Document ssh-vulnkey key status descriptions (thanks, Hugh Daniel).

author: Colin Watson <cjwatson@debian.org> 2008-05-26 00:13:16 +0000
committer: Colin Watson <cjwatson@debian.org> 2008-05-26 00:13:16 +0000
commit: 89b922856645b056cd9875e54d579097f26459a2 (patch)
tree: 678df7da0cdfbed00c343fc6ae5b0fb1b8b107c6
parent: af64cec5aeb4dc005f02edcf74b25283e9773ad1 (diff)
2 files changed, 38 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index ac7f5d46f..083e9058e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -44,6 +44,7 @@ openssh (1:4.7p1-11) UNRELEASED; urgency=low
    mode (thanks, Hugh Daniel).
  * Move ssh-vulnkey's exit status documentation to a separate section
    (thanks, Hugh Daniel).
+  * Document ssh-vulnkey key status descriptions (thanks, Hugh Daniel).
 -- Colin Watson <cjwatson@debian.org>  Sat, 17 May 2008 08:48:45 +0200
diff --git a/ssh-vulnkey.1 b/ssh-vulnkey.1
index aa3271e46..ffbe3b085 100644
--- a/ssh-vulnkey.1
+++ b/ssh-vulnkey.1
@@ -87,6 +87,43 @@ option is used,
 .Xr sshd 8
 will reject attempts to authenticate with keys in the compromised list.
 .Pp
+The output from
+.Nm
+looks like this:
+.Pp
+.Bd -literal -offset indent
+/etc/ssh/ssh_host_key:1: COMPROMISED: 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@host
+/home/user/.ssh/id_dsa:1: Not blacklisted: 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx /home/user/.ssh/id_dsa.pub
+/home/user/.ssh/authorized_keys:3: Unknown (no blacklist information): 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user@host
+.Ed
+.Pp
+Each line is of the following format:
+.Pp
+.Dl Ar filename : Ns Ar line : Ar status : Ar length Ar fingerprint Ar comment
+.Pp
+It is important to distinguish between the possible values of
+.Ar status :
+.Pp
+.Bl -tag -width Ds
+.It COMPROMISED
+These keys are listed in a blacklist file, normally because their
+corresponding private keys are well-known.
+Replacements must be generated using
+.Xr ssh-keygen 1 .
+.It Not blacklisted
+A blacklist file exists for this key type and size, but this key is not
+listed in it.
+Unless there is some particular reason to believe otherwise, this key
+may be used safely.
+(Note that DSA keys used with the broken version of OpenSSL distributed
+by Debian may be compromised in the event that anyone captured a network
+trace, even if they were generated with a secure version of OpenSSL.)
+.It Unknown (no blacklist file)
+No blacklist file exists for this key type and size.
+You should find a suitable published blacklist and install it before
+deciding whether this key is safe to use.
+.El
+.Pp
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl a
author	Colin Watson <cjwatson@debian.org>	2008-05-26 00:13:16 +0000
committer	Colin Watson <cjwatson@debian.org>	2008-05-26 00:13:16 +0000
commit	89b922856645b056cd9875e54d579097f26459a2 (patch)
tree	678df7da0cdfbed00c343fc6ae5b0fb1b8b107c6
parent	af64cec5aeb4dc005f02edcf74b25283e9773ad1 (diff)

diff --git a/debian/changelog b/debian/changelog index ac7f5d46f..083e9058e 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -44,6 +44,7 @@ openssh (1:4.7p1-11) UNRELEASED; urgency=low
44	mode (thanks, Hugh Daniel).	44	mode (thanks, Hugh Daniel).
45	* Move ssh-vulnkey's exit status documentation to a separate section	45	* Move ssh-vulnkey's exit status documentation to a separate section
46	(thanks, Hugh Daniel).	46	(thanks, Hugh Daniel).
		47	* Document ssh-vulnkey key status descriptions (thanks, Hugh Daniel).
47		48
48	-- Colin Watson <cjwatson@debian.org> Sat, 17 May 2008 08:48:45 +0200	49	-- Colin Watson <cjwatson@debian.org> Sat, 17 May 2008 08:48:45 +0200
49		50


diff --git a/ssh-vulnkey.1 b/ssh-vulnkey.1 index aa3271e46..ffbe3b085 100644 --- a/ssh-vulnkey.1 +++ b/ssh-vulnkey.1
@@ -87,6 +87,43 @@ option is used,
87	.Xr sshd 8	87	.Xr sshd 8
88	will reject attempts to authenticate with keys in the compromised list.	88	will reject attempts to authenticate with keys in the compromised list.
89	.Pp	89	.Pp
		90	The output from
		91	.Nm
		92	looks like this:
		93	.Pp
		94	.Bd -literal -offset indent
		95	/etc/ssh/ssh_host_key:1: COMPROMISED: 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@host
		96	/home/user/.ssh/id_dsa:1: Not blacklisted: 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx /home/user/.ssh/id_dsa.pub
		97	/home/user/.ssh/authorized_keys:3: Unknown (no blacklist information): 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user@host
		98	.Ed
		99	.Pp
		100	Each line is of the following format:
		101	.Pp
		102	.Dl Ar filename : Ns Ar line : Ar status : Ar length Ar fingerprint Ar comment
		103	.Pp
		104	It is important to distinguish between the possible values of
		105	.Ar status :
		106	.Pp
		107	.Bl -tag -width Ds
		108	.It COMPROMISED
		109	These keys are listed in a blacklist file, normally because their
		110	corresponding private keys are well-known.
		111	Replacements must be generated using
		112	.Xr ssh-keygen 1 .
		113	.It Not blacklisted
		114	A blacklist file exists for this key type and size, but this key is not
		115	listed in it.
		116	Unless there is some particular reason to believe otherwise, this key
		117	may be used safely.
		118	(Note that DSA keys used with the broken version of OpenSSL distributed
		119	by Debian may be compromised in the event that anyone captured a network
		120	trace, even if they were generated with a secure version of OpenSSL.)
		121	.It Unknown (no blacklist file)
		122	No blacklist file exists for this key type and size.
		123	You should find a suitable published blacklist and install it before
		124	deciding whether this key is safe to use.
		125	.El
		126	.Pp
90	The options are as follows:	127	The options are as follows:
91	.Bl -tag -width Ds	128	.Bl -tag -width Ds
92	.It Fl a	129	.It Fl a