2 files changed, 29 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog
index 9b58f0f1b..d3651d9c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openssh (1:4.7p1-13) UNRELEASED; urgency=low
+  * Add some helpful advice to the end of ssh-vulnkey's output if there are
+    unknown or compromised keys (thanks, Dan Jacobson; closes: #483756).
+ -- Colin Watson <cjwatson@debian.org>  Fri, 30 May 2008 23:26:25 +0100
 openssh (1:4.7p1-12) unstable; urgency=low
  * Fill in CVE identifier for ssh-vulnkey bug fixed in 1:4.7p1-10.
diff --git a/ssh-vulnkey.c b/ssh-vulnkey.c
index 31d252b43..fd37a1da8 100644
--- a/ssh-vulnkey.c
+++ b/ssh-vulnkey.c
@@ -64,6 +64,9 @@ static char *default_files[] = {
 static int verbosity = 0;
+static int some_unknown = 0;
+static int some_compromised = 0;
 static void
 usage(void)
 {
@@ -106,12 +109,14 @@ do_key(const char *filename, u_long linenum,
                public->type = KEY_RSA;
        blacklist_status = blacklisted_key(public, NULL);
-        if (blacklist_status == -1)
+        if (blacklist_status == -1) {
                describe_key(filename, linenum,
                    "Unknown (blacklist file not installed)", key, comment, 0);
-        else if (blacklist_status == 1) {
+                some_unknown = 1;
+        } else if (blacklist_status == 1) {
                describe_key(filename, linenum,
                    "COMPROMISED", key, comment, 0);
+                some_compromised = 1;
                ret = 0;
        } else
                describe_key(filename, linenum,
@@ -356,5 +361,20 @@ main(int argc, char **argv)
                                ret = 0;
        }
+        if (verbosity >= 0) {
+                if (some_unknown) {
+                        printf("#\n");
+                        printf("# The status of some keys on your system is unknown.\n");
+                        printf("# You may need to install additional blacklist files.\n");
+                }
+                if (some_compromised) {
+                        printf("#\n");
+                        printf("# Some keys on your system have been compromised!\n");
+                        printf("# You must replace them using ssh-keygen(1).\n");
+                }
+                printf("#\n");
+                printf("# See the ssh-vulnkey(1) manual page for further advice.\n");
+        }
        return ret;
 }

diff --git a/debian/changelog b/debian/changelog index 9b58f0f1b..d3651d9c0 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,10 @@
		1	openssh (1:4.7p1-13) UNRELEASED; urgency=low
		2
		3	* Add some helpful advice to the end of ssh-vulnkey's output if there are
		4	unknown or compromised keys (thanks, Dan Jacobson; closes: #483756).
		5
		6	-- Colin Watson <cjwatson@debian.org> Fri, 30 May 2008 23:26:25 +0100
		7
1	openssh (1:4.7p1-12) unstable; urgency=low	8	openssh (1:4.7p1-12) unstable; urgency=low
2		9
3	* Fill in CVE identifier for ssh-vulnkey bug fixed in 1:4.7p1-10.	10	* Fill in CVE identifier for ssh-vulnkey bug fixed in 1:4.7p1-10.


diff --git a/ssh-vulnkey.c b/ssh-vulnkey.c index 31d252b43..fd37a1da8 100644 --- a/ssh-vulnkey.c +++ b/ssh-vulnkey.c
@@ -64,6 +64,9 @@ static char *default_files[] = {
64		64
65	static int verbosity = 0;	65	static int verbosity = 0;
66		66
		67	static int some_unknown = 0;
		68	static int some_compromised = 0;
		69
67	static void	70	static void
68	usage(void)	71	usage(void)
69	{	72	{
@@ -106,12 +109,14 @@ do_key(const char *filename, u_long linenum,
106	public->type = KEY_RSA;	109	public->type = KEY_RSA;
107		110
108	blacklist_status = blacklisted_key(public, NULL);	111	blacklist_status = blacklisted_key(public, NULL);
109	if (blacklist_status == -1)	112	if (blacklist_status == -1) {
110	describe_key(filename, linenum,	113	describe_key(filename, linenum,
111	"Unknown (blacklist file not installed)", key, comment, 0);	114	"Unknown (blacklist file not installed)", key, comment, 0);
112	else if (blacklist_status == 1) {	115	some_unknown = 1;
		116	} else if (blacklist_status == 1) {
113	describe_key(filename, linenum,	117	describe_key(filename, linenum,
114	"COMPROMISED", key, comment, 0);	118	"COMPROMISED", key, comment, 0);
		119	some_compromised = 1;
115	ret = 0;	120	ret = 0;
116	} else	121	} else
117	describe_key(filename, linenum,	122	describe_key(filename, linenum,
@@ -356,5 +361,20 @@ main(int argc, char **argv)
356	ret = 0;	361	ret = 0;
357	}	362	}
358		363
		364	if (verbosity >= 0) {
		365	if (some_unknown) {
		366	printf("#\n");
		367	printf("# The status of some keys on your system is unknown.\n");
		368	printf("# You may need to install additional blacklist files.\n");
		369	}
		370	if (some_compromised) {
		371	printf("#\n");
		372	printf("# Some keys on your system have been compromised!\n");
		373	printf("# You must replace them using ssh-keygen(1).\n");
		374	}
		375	printf("#\n");
		376	printf("# See the ssh-vulnkey(1) manual page for further advice.\n");
		377	}
		378
359	return ret;	379	return ret;
360	}	380	}