun 342: static void
1.19 markus 343: do_convert_from_ssh2(struct passwd *pw)
344: {
345: Key *k;
346: int blen;
1.98 markus 347: u_int len;
1.137 dtucker 348: char line[1024];
1.80 stevesk 349: u_char blob[8096];
1.19 markus 350: char encoded[8096];
351: struct stat st;
1.32 markus 352: int escaped = 0, private = 0, ok;
1.19 markus 353: FILE *fp;
354:
355: if (!have_identity)
356: ask_filename(pw, "Enter file in which the key is");
357: if (stat(identity_file, &st) < 0) {
358: perror(identity_file);
359: exit(1);
360: }
361: fp = fopen(identity_file, "r");
362: if (fp == NULL) {
363: perror(identity_file);
364: exit(1);
365: }
366: encoded[0] = '\0';
1.137 dtucker 367: while ((blen = get_line(fp, line, sizeof(line))) != -1) {
368: if (line[blen - 1] == '\\')
1.25 markus 369: escaped++;
1.19 markus 370: if (strncmp(line, "----", 4) == 0 ||
371: strstr(line, ": ") != NULL) {
1.32 markus 372: if (strstr(line, SSH_COM_PRIVATE_BEGIN) != NULL)
373: private = 1;
1.64 markus 374: if (strstr(line, " END ") != NULL) {
375: break;
376: }
1.60 markus 377: /* fprintf(stderr, "ignore: %s", line); */
1.19 markus 378: continue;
379: }
1.25 markus 380: if (escaped) {
381: escaped--;
1.60 markus 382: /* fprintf(stderr, "escaped: %s", line); */
1.25 markus 383: continue;
1.19 markus 384: }
385: strlcat(encoded, line, sizeof(encoded));
386: }
1.98 markus 387: len = strlen(encoded);
388: if (((len % 4) == 3) &&
389: (encoded[len-1] == '=') &&
390: (encoded[len-2] == '=') &&
391: (encoded[len-3] == '='))
392: encoded[len-3] = '\0';
1.91 stevesk 393: blen = uudecode(encoded, blob, sizeof(blob));
1.19 markus 394: if (blen < 0) {
395: fprintf(stderr, "uudecode failed.\n");
396: exit(1);
397: }
1.32 markus 398: k = private ?
399: do_convert_private_ssh2_from_blob(blob, blen) :
1.33 markus 400: key_from_blob(blob, blen);
1.32 markus 401: if (k == NULL) {
402: fprintf(stderr, "decode blob failed.\n");
403: exit(1);
404: }
405: ok = private ?
1.53 markus 406: (k->type == KEY_DSA ?
407: PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, NULL, 0, NULL, NULL) :
408: PEM_write_RSAPrivateKey(stdout, k->rsa, NULL, NULL, 0, NULL, NULL)) :
1.32 markus 409: key_write(k, stdout);
410: if (!ok) {
411: fprintf(stderr, "key write failed");
412: exit(1);
413: }
1.19 markus 414: key_free(k);
1.90 markus 415: if (!private)
416: fprintf(stdout, "\n");
1.19 markus 417: fclose(fp);
418: exit(0);
419: }
420:
1.63 itojun 421: static void
1.19 markus 422: do_print_public(struct passwd *pw)
423: {
1.52 markus 424: Key *prv;
1.19 markus 425: struct stat st;
426:
427: if (!have_identity)
428: ask_filename(pw, "Enter file in which the key is");
429: if (stat(identity_file, &st) < 0) {
430: perror(identity_file);
431: exit(1);
432: }
1.61 markus 433: prv = load_identity(identity_file);
1.52 markus 434: if (prv == NULL) {
1.19 markus 435: fprintf(stderr, "load failed\n");
436: exit(1);
437: }
1.52 markus 438: if (!key_write(prv, stdout))
1.19 markus 439: fprintf(stderr, "key_write failed");
1.52 markus 440: key_free(prv);
1.19 markus 441: fprintf(stdout, "\n");
442: exit(0);
443: }
444:
1.74 markus 445: #ifdef SMARTCARD
1.66 markus 446: static void
1.75 markus 447: do_upload(struct passwd *pw, const char *sc_reader_id)
1.66 markus 448: {
449: Key *prv = NULL;
450: struct stat st;
1.95 markus 451: int ret;
1.66 markus 452:
453: if (!have_identity)
454: ask_filename(pw, "Enter file in which the key is");
455: if (stat(identity_file, &st) < 0) {
456: perror(identity_file);
1.95 markus 457: exit(1);
1.66 markus 458: }
459: prv = load_identity(identity_file);
460: if (prv == NULL) {
461: error("load failed");
1.95 markus 462: exit(1);
1.66 markus 463: }
1.95 markus 464: ret = sc_put_key(prv, sc_reader_id);
465: key_free(prv);
466: if (ret < 0)
467: exit(1);
1.103 itojun 468: logit("loading key done");
1.95 markus 469: exit(0);
1.74 markus 470: }
1.75 markus 471:
472: static void
473: do_download(struct passwd *pw, const char *sc_reader_id)
474: {
1.97 markus 475: Key **keys = NULL;
476: int i;
1.75 markus 477:
1.97 markus 478: keys = sc_get_keys(sc_reader_id, NULL);
479: if (keys == NULL)
1.75 markus 480: fatal("cannot read public key from smartcard");
1.97 markus 481: for (i = 0; keys[i]; i++) {
482: key_write(keys[i], stdout);
483: key_free(keys[i]);
484: fprintf(stdout, "\n");
485: }
486: xfree(keys);
1.75 markus 487: exit(0);
488: }
1.78 jakob 489: #endif /* SMARTCARD */
1.66 markus 490:
1.63 itojun 491: static void
1.8 markus 492: do_fingerprint(struct passwd *pw)
493: {
1.15 markus 494: FILE *f;
1.19 markus 495: Key *public;
1.49 markus 496: char *comment = NULL, *cp, *ep, line[16*1024], *fp;
1.84 stevesk 497: int i, skip = 0, num = 1, invalid = 1;
498: enum fp_rep rep;
499: enum fp_type fptype;
1.12 markus 500: struct stat st;
501:
1.52 markus 502: fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
503: rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
1.49 markus 504:
1.12 markus 505: if (!have_identity)
506: ask_filename(pw, "Enter file in which the key is");
507: if (stat(identity_file, &st) < 0) {
508: perror(identity_file);
509: exit(1);
510: }
1.52 markus 511: public = key_load_public(identity_file, &comment);
512: if (public != NULL) {
513: fp = key_fingerprint(public, fptype, rep);
1.101 deraadt 514: printf("%u %s %s\n", key_size(public), fp, comment);
1.33 markus 515: key_free(public);
516: xfree(comment);
1.49 markus 517: xfree(fp);
1.15 markus 518: exit(0);
519: }
1.144 markus 520: if (comment) {
1.52 markus 521: xfree(comment);
1.144 markus 522: comment = NULL;
523: }
1.15 markus 524:
525: f = fopen(identity_file, "r");
526: if (f != NULL) {
527: while (fgets(line, sizeof(line), f)) {
528: i = strlen(line) - 1;
529: if (line[i] != '\n') {
530: error("line %d too long: %.40s...", num, line);
531: skip = 1;
532: continue;
533: }
534: num++;
535: if (skip) {
536: skip = 0;
537: continue;
538: }
539: line[i] = '\0';
540:
541: /* Skip leading whitespace, empty and comment lines. */
542: for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
543: ;
544: if (!*cp || *cp == '\n' || *cp == '#')
545: continue ;
546: i = strtol(cp, &ep, 10);
547: if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) {
548: int quoted = 0;
549: comment = cp;
1.101 deraadt 550: for (; *cp && (quoted || (*cp != ' ' &&
551: *cp != '\t')); cp++) {
1.15 markus 552: if (*cp == '\\' && cp[1] == '"')
553: cp++; /* Skip both */
554: else if (*cp == '"')
555: quoted = !quoted;
556: }
557: if (!*cp)
558: continue;
559: *cp++ = '\0';
560: }
561: ep = cp;
1.38 markus 562: public = key_new(KEY_RSA1);
563: if (key_read(public, &cp) != 1) {
564: cp = ep;
565: key_free(public);
566: public = key_new(KEY_UNSPEC);
567: if (key_read(public, &cp) != 1) {
568: key_free(public);
569: continue;
570: }
1.12 markus 571: }
1.38 markus 572: comment = *cp ? cp : comment;
1.52 markus 573: fp = key_fingerprint(public, fptype, rep);
1.101 deraadt 574: printf("%u %s %s\n", key_size(public), fp,
1.38 markus 575: comment ? comment : "no comment");
1.49 markus 576: xfree(fp);
1.52 markus 577: key_free(public);
1.38 markus 578: invalid = 0;
1.12 markus 579: }
1.15 markus 580: fclose(f);
581: }
582: if (invalid) {
1.83 markus 583: printf("%s is not a public key file.\n", identity_file);
1.15 markus 584: exit(1);
1.12 markus 585: }
586: exit(0);
1.8 markus 587: }
588:
1.119 djm 589: static void
590: print_host(FILE *f, char *name, Key *public, int hash)
591: {
592: if (hash && (name = host_hash(name, NULL, 0)) == NULL)
593: fatal("hash_host failed");
594: fprintf(f, "%s ", name);
595: if (!key_write(public, f))
596: fatal("key_write failed");
597: fprintf(f, "\n");
598: }
599:
600: static void
601: do_known_hosts(struct passwd *pw, const char *name)
602: {
603: FILE *in, *out = stdout;
604: Key *public;
605: char *cp, *cp2, *kp, *kp2;
606: char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN];
607: int c, i, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0;
608:
609: if (!have_identity) {
610: cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid);
611: if (strlcpy(identity_file, cp, sizeof(identity_file)) >=
612: sizeof(identity_file))
613: fatal("Specified known hosts path too long");
614: xfree(cp);
615: have_identity = 1;
616: }
617: if ((in = fopen(identity_file, "r")) == NULL)
618: fatal("fopen: %s", strerror(errno));
619:
620: /*
621: * Find hosts goes to stdout, hash and deletions happen in-place
622: * A corner case is ssh-keygen -HF foo, which should go to stdout
623: */
624: if (!find_host && (hash_hosts || delete_host)) {
625: if (strlcpy(tmp, identity_file, sizeof(tmp)) >= sizeof(tmp) ||
626: strlcat(tmp, ".XXXXXXXXXX", sizeof(tmp)) >= sizeof(tmp) ||
627: strlcpy(old, identity_file, sizeof(old)) >= sizeof(old) ||
628: strlcat(old, ".old", sizeof(old)) >= sizeof(old))
629: fatal("known_hosts path too long");
630: umask(077);
631: if ((c = mkstemp(tmp)) == -1)
632: fatal("mkstemp: %s", strerror(errno));
633: if ((out = fdopen(c, "w")) == NULL) {
634: c = errno;
635: unlink(tmp);
636: fatal("fdopen: %s", strerror(c));
637: }
638: inplace = 1;
639: }
640:
641: while (fgets(line, sizeof(line), in)) {
642: num++;
643: i = strlen(line) - 1;
644: if (line[i] != '\n') {
645: error("line %d too long: %.40s...", num, line);
646: skip = 1;
647: invalid = 1;
648: continue;
649: }
650: if (skip) {
651: skip = 0;
652: continue;
653: }
654: line[i] = '\0';
655:
656: /* Skip leading whitespace, empty and comment lines. */
657: for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
658: ;
659: if (!*cp || *cp == '\n' || *cp == '#') {
660: if (inplace)
661: fprintf(out, "%s\n", cp);
662: continue;
663: }
664: /* Find the end of the host name portion. */
665: for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++)
666: ;
667: if (*kp == '\0' || *(kp + 1) == '\0') {
668: error("line %d missing key: %.40s...",
669: num, line);
670: invalid = 1;
671: continue;
672: }
673: *kp++ = '\0';
674: kp2 = kp;
675:
676: public = key_new(KEY_RSA1);
677: if (key_read(public, &kp) != 1) {
678: kp = kp2;
679: key_free(public);
680: public = key_new(KEY_UNSPEC);
681: if (key_read(public, &kp) != 1) {
682: error("line %d invalid key: %.40s...",
683: num, line);
684: key_free(public);
685: invalid = 1;
686: continue;
687: }
688: }
689:
690: if (*cp == HASH_DELIM) {
691: if (find_host || delete_host) {
692: cp2 = host_hash(name, cp, strlen(cp));
693: if (cp2 == NULL) {
694: error("line %d: invalid hashed "
695: "name: %.64s...", num, line);
696: invalid = 1;
697: continue;
698: }
699: c = (strcmp(cp2, cp) == 0);
700: if (find_host && c) {
701: printf("# Host %s found: "
702: "line %d type %s\n", name,
703: num, key_type(public));
704: print_host(out, cp, public, 0);
705: }
706: if (delete_host && !c)
707: print_host(out, cp, public, 0);
708: } else if (hash_hosts)
709: print_host(out, cp, public, 0);
710: } else {
711: if (find_host || delete_host) {
712: c = (match_hostname(name, cp,
713: strlen(cp)) == 1);
714: if (find_host && c) {
715: printf("# Host %s found: "
716: "line %d type %s\n", name,
717: num, key_type(public));
718: print_host(out, cp, public, hash_hosts);
719: }
720: if (delete_host && !c)
721: print_host(out, cp, public, 0);
722: } else if (hash_hosts) {
1.121 deraadt 723: for (cp2 = strsep(&cp, ",");
1.119 djm 724: cp2 != NULL && *cp2 != '\0';
1.120 djm 725: cp2 = strsep(&cp, ",")) {
726: if (strcspn(cp2, "*?!") != strlen(cp2))
727: fprintf(stderr, "Warning: "
728: "ignoring host name with "
729: "metacharacters: %.64s\n",
730: cp2);
731: else
732: print_host(out, cp2, public, 1);
733: }
1.119 djm 734: has_unhashed = 1;
735: }
736: }
737: key_free(public);
738: }
739: fclose(in);
740:
741: if (invalid) {
742: fprintf(stderr, "%s is not a valid known_host file.\n",
743: identity_file);
744: if (inplace) {
745: fprintf(stderr, "Not replacing existing known_hosts "
1.122 markus 746: "file because of errors\n");
1.119 djm 747: fclose(out);
748: unlink(tmp);
749: }
750: exit(1);
751: }
752:
753: if (inplace) {
754: fclose(out);
755:
756: /* Backup existing file */
757: if (unlink(old) == -1 && errno != ENOENT)
758: fatal("unlink %.100s: %s", old, strerror(errno));
759: if (link(identity_file, old) == -1)
760: fatal("link %.100s to %.100s: %s", identity_file, old,
761: strerror(errno));
762: /* Move new one into place */
763: if (rename(tmp, identity_file) == -1) {
764: error("rename\"%s\" to \"%s\": %s", tmp, identity_file,
765: strerror(errno));
766: unlink(tmp);
767: unlink(old);
768: exit(1);
769: }
770:
771: fprintf(stderr, "%s updated.\n", identity_file);
772: fprintf(stderr, "Original contents retained as %s\n", old);
773: if (has_unhashed) {
774: fprintf(stderr, "WARNING: %s contains unhashed "
775: "entries\n", old);
776: fprintf(stderr, "Delete this file to ensure privacy "
1.128 djm 777: "of hostnames\n");
1.119 djm 778: }
779: }
780:
781: exit(0);
782: }
783:
1.13 deraadt 784: /*
785: * Perform changing a passphrase. The argument is the passwd structure
786: * for the current user.
787: */
1.63 itojun 788: static void
1.7 markus 789: do_change_passphrase(struct passwd *pw)
790: {
1.12 markus 791: char *comment;
792: char *old_passphrase, *passphrase1, *passphrase2;
793: struct stat st;
1.19 markus 794: Key *private;
1.12 markus 795:
796: if (!have_identity)
797: ask_filename(pw, "Enter file in which the key is");
798: if (stat(identity_file, &st) < 0) {
799: perror(identity_file);
800: exit(1);
801: }
802: /* Try to load the file with empty passphrase. */
1.52 markus 803: private = key_load_private(identity_file, "", &comment);
804: if (private == NULL) {
1.12 markus 805: if (identity_passphrase)
806: old_passphrase = xstrdup(identity_passphrase);
807: else
1.65 markus 808: old_passphrase =
809: read_passphrase("Enter old passphrase: ",
810: RP_ALLOW_STDIN);
811: private = key_load_private(identity_file, old_passphrase,
812: &comment);
1.52 markus 813: memset(old_passphrase, 0, strlen(old_passphrase));
814: xfree(old_passphrase);
815: if (private == NULL) {
1.12 markus 816: printf("Bad passphrase.\n");
817: exit(1);
818: }
819: }
820: printf("Key has comment '%s'\n", comment);
821:
822: /* Ask the new passphrase (twice). */
823: if (identity_new_passphrase) {
824: passphrase1 = xstrdup(identity_new_passphrase);
825: passphrase2 = NULL;
826: } else {
827: passphrase1 =
1.65 markus 828: read_passphrase("Enter new passphrase (empty for no "
829: "passphrase): ", RP_ALLOW_STDIN);
830: passphrase2 = read_passphrase("Enter same passphrase again: ",
1.86 deraadt 831: RP_ALLOW_STDIN);
1.12 markus 832:
833: /* Verify that they are the same. */
834: if (strcmp(passphrase1, passphrase2) != 0) {
835: memset(passphrase1, 0, strlen(passphrase1));
836: memset(passphrase2, 0, strlen(passphrase2));
837: xfree(passphrase1);
838: xfree(passphrase2);
839: printf("Pass phrases do not match. Try again.\n");
840: exit(1);
841: }
842: /* Destroy the other copy. */
843: memset(passphrase2, 0, strlen(passphrase2));
844: xfree(passphrase2);
845: }
846:
847: /* Save the file using the new passphrase. */
1.52 markus 848: if (!key_save_private(private, identity_file, passphrase1, comment)) {
1.56 markus 849: printf("Saving the key failed: %s.\n", identity_file);
1.12 markus 850: memset(passphrase1, 0, strlen(passphrase1));
851: xfree(passphrase1);
1.19 markus 852: key_free(private);
1.12 markus 853: xfree(comment);
854: exit(1);
855: }
856: /* Destroy the passphrase and the copy of the key in memory. */
857: memset(passphrase1, 0, strlen(passphrase1));
858: xfree(passphrase1);
1.19 markus 859: key_free(private); /* Destroys contents */
1.12 markus 860: xfree(comment);
1.1 deraadt 861:
1.12 markus 862: printf("Your identification has been saved with the new passphrase.\n");
863: exit(0);
1.1 deraadt 864: }
865:
1.105 jakob 866: /*
867: * Print the SSHFP RR.
868: */
1.138 jakob 869: static int
870: do_print_resource_record(struct passwd *pw, char *fname, char *hname)
1.105 jakob 871: {
872: Key *public;
873: char *comment = NULL;
874: struct stat st;
875:
1.138 jakob 876: if (fname == NULL)
1.105 jakob 877: ask_filename(pw, "Enter file in which the key is");
1.138 jakob 878: if (stat(fname, &st) < 0) {
879: if (errno == ENOENT)
880: return 0;
881: perror(fname);
1.105 jakob 882: exit(1);
883: }
1.138 jakob 884: public = key_load_public(fname, &comment);
1.105 jakob 885: if (public != NULL) {
1.116 avsm 886: export_dns_rr(hname, public, stdout, print_generic);
1.105 jakob 887: key_free(public);
888: xfree(comment);
1.138 jakob 889: return 1;
1.105 jakob 890: }
891: if (comment)
892: xfree(comment);
893:
1.138 jakob 894: printf("failed to read v2 public key from %s.\n", fname);
1.105 jakob 895: exit(1);
896: }
897:
1.13 deraadt 898: /*
899: * Change the comment of a private key file.
900: */
1.63 itojun 901: static void
1.2 provos 902: do_change_comment(struct passwd *pw)
1.1 deraadt 903: {
1.46 deraadt 904: char new_comment[1024], *comment, *passphrase;
1.52 markus 905: Key *private;
906: Key *public;
1.12 markus 907: struct stat st;
908: FILE *f;
1.46 deraadt 909: int fd;
1.12 markus 910:
911: if (!have_identity)
912: ask_filename(pw, "Enter file in which the key is");
913: if (stat(identity_file, &st) < 0) {
914: perror(identity_file);
915: exit(1);
916: }
1.52 markus 917: private = key_load_private(identity_file, "", &comment);
918: if (private == NULL) {
1.12 markus 919: if (identity_passphrase)
920: passphrase = xstrdup(identity_passphrase);
921: else if (identity_new_passphrase)
922: passphrase = xstrdup(identity_new_passphrase);
923: else
1.65 markus 924: passphrase = read_passphrase("Enter passphrase: ",
925: RP_ALLOW_STDIN);
1.12 markus 926: /* Try to load using the passphrase. */
1.52 markus 927: private = key_load_private(identity_file, passphrase, &comment);
928: if (private == NULL) {
1.12 markus 929: memset(passphrase, 0, strlen(passphrase));
930: xfree(passphrase);
931: printf("Bad passphrase.\n");
932: exit(1);
933: }
1.52 markus 934: } else {
935: passphrase = xstrdup("");
1.12 markus 936: }
1.52 markus 937: if (private->type != KEY_RSA1) {
938: fprintf(stderr, "Comments are only supported for RSA1 keys.\n");
939: key_free(private);
940: exit(1);
1.86 deraadt 941: }
1.12 markus 942: printf("Key now has comment '%s'\n", comment);
943:
944: if (identity_comment) {
945: strlcpy(new_comment, identity_comment, sizeof(new_comment));
946: } else {
947: printf("Enter new comment: ");
948: fflush(stdout);
949: if (!fgets(new_comment, sizeof(new_comment), stdin)) {
950: memset(passphrase, 0, strlen(passphrase));
1.19 markus 951: key_free(private);
1.12 markus 952: exit(1);
953: }
954: if (strchr(new_comment, '\n'))
955: *strchr(new_comment, '\n') = 0;
956: }
957:
958: /* Save the file using the new passphrase. */
1.52 markus 959: if (!key_save_private(private, identity_file, passphrase, new_comment)) {
1.56 markus 960: printf("Saving the key failed: %s.\n", identity_file);
1.12 markus 961: memset(passphrase, 0, strlen(passphrase));
962: xfree(passphrase);
1.19 markus 963: key_free(private);
1.12 markus 964: xfree(comment);
965: exit(1);
966: }
967: memset(passphrase, 0, strlen(passphrase));
968: xfree(passphrase);
1.52 markus 969: public = key_from_private(private);
1.19 markus 970: key_free(private);
1.12 markus 971:
972: strlcat(identity_file, ".pub", sizeof(identity_file));
1.46 deraadt 973: fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
974: if (fd == -1) {
1.12 markus 975: printf("Could not save your public key in %s\n", identity_file);
976: exit(1);
977: }
1.46 deraadt 978: f = fdopen(fd, "w");
979: if (f == NULL) {
980: printf("fdopen %s failed", identity_file);
981: exit(1);
982: }
1.19 markus 983: if (!key_write(public, f))
984: fprintf(stderr, "write key failed");
985: key_free(public);
986: fprintf(f, " %s\n", new_comment);
1.12 markus 987: fclose(f);
1.1 deraadt 988:
1.12 markus 989: xfree(comment);
1.1 deraadt 990:
1.12 markus 991: printf("The comment in your key file has been changed.\n");
992: exit(0);
1.1 deraadt 993: }
994:
1.63 itojun 995: static void
1.10 markus 996: usage(void)
997: {
1.77 jakob 998: fprintf(stderr, "Usage: %s [options]\n", __progname);
999: fprintf(stderr, "Options:\n");
1.123 otto 1000: fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n");
1001: fprintf(stderr, " -B Show bubblebabble digest of key file.\n");
1.77 jakob 1002: fprintf(stderr, " -b bits Number of bits in the key to create.\n");
1.123 otto 1003: fprintf(stderr, " -C comment Provide new comment.\n");
1.77 jakob 1004: fprintf(stderr, " -c Change comment in private and public key files.\n");
1.123 otto 1005: #ifdef SMARTCARD
1006: fprintf(stderr, " -D reader Download public key from smartcard.\n");
1007: #endif /* SMARTCARD */
1.77 jakob 1008: fprintf(stderr, " -e Convert OpenSSH to IETF SECSH key file.\n");
1.123 otto 1009: fprintf(stderr, " -F hostname Find hostname in known hosts file.\n");
1.77 jakob 1010: fprintf(stderr, " -f filename Filename of the key file.\n");
1.123 otto 1011: fprintf(stderr, " -G file Generate candidates for DH-GEX moduli.\n");
1.105 jakob 1012: fprintf(stderr, " -g Use generic DNS resource record format.\n");
1.123 otto 1013: fprintf(stderr, " -H Hash names in known_hosts file.\n");
1.77 jakob 1014: fprintf(stderr, " -i Convert IETF SECSH to OpenSSH key file.\n");
1015: fprintf(stderr, " -l Show fingerprint of key file.\n");
1.123 otto 1016: fprintf(stderr, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");
1017: fprintf(stderr, " -N phrase Provide new passphrase.\n");
1018: fprintf(stderr, " -P phrase Provide old passphrase.\n");
1.77 jakob 1019: fprintf(stderr, " -p Change passphrase of private key file.\n");
1020: fprintf(stderr, " -q Quiet.\n");
1.123 otto 1021: fprintf(stderr, " -R hostname Remove host from known_hosts file.\n");
1022: fprintf(stderr, " -r hostname Print DNS resource record.\n");
1023: fprintf(stderr, " -S start Start point (hex) for generating DH-GEX moduli.\n");
1024: fprintf(stderr, " -T file Screen candidates for DH-GEX moduli.\n");
1.77 jakob 1025: fprintf(stderr, " -t type Specify type of key to create.\n");
1026: #ifdef SMARTCARD
1027: fprintf(stderr, " -U reader Upload private key to smartcard.\n");
1028: #endif /* SMARTCARD */
1.123 otto 1029: fprintf(stderr, " -v Verbose.\n");
1030: fprintf(stderr, " -W gen Generator to use for generating DH-GEX moduli.\n");
1031: fprintf(stderr, " -y Read private key file and print public key.\n");
1.107 djm 1032:
1.12 markus 1033: exit(1);
1.10 markus 1034: }
1035:
1.13 deraadt 1036: /*
1037: * Main program for key management.
1038: */
1.2 provos 1039: int
1040: main(int ac, char **av)
1.1 deraadt 1041: {
1.87 djm 1042: char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
1.112 djm 1043: char out_file[MAXPATHLEN], *reader_id = NULL;
1.119 djm 1044: char *rr_hostname = NULL;
1.46 deraadt 1045: Key *private, *public;
1.12 markus 1046: struct passwd *pw;
1047: struct stat st;
1.124 avsm 1048: int opt, type, fd, download = 0;
1.126 dtucker 1049: u_int32_t memory = 0, generator_wanted = 0, trials = 100;
1.107 djm 1050: int do_gen_candidates = 0, do_screen_candidates = 0;
1.113 djm 1051: int log_level = SYSLOG_LEVEL_INFO;
1.107 djm 1052: BIGNUM *start = NULL;
1.12 markus 1053: FILE *f;
1.125 avsm 1054: const char *errstr;
1.33 markus 1055:
1.12 markus 1056: extern int optind;
1057: extern char *optarg;
1.129 djm 1058:
1059: /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
1060: sanitise_stdfd();
1.12 markus 1061:
1.26 markus 1062: SSLeay_add_all_algorithms();
1.107 djm 1063: log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
1.19 markus 1064:
1.14 markus 1065: /* we need this for the home * directory. */
1.12 markus 1066: pw = getpwuid(getuid());
1067: if (!pw) {
1068: printf("You don't exist, go away!\n");
1069: exit(1);
1070: }
1.19 markus 1071: if (gethostname(hostname, sizeof(hostname)) < 0) {
1072: perror("gethostname");
1073: exit(1);
1074: }
1.14 markus 1075:
1.107 djm 1076: while ((opt = getopt(ac, av,
1.119 djm 1077: "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
1.12 markus 1078: switch (opt) {
1079: case 'b':
1.142 deraadt 1080: bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr);
1.125 avsm 1081: if (errstr)
1082: fatal("Bits has bad value %s (%s)",
1083: optarg, errstr);
1.12 markus 1084: break;
1.119 djm 1085: case 'F':
1086: find_host = 1;
1087: rr_hostname = optarg;
1088: break;
1089: case 'H':
1090: hash_hosts = 1;
1091: break;
1092: case 'R':
1093: delete_host = 1;
1094: rr_hostname = optarg;
1095: break;
1.12 markus 1096: case 'l':
1097: print_fingerprint = 1;
1098: break;
1.49 markus 1099: case 'B':
1100: print_bubblebabble = 1;
1101: break;
1.12 markus 1102: case 'p':
1103: change_passphrase = 1;
1104: break;
1105: case 'c':
1106: change_comment = 1;
1107: break;
1108: case 'f':
1.124 avsm 1109: if (strlcpy(identity_file, optarg, sizeof(identity_file)) >=
1110: sizeof(identity_file))
1111: fatal("Identity filename too long");
1.12 markus 1112: have_identity = 1;
1113: break;
1.105 jakob 1114: case 'g':
1115: print_generic = 1;
1116: break;
1.12 markus 1117: case 'P':
1118: identity_passphrase = optarg;
1119: break;
1120: case 'N':
1121: identity_new_passphrase = optarg;
1122: break;
1123: case 'C':
1124: identity_comment = optarg;
1125: break;
1126: case 'q':
1127: quiet = 1;
1.20 deraadt 1128: break;
1.57 markus 1129: case 'e':
1.19 markus 1130: case 'x':
1.57 markus 1131: /* export key */
1.19 markus 1132: convert_to_ssh2 = 1;
1133: break;
1.57 markus 1134: case 'i':
1.19 markus 1135: case 'X':
1.57 markus 1136: /* import key */
1.19 markus 1137: convert_from_ssh2 = 1;
1138: break;
1139: case 'y':
1140: print_public = 1;
1.47 jakob 1141: break;
1.19 markus 1142: case 'd':
1.33 markus 1143: key_type_name = "dsa";
1.19 markus 1144: break;
1.33 markus 1145: case 't':
1146: key_type_name = optarg;
1147: break;
1.75 markus 1148: case 'D':
1149: download = 1;
1.140 deraadt 1150: /*FALLTHROUGH*/
1.76 jakob 1151: case 'U':
1.75 markus 1152: reader_id = optarg;
1.66 markus 1153: break;
1.113 djm 1154: case 'v':
1155: if (log_level == SYSLOG_LEVEL_INFO)
1156: log_level = SYSLOG_LEVEL_DEBUG1;
1157: else {
1.117 deraadt 1158: if (log_level >= SYSLOG_LEVEL_DEBUG1 &&
1.113 djm 1159: log_level < SYSLOG_LEVEL_DEBUG3)
1160: log_level++;
1161: }
1162: break;
1.105 jakob 1163: case 'r':
1.119 djm 1164: rr_hostname = optarg;
1.105 jakob 1165: break;
1.107 djm 1166: case 'W':
1.142 deraadt 1167: generator_wanted = (u_int32_t)strtonum(optarg, 1,
1168: UINT_MAX, &errstr);
1.124 avsm 1169: if (errstr)
1170: fatal("Desired generator has bad value: %s (%s)",
1171: optarg, errstr);
1.107 djm 1172: break;
1173: case 'a':
1.142 deraadt 1174: trials = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr);
1.124 avsm 1175: if (errstr)
1176: fatal("Invalid number of trials: %s (%s)",
1177: optarg, errstr);
1.107 djm 1178: break;
1179: case 'M':
1.142 deraadt 1180: memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr);
1.124 avsm 1181: if (errstr) {
1182: fatal("Memory limit is %s: %s", errstr, optarg);
1183: }
1.107 djm 1184: break;
1185: case 'G':
1186: do_gen_candidates = 1;
1.124 avsm 1187: if (strlcpy(out_file, optarg, sizeof(out_file)) >=
1188: sizeof(out_file))
1189: fatal("Output filename too long");
1.107 djm 1190: break;
1191: case 'T':
1192: do_screen_candidates = 1;
1.124 avsm 1193: if (strlcpy(out_file, optarg, sizeof(out_file)) >=
1194: sizeof(out_file))
1195: fatal("Output filename too long");
1.107 djm 1196: break;
1197: case 'S':
1198: /* XXX - also compare length against bits */
1199: if (BN_hex2bn(&start, optarg) == 0)
1200: fatal("Invalid start point.");
1201: break;
1.12 markus 1202: case '?':
1203: default:
1204: usage();
1205: }
1206: }
1.113 djm 1207:
1208: /* reinit */
1209: log_init(av[0], log_level, SYSLOG_FACILITY_USER, 1);
1210:
1.12 markus 1211: if (optind < ac) {
1212: printf("Too many arguments.\n");
1.87 djm 1213: usage();
1214: }
1.12 markus 1215: if (change_passphrase && change_comment) {
1216: printf("Can only have one of -p and -c.\n");
1217: usage();
1218: }
1.119 djm 1219: if (delete_host || hash_hosts || find_host)
1220: do_known_hosts(pw, rr_hostname);
1.49 markus 1221: if (print_fingerprint || print_bubblebabble)
1.12 markus 1222: do_fingerprint(pw);
1223: if (change_passphrase)
1224: do_change_passphrase(pw);
1225: if (change_comment)
1226: do_change_comment(pw);
1.19 markus 1227: if (convert_to_ssh2)
1228: do_convert_to_ssh2(pw);
1229: if (convert_from_ssh2)
1230: do_convert_from_ssh2(pw);
1231: if (print_public)
1232: do_print_public(pw);
1.119 djm 1233: if (rr_hostname != NULL) {
1.138 jakob 1234: unsigned int n = 0;
1235:
1236: if (have_identity) {
1237: n = do_print_resource_record(pw,
1238: identity_file, rr_hostname);
1239: if (n == 0) {
1240: perror(identity_file);
1241: exit(1);
1242: }
1243: exit(0);
1244: } else {
1245:
1246: n += do_print_resource_record(pw,
1247: _PATH_HOST_RSA_KEY_FILE, rr_hostname);
1248: n += do_print_resource_record(pw,
1249: _PATH_HOST_DSA_KEY_FILE, rr_hostname);
1250:
1251: if (n == 0)
1252: fatal("no keys found.");
1253: exit(0);
1254: }
1.105 jakob 1255: }
1.75 markus 1256: if (reader_id != NULL) {
1.74 markus 1257: #ifdef SMARTCARD
1.75 markus 1258: if (download)
1259: do_download(pw, reader_id);
1260: else
1261: do_upload(pw, reader_id);
1.78 jakob 1262: #else /* SMARTCARD */
1.74 markus 1263: fatal("no support for smartcards.");
1.78 jakob 1264: #endif /* SMARTCARD */
1.107 djm 1265: }
1266:
1267: if (do_gen_candidates) {
1268: FILE *out = fopen(out_file, "w");
1.111 djm 1269:
1.107 djm 1270: if (out == NULL) {
1271: error("Couldn't open modulus candidate file \"%s\": %s",
1272: out_file, strerror(errno));
1273: return (1);
1274: }
1.130 markus 1275: if (bits == 0)
1276: bits = DEFAULT_BITS;
1.107 djm 1277: if (gen_candidates(out, memory, bits, start) != 0)
1.131 stevesk 1278: fatal("modulus candidate generation failed");
1.107 djm 1279:
1280: return (0);
1281: }
1282:
1283: if (do_screen_candidates) {
1284: FILE *in;
1285: FILE *out = fopen(out_file, "w");
1286:
1287: if (have_identity && strcmp(identity_file, "-") != 0) {
1288: if ((in = fopen(identity_file, "r")) == NULL) {
1289: fatal("Couldn't open modulus candidate "
1.111 djm 1290: "file \"%s\": %s", identity_file,
1.107 djm 1291: strerror(errno));
1292: }
1293: } else
1294: in = stdin;
1295:
1296: if (out == NULL) {
1297: fatal("Couldn't open moduli file \"%s\": %s",
1298: out_file, strerror(errno));
1299: }
1300: if (prime_test(in, out, trials, generator_wanted) != 0)
1.131 stevesk 1301: fatal("modulus screening failed");
1.108 markus 1302: return (0);
1.75 markus 1303: }
1.12 markus 1304:
1305: arc4random_stir();
1306:
1.133 djm 1307: if (key_type_name == NULL)
1308: key_type_name = "rsa";
1309:
1.35 markus 1310: type = key_type_from_name(key_type_name);
1311: if (type == KEY_UNSPEC) {
1312: fprintf(stderr, "unknown key type %s\n", key_type_name);
1313: exit(1);
1.19 markus 1314: }
1.135 dtucker 1315: if (bits == 0)
1316: bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS;
1.134 dtucker 1317: if (type == KEY_DSA && bits != 1024)
1318: fatal("DSA keys must be 1024 bits");
1.33 markus 1319: if (!quiet)
1.35 markus 1320: printf("Generating public/private %s key pair.\n", key_type_name);
1.33 markus 1321: private = key_generate(type, bits);
1322: if (private == NULL) {
1323: fprintf(stderr, "key_generate failed");
1324: exit(1);
1325: }
1326: public = key_from_private(private);
1.12 markus 1327:
1328: if (!have_identity)
1329: ask_filename(pw, "Enter file in which to save the key");
1330:
1.132 djm 1331: /* Create ~/.ssh directory if it doesn't already exist. */
1.40 markus 1332: snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR);
1.12 markus 1333: if (strstr(identity_file, dotsshdir) != NULL &&
1334: stat(dotsshdir, &st) < 0) {
1.29 djm 1335: if (mkdir(dotsshdir, 0700) < 0)
1.12 markus 1336: error("Could not create directory '%s'.", dotsshdir);
1337: else if (!quiet)
1338: printf("Created directory '%s'.\n", dotsshdir);
1339: }
1340: /* If the file already exists, ask the user to confirm. */
1341: if (stat(identity_file, &st) >= 0) {
1342: char yesno[3];
1343: printf("%s already exists.\n", identity_file);
1344: printf("Overwrite (y/n)? ");
1345: fflush(stdout);
1346: if (fgets(yesno, sizeof(yesno), stdin) == NULL)
1347: exit(1);
1348: if (yesno[0] != 'y' && yesno[0] != 'Y')
1349: exit(1);
1350: }
1351: /* Ask for a passphrase (twice). */
1352: if (identity_passphrase)
1353: passphrase1 = xstrdup(identity_passphrase);
1354: else if (identity_new_passphrase)
1355: passphrase1 = xstrdup(identity_new_passphrase);
1356: else {
1357: passphrase_again:
1358: passphrase1 =
1.65 markus 1359: read_passphrase("Enter passphrase (empty for no "
1360: "passphrase): ", RP_ALLOW_STDIN);
1361: passphrase2 = read_passphrase("Enter same passphrase again: ",
1362: RP_ALLOW_STDIN);
1.12 markus 1363: if (strcmp(passphrase1, passphrase2) != 0) {
1.65 markus 1364: /*
1365: * The passphrases do not match. Clear them and
1366: * retry.
1367: */
1.12 markus 1368: memset(passphrase1, 0, strlen(passphrase1));
1369: memset(passphrase2, 0, strlen(passphrase2));
1370: xfree(passphrase1);
1371: xfree(passphrase2);
1372: printf("Passphrases do not match. Try again.\n");
1373: goto passphrase_again;
1374: }
1375: /* Clear the other copy of the passphrase. */
1376: memset(passphrase2, 0, strlen(passphrase2));
1377: xfree(passphrase2);
1378: }
1379:
1380: if (identity_comment) {
1381: strlcpy(comment, identity_comment, sizeof(comment));
1382: } else {
1.18 markus 1383: /* Create default commend field for the passphrase. */
1.12 markus 1384: snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname);
1385: }
1386:
1387: /* Save the key with the given passphrase and comment. */
1.52 markus 1388: if (!key_save_private(private, identity_file, passphrase1, comment)) {
1.56 markus 1389: printf("Saving the key failed: %s.\n", identity_file);
1.12 markus 1390: memset(passphrase1, 0, strlen(passphrase1));
1391: xfree(passphrase1);
1392: exit(1);
1393: }
1394: /* Clear the passphrase. */
1395: memset(passphrase1, 0, strlen(passphrase1));
1396: xfree(passphrase1);
1397:
1398: /* Clear the private key and the random number generator. */
1.33 markus 1399: key_free(private);
1.12 markus 1400: arc4random_stir();
1401:
1402: if (!quiet)
1403: printf("Your identification has been saved in %s.\n", identity_file);
1404:
1405: strlcat(identity_file, ".pub", sizeof(identity_file));
1.46 deraadt 1406: fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
1407: if (fd == -1) {
1.12 markus 1408: printf("Could not save your public key in %s\n", identity_file);
1.46 deraadt 1409: exit(1);
1410: }
1411: f = fdopen(fd, "w");
1412: if (f == NULL) {
1413: printf("fdopen %s failed", identity_file);
1.12 markus 1414: exit(1);
1415: }
1.19 markus 1416: if (!key_write(public, f))
1417: fprintf(stderr, "write key failed");
1418: fprintf(f, " %s\n", comment);
1.12 markus 1419: fclose(f);
1420:
1421: if (!quiet) {
1.50 markus 1422: char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
1.19 markus 1423: printf("Your public key has been saved in %s.\n",
1424: identity_file);
1.12 markus 1425: printf("The key fingerprint is:\n");
1.50 markus 1426: printf("%s %s\n", fp, comment);
1427: xfree(fp);
1.12 markus 1428: }
1.19 markus 1429:
1430: key_free(public);
1.12 markus 1431: exit(0);
1.1 deraadt 1432: }