Include subnet-qualified names names for hosts.

[ssh-ca] / bin / sign

diff --git a/bin/sign b/bin/sign
index 833c2a1..29add64 100755 (executable)
--- a/bin/sign
+++ b/bin/sign
@@ -16,7 +16,7 @@ mkdir publish.new
 for kt in $rawkeytypes; do
   cp ca/ca-$kt.pub publish.new/
   read pub <ca/ca-$kt.pub
-  echo "$@cert-authority $scope $pub" >publish.new/ca-$kt.entry
+  echo "@cert-authority $scope $pub" >publish.new/ca-$kt.entry
 done
 
 ## Sign the various host keys.
@@ -35,17 +35,22 @@ while read line <&3; do
   set -- $line
   host=$1
   names=""
+  nicks=""
 
   ## If this is a different host, then start a new section of the list.
-  case "$host" in "$last") ;; *) { echo; echo "$host"; } >&4 ;; esac
+  case "$last" in
+    "%%%") echo "$host" >&4 ;;
+    "$host") ;;
+    *) { echo; echo "$host"; } >&4 ;;
+  esac
   last=$host
 
   ## Build a list of names for the host.
   for n in "$@"; do
-    names=${names:+$names,}$n
     case "$n" in
-      *.* | *:*) ;;
-      *) names=${names:+$names,}$n.$domain ;;
+      .*) for h in $nicks; do names=${names:+$names,}$h$n,$h$n.$domain; done ;;
+      *.* | *:*) names=${names:+$names,}$n ;;
+      *) nicks=${nicks:+$nicks }$n names=${names:+$names,}$n,$n.$domain ;;
     esac
   done
 
@@ -53,7 +58,7 @@ while read line <&3; do
   for kt in $rawkeytypes; do
     if [ ! -f host/$host-$kt.pub ]; then continue; fi
     cp host/$host-$kt.pub publish.new/
-    ssh-keygen -q -sca/ca-$kt \
+    ssh-keygen -q -tv00 -sca/ca-$kt \
       -h -I"$cacomment:$host.$domain" -n$names \
       -V$validity \
       publish.new/$host-$kt.pub