Konrad Bucheli
2011-Apr-07 07:12 UTC
new option ssh-add -v to verify if key is loaded into the agent
Dear openssh developers

In a shell script I need to verify if a key belonging to a given public
key file is already loaded into the agent. To achieve this, I added a
new option -v to ssh-add which does this verification.

The patch is based on openssh v5.8p1. The regression test agent.sh was
extended to test this new feature.

Is there any chance for inclusion of the attached patch?

Cheers

Konrad

--
konrad bucheli
security engineer
open systems ag
raeffelstrasse 29
ch-8045 zurich
t: +41 44 455 74 00
f: +41 44 455 74 01
kb at open.ch
http://www.open.ch

[Attachment: openssh-5.8p1-sshadd-verify.patch (text/x-patch, 9028 bytes)
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20110407/68929ae4/attachment.bin>]
Roumen Petrov
2011-Apr-07 19:11 UTC
new option ssh-add -v to verify if key is loaded into the agent
Konrad Bucheli wrote:
> Dear openssh developers
>
> In a shell script I need to verify if a key belonging to a given public
> key file is already loaded into the agent. To achieve this, I added a
> new option -v to ssh-add which does this verification.
>
What is the rationale to write 100 lines of C code instead of 1 line in a shell script?

> The patch is based on openssh v5.8p1. The regression test agent.sh was
> extended to test this new feature.
>
> Is there any chance for inclusion of the attached patch?
>
> Cheers
>
> Konrad
>
Roumen

--
Get X.509 certificates support in OpenSSH:
http://roumenpetrov.info/openssh/
Ángel González
2011-Apr-07 21:06 UTC
new option ssh-add -v to verify if key is loaded into the agent
Konrad Bucheli wrote:
> Dear openssh developers
>
> In a shell script I need to verify if a key belonging to a given public
> key file is already loaded into the agent. To achieve this, I added a
> new option -v to ssh-add which does this verification.
I'm not sure -v would be the right letter for that. -c (check) or -t (test)
would be suitable names, but those options are already taken...
Daniel Kahn Gillmor
2011-Apr-07 21:20 UTC
new option ssh-add -v to verify if key is loaded into the agent
On 04/07/2011 03:12 AM, Konrad Bucheli wrote:
> In a shell script I need to verify if a key belonging to a given public
> key file is already loaded into the agent. To achieve this, I added a
> new option -v to ssh-add which does this verification.
Couldn't this already be implemented by grepping the output of ssh-add -L?
Is there a compelling need to introduce (and maintain) a new command-line
argument for this?

--dkg
Ángel González
2011-Apr-09 23:41 UTC
new option ssh-add -v to verify if key is loaded into the agent
Roumen Petrov wrote:
> Konrad Bucheli wrote:
>> Dear openssh developers
>>
>> In a shell script I need to verify if a key belonging to a given public
>> key file is already loaded into the agent. To achieve this, I added a
>> new option -v to ssh-add which does this verification.
>>
> What is the rationale to write 100 lines of C code instead of 1 line in
> a shell script?
I suspect that when you start trying to take all quirks into account, the
C code will be much easier.
Markus Friedl
2011-May-06 14:42 UTC
new option ssh-add -v to verify if key is loaded into the agent
On Thu, Apr 07, 2011 at 09:12:08AM +0200, Konrad Bucheli wrote:> Dear openssh developers > > In a shell script I need to verify if a key belonging to a given public > key file is already loaded into the agent. To achieve this, I added a > new option -v to ssh-add which does this verification. > > The patch bases on openssh v5.8p1. The regression test agent.sh was > extended to test this new feature. > > Is there any chance for inclusion of attached patch?fwiw, some of my ssh trees had something like this (restricted to ssh v2 keys). Index: ssh-add.c ==================================================================RCS file: /cvs/src/usr.bin/ssh/ssh-add.c,v retrieving revision 1.100 diff -u -p -u -r1.100 ssh-add.c --- ssh-add.c 31 Aug 2010 12:33:38 -0000 1.100 +++ ssh-add.c 6 May 2011 14:34:44 -0000 @@ -261,6 +261,32 @@ update_card(AuthenticationConnection *ac } static int +test_key(AuthenticationConnection *ac, const char *filename) +{ + Key *key = NULL; + u_char *sig = NULL; + u_int slen = 0; + int ret = -1; + char data[1024]; + + if ((key = key_load_public(filename, NULL)) == NULL) { + error("Loading key from '%s' failed", filename); + goto done; + } + arc4random_buf(data, sizeof(data)); + if (ssh_agent_sign(ac, key, &sig, &slen, data, sizeof(data)) == -1) + goto done; + if (key_verify(key, sig, slen, data, sizeof(data)) == 1) + ret = 0; + done: + if (sig) + xfree(sig); + if (key) + key_free(key); + return (ret); +} + +static int list_identities(AuthenticationConnection *ac, int do_fp) { Key *key; @@ -351,6 +377,7 @@ usage(void) fprintf(stderr, " -c Require confirmation to sign using identities\n"); fprintf(stderr, " -s pkcs11 Add keys from PKCS#11 provider.\n"); fprintf(stderr, " -e pkcs11 Remove keys provided by PKCS#11 provider.\n"); + fprintf(stderr, " -T pubkey Test if ssh-agent can access matching private key.\n"); } int 
@@ -360,6 +387,7 @@ main(int argc, char **argv) extern int optind; AuthenticationConnection *ac = NULL; char *pkcs11provider = NULL; + char *testing = NULL; int i, ch, deleting = 0, ret = 0; /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ @@ -374,7 +402,7 @@ main(int argc, char **argv) "Could not open a connection to your authentication agent.\n"); exit(2); } - while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) { + while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:T:")) != -1) { switch (ch) { case 'l': case 'L': @@ -410,6 +438,9 @@ main(int argc, char **argv) goto done; } break; + case 'T': + testing = optarg; + break; default: usage(); ret = 1; @@ -418,6 +449,10 @@ main(int argc, char **argv) } argc -= optind; argv += optind; + if (testing != NULL) { + ret = (test_key(ac, testing) == 0) ? 0 : 1; + goto done; + } if (pkcs11provider != NULL) { if (update_card(ac, !deleting, pkcs11provider) == -1) ret = 1;
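Review bot: test_key() in the first hunk fails silently in both interesting cases: when ssh_agent_sign() returns -1 (agent has no matching private key, or the request failed) and when key_verify() does not return 1, the only thing that reaches the user is exit status 1 with no message, and the "restricted to ssh v2 keys" caveat from the cover mail is not enforced anywhere in the function, so an RSA1 public key fails the same silent way. Suggest an explicit key->type check with an error() before the sign request, and distinct messages for "agent refused to sign" and "signature did not verify" in front of the two `goto done` paths, so a script calling this can tell "not loaded" from "agent unreachable or broken".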
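Review bot: the usage() hunk adds the -T line but the diff touches only ssh-add.c (Index: ssh-add.c); ssh-add.1 needs the matching -T entry and the SYNOPSIS line needs the new option. Also the new text ends with a period like the -s and -e lines directly above it but unlike the -c line that precedes them, so usage() now mixes both styles; pick one.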
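Review bot: in the last hunk the `if (testing != NULL)` block runs before the PKCS#11 handling and before the file arguments are processed, and it ends with `goto done`, so `ssh-add -T key.pub -s provider` or `ssh-add -T key.pub other_key` silently ignores everything but -T; either reject the combination via usage() or document that -T is exclusive. Since `case 'T'` only stores optarg, a repeated -T also keeps only the last file; for the shell-script use case that motivated the thread, accepting several public keys and testing each would be the more useful behaviour.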
Konrad Bucheli
2011-May-10 07:58 UTC
new option ssh-add -v to verify if key is loaded into the agent
Hi

Thanks for the input. I have now a few questions:

> +	char data[1024];
> +	arc4random_buf(data, sizeof(data));

You use a long pseudo-random token to verify the private key, while my
patch uses a short (20 bytes) random token. What is recommended?

> +	fprintf(stderr, "  -T pubkey   Test if ssh-agent can access matching private key.\n");

I think this documentation goes more to the point. Still, the verb to use
is open:
-T for test
-C for check
-v for verify
-V for verify
I guess verify is the word with the least general meaning. And if we put a
capital V, it will not be mistaken as "version".

Any opinions?

Cheers

Konrad

--
konrad bucheli
security engineer
open systems ag
raeffelstrasse 29
ch-8045 zurich
t: +41 44 455 74 00
f: +41 44 455 74 01
kb at open.ch
http://www.open.ch