upstream commit

Add "ssh-keyscan -c ..." flag to allow fetching
 certificates instead of plain keys; ok markus@

Upstream-ID: 0947e2177dba92339eced9e49d3c5bf7dda69f82

diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index 6bbc480cd5c6d74d9e6f322d1eb059833f818609..12eb5810bc044c1f9829ce97ff1e1cec60e408ae 100644 (file)
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\"    $OpenBSD: ssh-keyscan.1,v 1.36 2014/08/30 15:33:50 sobrado Exp $
+.\"    $OpenBSD: ssh-keyscan.1,v 1.37 2015/11/08 22:30:20 djm Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: August 30 2014 $
+.Dd $Mdocdate: November 8 2015 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@@ -15,7 +15,7 @@
 .Sh SYNOPSIS
 .Nm ssh-keyscan
 .Bk -words
-.Op Fl 46Hv
+.Op Fl 46Hcv
 .Op Fl f Ar file
 .Op Fl p Ar port
 .Op Fl T Ar timeout
@@ -54,6 +54,8 @@ to use IPv4 addresses only.
 Forces
 .Nm
 to use IPv6 addresses only.
+.It Fl c
+Request certificates from target hosts instead of plain keys.
 .It Fl f Ar file
 Read hosts or
 .Dq addrlist namelist

diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 7db0e10e536d894c7e7f16bdf067750ab1f408f9..0e5ca609a0fae616977e75ed09a2988a1ce586d5 100644 (file)
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.102 2015/10/24 22:56:19 djm Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.103 2015/11/08 22:30:20 djm Exp $ */
 /*
  * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
  *
@@ -60,6 +60,7 @@ int ssh_port = SSH_DEFAULT_PORT;
 #define KT_ECDSA       8
 #define KT_ED25519     16
 
+int get_cert = 0;
 int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
 
 int hash_hosts = 0;            /* Hash hostname on output */
@@ -267,11 +268,32 @@ keygrab_ssh2(con *c)
        int r;
 
        enable_compat20();
-       myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
-           c->c_keytype == KT_DSA ?  "ssh-dss" :
-           (c->c_keytype == KT_RSA ? "ssh-rsa" :
-           (c->c_keytype == KT_ED25519 ? "ssh-ed25519" :
-           "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"));
+       switch (c->c_keytype) {
+       case KT_DSA:
+               myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+                   "ssh-dss-cert-v01@openssh.com" : "ssh-dss";
+               break;
+       case KT_RSA:
+               myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+                   "ssh-rsa-cert-v01@openssh.com" : "ssh-rsa";
+               break;
+       case KT_ED25519:
+               myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+                   "ssh-ed25519-cert-v01@openssh.com" : "ssh-ed25519";
+               break;
+       case KT_ECDSA:
+               myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = get_cert ?
+                   "ecdsa-sha2-nistp256-cert-v01@openssh.com,"
+                   "ecdsa-sha2-nistp384-cert-v01@openssh.com,"
+                   "ecdsa-sha2-nistp521-cert-v01@openssh.com" :
+                   "ecdsa-sha2-nistp256,"
+                   "ecdsa-sha2-nistp384,"
+                   "ecdsa-sha2-nistp521";
+               break;
+       default:
+               fatal("unknown key type %d", c->c_keytype);
+               break;
+       }
        if ((r = kex_setup(c->c_ssh, myproposal)) != 0) {
                free(c->c_ssh);
                fprintf(stderr, "kex_setup: %s\n", ssh_err(r));
@@ -304,7 +326,8 @@ keyprint_one(char *host, struct sshkey *key)
                fatal("host_hash failed");
 
        hostport = put_host_port(host, ssh_port);
-       fprintf(stdout, "%s ", hostport);
+       if (!get_cert)
+               fprintf(stdout, "%s ", hostport);
        sshkey_write(key, stdout);
        fputs("\n", stdout);
        free(hostport);
@@ -318,7 +341,7 @@ keyprint(con *c, struct sshkey *key)
 
        if (key == NULL)
                return;
-       if (!hash_hosts && ssh_port == SSH_DEFAULT_PORT) {
+       if (get_cert || (!hash_hosts && ssh_port == SSH_DEFAULT_PORT)) {
                keyprint_one(hosts, key);
                return;
        }
@@ -384,6 +407,7 @@ conalloc(char *iname, char *oname, int keytype)
        if (fdcon[s].c_status)
                fatal("conalloc: attempt to reuse fdno %d", s);
 
+       debug3("%s: oname %s kt %d", __func__, oname, keytype);
        fdcon[s].c_fd = s;
        fdcon[s].c_status = CS_CON;
        fdcon[s].c_namebase = namebase;
@@ -654,7 +678,7 @@ static void
 usage(void)
 {
        fprintf(stderr,
-           "usage: %s [-46Hv] [-f file] [-p port] [-T timeout] [-t type]\n"
+           "usage: %s [-46Hcv] [-f file] [-p port] [-T timeout] [-t type]\n"
            "\t\t   [host | addrlist namelist] ...\n",
            __progname);
        exit(1);
@@ -682,11 +706,14 @@ main(int argc, char **argv)
        if (argc <= 1)
                usage();
 
-       while ((opt = getopt(argc, argv, "Hv46p:T:t:f:")) != -1) {
+       while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
                switch (opt) {
                case 'H':
                        hash_hosts = 1;
                        break;
+               case 'c':
+                       get_cert = 1;
+                       break;
                case 'p':
                        ssh_port = a2port(optarg);
                        if (ssh_port <= 0) {