xref: /openbsd-src/usr.bin/ssh/ssh-add.c (revision ce7e0fc6a9d74d25b78fb6ad846387717f5172b6) 
1 /*
2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4  *                    All rights reserved
5  * Adds an identity to the authentication server, or removes an identity.
6  *
7  * As far as I am concerned, the code I have written for this software
8  * can be used freely for any purpose.  Any derived versions of this
9  * software must be clearly marked as such, and if the derived work is
10  * incompatible with the protocol description in the RFC file, it must be
11  * called by a name other than "ssh" or "Secure Shell".
12  *
13  * SSH2 implementation,
14  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
15  *
16  * Redistribution and use in source and binary forms, with or without
17  * modification, are permitted provided that the following conditions
18  * are met:
19  * 1. Redistributions of source code must retain the above copyright
20  *    notice, this list of conditions and the following disclaimer.
21  * 2. Redistributions in binary form must reproduce the above copyright
22  *    notice, this list of conditions and the following disclaimer in the
23  *    documentation and/or other materials provided with the distribution.
24  *
25  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35  */
36 
37 #include "includes.h"
38 RCSID("$OpenBSD: ssh-add.c,v 1.53 2002/03/21 22:44:05 rees Exp $");
39 
40 #include <openssl/evp.h>
41 
42 #include "ssh.h"
43 #include "rsa.h"
44 #include "log.h"
45 #include "xmalloc.h"
46 #include "key.h"
47 #include "authfd.h"
48 #include "authfile.h"
49 #include "pathnames.h"
50 #include "readpass.h"
51 
52 /* argv0 */
53 extern char *__progname;
54 
55 /* Default files to add */
56 static char *default_files[] = {
57 	_PATH_SSH_CLIENT_ID_RSA,
58 	_PATH_SSH_CLIENT_ID_DSA,
59 	_PATH_SSH_CLIENT_IDENTITY,
60 	NULL
61 };
62 
63 
64 /* we keep a cache of one passphrases */
65 static char *pass = NULL;
66 static void
67 clear_pass(void)
68 {
69 	if (pass) {
70 		memset(pass, 0, strlen(pass));
71 		xfree(pass);
72 		pass = NULL;
73 	}
74 }
75 
76 static int
77 delete_file(AuthenticationConnection *ac, const char *filename)
78 {
79 	Key *public;
80 	char *comment = NULL;
81 	int ret = -1;
82 
83 	public = key_load_public(filename, &comment);
84 	if (public == NULL) {
85 		printf("Bad key file %s\n", filename);
86 		return -1;
87 	}
88 	if (ssh_remove_identity(ac, public)) {
89 		fprintf(stderr, "Identity removed: %s (%s)\n", filename, comment);
90 		ret = 0;
91 	} else
92 		fprintf(stderr, "Could not remove identity: %s\n", filename);
93 
94 	key_free(public);
95 	xfree(comment);
96 
97 	return ret;
98 }
99 
100 /* Send a request to remove all identities. */
101 static int
102 delete_all(AuthenticationConnection *ac)
103 {
104 	int ret = -1;
105 
106 	if (ssh_remove_all_identities(ac, 1))
107 		ret = 0;
108 	/* ignore error-code for ssh2 */
109 	ssh_remove_all_identities(ac, 2);
110 
111 	if (ret == 0)
112 		fprintf(stderr, "All identities removed.\n");
113 	else
114 		fprintf(stderr, "Failed to remove all identities.\n");
115 
116 	return ret;
117 }
118 
119 static int
120 add_file(AuthenticationConnection *ac, const char *filename)
121 {
122 	struct stat st;
123 	Key *private;
124 	char *comment = NULL;
125 	char msg[1024];
126 	int ret = -1;
127 
128 	if (stat(filename, &st) < 0) {
129 		perror(filename);
130 		return -1;
131 	}
132 	/* At first, try empty passphrase */
133 	private = key_load_private(filename, "", &comment);
134 	if (comment == NULL)
135 		comment = xstrdup(filename);
136 	/* try last */
137 	if (private == NULL && pass != NULL)
138 		private = key_load_private(filename, pass, NULL);
139 	if (private == NULL) {
140 		/* clear passphrase since it did not work */
141 		clear_pass();
142 		snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ",
143 		   comment);
144 		for (;;) {
145 			pass = read_passphrase(msg, RP_ALLOW_STDIN);
146 			if (strcmp(pass, "") == 0) {
147 				clear_pass();
148 				xfree(comment);
149 				return -1;
150 			}
151 			private = key_load_private(filename, pass, &comment);
152 			if (private != NULL)
153 				break;
154 			clear_pass();
155 			strlcpy(msg, "Bad passphrase, try again: ", sizeof msg);
156 		}
157 	}
158 	if (ssh_add_identity(ac, private, comment)) {
159 		fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
160 		ret = 0;
161 	} else
162 		fprintf(stderr, "Could not add identity: %s\n", filename);
163 
164 	xfree(comment);
165 	key_free(private);
166 
167 	return ret;
168 }
169 
170 static int
171 update_card(AuthenticationConnection *ac, int add, const char *id)
172 {
173 	char *pin;
174 
175 	pin = read_passphrase("Enter passphrase for smartcard: ", RP_ALLOW_STDIN);
176 	if (pin == NULL)
177 		return -1;
178 
179 	if (ssh_update_card(ac, add, id, pin)) {
180 		fprintf(stderr, "Card %s: %s\n",
181 		    add ? "added" : "removed", id);
182 		return 0;
183 	} else {
184 		fprintf(stderr, "Could not %s card: %s\n",
185 		    add ? "add" : "remove", id);
186 		return -1;
187 	}
188 }
189 
190 static int
191 list_identities(AuthenticationConnection *ac, int do_fp)
192 {
193 	Key *key;
194 	char *comment, *fp;
195 	int had_identities = 0;
196 	int version;
197 
198 	for (version = 1; version <= 2; version++) {
199 		for (key = ssh_get_first_identity(ac, &comment, version);
200 		    key != NULL;
201 		    key = ssh_get_next_identity(ac, &comment, version)) {
202 			had_identities = 1;
203 			if (do_fp) {
204 				fp = key_fingerprint(key, SSH_FP_MD5,
205 				    SSH_FP_HEX);
206 				printf("%d %s %s (%s)\n",
207 				    key_size(key), fp, comment, key_type(key));
208 				xfree(fp);
209 			} else {
210 				if (!key_write(key, stdout))
211 					fprintf(stderr, "key_write failed");
212 				fprintf(stdout, " %s\n", comment);
213 			}
214 			key_free(key);
215 			xfree(comment);
216 		}
217 	}
218 	if (!had_identities) {
219 		printf("The agent has no identities.\n");
220 		return -1;
221 	}
222 	return 0;
223 }
224 
225 static int
226 do_file(AuthenticationConnection *ac, int deleting, char *file)
227 {
228 	if (deleting) {
229 		if (delete_file(ac, file) == -1)
230 			return -1;
231 	} else {
232 		if (add_file(ac, file) == -1)
233 			return -1;
234 	}
235 	return 0;
236 }
237 
238 static void
239 usage(void)
240 {
241 	fprintf(stderr, "Usage: %s [options]\n", __progname);
242 	fprintf(stderr, "Options:\n");
243 	fprintf(stderr, "  -l          List fingerprints of all identities.\n");
244 	fprintf(stderr, "  -L          List public key parameters of all identities.\n");
245 	fprintf(stderr, "  -d          Delete identity.\n");
246 	fprintf(stderr, "  -D          Delete all identities.\n");
247 #ifdef SMARTCARD
248 	fprintf(stderr, "  -s reader   Add key in smartcard reader.\n");
249 	fprintf(stderr, "  -e reader   Remove key in smartcard reader.\n");
250 #endif
251 }
252 
253 int
254 main(int argc, char **argv)
255 {
256 	extern char *optarg;
257 	extern int optind;
258 	AuthenticationConnection *ac = NULL;
259 	char *sc_reader_id = NULL;
260 	int i, ch, deleting = 0, ret = 0;
261 
262 	SSLeay_add_all_algorithms();
263 
264 	/* At first, get a connection to the authentication agent. */
265 	ac = ssh_get_authentication_connection();
266 	if (ac == NULL) {
267 		fprintf(stderr, "Could not open a connection to your authentication agent.\n");
268 		exit(2);
269 	}
270 	while ((ch = getopt(argc, argv, "lLdDe:s:")) != -1) {
271 		switch (ch) {
272 		case 'l':
273 		case 'L':
274 			if (list_identities(ac, ch == 'l' ? 1 : 0) == -1)
275 				ret = 1;
276 			goto done;
277 			break;
278 		case 'd':
279 			deleting = 1;
280 			break;
281 		case 'D':
282 			if (delete_all(ac) == -1)
283 				ret = 1;
284 			goto done;
285 			break;
286 		case 's':
287 			sc_reader_id = optarg;
288 			break;
289 		case 'e':
290 			deleting = 1;
291 			sc_reader_id = optarg;
292 			break;
293 		default:
294 			usage();
295 			ret = 1;
296 			goto done;
297 		}
298 	}
299 	argc -= optind;
300 	argv += optind;
301 	if (sc_reader_id != NULL) {
302 		if (update_card(ac, !deleting, sc_reader_id) == -1)
303 			ret = 1;
304 		goto done;
305 	}
306 	if (argc == 0) {
307 		char buf[MAXPATHLEN];
308 		struct passwd *pw;
309 		struct stat st;
310 		int count = 0;
311 
312 		if ((pw = getpwuid(getuid())) == NULL) {
313 			fprintf(stderr, "No user found with uid %u\n",
314 			    (u_int)getuid());
315 			ret = 1;
316 			goto done;
317 		}
318 
319 		for(i = 0; default_files[i]; i++) {
320 			snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
321 			    default_files[i]);
322 			if (stat(buf, &st) < 0)
323 				continue;
324 			if (do_file(ac, deleting, buf) == -1)
325 				ret = 1;
326 			else
327 				count++;
328 		}
329 		if (count == 0)
330 			ret = 1;
331 	} else {
332 		for(i = 0; i < argc; i++) {
333 			if (do_file(ac, deleting, argv[i]) == -1)
334 				ret = 1;
335 		}
336 	}
337 	clear_pass();
338 
339 done:
340 	ssh_close_authentication_connection(ac);
341 	return ret;
342 }
343