3 files changed, 25 insertions, 9 deletions

diff --git a/debian/changelog b/debian/changelog
index 6d61f5c62..15abbe97a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -39,6 +39,9 @@ openssh (1:4.7p1-11) UNRELEASED; urgency=low
     closes: #480020).
   * Log IP addresses of hosts attempting to use blacklisted keys (closes:
     #481721).
+  * Add -v (verbose) option to ssh-vulnkey, and don't print output for keys
+    that have a blacklist file but that are not listed unless in verbose
+    mode (thanks, Hugh Daniel).
 
  -- Colin Watson <cjwatson@debian.org>  Sat, 17 May 2008 08:48:45 +0200
 
diff --git a/ssh-vulnkey.1 b/ssh-vulnkey.1
index c0a7592f8..8e681115a 100644
--- a/ssh-vulnkey.1
+++ b/ssh-vulnkey.1
@@ -28,7 +28,7 @@
 .Nd check blacklist of compromised keys
 .Sh SYNOPSIS
 .Nm
-.Op Fl q
+.Op Fl q | Fl v
 .Ar file ...
 .Nm
 .Fl a
@@ -115,6 +115,16 @@ Normally,
 outputs the fingerprint of each key scanned, with a description of its
 status.
 This option suppresses that output.
+.It Fl v
+Verbose mode.
+Normally,
+.Nm
+does not output anything for keys that are not listed in their corresponding
+blacklist file (although it still produces output for keys for which there
+is no blacklist file, since their status is unknown).
+This option causes
+.Nm
+to produce output for all keys.
 .El
 .Sh BLACKLIST FILE FORMAT
 The blacklist file may start with comments, on lines starting with
diff --git a/ssh-vulnkey.c b/ssh-vulnkey.c
index f78615478..39c984db2 100644
--- a/ssh-vulnkey.c
+++ b/ssh-vulnkey.c
@@ -60,7 +60,7 @@ static char *default_files[] = {
         NULL
 };
 
-static int quiet = 0;
+static int verbosity = 0;
 
 static void
 usage(void)
@@ -74,12 +74,12 @@ usage(void)
 
 void
 describe_key(const char *filename, u_long linenum, const char *msg,
-    const Key *key, const char *comment)
+    const Key *key, const char *comment, int min_verbosity)
 {
         char *fp;
 
         fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-        if (!quiet)
+        if (verbosity >= min_verbosity)
                 printf("%s:%lu: %s: %u %s %s\n", filename, linenum, msg,
                     key_size(key), fp, comment);
         xfree(fp);
@@ -101,14 +101,14 @@ do_key(const char *filename, u_long linenum,
         blacklist_status = blacklisted_key(public);
         if (blacklist_status == -1)
                 describe_key(filename, linenum,
-                    "Unknown (no blacklist information)", key, comment);
+                    "Unknown (no blacklist information)", key, comment, 0);
         else if (blacklist_status == 1) {
                 describe_key(filename, linenum,
-                    "COMPROMISED", key, comment);
+                    "COMPROMISED", key, comment, 0);
                 ret = 0;
         } else
                 describe_key(filename, linenum,
-                    "Not blacklisted", key, comment);
+                    "Not blacklisted", key, comment, 1);
 
         key_free(public);
 
@@ -289,13 +289,16 @@ main(int argc, char **argv)
         init_rng();
         seed_rng();
 
-        while ((opt = getopt(argc, argv, "ahq")) != -1) {
+        while ((opt = getopt(argc, argv, "ahqv")) != -1) {
                 switch (opt) {
                 case 'a':
                         all_users = 1;
                         break;
                 case 'q':
-                        quiet = 1;
+                        verbosity--;
+                        break;
+                case 'v':
+                        verbosity++;
                         break;
                 case 'h':
                 default: