upstream: Add ssh-keyscan -D option to make it print its results in

SSHFP format bz#2821, ok dtucker@

OpenBSD-Commit-ID: 831446b582e0f298ca15c9d99c415c899e392221
djm@openbsd.org 2018-02-23 05:14:05 +00:00 committed by Damien Miller
parent 3e19fb976a
commit 1a348359e4
2 changed files with 29 additions and 7 deletions


@ -1,4 +1,4 @@
.\" $OpenBSD: ssh-keyscan.1,v 1.40 2017/05/02 17:04:09 jmc Exp $
.\" $OpenBSD: ssh-keyscan.1,v 1.41 2018/02/23 05:14:05 djm Exp $
.\"
.\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
.\"
@ -6,7 +6,7 @@
.\" permitted provided that due credit is given to the author and the
.\" OpenBSD project by leaving this copyright notice intact.
.\"
.Dd $Mdocdate: May 2 2017 $
.Dd $Mdocdate: February 23 2018 $
.Dt SSH-KEYSCAN 1
.Os
.Sh NAME
@ -15,7 +15,7 @@
.Sh SYNOPSIS
.Nm ssh-keyscan
.Bk -words
.Op Fl 46cHv
.Op Fl 46cDHv
.Op Fl f Ar file
.Op Fl p Ar port
.Op Fl T Ar timeout
@ -56,6 +56,12 @@ Forces
to use IPv6 addresses only.
.It Fl c
Request certificates from target hosts instead of plain keys.
.It Fl D
Print keys found as SSHFP DNS records.
The default is to print keys in a format usable as a
.Xr ssh 1
.Pa known_hosts
file.
.It Fl f Ar file
Read hosts or
.Dq addrlist namelist
@ -159,6 +165,10 @@ $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr sshd 8
.%R RFC 4255
.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
.%D 2006
.Re
.Sh AUTHORS
.An -nosplit
.An David Mazieres Aq Mt dm@lcs.mit.edu


@ -1,4 +1,4 @@
/* $OpenBSD: ssh-keyscan.c,v 1.116 2017/11/25 06:46:22 dtucker Exp $ */
/* $OpenBSD: ssh-keyscan.c,v 1.117 2018/02/23 05:14:05 djm Exp $ */
/*
* Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
*
@ -46,6 +46,7 @@
#include "hostfile.h"
#include "ssherr.h"
#include "ssh_api.h"
#include "dns.h"
/* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
Default value is AF_UNSPEC means both IPv4 and IPv6. */
@ -66,6 +67,8 @@ int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
int hash_hosts = 0; /* Hash hostname on output */
int print_sshfp = 0; /* Print SSHFP records instead of known_hosts */
#define MAXMAXFD 256
/* The number of seconds after which to give up on a TCP connection */
@ -280,6 +283,11 @@ keyprint_one(const char *host, struct sshkey *key)
char *hostport;
const char *known_host, *hashed;
if (print_sshfp) {
export_dns_rr(host, key, stdout, 0);
return;
}
hostport = put_host_port(host, ssh_port);
lowercase(hostport);
if (hash_hosts && (hashed = host_hash(host, NULL, 0)) == NULL)
@ -497,7 +505,8 @@ congreet(int s)
confree(s);
return;
}
fprintf(stderr, "# %s:%d %s\n", c->c_name, ssh_port, chop(buf));
fprintf(stderr, "%c %s:%d %s\n", print_sshfp ? ';' : '#',
c->c_name, ssh_port, chop(buf));
keygrab_ssh2(c);
confree(s);
}
@ -621,7 +630,7 @@ static void
usage(void)
{
fprintf(stderr,
"usage: %s [-46cHv] [-f file] [-p port] [-T timeout] [-t type]\n"
"usage: %s [-46cDHv] [-f file] [-p port] [-T timeout] [-t type]\n"
"\t\t [host | addrlist namelist] ...\n",
__progname);
exit(1);
@ -650,7 +659,7 @@ main(int argc, char **argv)
if (argc <= 1)
usage();
while ((opt = getopt(argc, argv, "cHv46p:T:t:f:")) != -1) {
while ((opt = getopt(argc, argv, "cDHv46p:T:t:f:")) != -1) {
switch (opt) {
case 'H':
hash_hosts = 1;
@ -658,6 +667,9 @@ main(int argc, char **argv)
case 'c':
get_cert = 1;
break;
case 'D':
print_sshfp = 1;
break;
case 'p':
ssh_port = a2port(optarg);
if (ssh_port <= 0) {
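Review bot: In the new `if (print_sshfp)` branch of keyprint_one the `-H` flag is silently ignored, since the early `return` happens before `hash_hosts` is consulted, so `ssh-keyscan -H -D` emits unhashed hostnames with no diagnostic; the result of `export_dns_rr` is also discarded, so a key the SSHFP exporter cannot encode (presumably including certificates requested with `-c`) yields neither a record nor an error at this call site. I would reject the combination once the getopt loop in main has finished, `if (print_sshfp && hash_hosts) fatal("-D and -H are mutually exclusive");` (or state in the `-D` entry of ssh-keyscan.1 that `-H` has no effect), and check the exporter's return, `if (!export_dns_rr(host, key, stdout, 0)) error("%s: no SSHFP record for key type %s", host, sshkey_type(key));`, assuming its int return reports success as the dns.c implementation does. The bare `0` passed as the last argument would read better with a short comment naming what it selects, if that parameter toggles generic-RR output — confirm against dns.h. keyprint_one's body continues past the hunk on both sides.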