[Bug 1319] ssh-keygen does not properly handle multiple keys

bugzilla-daemon at bugzilla.mindrot.org
Fri Dec 2 12:19:01 EST 2011


--- Comment #6 from Damien Miller <djm at mindrot.org> 2011-12-02 12:19:01 EST ---
Fixing this is trickier than I thought. The cases that need to be
supported are:

1. SSH1 public key in a private blob
2. SSH1/SSH2 public key in text form
3. known_hosts
4. authorized_keys

We can deal with case #1 by using key_load_public_type() instead of

It is a little more tricky to support the other cases together though.
For a start, known_hosts always has a hostname before the key string
whereas a public key in text format never does. authorized_keys has
optional key restrictions that need to be recognised and skipped.

A final (?) complication comes in the printing - when printing
fingerprints from known_hosts, one wants to print the hostname obtained
from the start of the line, but when printing everything else the key
comment (end of the line, or baked into a binary SSH1 private key)
is the most important thing.

So, do_fingerprint needs to be rewritten to look something like this:

k = key_load_public_type(KEY_RSA1, identity_file, comment)
if (k != NULL)
  print fingerprint+comment and exit
for line in identity_file
  split_key_line(line, &preamble, &key, &comment)
  if (auth_parse_options(preamble)) {
    // If it has options then it's definitely authorized keys
    authorized_keys = 1
  } else if (*preamble != '\0') {
    // If the preamble doesn't look like options, then it's probably
    // known_hosts
    known_hosts = 1
  } else {
    // If no preamble at all then it's a plain key or authorized_keys
  }
  print_comment(known_hosts ? preamble : comment)


More information about the openssh-bugs mailing list
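
The line classification sketched in the pseudocode above, as an added C example that is not part of the original comment or of OpenSSH. Assumptions: split_key_line() here is a hypothetical implementation, a keyword check stands in for auth_parse_options(), only SSH2 type names are recognised, and the sample line and key blob are constructed.

```c
#include <stdio.h>
#include <string.h>
enum line_kind { KIND_INVALID, KIND_PLAIN_OR_AUTHKEYS, KIND_AUTHORIZED_KEYS, KIND_KNOWN_HOSTS };
/* Assumption: SSH2 type names only; SSH1 text keys carry no type token. */
static const char *const key_types[] = { "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", NULL };
/* Assumption: this keyword check stands in for auth_parse_options(). */
static const char *const opt_words[] = { "command=", "from=", "environment=", "permitopen=",
    "tunnel=", "no-pty", "no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding", NULL };

/* True if s starts with a listed word that ends in '=' or is followed by a char in `after` or by NUL. */
static int starts_with_any(const char *s, const char *const *words, const char *after) {
    for (; *words != NULL; words++) {
        size_t n = strlen(*words);
        if (!strncmp(s, *words, n) && ((*words)[n - 1] == '=' || strchr(after, s[n]))) return 1;
    }
    return 0;
}

/* Hypothetical split_key_line(): finds the key type outside "quotes", splits line in place. */
enum line_kind split_key_line(char *line, char **pre, char **key, char **comment) {
    static char empty[] = "";
    int in_quote = 0, at_token = 1;
    char *p, *k = NULL;
    *pre = *key = *comment = empty;
    line[strcspn(line, "\r\n")] = '\0';
    for (p = line; *p != '\0' && k == NULL; p++) {
        if (in_quote && *p == '\\' && p[1] != '\0') { p++; continue; }  /* escaped char */
        if (*p == '"') in_quote = !in_quote;
        else if (!in_quote && at_token && starts_with_any(p, key_types, " \t")) k = p;
        at_token = !in_quote && (*p == ' ' || *p == '\t');
    }
    if (k == NULL) return KIND_INVALID;
    for (p = k; p > line && (p[-1] == ' ' || p[-1] == '\t'); p--) p[-1] = '\0';  /* trim preamble */
    if (k > line) *pre = line;
    p = k + strcspn(k, " \t"); p += strspn(p, " \t");   /* start of the base64 blob */
    if (*p == '\0') return KIND_INVALID;                /* type name with no key data */
    p += strcspn(p, " \t");
    if (*p != '\0') { *p++ = '\0'; p += strspn(p, " \t"); }
    *key = k; *comment = p;
    if (**pre == '\0') return KIND_PLAIN_OR_AUTHKEYS;
    return starts_with_any(*pre, opt_words, ",") ? KIND_AUTHORIZED_KEYS : KIND_KNOWN_HOSTS;
}

int main(void) {
    /* Constructed sample; the blob is a placeholder, not a real key. */
    char line[] = "command=\"echo ssh-rsa x\",no-pty ssh-rsa AAAAB3Nza alice@example";
    char *pre, *key, *comment;
    int kind = split_key_line(line, &pre, &key, &comment);
    printf("kind=%d preamble=[%s] key=[%s] comment=[%s]\n", kind, pre, key, comment);
    return 0;
}
```

The quoted `ssh-rsa` inside the `command=` option is skipped, which is why the scan tracks quote state instead of searching for the first type name on the line.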