2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * Identity and host key generation and maintenance.
7 * As far as I am concerned, the code I have written for this software
8 * can be used freely for any purpose. Any derived versions of this
9 * software must be clearly marked as such, and if the derived work is
10 * incompatible with the protocol description in the RFC file, it must be
11 * called by a name other than "ssh" or "Secure Shell".
15 RCSID("$OpenBSD: ssh-keygen.c,v 1.113 2003/12/22 09:16:58 djm Exp $");
17 #include <openssl/evp.h>
18 #include <openssl/pem.h>
27 #include "pathnames.h"
37 /* Number of bits in the RSA/DSA key. This value can be changed on the command line. */
41 * Flag indicating that we just want to change the passphrase. This can be
42 * set on the command line.
44 int change_passphrase
= 0;
47 * Flag indicating that we just want to change the comment. This can be set
48 * on the command line.
50 int change_comment
= 0;
54 /* Flag indicating that we just want to see the key fingerprint */
55 int print_fingerprint
= 0;
56 int print_bubblebabble
= 0;
58 /* The identity file name, given on the command line or entered by the user. */
59 char identity_file
[1024];
60 int have_identity
= 0;
62 /* This is set to the passphrase if given on the command line. */
63 char *identity_passphrase
= NULL
;
65 /* This is set to the new passphrase if given on the command line. */
66 char *identity_new_passphrase
= NULL
;
68 /* This is set to the new comment if given on the command line. */
69 char *identity_comment
= NULL
;
71 /* Dump public key file in format used by real and the original SSH 2 */
72 int convert_to_ssh2
= 0;
73 int convert_from_ssh2
= 0;
75 int print_generic
= 0;
77 char *key_type_name
= NULL
;
80 #ifdef HAVE___PROGNAME
81 extern char *__progname
;
86 char hostname
[MAXHOSTNAMELEN
];
89 ask_filename(struct passwd
*pw
, const char *prompt
)
94 if (key_type_name
== NULL
)
95 name
= _PATH_SSH_CLIENT_ID_RSA
;
97 switch (key_type_from_name(key_type_name
)) {
99 name
= _PATH_SSH_CLIENT_IDENTITY
;
102 name
= _PATH_SSH_CLIENT_ID_DSA
;
105 name
= _PATH_SSH_CLIENT_ID_RSA
;
108 fprintf(stderr
, "bad key type");
113 snprintf(identity_file
, sizeof(identity_file
), "%s/%s", pw
->pw_dir
, name
);
114 fprintf(stderr
, "%s (%s): ", prompt
, identity_file
);
115 if (fgets(buf
, sizeof(buf
), stdin
) == NULL
)
117 if (strchr(buf
, '\n'))
118 *strchr(buf
, '\n') = 0;
119 if (strcmp(buf
, "") != 0)
120 strlcpy(identity_file
, buf
, sizeof(identity_file
));
125 load_identity(char *filename
)
130 prv
= key_load_private(filename
, "", NULL
);
132 if (identity_passphrase
)
133 pass
= xstrdup(identity_passphrase
);
135 pass
= read_passphrase("Enter passphrase: ",
137 prv
= key_load_private(filename
, pass
, NULL
);
138 memset(pass
, 0, strlen(pass
));
144 #define SSH_COM_PUBLIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----"
145 #define SSH_COM_PUBLIC_END "---- END SSH2 PUBLIC KEY ----"
146 #define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
147 #define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb
150 do_convert_to_ssh2(struct passwd
*pw
)
158 ask_filename(pw
, "Enter file in which the key is");
159 if (stat(identity_file
, &st
) < 0) {
160 perror(identity_file
);
163 if ((k
= key_load_public(identity_file
, NULL
)) == NULL
) {
164 if ((k
= load_identity(identity_file
)) == NULL
) {
165 fprintf(stderr
, "load failed\n");
169 if (k
->type
== KEY_RSA1
) {
170 fprintf(stderr
, "version 1 keys are not supported\n");
173 if (key_to_blob(k
, &blob
, &len
) <= 0) {
174 fprintf(stderr
, "key_to_blob failed\n");
177 fprintf(stdout
, "%s\n", SSH_COM_PUBLIC_BEGIN
);
179 "Comment: \"%u-bit %s, converted from OpenSSH by %s@%s\"\n",
180 key_size(k
), key_type(k
),
181 pw
->pw_name
, hostname
);
182 dump_base64(stdout
, blob
, len
);
183 fprintf(stdout
, "%s\n", SSH_COM_PUBLIC_END
);
190 buffer_get_bignum_bits(Buffer
*b
, BIGNUM
*value
)
192 u_int bits
= buffer_get_int(b
);
193 u_int bytes
= (bits
+ 7) / 8;
195 if (buffer_len(b
) < bytes
)
196 fatal("buffer_get_bignum_bits: input buffer too small: "
197 "need %d have %d", bytes
, buffer_len(b
));
198 BN_bin2bn(buffer_ptr(b
), bytes
, value
);
199 buffer_consume(b
, bytes
);
203 do_convert_private_ssh2_from_blob(u_char
*blob
, u_int blen
)
208 u_char
*sig
, data
[] = "abcde12345";
209 int magic
, rlen
, ktype
, i1
, i2
, i3
, i4
;
214 buffer_append(&b
, blob
, blen
);
216 magic
= buffer_get_int(&b
);
217 if (magic
!= SSH_COM_PRIVATE_KEY_MAGIC
) {
218 error("bad magic 0x%x != 0x%x", magic
, SSH_COM_PRIVATE_KEY_MAGIC
);
222 i1
= buffer_get_int(&b
);
223 type
= buffer_get_string(&b
, NULL
);
224 cipher
= buffer_get_string(&b
, NULL
);
225 i2
= buffer_get_int(&b
);
226 i3
= buffer_get_int(&b
);
227 i4
= buffer_get_int(&b
);
228 debug("ignore (%d %d %d %d)", i1
,i2
,i3
,i4
);
229 if (strcmp(cipher
, "none") != 0) {
230 error("unsupported cipher %s", cipher
);
238 if (strstr(type
, "dsa")) {
240 } else if (strstr(type
, "rsa")) {
246 key
= key_new_private(ktype
);
251 buffer_get_bignum_bits(&b
, key
->dsa
->p
);
252 buffer_get_bignum_bits(&b
, key
->dsa
->g
);
253 buffer_get_bignum_bits(&b
, key
->dsa
->q
);
254 buffer_get_bignum_bits(&b
, key
->dsa
->pub_key
);
255 buffer_get_bignum_bits(&b
, key
->dsa
->priv_key
);
258 e
= buffer_get_char(&b
);
262 e
+= buffer_get_char(&b
);
265 e
+= buffer_get_char(&b
);
268 if (!BN_set_word(key
->rsa
->e
, e
)) {
273 buffer_get_bignum_bits(&b
, key
->rsa
->d
);
274 buffer_get_bignum_bits(&b
, key
->rsa
->n
);
275 buffer_get_bignum_bits(&b
, key
->rsa
->iqmp
);
276 buffer_get_bignum_bits(&b
, key
->rsa
->q
);
277 buffer_get_bignum_bits(&b
, key
->rsa
->p
);
278 rsa_generate_additional_parameters(key
->rsa
);
281 rlen
= buffer_len(&b
);
283 error("do_convert_private_ssh2_from_blob: "
284 "remaining bytes in key blob %d", rlen
);
288 key_sign(key
, &sig
, &slen
, data
, sizeof(data
));
289 key_verify(key
, sig
, slen
, data
, sizeof(data
));
295 do_convert_from_ssh2(struct passwd
*pw
)
304 int escaped
= 0, private = 0, ok
;
308 ask_filename(pw
, "Enter file in which the key is");
309 if (stat(identity_file
, &st
) < 0) {
310 perror(identity_file
);
313 fp
= fopen(identity_file
, "r");
315 perror(identity_file
);
319 while (fgets(line
, sizeof(line
), fp
)) {
320 if (!(p
= strchr(line
, '\n'))) {
321 fprintf(stderr
, "input line too long.\n");
324 if (p
> line
&& p
[-1] == '\\')
326 if (strncmp(line
, "----", 4) == 0 ||
327 strstr(line
, ": ") != NULL
) {
328 if (strstr(line
, SSH_COM_PRIVATE_BEGIN
) != NULL
)
330 if (strstr(line
, " END ") != NULL
) {
333 /* fprintf(stderr, "ignore: %s", line); */
338 /* fprintf(stderr, "escaped: %s", line); */
342 strlcat(encoded
, line
, sizeof(encoded
));
344 len
= strlen(encoded
);
345 if (((len
% 4) == 3) &&
346 (encoded
[len
-1] == '=') &&
347 (encoded
[len
-2] == '=') &&
348 (encoded
[len
-3] == '='))
349 encoded
[len
-3] = '\0';
350 blen
= uudecode(encoded
, blob
, sizeof(blob
));
352 fprintf(stderr
, "uudecode failed.\n");
356 do_convert_private_ssh2_from_blob(blob
, blen
) :
357 key_from_blob(blob
, blen
);
359 fprintf(stderr
, "decode blob failed.\n");
363 (k
->type
== KEY_DSA
?
364 PEM_write_DSAPrivateKey(stdout
, k
->dsa
, NULL
, NULL
, 0, NULL
, NULL
) :
365 PEM_write_RSAPrivateKey(stdout
, k
->rsa
, NULL
, NULL
, 0, NULL
, NULL
)) :
366 key_write(k
, stdout
);
368 fprintf(stderr
, "key write failed");
373 fprintf(stdout
, "\n");
379 do_print_public(struct passwd
*pw
)
385 ask_filename(pw
, "Enter file in which the key is");
386 if (stat(identity_file
, &st
) < 0) {
387 perror(identity_file
);
390 prv
= load_identity(identity_file
);
392 fprintf(stderr
, "load failed\n");
395 if (!key_write(prv
, stdout
))
396 fprintf(stderr
, "key_write failed");
398 fprintf(stdout
, "\n");
404 do_upload(struct passwd
*pw
, const char *sc_reader_id
)
411 ask_filename(pw
, "Enter file in which the key is");
412 if (stat(identity_file
, &st
) < 0) {
413 perror(identity_file
);
416 prv
= load_identity(identity_file
);
418 error("load failed");
421 ret
= sc_put_key(prv
, sc_reader_id
);
425 logit("loading key done");
430 do_download(struct passwd
*pw
, const char *sc_reader_id
)
435 keys
= sc_get_keys(sc_reader_id
, NULL
);
437 fatal("cannot read public key from smartcard");
438 for (i
= 0; keys
[i
]; i
++) {
439 key_write(keys
[i
], stdout
);
441 fprintf(stdout
, "\n");
446 #endif /* SMARTCARD */
449 do_fingerprint(struct passwd
*pw
)
453 char *comment
= NULL
, *cp
, *ep
, line
[16*1024], *fp
;
454 int i
, skip
= 0, num
= 1, invalid
= 1;
459 fptype
= print_bubblebabble
? SSH_FP_SHA1
: SSH_FP_MD5
;
460 rep
= print_bubblebabble
? SSH_FP_BUBBLEBABBLE
: SSH_FP_HEX
;
463 ask_filename(pw
, "Enter file in which the key is");
464 if (stat(identity_file
, &st
) < 0) {
465 perror(identity_file
);
468 public = key_load_public(identity_file
, &comment
);
469 if (public != NULL
) {
470 fp
= key_fingerprint(public, fptype
, rep
);
471 printf("%u %s %s\n", key_size(public), fp
, comment
);
480 f
= fopen(identity_file
, "r");
482 while (fgets(line
, sizeof(line
), f
)) {
483 i
= strlen(line
) - 1;
484 if (line
[i
] != '\n') {
485 error("line %d too long: %.40s...", num
, line
);
496 /* Skip leading whitespace, empty and comment lines. */
497 for (cp
= line
; *cp
== ' ' || *cp
== '\t'; cp
++)
499 if (!*cp
|| *cp
== '\n' || *cp
== '#')
501 i
= strtol(cp
, &ep
, 10);
502 if (i
== 0 || ep
== NULL
|| (*ep
!= ' ' && *ep
!= '\t')) {
505 for (; *cp
&& (quoted
|| (*cp
!= ' ' &&
506 *cp
!= '\t')); cp
++) {
507 if (*cp
== '\\' && cp
[1] == '"')
508 cp
++; /* Skip both */
517 public = key_new(KEY_RSA1
);
518 if (key_read(public, &cp
) != 1) {
521 public = key_new(KEY_UNSPEC
);
522 if (key_read(public, &cp
) != 1) {
527 comment
= *cp
? cp
: comment
;
528 fp
= key_fingerprint(public, fptype
, rep
);
529 printf("%u %s %s\n", key_size(public), fp
,
530 comment
? comment
: "no comment");
538 printf("%s is not a public key file.\n", identity_file
);
545 * Perform changing a passphrase. The argument is the passwd structure
546 * for the current user.
549 do_change_passphrase(struct passwd
*pw
)
552 char *old_passphrase
, *passphrase1
, *passphrase2
;
557 ask_filename(pw
, "Enter file in which the key is");
558 if (stat(identity_file
, &st
) < 0) {
559 perror(identity_file
);
562 /* Try to load the file with empty passphrase. */
563 private = key_load_private(identity_file
, "", &comment
);
564 if (private == NULL
) {
565 if (identity_passphrase
)
566 old_passphrase
= xstrdup(identity_passphrase
);
569 read_passphrase("Enter old passphrase: ",
571 private = key_load_private(identity_file
, old_passphrase
,
573 memset(old_passphrase
, 0, strlen(old_passphrase
));
574 xfree(old_passphrase
);
575 if (private == NULL
) {
576 printf("Bad passphrase.\n");
580 printf("Key has comment '%s'\n", comment
);
582 /* Ask the new passphrase (twice). */
583 if (identity_new_passphrase
) {
584 passphrase1
= xstrdup(identity_new_passphrase
);
588 read_passphrase("Enter new passphrase (empty for no "
589 "passphrase): ", RP_ALLOW_STDIN
);
590 passphrase2
= read_passphrase("Enter same passphrase again: ",
593 /* Verify that they are the same. */
594 if (strcmp(passphrase1
, passphrase2
) != 0) {
595 memset(passphrase1
, 0, strlen(passphrase1
));
596 memset(passphrase2
, 0, strlen(passphrase2
));
599 printf("Pass phrases do not match. Try again.\n");
602 /* Destroy the other copy. */
603 memset(passphrase2
, 0, strlen(passphrase2
));
607 /* Save the file using the new passphrase. */
608 if (!key_save_private(private, identity_file
, passphrase1
, comment
)) {
609 printf("Saving the key failed: %s.\n", identity_file
);
610 memset(passphrase1
, 0, strlen(passphrase1
));
616 /* Destroy the passphrase and the copy of the key in memory. */
617 memset(passphrase1
, 0, strlen(passphrase1
));
619 key_free(private); /* Destroys contents */
622 printf("Your identification has been saved with the new passphrase.\n");
627 * Print the SSHFP RR.
630 do_print_resource_record(struct passwd
*pw
, char *hostname
)
633 char *comment
= NULL
;
637 ask_filename(pw
, "Enter file in which the key is");
638 if (stat(identity_file
, &st
) < 0) {
639 perror(identity_file
);
642 public = key_load_public(identity_file
, &comment
);
643 if (public != NULL
) {
644 export_dns_rr(hostname
, public, stdout
, print_generic
);
652 printf("failed to read v2 public key from %s.\n", identity_file
);
657 * Change the comment of a private key file.
660 do_change_comment(struct passwd
*pw
)
662 char new_comment
[1024], *comment
, *passphrase
;
670 ask_filename(pw
, "Enter file in which the key is");
671 if (stat(identity_file
, &st
) < 0) {
672 perror(identity_file
);
675 private = key_load_private(identity_file
, "", &comment
);
676 if (private == NULL
) {
677 if (identity_passphrase
)
678 passphrase
= xstrdup(identity_passphrase
);
679 else if (identity_new_passphrase
)
680 passphrase
= xstrdup(identity_new_passphrase
);
682 passphrase
= read_passphrase("Enter passphrase: ",
684 /* Try to load using the passphrase. */
685 private = key_load_private(identity_file
, passphrase
, &comment
);
686 if (private == NULL
) {
687 memset(passphrase
, 0, strlen(passphrase
));
689 printf("Bad passphrase.\n");
693 passphrase
= xstrdup("");
695 if (private->type
!= KEY_RSA1
) {
696 fprintf(stderr
, "Comments are only supported for RSA1 keys.\n");
700 printf("Key now has comment '%s'\n", comment
);
702 if (identity_comment
) {
703 strlcpy(new_comment
, identity_comment
, sizeof(new_comment
));
705 printf("Enter new comment: ");
707 if (!fgets(new_comment
, sizeof(new_comment
), stdin
)) {
708 memset(passphrase
, 0, strlen(passphrase
));
712 if (strchr(new_comment
, '\n'))
713 *strchr(new_comment
, '\n') = 0;
716 /* Save the file using the new passphrase. */
717 if (!key_save_private(private, identity_file
, passphrase
, new_comment
)) {
718 printf("Saving the key failed: %s.\n", identity_file
);
719 memset(passphrase
, 0, strlen(passphrase
));
725 memset(passphrase
, 0, strlen(passphrase
));
727 public = key_from_private(private);
730 strlcat(identity_file
, ".pub", sizeof(identity_file
));
731 fd
= open(identity_file
, O_WRONLY
| O_CREAT
| O_TRUNC
, 0644);
733 printf("Could not save your public key in %s\n", identity_file
);
738 printf("fdopen %s failed", identity_file
);
741 if (!key_write(public, f
))
742 fprintf(stderr
, "write key failed");
744 fprintf(f
, " %s\n", new_comment
);
749 printf("The comment in your key file has been changed.\n");
756 fprintf(stderr
, "Usage: %s [options]\n", __progname
);
757 fprintf(stderr
, "Options:\n");
758 fprintf(stderr
, " -b bits Number of bits in the key to create.\n");
759 fprintf(stderr
, " -c Change comment in private and public key files.\n");
760 fprintf(stderr
, " -e Convert OpenSSH to IETF SECSH key file.\n");
761 fprintf(stderr
, " -f filename Filename of the key file.\n");
762 fprintf(stderr
, " -g Use generic DNS resource record format.\n");
763 fprintf(stderr
, " -i Convert IETF SECSH to OpenSSH key file.\n");
764 fprintf(stderr
, " -l Show fingerprint of key file.\n");
765 fprintf(stderr
, " -p Change passphrase of private key file.\n");
766 fprintf(stderr
, " -q Quiet.\n");
767 fprintf(stderr
, " -y Read private key file and print public key.\n");
768 fprintf(stderr
, " -t type Specify type of key to create.\n");
769 fprintf(stderr
, " -B Show bubblebabble digest of key file.\n");
770 fprintf(stderr
, " -C comment Provide new comment.\n");
771 fprintf(stderr
, " -N phrase Provide new passphrase.\n");
772 fprintf(stderr
, " -P phrase Provide old passphrase.\n");
773 fprintf(stderr
, " -r hostname Print DNS resource record.\n");
775 fprintf(stderr
, " -D reader Download public key from smartcard.\n");
776 fprintf(stderr
, " -U reader Upload private key to smartcard.\n");
777 #endif /* SMARTCARD */
779 fprintf(stderr
, " -G file Generate candidates for DH-GEX moduli\n");
780 fprintf(stderr
, " -T file Screen candidates for DH-GEX moduli\n");
786 * Main program for key management.
789 main(int ac
, char **av
)
791 char dotsshdir
[MAXPATHLEN
], comment
[1024], *passphrase1
, *passphrase2
;
792 char out_file
[MAXPATHLEN
], *reader_id
= NULL
;
793 char *resource_record_hostname
= NULL
;
794 Key
*private, *public;
797 int opt
, type
, fd
, download
= 0, memory
= 0;
798 int generator_wanted
= 0, trials
= 100;
799 int do_gen_candidates
= 0, do_screen_candidates
= 0;
800 int log_level
= SYSLOG_LEVEL_INFO
;
801 BIGNUM
*start
= NULL
;
807 __progname
= ssh_get_progname(av
[0]);
809 SSLeay_add_all_algorithms();
810 log_init(av
[0], SYSLOG_LEVEL_INFO
, SYSLOG_FACILITY_USER
, 1);
815 /* we need this for the home * directory. */
816 pw
= getpwuid(getuid());
818 printf("You don't exist, go away!\n");
821 if (gethostname(hostname
, sizeof(hostname
)) < 0) {
822 perror("gethostname");
826 while ((opt
= getopt(ac
, av
,
827 "degiqpclBRvxXyb:f:t:U:D:P:N:C:r:g:T:G:M:S:a:W:")) != -1) {
831 if (bits
< 512 || bits
> 32768) {
832 printf("Bits has bad value.\n");
837 print_fingerprint
= 1;
840 print_bubblebabble
= 1;
843 change_passphrase
= 1;
849 strlcpy(identity_file
, optarg
, sizeof(identity_file
));
856 identity_passphrase
= optarg
;
859 identity_new_passphrase
= optarg
;
862 identity_comment
= optarg
;
879 convert_from_ssh2
= 1;
885 key_type_name
= "dsa";
888 key_type_name
= optarg
;
896 if (log_level
== SYSLOG_LEVEL_INFO
)
897 log_level
= SYSLOG_LEVEL_DEBUG1
;
899 if (log_level
>= SYSLOG_LEVEL_DEBUG1
&&
900 log_level
< SYSLOG_LEVEL_DEBUG3
)
905 resource_record_hostname
= optarg
;
908 generator_wanted
= atoi(optarg
);
909 if (generator_wanted
< 1)
910 fatal("Desired generator has bad value.");
913 trials
= atoi(optarg
);
914 if (trials
< TRIAL_MINIMUM
) {
915 fatal("Minimum primality trials is %d",
920 memory
= atoi(optarg
);
922 (memory
< LARGE_MINIMUM
|| memory
> LARGE_MAXIMUM
)) {
923 fatal("Invalid memory amount (min %ld, max %ld)",
924 LARGE_MINIMUM
, LARGE_MAXIMUM
);
928 do_gen_candidates
= 1;
929 strlcpy(out_file
, optarg
, sizeof(out_file
));
932 do_screen_candidates
= 1;
933 strlcpy(out_file
, optarg
, sizeof(out_file
));
936 /* XXX - also compare length against bits */
937 if (BN_hex2bn(&start
, optarg
) == 0)
938 fatal("Invalid start point.");
947 log_init(av
[0], log_level
, SYSLOG_FACILITY_USER
, 1);
950 printf("Too many arguments.\n");
953 if (change_passphrase
&& change_comment
) {
954 printf("Can only have one of -p and -c.\n");
957 if (print_fingerprint
|| print_bubblebabble
)
959 if (change_passphrase
)
960 do_change_passphrase(pw
);
962 do_change_comment(pw
);
964 do_convert_to_ssh2(pw
);
965 if (convert_from_ssh2
)
966 do_convert_from_ssh2(pw
);
969 if (resource_record_hostname
!= NULL
) {
970 do_print_resource_record(pw
, resource_record_hostname
);
972 if (reader_id
!= NULL
) {
975 do_download(pw
, reader_id
);
977 do_upload(pw
, reader_id
);
978 #else /* SMARTCARD */
979 fatal("no support for smartcards.");
980 #endif /* SMARTCARD */
983 if (do_gen_candidates
) {
984 FILE *out
= fopen(out_file
, "w");
987 error("Couldn't open modulus candidate file \"%s\": %s",
988 out_file
, strerror(errno
));
991 if (gen_candidates(out
, memory
, bits
, start
) != 0)
992 fatal("modulus candidate generation failed\n");
997 if (do_screen_candidates
) {
999 FILE *out
= fopen(out_file
, "w");
1001 if (have_identity
&& strcmp(identity_file
, "-") != 0) {
1002 if ((in
= fopen(identity_file
, "r")) == NULL
) {
1003 fatal("Couldn't open modulus candidate "
1004 "file \"%s\": %s", identity_file
,
1011 fatal("Couldn't open moduli file \"%s\": %s",
1012 out_file
, strerror(errno
));
1014 if (prime_test(in
, out
, trials
, generator_wanted
) != 0)
1015 fatal("modulus screening failed\n");
1021 if (key_type_name
== NULL
) {
1022 printf("You must specify a key type (-t).\n");
1025 type
= key_type_from_name(key_type_name
);
1026 if (type
== KEY_UNSPEC
) {
1027 fprintf(stderr
, "unknown key type %s\n", key_type_name
);
1031 printf("Generating public/private %s key pair.\n", key_type_name
);
1032 private = key_generate(type
, bits
);
1033 if (private == NULL
) {
1034 fprintf(stderr
, "key_generate failed");
1037 public = key_from_private(private);
1040 ask_filename(pw
, "Enter file in which to save the key");
1042 /* Create ~/.ssh directory if it doesn\'t already exist. */
1043 snprintf(dotsshdir
, sizeof dotsshdir
, "%s/%s", pw
->pw_dir
, _PATH_SSH_USER_DIR
);
1044 if (strstr(identity_file
, dotsshdir
) != NULL
&&
1045 stat(dotsshdir
, &st
) < 0) {
1046 if (mkdir(dotsshdir
, 0700) < 0)
1047 error("Could not create directory '%s'.", dotsshdir
);
1049 printf("Created directory '%s'.\n", dotsshdir
);
1051 /* If the file already exists, ask the user to confirm. */
1052 if (stat(identity_file
, &st
) >= 0) {
1054 printf("%s already exists.\n", identity_file
);
1055 printf("Overwrite (y/n)? ");
1057 if (fgets(yesno
, sizeof(yesno
), stdin
) == NULL
)
1059 if (yesno
[0] != 'y' && yesno
[0] != 'Y')
1062 /* Ask for a passphrase (twice). */
1063 if (identity_passphrase
)
1064 passphrase1
= xstrdup(identity_passphrase
);
1065 else if (identity_new_passphrase
)
1066 passphrase1
= xstrdup(identity_new_passphrase
);
1070 read_passphrase("Enter passphrase (empty for no "
1071 "passphrase): ", RP_ALLOW_STDIN
);
1072 passphrase2
= read_passphrase("Enter same passphrase again: ",
1074 if (strcmp(passphrase1
, passphrase2
) != 0) {
1076 * The passphrases do not match. Clear them and
1079 memset(passphrase1
, 0, strlen(passphrase1
));
1080 memset(passphrase2
, 0, strlen(passphrase2
));
1083 printf("Passphrases do not match. Try again.\n");
1084 goto passphrase_again
;
1086 /* Clear the other copy of the passphrase. */
1087 memset(passphrase2
, 0, strlen(passphrase2
));
1091 if (identity_comment
) {
1092 strlcpy(comment
, identity_comment
, sizeof(comment
));
1094 /* Create default commend field for the passphrase. */
1095 snprintf(comment
, sizeof comment
, "%s@%s", pw
->pw_name
, hostname
);
1098 /* Save the key with the given passphrase and comment. */
1099 if (!key_save_private(private, identity_file
, passphrase1
, comment
)) {
1100 printf("Saving the key failed: %s.\n", identity_file
);
1101 memset(passphrase1
, 0, strlen(passphrase1
));
1105 /* Clear the passphrase. */
1106 memset(passphrase1
, 0, strlen(passphrase1
));
1109 /* Clear the private key and the random number generator. */
1114 printf("Your identification has been saved in %s.\n", identity_file
);
1116 strlcat(identity_file
, ".pub", sizeof(identity_file
));
1117 fd
= open(identity_file
, O_WRONLY
| O_CREAT
| O_TRUNC
, 0644);
1119 printf("Could not save your public key in %s\n", identity_file
);
1122 f
= fdopen(fd
, "w");
1124 printf("fdopen %s failed", identity_file
);
1127 if (!key_write(public, f
))
1128 fprintf(stderr
, "write key failed");
1129 fprintf(f
, " %s\n", comment
);
1133 char *fp
= key_fingerprint(public, SSH_FP_MD5
, SSH_FP_HEX
);
1134 printf("Your public key has been saved in %s.\n",
1136 printf("The key fingerprint is:\n");
1137 printf("%s %s\n", fp
, comment
);