bugzilla-daemon at bugzilla.mindrot.org
2007-Jun-05 13:36 UTC
[Bug 1319] New: ssh-keygen does not properly handle multiple keys
http://bugzilla.mindrot.org/show_bug.cgi?id=1319
Summary: ssh-keygen does not properly handle multiple keys
Product: Portable OpenSSH
Version: 4.5p1
Platform: Other
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: ssh-keygen
AssignedTo: bitbucket at mindrot.org
ReportedBy: pepper at rockefeller.edu
When pointed at a file containing multiple keys, ssh-keygen only
fingerprints the first key, and does not either fingerprint the
additional keys or warn in any way that there are (or might be)
additional keys in the specified file.
pepper at salt:~/.ssh$ ssh-keygen -l -f authorized_keys
1024 5c:3a:b3:94:5d:ef:28:2c:4d:76:8a:9f:36:81:5c:af authorized_keys
pepper at salt:~/.ssh$ wc -l authorized_keys
3 authorized_keys
--
Configure bugmail: http://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-14 19:19 UTC
[Bug 1319] ssh-keygen does not properly handle multiple keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1319
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> 2008-06-15
05:19:42 ---
The problem here is that in ssh-keygen.c:do_fingerprint() we try
key_load_public() first. If this finds a key then we bail, if not then
we continue through the file a line at a time assuming authorized_keys
format.
The difficulty in fixing this comes from the fact that
key_load_public() opens, reads and closes the file in one go. We need a
variant that operates on an open file (or just a line), so we can
continue.
bugzilla-daemon at bugzilla.mindrot.org
2011-Jun-03 03:40 UTC
[Bug 1319] ssh-keygen does not properly handle multiple keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1319
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1845
--- Comment #2 from Damien Miller <djm at mindrot.org> 2011-06-03 13:40:19
EST ---
We can do this with the new authfile.c code that supports parsing from
memory buffers.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:34 UTC
[Bug 1319] ssh-keygen does not properly handle multiple keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1319
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1930
--- Comment #3 from Damien Miller <djm at mindrot.org> 2011-09-06 10:34:16
EST ---
Retarget unresolved bugs/features to 6.0 release
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:36 UTC
[Bug 1319] ssh-keygen does not properly handle multiple keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1319
--- Comment #4 from Damien Miller <djm at mindrot.org> 2011-09-06 10:36:29
EST ---
Retarget unresolved bugs/features to 6.0 release
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:39 UTC
[Bug 1319] ssh-keygen does not properly handle multiple keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1319
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|1845 |
--- Comment #5 from Damien Miller <djm at mindrot.org> 2011-09-06 10:39:03
EST ---
Retarget unresolved bugs/features to 6.0 release
(try again - bugzilla's "change several" isn't)
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-02 01:19 UTC
[Bug 1319] ssh-keygen does not properly handle multiple keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1319
--- Comment #6 from Damien Miller <djm at mindrot.org> 2011-12-02 12:19:01
EST ---
Fixing this is trickier than I thought. The cases that need to be
supported are:
1. SSH1 public key in a private blob
2. SSH1/SSH2 public key in text form
3. known_hosts
4. authorized_keys
We can deal with case #1 by using key_load_public_type() instead of
key_load_public.
It is a little more tricky to support the other cases together though.
For a start, known_hosts always has a hostname before the key string
whereas a public key in text format never does. authorized_keys has
optional key restrictions that need to be recognised and skipped.
A final (?) complication comes in the printing - when printing
fingerprints from known_hosts, one wants to print the hostname obtained
from the start of the line, but when printing everything else the key
comment (end of the line, or baked into a binary SSH1 private key)
is the most important thing.
So, do_fingerprint needs to be rewritten to look something like this:
    k = key_load_public_type(KEY_RSA1, identity_file, comment)
    if (k != NULL)
        print fingerprint+comment and exit
    for line in identity_file {
        split_key_line(line, &preamble, &key, &comment)
        if (auth_parse_options(preamble)) {
            // If it has options then it's definitely authorized keys
            authorized_keys = 1
        } else if (*preamble != '\0') {
            // If the preamble doesn't look like options, then it's probably
            // known_hosts
            known_hosts = 1
        } else {
            // If no preamble at all then it's a plain key or authorized_keys
        }
        print_fingerprint(key)
        print_comment(known_hosts ? preamble : comment)
    }
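A runnable sketch of the per-line loop outlined in comment #6, added here as an example; it is not OpenSSH code and not part of the bug thread. All names (KEY_TYPES, OPTIONS, FIELD, fingerprint_lines, make_blob) are hypothetical, the option check is a crude stand-in for auth_parse_options(), the binary SSH1 case is left out, and the sample keys are constructed filler rather than real keys.

```python
import base64
import hashlib
import re
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}
# Assumption: a crude stand-in for auth_parse_options(), common option names only.
OPTIONS = {"command", "environment", "from", "permitopen", "tunnel", "no-pty",
           "no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding"}
FIELD = re.compile(r'(?:"(?:\\.|[^"\\])*"|\S)+')  # quoted option values may contain blanks

def fingerprint_lines(text):
    """Return (lineno, kind, md5_fingerprint, label) for every non-comment line."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        f = FIELD.findall(line)
        if not f or f[0].startswith("#"):
            continue
        idx = next((i for i, w in enumerate(f) if w in KEY_TYPES), -1)
        try:
            if idx < 0:
                raise ValueError("no key type on this line")
            blob = base64.b64decode(f[idx + 1], validate=True)
            (tlen,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + tlen].decode() != f[idx]:
                raise ValueError("blob type does not match the key type field")
        except (IndexError, ValueError, struct.error):
            results.append((lineno, "unparsed", None, line.strip()))
            continue                      # reported, never silently skipped
        preamble, comment = " ".join(f[:idx]), " ".join(f[idx + 2:])
        if re.split(r"[=,]", preamble, maxsplit=1)[0] in OPTIONS:
            kind = "authorized_keys"      # options present: definitely authorized_keys
        elif preamble:
            kind = "known_hosts"          # non-option preamble: hostname(s)
        else:
            kind = "plain"                # bare public key or option-less authorized_keys
        fp = hashlib.md5(blob).digest().hex(":")   # legacy colon-separated MD5 form
        results.append((lineno, kind, fp, preamble if kind == "known_hosts" else comment))
    return results

def make_blob(key_type, payload):
    """Constructed (not real) key blob: length-prefixed type name plus filler bytes."""
    return base64.b64encode(struct.pack(">I", len(key_type)) + key_type.encode() + payload).decode()

SAMPLE = "\n".join([   # constructed three-line input mixing the formats discussed above
    "ssh-rsa %s alice@example" % make_blob("ssh-rsa", b"A" * 32),
    'command="/usr/bin/rsync --server",no-pty ssh-rsa %s backup' % make_blob("ssh-rsa", b"B" * 32),
    "host.example.org,192.0.2.10 ssh-ed25519 %s" % make_blob("ssh-ed25519", b"C" * 32),
])
```

Every line yields a result, so a file with three keys produces three fingerprints, and a line that cannot be parsed is returned as "unparsed" instead of being dropped.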
bugzilla-daemon at bugzilla.mindrot.org
2011-Dec-02 01:59 UTC
[Bug 1319] ssh-keygen does not properly handle multiple keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1319
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1544
bugzilla-daemon at bugzilla.mindrot.org
2012-Feb-23 23:34 UTC
[Bug 1319] ssh-keygen does not properly handle multiple keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1319
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1986
--- Comment #7 from Damien Miller <djm at mindrot.org> 2012-02-24 10:34:25
EST ---
Retarget from 6.0 to 6.1
bugzilla-daemon at bugzilla.mindrot.org
2012-Feb-23 23:38 UTC
[Bug 1319] ssh-keygen does not properly handle multiple keys
https://bugzilla.mindrot.org/show_bug.cgi?id=1319
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|1930 |
--- Comment #8 from Damien Miller <djm at mindrot.org> 2012-02-24 10:38:04
EST ---
Retarget 6.0 => 6.1