
Bug#496495: openssh-client: ssh-vulnkey "see manpage" message is unnecessary



tags 496495 pending
thanks

On Mon, Aug 25, 2008 at 12:51:23AM -0700, Kevin Mitchell wrote:
> When running ssh-vulnkey -a on a system with no compromised keys, I used
> to get no output. I would argue this to be the correct behaviour. Now, however, I get
> 
> #
> # See the ssh-vulnkey(1) manual page for further advice.
> 
> which is an entirely superfluous, and even misleading message as it
> would seem to suggest there is something wrong that reading the manpage
> might explain. Anyone with half a brain operating a Debian system with
> ssh enabled should know not only to read this man page, but also the
> scores of other information about how to mitigate this vulnerability.
> 
> This is also very inconvenient for running ssh-vulnkey -a in cron,
> which must now filter out this message so it doesn't email root when
> there's nothing wrong.

I do think the message is useful if there are compromised or unknown
keys (it is superfluous in some sense, but this is a delicate situation
that I think justifies some extra hand-holding). However, you're right
that it's clearly pointless if all keys are OK.

I've changed ssh-vulnkey for my next upload to only display this message
if there are compromised or unknown keys, and tweaked the verbose mode a
little.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]


