Bug#481398: openssh-client: ssh-vulnkey does not report location of files containing compromised or unrecognized keys
Package: openssh-client
Version: 1:4.3p2-9etch1
Severity: normal
The ssh-vulnkey program does not report which file a bad key was found in, making it tedious to locate offending keys.
The attached patch adds the filename to the output of the ssh-vulnkey command.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.21
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages openssh-client depends on:
ii add 3.102 Add and remove users and groups
ii deb 1.5.11etch1 Debian configuration management sy
ii dpk 1.13.25 package maintenance system for Deb
ii lib 2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii lib 2.9.cvs.20050518-2.2 BSD editline and history libraries
ii lib 1.4.4-7etch5 MIT Kerberos runtime libraries
ii lib 5.5-5 Shared libraries for terminal hand
ii lib 0.9.8c-4etch3 SSL shared libraries
ii pas 1:4.0.18.1-7 change and administer password and
ii zli 1:1.2.3-13 compression library - runtime
openssh-client recommends no packages.
-- no debconf information
--- ssh-vulnkey.c.orig 2008-05-15 15:11:13.000000000 -0400
+++ ssh-vulnkey.c 2008-05-15 15:17:35.000000000 -0400
@@ -73,18 +73,18 @@
}
void
-describe_key(const char *msg, const Key *key, const char *comment)
+describe_key(const char *msg, const Key *key, const char *comment, const char *filename)
{
char *fp;
fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
if (!quiet)
- printf("%s: %u %s %s\n", msg, key_size(key), fp, comment);
+ printf("%s: %u %s %s %s\n", msg, key_size(key), fp, comment, filename);
xfree(fp);
}
int
-do_key(const Key *key, const char *comment)
+do_key(const Key *key, const char *comment, const char *filename)
{
char *blacklist_file;
struct stat st;
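Review bot: The new `%s` in the changed printf of describe_key receives `filename` unconditionally, but the forwarding calls in the later hunks at L70 and L79 pass a `filename` that the guard `if (!found && filename)` at L84 implies can be NULL, and a null pointer argument for `%s` is undefined behavior (glibc printing "(null)" is not portable). Substitute a fixed label at the print site, `printf("%s: %u %s %s %s\n", msg, key_size(key), fp, comment, filename ? filename : "-");`, or resolve it once in the caller. If the file declares prototypes for describe_key or do_key ahead of their definitions they need the same signature change; none is visible in this diff. describe_key lies entirely within the hunk, while do_key begins here and its body continues past it. The added parameter should also be documented on describe_key, e.g. `/* filename: path the key was read from; may be NULL when no file was given (TODO confirm) */`.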
@@ -93,12 +93,12 @@
blacklist_file = blacklist_filename(key);
if (stat(blacklist_file, &st) < 0)
describe_key("Unknown (no blacklist information)",
- key, comment);
+ key, comment, filename);
else if (blacklisted_key(key)) {
- describe_key("COMPROMISED", key, comment);
+ describe_key("COMPROMISED", key, comment, filename);
ret = 0;
} else
- describe_key("Not blacklisted", key, comment);
+ describe_key("Not blacklisted", key, comment, filename);
xfree(blacklist_file);
return ret;
@@ -170,7 +170,7 @@
if (*cp) {
key = key_new(KEY_RSA1);
if (key_read(key, &cp) == 1) {
- if (!do_key(key, comment))
+ if (!do_key(key, comment, filename))
ret = 0;
key_free(key);
found = 1;
@@ -178,7 +178,7 @@
key_free(key);
key = key_new(KEY_UNSPEC);
if (key_read(key, &cp) == 1) {
- if (!do_key(key, comment))
+ if (!do_key(key, comment, filename))
ret = 0;
key_free(key);
found = 1;
@@ -194,7 +194,7 @@
if (!found && filename) {
key = key_load_public(filename, &comment);
if (key) {
- if (!do_key(key, comment))
+ if (!do_key(key, comment, filename))
ret = 0;
found = 1;
}