diff options
Diffstat (limited to 'crypto/openssh/ssh-keygen.c')
-rw-r--r-- | crypto/openssh/ssh-keygen.c | 181 |
1 files changed, 142 insertions, 39 deletions
diff --git a/crypto/openssh/ssh-keygen.c b/crypto/openssh/ssh-keygen.c index c95e4ab..4b6218b 100644 --- a/crypto/openssh/ssh-keygen.c +++ b/crypto/openssh/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.205 2011/01/11 06:13:10 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.210 2011/04/18 00:46:05 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -49,10 +49,7 @@ #include "hostfile.h" #include "dns.h" #include "ssh2.h" - -#ifdef ENABLE_PKCS11 #include "ssh-pkcs11.h" -#endif /* Number of bits in the RSA/DSA key. This value can be set on the command line. */ #define DEFAULT_BITS 2048 @@ -160,6 +157,38 @@ int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *); int prime_test(FILE *, FILE *, u_int32_t, u_int32_t); static void +type_bits_valid(int type, u_int32_t *bitsp) +{ + u_int maxbits; + + if (type == KEY_UNSPEC) { + fprintf(stderr, "unknown key type %s\n", key_type_name); + exit(1); + } + if (*bitsp == 0) { + if (type == KEY_DSA) + *bitsp = DEFAULT_BITS_DSA; + else if (type == KEY_ECDSA) + *bitsp = DEFAULT_BITS_ECDSA; + else + *bitsp = DEFAULT_BITS; + } + maxbits = (type == KEY_DSA) ? + OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; + if (*bitsp > maxbits) { + fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); + exit(1); + } + if (type == KEY_DSA && *bitsp != 1024) + fatal("DSA keys must be 1024 bits"); + else if (type != KEY_ECDSA && *bitsp < 768) + fatal("Key must at least be 768 bits"); + else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1) + fatal("Invalid ECDSA key length - valid lengths are " + "256, 384 or 521 bits"); +} + +static void ask_filename(struct passwd *pw, const char *prompt) { char buf[1024]; @@ -818,6 +847,98 @@ do_fingerprint(struct passwd *pw) } static void +do_gen_all_hostkeys(struct passwd *pw) +{ + struct { + char *key_type; + char *key_type_display; + char *path; + } key_types[] = { + { "rsa1", "RSA1", _PATH_HOST_KEY_FILE }, + { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, + { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, + { "ecdsa", "ECDSA",_PATH_HOST_ECDSA_KEY_FILE }, + { NULL, NULL, NULL } + }; + + int first = 0; + struct stat st; + Key *private, *public; + char comment[1024]; + int i, type, fd; + FILE *f; + + for (i = 0; key_types[i].key_type; i++) { + if (stat(key_types[i].path, &st) == 0) + continue; + if (errno != ENOENT) { + printf("Could not stat %s: %s", key_types[i].path, + strerror(errno)); + first = 0; + continue; + } + + if (first == 0) { + first = 1; + printf("%s: generating new host keys: ", __progname); + } + printf("%s ", key_types[i].key_type_display); + fflush(stdout); + arc4random_stir(); + type = key_type_from_name(key_types[i].key_type); + strlcpy(identity_file, key_types[i].path, sizeof(identity_file)); + bits = 0; + type_bits_valid(type, &bits); + private = key_generate(type, bits); + if (private == NULL) { + fprintf(stderr, "key_generate failed\n"); + first = 0; + continue; + } + public = key_from_private(private); + snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, + hostname); + if (!key_save_private(private, identity_file, "", comment)) { + printf("Saving the key failed: %s.\n", identity_file); + key_free(private); + key_free(public); + first = 0; + continue; + } + key_free(private); + arc4random_stir(); + strlcat(identity_file, ".pub", sizeof(identity_file)); + fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644); + if (fd == -1) { + printf("Could not save your public key in %s\n", + identity_file); + key_free(public); + first = 0; + continue; + } + f = fdopen(fd, "w"); + if (f == NULL) { + printf("fdopen %s failed\n", identity_file); + key_free(public); + first = 0; + continue; + } + if (!key_write(public, f)) { + fprintf(stderr, "write key failed\n"); + key_free(public); + first = 0; + continue; + } + fprintf(f, " %s\n", comment); + fclose(f); + key_free(public); + + } + if (first != 0) + printf("\n"); +} + +static void printhost(FILE *f, const char *name, Key *public, int ca, int hash) { if (print_fingerprint) { @@ -1330,6 +1451,9 @@ prepare_options_buf(Buffer *c, int which) certflags_command != NULL) add_string_option(c, "force-command", certflags_command); if ((which & OPTIONS_EXTENSIONS) != 0 && + (certflags_flags & CERTOPT_X_FWD) != 0) + add_flag_option(c, "permit-X11-forwarding"); + if ((which & OPTIONS_EXTENSIONS) != 0 && (certflags_flags & CERTOPT_AGENT_FWD) != 0) add_flag_option(c, "permit-agent-forwarding"); if ((which & OPTIONS_EXTENSIONS) != 0 && @@ -1341,9 +1465,6 @@ prepare_options_buf(Buffer *c, int which) if ((which & OPTIONS_EXTENSIONS) != 0 && (certflags_flags & CERTOPT_USER_RC) != 0) add_flag_option(c, "permit-user-rc"); - if ((which & OPTIONS_EXTENSIONS) != 0 && - (certflags_flags & CERTOPT_X_FWD) != 0) - add_flag_option(c, "permit-X11-forwarding"); if ((which & OPTIONS_CRITICAL) != 0 && certflags_src_addr != NULL) add_string_option(c, "source-address", certflags_src_addr); @@ -1593,7 +1714,7 @@ add_cert_option(char *opt) { char *val; - if (strcmp(opt, "clear") == 0) + if (strcasecmp(opt, "clear") == 0) certflags_flags = 0; else if (strcasecmp(opt, "no-x11-forwarding") == 0) certflags_flags &= ~CERTOPT_X_FWD; @@ -1745,6 +1866,7 @@ usage(void) { fprintf(stderr, "usage: %s [options]\n", __progname); fprintf(stderr, "Options:\n"); + fprintf(stderr, " -A Generate non-existent host keys for all key types.\n"); fprintf(stderr, " -a trials Number of trials for screening DH-GEX moduli.\n"); fprintf(stderr, " -B Show bubblebabble digest of key file.\n"); fprintf(stderr, " -b bits Number of bits in the key to create.\n"); @@ -1799,9 +1921,9 @@ main(int argc, char **argv) struct passwd *pw; struct stat st; int opt, type, fd; - u_int maxbits; u_int32_t memory = 0, generator_wanted = 0, trials = 100; int do_gen_candidates = 0, do_screen_candidates = 0; + int gen_all_hostkeys = 0; BIGNUM *start = NULL; FILE *f; const char *errstr; @@ -1817,7 +1939,6 @@ main(int argc, char **argv) OpenSSL_add_all_algorithms(); log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); - init_rng(); seed_rng(); /* we need this for the home * directory. */ @@ -1831,9 +1952,12 @@ main(int argc, char **argv) exit(1); } - while ((opt = getopt(argc, argv, "degiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:" + while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:P:m:N:n:" "O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) { switch (opt) { + case 'A': + gen_all_hostkeys = 1; + break; case 'b': bits = (u_int32_t)strtonum(optarg, 256, 32768, &errstr); if (errstr) @@ -1928,9 +2052,6 @@ main(int argc, char **argv) case 'y': print_public = 1; break; - case 'd': - key_type_name = "dsa"; - break; case 's': ca_key_path = optarg; break; @@ -2109,37 +2230,19 @@ main(int argc, char **argv) return (0); } + if (gen_all_hostkeys) { + do_gen_all_hostkeys(pw); + return (0); + } + arc4random_stir(); if (key_type_name == NULL) key_type_name = "rsa"; type = key_type_from_name(key_type_name); - if (type == KEY_UNSPEC) { - fprintf(stderr, "unknown key type %s\n", key_type_name); - exit(1); - } - if (bits == 0) { - if (type == KEY_DSA) - bits = DEFAULT_BITS_DSA; - else if (type == KEY_ECDSA) - bits = DEFAULT_BITS_ECDSA; - else - bits = DEFAULT_BITS; - } - maxbits = (type == KEY_DSA) ? - OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; - if (bits > maxbits) { - fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); - exit(1); - } - if (type == KEY_DSA && bits != 1024) - fatal("DSA keys must be 1024 bits"); - else if (type != KEY_ECDSA && bits < 768) - fatal("Key must at least be 768 bits"); - else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(bits) == -1) - fatal("Invalid ECDSA key length - valid lengths are " - "256, 384 or 521 bits"); + type_bits_valid(type, &bits); + if (!quiet) printf("Generating public/private %s key pair.\n", key_type_name); private = key_generate(type, bits); |