xref: /titanic_44/usr/src/cmd/ssh/ssh-add/ssh-add.c (revision ea01bd62c06264135e67699c4e213c6de9313abe)
1 /*
2  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 /*
6  * Author: Tatu Ylonen <ylo@cs.hut.fi>
7  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8  *                    All rights reserved
9  * Adds an identity to the authentication server, or removes an identity.
10  *
11  * As far as I am concerned, the code I have written for this software
12  * can be used freely for any purpose.  Any derived versions of this
13  * software must be clearly marked as such, and if the derived work is
14  * incompatible with the protocol description in the RFC file, it must be
15  * called by a name other than "ssh" or "Secure Shell".
16  *
17  * SSH2 implementation,
18  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
19  *
20  * Redistribution and use in source and binary forms, with or without
21  * modification, are permitted provided that the following conditions
22  * are met:
23  * 1. Redistributions of source code must retain the above copyright
24  *    notice, this list of conditions and the following disclaimer.
25  * 2. Redistributions in binary form must reproduce the above copyright
26  *    notice, this list of conditions and the following disclaimer in the
27  *    documentation and/or other materials provided with the distribution.
28  *
29  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
30  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
31  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
32  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
33  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
34  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
35  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
36  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
37  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
38  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39  */
40 
41 #include "includes.h"
42 RCSID("$OpenBSD: ssh-add.c,v 1.63 2002/09/19 15:51:23 markus Exp $");
43 
44 #include <openssl/evp.h>
45 
46 #include "ssh.h"
47 #include "rsa.h"
48 #include "log.h"
49 #include "xmalloc.h"
50 #include "key.h"
51 #include "authfd.h"
52 #include "authfile.h"
53 #include "pathnames.h"
54 #include "readpass.h"
55 #include "misc.h"
56 
57 #ifdef HAVE___PROGNAME
58 extern char *__progname;
59 #else
60 char *__progname;
61 #endif
62 
63 /* argv0 */
64 extern char *__progname;
65 
66 /* Default files to add */
67 static char *default_files[] = {
68 	_PATH_SSH_CLIENT_ID_RSA,
69 	_PATH_SSH_CLIENT_ID_DSA,
70 	_PATH_SSH_CLIENT_IDENTITY,
71 	NULL
72 };
73 
74 /* Default lifetime (0 == forever) */
75 static int lifetime = 0;
76 
77 /* we keep a cache of one passphrases */
78 static char *pass = NULL;
79 static void
clear_pass(void)80 clear_pass(void)
81 {
82 	if (pass) {
83 		memset(pass, 0, strlen(pass));
84 		xfree(pass);
85 		pass = NULL;
86 	}
87 }
88 
89 static int
delete_file(AuthenticationConnection * ac,const char * filename)90 delete_file(AuthenticationConnection *ac, const char *filename)
91 {
92 	Key *public;
93 	char *comment = NULL;
94 	int ret = -1;
95 
96 	public = key_load_public(filename, &comment);
97 	if (public == NULL) {
98 		printf(gettext("Bad key file %s\n"), filename);
99 		return -1;
100 	}
101 	if (ssh_remove_identity(ac, public)) {
102 		fprintf(stderr, gettext("Identity removed: %s (%s)\n"),
103 			filename, comment);
104 		ret = 0;
105 	} else
106 		fprintf(stderr, gettext("Could not remove identity: %s\n"),
107 			filename);
108 
109 	key_free(public);
110 	xfree(comment);
111 
112 	return ret;
113 }
114 
115 /* Send a request to remove all identities. */
116 static int
delete_all(AuthenticationConnection * ac)117 delete_all(AuthenticationConnection *ac)
118 {
119 	int ret = -1;
120 
121 	if (ssh_remove_all_identities(ac, 1))
122 		ret = 0;
123 	/* ignore error-code for ssh2 */
124 	ssh_remove_all_identities(ac, 2);
125 
126 	if (ret == 0)
127 		fprintf(stderr, gettext("All identities removed.\n"));
128 	else
129 		fprintf(stderr, gettext("Failed to remove all identities.\n"));
130 
131 	return ret;
132 }
133 
134 static int
add_file(AuthenticationConnection * ac,const char * filename)135 add_file(AuthenticationConnection *ac, const char *filename)
136 {
137 	struct stat st;
138 	Key *private;
139 	char *comment = NULL;
140 	char msg[1024];
141 	int ret = -1;
142 
143 	if (stat(filename, &st) < 0) {
144 		perror(filename);
145 		return -1;
146 	}
147 	/* At first, try empty passphrase */
148 	private = key_load_private(filename, "", &comment);
149 	if (comment == NULL)
150 		comment = xstrdup(filename);
151 	/* try last */
152 	if (private == NULL && pass != NULL)
153 		private = key_load_private(filename, pass, NULL);
154 	if (private == NULL) {
155 		/* clear passphrase since it did not work */
156 		clear_pass();
157 		snprintf(msg, sizeof msg,
158 			 gettext("Enter passphrase for %.200s: "), comment);
159 		for (;;) {
160 			pass = read_passphrase(msg, RP_ALLOW_STDIN);
161 			if (strcmp(pass, "") == 0) {
162 				clear_pass();
163 				xfree(comment);
164 				return -1;
165 			}
166 			private = key_load_private(filename, pass, &comment);
167 			if (private != NULL)
168 				break;
169 			clear_pass();
170 			strlcpy(msg, gettext("Bad passphrase, try again: "),
171 				sizeof msg);
172 		}
173 	}
174 
175 	if (ssh_add_identity_constrained(ac, private, comment, lifetime)) {
176 		fprintf(stderr, gettext("Identity added: %s (%s)\n"),
177 			filename, comment);
178 		ret = 0;
179 		if (lifetime != 0)
180                         fprintf(stderr,
181 			    gettext("Lifetime set to %d seconds\n"), lifetime);
182 	} else if (ssh_add_identity(ac, private, comment)) {
183 		fprintf(stderr, gettext("Identity added: %s (%s)\n"),
184 			filename, comment);
185 		ret = 0;
186 	} else {
187 		fprintf(stderr, gettext("Could not add identity: %s\n"),
188 			filename);
189 	}
190 
191 	xfree(comment);
192 	key_free(private);
193 
194 	return ret;
195 }
196 
197 static int
list_identities(AuthenticationConnection * ac,int do_fp)198 list_identities(AuthenticationConnection *ac, int do_fp)
199 {
200 	Key *key;
201 	char *comment, *fp;
202 	int had_identities = 0;
203 	int version;
204 
205 	for (version = 1; version <= 2; version++) {
206 		for (key = ssh_get_first_identity(ac, &comment, version);
207 		    key != NULL;
208 		    key = ssh_get_next_identity(ac, &comment, version)) {
209 			had_identities = 1;
210 			if (do_fp) {
211 				fp = key_fingerprint(key, SSH_FP_MD5,
212 				    SSH_FP_HEX);
213 				printf("%d %s %s (%s)\n",
214 				    key_size(key), fp, comment, key_type(key));
215 				xfree(fp);
216 			} else {
217 				if (!key_write(key, stdout))
218 					fprintf(stderr,
219 						gettext("key_write failed"));
220 				fprintf(stdout, " %s\n", comment);
221 			}
222 			key_free(key);
223 			xfree(comment);
224 		}
225 	}
226 	if (!had_identities) {
227 		printf(gettext("The agent has no identities.\n"));
228 		return -1;
229 	}
230 	return 0;
231 }
232 
233 static int
lock_agent(AuthenticationConnection * ac,int lock)234 lock_agent(AuthenticationConnection *ac, int lock)
235 {
236 	char prompt[100], *p1, *p2;
237 	int passok = 1, ret = -1;
238 
239 	strlcpy(prompt, "Enter lock password: ", sizeof(prompt));
240 	p1 = read_passphrase(prompt, RP_ALLOW_STDIN);
241 	if (lock) {
242 		strlcpy(prompt, "Again: ", sizeof prompt);
243 		p2 = read_passphrase(prompt, RP_ALLOW_STDIN);
244 		if (strcmp(p1, p2) != 0) {
245 			fprintf(stderr, gettext("Passwords do not match.\n"));
246 			passok = 0;
247 		}
248 		memset(p2, 0, strlen(p2));
249 		xfree(p2);
250 	}
251 	if (passok && ssh_lock_agent(ac, lock, p1)) {
252 		if (lock)
253 			fprintf(stderr, gettext("Agent locked.\n"));
254 		else
255 			fprintf(stderr, gettext("Agent unlocked.\n"));
256 		ret = 0;
257 	} else {
258 		if (lock)
259 			fprintf(stderr, gettext("Failed to lock agent.\n"));
260 		else
261 			fprintf(stderr, gettext("Failed to unlock agent.\n"));
262 	}
263 	memset(p1, 0, strlen(p1));
264 	xfree(p1);
265 	return (ret);
266 }
267 
268 static int
do_file(AuthenticationConnection * ac,int deleting,char * file)269 do_file(AuthenticationConnection *ac, int deleting, char *file)
270 {
271 	if (deleting) {
272 		if (delete_file(ac, file) == -1)
273 			return -1;
274 	} else {
275 		if (add_file(ac, file) == -1)
276 			return -1;
277 	}
278 	return 0;
279 }
280 
281 static void
usage(void)282 usage(void)
283 {
284 	fprintf(stderr,
285 		gettext( "Usage: %s [options]\n"
286 		"Options:\n"
287 		"  -l          List fingerprints of all identities.\n"
288 		"  -L          List public key parameters of all identities.\n"
289 		"  -d          Delete identity.\n"
290 		"  -D          Delete all identities.\n"
291 		"  -x          Lock agent.\n"
292 		"  -X          Unlock agent.\n"
293 		"  -t life     Set lifetime (seconds) when adding identities.\n"
294 		), __progname);
295 }
296 
297 int
main(int argc,char ** argv)298 main(int argc, char **argv)
299 {
300 	extern char *optarg;
301 	extern int optind;
302 	AuthenticationConnection *ac = NULL;
303 	int i, ch, deleting = 0, ret = 0;
304 
305 	__progname = get_progname(argv[0]);
306 
307 	(void) g11n_setlocale(LC_ALL, "");
308 
309 	init_rng();
310 	seed_rng();
311 
312 	SSLeay_add_all_algorithms();
313 
314 	/* At first, get a connection to the authentication agent. */
315 	ac = ssh_get_authentication_connection();
316 	if (ac == NULL) {
317 		fprintf(stderr, gettext("Could not open a connection "
318 			    "to your authentication agent.\n"));
319 		exit(2);
320 	}
321 	while ((ch = getopt(argc, argv, "lLdDxXe:s:t:")) != -1) {
322 		switch (ch) {
323 		case 'l':
324 		case 'L':
325 			if (list_identities(ac, ch == 'l' ? 1 : 0) == -1)
326 				ret = 1;
327 			goto done;
328 			break;
329 		case 'x':
330 		case 'X':
331 			if (lock_agent(ac, ch == 'x' ? 1 : 0) == -1)
332 				ret = 1;
333 			goto done;
334 			break;
335 		case 'd':
336 			deleting = 1;
337 			break;
338 		case 'D':
339 			if (delete_all(ac) == -1)
340 				ret = 1;
341 			goto done;
342 			break;
343 		case 't':
344 			if ((lifetime = convtime(optarg)) == -1) {
345 				fprintf(stderr, gettext("Invalid lifetime\n"));
346 				ret = 1;
347 				goto done;
348 			}
349 			break;
350 		default:
351 			usage();
352 			ret = 1;
353 			goto done;
354 		}
355 	}
356 	argc -= optind;
357 	argv += optind;
358 	if (argc == 0) {
359 		char buf[MAXPATHLEN];
360 		struct passwd *pw;
361 		struct stat st;
362 		int count = 0;
363 
364 		if ((pw = getpwuid(getuid())) == NULL) {
365 			fprintf(stderr, gettext("No user found with uid %u\n"),
366 			    (u_int)getuid());
367 			ret = 1;
368 			goto done;
369 		}
370 
371 		for(i = 0; default_files[i]; i++) {
372 			snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
373 			    default_files[i]);
374 			if (stat(buf, &st) < 0)
375 				continue;
376 			if (do_file(ac, deleting, buf) == -1)
377 				ret = 1;
378 			else
379 				count++;
380 		}
381 		if (count == 0)
382 			ret = 1;
383 	} else {
384 		for(i = 0; i < argc; i++) {
385 			if (do_file(ac, deleting, argv[i]) == -1)
386 				ret = 1;
387 		}
388 	}
389 	clear_pass();
390 
391 done:
392 	ssh_close_authentication_connection(ac);
393 	return ret;
394 }
395