new option ssh-add -v to verify if key is loaded into the agent

Markus Friedl markus.r.friedl at arcor.de
Sat May 7 00:42:15 EST 2011


On Thu, Apr 07, 2011 at 09:12:08AM +0200, Konrad Bucheli wrote:
> Dear openssh developers
> 
> In a shell script I need to verify if a key belonging to a given public
> key file is already loaded into the agent. To achieve this, I added a
> new option -v to ssh-add which does this verification.
> 
> The patch is based on openssh v5.8p1. The regression test agent.sh was
> extended to test this new feature.
> 
> Is there any chance of including the attached patch?

fwiw, some of my ssh trees had something like this (restricted
to ssh v2 keys).

Index: ssh-add.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-add.c,v
retrieving revision 1.100
diff -u -p -u -r1.100 ssh-add.c
--- ssh-add.c	31 Aug 2010 12:33:38 -0000	1.100
+++ ssh-add.c	6 May 2011 14:34:44 -0000
@@ -261,6 +261,32 @@ update_card(AuthenticationConnection *ac
 }
 
 static int
+test_key(AuthenticationConnection *ac, const char *filename)
+{
+	Key *key = NULL;
+	u_char *sig = NULL;
+	u_int slen = 0;
+	int ret = -1;
+	char data[1024];
+
+	if ((key = key_load_public(filename, NULL)) == NULL) {
+		error("Loading key from '%s' failed", filename);
+		goto done;
+	}
+	arc4random_buf(data, sizeof(data));
+	if (ssh_agent_sign(ac, key, &sig, &slen, data, sizeof(data)) == -1)
+		goto done;
+	if (key_verify(key, sig, slen, data, sizeof(data)) == 1)
+		ret = 0;
+ done:
+	if (sig)
+		xfree(sig);
+	if (key)
+		key_free(key);
+	return (ret);
+}
+
+static int
 list_identities(AuthenticationConnection *ac, int do_fp)
 {
 	Key *key;
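Review bot: A failing ssh_agent_sign() call on the `if (ssh_agent_sign(ac, key, &sig, &slen, data, sizeof(data)) == -1)` line drops straight to `done` without any message, so a user running -T against a key the agent does not hold gets only the exit status, whereas an unreadable public key file two lines above does print an error; adding `error("Agent could not sign with key from '%s'", filename);` before that goto keeps the two outcomes distinguishable on stderr. The `== 1` test on key_verify() is right as written, since that function also reports internal errors with -1 and both cases should count as "not verified". Separately, `data` is declared `char data[1024]` but is handed to the signing and verify routines, which (if their prototypes take `u_char *` as in authfd.h and key.h) will draw a pointer-sign warning; `u_char data[1024]` avoids it. Because the agent must sign freshly generated random bytes and the signature is checked against the public key read from the file, a zero return really does demonstrate that the agent holds the matching private key rather than merely a key with the same fingerprint.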
@@ -351,6 +377,7 @@ usage(void)
 	fprintf(stderr, "  -c          Require confirmation to sign using identities\n");
 	fprintf(stderr, "  -s pkcs11   Add keys from PKCS#11 provider.\n");
 	fprintf(stderr, "  -e pkcs11   Remove keys provided by PKCS#11 provider.\n");
+	fprintf(stderr, "  -T pubkey   Test if ssh-agent can access matching private key.\n");
 }
 
 int
@@ -360,6 +387,7 @@ main(int argc, char **argv)
 	extern int optind;
 	AuthenticationConnection *ac = NULL;
 	char *pkcs11provider = NULL;
+	char *testing = NULL;
 	int i, ch, deleting = 0, ret = 0;
 
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
@@ -374,7 +402,7 @@ main(int argc, char **argv)
 		    "Could not open a connection to your authentication agent.\n");
 		exit(2);
 	}
-	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
+	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:T:")) != -1) {
 		switch (ch) {
 		case 'l':
 		case 'L':
@@ -410,6 +438,9 @@ main(int argc, char **argv)
 				goto done;
 			}
 			break;
+		case 'T':
+			testing = optarg;
+			break;
 		default:
 			usage();
 			ret = 1;
@@ -418,6 +449,10 @@ main(int argc, char **argv)
 	}
 	argc -= optind;
 	argv += optind;
+	if (testing != NULL) {
+		ret = (test_key(ac, testing) == 0) ? 0 : 1;
+		goto done;
+	}
 	if (pkcs11provider != NULL) {
 		if (update_card(ac, !deleting, pkcs11provider) == -1)
 			ret = 1;
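Review bot: The `ret = (test_key(ac, testing) == 0) ? 0 : 1;` line folds two different failures into exit status 1, because test_key() returns -1 both when the agent lacks the key and when the public key file cannot be loaded; a script that uses -T to decide whether to run ssh-add will therefore treat a mistyped path as "key not loaded". If that distinction matters, test_key() could return a distinct value for the load failure and this line map it to its own exit code (2 is already used above for "no agent"). Any positional file arguments supplied alongside -T are also discarded by the `goto done` without a warning; either saying so in usage() or rejecting `argc > 0` here would make that explicit. main() continues outside the hunk.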

