From b4af0ab4cf8795dca57e48eb1b78d69359a874c3 Mon Sep 17 00:00:00 2001
From: Florian Weimer
Date: Sun, 18 May 2008 15:13:11 +0200
Subject: [PATCH] Keep track of the SSH key type and report it

---
 dowkd.in | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/dowkd.in b/dowkd.in
index 801d77c..1339e79 100644
--- a/dowkd.in
+++ b/dowkd.in
@@ -145,16 +145,20 @@ sub ssh_fprint_file ($) {
 return ();
 }
 
-sub ssh_fprint_check ($$$) {
- my ($name, $length, $hash) = @_;
- if ($length == 1024 || $length == 2048) {
+sub ssh_fprint_check ($$$$) {
+ my ($name, $type, $length, $hash) = @_;
+ $type =~ /^(?:rsa1?|dsa)\z/ or die;
+ if (($type eq 'rsa' && ($length == 1024 || $length == 2048)) || ($type eq 'dsa' && $length == 1024)) {
 $hash =~ y/://d;
 $hash =~ s/(..)/chr(hex($1))/ge;
- check_hash $name, $hash, "OpenSSH/$length";
+ check_hash $name, $hash, "OpenSSH/$type/$length";
+ } elsif ($type eq 'dsa') {
+ print "$name: $length bits DSA key not recommended\n";
 } else {
- warn "$name: warning: no suitable blacklist\n";
+ warn "$name: warning: no suitable blacklist for $type/$length\n";
 }
- }
+}
 
 sub clear_tmp ($) {
 my $tmp = shift;
@@ -215,6 +219,14 @@ sub cleanup_ssh_auth_line ($) {
 return undef;
 }
 
+sub derive_ssh_auth_type ($) {
+ my $line = shift;
+ $line =~ /^ssh-rsa\s/ and return 'rsa';
+ $line =~ /^ssh-dss\s/ and return 'dsa';
+ $line =~ /^\d+\s/ and return 'rsa1';
+ return undef;
+}
+
 sub from_ssh_auth_line ($$$) {
 my ($tmp, $name, $line) = @_;
 chomp $line;
@@ -225,13 +237,14 @@ sub from_ssh_auth_line ($$$) {
 $l or goto ERROR;
 $line = $l;
 }
+ my $type = derive_ssh_auth_type $line;
 clear_tmp $tmp;
 print $tmp "$line\n" or die "print: $!";
 $tmp->flush or die "flush: $!";
 my ($length, $hash) = ssh_fprint_file "$tmp";
 if ($length && $hash) {
- ssh_fprint_check "$name", $length, $hash;
+ ssh_fprint_check "$name", $type, $length, $hash;
 return;
 }
 
-- 
2.11.4.GIT
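Review bot: rsa1 keys drop out of the blacklist check in the new `if` of ssh_fprint_check: the old condition accepted any 1024/2048-bit key, while the replacement admits only `$type eq 'rsa'` or `$type eq 'dsa'`, so a 1024-bit rsa1 key now lands in the `warn "... no suitable blacklist for $type/$length"` branch instead of reaching `check_hash`. If rsa1 blacklist data is meant to exist this is a silent false negative for a weak-key scanner; if it is not, the commit message should state that rsa1 is intentionally unchecked. The assertion `$type =~ /^(?:rsa1?|dsa)\z/ or die;` is the only place an undef type is caught (derive_ssh_auth_type in the next hunk returns undef for unrecognised lines and from_ssh_auth_line in the last hunk passes it through unchecked), and it aborts the whole run with a bare `die` plus an uninitialized-value warning rather than naming the key; `defined $type && $type =~ /\A(?:rsa1?|dsa)\z/ or die "$name: unknown key type\n";` at least reports which input triggered it, and testing `defined $type` in from_ssh_auth_line right after the derive call, before the fingerprint step, would skip the wasted work. The new `elsif` branch also emits the DSA advice with `print` to STDOUT while the sibling branch uses `warn`, so the two diagnostics go to different streams.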
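Review bot: derive_ssh_auth_type carries no comment stating its contract, and its return strings double as components of the blacklist tag `"OpenSSH/$type/$length"` built in ssh_fprint_check, so a reader cannot tell that the exact spellings 'rsa', 'dsa' and 'rsa1' are load-bearing; add `# Map an OpenSSH public-key line to its blacklist type tag ('rsa', 'dsa' or 'rsa1'); undef for any other line.` above the sub. The three matches anchor with `^` on a line that presumably has already passed through cleanup_ssh_auth_line (only its tail is visible above), so key options such as a leading `command=` are assumed to be stripped by then; if that is the precondition, the comment should say so, since a line that still starts with options would yield undef here.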