mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-22 10:00:14 +00:00
upstream: add option to test whether keys in an agent are usable,
by performing a signature and a verification using each key "ssh-add -T pubkey [...]" work by markus@, ok djm@ OpenBSD-Commit-ID: 931b888a600b6a883f65375bd5f73a4776c6d19b
This commit is contained in:
djm@openbsd.org
Damien Miller
parent
a36b0b14a1
commit
aa22c20e0c
14
ssh-add.1
14
ssh-add.1
@ -1,4 +1,4 @@
|
||||
.\" $OpenBSD: ssh-add.1,v 1.66 2017/08/29 13:05:58 jmc Exp $
|
||||
.\" $OpenBSD: ssh-add.1,v 1.67 2019/01/20 22:03:29 djm Exp $
|
||||
.\"
|
||||
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -35,7 +35,7 @@
|
||||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd $Mdocdate: August 29 2017 $
|
||||
.Dd $Mdocdate: January 20 2019 $
|
||||
.Dt SSH-ADD 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -43,7 +43,7 @@
|
||||
.Nd adds private key identities to the authentication agent
|
||||
.Sh SYNOPSIS
|
||||
.Nm ssh-add
|
||||
.Op Fl cDdkLlqXx
|
||||
.Op Fl cDdkLlqTXx
|
||||
.Op Fl E Ar fingerprint_hash
|
||||
.Op Fl t Ar life
|
||||
.Op Ar
|
||||
@ -51,6 +51,10 @@
|
||||
.Fl s Ar pkcs11
|
||||
.Nm ssh-add
|
||||
.Fl e Ar pkcs11
|
||||
.Nm ssh-add
|
||||
.Fl T
|
||||
.Ar pubkey
|
||||
.Op Ar ...
|
||||
.Sh DESCRIPTION
|
||||
.Nm
|
||||
adds private key identities to the authentication agent,
|
||||
@ -131,6 +135,10 @@ Be quiet after a successful operation.
|
||||
.It Fl s Ar pkcs11
|
||||
Add keys provided by the PKCS#11 shared library
|
||||
.Ar pkcs11 .
|
||||
.It Fl T Ar pubkey Op Ar ...
|
||||
Tests whether the private keys that correspond to the specified
|
||||
.Ar pubkey
|
||||
files are usable by performing sign and verify operations on each.
|
||||
.It Fl t Ar life
|
||||
Set a maximum lifetime when adding identities to an agent.
|
||||
The lifetime may be specified in seconds or in a time format
|
||||
|
||||
52
ssh-add.c
52
ssh-add.c
@ -1,4 +1,4 @@
|
||||
/* $OpenBSD: ssh-add.c,v 1.136 2018/09/19 02:03:02 djm Exp $ */
|
||||
/* $OpenBSD: ssh-add.c,v 1.137 2019/01/20 22:03:29 djm Exp $ */
|
||||
/*
|
||||
* Author: Tatu Ylonen <ylo@cs.hut.fi>
|
||||
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
|
||||
@ -417,6 +417,40 @@ update_card(int agent_fd, int add, const char *id, int qflag)
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int
|
||||
test_key(int agent_fd, const char *filename)
|
||||
{
|
||||
struct sshkey *key = NULL;
|
||||
u_char *sig = NULL;
|
||||
size_t slen = 0;
|
||||
int r, ret = -1;
|
||||
char data[1024];
|
||||
|
||||
if ((r = sshkey_load_public(filename, &key, NULL)) != 0) {
|
||||
error("Couldn't read public key %s: %s", filename, ssh_err(r));
|
||||
return -1;
|
||||
}
|
||||
arc4random_buf(data, sizeof(data));
|
||||
if ((r = ssh_agent_sign(agent_fd, key, &sig, &slen, data, sizeof(data),
|
||||
NULL, 0)) != 0) {
|
||||
error("Agent signature failed for %s: %s",
|
||||
filename, ssh_err(r));
|
||||
goto done;
|
||||
}
|
||||
if ((r = sshkey_verify(key, sig, slen, data, sizeof(data),
|
||||
NULL, 0)) != 0) {
|
||||
error("Signature verification failed for %s: %s",
|
||||
filename, ssh_err(r));
|
||||
goto done;
|
||||
}
|
||||
/* success */
|
||||
ret = 0;
|
||||
done:
|
||||
free(sig);
|
||||
sshkey_free(key);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int
|
||||
list_identities(int agent_fd, int do_fp)
|
||||
{
|
||||
@ -524,6 +558,7 @@ usage(void)
|
||||
fprintf(stderr, " -X Unlock agent.\n");
|
||||
fprintf(stderr, " -s pkcs11 Add keys from PKCS#11 provider.\n");
|
||||
fprintf(stderr, " -e pkcs11 Remove keys provided by PKCS#11 provider.\n");
|
||||
fprintf(stderr, " -T pubkey Test if ssh-agent can access matching private key.\n");
|
||||
fprintf(stderr, " -q Be quiet after a successful operation.\n");
|
||||
}
|
||||
|
||||
@ -535,7 +570,7 @@ main(int argc, char **argv)
|
||||
int agent_fd;
|
||||
char *pkcs11provider = NULL;
|
||||
int r, i, ch, deleting = 0, ret = 0, key_only = 0;
|
||||
int xflag = 0, lflag = 0, Dflag = 0, qflag = 0;
|
||||
int xflag = 0, lflag = 0, Dflag = 0, qflag = 0, Tflag = 0;
|
||||
|
||||
ssh_malloc_init(); /* must be called before any mallocs */
|
||||
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
|
||||
@ -559,7 +594,7 @@ main(int argc, char **argv)
|
||||
exit(2);
|
||||
}
|
||||
|
||||
while ((ch = getopt(argc, argv, "klLcdDxXE:e:M:m:qs:t:")) != -1) {
|
||||
while ((ch = getopt(argc, argv, "klLcdDTxXE:e:M:m:qs:t:")) != -1) {
|
||||
switch (ch) {
|
||||
case 'E':
|
||||
fingerprint_hash = ssh_digest_alg_by_name(optarg);
|
||||
@ -623,6 +658,9 @@ main(int argc, char **argv)
|
||||
case 'q':
|
||||
qflag = 1;
|
||||
break;
|
||||
case 'T':
|
||||
Tflag = 1;
|
||||
break;
|
||||
default:
|
||||
usage();
|
||||
ret = 1;
|
||||
@ -648,6 +686,14 @@ main(int argc, char **argv)
|
||||
|
||||
argc -= optind;
|
||||
argv += optind;
|
||||
if (Tflag) {
|
||||
if (argc <= 0)
|
||||
fatal("no keys to test");
|
||||
for (r = i = 0; i < argc; i++)
|
||||
r |= test_key(agent_fd, argv[i]);
|
||||
ret = r == 0 ? 0 : 1;
|
||||
goto done;
|
||||
}
|
||||
if (pkcs11provider != NULL) {
|
||||
if (update_card(agent_fd, !deleting, pkcs11provider,
|
||||
qflag) == -1)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user