summaryrefslogtreecommitdiff
path: root/usr.bin/ssh/ssh-keyscan.c
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2015-11-08 22:30:21 +0000
committerDamien Miller <djm@cvs.openbsd.org>2015-11-08 22:30:21 +0000
commit3128d3eb0b6273c3218bcfa1a1e3678358cfc4c4 (patch)
treeff28dbba66994134ecec6062cc5d8d91caa15b93 /usr.bin/ssh/ssh-keyscan.c
parentc67bdb9acef5efd6e6ffb1e2179b584c4827e1eb (diff)
Add "ssh-keyscan -c ..." flag to allow fetching certificates instead
of plain keys; ok markus@
Diffstat (limited to 'usr.bin/ssh/ssh-keyscan.c')
-rw-r--r--usr.bin/ssh/ssh-keyscan.c47
1 files changed, 37 insertions, 10 deletions
diff --git a/usr.bin/ssh/ssh-keyscan.c b/usr.bin/ssh/ssh-keyscan.c
index 2ed32deb1a5..3572fdb049b 100644
--- a/usr.bin/ssh/ssh-keyscan.c
+++ b/usr.bin/ssh/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.102 2015/10/24 22:56:19 djm Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.103 2015/11/08 22:30:20 djm Exp $ */
/*
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
*
@@ -54,6 +54,7 @@ int ssh_port = SSH_DEFAULT_PORT;
#define KT_ECDSA 8
#define KT_ED25519 16
+int get_cert = 0;
int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
int hash_hosts = 0; /* Hash hostname on output */
@@ -249,11 +250,32 @@ keygrab_ssh2(con *c)
int r;
enable_compat20();
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- c->c_keytype == KT_DSA ? "ssh-dss" :
- (c->c_keytype == KT_RSA ? "ssh-rsa" :
- (c->c_keytype == KT_ED25519 ? "ssh-ed25519" :
- "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"));
+ switch (c->c_keytype) {
+ case KT_DSA:
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+ "ssh-dss-cert-v01@openssh.com" : "ssh-dss";
+ break;
+ case KT_RSA:
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+ "ssh-rsa-cert-v01@openssh.com" : "ssh-rsa";
+ break;
+ case KT_ED25519:
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+ "ssh-ed25519-cert-v01@openssh.com" : "ssh-ed25519";
+ break;
+ case KT_ECDSA:
+ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com,"
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com" :
+ "ecdsa-sha2-nistp256,"
+ "ecdsa-sha2-nistp384,"
+ "ecdsa-sha2-nistp521";
+ break;
+ default:
+ fatal("unknown key type %d", c->c_keytype);
+ break;
+ }
if ((r = kex_setup(c->c_ssh, myproposal)) != 0) {
free(c->c_ssh);
fprintf(stderr, "kex_setup: %s\n", ssh_err(r));
@@ -284,7 +306,8 @@ keyprint_one(char *host, struct sshkey *key)
fatal("host_hash failed");
hostport = put_host_port(host, ssh_port);
- fprintf(stdout, "%s ", hostport);
+ if (!get_cert)
+ fprintf(stdout, "%s ", hostport);
sshkey_write(key, stdout);
fputs("\n", stdout);
free(hostport);
@@ -298,7 +321,7 @@ keyprint(con *c, struct sshkey *key)
if (key == NULL)
return;
- if (!hash_hosts && ssh_port == SSH_DEFAULT_PORT) {
+ if (get_cert || (!hash_hosts && ssh_port == SSH_DEFAULT_PORT)) {
keyprint_one(hosts, key);
return;
}
@@ -364,6 +387,7 @@ conalloc(char *iname, char *oname, int keytype)
if (fdcon[s].c_status)
fatal("conalloc: attempt to reuse fdno %d", s);
+ debug3("%s: oname %s kt %d", __func__, oname, keytype);
fdcon[s].c_fd = s;
fdcon[s].c_status = CS_CON;
fdcon[s].c_namebase = namebase;
@@ -634,7 +658,7 @@ static void
usage(void)
{
fprintf(stderr,
- "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]\n"
+ "usage: %s [-46Hcv] [-f file] [-p port] [-T timeout] [-t type]\n"
"\t\t [host | addrlist namelist] ...\n",
__progname);
exit(1);
@@ -660,11 +684,14 @@ main(int argc, char **argv)
if (argc <= 1)
usage();
- while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) {
+ while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
switch (opt) {
case 'H':
hash_hosts = 1;
break;
+ case 'c':
+ get_cert = 1;
+ break;
case 'p':
ssh_port = a2port(optarg);
if (ssh_port <= 0) {