Bug#481853: [openssh-client] "ssh-vulnkey -a" does not see the weak keys of the user
Package: openssh-client
Version: 1:4.7p1-10
Severity: important
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org
--- Please enter the report below this line. ---
I have the packages openssh-blacklist and openssh-blacklist-extra installed. 
If I run "ssh-vulnkey -a" I get no output, either by running it as user or as root.
Nevertheless:
# perl dowkd.pl user
/home/username/.ssh/known_hosts:1: weak key (OpenSSH/rsa/2048)
/home/username/.ssh/known_hosts:2: weak key (OpenSSH/rsa/2048)
summary: keys found: 2, weak keys: 2
I am deleting the file /home/username/.ssh/known_hosts right now, so I am afraid it will not be available for debugging :-(
--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.24-1-686
Debian Release: lenny/sid
  990 unstable        www.debian-multimedia.org 
  990 unstable        ftp.uk.debian.org 
  500 stable          dl.google.com 
  500 experimental    www.debian-multimedia.org 
    1 experimental    ftp.uk.debian.org 
--- Package information. ---
Depends                       (Version) | Installed
=======================================-+-========================
libc6                        (>= 2.7-1) | 2.7-11
libcomerr2                  (>= 1.33-3) | 1.40.8-2
libedit2        (>= 2.5.cvs.20010821-1) | 2.9.cvs.20050518-4
libkrb53                (>= 1.6.dfsg.2) | 1.6.dfsg.3-2
libncurses5         (>= 5.6+20071006-3) | 5.6+20080503-1
libssl0.9.8               (>= 0.9.8g-9) | 0.9.8g-10
zlib1g                     (>= 1:1.1.4) | 1:1.2.3.3.dfsg-12
debconf                     (>= 1.2.0)  | 1.5.22
 OR debconf-2.0                         | 
adduser                       (>= 3.10) | 3.107
dpkg                         (>= 1.7.0) | 1.14.19
passwd                                  | 1:4.1.1-1