From 15d091acca07091e7f196168bdf08788f1ae8367 Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Fri, 30 May 2008 22:25:16 +0000
Subject: Add some helpful advice to the end of ssh-vulnkey's output if there are unknown or compromised keys (thanks, Dan Jacobson; closes: #483756).

---
 debian/changelog | 7 +++++++
 ssh-vulnkey.c | 24 ++++++++++++++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 9b58f0f1b..d3651d9c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openssh (1:4.7p1-13) UNRELEASED; urgency=low
+
+ * Add some helpful advice to the end of ssh-vulnkey's output if there are
+ unknown or compromised keys (thanks, Dan Jacobson; closes: #483756).
+
+ -- Colin Watson Fri, 30 May 2008 23:26:25 +0100
+
 openssh (1:4.7p1-12) unstable; urgency=low
 
 * Fill in CVE identifier for ssh-vulnkey bug fixed in 1:4.7p1-10.
diff --git a/ssh-vulnkey.c b/ssh-vulnkey.c
index 31d252b43..fd37a1da8 100644
--- a/ssh-vulnkey.c
+++ b/ssh-vulnkey.c
@@ -64,6 +64,9 @@ static char *default_files[] = {
 static int verbosity = 0;
 
+static int some_unknown = 0;
+static int some_compromised = 0;
+
 static void
 usage(void)
 {
@@ -106,12 +109,14 @@ do_key(const char *filename, u_long linenum,
 public->type = KEY_RSA;
 
 blacklist_status = blacklisted_key(public, NULL);
-if (blacklist_status == -1)
+if (blacklist_status == -1) {
 describe_key(filename, linenum, "Unknown (blacklist file not installed)", key, comment, 0);
-else if (blacklist_status == 1) {
+some_unknown = 1;
+} else if (blacklist_status == 1) {
 describe_key(filename, linenum, "COMPROMISED", key, comment, 0);
+some_compromised = 1;
 ret = 0;
 } else
 describe_key(filename, linenum,
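Review bot: In the `blacklist_status == -1` branch the new code only records `some_unknown = 1`, so a key that could not be checked at all leaves `ret` exactly as a key that passed does, while only the COMPROMISED branch sets `ret = 0` (`ret` is initialised and consumed outside this hunk, so its effect on the exit status is inferred, not visible). That makes "blacklist file not installed" fail-open for anything that keys off the exit status rather than the printed lines, which is the wrong default for a tool whose whole purpose is to catch blacklisted keys. If the exit-status contract cannot change, make the asymmetry explicit next to the assignment: `/* Unknown status leaves ret untouched, i.e. it is reported like a clean key; callers scripting the exit status must also look for "Unknown" lines. */`. A minor style point: the -1/0/1 outcomes of blacklisted_key() are compared as bare magic numbers, and named constants would make the three-way branch self-describing. do_key() starts and ends outside this hunk.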
@@ -356,5 +361,20 @@ main(int argc, char **argv)
 ret = 0;
 }
 
+ if (verbosity >= 0) {
+ if (some_unknown) {
+ printf("#\n");
+ printf("# The status of some keys on your system is unknown.\n");
+ printf("# You may need to install additional blacklist files.\n");
+ }
+ if (some_compromised) {
+ printf("#\n");
+ printf("# Some keys on your system have been compromised!\n");
+ printf("# You must replace them using ssh-keygen(1).\n");
+ }
+ printf("#\n");
+ printf("# See the ssh-vulnkey(1) manual page for further advice.\n");
+ }
+
 return ret;
 }
-- 
cgit v1.2.3
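Review bot: The trailer `printf("#\n"); printf("# See the ssh-vulnkey(1) manual page for further advice.\n");` sits outside both inner `if`s, so it is emitted on every non-quiet run, including when every key came back clean or nothing was scanned, which contradicts the commit's own "if there are unknown or compromised keys" and adds unconditional noise to output that may be post-processed. Gate the whole block on the flags instead: `if (verbosity >= 0 && (some_unknown || some_compromised)) {`. Separately, "You must replace them using ssh-keygen(1)" is only correct for keys the local user owns; if the scanned files include authorized_keys (default_files is outside this hunk, so this is inferred), a COMPROMISED entry there has to be removed from that file and its remote owner asked to generate a new key, so consider `printf("# You must replace them using ssh-keygen(1), or remove them from\n"); printf("# authorized_keys and have their owner generate a new key.\n");`. The enclosing main() starts before this hunk.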