When pointed at a file containing multiple keys, ssh-keygen only fingerprints the first key, and does not either fingerprint the additional keys or warn in any way that there are (or might be) additional keys in the specified file.

pepper@salt:~/.ssh$ ssh-keygen -l -f authorized_keys
1024 5c:3a:b3:94:5d:ef:28:2c:4d:76:8a:9f:36:81:5c:af authorized_keys
pepper@salt:~/.ssh$ wc -l authorized_keys
3 authorized_keys
The problem here is that in ssh-keygen.c:do_fingerprint() we try key_load_public() first. If this finds a key then we bail; if not, then we continue through the file a line at a time assuming authorized_keys format. The difficulty in fixing this comes from the fact that key_load_public() opens, reads and closes the file in one go. We need a variant that operates on an open file (or just a line), so we can continue.
We can do this with the new authfile.c code that supports parsing from memory buffers.
Retarget unresolved bugs/features to 6.0 release
Retarget unresolved bugs/features to 6.0 release (try again - bugzilla's "change several" isn't)
Fixing this is trickier than I thought. The cases that need to be supported are:

1. SSH1 public key in a private blob
2. SSH1/SSH2 public key in text form
3. known_hosts
4. authorized_keys

We can deal with case #1 by using key_load_public_type() instead of key_load_public. It is a little more tricky to support the other cases together though. For a start, known_hosts always has a hostname before the key string whereas a public key in text format never does. authorized_keys has optional key restrictions that need to be recognised and skipped. A final (?) complication comes in the printing - when printing fingerprints from known_hosts, one wants to print the hostname obtained from the start of the line, but when printing everything else the key comment (end of the line, or baked into a binary SSH1 private key) is the most important thing.

So, do_fingerprint needs to be rewritten to look something like this:

k = key_load_public_type(KEY_RSA1, identity_file, comment)
if (k != NULL)
    print fingerprint+comment and exit

for line in identity_file {
    split_key_line(line, &preamble, &key, &comment)
    if (auth_parse_options(preamble)) {
        // If it has options then it's definitely authorized_keys
        authorized_keys = 1
    } else if (*preamble != '\0') {
        // If the preamble doesn't look like options, then it's probably
        // known_hosts
        known_hosts = 1
    } else {
        // If no preamble at all then it's a plain key or authorized_keys
    }
    print_fingerprint(key)
    print_comment(known_hosts ? preamble : comment)
}
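The following is an added example, not code from the OpenSSH project or from the comment above, showing the line-oriented part of that sketch in working form: each line of a file is split into preamble, key type, key blob and comment; the preamble is classified as authorized_keys options, a known_hosts host list, or nothing; every key is fingerprinted (SHA256 and MD5 in ssh-keygen's notation), and the declared key type is checked against the type string inside the wire blob. The option keyword list is taken from sshd's auth-options as I know them; the function names and the sample key blobs are my own, and the blobs are constructed from constant bytes so they are not real keys. The SSH1 private-blob case (#1) is not covered.

```python
"""Fingerprint every key in a mixed OpenSSH key file (constructed example)."""
import base64
import hashlib
import struct

# Key type names that start the key portion of a line in all three formats.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

# authorized_keys option keywords (assumed from sshd's auth-options). A preamble
# made only of these is treated as options; anything else as a known_hosts host list.
AUTH_OPTIONS = {
    "agent-forwarding", "cert-authority", "command", "environment", "expiry-time",
    "from", "no-agent-forwarding", "no-port-forwarding", "no-pty", "no-user-rc",
    "no-x11-forwarding", "permitlisten", "permitopen", "port-forwarding",
    "principals", "pty", "restrict", "tunnel", "user-rc", "x11-forwarding",
    "no-touch-required", "verify-required",
}


def tokenize(line):
    """Split on whitespace outside double quotes (options may quote spaces)."""
    tokens, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def split_key_line(line):
    """Return (preamble, keytype, blob_b64, comment), or None if no key type is found."""
    tokens = tokenize(line)
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return " ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:])
    return None


def classify_preamble(preamble):
    """'plain' (no preamble), 'authorized_keys' (all option keywords) or 'known_hosts'."""
    if not preamble:
        return "plain"
    opts, cur, quoted = [], [], False          # split on commas outside quotes
    for ch in preamble:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur))
    if all(o.split("=", 1)[0].lower() in AUTH_OPTIONS for o in opts):
        return "authorized_keys"
    return "known_hosts"   # heuristic: a hostname that equals an option keyword misclassifies


def wire_key_type(blob):
    """Length-prefixed key type string at the start of the decoded wire blob."""
    if len(blob) < 4:
        return ""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii", errors="replace")


def fingerprints(blob):
    """ssh-keygen style fingerprints: SHA256 as unpadded base64, MD5 as colon hex."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def fingerprint_line(line):
    """One record per key line; None for blanks, comments and unparseable lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = split_key_line(stripped)
    if parts is None:
        return None
    preamble, keytype, blob_b64, comment = parts
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return None
    kind = classify_preamble(preamble)
    sha256, md5 = fingerprints(blob)
    return {
        "kind": kind, "type": keytype, "sha256": sha256, "md5": md5,
        "type_ok": wire_key_type(blob) == keytype,
        # known_hosts: the host list is the useful label; otherwise the comment.
        "label": preamble if kind == "known_hosts" else comment,
    }


def fingerprint_file(text):
    """All keys in the file, not just the first one."""
    return [r for r in (fingerprint_line(ln) for ln in text.splitlines()) if r]


def make_blob(keytype, payload):
    """Constructed dummy wire blob string(type) || string(payload); NOT a real key."""
    return base64.b64encode(struct.pack(">I", len(keytype)) + keytype.encode()
                            + struct.pack(">I", len(payload)) + payload).decode()


BLOB_A = make_blob("ssh-ed25519", bytes(32))
BLOB_B = make_blob("ssh-ed25519", b"\x01" * 32)
BLOB_C = make_blob("ssh-ed25519", b"\x02" * 32)

# Constructed sample: one plain key, one authorized_keys entry, one known_hosts entry.
SAMPLE = "\n".join([
    "# constructed sample file with three keys",
    f"ssh-ed25519 {BLOB_A} pepper@salt",
    f'command="/bin/true",no-pty ssh-ed25519 {BLOB_B} deploy@ci',
    f"host.example.com,192.0.2.10 ssh-ed25519 {BLOB_C}",
    "",
])

if __name__ == "__main__":
    for r in fingerprint_file(SAMPLE):
        flag = "" if r["type_ok"] else "(declared type does not match blob)"
        print(r["kind"], r["type"], r["sha256"], r["label"], flag)
```

Run as a script it prints three fingerprints for the three-line sample, where ssh-keygen as described in the report prints one. The type check matters for a file that has been edited by hand: a line whose declared type disagrees with the blob is flagged rather than silently fingerprinted.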
Retarget from 6.0 to 6.1
Retarget 6.0 => 6.1
Retarget uncompleted bugs from 6.1 => 6.2
Retarget bugs from 6.1 => 6.2
retarget to openssh-6.3
Retarget to openssh-6.4
Retarget 6.3 -> 6.4
Retarget incomplete bugs / feature requests to 6.6 release
Retarget to 6.7 release, since 6.6 was mostly bugfixing.
Remove from 6.6 tracking bug
Remove from 6.7 blocker list. I'm not yet sure how to do this reliably
This is fixed in HEAD and will be in the openssh-7.2 release.
This is now implemented in HEAD, supporting RSA1 private keys, v2 public keys, authorized_keys, known_hosts and allowing ssh-keygen -lf- to read from stdin. https://anongit.mindrot.org/openssh.git/commit/?id=c56a255162c2166884539c0a1f7511575325b477 It will be in the forthcoming openssh-7.2 release
Close all resolved bugs after 7.3p1 release