Bug 1477 - ssh-keygen not reading stdin as expected
Summary: ssh-keygen not reading stdin as expected
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-keygen
Version: 6.6p1
Hardware: All Mac OS X
Importance: P2 normal
Assignee: Assigned to nobody
Blocks: V_7_2
Reported: 2008-06-16 04:13 AEST by Lars Noodén
Modified: 2021-04-23 15:09 AEST

Description Lars Noodén 2008-06-16 04:13:53 AEST
I see what looks like difficulty reading stdin using ssh-keyscan:
 
 	$ ssh-keyscan -t rsa login.itd.umich.edu | ssh-keygen -l -f -
 	-: No such file or directory
 
Instead of the error message "-: No such file or directory", I would
expect the output from ssh-keyscan to be read into ssh-keygen in the
above example and the fingerprint produced as output.
 
Doing it in two steps works:
 	
 $ ssh-keyscan -t rsa login.itd.umich.edu >/tmp/x; \
   ssh-keygen -l -f /tmp/x
 # login.itd.umich.edu SSH-1.99-OpenSSH_4.6p1-hpn12v17
 1024 10:4a:ec:d2:f1:38:f7:ea:0a:a0:0f:17:57:ea:a6:16 login.itd.umich.edu

Option -f filename, Filename of the key file, seems to be the right option and '-' is the usual way of indicating stdin.

FWIW trying to use /dev/stdin directly also gives an error

$ ssh-keyscan login.itd.umich.edu | ssh-keygen -l -f /dev/stdin
# login.itd.umich.edu SSH-1.99-OpenSSH_4.6p1-hpn12v17
/dev/stdin is not a public key file.

ssh-keygen seems not to have a way to show version.  This is on at least the following platforms:
 
   OpenBSD 4.2 GENERIC#3 i386
   OpenBSD 4.3 GENERIC#698 i386
   Linux 2.6.24-18-generic #1 SMP x86_64

The corresponding accompanying ssh shows these versions:

   OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
   OpenSSH_4.7, OpenSSL 0.9.7j 04 May 2006
   OpenSSH_4.8, OpenSSL 0.9.7j 04 May 2006
Comment 1 Darren Tucker 2008-06-16 04:16:58 AEST
Try:

ssh-keyscan -t rsa login.itd.umich.edu | ssh-keygen -l -f /dev/stdin
Comment 2 Lars Noodén 2008-06-16 04:59:16 AEST
The same behavior can be found on this platform and version:

 OpenBSD 4.3 GENERIC.MP#0 amd64
 OpenSSH_5.0, OpenSSL 0.9.7j 04 May 2006
Comment 3 Lars Noodén 2008-07-26 15:00:45 AEST
(Hmm.  I can see that replies via e-mail seem not to get piped back into bugzilla here.)

Darren suggested a second way to produce the error:
    ssh-keyscan -t rsa login.itd.umich.edu | ssh-keygen -l -f /dev/stdin

which gives the following error
/dev/stdin is not a public key file.
Comment 4 Lars Noodén 2008-07-26 15:01:46 AEST
(Hmm.  I can see that replies via e-mail seem not to get piped back into bugzilla here.)

Darren suggested a second way to produce the error:
    ssh-keyscan -t rsa login.itd.umich.edu | ssh-keygen -l -f /dev/stdin

which gives the following error
    /dev/stdin is not a public key file.

It seems to be present in OpenSSH 5.1
Comment 5 Jameson Rollins 2008-11-18 04:55:46 AEDT
Hello.  I too would really like to see ssh-keygen be able to properly read from stdin.  It would make many of the tasks I have to do much much easier.  The current situation where input needs to be written to an intermediate file is quite cumbersome.

It actually appears that reading of /dev/stdin may be broken, as opposed to completely unsupported.  It appears that ssh-keygen will read from a redirection of a file, but not from a pipeline:

servo:/tmp/cdtemp.laHoFb 0$ ssh-keygen -l -f id_rsa.pub 
1024 23:ff:58:10:19:b6:5d:4f:c9:92:28:00:57:2c:5a:c8 id_rsa.pub (RSA)
servo:/tmp/cdtemp.laHoFb 0$ ssh-keygen -l -f /dev/stdin <id_rsa.pub 
1024 23:ff:58:10:19:b6:5d:4f:c9:92:28:00:57:2c:5a:c8 /dev/stdin (RSA)
servo:/tmp/cdtemp.laHoFb 0$ cat id_rsa.pub | ssh-keygen -l -f /dev/stdin
/dev/stdin is not a public key file.
servo:/tmp/cdtemp.laHoFb 1$ 

I don't understand why it would be behaving this way.

Thanks so much for such a great program.

servo:/tmp/cdtemp.laHoFb 0$ ssh -V
OpenSSH_5.1p1 Debian-3, OpenSSL 0.9.8g 19 Oct 2007
servo:/tmp/cdtemp.laHoFb 0$
Comment 6 Will 2014-07-28 11:22:58 AEST
This is still broken on Mac OS X, preventing me from writing portable scripts. Installed latest 6.6p1 and it's still broken, even though this bug seems very old. Works fine on my Linux systems:

will@x ~$ which ssh
/usr/local/bin/ssh
will@x ~$ ssh -V
OpenSSH_6.6p1, OpenSSL 1.0.1h 5 Jun 2014
will@x ~$ ssh-keyscan -t rsa login.itd.umich.edu | ssh-keygen -l -f /dev/stdin
# login.itd.umich.edu SSH-1.99-OpenSSH_5.2p1-hpn13v6
/dev/stdin is not a public key file.
will@x ~$ ssh-keygen -l -f <(ssh-keyscan -t rsa login.itd.umich.edu)
# login.itd.umich.edu SSH-1.99-OpenSSH_5.2p1-hpn13v6
/dev/fd/63 is not a public key file.
will@x ~$ uname -a
Darwin x.local 13.3.0 Darwin Kernel Version 13.3.0: Tue Jun  3 21:27:35 PDT 2014; root:xnu-2422.110.17~1/RELEASE_X86_64 x86_64
will@x ~$ sw_vers -productVersion
10.9.4
will@x ~$ system_profiler SPSoftwareDataType
Software:

    System Software Overview:

      System Version: OS X 10.9.4 (13E28)
      Kernel Version: Darwin 13.3.0
      Boot Volume: Macintosh HD
      Boot Mode: Normal
      Computer Name: x
      User Name: Will X (will)
      Secure Virtual Memory: Enabled
      Time since boot: 8 days 4:23

will@x ~$ which ssh-keygen
/usr/local/bin/ssh-keygen
will@x ~$

Temporary files are the only way on Mac.
Comment 7 Damien Miller 2016-02-05 13:46:11 AEDT
fixed in:

commit c56a255162c2166884539c0a1f7511575325b477
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon Nov 16 22:53:07 2015 +0000

    upstream commit
    
    Allow fingerprinting from standard input "ssh-keygen -lf -"
    
    Support fingerprinting multiple plain keys in a file and authorized_keys
    files too (bz#1319)
    
    ok markus@
    
    Upstream-ID: 903f8b4502929d6ccf53509e4e07eae084574b77
Comment 8 Damien Miller 2021-04-23 15:09:16 AEST
closing resolved bugs as of 8.6p1 release
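
For scripts that still have to run against ssh-keygen builds older than the fix in comment 7, the temporary-file workaround from this thread can be wrapped as below. This is an added example, not part of the bug report or of OpenSSH; `fingerprint_stdin` and `KEYGEN` are hypothetical names, and it assumes a `mktemp` that accepts a template path.

```shell
#!/bin/sh
# Added example, not OpenSSH code. fingerprint_stdin and KEYGEN are
# hypothetical names; KEYGEN lets a caller point at a specific ssh-keygen.
KEYGEN=${KEYGEN:-ssh-keygen}

# Read public keys (ssh-keyscan, known_hosts or authorized_keys lines) on
# stdin and print one fingerprint per key. Works with ssh-keygen builds that
# predate "ssh-keygen -lf -" by spooling each key to a private temp file.
fingerprint_stdin() {
    # mktemp creates the file mode 0600 under an unpredictable name, unlike
    # a fixed path such as /tmp/x that another local user could pre-create.
    _fp_tmp=$(mktemp "${TMPDIR:-/tmp}/sshfp.XXXXXXXX") || return 1
    _fp_rc=0
    _fp_seen=0
    while IFS= read -r _fp_line || [ -n "$_fp_line" ]; do
        case $_fp_line in
            ''|'#'*) continue ;;   # skip blank lines and "# host SSH-..." comments
        esac
        # One key per file: older releases fingerprint only a single key.
        printf '%s\n' "$_fp_line" >"$_fp_tmp"
        # </dev/null keeps the child from consuming the remaining input.
        "$KEYGEN" -l -f "$_fp_tmp" </dev/null || _fp_rc=1
        _fp_seen=1
    done
    rm -f "$_fp_tmp"
    # Fail closed: no keys on stdin is an error, not an empty success.
    [ "$_fp_seen" -eq 1 ] || return 1
    return "$_fp_rc"
}
```

Usage follows the pipeline from the description: `ssh-keyscan -t rsa login.itd.umich.edu | fingerprint_stdin`. The function returns non-zero if any line fails to parse or if no key was supplied, so a calling script can stop before trusting the output.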