do not try to add to known_hosts if HASH_KNOWN_HOSTS is true but ssh-keygen is not...
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Sun, 18 Apr 2010 00:16:52 +0000 (20:16 -0400)
committerDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Sun, 18 Apr 2010 00:16:52 +0000 (20:16 -0400)
src/share/common
src/share/m/ssh_proxycommand

index adec5a1feea5d52e11c9f96ee8598207b422fe9a..9e403022b8fd2a397e286b9fd942624598aa1faa 100644 (file)
@@ -885,13 +885,25 @@ process_host_known_hosts() {
 
            # hash if specified
            if [ "$HASH_KNOWN_HOSTS" = 'true' ] ; then
+                if (type ssh-keygen >/dev/null) ; then
                # FIXME: this is really hackish cause ssh-keygen won't
                # hash from stdin to stdout
-               tmpfile=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
-               ssh2known_hosts "$host" "$sshKey" > "$tmpfile"
-               ssh-keygen -H -f "$tmpfile" 2>/dev/null
-               cat "$tmpfile" >> "$KNOWN_HOSTS"
-               rm -f "$tmpfile" "${tmpfile}.old"
+                   tmpfile=$(mktemp ${TMPDIR:-/tmp}/tmp.XXXXXXXXXX)
+                   ssh2known_hosts "$host" "$sshKey" > "$tmpfile"
+                   ssh-keygen -H -f "$tmpfile" 2>/dev/null
+                   cat "$tmpfile" >> "$KNOWN_HOSTS"
+                   rm -f "$tmpfile" "${tmpfile}.old"
+                else
+       # FIXME: we could do this without needing ssh-keygen.  hashed
+       # known_hosts looks like: |1|X|Y where 1 means SHA1 (nothing
+       # else is defined in openssh sources), X is the salt (same
+       # length as the digest output), base64-encoded, and Y is the
+       # digested hostname (also base64-encoded).
+
+       # see hostfile.{c,h} in openssh sources.
+
+                    failure "Cannot hash known_hosts as requested"
+                fi
            else
                ssh2known_hosts "$host" "$sshKey" >> "$KNOWN_HOSTS"
            fi
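Review bot: The hashing branch still runs `cat "$tmpfile" >> "$KNOWN_HOSTS"` when `ssh-keygen -H -f "$tmpfile" 2>/dev/null` exits non-zero (its status is discarded and its stderr suppressed), so an ssh-keygen that is present but fails to hash writes an unhashed entry into known_hosts — the very outcome the new `failure` call in the else branch is meant to prevent. Suggest `ssh-keygen -H -f "$tmpfile" 2>/dev/null || { rm -f "$tmpfile" "${tmpfile}.old"; failure "Cannot hash known_hosts as requested"; }` so both the missing and the failing case are reported the same way. Minor: `type ssh-keygen >/dev/null` leaves the shell's "not found" message on stderr where the ssh_proxycommand hunk uses `&>/dev/null`, and the new FIXME block before `failure` is indented at column 8 inside a 16–20 column body; both are style but worth aligning. process_host_known_hosts continues outside the hunk on both ends.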
index 5f7a63bdd6ba6e3c66f98eb7e87de5c19bc666f6..5fb2ce445f6e04d1343b558338408546bb741fdf 100644 (file)
@@ -237,7 +237,17 @@ else
         if (type ssh-keygen &>/dev/null) ; then
             hostKey=$(ssh-keygen -F "$HOST" -f "$KNOWN_HOSTS" 2>/dev/null)
         else
-            # FIXME: we're not dealing with digested known_hosts if we don't 
+            # FIXME: we're not dealing with digested known_hosts if we
+            # don't have ssh-keygen
+
+       # But we could do this without needing ssh-keygen.  hashed
+       # known_hosts looks like: |1|X|Y where 1 means SHA1 (nothing
+       # else is defined in openssh sources), X is the salt (same
+       # length as the digest output), base64-encoded, and Y is the
+       # digested hostname (also base64-encoded).
+
+       # see hostfile.{c,h} in openssh sources.
+
             hostKey=$(cut -f1 -d\  < .ssh/known_hosts | tr ',' '\n' | grep -Fx -e "$HOST" || :)
         fi
     fi
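Review bot: The fallback on the line after the new comment reads the cwd-relative `.ssh/known_hosts`, while the ssh-keygen branch two lines above reads `"$KNOWN_HOSTS"`; unless an earlier `cd` to the home directory exists outside this hunk, the two branches consult different files, and the new comment only documents the hashed-entry limitation, not this mismatch. Using `hostKey=$(cut -f1 -d\  < "$KNOWN_HOSTS" | tr ',' '\n' | grep -Fx -e "$HOST" || :)` would keep both branches on the same file. The added comment block is also indented at column 8 inside a 12-column body, which reads like a misplaced paste; aligning it with the FIXME directly above it would help. The outer if closed by the final `fi` starts outside the hunk.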