Bugzilla – Attachment 3663 Details for
Bug 3493
ssh-keyscan -D has no option to disable SHA-1 digest
[patch]
Support -Ohashalg=sha256 in ssh-keygen and ssh-keyscan
bz3493.diff (text/plain), 6.34 KB, created by
Damien Miller
on 2023-02-10 14:11:51 AEDT
Description:
Support -Ohashalg=sha256 in ssh-keygen and ssh-keyscan
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2023-02-10 14:11:51 AEDT
Size:
6.34 KB
patch
obsolete
>diff --git a/dns.c b/dns.c
>index 3218abc..09f1674 100644
>--- a/dns.c
>+++ b/dns.c
>@@ -299,7 +299,8 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
> * Export the fingerprint of a key as a DNS resource record
> */
> int
>-export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
>+export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic,
>+ int alg)
> {
> u_int8_t rdata_pubkey_algorithm = 0;
> u_int8_t rdata_digest_type = SSHFP_HASH_RESERVED;
>@@ -309,6 +310,8 @@ export_dns_rr(const char *hostname, struct sshkey *key, FILE *f, int generic)
> int success = 0;
>
> for (dtype = SSHFP_HASH_SHA1; dtype < SSHFP_HASH_MAX; dtype++) {
>+ if (alg != -1 && dtype != alg)
>+ continue;
> rdata_digest_type = dtype;
> if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
> &rdata_digest, &rdata_digest_len, key)) {
>diff --git a/dns.h b/dns.h
>index c9b61c4..7f1af29 100644
>--- a/dns.h
>+++ b/dns.h
>@@ -54,6 +54,6 @@ enum sshfp_hashes {
>
> int verify_host_key_dns(const char *, struct sockaddr *,
> struct sshkey *, int *);
>-int export_dns_rr(const char *, struct sshkey *, FILE *, int);
>+int export_dns_rr(const char *, struct sshkey *, FILE *, int, int);
>
> #endif /* DNS_H */
>diff --git a/ssh-keygen.1 b/ssh-keygen.1
>index 8b1f617..983e674 100644
>--- a/ssh-keygen.1
>+++ b/ssh-keygen.1
>@@ -518,6 +518,21 @@ suffixed with a Z character, which causes them to be interpreted in the
> UTC time zone.
> .El
> .Pp
>+When generating SSHFP DNS records from public keys using the
>+.Fl r
>+flag, the following options are accepted:
>+.Bl -tag -width Ds
>+.It Cm hashalg Ns = Ns Ar algorithm
>+Selects a hash algorithm to use when printing SSHFP records using the
>+.Fl D
>+flag.
>+Valid algorithms are
>+.Dq sha1
>+and
>+.Dq sha256.
>+The default is to print both.
>+.El
>+.Pp
> The
> .Fl O
> option may be specified multiple times.
>diff --git a/ssh-keygen.c b/ssh-keygen.c
>index 869b675..3b5f867 100644
>--- a/ssh-keygen.c
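Review bot: The new filter `if (alg != -1 && dtype != alg)` compares an SSHFP digest-type number (`dtype`, iterated over the SSHFP_HASH_* range) with a value the callers obtain from `ssh_digest_alg_by_name()`, which is a digest.h algorithm id; nothing in this patch ties the two numberings together, and the `enum sshfp_hashes` body in dns.h is outside the hunk so I cannot confirm they coincide. Any accepted name with no SSHFP type, or any numbering mismatch, makes the loop skip every iteration and return with `success` still 0 and nothing printed, which ssh-keygen's do_print_resource_record ignores since it does not check the return value. Suggest the callers translate the parsed name to an SSHFP type explicitly and reject names that have none, and that the parameter be documented: `/* alg: SSHFP digest type to emit (SSHFP_HASH_*), or -1 for all */`. export_dns_rr's body continues outside the hunk; the same assumption sits in the ssh-keygen.c do_print_resource_record hunk and the ssh-keyscan.c `case 'O'` hunk.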
>+++ b/ssh-keygen.c
>@@ -1456,13 +1456,23 @@ do_change_passphrase(struct passwd *pw)
> */
> static int
> do_print_resource_record(struct passwd *pw, char *fname, char *hname,
>- int print_generic)
>+ int print_generic, char * const *opts, size_t nopts)
> {
> struct sshkey *public;
> char *comment = NULL;
> struct stat st;
>- int r;
>+ int r, hash = -1;
>+ size_t i;
>
>+ for (i = 0; i < nopts; i++) {
>+ if (strncasecmp(opts[i], "hashalg=", 8) == 0) {
>+ if ((hash = ssh_digest_alg_by_name(opts[i] + 8)) == -1)
>+ fatal("Unsupported hash algorithm");
>+ } else {
>+ error("Invalid option \"%s\"", opts[i]);
>+ return SSH_ERR_INVALID_ARGUMENT;
>+ }
>+ }
> if (fname == NULL)
> fatal_f("no filename");
> if (stat(fname, &st) == -1) {
>@@ -1472,7 +1482,7 @@ do_print_resource_record(struct passwd *pw, char *fname, char *hname,
> }
> if ((r = sshkey_load_public(fname, &public, &comment)) != 0)
> fatal_r(r, "Failed to read v2 public key from \"%s\"", fname);
>- export_dns_rr(hname, public, stdout, print_generic);
>+ export_dns_rr(hname, public, stdout, print_generic, hash);
> sshkey_free(public);
> free(comment);
> return 1;
>@@ -3699,7 +3709,7 @@ main(int argc, char **argv)
>
> if (have_identity) {
> n = do_print_resource_record(pw, identity_file,
>- rr_hostname, print_generic);
>+ rr_hostname, print_generic, opts, nopts);
> if (n == 0)
> fatal("%s: %s", identity_file, strerror(errno));
> exit(0);
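Review bot: The `else` branch returns `SSH_ERR_INVALID_ARGUMENT` from a function whose callers treat the return value as a count of keys printed (`n = do_print_resource_record(...); if (n == 0) fatal(...); exit(0);` in the third hunk, and `n += ...` in the following one), so an unrecognised -O option logs "Invalid option" but the non-zero code satisfies the `n == 0` check and ssh-keygen exits 0; in the all-host-keys path the message would also be repeated once per key file. The hashalg branch already calls fatal(), so the consistent one-line fix is `fatal("Invalid option \"%s\"", opts[i]);`, or validate opts once in main before the calls. Option matching is case-insensitive here (`strncasecmp`) but case-sensitive in the ssh-keyscan.c `case 'O'` handler (`strncmp`); pick one. Separately, the ssh-keygen.1 text for this option says records are printed "using the -D flag", while the paragraph's first sentence correctly names ssh-keygen's `-r` flag; the wording appears copied from ssh-keyscan.1.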
>@@ -3707,19 +3717,19 @@ main(int argc, char **argv)
>
> n += do_print_resource_record(pw,
> _PATH_HOST_RSA_KEY_FILE, rr_hostname,
>- print_generic);
>+ print_generic, opts, nopts);
> n += do_print_resource_record(pw,
> _PATH_HOST_DSA_KEY_FILE, rr_hostname,
>- print_generic);
>+ print_generic, opts, nopts);
> n += do_print_resource_record(pw,
> _PATH_HOST_ECDSA_KEY_FILE, rr_hostname,
>- print_generic);
>+ print_generic, opts, nopts);
> n += do_print_resource_record(pw,
> _PATH_HOST_ED25519_KEY_FILE, rr_hostname,
>- print_generic);
>+ print_generic, opts, nopts);
> n += do_print_resource_record(pw,
> _PATH_HOST_XMSS_KEY_FILE, rr_hostname,
>- print_generic);
>+ print_generic, opts, nopts);
> if (n == 0)
> fatal("no keys found.");
> exit(0);
>diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
>index ca4feea..6fbc298 100644
>--- a/ssh-keyscan.1
>+++ b/ssh-keyscan.1
>@@ -16,6 +16,7 @@
> .Nm ssh-keyscan
> .Op Fl 46cDHv
> .Op Fl f Ar file
>+.Op Fl O Ar option
> .Op Fl p Ar port
> .Op Fl T Ar timeout
> .Op Fl t Ar type
>@@ -97,6 +98,20 @@ and
> .Xr sshd 8 ,
> but they do not reveal identifying information should the file's contents
> be disclosed.
>+.It Fl O Ar option
>+Specify a key/value option.
>+At present, only a single option is supported:
>+.Bl -tag -width Ds
>+.It Cm hashalg Ns = Ns Ar algorithm
>+Selects a hash algorithm to use when printing SSHFP records using the
>+.Fl D
>+flag.
>+Valid algorithms are
>+.Dq sha1
>+and
>+.Dq sha256.
>+The default is to print both.
>+.El
> .It Fl p Ar port
> Connect to
> .Ar port
>diff --git a/ssh-keyscan.c b/ssh-keyscan.c
>index e79851e..de3b80d 100644
>--- a/ssh-keyscan.c
>+++ b/ssh-keyscan.c
>@@ -32,6 +32,7 @@
> #include "sshbuf.h"
> #include "sshkey.h"
> #include "cipher.h"
>+#include "digest.h"
> #include "kex.h"
> #include "compat.h"
> #include "myproposal.h"
>@@ -72,6 +73,8 @@ int print_sshfp = 0; /* Print SSHFP records instead of known_hosts */
>
> int found_one = 0; /* Successfully found a key */
>
>+int hashalg = -1; /* Hash for SSHFP records or -1 for all */
>+
> #define MAXMAXFD 256
>
> /* The number of seconds after which to give up on a TCP connection */
>@@ -294,7 +297,7 @@ keyprint_one(const char *host, struct sshkey *key)
> found_one = 1;
>
> if (print_sshfp) {
>- export_dns_rr(host, key, stdout, 0);
>+ export_dns_rr(host, key, stdout, 0, hashalg);
> return;
> }
>
>@@ -704,7 +707,7 @@ main(int argc, char **argv)
> if (argc <= 1)
> usage();
>
>- while ((opt = getopt(argc, argv, "cDHv46p:T:t:f:")) != -1) {
>+ while ((opt = getopt(argc, argv, "cDHv46O:p:T:t:f:")) != -1) {
> switch (opt) {
> case 'H':
> hash_hosts = 1;
>@@ -744,6 +747,14 @@ main(int argc, char **argv)
> optarg = NULL;
> argv[fopt_count++] = optarg;
> break;
>+ case 'O':
>+ /* Maybe other misc options in the future too */
>+ if (strncmp(optarg, "hashalg=", 8) != 0)
>+ fatal("Unsupported -O option");
>+ if ((hashalg = ssh_digest_alg_by_name(
>+ optarg + 8)) == -1)
>+ fatal("Unsupported hash algorithm");
>+ break;
> case 't':
> get_keytypes = 0;
> tname = strtok(optarg, ",");
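Review bot: `fatal("Unsupported -O option")` in the `case 'O'` handler discards the text that was rejected, unlike ssh-keygen.c's `error("Invalid option \"%s\"", opts[i])` in the same patch; `fatal("Unsupported -O option \"%s\"", optarg);` would let the operator see what was misparsed. The handler also silently lets a later -O overwrite an earlier `hashalg`, which the manpage hunk does not mention; a sentence there ("if given more than once, the last value wins") or a check for a repeated option would settle it. The comment `/* Maybe other misc options in the future too */` describes intent but not the contract; I would replace it with `/* Only hashalg=<name> is recognised; the value is resolved by ssh_digest_alg_by_name() */`. The usage() string is outside the hunk, so I cannot confirm the `[-O option]` synopsis added to ssh-keyscan.1 is mirrored there.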
Flags:
dtucker
:
ok+