This is a small modification I made to OpenSSH 4.6p1 that allows a user to see if his or her key is\\ installed on a remote host without logging in. I find this useful in auditing user account keys.
[[http://vapid.dhs.org/html/patch-openssh-4.6p1_check_key.txt|Download Patch]]
=====Patching and building=====
larry@mathom:/u0/orig$ rm -rf openssh-4.6p1\\
larry@mathom:/u0/orig$ tar -zxf openssh-4.6p1.tar.gz\\
larry@mathom:/u0/orig$ patch -p0 < patch\\
patching file openssh-4.6p1/ssh.c\\
patching file openssh-4.6p1/sshconnect1.c\\
patching file openssh-4.6p1/readconf.c\\
patching file openssh-4.6p1/version.h\\
patching file openssh-4.6p1/readconf.h\\
larry@mathom:/u0/orig$ cd openssh-4.6p1;./configure;make;make install\\
=====Patch Contents=====
<code c>
--- orig/openssh-4.6p1/sshconnect1.c 2006-11-07 07:14:42.000000000 -0500
+++ openssh-4.6p1/sshconnect1.c 2007-05-15 03:31:06.740012440 -0400
@@ -69,10 +69,11 @@
u_int i; Key *key; BIGNUM challenge; + u_char buf[300]; / Get connection to the agent. / auth = ssh_get_authentication_connection(); - if (!auth) +if (!auth) return 0; if ((challenge = BN_new()) == NULL)
@@ -84,7 +85,7 @@
/ Try this identity. / debug("Trying RSA authentication via agent with '%.100s'", comment); - xfree(comment); + if (!options.checkey) xfree(comment); / Tell the server that we are willing to authenticate using this key. / packet_start(SSH_CMSG_AUTH_RSA); @@ -107,9 +108,17 @@ packet_disconnect("Protocol error during RSA authentication: %d", type); + /if -u is enabled print a message and then exit/ + if (options.checkey) { + snprintf(buf, sizeof(buf), "RSA key '%.100s' is Valid",comment); + xfree(comment); + packet_disconnect("%s",buf); + } + packet_get_bignum(challenge); packet_check_eom();
+
debug("Received RSA challenge from server.");
/ Ask the agent to decrypt the challenge. / @@ -136,12 +145,16 @@
type = packet_read();
/ The server returns success if it accepted the authentication. / +
if (type == SSH_SMSG_SUCCESS) { ssh_close_authentication_connection(auth); BN_clear_free(challenge); debug("RSA authentication accepted by server."); return 1; }
+
+
+
/ Otherwise it should return failure. / if (type != SSH_SMSG_FAILURE) packet_disconnect("Protocol error waiting RSA auth response: %d", @@ -234,7 +247,8 @@ xfree(comment); return 0; } - / Otherwise, the server should respond with a challenge. / + + / Otherwise, the server should respond with a challenge. / if (type != SSH_SMSG_AUTH_RSA_CHALLENGE) packet_disconnect("Protocol error during RSA authentication: %d", type);
@@ -256,7 +270,15 @@
else private = key_load_private_type(KEY_RSA1, authfile, "", NULL, &perm_ok); - if (private == NULL && !options.batch_mode && perm_ok) { + + /if -u flag is set just check to see if key is valid and exit./ + if (options.checkey && perm_ok) { + snprintf(buf, sizeof(buf), "RSA key '%.100s' is Valid",comment); + xfree(comment); + packet_disconnect("%s",buf); + } + + if (private == NULL && !options.batch_mode && perm_ok && !options.checkey) { snprintf(buf, sizeof(buf), "Enter passphrase for RSA key '%.100s': ", comment); for (i = 0; i < options.number_of_password_prompts; i++) {
--- orig/openssh-4.6p1/ssh.c 2007-01-05 00:30:17.000000000 -0500
+++ openssh-4.6p1/ssh.c 2007-05-10 11:40:06.279706888 -0400
@@ -185,7 +185,7 @@
usage(void)
{
fprintf(stderr,
-"usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
+"usage: ssh [-1246AaCfgkMNnqsTtuVvXxY] [-b bind_address] [-c cipher_spec]\n"
" [-D [bind_address:]port] [-e escape_char] [-F configfile]\n" " [-i identity_file] [-L [bind_address:]port:host:hostport]\n" " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
@@ -272,7 +272,7 @@
while ((opt = getopt(ac, av, - "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVw:XY")) != -1) { + "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TuVw:XY")) != -1) {
switch (opt) { case '1':
options.protocol = SSH_PROTO_1; @@ -523,6 +523,9 @@
case 'F':
config = optarg; break; + case 'u': + options.checkey = 1; + break;
usage(); } --- orig/openssh-4.6p1/readconf.c 2007-02-19 06:12:54.000000000 -0500 +++ openssh-4.6p1/readconf.c 2007-05-10 11:31:54.924404248 -0400 @@ -1065,6 +1065,7 @@
options->tun_remote = -1; options->local_command = NULL; options->permit_local_command = -1; + options->checkey = 0; }
/
--- orig/openssh-4.6p1/readconf.h 2006-08-04 22:39:40.000000000 -0400
+++ openssh-4.6p1/readconf.h 2007-05-10 11:29:55.636538760 -0400
@@ -120,6 +120,7 @@
char *local_command; int permit_local_command; + int checkey; } Options;
</code>
=====Usage=====
larry@mathom:/u0/orig/openssh-4.6p1$ /u0/openssh-4.6p1/ssh -1 -u -i /u0/larry/identity-03062007 root@test-host1\\
RSA key '/u0/larry/identity-03062007' is Valid\\
\\
So the above key is in .authorized_keys for root on host test-host1.\\
Otherwise it will return permission denied.\\