authorDamien Miller <djm@cvs.openbsd.org>2022-05-09 03:09:54 +0000
committerDamien Miller <djm@cvs.openbsd.org>2022-05-09 03:09:54 +0000
commit4b77cb20d641f228240503f342630c31a675d049 (patch)
treef83398c9b4c6e18e9f63a785c62e4e1e0af3808d /usr.bin
parent6f59cce5fb2a813bd0838c26a382c282c712641f (diff)
Allow existing -U (use agent) flag to work with "-Y sign" operations,
where it will be interpreted to require that the private key is hosted in an agent; bz3429, suggested by Adam Szkoda; ok dtucker@
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/ssh-keygen.18
-rw-r--r--usr.bin/ssh/ssh-keygen.c19
2 files changed, 17 insertions, 10 deletions
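diff --git a/usr.bin/ssh/ssh-keygen.1 b/usr.bin/ssh/ssh-keygen.1
index 561600dbd84..4e7245366e8 100644
--- a/usr.bin/ssh/ssh-keygen.1
+++ b/usr.bin/ssh/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.221 2022/05/03 07:42:27 florian Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.222 2022/05/09 03:09:53 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 3 2022 $
+.Dd $Mdocdate: May 9 2022 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -583,7 +583,9 @@ and
 (the default).
 .It Fl U
 When used in combination with
-.Fl s ,
+.Fl s
+or
+.Fl Y Ar sign ,
 this option indicates that a CA key resides in a
 .Xr ssh-agent 1 .
 See the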
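diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c
index 9059f3a6cd3..30d956020b9 100644
--- a/usr.bin/ssh/ssh-keygen.c
+++ b/usr.bin/ssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.451 2022/05/08 22:58:35 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.452 2022/05/09 03:09:53 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2631,8 +2631,8 @@ sig_process_opts(char * const *opts, size_t nopts, char **hashalgp,
 static int
-sig_sign(const char *keypath, const char *sig_namespace, int argc, char **argv,
- char * const *opts, size_t nopts)
+sig_sign(const char *keypath, const char *sig_namespace, int require_agent,
+ int argc, char **argv, char * const *opts, size_t nopts)
 {
 int i, fd = -1, r, ret = -1;
 int agent_fd = -1;
@@ -2656,13 +2656,18 @@ sig_sign(const char *keypath, const char *sig_namespace, int argc, char **argv,
 goto done;
 }
- if ((r = ssh_get_authentication_socket(&agent_fd)) != 0)
+ if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) {
+ if (require_agent)
+ fatal("Couldn't get agent socket");
 debug_r(r, "Couldn't get agent socket");
- else {
+ } else {
 if ((r = ssh_agent_has_key(agent_fd, pubkey)) == 0)
 signer = agent_signer;
- else
+ else {
+ if (require_agent)
+ fatal("Couldn't find key in agent");
 debug_r(r, "Couldn't find key in agent");
+ }
 }
 if (signer == NULL) {
@@ -3517,7 +3522,7 @@ main(int argc, char **argv)
 exit(1);
 }
 return sig_sign(identity_file, cert_principals,
- argc, argv, opts, nopts);
+ prefer_agent, argc, argv, opts, nopts);
 } else if (strncmp(sign_op, "check-novalidate", 16) == 0) {
 /* NB. cert_principals is actually namespace, via -n */
 if (cert_principals == NULL ||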
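Review bot: The two new fatal() calls in the sig_sign hunk drop the error code that the neighbouring debug_r() calls report, so a user who passes -U and has no reachable agent, or whose key is not loaded, sees only "Couldn't get agent socket" or "Couldn't find key in agent" while the ssh_err(r) reason goes to the debug log alone; since `r` is already in hand, `fatal_r(r, "Couldn't get agent socket");` and `fatal_r(r, "Couldn't find key in agent");` would keep the reason in the message the user actually sees. The new parameter also changes what -U means for this path (main passes `prefer_agent`, but here it is a hard requirement rather than a preference), which deserves a comment at the parameter, e.g. `/* require_agent: with -U, refuse to fall back to the on-disk private key */`, so the asymmetry with the -s path is intentional and visible. sig_sign's body begins before the second hunk and continues past it, and main's enclosing block is outside the last hunk.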