[openssh-commits] [openssh] 01/01: upstream: Add ssh-keyscan -D option to make it print its results in

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Feb 23 17:00:56 AEDT 2018



djm pushed a commit to branch master
in repository openssh.

commit 1a348359e4d2876203b5255941bae348557f4f54
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Fri Feb 23 05:14:05 2018 +0000

    upstream: Add ssh-keyscan -D option to make it print its results in
    
    SSHFP format bz#2821, ok dtucker@
    
    OpenBSD-Commit-ID: 831446b582e0f298ca15c9d99c415c899e392221
---
 ssh-keyscan.1 | 16 +++++++++++++---
 ssh-keyscan.c | 20 ++++++++++++++++----
 2 files changed, 29 insertions(+), 7 deletions(-)

diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index aa4a2ae8..cdbce0b3 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keyscan.1,v 1.40 2017/05/02 17:04:09 jmc Exp $
+.\"	$OpenBSD: ssh-keyscan.1,v 1.41 2018/02/23 05:14:05 djm Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm at lcs.mit.edu>.
 .\"
@@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: May 2 2017 $
+.Dd $Mdocdate: February 23 2018 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@@ -15,7 +15,7 @@
 .Sh SYNOPSIS
 .Nm ssh-keyscan
 .Bk -words
-.Op Fl 46cHv
+.Op Fl 46cDHv
 .Op Fl f Ar file
 .Op Fl p Ar port
 .Op Fl T Ar timeout
@@ -56,6 +56,12 @@ Forces
 to use IPv6 addresses only.
 .It Fl c
 Request certificates from target hosts instead of plain keys.
+.It Fl D
+Print keys found as SSHFP DNS records.
+The default is to print keys in a format usable as a
+.Xr ssh 1
+.Pa known_hosts
+file.
 .It Fl f Ar file
 Read hosts or
 .Dq addrlist namelist
@@ -159,6 +165,10 @@ $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr sshd 8
+.%R RFC 4255
+.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
+.%D 2006
+.Re
 .Sh AUTHORS
 .An -nosplit
 .An David Mazieres Aq Mt dm at lcs.mit.edu
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index a816a220..15059f6f 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.116 2017/11/25 06:46:22 dtucker Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.117 2018/02/23 05:14:05 djm Exp $ */
 /*
  * Copyright 1995, 1996 by David Mazieres <dm at lcs.mit.edu>.
  *
@@ -46,6 +46,7 @@
 #include "hostfile.h"
 #include "ssherr.h"
 #include "ssh_api.h"
+#include "dns.h"
 
 /* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
    Default value is AF_UNSPEC means both IPv4 and IPv6. */
@@ -66,6 +67,8 @@ int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
 
 int hash_hosts = 0;		/* Hash hostname on output */
 
+int print_sshfp = 0;		/* Print SSHFP records instead of known_hosts */
+
 #define MAXMAXFD 256
 
 /* The number of seconds after which to give up on a TCP connection */
@@ -280,6 +283,11 @@ keyprint_one(const char *host, struct sshkey *key)
 	char *hostport;
 	const char *known_host, *hashed;
 
+	if (print_sshfp) {
+		export_dns_rr(host, key, stdout, 0);
+		return;
+	}
+
 	hostport = put_host_port(host, ssh_port);
 	lowercase(hostport);
 	if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
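Review bot: The result of `export_dns_rr()` is discarded in the new `print_sshfp` branch of keyprint_one(), so a key for which no SSHFP record could be produced leaves nothing on stdout and the exit status stays 0; the only signal is whatever dns.c itself logs to stderr. If I recall dns.c correctly it cannot encode certificate key types, in which case `-c` together with `-D` (the `case 'D'` hunk in main()) would fail for every host; the cleanest fix is to reject the combination after option parsing, `if (get_cert && print_sshfp) fatal("-c and -D are mutually exclusive");`, rather than rely on per-key errors. The branch also returns before `hostport`/`hashed` are computed, so `-p` and `-H` have no effect in SSHFP mode; that is sensible for DNS owner names but deserves a comment such as `/* SSHFP owner is the bare hostname: -H hashing and -p do not apply */`. keyprint_one() starts and ends outside this hunk.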
@@ -497,7 +505,8 @@ congreet(int s)
 		confree(s);
 		return;
 	}
-	fprintf(stderr, "# %s:%d %s\n", c->c_name, ssh_port, chop(buf));
+	fprintf(stderr, "%c %s:%d %s\n", print_sshfp ? ';' : '#',
+	    c->c_name, ssh_port, chop(buf));
 	keygrab_ssh2(c);
 	confree(s);
 }
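Review bot: The `';'` versus `'#'` choice for the banner line in congreet() is left unexplained; both are comment lead-ins in their respective output formats (DNS zone file for `-D`, known_hosts otherwise), and because the line goes to stderr it only matters when a caller merges stderr into the saved output. A short comment would spare the next reader the lookup, e.g. `/* ';' opens a comment in zone files, '#' in known_hosts */`. congreet() starts outside this hunk.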
@@ -621,7 +630,7 @@ static void
 usage(void)
 {
 	fprintf(stderr,
-	    "usage: %s [-46cHv] [-f file] [-p port] [-T timeout] [-t type]\n"
+	    "usage: %s [-46cDHv] [-f file] [-p port] [-T timeout] [-t type]\n"
 	    "\t\t   [host | addrlist namelist] ...\n",
 	    __progname);
 	exit(1);
@@ -650,7 +659,7 @@ main(int argc, char **argv)
 	if (argc <= 1)
 		usage();
 
-	while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
+	while ((opt = getopt(argc, argv, "cDHv46p:T:t:f:")) != -1) {
 		switch (opt) {
 		case 'H':
 			hash_hosts = 1;
@@ -658,6 +667,9 @@ main(int argc, char **argv)
 		case 'c':
 			get_cert = 1;
 			break;
+		case 'D':
+			print_sshfp = 1;
+			break;
 		case 'p':
 			ssh_port = a2port(optarg);
 			if (ssh_port <= 0) {
