[openssh-commits] [openssh] 03/04: upstream: better debug diagnostics when loading keys. Will now list
git+noreply at mindrot.org
git+noreply at mindrot.org
Tue Jun 24 19:25:25 AEST 2025
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 5ba8391d697740a838fd8811434f707f0e079baa
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Thu Jun 19 05:49:05 2025 +0000
upstream: better debug diagnostics when loading keys. Will now list
key fingerprint and algorithm (not just algorithm number) as well as making
it explicit which keys didn't load.
OpenBSD-Commit-ID: ee3e77a0271ab502e653922c6d161b1e091f8fee
---
ssh.c | 38 +++++++++++++++++++++++---------------
1 file changed, 23 insertions(+), 15 deletions(-)
diff --git a/ssh.c b/ssh.c
index b2172b810..b44a94313 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.613 2025/05/06 05:40:56 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.614 2025/06/19 05:49:05 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -529,16 +529,28 @@ resolve_canonicalize(char **hostp, int port)
static void
check_load(int r, struct sshkey **k, const char *path, const char *message)
{
+ char *fp;
+
switch (r) {
case 0:
+ if (k == NULL || *k == NULL)
+ return;
/* Check RSA keys size and discard if undersized */
- if (k != NULL && *k != NULL &&
- (r = sshkey_check_rsa_length(*k,
+ if ((r = sshkey_check_rsa_length(*k,
options.required_rsa_size)) != 0) {
error_r(r, "load %s \"%s\"", message, path);
free(*k);
*k = NULL;
+ break;
}
+ if ((fp = sshkey_fingerprint(*k,
+ options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL) {
+ fatal_f("failed to fingerprint %s %s key from %s",
+ sshkey_type(*k), message, path);
+ }
+ debug("loaded %s from %s: %s %s", message, path,
+ sshkey_type(*k), fp);
+ free(fp);
break;
case SSH_ERR_INTERNAL_ERROR:
case SSH_ERR_ALLOC_FAIL:
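Review bot: The new `fatal_f(...)` on a failed `sshkey_fingerprint()` lets a purely diagnostic step terminate the client after the key has already loaded and passed the RSA length check. The fingerprint is only consumed by the `debug()` line that follows, so a NULL return (presumably allocation failure or an unsupported hash) would be better reported and skipped, e.g. `error_f("failed to fingerprint %s %s key from %s", sshkey_type(*k), message, path); break;`. The fingerprint is also computed on every successful load whatever the log level; if that is intended, a one-line comment saying so would help. The switch in check_load continues past the end of this hunk.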
@@ -552,6 +564,8 @@ check_load(int r, struct sshkey **k, const char *path, const char *message)
error_r(r, "load %s \"%s\"", message, path);
break;
}
+ if (k != NULL && *k == NULL)
+ debug("no %s loaded from %s", message, path);
}
/*
@@ -1723,10 +1737,9 @@ main(int ac, char **av)
if ((o) >= sensitive_data.nkeys) \
fatal_f("pubkey out of array bounds"); \
check_load(sshkey_load_public(p, &(sensitive_data.keys[o]), NULL), \
- &(sensitive_data.keys[o]), p, "pubkey"); \
+ &(sensitive_data.keys[o]), p, "hostbased pubkey"); \
if (sensitive_data.keys[o] != NULL) { \
- debug2("hostbased key %d: %s key from \"%s\"", o, \
- sshkey_ssh_name(sensitive_data.keys[o]), p); \
+ debug2("hostbased pubkey \"%s\" in slot %d", p, o); \
loaded++; \
} \
} while (0)
@@ -1734,10 +1747,9 @@ main(int ac, char **av)
if ((o) >= sensitive_data.nkeys) \
fatal_f("cert out of array bounds"); \
check_load(sshkey_load_cert(p, &(sensitive_data.keys[o])), \
- &(sensitive_data.keys[o]), p, "cert"); \
+ &(sensitive_data.keys[o]), p, "hostbased cert"); \
if (sensitive_data.keys[o] != NULL) { \
- debug2("hostbased key %d: %s cert from \"%s\"", o, \
- sshkey_ssh_name(sensitive_data.keys[o]), p); \
+ debug2("hostbased cert \"%s\" in slot %d", p, o); \
loaded++; \
} \
} while (0)
@@ -2442,9 +2454,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo)
continue;
xasprintf(&cp, "%s-cert", filename);
check_load(sshkey_load_public(cp, &public, NULL),
- &public, filename, "pubkey");
- debug("identity file %s type %d", cp,
- public ? public->type : -1);
+ &public, filename, "identity pubkey");
if (public == NULL) {
free(cp);
continue;
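Review bot: The `check_load()` call in this hunk still passes `filename` as the path, although the file actually read is `cp` (the name with `-cert` appended). The removed `debug()` line named `cp`. Now every diagnostic from check_load, including the new "loaded ... from" and "no ... loaded from" lines, points at the identity file rather than the `-cert` file, which can mislead anyone auditing which credential file was picked up. Suggest `&public, cp, "identity cert");`. The label is inferred from the file suffix, so confirm it against the surrounding function body, which lies outside this hunk.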
@@ -2473,9 +2483,7 @@ load_public_identity_files(const struct ssh_conn_info *cinfo)
free(cp);
check_load(sshkey_load_public(filename, &public, NULL),
- &public, filename, "certificate");
- debug("certificate file %s type %d", filename,
- public ? public->type : -1);
+ &public, filename, "identity cert");
free(options.certificate_files[i]);
options.certificate_files[i] = NULL;
if (public == NULL) {
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.