From 91fadcfc9ae8649ce109eb631e1f20c33e2f21c4 Mon Sep 17 00:00:00 2001
From: djm
Date: Fri, 23 Feb 2018 05:14:05 +0000
Subject: [PATCH] Add ssh-keyscan -D option to make it print its results in SSHFP format bz#2821, ok dtucker@
---
 usr.bin/ssh/ssh-keyscan.1 | 16 +++++++++++++---
 usr.bin/ssh/ssh-keyscan.c | 20 ++++++++++++++++----
 usr.bin/ssh/ssh-keyscan/Makefile | 4 ++--
 3 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/usr.bin/ssh/ssh-keyscan.1 b/usr.bin/ssh/ssh-keyscan.1
index aa4a2ae838a..cdbce0b3041 100644
--- a/usr.bin/ssh/ssh-keyscan.1
+++ b/usr.bin/ssh/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keyscan.1,v 1.40 2017/05/02 17:04:09 jmc Exp $
+.\" $OpenBSD: ssh-keyscan.1,v 1.41 2018/02/23 05:14:05 djm Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres .
 .\"
@@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: May 2 2017 $
+.Dd $Mdocdate: February 23 2018 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@@ -15,7 +15,7 @@
 .Sh SYNOPSIS
 .Nm ssh-keyscan
 .Bk -words
-.Op Fl 46cHv
+.Op Fl 46cDHv
 .Op Fl f Ar file
 .Op Fl p Ar port
 .Op Fl T Ar timeout
@@ -56,6 +56,12 @@ Forces
 to use IPv6 addresses only.
 .It Fl c
 Request certificates from target hosts instead of plain keys.
+.It Fl D
+Print keys found as SSHFP DNS records.
+The default is to print keys in a format usable as a
+.Xr ssh 1
+.Pa known_hosts
+file.
 .It Fl f Ar file
 Read hosts or
 .Dq addrlist namelist
@@ -159,6 +165,10 @@ $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr sshd 8
+.%R RFC 4255
+.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
+.%D 2006
+.Re
 .Sh AUTHORS
 .An -nosplit
 .An David Mazieres Aq Mt dm@lcs.mit.edu
diff --git a/usr.bin/ssh/ssh-keyscan.c b/usr.bin/ssh/ssh-keyscan.c
index 0afc71729ba..b5c9539d2d5 100644
--- a/usr.bin/ssh/ssh-keyscan.c
+++ b/usr.bin/ssh/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.116 2017/11/25 06:46:22 dtucker Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.117 2018/02/23 05:14:05 djm Exp $ */
 /*
 * Copyright 1995, 1996 by David Mazieres .
 *
@@ -40,6 +40,7 @@
 #include "hostfile.h"
 #include "ssherr.h"
 #include "ssh_api.h"
+#include "dns.h"
 
 /* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
 Default value is AF_UNSPEC means both IPv4 and IPv6. */
@@ -60,6 +61,8 @@ int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
 
 int hash_hosts = 0; /* Hash hostname on output */
 
+int print_sshfp = 0; /* Print SSHFP records instead of known_hosts */
+
 #define MAXMAXFD 256
 
 /* The number of seconds after which to give up on a TCP connection */
@@ -260,6 +263,11 @@ keyprint_one(const char *host, struct sshkey *key)
 char *hostport;
 const char *known_host, *hashed;
 
+ if (print_sshfp) {
+ export_dns_rr(host, key, stdout, 0);
+ return;
+ }
+
 hostport = put_host_port(host, ssh_port);
 lowercase(hostport);
 if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
@@ -477,7 +485,8 @@ congreet(int s)
 confree(s);
 return;
 }
- fprintf(stderr, "# %s:%d %s\n", c->c_name, ssh_port, chop(buf));
+ fprintf(stderr, "%c %s:%d %s\n", print_sshfp ? ';' : '#',
+ c->c_name, ssh_port, chop(buf));
 keygrab_ssh2(c);
 confree(s);
 }
@@ -601,7 +610,7 @@ static void
 usage(void)
 {
 fprintf(stderr,
- "usage: %s [-46cHv] [-f file] [-p port] [-T timeout] [-t type]\n"
+ "usage: %s [-46cDHv] [-f file] [-p port] [-T timeout] [-t type]\n"
 "\t\t [host | addrlist namelist] ...\n",
 __progname);
 exit(1);
@@ -628,7 +637,7 @@ main(int argc, char **argv)
 if (argc <= 1)
 usage();
 
- while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
+ while ((opt = getopt(argc, argv, "cDHv46p:T:t:f:")) != -1) {
 switch (opt) {
 case 'H':
 hash_hosts = 1;
@@ -636,6 +645,9 @@ main(int argc, char **argv)
 case 'c':
 get_cert = 1;
 break;
+ case 'D':
+ print_sshfp = 1;
+ break;
 case 'p':
 ssh_port = a2port(optarg);
 if (ssh_port <= 0) {
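Review bot: In the keyprint_one hunk the result of `export_dns_rr(host, key, stdout, 0)` is discarded, so a key that cannot be expressed as an SSHFP record (an unsupported key type, or a certificate when `-c` is also given) produces no record on stdout and nothing in the exit status that a caller feeding a zone file could notice; if export_dns_rr signals failure through its return value as the other dns.c entry points in the tree do, the call should be checked and the host reported, e.g. `if (!export_dns_rr(host, key, stdout, 0)) fprintf(stderr, "%s: cannot export key as SSHFP record\n", host);` in the same stderr style congreet uses. The new early return also skips the `hash_hosts` path that follows it, so `-H` is silently ignored whenever `-D` is set; either reject `-D` together with `-H` in main's getopt loop or state in the usage text and manual that `-D` overrides `-H`. keyprint_one continues past the end of the hunk, so any later cleanup it performs is not visible here.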
diff --git a/usr.bin/ssh/ssh-keyscan/Makefile b/usr.bin/ssh/ssh-keyscan/Makefile
index 871ac911bf9..22759ec944f 100644
--- a/usr.bin/ssh/ssh-keyscan/Makefile
+++ b/usr.bin/ssh/ssh-keyscan/Makefile
@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.11 2018/01/08 15:37:28 markus Exp $
+# $OpenBSD: Makefile,v 1.12 2018/02/23 05:14:05 djm Exp $
 
 .PATH: ${.CURDIR}/..
 
 SRCS= ssh-keyscan.c
-SRCS+= atomicio.c cleanup.c compat.c hostfile.c ssh_api.c
+SRCS+= atomicio.c cleanup.c compat.c hostfile.c ssh_api.c dns.c
 SRCS+= ${SRCS_BASE} ${SRCS_KEX} ${SRCS_KEXC} ${SRCS_KEXS} ${SRCS_KEY} \
 ${SRCS_PKT} ${SRCS_UTL}
 PROG= ssh-keyscan
-- 
2.20.1