
[hs@schlittermann.de: Re: enhancement for ssh-vulnkey]



Hallo,

falls sich auch von Euch jemand daran stört, daß ssh-vulnkey nicht
die Files anzeigt, in denen es die Schlüssel gefunden hat (jedenfalls
bei mir machte es das nicht): Ich habe hier mal einen Diff gegen das
aktuelle ssh-vulnkey angehängt.

Früher sah das so aus:

    # ssh-vulnkey -a
    ...
    Not blacklisted: 1024 51:a9:d3:97:c0:1f:e1:b7:14:f0:25:6d:1a:f2:c9:a3 /etc/ssh/ssh_host_dsa_key.pub
    Unknown (no blacklist information): 1024 46:ab:77:74:5b:2c:bd:06:ac:3b:5e:3a:f9:38:b8:21 root@jumper
    Unknown (no blacklist information): 1024 89:2f:eb:23:f4:47:d3:e1:28:e7:45:1c:64:f9:9a:0e heiko@eremit
    Not blacklisted: 1024 8d:89:14:59:c3:de:ce:6b:fb:b5:7e:09:5b:11:72:63 environment="REMOTE_USER=schlorke"
    Not blacklisted: 2048 26:16:a8:6e:00:d2:df:ef:22:59:38:aa:35:67:04:71 environment="REMOTE_USER=sommer"
    ...

Jetzt:
    # ./ssh-vulnkey -a
    ...
    /etc/ssh/ssh_host_rsa_key:15:Unknown (no blacklist information): 1024 c5:b3:62:88:02:48:14:79:b5:90:82:01:f2:84:80:b1 /etc/ssh/ssh_host_rsa_key.pub
    /etc/ssh/ssh_host_key:4:Unknown (no blacklist information): 1024 46:ab:77:74:5b:2c:bd:06:ac:3b:5e:3a:f9:38:b8:21 root@jumper
    /root/.ssh/identity:2:Unknown (no blacklist information): 1024 89:2f:eb:23:f4:47:d3:e1:28:e7:45:1c:64:f9:9a:0e heiko@eremit
    /root/.ssh/authorized_keys:1:Not blacklisted: 1024 8d:89:14:59:c3:de:ce:6b:fb:b5:7e:09:5b:11:72:63 schlorke@eremit
    /root/.ssh/authorized_keys:2:Not blacklisted: 2048 26:16:a8:6e:00:d2:df:ef:22:59:38:aa:35:67:04:71 sommer@sc...
    ...

Gefällt jedenfalls mir besser :)


    Best regards from Dresden
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann HS12-RIPE -----------------------------------------
 gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
 gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B -
--- openssh-4.3p2/ssh-vulnkey.c	2008-05-15 22:29:26.000000000 +0200
+++ openssh-4.3p2.hs12/ssh-vulnkey.c	2008-05-16 09:27:12.000000000 +0200
@@ -73,33 +73,47 @@
 }
 
 void
-describe_key(const char *msg, const Key *key, const char *comment)
+describe_key(const char *msg, const Key *key, const char *comment, const char* filename, ulong linenum)
 {
 	char *fp;
 
 	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
 	if (!quiet)
-		printf("%s: %u %s %s\n", msg, key_size(key), fp, comment);
+		printf("%s:%lu:%s: %u %s %s\n", filename, linenum, msg, key_size(key), fp, comment);
 	xfree(fp);
 }
 
 int
-do_key(const Key *key, const char *comment)
+do_key(const Key *key, const char *comment, const char* tail, const char* filename, ulong linenum)
 {
 	char *blacklist_file;
 	struct stat st;
 	int ret = 1;
+	char *description;
+	char *p;
+
+	/* in case we got some tail (from read_key) it may be a comment, but
+	 * with leading whitespace. It may be some garbage too, that's why
+	 * we go through until we find the first non printable character.
+	 */
+	p = (char*) ((tail && *tail) ? tail : comment);
+	while (*p && *p == ' ') ++p;
+	description = xstrdup(p);
+	for (p = description; *p && isprint(*p); ++p);
+	*p = '\0';
+
 
 	blacklist_file = blacklist_filename(key);
 	if (stat(blacklist_file, &st) < 0)
 		describe_key("Unknown (no blacklist information)",
-		    key, comment);
+		    key, comment, filename, linenum);
 	else if (blacklisted_key(key)) {
-		describe_key("COMPROMISED", key, comment);
+		describe_key("COMPROMISED", key, description, filename, linenum);
 		ret = 0;
 	} else
-		describe_key("Not blacklisted", key, comment);
+		describe_key("Not blacklisted", key, description, filename, linenum);
 	xfree(blacklist_file);
+	xfree(description);
 
 	return ret;
 }
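Review bot: describe_key now hands `filename` straight to a `%s` conversion, but the `if (!found && filename)` test in the last hunk shows the caller can reach do_key with a NULL filename (presumably when reading stdin), and a NULL `%s` argument is undefined behaviour in printf; guard it at the print, e.g. `filename ? filename : "-"`. The sanitising loop in do_key calls `isprint(*p)` on a plain `char`, which is undefined for bytes above 0x7f (any UTF-8 comment) on targets where char is signed — it should be `for (p = description; *p && isprint((unsigned char)*p); ++p);`. The "Unknown (no blacklist information)" branch also still passes the raw `comment` while the other two branches pass the filtered `description`, so on that path a comment taken from a user-writable authorized_keys line reaches the terminal with control characters intact; change it to `key, description, filename, linenum);` so all three branches print the same sanitised text.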
@@ -149,7 +163,6 @@
 		for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
 			;
 		/* Cope with ssh-keyscan output. */
-		comment = NULL;
 		if (*cp) {
 			char *space;
 			int type;
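Review bot: Dropping `comment = NULL;` means `comment` is no longer reset at the start of each line, so whatever the previous iteration left in it — the host presumably extracted by the ssh-keyscan handling just below, or the `xstrdup("")` default from the next hunk — carries over, and the `if (!comment)` default never fires again for later lines. If the loop frees `comment` at the end of each iteration, as the per-line `xstrdup` in the original suggests, the following line then hands a freed pointer to do_key. Unless there is a reason not visible in this hunk, the reset should stay: `comment = NULL;`. The enclosing per-line loop starts before this hunk.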
@@ -166,11 +179,11 @@
 			*space = ' ';
 		}
 		if (!comment)
-			comment = xstrdup(filename);
+			comment = xstrdup("");
 		if (*cp) {
 			key = key_new(KEY_RSA1);
 			if (key_read(key, &cp) == 1) {
-				if (!do_key(key, comment))
+				if (!do_key(key, comment, cp, filename, linenum))
 					ret = 0;
 				key_free(key);
 				found = 1;
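Review bot: The `cp` passed as the tail here is what do_key now prints in preference to `comment` (`p = (tail && *tail) ? tail : comment` in the first hunk), so for ssh-keyscan input the host that the keyscan handling above presumably stored in `comment` is replaced by the key's own trailing comment whenever one is present, where the old code always showed the host. If both are wanted, do_key should append the tail to the comment instead of substituting it; otherwise the precedence deserves a comment at this call, e.g. `/* do_key prefers the text after the key over the keyscan host */`. The loop body continues outside this hunk.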
@@ -178,7 +191,7 @@
 				key_free(key);
 				key = key_new(KEY_UNSPEC);
 				if (key_read(key, &cp) == 1) {
-					if (!do_key(key, comment))
+					if (!do_key(key, comment, cp, filename, linenum))
 						ret = 0;
 					key_free(key);
 					found = 1;
@@ -194,7 +207,7 @@
 	if (!found && filename) {
 		key = key_load_public(filename, &comment);
 		if (key) {
-			if (!do_key(key, comment))
+			if (!do_key(key, comment, cp, filename, linenum))
 				ret = 0;
 			found = 1;
 		}
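Review bot: `cp` is not a tail for this key: if it is the loop's line cursor, as its use in the hunks above suggests, here it points at the leftover of the last line read (or is unset if the loop never ran), while the comment for a key from key_load_public is already in `comment`; pass `NULL` so do_key falls back to `comment`: `if (!do_key(key, comment, NULL, filename, linenum))`. Likewise `linenum` is the loop's counter rather than the line the key came from, so the `file:line:` prefix is misleading on this path — consider passing 0 or documenting that it refers to the last line scanned. The enclosing function continues beyond this hunk.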

Attachment: signature.asc
Description: Digital signature

