authorDamien Miller <djm@cvs.openbsd.org>2005-03-01 10:41:29 +0000
committerDamien Miller <djm@cvs.openbsd.org>2005-03-01 10:41:29 +0000
commit9c981a5f9f08c1cc89019a626bf99db4d8ea0349 (patch)
treee7c404cfe0431ce8fe22e8f3d45ae57ad43a5dae /usr.bin/ssh
parentb365d94d9cdcb840e0e3df7d4ff479fc940461ea (diff)
option to hash hostnames output by ssh-keyscan; ok markus@ deraadt@
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r--usr.bin/ssh/ssh-keyscan.112
-rw-r--r--usr.bin/ssh/ssh-keyscan.c18
2 files changed, 24 insertions, 6 deletions
diff --git a/usr.bin/ssh/ssh-keyscan.1 b/usr.bin/ssh/ssh-keyscan.1
index 9efcf52137e..63427e727d8 100644
--- a/usr.bin/ssh/ssh-keyscan.1
+++ b/usr.bin/ssh/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keyscan.1,v 1.18 2004/07/12 23:34:25 brad Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.19 2005/03/01 10:41:28 djm Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
@@ -15,7 +15,7 @@
.Sh SYNOPSIS
.Nm ssh-keyscan
.Bk -words
-.Op Fl v46
+.Op Fl Hv46
.Op Fl p Ar port
.Op Fl T Ar timeout
.Op Fl t Ar type
@@ -46,6 +46,14 @@ scanning process involve any encryption.
.Pp
The options are as follows:
.Bl -tag -width Ds
+.It Fl H
+Hash all hostnames and addresses in the output.
+Hashed names may be used normally by
+.Nm ssh
+and
+.Nm sshd ,
+but they do not reveal identifying information should the file's contents
+be disclosed.
.It Fl p Ar port
Port to connect to on the remote host.
.It Fl T Ar timeout
diff --git a/usr.bin/ssh/ssh-keyscan.c b/usr.bin/ssh/ssh-keyscan.c
index 85db4083ad1..51e625b703d 100644
--- a/usr.bin/ssh/ssh-keyscan.c
+++ b/usr.bin/ssh/ssh-keyscan.c
@@ -7,7 +7,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.50 2004/08/11 21:44:32 avsm Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.51 2005/03/01 10:41:28 djm Exp $");
#include <sys/queue.h>
#include <errno.h>
@@ -29,6 +29,7 @@ RCSID("$OpenBSD: ssh-keyscan.c,v 1.50 2004/08/11 21:44:32 avsm Exp $");
#include "log.h"
#include "atomicio.h"
#include "misc.h"
+#include "hostfile.h"
/* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
Default value is AF_UNSPEC means both IPv4 and IPv6. */
@@ -42,6 +43,8 @@ int ssh_port = SSH_DEFAULT_PORT;
int get_keytypes = KT_RSA1; /* Get only RSA1 keys by default */
+int hash_hosts = 0; /* Hash hostname on output */
+
#define MAXMAXFD 256
/* The number of seconds after which to give up on a TCP connection */
@@ -357,10 +360,14 @@ keygrab_ssh2(con *c)
static void
keyprint(con *c, Key *key)
{
+ char *host = c->c_output_name ? c->c_output_name : c->c_name;
+
if (!key)
return;
+ if (hash_hosts && (host = host_hash(host, NULL, 0)) == NULL)
+ fatal("host_hash failed");
- fprintf(stdout, "%s ", c->c_output_name ? c->c_output_name : c->c_name);
+ fprintf(stdout, "%s ", host);
key_write(key, stdout);
fputs("\n", stdout);
}
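Review bot: In keyprint() the added `host_hash(host, NULL, 0)` call hashes the entire output name as one string. The usage text's `addrlist namelist` form suggests `c_output_name` can hold a comma-separated list; if so, the hash covers the joined string and the resulting entry would match none of the individual names or addresses. That contradicts the man page's claim that hashed names "may be used normally", and an entry that never matches leaves users facing unknown-host prompts for hosts they believed were pinned. I would split the list on commas and emit one hashed line per name, as sketched below, assuming `xstrdup`/`xfree` are in scope in this file. Ownership of the buffer `host_hash` returns is not visible in this hunk, so a short comment saying whether the caller must free it would also help.

```c
static void
keyprint(con *c, Key *key)
{
	char *hosts = c->c_output_name ? c->c_output_name : c->c_name;
	char *copy, *cursor, *name, *hashed;

	if (!key)
		return;
	if (!hash_hosts) {
		/* … unchanged: print hosts, key_write(), trailing newline … */
		return;
	}
	/* Hash each name separately so every entry matches on lookup. */
	copy = cursor = xstrdup(hosts);
	while ((name = strsep(&cursor, ",")) != NULL) {
		if ((hashed = host_hash(name, NULL, 0)) == NULL)
			fatal("host_hash failed");
		fprintf(stdout, "%s ", hashed);
		key_write(key, stdout);
		fputs("\n", stdout);
	}
	xfree(copy);
}
```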
@@ -667,7 +674,7 @@ fatal(const char *fmt,...)
static void
usage(void)
{
- fprintf(stderr, "usage: %s [-v46] [-p port] [-T timeout] [-t type] [-f file]\n"
+ fprintf(stderr, "usage: %s [-Hv46] [-p port] [-T timeout] [-t type] [-f file]\n"
"\t\t [host | addrlist namelist] [...]\n",
__progname);
exit(1);
@@ -688,8 +695,11 @@ main(int argc, char **argv)
if (argc <= 1)
usage();
- while ((opt = getopt(argc, argv, "v46p:T:t:f:")) != -1) {
+ while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) {
switch (opt) {
+ case 'H':
+ hash_hosts = 1;
+ break;
case 'p':
ssh_port = a2port(optarg);
if (ssh_port == 0) {