diff options
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ssh/ssh-keyscan.1 | 75 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-keyscan.c | 319 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-keyscan/Makefile | 6 |
3 files changed, 300 insertions, 100 deletions
diff --git a/usr.bin/ssh/ssh-keyscan.1 b/usr.bin/ssh/ssh-keyscan.1 index 80119aa217b..b348bc25229 100644 --- a/usr.bin/ssh/ssh-keyscan.1 +++ b/usr.bin/ssh/ssh-keyscan.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.9 2001/08/02 18:37:35 mpech Exp $ +.\" $OpenBSD: ssh-keyscan.1,v 1.10 2001/08/05 23:18:20 markus Exp $ .\" .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. .\" @@ -14,9 +14,13 @@ .Nd gather ssh public keys .Sh SYNOPSIS .Nm ssh-keyscan -.Op Fl t Ar timeout -.Op Ar -- | host | addrlist namelist -.Op Fl f Ar files ... +.Op Fl v46 +.Op Fl p Ar port +.Op Fl T Ar timeout +.Op Fl t Ar type +.Op Fl f Ar file +.Op Ar host | addrlist namelist +.Op Ar ... .Sh DESCRIPTION .Nm is a utility for gathering the public ssh host keys of a number of @@ -37,14 +41,28 @@ any encryption. .Pp The options are as follows: .Bl -tag -width Ds -.It Fl t +.It Fl p Ar port +Port to connect to on the remote host. +.It Fl T Set the timeout for connection attempts. If .Pa timeout seconds have elapsed since a connection was initiated to a host or since the last time anything was read from that host, then the connection is closed and the host in question considered unavailable. Default is 5 seconds. -.It Fl f +.It Fl t Ar type +Specifies the type of the key to fetch from the following hosts. +The possible values are +.Dq rsa1 +for protocol version 1 and +.Dq rsa +or +.Dq dsa +for protocol version 2. +Multiple values may be specified by separating them with commas. +The default is +.Dq rsa1 . +.It Fl f Ar filename Read hosts or .Pa addrlist namelist pairs from this file, one per line. @@ -55,6 +73,19 @@ is supplied instead of a filename, will read hosts or .Pa addrlist namelist pairs from the standard input. +.It Fl v +Verbose mode. +Causes +.Nm +to print debugging messages about its progress. +.It Fl 4 +Forces +.Nm +to use IPv4 addresses only. +.It Fl 6 +Forces +.Nm +to use IPv6 addresses only. .El .Sh SECURITY If you make an ssh_known_hosts file using @@ -67,7 +98,10 @@ On the other hand, if your security model allows such a risk, can help you detect tampered keyfiles or man in the middle attacks which have begun after you created your ssh_known_hosts file. .Sh EXAMPLES -Print the host key for machine +.Pp +Print the +.Pa rsa1 +host key for machine .Pa hostname : .Bd -literal ssh-keyscan hostname @@ -78,20 +112,36 @@ Find all hosts from the file which have new or different keys from those in the sorted file .Pa ssh_known_hosts : .Bd -literal -$ ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\ - diff ssh_known_hosts - +ssh-keyscan -t rsa,dsa -f ssh_hosts | \e\ + sort -u - ssh_known_hosts | diff ssh_known_hosts - .Ed .Sh FILES .Pa Input format: +.Bd -literal 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 +.Ed .Pp -.Pa Output format: +.Pa Output format for rsa1 keys: +.Bd -literal host-or-namelist bits exponent modulus +.Ed +.Pp +.Pa Output format for rsa and dsa keys: +.Bd -literal +host-or-namelist keytype base64-encoded-key +.Ed +.Pp +Where +.Pa keytype +is either +.Dq ssh-rsa +or +.Dq ssh-dsa . .Pp .Pa /etc/ssh_known_hosts .Sh BUGS It generates "Connection closed by remote host" messages on the consoles -of all the machines it scans. +of all the machines it scans if the server is older than version 2.9. This is because it opens a connection to the ssh port, reads the public key, and drops the connection as soon as it gets the key. .Sh SEE ALSO @@ -99,3 +149,6 @@ key, and drops the connection as soon as it gets the key. .Xr sshd 8 .Sh AUTHORS David Mazieres <dm@lcs.mit.edu> +wrote the initial version, and +Wayne Davison <wayned@users.sourceforge.net> +added support for protocol version 2. diff --git a/usr.bin/ssh/ssh-keyscan.c b/usr.bin/ssh/ssh-keyscan.c index ab58b0db97a..6a2c62fcace 100644 --- a/usr.bin/ssh/ssh-keyscan.c +++ b/usr.bin/ssh/ssh-keyscan.c @@ -7,25 +7,44 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keyscan.c,v 1.25 2001/08/03 10:31:30 jakob Exp $"); +RCSID("$OpenBSD: ssh-keyscan.c,v 1.26 2001/08/05 23:18:20 markus Exp $"); #include <sys/queue.h> #include <errno.h> #include <openssl/bn.h> +#include <setjmp.h> #include "xmalloc.h" #include "ssh.h" #include "ssh1.h" #include "key.h" +#include "kex.h" +#include "compat.h" +#include "myproposal.h" +#include "packet.h" +#include "dispatch.h" #include "buffer.h" #include "bufaux.h" #include "log.h" #include "atomicio.h" +#include "misc.h" + +/* Flag indicating whether IPv4 or IPv6. This can be set on the command line. + Default value is AF_UNSPEC means both IPv4 and IPv6. */ +#ifdef IPV4_DEFAULT +int IPv4or6 = AF_INET; +#else +int IPv4or6 = AF_UNSPEC; +#endif + +int ssh_port = SSH_DEFAULT_PORT; -static int argno = 1; /* Number of argument currently being parsed */ +#define KT_RSA1 1 +#define KT_DSA 2 +#define KT_RSA 4 -int family = AF_UNSPEC; /* IPv4, IPv6 or both */ +int get_keytypes = KT_RSA1; /* Get only RSA1 keys by default */ #define MAXMAXFD 256 @@ -39,6 +58,8 @@ extern char *__progname; fd_set *read_wait; size_t read_wait_size; int ncon; +int nonfatal_fatal = 0; +jmp_buf kexjmp; /* * Keep a connection structure for each file descriptor. The state @@ -54,11 +75,13 @@ typedef struct Connection { int c_plen; /* Packet length field for ssh packet */ int c_len; /* Total bytes which must be read. */ int c_off; /* Length of data read so far. */ + int c_keytype; /* Only one of KT_RSA1, KT_DSA, or KT_RSA */ char *c_namebase; /* Address to free for c_name and c_namelist */ char *c_name; /* Hostname of connection for errors */ char *c_namelist; /* Pointer to other possible addresses */ char *c_output_name; /* Hostname of connection for output */ char *c_data; /* Data read from this fd */ + Kex *c_kex; /* The key-exchange struct for ssh2 */ struct timeval c_tv; /* Time at which connection gets aborted */ TAILQ_ENTRY(Connection) c_link; /* List of connections in timeout order. */ } con; @@ -242,8 +265,8 @@ strnnsep(char **stringp, char *delim) return (tok); } -static void -keyprint(char *host, char *output_name, char *kd, int len) +static Key * +keygrab_ssh1(con *c) { static Key *rsa; static Buffer msg; @@ -252,12 +275,12 @@ keyprint(char *host, char *output_name, char *kd, int len) buffer_init(&msg); rsa = key_new(KEY_RSA1); } - buffer_append(&msg, kd, len); - buffer_consume(&msg, 8 - (len & 7)); /* padding */ + buffer_append(&msg, c->c_data, c->c_plen); + buffer_consume(&msg, 8 - (c->c_plen & 7)); /* padding */ if (buffer_get_char(&msg) != (int) SSH_SMSG_PUBLIC_KEY) { - error("%s: invalid packet type", host); + error("%s: invalid packet type", c->c_name); buffer_clear(&msg); - return; + return NULL; } buffer_consume(&msg, 8); /* cookie */ @@ -270,10 +293,70 @@ keyprint(char *host, char *output_name, char *kd, int len) (void) buffer_get_int(&msg); buffer_get_bignum(&msg, rsa->rsa->e); buffer_get_bignum(&msg, rsa->rsa->n); + buffer_clear(&msg); - fprintf(stdout, "%s ", output_name ? output_name : host); - key_write(rsa, stdout); + return (rsa); +} + +static int +hostjump(Key *hostkey) +{ + longjmp(kexjmp, (int)hostkey); +} + +static int +ssh2_capable(int remote_major, int remote_minor) +{ + switch (remote_major) { + case 1: + if (remote_minor == 99) + return 1; + break; + case 2: + return 1; + default: + break; + } + return 0; +} + +static Key * +keygrab_ssh2(con *c) +{ + int j; + + packet_set_connection(c->c_fd, c->c_fd); + enable_compat20(); + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA? + "ssh-dss": "ssh-rsa"; + c->c_kex = kex_setup(myproposal); + c->c_kex->verify_host_key = hostjump; + + if (!(j = setjmp(kexjmp))) { + nonfatal_fatal = 1; + dispatch_run(DISPATCH_BLOCK, &c->c_kex->done, c->c_kex); + fprintf(stderr, "Impossible! dispatch_run() returned!\n"); + exit(1); + } + nonfatal_fatal = 0; + xfree(c->c_kex); + c->c_kex = NULL; + packet_close(); + if (j < 0) + j = 0; + + return (Key*)(j); +} + +static void +keyprint(con *c, Key *key) +{ + if (!key) + return; + + fprintf(stdout, "%s ", c->c_output_name ? c->c_output_name : c->c_name); + key_write(key, stdout); fputs("\n", stdout); } @@ -284,9 +367,9 @@ tcpconnect(char *host) char strport[NI_MAXSERV]; int gaierr, s = -1; - snprintf(strport, sizeof strport, "%d", SSH_DEFAULT_PORT); + snprintf(strport, sizeof strport, "%d", ssh_port); memset(&hints, 0, sizeof(hints)); - hints.ai_family = family; + hints.ai_family = IPv4or6; hints.ai_socktype = SOCK_STREAM; if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) fatal("getaddrinfo %s: %s", host, gai_strerror(gaierr)); @@ -311,7 +394,7 @@ tcpconnect(char *host) } static int -conalloc(char *iname, char *oname) +conalloc(char *iname, char *oname, int keytype) { int s; char *namebase, *name, *namelist; @@ -340,6 +423,7 @@ conalloc(char *iname, char *oname) fdcon[s].c_data = (char *) &fdcon[s].c_plen; fdcon[s].c_len = 4; fdcon[s].c_off = 0; + fdcon[s].c_keytype = keytype; gettimeofday(&fdcon[s].c_tv, NULL); fdcon[s].c_tv.tv_sec += timeout; TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link); @@ -359,6 +443,7 @@ confree(int s) if (fdcon[s].c_status == CS_KEYS) xfree(fdcon[s].c_data); fdcon[s].c_status = CS_UNUSED; + fdcon[s].c_keytype = 0; TAILQ_REMOVE(&tq, &fdcon[s], c_link); FD_CLR(s, read_wait); ncon--; @@ -378,21 +463,16 @@ conrecycle(int s) { int ret; con *c = &fdcon[s]; - char *iname, *oname; - iname = xstrdup(c->c_namelist); - oname = xstrdup(c->c_output_name); + ret = conalloc(c->c_namelist, c->c_output_name, c->c_keytype); confree(s); - ret = conalloc(iname, oname); - xfree(iname); - xfree(oname); return (ret); } static void congreet(int s) { - char buf[80], *cp; + char buf[256], *cp; size_t bufsiz; int n = 0; con *c = &fdcon[s]; @@ -414,12 +494,34 @@ congreet(int s) } *cp = '\0'; fprintf(stderr, "# %s %s\n", c->c_name, buf); - n = snprintf(buf, sizeof buf, "SSH-1.5-OpenSSH-keyscan\r\n"); + if (c->c_keytype != KT_RSA1) { + int remote_major, remote_minor; + char remote_version[sizeof buf]; + + if (sscanf(buf, "SSH-%d.%d-%[^\n]\n", + &remote_major, &remote_minor, remote_version) == 3) + compat_datafellows(remote_version); + else + datafellows = 0; + if (!ssh2_capable(remote_major, remote_minor)) { + debug("%s doesn't support ssh2", c->c_name); + confree(s); + return; + } + } + n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n", + c->c_keytype == KT_RSA1? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2, + c->c_keytype == KT_RSA1? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2); if (atomicio(write, s, buf, n) != n) { error("write (%s): %s", c->c_name, strerror(errno)); confree(s); return; } + if (c->c_keytype != KT_RSA1) { + keyprint(c, keygrab_ssh2(c)); + confree(s); + return; + } c->c_status = CS_SIZE; contouch(s); } @@ -452,7 +554,7 @@ conread(int s) c->c_status = CS_KEYS; break; case CS_KEYS: - keyprint(c->c_name, c->c_output_name, c->c_data, c->c_plen); + keyprint(c, keygrab_ssh1(c)); confree(s); return; break; @@ -516,85 +618,126 @@ conloop(void) } } -static char * -nexthost(int argc, char **argv) +static void +do_host(char *host) { - static Linebuf *lb; - - for (;;) { - if (!lb) { - if (argno >= argc) - return (NULL); - if (argv[argno][0] != '-') - return (argv[argno++]); - if (!strcmp(argv[argno], "--")) { - if (++argno >= argc) - return (NULL); - return (argv[argno++]); - } else if (!strncmp(argv[argno], "-f", 2)) { - char *fname; - - if (argv[argno][2]) - fname = &argv[argno++][2]; - else if (++argno >= argc) { - error("missing filename for `-f'"); - return (NULL); - } else - fname = argv[argno++]; - if (!strcmp(fname, "-")) - fname = NULL; - lb = Linebuf_alloc(fname, error); - } else - error("ignoring invalid/misplaced option `%s'", - argv[argno++]); - } else { - char *line; - - line = Linebuf_getline(lb); - if (line) - return (line); - Linebuf_free(lb); - lb = NULL; + char *name = strnnsep(&host, " \t\n"); + int j; + + for (j = KT_RSA1; j <= KT_RSA; j *= 2) { + if (get_keytypes & j) { + while (ncon >= MAXCON) + conloop(); + conalloc(name, *host ? host : name, j); } } } static void +fatal_callback(void *arg) +{ + if (nonfatal_fatal) + longjmp(kexjmp, -1); +} + +static void usage(void) { - fprintf(stderr, "Usage: %s [options] [ host | addrlist namelist ]\n", + fprintf(stderr, "Usage: %s [options] host ...\n", __progname); fprintf(stderr, "Options:\n"); - fprintf(stderr, " -t timeout Set connection timeout.\n"); fprintf(stderr, " -f file Read hosts or addresses from file.\n"); + fprintf(stderr, " -p port Connect to the specified port.\n"); + fprintf(stderr, " -t keytype Specify the host key type.\n"); + fprintf(stderr, " -T timeout Set connection timeout.\n"); + fprintf(stderr, " -v Verbose; display verbose debugging messages.\n"); + fprintf(stderr, " -4 Use IPv4 only.\n"); + fprintf(stderr, " -6 Use IPv6 only.\n"); exit(1); } int main(int argc, char **argv) { - char *host = NULL; + int debug_flag = 0, log_level = SYSLOG_LEVEL_INFO; + int opt, fopt_count = 0; + char *tname; + + extern int optind; + extern char *optarg; TAILQ_INIT(&tq); - if (argc <= argno) + if (argc <= 1) usage(); - if (argv[1][0] == '-' && argv[1][1] == 't') { - argno++; - if (argv[1][2]) - timeout = atoi(&argv[1][2]); - else { - if (argno >= argc) + while ((opt = getopt(argc, argv, "v46p:T:t:f:")) != -1) { + switch (opt) { + case 'p': + ssh_port = a2port(optarg); + if (ssh_port == 0) { + fprintf(stderr, "Bad port '%s'\n", optarg); + exit(1); + } + break; + case 'T': + timeout = atoi(optarg); + if (timeout <= 0) usage(); - timeout = atoi(argv[argno++]); - } - if (timeout <= 0) + break; + case 'v': + if (!debug_flag) { + debug_flag = 1; + log_level = SYSLOG_LEVEL_DEBUG1; + } + else if (log_level < SYSLOG_LEVEL_DEBUG3) + log_level++; + else + fatal("Too high debugging level."); + break; + case 'f': + if (strcmp(optarg, "-") == 0) + optarg = NULL; + argv[fopt_count++] = optarg; + break; + case 't': + get_keytypes = 0; + tname = strtok(optarg, ","); + while (tname) { + int type = key_type_from_name(tname); + switch (type) { + case KEY_RSA1: + get_keytypes |= KT_RSA1; + break; + case KEY_DSA: + get_keytypes |= KT_DSA; + break; + case KEY_RSA: + get_keytypes |= KT_RSA; + break; + case KEY_UNSPEC: + fatal("unknown key type %s\n", tname); + } + tname = strtok(NULL, ","); + } + break; + case '4': + IPv4or6 = AF_INET; + break; + case '6': + IPv4or6 = AF_INET6; + break; + case '?': + default: usage(); + } } - if (argc <= argno) + if (optind == argc && !fopt_count) usage(); + log_init("ssh-keyscan", log_level, SYSLOG_FACILITY_USER, 1); + fatal_add_cleanup(fatal_callback, NULL); + maxfd = fdlim_get(1); if (maxfd < 0) fatal("%s: fdlim_get: bad value", __progname); @@ -611,18 +754,22 @@ main(int argc, char **argv) read_wait = xmalloc(read_wait_size); memset(read_wait, 0, read_wait_size); - do { - while (ncon < MAXCON) { - char *name; - - host = nexthost(argc, argv); - if (host == NULL) - break; - name = strnnsep(&host, " \t\n"); - conalloc(name, *host ? host : name); + if (fopt_count) { + Linebuf *lb; + char *line; + int j; + + for (j = 0; j < fopt_count; j++) { + lb = Linebuf_alloc(argv[j], error); + while ((line = Linebuf_getline(lb)) != NULL) + do_host(line); + Linebuf_free(lb); } - conloop(); - } while (host); + } + + while (optind < argc) + do_host(argv[optind++]); + while (ncon > 0) conloop(); diff --git a/usr.bin/ssh/ssh-keyscan/Makefile b/usr.bin/ssh/ssh-keyscan/Makefile index 6748ed7cc5e..2ea5c23934c 100644 --- a/usr.bin/ssh/ssh-keyscan/Makefile +++ b/usr.bin/ssh/ssh-keyscan/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.3 2001/03/03 23:59:39 markus Exp $ +# $OpenBSD: Makefile,v 1.4 2001/08/05 23:18:20 markus Exp $ .PATH: ${.CURDIR}/.. @@ -14,5 +14,5 @@ SRCS= ssh-keyscan.c .include <bsd.prog.mk> -LDADD+= -lcrypto -DPADD+= ${LIBCRYPTO} +LDADD+= -lcrypto -lz +DPADD+= ${LIBCRYPTO} ${LIBZ} |