upstream: Allow existing -U (use agent) flag to work with "-Y sign"

operations, where it will be interpreted to require that the private keys is hosted in an agent; bz3429, suggested by Adam Szkoda; ok dtucker@ OpenBSD-Commit-ID: a7bc69873b99c32c42c7628ed9ea91565ba08c2f
2022-05-09 03:09:53 +00:00 · 2022-05-09 03:09:53 +00:00 · 0086a286ea
parent cb010744cc
commit 0086a286ea
2 changed files with 17 additions and 10 deletions
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.221 2022/05/03 07:42:27 florian Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.222 2022/05/09 03:09:53 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 3 2022 $
+.Dd $Mdocdate: May 9 2022 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@ -583,7 +583,9 @@ and
 (the default).
 .It Fl U
 When used in combination with
-.Fl s ,
+.Fl s
+or
+.Fl Y Ar sign ,
 this option indicates that a CA key resides in a
 .Xr ssh-agent 1 .
 See the
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.451 2022/05/08 22:58:35 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.452 2022/05/09 03:09:53 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -2654,8 +2654,8 @@ sig_process_opts(char * const *opts, size_t nopts, char **hashalgp,


 static int
-sig_sign(const char *keypath, const char *sig_namespace, int argc, char **argv,
-    char * const *opts, size_t nopts)
+sig_sign(const char *keypath, const char *sig_namespace, int require_agent,
+    int argc, char **argv, char * const *opts, size_t nopts)
 {
 	int i, fd = -1, r, ret = -1;
 	int agent_fd = -1;
@ -2679,13 +2679,18 @@ sig_sign(const char *keypath, const char *sig_namespace, int argc, char **argv,
 		goto done;
 	}

-	if ((r = ssh_get_authentication_socket(&agent_fd)) != 0)
+	if ((r = ssh_get_authentication_socket(&agent_fd)) != 0) {
+		if (require_agent)
+			fatal("Couldn't get agent socket");
 		debug_r(r, "Couldn't get agent socket");
-	else {
+	} else {
 		if ((r = ssh_agent_has_key(agent_fd, pubkey)) == 0)
 			signer = agent_signer;
-		else
+		else {
+			if (require_agent)
+				fatal("Couldn't find key in agent");
 			debug_r(r, "Couldn't find key in agent");
+		}
 	}

 	if (signer == NULL) {
@ -3543,7 +3548,7 @@ main(int argc, char **argv)
 				exit(1);
 			}
 			return sig_sign(identity_file, cert_principals,
-			    argc, argv, opts, nopts);
+			    prefer_agent, argc, argv, opts, nopts);
 		} else if (strncmp(sign_op, "check-novalidate", 16) == 0) {
 			/* NB. cert_principals is actually namespace, via -n */
 			if (cert_principals == NULL ||