-rw-r--r--debian/changelog7
-rw-r--r--ssh-vulnkey.c24
2 files changed, 29 insertions, 2 deletions
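--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openssh (1:4.7p1-13) UNRELEASED; urgency=low
+
+* Add some helpful advice to the end of ssh-vulnkey's output if there are
+unknown or compromised keys (thanks, Dan Jacobson; closes: #483756).
+
+-- Colin Watson <cjwatson@debian.org> Fri, 30 May 2008 23:26:25 +0100
+
 openssh (1:4.7p1-12) unstable; urgency=low
 
 * Fill in CVE identifier for ssh-vulnkey bug fixed in 1:4.7p1-10.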
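--- a/ssh-vulnkey.c
+++ b/ssh-vulnkey.c
@@ -64,6 +64,9 @@ static char *default_files[] = {
 
 static int verbosity = 0;
 
+static int some_unknown = 0;
+static int some_compromised = 0;
+
 static void
 usage(void)
 {
@@ -106,12 +109,14 @@ do_key(const char *filename, u_long linenum,
 public->type = KEY_RSA;
 
 blacklist_status = blacklisted_key(public, NULL);
-if (blacklist_status == -1)
+if (blacklist_status == -1) {
 describe_key(filename, linenum,
 "Unknown (blacklist file not installed)", key, comment, 0);
-else if (blacklist_status == 1) {
+some_unknown = 1;
+} else if (blacklist_status == 1) {
 describe_key(filename, linenum,
 "COMPROMISED", key, comment, 0);
+some_compromised = 1;
 ret = 0;
 } else
 describe_key(filename, linenum,
@@ -356,5 +361,20 @@ main(int argc, char **argv)
 ret = 0;
 }
 
+if (verbosity >= 0) {
+if (some_unknown) {
+printf("#\n");
+printf("# The status of some keys on your system is unknown.\n");
+printf("# You may need to install additional blacklist files.\n");
+}
+if (some_compromised) {
+printf("#\n");
+printf("# Some keys on your system have been compromised!\n");
+printf("# You must replace them using ssh-keygen(1).\n");
+}
+printf("#\n");
+printf("# See the ssh-vulnkey(1) manual page for further advice.\n");
+}
+
 return ret;
 }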
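Review bot: The advice at new lines 372–373 tells the user to replace compromised keys with ssh-keygen(1), but if the scan also covers authorized_keys files (the default_files table named in the first hunk header suggests a fixed set of files, though its contents are not visible here), the correct remediation for a blacklisted entry there is to delete it, since regenerating one's own keys leaves the compromised public key accepted for login. I would reword to `printf("# Some keys on your system are blacklisted as compromised!\n");` / `printf("# Regenerate your own keys with ssh-keygen(1) and remove blacklisted\n");` / `printf("# keys from any authorized_keys files.\n");`. Separately, the new `-1` branch in do_key() sets only `some_unknown` and leaves ret untouched (ret is initialised outside the hunk), so a scripted caller sees the same exit status for "blacklist not installed" as for a clean scan; a comment such as `/* advisory only: an unknown status does not change the exit status */` next to `some_unknown = 1;` would make that limitation explicit. The bodies of do_key() and main() extend outside these hunks.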