xref: /openbsd-src/usr.bin/ssh/ssh-add.c (revision 3a3fbb3f2e2521ab7c4a56b7ff7462ebd9095ec5) 
1 /*
2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4  *                    All rights reserved
5  * Adds an identity to the authentication server, or removes an identity.
6  *
7  * As far as I am concerned, the code I have written for this software
8  * can be used freely for any purpose.  Any derived versions of this
9  * software must be clearly marked as such, and if the derived work is
10  * incompatible with the protocol description in the RFC file, it must be
11  * called by a name other than "ssh" or "Secure Shell".
12  *
13  * SSH2 implementation,
14  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
15  *
16  * Redistribution and use in source and binary forms, with or without
17  * modification, are permitted provided that the following conditions
18  * are met:
19  * 1. Redistributions of source code must retain the above copyright
20  *    notice, this list of conditions and the following disclaimer.
21  * 2. Redistributions in binary form must reproduce the above copyright
22  *    notice, this list of conditions and the following disclaimer in the
23  *    documentation and/or other materials provided with the distribution.
24  *
25  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
26  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
27  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
28  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
29  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
30  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
31  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
32  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
33  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35  */
36 
37 #include "includes.h"
38 RCSID("$OpenBSD: ssh-add.c,v 1.49 2001/12/24 07:29:43 deraadt Exp $");
39 
40 #include <openssl/evp.h>
41 
42 #include "ssh.h"
43 #include "rsa.h"
44 #include "log.h"
45 #include "xmalloc.h"
46 #include "key.h"
47 #include "authfd.h"
48 #include "authfile.h"
49 #include "pathnames.h"
50 #include "readpass.h"
51 
52 /* argv0 */
53 extern char *__progname;
54 
55 /* Default files to add */
56 static char *default_files[] = {
57 	_PATH_SSH_CLIENT_ID_RSA,
58 	_PATH_SSH_CLIENT_ID_DSA,
59 	_PATH_SSH_CLIENT_IDENTITY,
60 	NULL
61 };
62 
63 
64 /* we keep a cache of one passphrases */
65 static char *pass = NULL;
66 static void
67 clear_pass(void)
68 {
69 	if (pass) {
70 		memset(pass, 0, strlen(pass));
71 		xfree(pass);
72 		pass = NULL;
73 	}
74 }
75 
76 static int
77 delete_file(AuthenticationConnection *ac, const char *filename)
78 {
79 	Key *public;
80 	char *comment = NULL;
81 	int ret = -1;
82 
83 	public = key_load_public(filename, &comment);
84 	if (public == NULL) {
85 		printf("Bad key file %s\n", filename);
86 		return -1;
87 	}
88 	if (ssh_remove_identity(ac, public)) {
89 		fprintf(stderr, "Identity removed: %s (%s)\n", filename, comment);
90 		ret = 0;
91 	} else
92 		fprintf(stderr, "Could not remove identity: %s\n", filename);
93 
94 	key_free(public);
95 	xfree(comment);
96 
97 	return ret;
98 }
99 
100 /* Send a request to remove all identities. */
101 static int
102 delete_all(AuthenticationConnection *ac)
103 {
104 	int ret = -1;
105 
106 	if (ssh_remove_all_identities(ac, 1))
107 		ret = 0;
108 	/* ignore error-code for ssh2 */
109 	ssh_remove_all_identities(ac, 2);
110 
111 	if (ret == 0)
112 		fprintf(stderr, "All identities removed.\n");
113 	else
114 		fprintf(stderr, "Failed to remove all identities.\n");
115 
116 	return ret;
117 }
118 
119 static int
120 add_file(AuthenticationConnection *ac, const char *filename)
121 {
122 	struct stat st;
123 	Key *private;
124 	char *comment = NULL;
125 	char msg[1024];
126 	int ret = -1;
127 
128 	if (stat(filename, &st) < 0) {
129 		perror(filename);
130 		return -1;
131 	}
132 	/* At first, try empty passphrase */
133 	private = key_load_private(filename, "", &comment);
134 	if (comment == NULL)
135 		comment = xstrdup(filename);
136 	/* try last */
137 	if (private == NULL && pass != NULL)
138 		private = key_load_private(filename, pass, NULL);
139 	if (private == NULL) {
140 		/* clear passphrase since it did not work */
141 		clear_pass();
142 		snprintf(msg, sizeof msg, "Enter passphrase for %.200s: ",
143 		   comment);
144 		for (;;) {
145 			pass = read_passphrase(msg, RP_ALLOW_STDIN);
146 			if (strcmp(pass, "") == 0) {
147 				clear_pass();
148 				xfree(comment);
149 				return -1;
150 			}
151 			private = key_load_private(filename, pass, &comment);
152 			if (private != NULL)
153 				break;
154 			clear_pass();
155 			strlcpy(msg, "Bad passphrase, try again: ", sizeof msg);
156 		}
157 	}
158 	if (ssh_add_identity(ac, private, comment)) {
159 		fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
160 		ret = 0;
161 	} else
162 		fprintf(stderr, "Could not add identity: %s\n", filename);
163 
164 	xfree(comment);
165 	key_free(private);
166 
167 	return ret;
168 }
169 
170 static int
171 update_card(AuthenticationConnection *ac, int add, const char *id)
172 {
173 	if (ssh_update_card(ac, add, id)) {
174 		fprintf(stderr, "Card %s: %s\n",
175 		    add ? "added" : "removed", id);
176 		return 0;
177 	} else {
178 		fprintf(stderr, "Could not %s card: %s\n",
179 		    add ? "add" : "remove", id);
180 		return -1;
181 	}
182 }
183 
184 static void
185 list_identities(AuthenticationConnection *ac, int do_fp)
186 {
187 	Key *key;
188 	char *comment, *fp;
189 	int had_identities = 0;
190 	int version;
191 
192 	for (version = 1; version <= 2; version++) {
193 		for (key = ssh_get_first_identity(ac, &comment, version);
194 		    key != NULL;
195 		    key = ssh_get_next_identity(ac, &comment, version)) {
196 			had_identities = 1;
197 			if (do_fp) {
198 				fp = key_fingerprint(key, SSH_FP_MD5,
199 				    SSH_FP_HEX);
200 				printf("%d %s %s (%s)\n",
201 				    key_size(key), fp, comment, key_type(key));
202 				xfree(fp);
203 			} else {
204 				if (!key_write(key, stdout))
205 					fprintf(stderr, "key_write failed");
206 				fprintf(stdout, " %s\n", comment);
207 			}
208 			key_free(key);
209 			xfree(comment);
210 		}
211 	}
212 	if (!had_identities)
213 		printf("The agent has no identities.\n");
214 }
215 
216 static int
217 do_file(AuthenticationConnection *ac, int deleting, char *file)
218 {
219 	if (deleting) {
220 		if (delete_file(ac, file) == -1)
221 			return -1;
222 	} else {
223 		if (add_file(ac, file) == -1)
224 			return -1;
225 	}
226 	return 0;
227 }
228 
229 static void
230 usage(void)
231 {
232 	fprintf(stderr, "Usage: %s [options]\n", __progname);
233 	fprintf(stderr, "Options:\n");
234 	fprintf(stderr, "  -l          List fingerprints of all identities.\n");
235 	fprintf(stderr, "  -L          List public key parameters of all identities.\n");
236 	fprintf(stderr, "  -d          Delete identity.\n");
237 	fprintf(stderr, "  -D          Delete all identities.\n");
238 #ifdef SMARTCARD
239 	fprintf(stderr, "  -s reader   Add key in smartcard reader.\n");
240 	fprintf(stderr, "  -e reader   Remove key in smartcard reader.\n");
241 #endif
242 }
243 
244 int
245 main(int argc, char **argv)
246 {
247 	extern char *optarg;
248 	extern int optind;
249 	AuthenticationConnection *ac = NULL;
250 	char *sc_reader_id = NULL;
251 	int i, ch, deleting = 0, ret = 0;
252 
253 	SSLeay_add_all_algorithms();
254 
255 	/* At first, get a connection to the authentication agent. */
256 	ac = ssh_get_authentication_connection();
257 	if (ac == NULL) {
258 		fprintf(stderr, "Could not open a connection to your authentication agent.\n");
259 		exit(1);
260 	}
261 	while ((ch = getopt(argc, argv, "lLdDe:s:")) != -1) {
262 		switch (ch) {
263 		case 'l':
264 		case 'L':
265 			list_identities(ac, ch == 'l' ? 1 : 0);
266 			goto done;
267 			break;
268 		case 'd':
269 			deleting = 1;
270 			break;
271 		case 'D':
272 			if (delete_all(ac) == -1)
273 				ret = 1;
274 			goto done;
275 			break;
276 		case 's':
277 			sc_reader_id = optarg;
278 			break;
279 		case 'e':
280 			deleting = 1;
281 			sc_reader_id = optarg;
282 			break;
283 		default:
284 			usage();
285 			ret = 1;
286 			goto done;
287 		}
288 	}
289 	argc -= optind;
290 	argv += optind;
291 	if (sc_reader_id != NULL) {
292 		if (update_card(ac, !deleting, sc_reader_id) == -1)
293 			ret = 1;
294 		goto done;
295 	}
296 	if (argc == 0) {
297 		char buf[MAXPATHLEN];
298 		struct passwd *pw;
299 
300 		if ((pw = getpwuid(getuid())) == NULL) {
301 			fprintf(stderr, "No user found with uid %u\n",
302 			    (u_int)getuid());
303 			ret = 1;
304 			goto done;
305 		}
306 
307 		for(i = 0; default_files[i]; i++) {
308 			snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
309 			    default_files[i]);
310 			if (do_file(ac, deleting, buf) == -1)
311 				ret = 1;
312 		}
313 	} else {
314 		for(i = 0; i < argc; i++) {
315 			if (do_file(ac, deleting, argv[i]) == -1)
316 				ret = 1;
317 		}
318 	}
319 	clear_pass();
320 
321 done:
322 	ssh_close_authentication_connection(ac);
323 	return ret;
324 }
325