Attachment 3127 Details for Bug 2821 – Add ssh-keyscan -D flag for output in SSHFP format

[patch] Add ssh-keyscan -D flag for output in SSHFP format

bz2821.diff (text/plain), 3.24 KB, created by Damien Miller on 2018-02-23 13:55:26 AEDT

(hide)

Description:

Filename:

MIME Type:

Creator: Damien Miller

Created: 2018-02-23 13:55:26 AEDT

Size: 3.24 KB

patch

obsolete

>diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
>index aa4a2ae..6c088ee 100644
>--- a/ssh-keyscan.1
>+++ b/ssh-keyscan.1
>@@ -15,7 +15,7 @@
> .Sh SYNOPSIS
> .Nm ssh-keyscan
> .Bk -words
>-.Op Fl 46cHv
>+.Op Fl 46cDHv
> .Op Fl f Ar file
> .Op Fl p Ar port
> .Op Fl T Ar timeout
>@@ -56,6 +56,12 @@ Forces
> to use IPv6 addresses only.
> .It Fl c
> Request certificates from target hosts instead of plain keys.
>+.It Fl D
>+Print keys found as SSHFP DNS records.
>+The default is to print keys in a format usable as a
>+.Xr ssh 1
>+.Pa known_hosts
>+file.
> .It Fl f Ar file
> Read hosts or
> .Dq addrlist namelist
>@@ -159,6 +165,10 @@ $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
> .Sh SEE ALSO
> .Xr ssh 1 ,
> .Xr sshd 8
>+.%R RFC 4255
>+.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
>+.%D 2006
>+.Re
> .Sh AUTHORS
> .An -nosplit
> .An David Mazieres Aq Mt dm@lcs.mit.edu
>diff --git a/ssh-keyscan.c b/ssh-keyscan.c
>index 0afc717..498dc30 100644
>--- a/ssh-keyscan.c
>+++ b/ssh-keyscan.c
>@@ -40,6 +40,7 @@
> #include "hostfile.h"
> #include "ssherr.h"
> #include "ssh_api.h"
>+#include "dns.h"
> 
> /* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
>    Default value is AF_UNSPEC means both IPv4 and IPv6. */
>@@ -60,6 +61,8 @@ int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
> 
> int hash_hosts = 0;		/* Hash hostname on output */
> 
>+int print_sshfp = 0;		/* Print SSHFP records instead of known_hosts */
>+
> #define MAXMAXFD 256
> 
> /* The number of seconds after which to give up on a TCP connection */
>@@ -260,6 +263,11 @@ keyprint_one(const char *host, struct sshkey *key)
> 	char *hostport;
> 	const char *known_host, *hashed;
> 
>+	if (print_sshfp) {
>+		export_dns_rr(host, key, stdout, 0);
>+		return;
>+	}
>+
> 	hostport = put_host_port(host, ssh_port);
> 	lowercase(hostport);
> 	if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
>@@ -477,7 +485,8 @@ congreet(int s)
> 		confree(s);
> 		return;
> 	}
>-	fprintf(stderr, "# %s:%d %s\n", c->c_name, ssh_port, chop(buf));
>+	fprintf(stderr, "%c %s:%d %s\n", print_sshfp ? ';' : '#',
>+	    c->c_name, ssh_port, chop(buf));
> 	keygrab_ssh2(c);
> 	confree(s);
> }
>@@ -601,7 +610,7 @@ static void
> usage(void)
> {
> 	fprintf(stderr,
>-	    "usage: %s [-46cHv] [-f file] [-p port] [-T timeout] [-t type]\n"
>+	    "usage: %s [-46cDHv] [-f file] [-p port] [-T timeout] [-t type]\n"
> 	    "\t\t   [host | addrlist namelist] ...\n",
> 	    __progname);
> 	exit(1);
>@@ -628,7 +637,7 @@ main(int argc, char **argv)
> 	if (argc <= 1)
> 		usage();
> 
>-	while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
>+	while ((opt = getopt(argc, argv, "cDHv46p:T:t:f:")) != -1) {
> 		switch (opt) {
> 		case 'H':
> 			hash_hosts = 1;
>@@ -636,6 +645,9 @@ main(int argc, char **argv)
> 		case 'c':
> 			get_cert = 1;
> 			break;
>+		case 'D':
>+			print_sshfp = 1;
>+			break;
> 		case 'p':
> 			ssh_port = a2port(optarg);
> 			if (ssh_port <= 0) {
>diff --git a/ssh-keyscan/Makefile b/ssh-keyscan/Makefile
>index 871ac91..e4896ea 100644
>--- a/ssh-keyscan/Makefile
>+++ b/ssh-keyscan/Makefile
>@@ -3,7 +3,7 @@
> .PATH:		${.CURDIR}/..
> 
> SRCS=	ssh-keyscan.c
>-SRCS+=	atomicio.c cleanup.c compat.c hostfile.c ssh_api.c
>+SRCS+=	atomicio.c cleanup.c compat.c hostfile.c ssh_api.c dns.c
> SRCS+=	${SRCS_BASE} ${SRCS_KEX} ${SRCS_KEXC} ${SRCS_KEXS} ${SRCS_KEY} \
> 	${SRCS_PKT} ${SRCS_UTL}
> PROG=	ssh-keyscan

Flags:

dtucker: ok+

Actions: View | Diff

Attachments on bug 2821: 3127