1 /* $OpenBSD: ssh-keygen.c,v 1.154 2006/08/03 03:34:42 deraadt Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * Identity and host key generation and maintenance.
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
17 #include <sys/types.h>
18 #include <sys/socket.h>
20 #include <sys/param.h>
22 #include <openssl/evp.h>
23 #include <openssl/pem.h>
43 #include "pathnames.h"
54 /* Number of bits in the RSA/DSA key. This value can be set on the command line. */
55 #define DEFAULT_BITS 2048
56 #define DEFAULT_BITS_DSA 1024
60 * Flag indicating that we just want to change the passphrase. This can be
61 * set on the command line.
63 int change_passphrase
= 0;
66 * Flag indicating that we just want to change the comment. This can be set
67 * on the command line.
69 int change_comment
= 0;
73 /* Flag indicating that we want to hash a known_hosts file */
75 /* Flag indicating that we want lookup a host in known_hosts file */
77 /* Flag indicating that we want to delete a host from a known_hosts file */
80 /* Flag indicating that we just want to see the key fingerprint */
81 int print_fingerprint
= 0;
82 int print_bubblebabble
= 0;
84 /* The identity file name, given on the command line or entered by the user. */
85 char identity_file
[1024];
86 int have_identity
= 0;
88 /* This is set to the passphrase if given on the command line. */
89 char *identity_passphrase
= NULL
;
91 /* This is set to the new passphrase if given on the command line. */
92 char *identity_new_passphrase
= NULL
;
94 /* This is set to the new comment if given on the command line. */
95 char *identity_comment
= NULL
;
97 /* Dump public key file in format used by real and the original SSH 2 */
98 int convert_to_ssh2
= 0;
99 int convert_from_ssh2
= 0;
100 int print_public
= 0;
101 int print_generic
= 0;
103 char *key_type_name
= NULL
;
106 extern char *__progname
;
108 char hostname
[MAXHOSTNAMELEN
];
111 int gen_candidates(FILE *, u_int32_t
, u_int32_t
, BIGNUM
*);
112 int prime_test(FILE *, FILE *, u_int32_t
, u_int32_t
);
115 ask_filename(struct passwd
*pw
, const char *prompt
)
120 if (key_type_name
== NULL
)
121 name
= _PATH_SSH_CLIENT_ID_RSA
;
123 switch (key_type_from_name(key_type_name
)) {
125 name
= _PATH_SSH_CLIENT_IDENTITY
;
128 name
= _PATH_SSH_CLIENT_ID_DSA
;
131 name
= _PATH_SSH_CLIENT_ID_RSA
;
134 fprintf(stderr
, "bad key type");
139 snprintf(identity_file
, sizeof(identity_file
), "%s/%s", pw
->pw_dir
, name
);
140 fprintf(stderr
, "%s (%s): ", prompt
, identity_file
);
141 if (fgets(buf
, sizeof(buf
), stdin
) == NULL
)
143 if (strchr(buf
, '\n'))
144 *strchr(buf
, '\n') = 0;
145 if (strcmp(buf
, "") != 0)
146 strlcpy(identity_file
, buf
, sizeof(identity_file
));
151 load_identity(char *filename
)
156 prv
= key_load_private(filename
, "", NULL
);
158 if (identity_passphrase
)
159 pass
= xstrdup(identity_passphrase
);
161 pass
= read_passphrase("Enter passphrase: ",
163 prv
= key_load_private(filename
, pass
, NULL
);
164 memset(pass
, 0, strlen(pass
));
170 #define SSH_COM_PUBLIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----"
171 #define SSH_COM_PUBLIC_END "---- END SSH2 PUBLIC KEY ----"
172 #define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
173 #define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb
176 do_convert_to_ssh2(struct passwd
*pw
)
184 ask_filename(pw
, "Enter file in which the key is");
185 if (stat(identity_file
, &st
) < 0) {
186 perror(identity_file
);
189 if ((k
= key_load_public(identity_file
, NULL
)) == NULL
) {
190 if ((k
= load_identity(identity_file
)) == NULL
) {
191 fprintf(stderr
, "load failed\n");
195 if (k
->type
== KEY_RSA1
) {
196 fprintf(stderr
, "version 1 keys are not supported\n");
199 if (key_to_blob(k
, &blob
, &len
) <= 0) {
200 fprintf(stderr
, "key_to_blob failed\n");
203 fprintf(stdout
, "%s\n", SSH_COM_PUBLIC_BEGIN
);
205 "Comment: \"%u-bit %s, converted from OpenSSH by %s@%s\"\n",
206 key_size(k
), key_type(k
),
207 pw
->pw_name
, hostname
);
208 dump_base64(stdout
, blob
, len
);
209 fprintf(stdout
, "%s\n", SSH_COM_PUBLIC_END
);
216 buffer_get_bignum_bits(Buffer
*b
, BIGNUM
*value
)
218 u_int bignum_bits
= buffer_get_int(b
);
219 u_int bytes
= (bignum_bits
+ 7) / 8;
221 if (buffer_len(b
) < bytes
)
222 fatal("buffer_get_bignum_bits: input buffer too small: "
223 "need %d have %d", bytes
, buffer_len(b
));
224 BN_bin2bn(buffer_ptr(b
), bytes
, value
);
225 buffer_consume(b
, bytes
);
229 do_convert_private_ssh2_from_blob(u_char
*blob
, u_int blen
)
234 u_char
*sig
, data
[] = "abcde12345";
235 int magic
, rlen
, ktype
, i1
, i2
, i3
, i4
;
240 buffer_append(&b
, blob
, blen
);
242 magic
= buffer_get_int(&b
);
243 if (magic
!= SSH_COM_PRIVATE_KEY_MAGIC
) {
244 error("bad magic 0x%x != 0x%x", magic
, SSH_COM_PRIVATE_KEY_MAGIC
);
248 i1
= buffer_get_int(&b
);
249 type
= buffer_get_string(&b
, NULL
);
250 cipher
= buffer_get_string(&b
, NULL
);
251 i2
= buffer_get_int(&b
);
252 i3
= buffer_get_int(&b
);
253 i4
= buffer_get_int(&b
);
254 debug("ignore (%d %d %d %d)", i1
,i2
,i3
,i4
);
255 if (strcmp(cipher
, "none") != 0) {
256 error("unsupported cipher %s", cipher
);
264 if (strstr(type
, "dsa")) {
266 } else if (strstr(type
, "rsa")) {
273 key
= key_new_private(ktype
);
278 buffer_get_bignum_bits(&b
, key
->dsa
->p
);
279 buffer_get_bignum_bits(&b
, key
->dsa
->g
);
280 buffer_get_bignum_bits(&b
, key
->dsa
->q
);
281 buffer_get_bignum_bits(&b
, key
->dsa
->pub_key
);
282 buffer_get_bignum_bits(&b
, key
->dsa
->priv_key
);
285 e
= buffer_get_char(&b
);
289 e
+= buffer_get_char(&b
);
292 e
+= buffer_get_char(&b
);
295 if (!BN_set_word(key
->rsa
->e
, e
)) {
300 buffer_get_bignum_bits(&b
, key
->rsa
->d
);
301 buffer_get_bignum_bits(&b
, key
->rsa
->n
);
302 buffer_get_bignum_bits(&b
, key
->rsa
->iqmp
);
303 buffer_get_bignum_bits(&b
, key
->rsa
->q
);
304 buffer_get_bignum_bits(&b
, key
->rsa
->p
);
305 rsa_generate_additional_parameters(key
->rsa
);
308 rlen
= buffer_len(&b
);
310 error("do_convert_private_ssh2_from_blob: "
311 "remaining bytes in key blob %d", rlen
);
315 key_sign(key
, &sig
, &slen
, data
, sizeof(data
));
316 key_verify(key
, sig
, slen
, data
, sizeof(data
));
322 get_line(FILE *fp
, char *line
, size_t len
)
328 while ((c
= fgetc(fp
)) != EOF
) {
329 if (pos
>= len
- 1) {
330 fprintf(stderr
, "input line too long.\n");
336 if (c
!= EOF
&& c
!= '\n' && ungetc(c
, fp
) == EOF
) {
337 fprintf(stderr
, "unget: %s\n", strerror(errno
));
353 do_convert_from_ssh2(struct passwd
*pw
)
362 int escaped
= 0, private = 0, ok
;
366 ask_filename(pw
, "Enter file in which the key is");
367 if (stat(identity_file
, &st
) < 0) {
368 perror(identity_file
);
371 fp
= fopen(identity_file
, "r");
373 perror(identity_file
);
377 while ((blen
= get_line(fp
, line
, sizeof(line
))) != -1) {
378 if (line
[blen
- 1] == '\\')
380 if (strncmp(line
, "----", 4) == 0 ||
381 strstr(line
, ": ") != NULL
) {
382 if (strstr(line
, SSH_COM_PRIVATE_BEGIN
) != NULL
)
384 if (strstr(line
, " END ") != NULL
) {
387 /* fprintf(stderr, "ignore: %s", line); */
392 /* fprintf(stderr, "escaped: %s", line); */
395 strlcat(encoded
, line
, sizeof(encoded
));
397 len
= strlen(encoded
);
398 if (((len
% 4) == 3) &&
399 (encoded
[len
-1] == '=') &&
400 (encoded
[len
-2] == '=') &&
401 (encoded
[len
-3] == '='))
402 encoded
[len
-3] = '\0';
403 blen
= uudecode(encoded
, blob
, sizeof(blob
));
405 fprintf(stderr
, "uudecode failed.\n");
409 do_convert_private_ssh2_from_blob(blob
, blen
) :
410 key_from_blob(blob
, blen
);
412 fprintf(stderr
, "decode blob failed.\n");
416 (k
->type
== KEY_DSA
?
417 PEM_write_DSAPrivateKey(stdout
, k
->dsa
, NULL
, NULL
, 0, NULL
, NULL
) :
418 PEM_write_RSAPrivateKey(stdout
, k
->rsa
, NULL
, NULL
, 0, NULL
, NULL
)) :
419 key_write(k
, stdout
);
421 fprintf(stderr
, "key write failed");
426 fprintf(stdout
, "\n");
432 do_print_public(struct passwd
*pw
)
438 ask_filename(pw
, "Enter file in which the key is");
439 if (stat(identity_file
, &st
) < 0) {
440 perror(identity_file
);
443 prv
= load_identity(identity_file
);
445 fprintf(stderr
, "load failed\n");
448 if (!key_write(prv
, stdout
))
449 fprintf(stderr
, "key_write failed");
451 fprintf(stdout
, "\n");
457 do_upload(struct passwd
*pw
, const char *sc_reader_id
)
464 ask_filename(pw
, "Enter file in which the key is");
465 if (stat(identity_file
, &st
) < 0) {
466 perror(identity_file
);
469 prv
= load_identity(identity_file
);
471 error("load failed");
474 ret
= sc_put_key(prv
, sc_reader_id
);
478 logit("loading key done");
483 do_download(struct passwd
*pw
, const char *sc_reader_id
)
488 keys
= sc_get_keys(sc_reader_id
, NULL
);
490 fatal("cannot read public key from smartcard");
491 for (i
= 0; keys
[i
]; i
++) {
492 key_write(keys
[i
], stdout
);
494 fprintf(stdout
, "\n");
499 #endif /* SMARTCARD */
502 do_fingerprint(struct passwd
*pw
)
506 char *comment
= NULL
, *cp
, *ep
, line
[16*1024], *fp
;
507 int i
, skip
= 0, num
= 1, invalid
= 1;
512 fptype
= print_bubblebabble
? SSH_FP_SHA1
: SSH_FP_MD5
;
513 rep
= print_bubblebabble
? SSH_FP_BUBBLEBABBLE
: SSH_FP_HEX
;
516 ask_filename(pw
, "Enter file in which the key is");
517 if (stat(identity_file
, &st
) < 0) {
518 perror(identity_file
);
521 public = key_load_public(identity_file
, &comment
);
522 if (public != NULL
) {
523 fp
= key_fingerprint(public, fptype
, rep
);
524 printf("%u %s %s\n", key_size(public), fp
, comment
);
535 f
= fopen(identity_file
, "r");
537 while (fgets(line
, sizeof(line
), f
)) {
538 i
= strlen(line
) - 1;
539 if (line
[i
] != '\n') {
540 error("line %d too long: %.40s...", num
, line
);
551 /* Skip leading whitespace, empty and comment lines. */
552 for (cp
= line
; *cp
== ' ' || *cp
== '\t'; cp
++)
554 if (!*cp
|| *cp
== '\n' || *cp
== '#')
556 i
= strtol(cp
, &ep
, 10);
557 if (i
== 0 || ep
== NULL
|| (*ep
!= ' ' && *ep
!= '\t')) {
560 for (; *cp
&& (quoted
|| (*cp
!= ' ' &&
561 *cp
!= '\t')); cp
++) {
562 if (*cp
== '\\' && cp
[1] == '"')
563 cp
++; /* Skip both */
572 public = key_new(KEY_RSA1
);
573 if (key_read(public, &cp
) != 1) {
576 public = key_new(KEY_UNSPEC
);
577 if (key_read(public, &cp
) != 1) {
582 comment
= *cp
? cp
: comment
;
583 fp
= key_fingerprint(public, fptype
, rep
);
584 printf("%u %s %s\n", key_size(public), fp
,
585 comment
? comment
: "no comment");
593 printf("%s is not a public key file.\n", identity_file
);
600 print_host(FILE *f
, char *name
, Key
*public, int hash
)
602 if (hash
&& (name
= host_hash(name
, NULL
, 0)) == NULL
)
603 fatal("hash_host failed");
604 fprintf(f
, "%s ", name
);
605 if (!key_write(public, f
))
606 fatal("key_write failed");
611 do_known_hosts(struct passwd
*pw
, const char *name
)
613 FILE *in
, *out
= stdout
;
615 char *cp
, *cp2
, *kp
, *kp2
;
616 char line
[16*1024], tmp
[MAXPATHLEN
], old
[MAXPATHLEN
];
617 int c
, i
, skip
= 0, inplace
= 0, num
= 0, invalid
= 0, has_unhashed
= 0;
619 if (!have_identity
) {
620 cp
= tilde_expand_filename(_PATH_SSH_USER_HOSTFILE
, pw
->pw_uid
);
621 if (strlcpy(identity_file
, cp
, sizeof(identity_file
)) >=
622 sizeof(identity_file
))
623 fatal("Specified known hosts path too long");
627 if ((in
= fopen(identity_file
, "r")) == NULL
)
628 fatal("fopen: %s", strerror(errno
));
631 * Find hosts goes to stdout, hash and deletions happen in-place
632 * A corner case is ssh-keygen -HF foo, which should go to stdout
634 if (!find_host
&& (hash_hosts
|| delete_host
)) {
635 if (strlcpy(tmp
, identity_file
, sizeof(tmp
)) >= sizeof(tmp
) ||
636 strlcat(tmp
, ".XXXXXXXXXX", sizeof(tmp
)) >= sizeof(tmp
) ||
637 strlcpy(old
, identity_file
, sizeof(old
)) >= sizeof(old
) ||
638 strlcat(old
, ".old", sizeof(old
)) >= sizeof(old
))
639 fatal("known_hosts path too long");
641 if ((c
= mkstemp(tmp
)) == -1)
642 fatal("mkstemp: %s", strerror(errno
));
643 if ((out
= fdopen(c
, "w")) == NULL
) {
646 fatal("fdopen: %s", strerror(c
));
651 while (fgets(line
, sizeof(line
), in
)) {
653 i
= strlen(line
) - 1;
654 if (line
[i
] != '\n') {
655 error("line %d too long: %.40s...", num
, line
);
666 /* Skip leading whitespace, empty and comment lines. */
667 for (cp
= line
; *cp
== ' ' || *cp
== '\t'; cp
++)
669 if (!*cp
|| *cp
== '\n' || *cp
== '#') {
671 fprintf(out
, "%s\n", cp
);
674 /* Find the end of the host name portion. */
675 for (kp
= cp
; *kp
&& *kp
!= ' ' && *kp
!= '\t'; kp
++)
677 if (*kp
== '\0' || *(kp
+ 1) == '\0') {
678 error("line %d missing key: %.40s...",
686 public = key_new(KEY_RSA1
);
687 if (key_read(public, &kp
) != 1) {
690 public = key_new(KEY_UNSPEC
);
691 if (key_read(public, &kp
) != 1) {
692 error("line %d invalid key: %.40s...",
700 if (*cp
== HASH_DELIM
) {
701 if (find_host
|| delete_host
) {
702 cp2
= host_hash(name
, cp
, strlen(cp
));
704 error("line %d: invalid hashed "
705 "name: %.64s...", num
, line
);
709 c
= (strcmp(cp2
, cp
) == 0);
710 if (find_host
&& c
) {
711 printf("# Host %s found: "
712 "line %d type %s\n", name
,
713 num
, key_type(public));
714 print_host(out
, cp
, public, 0);
716 if (delete_host
&& !c
)
717 print_host(out
, cp
, public, 0);
718 } else if (hash_hosts
)
719 print_host(out
, cp
, public, 0);
721 if (find_host
|| delete_host
) {
722 c
= (match_hostname(name
, cp
,
724 if (find_host
&& c
) {
725 printf("# Host %s found: "
726 "line %d type %s\n", name
,
727 num
, key_type(public));
728 print_host(out
, cp
, public, hash_hosts
);
730 if (delete_host
&& !c
)
731 print_host(out
, cp
, public, 0);
732 } else if (hash_hosts
) {
733 for (cp2
= strsep(&cp
, ",");
734 cp2
!= NULL
&& *cp2
!= '\0';
735 cp2
= strsep(&cp
, ",")) {
736 if (strcspn(cp2
, "*?!") != strlen(cp2
))
737 fprintf(stderr
, "Warning: "
738 "ignoring host name with "
739 "metacharacters: %.64s\n",
742 print_host(out
, cp2
, public, 1);
752 fprintf(stderr
, "%s is not a valid known_host file.\n",
755 fprintf(stderr
, "Not replacing existing known_hosts "
756 "file because of errors\n");
766 /* Backup existing file */
767 if (unlink(old
) == -1 && errno
!= ENOENT
)
768 fatal("unlink %.100s: %s", old
, strerror(errno
));
769 if (link(identity_file
, old
) == -1)
770 fatal("link %.100s to %.100s: %s", identity_file
, old
,
772 /* Move new one into place */
773 if (rename(tmp
, identity_file
) == -1) {
774 error("rename\"%s\" to \"%s\": %s", tmp
, identity_file
,
781 fprintf(stderr
, "%s updated.\n", identity_file
);
782 fprintf(stderr
, "Original contents retained as %s\n", old
);
784 fprintf(stderr
, "WARNING: %s contains unhashed "
786 fprintf(stderr
, "Delete this file to ensure privacy "
795 * Perform changing a passphrase. The argument is the passwd structure
796 * for the current user.
799 do_change_passphrase(struct passwd
*pw
)
802 char *old_passphrase
, *passphrase1
, *passphrase2
;
807 ask_filename(pw
, "Enter file in which the key is");
808 if (stat(identity_file
, &st
) < 0) {
809 perror(identity_file
);
812 /* Try to load the file with empty passphrase. */
813 private = key_load_private(identity_file
, "", &comment
);
814 if (private == NULL
) {
815 if (identity_passphrase
)
816 old_passphrase
= xstrdup(identity_passphrase
);
819 read_passphrase("Enter old passphrase: ",
821 private = key_load_private(identity_file
, old_passphrase
,
823 memset(old_passphrase
, 0, strlen(old_passphrase
));
824 xfree(old_passphrase
);
825 if (private == NULL
) {
826 printf("Bad passphrase.\n");
830 printf("Key has comment '%s'\n", comment
);
832 /* Ask the new passphrase (twice). */
833 if (identity_new_passphrase
) {
834 passphrase1
= xstrdup(identity_new_passphrase
);
838 read_passphrase("Enter new passphrase (empty for no "
839 "passphrase): ", RP_ALLOW_STDIN
);
840 passphrase2
= read_passphrase("Enter same passphrase again: ",
843 /* Verify that they are the same. */
844 if (strcmp(passphrase1
, passphrase2
) != 0) {
845 memset(passphrase1
, 0, strlen(passphrase1
));
846 memset(passphrase2
, 0, strlen(passphrase2
));
849 printf("Pass phrases do not match. Try again.\n");
852 /* Destroy the other copy. */
853 memset(passphrase2
, 0, strlen(passphrase2
));
857 /* Save the file using the new passphrase. */
858 if (!key_save_private(private, identity_file
, passphrase1
, comment
)) {
859 printf("Saving the key failed: %s.\n", identity_file
);
860 memset(passphrase1
, 0, strlen(passphrase1
));
866 /* Destroy the passphrase and the copy of the key in memory. */
867 memset(passphrase1
, 0, strlen(passphrase1
));
869 key_free(private); /* Destroys contents */
872 printf("Your identification has been saved with the new passphrase.\n");
877 * Print the SSHFP RR.
880 do_print_resource_record(struct passwd
*pw
, char *fname
, char *hname
)
883 char *comment
= NULL
;
887 ask_filename(pw
, "Enter file in which the key is");
888 if (stat(fname
, &st
) < 0) {
894 public = key_load_public(fname
, &comment
);
895 if (public != NULL
) {
896 export_dns_rr(hname
, public, stdout
, print_generic
);
904 printf("failed to read v2 public key from %s.\n", fname
);
909 * Change the comment of a private key file.
912 do_change_comment(struct passwd
*pw
)
914 char new_comment
[1024], *comment
, *passphrase
;
922 ask_filename(pw
, "Enter file in which the key is");
923 if (stat(identity_file
, &st
) < 0) {
924 perror(identity_file
);
927 private = key_load_private(identity_file
, "", &comment
);
928 if (private == NULL
) {
929 if (identity_passphrase
)
930 passphrase
= xstrdup(identity_passphrase
);
931 else if (identity_new_passphrase
)
932 passphrase
= xstrdup(identity_new_passphrase
);
934 passphrase
= read_passphrase("Enter passphrase: ",
936 /* Try to load using the passphrase. */
937 private = key_load_private(identity_file
, passphrase
, &comment
);
938 if (private == NULL
) {
939 memset(passphrase
, 0, strlen(passphrase
));
941 printf("Bad passphrase.\n");
945 passphrase
= xstrdup("");
947 if (private->type
!= KEY_RSA1
) {
948 fprintf(stderr
, "Comments are only supported for RSA1 keys.\n");
952 printf("Key now has comment '%s'\n", comment
);
954 if (identity_comment
) {
955 strlcpy(new_comment
, identity_comment
, sizeof(new_comment
));
957 printf("Enter new comment: ");
959 if (!fgets(new_comment
, sizeof(new_comment
), stdin
)) {
960 memset(passphrase
, 0, strlen(passphrase
));
964 if (strchr(new_comment
, '\n'))
965 *strchr(new_comment
, '\n') = 0;
968 /* Save the file using the new passphrase. */
969 if (!key_save_private(private, identity_file
, passphrase
, new_comment
)) {
970 printf("Saving the key failed: %s.\n", identity_file
);
971 memset(passphrase
, 0, strlen(passphrase
));
977 memset(passphrase
, 0, strlen(passphrase
));
979 public = key_from_private(private);
982 strlcat(identity_file
, ".pub", sizeof(identity_file
));
983 fd
= open(identity_file
, O_WRONLY
| O_CREAT
| O_TRUNC
, 0644);
985 printf("Could not save your public key in %s\n", identity_file
);
990 printf("fdopen %s failed", identity_file
);
993 if (!key_write(public, f
))
994 fprintf(stderr
, "write key failed");
996 fprintf(f
, " %s\n", new_comment
);
1001 printf("The comment in your key file has been changed.\n");
1008 fprintf(stderr
, "Usage: %s [options]\n", __progname
);
1009 fprintf(stderr
, "Options:\n");
1010 fprintf(stderr
, " -a trials Number of trials for screening DH-GEX moduli.\n");
1011 fprintf(stderr
, " -B Show bubblebabble digest of key file.\n");
1012 fprintf(stderr
, " -b bits Number of bits in the key to create.\n");
1013 fprintf(stderr
, " -C comment Provide new comment.\n");
1014 fprintf(stderr
, " -c Change comment in private and public key files.\n");
1016 fprintf(stderr
, " -D reader Download public key from smartcard.\n");
1017 #endif /* SMARTCARD */
1018 fprintf(stderr
, " -e Convert OpenSSH to IETF SECSH key file.\n");
1019 fprintf(stderr
, " -F hostname Find hostname in known hosts file.\n");
1020 fprintf(stderr
, " -f filename Filename of the key file.\n");
1021 fprintf(stderr
, " -G file Generate candidates for DH-GEX moduli.\n");
1022 fprintf(stderr
, " -g Use generic DNS resource record format.\n");
1023 fprintf(stderr
, " -H Hash names in known_hosts file.\n");
1024 fprintf(stderr
, " -i Convert IETF SECSH to OpenSSH key file.\n");
1025 fprintf(stderr
, " -l Show fingerprint of key file.\n");
1026 fprintf(stderr
, " -M memory Amount of memory (MB) to use for generating DH-GEX moduli.\n");
1027 fprintf(stderr
, " -N phrase Provide new passphrase.\n");
1028 fprintf(stderr
, " -P phrase Provide old passphrase.\n");
1029 fprintf(stderr
, " -p Change passphrase of private key file.\n");
1030 fprintf(stderr
, " -q Quiet.\n");
1031 fprintf(stderr
, " -R hostname Remove host from known_hosts file.\n");
1032 fprintf(stderr
, " -r hostname Print DNS resource record.\n");
1033 fprintf(stderr
, " -S start Start point (hex) for generating DH-GEX moduli.\n");
1034 fprintf(stderr
, " -T file Screen candidates for DH-GEX moduli.\n");
1035 fprintf(stderr
, " -t type Specify type of key to create.\n");
1037 fprintf(stderr
, " -U reader Upload private key to smartcard.\n");
1038 #endif /* SMARTCARD */
1039 fprintf(stderr
, " -v Verbose.\n");
1040 fprintf(stderr
, " -W gen Generator to use for generating DH-GEX moduli.\n");
1041 fprintf(stderr
, " -y Read private key file and print public key.\n");
1047 * Main program for key management.
1050 main(int ac
, char **av
)
1052 char dotsshdir
[MAXPATHLEN
], comment
[1024], *passphrase1
, *passphrase2
;
1053 char out_file
[MAXPATHLEN
], *reader_id
= NULL
;
1054 char *rr_hostname
= NULL
;
1055 Key
*private, *public;
1058 int opt
, type
, fd
, download
= 0;
1059 u_int32_t memory
= 0, generator_wanted
= 0, trials
= 100;
1060 int do_gen_candidates
= 0, do_screen_candidates
= 0;
1061 int log_level
= SYSLOG_LEVEL_INFO
;
1062 BIGNUM
*start
= NULL
;
1067 extern char *optarg
;
1069 /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
1072 __progname
= ssh_get_progname(av
[0]);
1074 SSLeay_add_all_algorithms();
1075 log_init(av
[0], SYSLOG_LEVEL_INFO
, SYSLOG_FACILITY_USER
, 1);
1080 /* we need this for the home * directory. */
1081 pw
= getpwuid(getuid());
1083 printf("You don't exist, go away!\n");
1086 if (gethostname(hostname
, sizeof(hostname
)) < 0) {
1087 perror("gethostname");
1091 while ((opt
= getopt(ac
, av
,
1092 "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
1095 bits
= (u_int32_t
)strtonum(optarg
, 768, 32768, &errstr
);
1097 fatal("Bits has bad value %s (%s)",
1102 rr_hostname
= optarg
;
1109 rr_hostname
= optarg
;
1112 print_fingerprint
= 1;
1115 print_bubblebabble
= 1;
1118 change_passphrase
= 1;
1124 if (strlcpy(identity_file
, optarg
, sizeof(identity_file
)) >=
1125 sizeof(identity_file
))
1126 fatal("Identity filename too long");
1133 identity_passphrase
= optarg
;
1136 identity_new_passphrase
= optarg
;
1139 identity_comment
= optarg
;
1147 convert_to_ssh2
= 1;
1152 convert_from_ssh2
= 1;
1158 key_type_name
= "dsa";
1161 key_type_name
= optarg
;
1170 if (log_level
== SYSLOG_LEVEL_INFO
)
1171 log_level
= SYSLOG_LEVEL_DEBUG1
;
1173 if (log_level
>= SYSLOG_LEVEL_DEBUG1
&&
1174 log_level
< SYSLOG_LEVEL_DEBUG3
)
1179 rr_hostname
= optarg
;
1182 generator_wanted
= (u_int32_t
)strtonum(optarg
, 1,
1185 fatal("Desired generator has bad value: %s (%s)",
1189 trials
= (u_int32_t
)strtonum(optarg
, 1, UINT_MAX
, &errstr
);
1191 fatal("Invalid number of trials: %s (%s)",
1195 memory
= (u_int32_t
)strtonum(optarg
, 1, UINT_MAX
, &errstr
);
1197 fatal("Memory limit is %s: %s", errstr
, optarg
);
1201 do_gen_candidates
= 1;
1202 if (strlcpy(out_file
, optarg
, sizeof(out_file
)) >=
1204 fatal("Output filename too long");
1207 do_screen_candidates
= 1;
1208 if (strlcpy(out_file
, optarg
, sizeof(out_file
)) >=
1210 fatal("Output filename too long");
1213 /* XXX - also compare length against bits */
1214 if (BN_hex2bn(&start
, optarg
) == 0)
1215 fatal("Invalid start point.");
1224 log_init(av
[0], log_level
, SYSLOG_FACILITY_USER
, 1);
1227 printf("Too many arguments.\n");
1230 if (change_passphrase
&& change_comment
) {
1231 printf("Can only have one of -p and -c.\n");
1234 if (delete_host
|| hash_hosts
|| find_host
)
1235 do_known_hosts(pw
, rr_hostname
);
1236 if (print_fingerprint
|| print_bubblebabble
)
1238 if (change_passphrase
)
1239 do_change_passphrase(pw
);
1241 do_change_comment(pw
);
1242 if (convert_to_ssh2
)
1243 do_convert_to_ssh2(pw
);
1244 if (convert_from_ssh2
)
1245 do_convert_from_ssh2(pw
);
1247 do_print_public(pw
);
1248 if (rr_hostname
!= NULL
) {
1251 if (have_identity
) {
1252 n
= do_print_resource_record(pw
,
1253 identity_file
, rr_hostname
);
1255 perror(identity_file
);
1261 n
+= do_print_resource_record(pw
,
1262 _PATH_HOST_RSA_KEY_FILE
, rr_hostname
);
1263 n
+= do_print_resource_record(pw
,
1264 _PATH_HOST_DSA_KEY_FILE
, rr_hostname
);
1267 fatal("no keys found.");
1271 if (reader_id
!= NULL
) {
1274 do_download(pw
, reader_id
);
1276 do_upload(pw
, reader_id
);
1277 #else /* SMARTCARD */
1278 fatal("no support for smartcards.");
1279 #endif /* SMARTCARD */
1282 if (do_gen_candidates
) {
1283 FILE *out
= fopen(out_file
, "w");
1286 error("Couldn't open modulus candidate file \"%s\": %s",
1287 out_file
, strerror(errno
));
1291 bits
= DEFAULT_BITS
;
1292 if (gen_candidates(out
, memory
, bits
, start
) != 0)
1293 fatal("modulus candidate generation failed");
1298 if (do_screen_candidates
) {
1300 FILE *out
= fopen(out_file
, "w");
1302 if (have_identity
&& strcmp(identity_file
, "-") != 0) {
1303 if ((in
= fopen(identity_file
, "r")) == NULL
) {
1304 fatal("Couldn't open modulus candidate "
1305 "file \"%s\": %s", identity_file
,
1312 fatal("Couldn't open moduli file \"%s\": %s",
1313 out_file
, strerror(errno
));
1315 if (prime_test(in
, out
, trials
, generator_wanted
) != 0)
1316 fatal("modulus screening failed");
1322 if (key_type_name
== NULL
)
1323 key_type_name
= "rsa";
1325 type
= key_type_from_name(key_type_name
);
1326 if (type
== KEY_UNSPEC
) {
1327 fprintf(stderr
, "unknown key type %s\n", key_type_name
);
1331 bits
= (type
== KEY_DSA
) ? DEFAULT_BITS_DSA
: DEFAULT_BITS
;
1332 if (type
== KEY_DSA
&& bits
!= 1024)
1333 fatal("DSA keys must be 1024 bits");
1335 printf("Generating public/private %s key pair.\n", key_type_name
);
1336 private = key_generate(type
, bits
);
1337 if (private == NULL
) {
1338 fprintf(stderr
, "key_generate failed");
1341 public = key_from_private(private);
1344 ask_filename(pw
, "Enter file in which to save the key");
1346 /* Create ~/.ssh directory if it doesn't already exist. */
1347 snprintf(dotsshdir
, sizeof dotsshdir
, "%s/%s", pw
->pw_dir
, _PATH_SSH_USER_DIR
);
1348 if (strstr(identity_file
, dotsshdir
) != NULL
&&
1349 stat(dotsshdir
, &st
) < 0) {
1350 if (mkdir(dotsshdir
, 0700) < 0)
1351 error("Could not create directory '%s'.", dotsshdir
);
1353 printf("Created directory '%s'.\n", dotsshdir
);
1355 /* If the file already exists, ask the user to confirm. */
1356 if (stat(identity_file
, &st
) >= 0) {
1358 printf("%s already exists.\n", identity_file
);
1359 printf("Overwrite (y/n)? ");
1361 if (fgets(yesno
, sizeof(yesno
), stdin
) == NULL
)
1363 if (yesno
[0] != 'y' && yesno
[0] != 'Y')
1366 /* Ask for a passphrase (twice). */
1367 if (identity_passphrase
)
1368 passphrase1
= xstrdup(identity_passphrase
);
1369 else if (identity_new_passphrase
)
1370 passphrase1
= xstrdup(identity_new_passphrase
);
1374 read_passphrase("Enter passphrase (empty for no "
1375 "passphrase): ", RP_ALLOW_STDIN
);
1376 passphrase2
= read_passphrase("Enter same passphrase again: ",
1378 if (strcmp(passphrase1
, passphrase2
) != 0) {
1380 * The passphrases do not match. Clear them and
1383 memset(passphrase1
, 0, strlen(passphrase1
));
1384 memset(passphrase2
, 0, strlen(passphrase2
));
1387 printf("Passphrases do not match. Try again.\n");
1388 goto passphrase_again
;
1390 /* Clear the other copy of the passphrase. */
1391 memset(passphrase2
, 0, strlen(passphrase2
));
1395 if (identity_comment
) {
1396 strlcpy(comment
, identity_comment
, sizeof(comment
));
1398 /* Create default commend field for the passphrase. */
1399 snprintf(comment
, sizeof comment
, "%s@%s", pw
->pw_name
, hostname
);
1402 /* Save the key with the given passphrase and comment. */
1403 if (!key_save_private(private, identity_file
, passphrase1
, comment
)) {
1404 printf("Saving the key failed: %s.\n", identity_file
);
1405 memset(passphrase1
, 0, strlen(passphrase1
));
1409 /* Clear the passphrase. */
1410 memset(passphrase1
, 0, strlen(passphrase1
));
1413 /* Clear the private key and the random number generator. */
1418 printf("Your identification has been saved in %s.\n", identity_file
);
1420 strlcat(identity_file
, ".pub", sizeof(identity_file
));
1421 fd
= open(identity_file
, O_WRONLY
| O_CREAT
| O_TRUNC
, 0644);
1423 printf("Could not save your public key in %s\n", identity_file
);
1426 f
= fdopen(fd
, "w");
1428 printf("fdopen %s failed", identity_file
);
1431 if (!key_write(public, f
))
1432 fprintf(stderr
, "write key failed");
1433 fprintf(f
, " %s\n", comment
);
1437 char *fp
= key_fingerprint(public, SSH_FP_MD5
, SSH_FP_HEX
);
1438 printf("Your public key has been saved in %s.\n",
1440 printf("The key fingerprint is:\n");
1441 printf("%s %s\n", fp
, comment
);