xref: /openbsd-src/usr.bin/ssh/ssh-add.c (revision 33b792a3c1c87b47219fdf9a73548c4003214de3) 
1 /*
2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4  *                    All rights reserved
5  * Adds an identity to the authentication server, or removes an identity.
6  *
7  * As far as I am concerned, the code I have written for this software
8  * can be used freely for any purpose.  Any derived versions of this
9  * software must be clearly marked as such, and if the derived work is
10  * incompatible with the protocol description in the RFC file, it must be
11  * called by a name other than "ssh" or "Secure Shell".
12  *
13  * SSH2 implementation,
14  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
15  *
16  * Redistribution and use in source and binary forms, with or without
17  * modification, are permitted provided that the following conditions
18  * are met:
19  * 1. Redistributions of source code must retain the above copyright
20  *    notice, this list of conditions and the following disclaimer.
21  * 2. Redistributions in binary form must reproduce the above copyright
22  *    notice, this list of conditions and the following disclaimer in the
23  *    documentation and/or other materials provided with the distribution.
24  *
25  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35  */
36 
37 #include "includes.h"
38 RCSID("$OpenBSD: ssh-add.c,v 1.50 2002/01/29 14:27:57 markus Exp $");
39 
40 #include <openssl/evp.h>
41 
42 #include "ssh.h"
43 #include "rsa.h"
44 #include "log.h"
45 #include "xmalloc.h"
46 #include "key.h"
47 #include "authfd.h"
48 #include "authfile.h"
49 #include "pathnames.h"
50 #include "readpass.h"
51 
52 /* argv0 */
53 extern char *__progname;
54 
55 /* Default files to add */
56 static char *default_files[] = {
57 	_PATH_SSH_CLIENT_ID_RSA,
58 	_PATH_SSH_CLIENT_ID_DSA,
59 	_PATH_SSH_CLIENT_IDENTITY,
60 	NULL
61 };
62 
63 
64 /* we keep a cache of one passphrases */
65 static char *pass = NULL;
66 static void
67 clear_pass(void)
68 {
69 	if (pass) {
70 		memset(pass, 0, strlen(pass));
71 		xfree(pass);
72 		pass = NULL;
73 	}
74 }
75 
76 static int
77 delete_file(AuthenticationConnection *ac, const char *filename)
78 {
79 	Key *public;
80 	char *comment = NULL;
81 	int ret = -1;
82 
83 	public = key_load_public(filename, &comment);
84 	if (public == NULL) {
85 		printf("Bad key file %s\n", filename);
86 		return -1;
87 	}
88 	if (ssh_remove_identity(ac, public)) {
89 		fprintf(stderr, "Identity removed: %s (%s)\n", filename, comment);
90 		ret = 0;
91 	} else
92 		fprintf(stderr, "Could not remove identity: %s\n", filename);
93 
94 	key_free(public);
95 	xfree(comment);
96 
97 	return ret;
98 }
99 
100 /* Send a request to remove all identities. */
101 static int
102 delete_all(AuthenticationConnection *ac)
103 {
104 	int ret = -1;
105 
106 	if (ssh_remove_all_identities(ac, 1))
107 		ret = 0;
108 	/* ignore error-code for ssh2 */
109 	ssh_remove_all_identities(ac, 2);
110 
111 	if (ret == 0)
112 		fprintf(stderr, "All identities removed.\n");
113 	else
114 		fprintf(stderr, "Failed to remove all identities.\n");
115 
116 	return ret;
117 }
118 
119 static int
120 add_file(AuthenticationConnection *ac, const char *filename)
121 {
122 	struct stat st;
123 	Key *private;
124 	char *comment = NULL;
125 	char msg[1024];
126 	int ret = -1;
127 
128 	if (stat(filename, &st) < 0) {
129 		perror(filename);
130 		return -1;
131 	}
132 	/* At first, try empty passphrase */
133 	private = key_load_private(filename, "", &comment);
134 	if (comment == NULL)
135 		comment = xstrdup(filename);
136 	/* try last */
137 	if (private == NULL && pass != NULL)
138 		private = key_load_private(filename, pass, NULL);
139 	if (private == NULL) {
140 		/* clear passphrase since it did not work */
141 		clear_pass();
142 		snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ",
143 		   comment);
144 		for (;;) {
145 			pass = read_passphrase(msg, RP_ALLOW_STDIN);
146 			if (strcmp(pass, "") == 0) {
147 				clear_pass();
148 				xfree(comment);
149 				return -1;
150 			}
151 			private = key_load_private(filename, pass, &comment);
152 			if (private != NULL)
153 				break;
154 			clear_pass();
155 			strlcpy(msg, "Bad passphrase, try again: ", sizeof msg);
156 		}
157 	}
158 	if (ssh_add_identity(ac, private, comment)) {
159 		fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
160 		ret = 0;
161 	} else
162 		fprintf(stderr, "Could not add identity: %s\n", filename);
163 
164 	xfree(comment);
165 	key_free(private);
166 
167 	return ret;
168 }
169 
170 static int
171 update_card(AuthenticationConnection *ac, int add, const char *id)
172 {
173 	if (ssh_update_card(ac, add, id)) {
174 		fprintf(stderr, "Card %s: %s\n",
175 		    add ? "added" : "removed", id);
176 		return 0;
177 	} else {
178 		fprintf(stderr, "Could not %s card: %s\n",
179 		    add ? "add" : "remove", id);
180 		return -1;
181 	}
182 }
183 
184 static int
185 list_identities(AuthenticationConnection *ac, int do_fp)
186 {
187 	Key *key;
188 	char *comment, *fp;
189 	int had_identities = 0;
190 	int version;
191 
192 	for (version = 1; version <= 2; version++) {
193 		for (key = ssh_get_first_identity(ac, &comment, version);
194 		    key != NULL;
195 		    key = ssh_get_next_identity(ac, &comment, version)) {
196 			had_identities = 1;
197 			if (do_fp) {
198 				fp = key_fingerprint(key, SSH_FP_MD5,
199 				    SSH_FP_HEX);
200 				printf("%d %s %s (%s)\n",
201 				    key_size(key), fp, comment, key_type(key));
202 				xfree(fp);
203 			} else {
204 				if (!key_write(key, stdout))
205 					fprintf(stderr, "key_write failed");
206 				fprintf(stdout, " %s\n", comment);
207 			}
208 			key_free(key);
209 			xfree(comment);
210 		}
211 	}
212 	if (!had_identities) {
213 		printf("The agent has no identities.\n");
214 		return -1;
215 	}
216 	return 0;
217 }
218 
219 static int
220 do_file(AuthenticationConnection *ac, int deleting, char *file)
221 {
222 	if (deleting) {
223 		if (delete_file(ac, file) == -1)
224 			return -1;
225 	} else {
226 		if (add_file(ac, file) == -1)
227 			return -1;
228 	}
229 	return 0;
230 }
231 
232 static void
233 usage(void)
234 {
235 	fprintf(stderr, "Usage: %s [options]\n", __progname);
236 	fprintf(stderr, "Options:\n");
237 	fprintf(stderr, "  -l          List fingerprints of all identities.\n");
238 	fprintf(stderr, "  -L          List public key parameters of all identities.\n");
239 	fprintf(stderr, "  -d          Delete identity.\n");
240 	fprintf(stderr, "  -D          Delete all identities.\n");
241 #ifdef SMARTCARD
242 	fprintf(stderr, "  -s reader   Add key in smartcard reader.\n");
243 	fprintf(stderr, "  -e reader   Remove key in smartcard reader.\n");
244 #endif
245 }
246 
247 int
248 main(int argc, char **argv)
249 {
250 	extern char *optarg;
251 	extern int optind;
252 	AuthenticationConnection *ac = NULL;
253 	char *sc_reader_id = NULL;
254 	int i, ch, deleting = 0, ret = 0;
255 
256 	SSLeay_add_all_algorithms();
257 
258 	/* At first, get a connection to the authentication agent. */
259 	ac = ssh_get_authentication_connection();
260 	if (ac == NULL) {
261 		fprintf(stderr, "Could not open a connection to your authentication agent.\n");
262 		exit(2);
263 	}
264 	while ((ch = getopt(argc, argv, "lLdDe:s:")) != -1) {
265 		switch (ch) {
266 		case 'l':
267 		case 'L':
268 			if (list_identities(ac, ch == 'l' ? 1 : 0) == -1)
269 				ret = 1;
270 			goto done;
271 			break;
272 		case 'd':
273 			deleting = 1;
274 			break;
275 		case 'D':
276 			if (delete_all(ac) == -1)
277 				ret = 1;
278 			goto done;
279 			break;
280 		case 's':
281 			sc_reader_id = optarg;
282 			break;
283 		case 'e':
284 			deleting = 1;
285 			sc_reader_id = optarg;
286 			break;
287 		default:
288 			usage();
289 			ret = 1;
290 			goto done;
291 		}
292 	}
293 	argc -= optind;
294 	argv += optind;
295 	if (sc_reader_id != NULL) {
296 		if (update_card(ac, !deleting, sc_reader_id) == -1)
297 			ret = 1;
298 		goto done;
299 	}
300 	if (argc == 0) {
301 		char buf[MAXPATHLEN];
302 		struct passwd *pw;
303 
304 		if ((pw = getpwuid(getuid())) == NULL) {
305 			fprintf(stderr, "No user found with uid %u\n",
306 			    (u_int)getuid());
307 			ret = 1;
308 			goto done;
309 		}
310 
311 		for(i = 0; default_files[i]; i++) {
312 			snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
313 			    default_files[i]);
314 			if (do_file(ac, deleting, buf) == -1)
315 				ret = 1;
316 		}
317 	} else {
318 		for(i = 0; i < argc; i++) {
319 			if (do_file(ac, deleting, argv[i]) == -1)
320 				ret = 1;
321 		}
322 	}
323 	clear_pass();
324 
325 done:
326 	ssh_close_authentication_connection(ac);
327 	return ret;
328 }
329