- djm@cvs.openbsd.org 2011/10/18 05:00:48

     [ssh-add.1 ssh-add.c]
     new "ssh-add -k" option to load plain keys (skipping certificates);
     "looks ok" markus@

diff --git a/ChangeLog b/ChangeLog
index 583f88f22c6551978656919238f665e643cc1b30..1ff341719bf09874fa5266332510250a93d471a5 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,6 +16,10 @@
      [auth-options.c key.c]
      remove explict search for \0 in packet strings, this job is now done
      implicitly by buffer_get_cstring; ok markus
+   - djm@cvs.openbsd.org 2011/10/18 05:00:48
+     [ssh-add.1 ssh-add.c]
+     new "ssh-add -k" option to load plain keys (skipping certificates);
+     "looks ok" markus@
 
 20111001
  - (dtucker) [openbsd-compat/mktemp.c] Fix compiler warning.  ok djm

diff --git a/ssh-add.1 b/ssh-add.1
index fd48ff98fa3fa7acefb70632d31345f4b5530b80..aec620deaf33e07ec03678056c5f626281ca64fb 100644 (file)
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: ssh-add.1,v 1.55 2010/10/28 18:33:28 jmc Exp $
+.\"    $OpenBSD: ssh-add.1,v 1.56 2011/10/18 05:00:48 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 28 2010 $
+.Dd $Mdocdate: October 18 2011 $
 .Dt SSH-ADD 1
 .Os
 .Sh NAME
@@ -43,7 +43,7 @@
 .Nd adds private key identities to the authentication agent
 .Sh SYNOPSIS
 .Nm ssh-add
-.Op Fl cDdLlXx
+.Op Fl cDdkLlXx
 .Op Fl t Ar life
 .Op Ar
 .Nm ssh-add
@@ -110,6 +110,9 @@ and retry.
 .It Fl e Ar pkcs11
 Remove keys provided by the PKCS#11 shared library
 .Ar pkcs11 .
+.It Fl k
+When loading keys into the agent, load plain private keys only and skip
+certificates.
 .It Fl L
 Lists public key parameters of all identities currently represented
 by the agent.

diff --git a/ssh-add.c b/ssh-add.c
index 6d5e2a95757f3ae3e7bdc35e1f4b2eddf042da25..ea7619e6a3d98407386acc995e0610ab5025f071 100644 (file)
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.101 2011/05/04 21:15:29 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.102 2011/10/18 05:00:48 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -139,11 +139,11 @@ delete_all(AuthenticationConnection *ac)
 }
 
 static int
-add_file(AuthenticationConnection *ac, const char *filename)
+add_file(AuthenticationConnection *ac, const char *filename, int key_only)
 {
        Key *private, *cert;
        char *comment = NULL;
-       char msg[1024], *certpath;
+       char msg[1024], *certpath = NULL;
        int fd, perms_ok, ret = -1;
        Buffer keyblob;
 
@@ -219,6 +219,9 @@ add_file(AuthenticationConnection *ac, const char *filename)
                fprintf(stderr, "Could not add identity: %s\n", filename);
        }
 
+       /* Skip trying to load the cert if requested */
+       if (key_only)
+               goto out;
 
        /* Now try to add the certificate flavour too */
        xasprintf(&certpath, "%s-cert.pub", filename);
@@ -253,7 +256,8 @@ add_file(AuthenticationConnection *ac, const char *filename)
        if (confirm != 0)
                fprintf(stderr, "The user must confirm each use of the key\n");
  out:
-       xfree(certpath);
+       if (certpath != NULL)
+               xfree(certpath);
        xfree(comment);
        key_free(private);
 
@@ -347,13 +351,13 @@ lock_agent(AuthenticationConnection *ac, int lock)
 }
 
 static int
-do_file(AuthenticationConnection *ac, int deleting, char *file)
+do_file(AuthenticationConnection *ac, int deleting, int key_only, char *file)
 {
        if (deleting) {
                if (delete_file(ac, file) == -1)
                        return -1;
        } else {
-               if (add_file(ac, file) == -1)
+               if (add_file(ac, file, key_only) == -1)
                        return -1;
        }
        return 0;
@@ -383,7 +387,7 @@ main(int argc, char **argv)
        extern int optind;
        AuthenticationConnection *ac = NULL;
        char *pkcs11provider = NULL;
-       int i, ch, deleting = 0, ret = 0;
+       int i, ch, deleting = 0, ret = 0, key_only = 0;
 
        /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
        sanitise_stdfd();
@@ -400,8 +404,11 @@ main(int argc, char **argv)
                    "Could not open a connection to your authentication agent.\n");
                exit(2);
        }
-       while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
+       while ((ch = getopt(argc, argv, "klLcdDxXe:s:t:")) != -1) {
                switch (ch) {
+               case 'k':
+                       key_only = 1;
+                       break;
                case 'l':
                case 'L':
                        if (list_identities(ac, ch == 'l' ? 1 : 0) == -1)
@@ -467,7 +474,7 @@ main(int argc, char **argv)
                            default_files[i]);
                        if (stat(buf, &st) < 0)
                                continue;
-                       if (do_file(ac, deleting, buf) == -1)
+                       if (do_file(ac, deleting, key_only, buf) == -1)
                                ret = 1;
                        else
                                count++;
@@ -476,7 +483,7 @@ main(int argc, char **argv)
                        ret = 1;
        } else {
                for (i = 0; i < argc; i++) {
-                       if (do_file(ac, deleting, argv[i]) == -1)
+                       if (do_file(ac, deleting, key_only, argv[i]) == -1)
                                ret = 1;
                }
        }