diff options
author | Damien Miller <djm@cvs.openbsd.org> | 2022-05-09 03:09:54 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2022-05-09 03:09:54 +0000 |
commit | 4b77cb20d641f228240503f342630c31a675d049 (patch) | |
tree | f83398c9b4c6e18e9f63a785c62e4e1e0af3808d /usr.bin | |
parent | 6f59cce5fb2a813bd0838c26a382c282c712641f (diff) |
Allow existing -U (use agent) flag to work with "-Y sign" operations,
where it will be interpreted to require that the private keys is
hosted in an agent; bz3429, suggested by Adam Szkoda; ok dtucker@
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ssh/ssh-keygen.1 | 8 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-keygen.c | 19 |
2 files changed, 17 insertions, 10 deletions
diff --git a/usr.bin/ssh/ssh-keygen.1 b/usr.bin/ssh/ssh-keygen.1 index 561600dbd84..4e7245366e8 100644 --- a/usr.bin/ssh/ssh-keygen.1 +++ b/usr.bin/ssh/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.221 2022/05/03 07:42:27 florian Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.222 2022/05/09 03:09:53 djm Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: May 3 2022 $ +.Dd $Mdocdate: May 9 2022 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -583,7 +583,9 @@ and (the default). .It Fl U When used in combination with -.Fl s , +.Fl s +or +.Fl Y Ar sign , this option indicates that a CA key resides in a .Xr ssh-agent 1 . See the diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c index 9059f3a6cd3..30d956020b9 100644 --- a/usr.bin/ssh/ssh-keygen.c +++ b/usr.bin/ssh/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.451 2022/05/08 22:58:35 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.452 2022/05/09 03:09:53 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -2631,8 +2631,8 @@ sig_process_opts(char * const *opts, size_t nopts, char **hashalgp, static int -sig_sign(const char *keypath, const char *sig_namespace, int argc, char **argv, - char * const *opts, size_t nopts) +sig_sign(const char *keypath, const char *sig_namespace, int require_agent, + int argc, char **argv, char * const *opts, size_t nopts) { int i, fd = -1, r, ret = -1; int agent_fd = -1; @@ -2656,13 +2656,18 @@ sig_sign(const char *keypath, const char *sig_namespace, int argc, char **argv, goto done; } - if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) + if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) { + if (require_agent) + fatal("Couldn't get agent socket"); debug_r(r, "Couldn't get agent socket"); - else { + } else { if ((r = ssh_agent_has_key(agent_fd, pubkey)) == 0) signer = agent_signer; - else + else { + if (require_agent) + fatal("Couldn't find key in agent"); debug_r(r, "Couldn't find key in agent"); + } } if (signer == NULL) { @@ -3517,7 +3522,7 @@ main(int argc, char **argv) exit(1); } return sig_sign(identity_file, cert_principals, - argc, argv, opts, nopts); + prefer_agent, argc, argv, opts, nopts); } else if (strncmp(sign_op, "check-novalidate", 16) == 0) { /* NB. cert_principals is actually namespace, via -n */ if (cert_principals == NULL || |