Bug#483756: insist ssh-vulnkey -a be run by the administrator upon upgrade

[Colin Watson <cjwatson@debian.org>]

On Fri, May 30, 2008 at 05:56:19PM -0700, Suresh Ramasubramanian wrote:
> Colin Watson [31/05/08 00:31 +0100]:
> >Sure, but that's a problem with *their* machine (i.e. it allows access
> >from unauthorised persons) rather than a problem with your machine. The
> >sshd blacklisting will prevent this problem on their side - you might
> >send them an updated key but you won't be able to log in with it.
> 
> Not allowed access as much as "found a compromised key in ~/.ssh and warned
> him".

Having a compromised key in ~/.ssh/authorized_keys (if that's what it
was) is effectively equivalent to allowing access to that account from
the entire Internet.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]