]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | |
3 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
4 | * All rights reserved | |
5 | * Created: Mon Mar 27 02:26:40 1995 ylo | |
6 | * Identity and host key generation and maintenance. | |
7 | */ | |
8 | ||
9 | #include "includes.h" | |
10 | RCSID("$Id$"); | |
11 | ||
12 | #include <openssl/evp.h> | |
13 | #include <openssl/pem.h> | |
14 | #include <openssl/rsa.h> | |
15 | #include <openssl/dsa.h> | |
16 | ||
17 | #include "ssh.h" | |
18 | #include "xmalloc.h" | |
19 | #include "fingerprint.h" | |
20 | #include "key.h" | |
21 | #include "rsa.h" | |
22 | #include "dsa.h" | |
23 | #include "authfile.h" | |
24 | #include "uuencode.h" | |
25 | ||
26 | /* Number of bits in the RSA/DSA key. This value can be changed on the command line. */ | |
27 | int bits = 1024; | |
28 | ||
29 | /* | |
30 | * Flag indicating that we just want to change the passphrase. This can be | |
31 | * set on the command line. | |
32 | */ | |
33 | int change_passphrase = 0; | |
34 | ||
35 | /* | |
36 | * Flag indicating that we just want to change the comment. This can be set | |
37 | * on the command line. | |
38 | */ | |
39 | int change_comment = 0; | |
40 | ||
41 | int quiet = 0; | |
42 | ||
43 | /* Flag indicating that we just want to see the key fingerprint */ | |
44 | int print_fingerprint = 0; | |
45 | ||
46 | /* The identity file name, given on the command line or entered by the user. */ | |
47 | char identity_file[1024]; | |
48 | int have_identity = 0; | |
49 | ||
50 | /* This is set to the passphrase if given on the command line. */ | |
51 | char *identity_passphrase = NULL; | |
52 | ||
53 | /* This is set to the new passphrase if given on the command line. */ | |
54 | char *identity_new_passphrase = NULL; | |
55 | ||
56 | /* This is set to the new comment if given on the command line. */ | |
57 | char *identity_comment = NULL; | |
58 | ||
59 | /* Dump public key file in format used by real and the original SSH 2 */ | |
60 | int convert_to_ssh2 = 0; | |
61 | int convert_from_ssh2 = 0; | |
62 | int print_public = 0; | |
63 | int dsa_mode = 0; | |
64 | ||
65 | /* argv0 */ | |
66 | #ifdef HAVE___PROGNAME | |
67 | extern char *__progname; | |
68 | #else /* HAVE___PROGNAME */ | |
69 | static const char *__progname = "ssh-keygen"; | |
70 | #endif /* HAVE___PROGNAME */ | |
71 | ||
72 | char hostname[MAXHOSTNAMELEN]; | |
73 | ||
74 | void | |
75 | ask_filename(struct passwd *pw, const char *prompt) | |
76 | { | |
77 | char buf[1024]; | |
78 | snprintf(identity_file, sizeof(identity_file), "%s/%s", | |
79 | pw->pw_dir, | |
80 | dsa_mode ? SSH_CLIENT_ID_DSA: SSH_CLIENT_IDENTITY); | |
81 | printf("%s (%s): ", prompt, identity_file); | |
82 | fflush(stdout); | |
83 | if (fgets(buf, sizeof(buf), stdin) == NULL) | |
84 | exit(1); | |
85 | if (strchr(buf, '\n')) | |
86 | *strchr(buf, '\n') = 0; | |
87 | if (strcmp(buf, "") != 0) | |
88 | strlcpy(identity_file, buf, sizeof(identity_file)); | |
89 | have_identity = 1; | |
90 | } | |
91 | ||
92 | int | |
93 | try_load_key(char *filename, Key *k) | |
94 | { | |
95 | int success = 1; | |
96 | if (!load_private_key(filename, "", k, NULL)) { | |
97 | char *pass = read_passphrase("Enter passphrase: ", 1); | |
98 | if (!load_private_key(filename, pass, k, NULL)) { | |
99 | success = 0; | |
100 | } | |
101 | memset(pass, 0, strlen(pass)); | |
102 | xfree(pass); | |
103 | } | |
104 | return success; | |
105 | } | |
106 | ||
107 | #define SSH_COM_MAGIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----" | |
108 | #define SSH_COM_MAGIC_END "---- END SSH2 PUBLIC KEY ----" | |
109 | ||
110 | void | |
111 | do_convert_to_ssh2(struct passwd *pw) | |
112 | { | |
113 | Key *k; | |
114 | int len; | |
115 | unsigned char *blob; | |
116 | struct stat st; | |
117 | ||
118 | if (!have_identity) | |
119 | ask_filename(pw, "Enter file in which the key is"); | |
120 | if (stat(identity_file, &st) < 0) { | |
121 | perror(identity_file); | |
122 | exit(1); | |
123 | } | |
124 | k = key_new(KEY_DSA); | |
125 | if (!try_load_key(identity_file, k)) { | |
126 | fprintf(stderr, "load failed\n"); | |
127 | exit(1); | |
128 | } | |
129 | dsa_make_key_blob(k, &blob, &len); | |
130 | fprintf(stdout, SSH_COM_MAGIC_BEGIN "\n"); | |
131 | fprintf(stdout, | |
132 | "Comment: \"%d-bit DSA, converted from openssh by %s@%s\"\n", | |
133 | BN_num_bits(k->dsa->p), | |
134 | pw->pw_name, hostname); | |
135 | dump_base64(stdout, blob, len); | |
136 | fprintf(stdout, SSH_COM_MAGIC_END "\n"); | |
137 | key_free(k); | |
138 | xfree(blob); | |
139 | exit(0); | |
140 | } | |
141 | ||
142 | void | |
143 | do_convert_from_ssh2(struct passwd *pw) | |
144 | { | |
145 | Key *k; | |
146 | int blen; | |
147 | char line[1024], *p; | |
148 | char blob[8096]; | |
149 | char encoded[8096]; | |
150 | struct stat st; | |
151 | int escaped = 0; | |
152 | FILE *fp; | |
153 | ||
154 | if (!have_identity) | |
155 | ask_filename(pw, "Enter file in which the key is"); | |
156 | if (stat(identity_file, &st) < 0) { | |
157 | perror(identity_file); | |
158 | exit(1); | |
159 | } | |
160 | fp = fopen(identity_file, "r"); | |
161 | if (fp == NULL) { | |
162 | perror(identity_file); | |
163 | exit(1); | |
164 | } | |
165 | encoded[0] = '\0'; | |
166 | while (fgets(line, sizeof(line), fp)) { | |
167 | if (!(p = strchr(line, '\n'))) { | |
168 | fprintf(stderr, "input line too long.\n"); | |
169 | exit(1); | |
170 | } | |
171 | if (p > line && p[-1] == '\\') | |
172 | escaped++; | |
173 | if (strncmp(line, "----", 4) == 0 || | |
174 | strstr(line, ": ") != NULL) { | |
175 | fprintf(stderr, "ignore: %s", line); | |
176 | continue; | |
177 | } | |
178 | if (escaped) { | |
179 | escaped--; | |
180 | fprintf(stderr, "escaped: %s", line); | |
181 | continue; | |
182 | } | |
183 | *p = '\0'; | |
184 | strlcat(encoded, line, sizeof(encoded)); | |
185 | } | |
186 | blen = uudecode(encoded, (unsigned char *)blob, sizeof(blob)); | |
187 | if (blen < 0) { | |
188 | fprintf(stderr, "uudecode failed.\n"); | |
189 | exit(1); | |
190 | } | |
191 | k = dsa_key_from_blob(blob, blen); | |
192 | if (!key_write(k, stdout)) | |
193 | fprintf(stderr, "key_write failed"); | |
194 | key_free(k); | |
195 | fprintf(stdout, "\n"); | |
196 | fclose(fp); | |
197 | exit(0); | |
198 | } | |
199 | ||
200 | void | |
201 | do_print_public(struct passwd *pw) | |
202 | { | |
203 | Key *k; | |
204 | int len; | |
205 | unsigned char *blob; | |
206 | struct stat st; | |
207 | ||
208 | if (!have_identity) | |
209 | ask_filename(pw, "Enter file in which the key is"); | |
210 | if (stat(identity_file, &st) < 0) { | |
211 | perror(identity_file); | |
212 | exit(1); | |
213 | } | |
214 | k = key_new(KEY_DSA); | |
215 | if (!try_load_key(identity_file, k)) { | |
216 | fprintf(stderr, "load failed\n"); | |
217 | exit(1); | |
218 | } | |
219 | dsa_make_key_blob(k, &blob, &len); | |
220 | if (!key_write(k, stdout)) | |
221 | fprintf(stderr, "key_write failed"); | |
222 | key_free(k); | |
223 | xfree(blob); | |
224 | fprintf(stdout, "\n"); | |
225 | exit(0); | |
226 | } | |
227 | ||
228 | void | |
229 | do_fingerprint(struct passwd *pw) | |
230 | { | |
231 | FILE *f; | |
232 | BIGNUM *e, *n; | |
233 | Key *public; | |
234 | char *comment = NULL, *cp, *ep, line[16*1024]; | |
235 | int i, skip = 0, num = 1, invalid = 1; | |
236 | unsigned int ignore; | |
237 | struct stat st; | |
238 | ||
239 | if (!have_identity) | |
240 | ask_filename(pw, "Enter file in which the key is"); | |
241 | if (stat(identity_file, &st) < 0) { | |
242 | perror(identity_file); | |
243 | exit(1); | |
244 | } | |
245 | public = key_new(KEY_RSA); | |
246 | if (load_public_key(identity_file, public, &comment)) { | |
247 | printf("%d %s %s\n", BN_num_bits(public->rsa->n), | |
248 | key_fingerprint(public), comment); | |
249 | key_free(public); | |
250 | exit(0); | |
251 | } | |
252 | key_free(public); | |
253 | ||
254 | /* XXX */ | |
255 | f = fopen(identity_file, "r"); | |
256 | if (f != NULL) { | |
257 | n = BN_new(); | |
258 | e = BN_new(); | |
259 | while (fgets(line, sizeof(line), f)) { | |
260 | i = strlen(line) - 1; | |
261 | if (line[i] != '\n') { | |
262 | error("line %d too long: %.40s...", num, line); | |
263 | skip = 1; | |
264 | continue; | |
265 | } | |
266 | num++; | |
267 | if (skip) { | |
268 | skip = 0; | |
269 | continue; | |
270 | } | |
271 | line[i] = '\0'; | |
272 | ||
273 | /* Skip leading whitespace, empty and comment lines. */ | |
274 | for (cp = line; *cp == ' ' || *cp == '\t'; cp++) | |
275 | ; | |
276 | if (!*cp || *cp == '\n' || *cp == '#') | |
277 | continue ; | |
278 | i = strtol(cp, &ep, 10); | |
279 | if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) { | |
280 | int quoted = 0; | |
281 | comment = cp; | |
282 | for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { | |
283 | if (*cp == '\\' && cp[1] == '"') | |
284 | cp++; /* Skip both */ | |
285 | else if (*cp == '"') | |
286 | quoted = !quoted; | |
287 | } | |
288 | if (!*cp) | |
289 | continue; | |
290 | *cp++ = '\0'; | |
291 | } | |
292 | ep = cp; | |
293 | if (auth_rsa_read_key(&cp, &ignore, e, n)) { | |
294 | invalid = 0; | |
295 | comment = *cp ? cp : comment; | |
296 | printf("%d %s %s\n", BN_num_bits(n), | |
297 | fingerprint(e, n), | |
298 | comment ? comment : "no comment"); | |
299 | } | |
300 | } | |
301 | BN_free(e); | |
302 | BN_free(n); | |
303 | fclose(f); | |
304 | } | |
305 | if (invalid) { | |
306 | printf("%s is not a valid key file.\n", identity_file); | |
307 | exit(1); | |
308 | } | |
309 | exit(0); | |
310 | } | |
311 | ||
312 | /* | |
313 | * Perform changing a passphrase. The argument is the passwd structure | |
314 | * for the current user. | |
315 | */ | |
316 | void | |
317 | do_change_passphrase(struct passwd *pw) | |
318 | { | |
319 | char *comment; | |
320 | char *old_passphrase, *passphrase1, *passphrase2; | |
321 | struct stat st; | |
322 | Key *private; | |
323 | Key *public; | |
324 | int type = dsa_mode ? KEY_DSA : KEY_RSA; | |
325 | ||
326 | if (!have_identity) | |
327 | ask_filename(pw, "Enter file in which the key is"); | |
328 | if (stat(identity_file, &st) < 0) { | |
329 | perror(identity_file); | |
330 | exit(1); | |
331 | } | |
332 | ||
333 | if (type == KEY_RSA) { | |
334 | /* XXX this works currently only for RSA */ | |
335 | public = key_new(type); | |
336 | if (!load_public_key(identity_file, public, NULL)) { | |
337 | printf("%s is not a valid key file.\n", identity_file); | |
338 | exit(1); | |
339 | } | |
340 | /* Clear the public key since we are just about to load the whole file. */ | |
341 | key_free(public); | |
342 | } | |
343 | ||
344 | /* Try to load the file with empty passphrase. */ | |
345 | private = key_new(type); | |
346 | if (!load_private_key(identity_file, "", private, &comment)) { | |
347 | if (identity_passphrase) | |
348 | old_passphrase = xstrdup(identity_passphrase); | |
349 | else | |
350 | old_passphrase = read_passphrase("Enter old passphrase: ", 1); | |
351 | if (!load_private_key(identity_file, old_passphrase, private, &comment)) { | |
352 | memset(old_passphrase, 0, strlen(old_passphrase)); | |
353 | xfree(old_passphrase); | |
354 | printf("Bad passphrase.\n"); | |
355 | exit(1); | |
356 | } | |
357 | memset(old_passphrase, 0, strlen(old_passphrase)); | |
358 | xfree(old_passphrase); | |
359 | } | |
360 | printf("Key has comment '%s'\n", comment); | |
361 | ||
362 | /* Ask the new passphrase (twice). */ | |
363 | if (identity_new_passphrase) { | |
364 | passphrase1 = xstrdup(identity_new_passphrase); | |
365 | passphrase2 = NULL; | |
366 | } else { | |
367 | passphrase1 = | |
368 | read_passphrase("Enter new passphrase (empty for no passphrase): ", 1); | |
369 | passphrase2 = read_passphrase("Enter same passphrase again: ", 1); | |
370 | ||
371 | /* Verify that they are the same. */ | |
372 | if (strcmp(passphrase1, passphrase2) != 0) { | |
373 | memset(passphrase1, 0, strlen(passphrase1)); | |
374 | memset(passphrase2, 0, strlen(passphrase2)); | |
375 | xfree(passphrase1); | |
376 | xfree(passphrase2); | |
377 | printf("Pass phrases do not match. Try again.\n"); | |
378 | exit(1); | |
379 | } | |
380 | /* Destroy the other copy. */ | |
381 | memset(passphrase2, 0, strlen(passphrase2)); | |
382 | xfree(passphrase2); | |
383 | } | |
384 | ||
385 | /* Save the file using the new passphrase. */ | |
386 | if (!save_private_key(identity_file, passphrase1, private, comment)) { | |
387 | printf("Saving the key failed: %s: %s.\n", | |
388 | identity_file, strerror(errno)); | |
389 | memset(passphrase1, 0, strlen(passphrase1)); | |
390 | xfree(passphrase1); | |
391 | key_free(private); | |
392 | xfree(comment); | |
393 | exit(1); | |
394 | } | |
395 | /* Destroy the passphrase and the copy of the key in memory. */ | |
396 | memset(passphrase1, 0, strlen(passphrase1)); | |
397 | xfree(passphrase1); | |
398 | key_free(private); /* Destroys contents */ | |
399 | xfree(comment); | |
400 | ||
401 | printf("Your identification has been saved with the new passphrase.\n"); | |
402 | exit(0); | |
403 | } | |
404 | ||
405 | /* | |
406 | * Change the comment of a private key file. | |
407 | */ | |
408 | void | |
409 | do_change_comment(struct passwd *pw) | |
410 | { | |
411 | char new_comment[1024], *comment; | |
412 | Key *private; | |
413 | Key *public; | |
414 | char *passphrase; | |
415 | struct stat st; | |
416 | FILE *f; | |
417 | ||
418 | if (!have_identity) | |
419 | ask_filename(pw, "Enter file in which the key is"); | |
420 | if (stat(identity_file, &st) < 0) { | |
421 | perror(identity_file); | |
422 | exit(1); | |
423 | } | |
424 | /* | |
425 | * Try to load the public key from the file the verify that it is | |
426 | * readable and of the proper format. | |
427 | */ | |
428 | public = key_new(KEY_RSA); | |
429 | if (!load_public_key(identity_file, public, NULL)) { | |
430 | printf("%s is not a valid key file.\n", identity_file); | |
431 | exit(1); | |
432 | } | |
433 | ||
434 | private = key_new(KEY_RSA); | |
435 | if (load_private_key(identity_file, "", private, &comment)) | |
436 | passphrase = xstrdup(""); | |
437 | else { | |
438 | if (identity_passphrase) | |
439 | passphrase = xstrdup(identity_passphrase); | |
440 | else if (identity_new_passphrase) | |
441 | passphrase = xstrdup(identity_new_passphrase); | |
442 | else | |
443 | passphrase = read_passphrase("Enter passphrase: ", 1); | |
444 | /* Try to load using the passphrase. */ | |
445 | if (!load_private_key(identity_file, passphrase, private, &comment)) { | |
446 | memset(passphrase, 0, strlen(passphrase)); | |
447 | xfree(passphrase); | |
448 | printf("Bad passphrase.\n"); | |
449 | exit(1); | |
450 | } | |
451 | } | |
452 | printf("Key now has comment '%s'\n", comment); | |
453 | ||
454 | if (identity_comment) { | |
455 | strlcpy(new_comment, identity_comment, sizeof(new_comment)); | |
456 | } else { | |
457 | printf("Enter new comment: "); | |
458 | fflush(stdout); | |
459 | if (!fgets(new_comment, sizeof(new_comment), stdin)) { | |
460 | memset(passphrase, 0, strlen(passphrase)); | |
461 | key_free(private); | |
462 | exit(1); | |
463 | } | |
464 | if (strchr(new_comment, '\n')) | |
465 | *strchr(new_comment, '\n') = 0; | |
466 | } | |
467 | ||
468 | /* Save the file using the new passphrase. */ | |
469 | if (!save_private_key(identity_file, passphrase, private, new_comment)) { | |
470 | printf("Saving the key failed: %s: %s.\n", | |
471 | identity_file, strerror(errno)); | |
472 | memset(passphrase, 0, strlen(passphrase)); | |
473 | xfree(passphrase); | |
474 | key_free(private); | |
475 | xfree(comment); | |
476 | exit(1); | |
477 | } | |
478 | memset(passphrase, 0, strlen(passphrase)); | |
479 | xfree(passphrase); | |
480 | key_free(private); | |
481 | ||
482 | strlcat(identity_file, ".pub", sizeof(identity_file)); | |
483 | f = fopen(identity_file, "w"); | |
484 | if (!f) { | |
485 | printf("Could not save your public key in %s\n", identity_file); | |
486 | exit(1); | |
487 | } | |
488 | if (!key_write(public, f)) | |
489 | fprintf(stderr, "write key failed"); | |
490 | key_free(public); | |
491 | fprintf(f, " %s\n", new_comment); | |
492 | fclose(f); | |
493 | ||
494 | xfree(comment); | |
495 | ||
496 | printf("The comment in your key file has been changed.\n"); | |
497 | exit(0); | |
498 | } | |
499 | ||
500 | void | |
501 | usage(void) | |
502 | { | |
503 | printf("Usage: %s [-lpqxXydc] [-b bits] [-f file] [-C comment] [-N new-pass] [-P pass]\n", __progname); | |
504 | exit(1); | |
505 | } | |
506 | ||
507 | /* | |
508 | * Main program for key management. | |
509 | */ | |
510 | int | |
511 | main(int ac, char **av) | |
512 | { | |
513 | char dotsshdir[16 * 1024], comment[1024], *passphrase1, *passphrase2; | |
514 | struct passwd *pw; | |
515 | int opt; | |
516 | struct stat st; | |
517 | FILE *f; | |
518 | Key *private; | |
519 | Key *public; | |
520 | extern int optind; | |
521 | extern char *optarg; | |
522 | ||
523 | OpenSSL_add_all_algorithms(); | |
524 | ||
525 | /* we need this for the home * directory. */ | |
526 | pw = getpwuid(getuid()); | |
527 | if (!pw) { | |
528 | printf("You don't exist, go away!\n"); | |
529 | exit(1); | |
530 | } | |
531 | if (gethostname(hostname, sizeof(hostname)) < 0) { | |
532 | perror("gethostname"); | |
533 | exit(1); | |
534 | } | |
535 | ||
536 | while ((opt = getopt(ac, av, "dqpclRxXyb:f:P:N:C:")) != EOF) { | |
537 | switch (opt) { | |
538 | case 'b': | |
539 | bits = atoi(optarg); | |
540 | if (bits < 512 || bits > 32768) { | |
541 | printf("Bits has bad value.\n"); | |
542 | exit(1); | |
543 | } | |
544 | break; | |
545 | ||
546 | case 'l': | |
547 | print_fingerprint = 1; | |
548 | break; | |
549 | ||
550 | case 'p': | |
551 | change_passphrase = 1; | |
552 | break; | |
553 | ||
554 | case 'c': | |
555 | change_comment = 1; | |
556 | break; | |
557 | ||
558 | case 'f': | |
559 | strlcpy(identity_file, optarg, sizeof(identity_file)); | |
560 | have_identity = 1; | |
561 | break; | |
562 | ||
563 | case 'P': | |
564 | identity_passphrase = optarg; | |
565 | break; | |
566 | ||
567 | case 'N': | |
568 | identity_new_passphrase = optarg; | |
569 | break; | |
570 | ||
571 | case 'C': | |
572 | identity_comment = optarg; | |
573 | break; | |
574 | ||
575 | case 'q': | |
576 | quiet = 1; | |
577 | break; | |
578 | ||
579 | case 'R': | |
580 | if (rsa_alive() == 0) | |
581 | exit(1); | |
582 | else | |
583 | exit(0); | |
584 | break; | |
585 | ||
586 | case 'x': | |
587 | convert_to_ssh2 = 1; | |
588 | break; | |
589 | ||
590 | case 'X': | |
591 | convert_from_ssh2 = 1; | |
592 | break; | |
593 | ||
594 | case 'y': | |
595 | print_public = 1; | |
596 | break; | |
597 | ||
598 | case 'd': | |
599 | dsa_mode = 1; | |
600 | break; | |
601 | ||
602 | case '?': | |
603 | default: | |
604 | usage(); | |
605 | } | |
606 | } | |
607 | if (optind < ac) { | |
608 | printf("Too many arguments.\n"); | |
609 | usage(); | |
610 | } | |
611 | if (change_passphrase && change_comment) { | |
612 | printf("Can only have one of -p and -c.\n"); | |
613 | usage(); | |
614 | } | |
615 | /* check if RSA support is needed and exists */ | |
616 | if (dsa_mode == 0 && rsa_alive() == 0) { | |
617 | fprintf(stderr, | |
618 | "%s: no RSA support in libssl and libcrypto. See ssl(8).\n", | |
619 | __progname); | |
620 | exit(1); | |
621 | } | |
622 | if (print_fingerprint) | |
623 | do_fingerprint(pw); | |
624 | if (change_passphrase) | |
625 | do_change_passphrase(pw); | |
626 | if (change_comment) | |
627 | do_change_comment(pw); | |
628 | if (convert_to_ssh2) | |
629 | do_convert_to_ssh2(pw); | |
630 | if (convert_from_ssh2) | |
631 | do_convert_from_ssh2(pw); | |
632 | if (print_public) | |
633 | do_print_public(pw); | |
634 | ||
635 | arc4random_stir(); | |
636 | ||
637 | if (dsa_mode != 0) { | |
638 | if (!quiet) | |
639 | printf("Generating DSA parameter and key.\n"); | |
640 | public = private = dsa_generate_key(bits); | |
641 | if (private == NULL) { | |
642 | fprintf(stderr, "dsa_generate_keys failed"); | |
643 | exit(1); | |
644 | } | |
645 | } else { | |
646 | if (quiet) | |
647 | rsa_set_verbose(0); | |
648 | /* Generate the rsa key pair. */ | |
649 | public = key_new(KEY_RSA); | |
650 | private = key_new(KEY_RSA); | |
651 | rsa_generate_key(private->rsa, public->rsa, bits); | |
652 | } | |
653 | ||
654 | if (!have_identity) | |
655 | ask_filename(pw, "Enter file in which to save the key"); | |
656 | ||
657 | /* Create ~/.ssh directory if it doesn\'t already exist. */ | |
658 | snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, SSH_USER_DIR); | |
659 | if (strstr(identity_file, dotsshdir) != NULL && | |
660 | stat(dotsshdir, &st) < 0) { | |
661 | if (mkdir(dotsshdir, 0755) < 0) | |
662 | error("Could not create directory '%s'.", dotsshdir); | |
663 | else if (!quiet) | |
664 | printf("Created directory '%s'.\n", dotsshdir); | |
665 | } | |
666 | /* If the file already exists, ask the user to confirm. */ | |
667 | if (stat(identity_file, &st) >= 0) { | |
668 | char yesno[3]; | |
669 | printf("%s already exists.\n", identity_file); | |
670 | printf("Overwrite (y/n)? "); | |
671 | fflush(stdout); | |
672 | if (fgets(yesno, sizeof(yesno), stdin) == NULL) | |
673 | exit(1); | |
674 | if (yesno[0] != 'y' && yesno[0] != 'Y') | |
675 | exit(1); | |
676 | } | |
677 | /* Ask for a passphrase (twice). */ | |
678 | if (identity_passphrase) | |
679 | passphrase1 = xstrdup(identity_passphrase); | |
680 | else if (identity_new_passphrase) | |
681 | passphrase1 = xstrdup(identity_new_passphrase); | |
682 | else { | |
683 | passphrase_again: | |
684 | passphrase1 = | |
685 | read_passphrase("Enter passphrase (empty for no passphrase): ", 1); | |
686 | passphrase2 = read_passphrase("Enter same passphrase again: ", 1); | |
687 | if (strcmp(passphrase1, passphrase2) != 0) { | |
688 | /* The passphrases do not match. Clear them and retry. */ | |
689 | memset(passphrase1, 0, strlen(passphrase1)); | |
690 | memset(passphrase2, 0, strlen(passphrase2)); | |
691 | xfree(passphrase1); | |
692 | xfree(passphrase2); | |
693 | printf("Passphrases do not match. Try again.\n"); | |
694 | goto passphrase_again; | |
695 | } | |
696 | /* Clear the other copy of the passphrase. */ | |
697 | memset(passphrase2, 0, strlen(passphrase2)); | |
698 | xfree(passphrase2); | |
699 | } | |
700 | ||
701 | if (identity_comment) { | |
702 | strlcpy(comment, identity_comment, sizeof(comment)); | |
703 | } else { | |
704 | /* Create default commend field for the passphrase. */ | |
705 | snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname); | |
706 | } | |
707 | ||
708 | /* Save the key with the given passphrase and comment. */ | |
709 | if (!save_private_key(identity_file, passphrase1, private, comment)) { | |
710 | printf("Saving the key failed: %s: %s.\n", | |
711 | identity_file, strerror(errno)); | |
712 | memset(passphrase1, 0, strlen(passphrase1)); | |
713 | xfree(passphrase1); | |
714 | exit(1); | |
715 | } | |
716 | /* Clear the passphrase. */ | |
717 | memset(passphrase1, 0, strlen(passphrase1)); | |
718 | xfree(passphrase1); | |
719 | ||
720 | /* Clear the private key and the random number generator. */ | |
721 | if (private != public) { | |
722 | key_free(private); | |
723 | } | |
724 | arc4random_stir(); | |
725 | ||
726 | if (!quiet) | |
727 | printf("Your identification has been saved in %s.\n", identity_file); | |
728 | ||
729 | strlcat(identity_file, ".pub", sizeof(identity_file)); | |
730 | f = fopen(identity_file, "w"); | |
731 | if (!f) { | |
732 | printf("Could not save your public key in %s\n", identity_file); | |
733 | exit(1); | |
734 | } | |
735 | if (!key_write(public, f)) | |
736 | fprintf(stderr, "write key failed"); | |
737 | fprintf(f, " %s\n", comment); | |
738 | fclose(f); | |
739 | ||
740 | if (!quiet) { | |
741 | printf("Your public key has been saved in %s.\n", | |
742 | identity_file); | |
743 | printf("The key fingerprint is:\n"); | |
744 | printf("%s %s\n", key_fingerprint(public), comment); | |
745 | } | |
746 | ||
747 | key_free(public); | |
748 | exit(0); | |
749 | } |