
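--- a/dns.c
+++ b/dns.c
@@ -299,7 +299,8 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
  * Export the fingerprint of a key as a DNS resource record
  */
 int
-export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
+export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic,
+    int alg)
 {
 	u_int8_t rdata_pubkey_algorithm = 0;
 	u_int8_t rdata_digest_type = SSHFP_HASH_RESERVED;
@@ -309,6 +310,8 @@ export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
 	int success = 0;
 
 	for (dtype = SSHFP_HASH_SHA1; dtype < SSHFP_HASH_MAX; dtype++) {
+		if (alg != -1 && dtype != alg)
+			continue;
 		rdata_digest_type = dtype;
 		if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
 		    &rdata_digest, &rdata_digest_len, key)) {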
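Review bot: The header comment on export_dns_rr still describes only the export and says nothing about the new `alg` parameter, which filters the SSHFP loop by comparing an SSH digest identifier (both callers in ssh-keygen.c and ssh-keyscan.c pass the result of ssh_digest_alg_by_name) against sshfp_hashes values; that only works if the two numberings agree for SHA-1 and SHA-256, which the code assumes silently. I would extend the comment with `alg is an SSH_DIGEST_* identifier restricting output to one SSHFP hash type, or -1 for all; it is compared directly against enum sshfp_hashes, so the two numberings must agree for sha1/sha256 — verify`. Note also that an `alg` value matching no dtype leaves success at 0 with nothing written, and the ssh-keygen.c caller ignores this function's return value, so such a call completes silently. The body of export_dns_rr continues outside both hunks.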
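--- a/dns.h
+++ b/dns.h
@@ -54,6 +54,6 @@ enum sshfp_hashes {
 
 int	verify_host_key_dns(const char *, struct sockaddr *,
     struct sshkey *, int *);
-int	export_dns_rr(const char *, struct sshkey *, FILE *, int);
+int	export_dns_rr(const char *, struct sshkey *, FILE *, int, int);
 
 #endif /* DNS_H */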
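--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -518,6 +518,21 @@ suffixed with a Z character, which causes them to be interpreted in the
 UTC time zone.
 .El
 .Pp
+When generating SSHFP DNS records from public keys using the
+.Fl r
+flag, the following options are accepted:
+.Bl -tag -width Ds
+.It Cm hashalg Ns = Ns Ar algorithm
+Selects a hash algorithm to use when printing SSHFP records using the
+.Fl D
+flag.
+Valid algorithms are
+.Dq sha1
+and
+.Dq sha256.
+The default is to print both.
+.El
+.Pp
 The
 .Fl O
 option may be specified multiple times.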
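--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1456,13 +1456,23 @@ do_change_passphrase(struct passwd *pw)
  */
 static int
 do_print_resource_record(struct passwd *pw, char *fname, char *hname,
-    int print_generic)
+    int print_generic, char * const *opts, size_t nopts)
 {
 	struct sshkey *public;
 	char *comment = NULL;
 	struct stat st;
-	int r;
+	int r, hash = -1;
+	size_t i;
 
+	for (i = 0; i < nopts; i++) {
+		if (strncasecmp(opts[i], "hashalg=", 8) == 0) {
+			if ((hash = ssh_digest_alg_by_name(opts[i] + 8)) == -1)
+				fatal("Unsupported hash algorithm");
+		} else {
+			error("Invalid option \"%s\"", opts[i]);
+			return SSH_ERR_INVALID_ARGUMENT;
+		}
+	}
 	if (fname == NULL)
 		fatal_f("no filename");
 	if (stat(fname, &st) == -1) {
@@ -1472,7 +1482,7 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname,
 	}
 	if ((r = sshkey_load_public(fname, &public, &comment)) != 0)
 		fatal_r(r, "Failed to read v2 public key from \"%s\"", fname);
-	export_dns_rr(hname, public, stdout, print_generic);
+	export_dns_rr(hname, public, stdout, print_generic, hash);
 	sshkey_free(public);
 	free(comment);
 	return 1;
@@ -3699,7 +3709,7 @@ main(int argc, char **argv)
 
 		if (have_identity) {
 			n = do_print_resource_record(pw, identity_file,
-			    rr_hostname, print_generic);
+			    rr_hostname, print_generic, opts, nopts);
 			if (n == 0)
 				fatal("%s: %s", identity_file, strerror(errno));
 			exit(0);
@@ -3707,19 +3717,19 @@ main(int argc, char **argv)
 
 			n += do_print_resource_record(pw,
 			    _PATH_HOST_RSA_KEY_FILE, rr_hostname,
-			    print_generic);
+			    print_generic, opts, nopts);
 			n += do_print_resource_record(pw,
 			    _PATH_HOST_DSA_KEY_FILE, rr_hostname,
-			    print_generic);
+			    print_generic, opts, nopts);
 			n += do_print_resource_record(pw,
 			    _PATH_HOST_ECDSA_KEY_FILE, rr_hostname,
-			    print_generic);
+			    print_generic, opts, nopts);
 			n += do_print_resource_record(pw,
 			    _PATH_HOST_ED25519_KEY_FILE, rr_hostname,
-			    print_generic);
+			    print_generic, opts, nopts);
 			n += do_print_resource_record(pw,
 			    _PATH_HOST_XMSS_KEY_FILE, rr_hostname,
-			    print_generic);
+			    print_generic, opts, nopts);
 			if (n == 0)
 				fatal("no keys found.");
 			exit(0);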
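Review bot: The `Invalid option` branch added to do_print_resource_record returns SSH_ERR_INVALID_ARGUMENT, but every caller in main() treats the return value as a count of keys printed (`n = ...; if (n == 0) fatal(...)` and the `n += ...` chain), so if that code is non-zero, as the SSH_ERR_* codes in this tree are as far as I recall, an invalid -O option prints an error and then falls through to `exit(0)`, and in the host-key loop the same error is repeated once per key file. The adjacent code handles the comparable failure with fatal(), so `fatal("Invalid option \"%s\"", opts[i]);` in place of the error()/return pair keeps the return value meaning a count. Separately, ssh_digest_alg_by_name presumably accepts every digest name the digest layer knows rather than only the sha1/sha256 the manual lists, and a name whose identifier matches no sshfp_hashes value makes export_dns_rr print nothing while this function still returns 1; rejecting any result other than SSH_DIGEST_SHA1 or SSH_DIGEST_SHA256 after the lookup would close that, and the same unchecked lookup appears in the ssh-keyscan.c 'O' case. do_print_resource_record and main() both extend beyond the hunks shown.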
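--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -16,6 +16,7 @@
 .Nm ssh-keyscan
 .Op Fl 46cDHv
 .Op Fl f Ar file
+.Op Fl O Ar option
 .Op Fl p Ar port
 .Op Fl T Ar timeout
 .Op Fl t Ar type
@@ -97,6 +98,20 @@ and
 .Xr sshd 8 ,
 but they do not reveal identifying information should the file's contents
 be disclosed.
+.It Fl O Ar option
+Specify a key/value option.
+At present, only a single option is supported:
+.Bl -tag -width Ds
+.It Cm hashalg Ns = Ns Ar algorithm
+Selects a hash algorithm to use when printing SSHFP records using the
+.Fl D
+flag.
+Valid algorithms are
+.Dq sha1
+and
+.Dq sha256.
+The default is to print both.
+.El
 .It Fl p Ar port
 Connect to
 .Ar port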
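--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -32,6 +32,7 @@
 #include "sshbuf.h"
 #include "sshkey.h"
 #include "cipher.h"
+#include "digest.h"
 #include "kex.h"
 #include "compat.h"
 #include "myproposal.h"
@@ -72,6 +73,8 @@ int print_sshfp = 0; /* Print SSHFP records instead of known_hosts */
 
 int found_one = 0;		/* Successfully found a key */
 
+int hashalg = -1;		/* Hash for SSHFP records or -1 for all */
+
 #define MAXMAXFD 256
 
 /* The number of seconds after which to give up on a TCP connection */
@@ -294,7 +297,7 @@ keyprint_one(const char *host, struct sshkey *key)
 	found_one = 1;
 
 	if (print_sshfp) {
-		export_dns_rr(host, key, stdout, 0);
+		export_dns_rr(host, key, stdout, 0, hashalg);
 		return;
 	}
 
@@ -704,7 +707,7 @@ main(int argc, char **argv)
 	if (argc <= 1)
 		usage();
 
-	while ((opt = getopt(argc, argv, "cDHv46p:T:t:f:")) != -1) {
+	while ((opt = getopt(argc, argv, "cDHv46O:p:T:t:f:")) != -1) {
 		switch (opt) {
 		case 'H':
 			hash_hosts = 1;
@@ -744,6 +747,14 @@ main(int argc, char **argv)
 				optarg = NULL;
 			argv[fopt_count++] = optarg;
 			break;
+		case 'O':
+			/* Maybe other misc options in the future too */
+			if (strncmp(optarg, "hashalg=", 8) != 0)
+				fatal("Unsupported -O option");
+			if ((hashalg = ssh_digest_alg_by_name(
+			    optarg + 8)) == -1)
+				fatal("Unsupported hash algorithm");
+			break;
 		case 't':
 			get_keytypes = 0;
 			tname = strtok(optarg, ",");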
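Review bot: The `-O` parser in the 'O' case matches the option key with `strncmp`, while the ssh-keygen.c counterpart added in the same change uses `strncasecmp`, so `HashAlg=sha256` is accepted by one tool and rejected with `Unsupported -O option` by the other. `if (strncasecmp(optarg, "hashalg=", 8) != 0)` would make the two consistent. The new hashalg global is only described by its trailing comment; extending it to `/* SSH_DIGEST_* identifier from ssh_digest_alg_by_name, passed to export_dns_rr; -1 for all */` would tie the three hunks together for the next reader. main() continues outside the hunks shown.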
