summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--debian/changelog1
-rw-r--r--ssh-vulnkey.137
2 files changed, 38 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index ac7f5d46f..083e9058e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -44,6 +44,7 @@ openssh (1:4.7p1-11) UNRELEASED; urgency=low
44 mode (thanks, Hugh Daniel). 44 mode (thanks, Hugh Daniel).
45 * Move ssh-vulnkey's exit status documentation to a separate section 45 * Move ssh-vulnkey's exit status documentation to a separate section
46 (thanks, Hugh Daniel). 46 (thanks, Hugh Daniel).
47 * Document ssh-vulnkey key status descriptions (thanks, Hugh Daniel).
47 48
48 -- Colin Watson <cjwatson@debian.org> Sat, 17 May 2008 08:48:45 +0200 49 -- Colin Watson <cjwatson@debian.org> Sat, 17 May 2008 08:48:45 +0200
49 50
diff --git a/ssh-vulnkey.1 b/ssh-vulnkey.1
index aa3271e46..ffbe3b085 100644
--- a/ssh-vulnkey.1
+++ b/ssh-vulnkey.1
@@ -87,6 +87,43 @@ option is used,
87.Xr sshd 8 87.Xr sshd 8
88will reject attempts to authenticate with keys in the compromised list. 88will reject attempts to authenticate with keys in the compromised list.
89.Pp 89.Pp
90The output from
91.Nm
92looks like this:
93.Pp
94.Bd -literal -offset indent
95/etc/ssh/ssh_host_key:1: COMPROMISED: 2048 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@host
96/home/user/.ssh/id_dsa:1: Not blacklisted: 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx /home/user/.ssh/id_dsa.pub
97/home/user/.ssh/authorized_keys:3: Unknown (no blacklist information): 1024 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user@host
98.Ed
99.Pp
100Each line is of the following format:
101.Pp
102.Dl Ar filename : Ns Ar line : Ar status : Ar length Ar fingerprint Ar comment
103.Pp
104It is important to distinguish between the possible values of
105.Ar status :
106.Pp
107.Bl -tag -width Ds
108.It COMPROMISED
109These keys are listed in a blacklist file, normally because their
110corresponding private keys are well-known.
111Replacements must be generated using
112.Xr ssh-keygen 1 .
113.It Not blacklisted
114A blacklist file exists for this key type and size, but this key is not
115listed in it.
116Unless there is some particular reason to believe otherwise, this key
117may be used safely.
118(Note that DSA keys used with the broken version of OpenSSL distributed
119by Debian may be compromised in the event that anyone captured a network
120trace, even if they were generated with a secure version of OpenSSL.)
121.It Unknown (no blacklist file)
122No blacklist file exists for this key type and size.
123You should find a suitable published blacklist and install it before
124deciding whether this key is safe to use.
125.El
126.Pp
90The options are as follows: 127The options are as follows:
91.Bl -tag -width Ds 128.Bl -tag -width Ds
92.It Fl a 129.It Fl a