Hallo, falls auch von Euch sich jemand daran stört, daß das ssh-vulnkey nicht die Files anzeigt, in denen es die Schlüssel gefunden hat (jedenfalls bei mir machte es das nicht): Ich habe hier mal einen DIFF auf das aktuelle ssh-vulnkey angehängt. Früher sah das so aus: # ssh-vulnkey -a ... Not blacklisted: 1024 51:a9:d3:97:c0:1f:e1:b7:14:f0:25:6d:1a:f2:c9:a3 /etc/ssh/ssh_host_dsa_key.pub Unknown (no blacklist information): 1024 46:ab:77:74:5b:2c:bd:06:ac:3b:5e:3a:f9:38:b8:21 root@jumper Unknown (no blacklist information): 1024 89:2f:eb:23:f4:47:d3:e1:28:e7:45:1c:64:f9:9a:0e heiko@eremit Not blacklisted: 1024 8d:89:14:59:c3:de:ce:6b:fb:b5:7e:09:5b:11:72:63 environment="REMOTE_USER=schlorke" Not blacklisted: 2048 26:16:a8:6e:00:d2:df:ef:22:59:38:aa:35:67:04:71 environment="REMOTE_USER=sommer" ... Jetzt: # ./ssh-vulnkey -a ... /etc/ssh/ssh_host_rsa_key:15:Unknown (no blacklist information): 1024 c5:b3:62:88:02:48:14:79:b5:90:82:01:f2:84:80:b1 /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_key:4:Unknown (no blacklist information): 1024 46:ab:77:74:5b:2c:bd:06:ac:3b:5e:3a:f9:38:b8:21 root@jumper /root/.ssh/identity:2:Unknown (no blacklist information): 1024 89:2f:eb:23:f4:47:d3:e1:28:e7:45:1c:64:f9:9a:0e heiko@eremit /root/.ssh/authorized_keys:1:Not blacklisted: 1024 8d:89:14:59:c3:de:ce:6b:fb:b5:7e:09:5b:11:72:63 schlorke@eremit /root/.ssh/authorized_keys:2:Not blacklisted: 2048 26:16:a8:6e:00:d2:df:ef:22:59:38:aa:35:67:04:71 sommer@sc... ... Gefällt jedenfalls mir besser :) Best regards from Dresden Viele Grüße aus Dresden Heiko Schlittermann -- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann HS12-RIPE ----------------------------------------- gnupg encrypted messages are welcome - key ID: 48D0359B --------------- gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -
--- openssh-4.3p2/ssh-vulnkey.c 2008-05-15 22:29:26.000000000 +0200
+++ openssh-4.3p2.hs12/ssh-vulnkey.c 2008-05-16 09:27:12.000000000 +0200
@@ -73,33 +73,47 @@
 }
 void
-describe_key(const char *msg, const Key *key, const char *comment)
+describe_key(const char *msg, const Key *key, const char *comment, const char* filename, ulong linenum)
 {
 char *fp;
 fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
 if (!quiet)
- printf("%s: %u %s %s\n", msg, key_size(key), fp, comment);
+ printf("%s:%lu:%s: %u %s %s\n", filename, linenum, msg, key_size(key), fp, comment);
 xfree(fp);
 }
 int
-do_key(const Key *key, const char *comment)
+do_key(const Key *key, const char *comment, const char* tail, const char* filename, ulong linenum)
 {
 char *blacklist_file;
 struct stat st;
 int ret = 1;
+ char *description;
+ char *p;
+
+ /* in case we got some tail (from read_key) it may be a comment, but
+ * with leading whitespace. It may be some garbage too, that's why
+ * we go through until we find the first non printable character.
+ */
+ p = (char*) ((tail && *tail) ? tail : comment);
+ while (*p && *p == ' ') ++p;
+ description = xstrdup(p);
+ for (p = description; *p && isprint(*p); ++p);
+ *p = '\0';
+
 blacklist_file = blacklist_filename(key);
 if (stat(blacklist_file, &st) < 0)
 describe_key("Unknown (no blacklist information)",
- key, comment);
+ key, comment, filename, linenum);
 else if (blacklisted_key(key)) {
- describe_key("COMPROMISED", key, comment);
+ describe_key("COMPROMISED", key, description, filename, linenum);
 ret = 0;
 } else
- describe_key("Not blacklisted", key, comment);
+ describe_key("Not blacklisted", key, description, filename, linenum);
 xfree(blacklist_file);
+ xfree(description);
 return ret;
 }
@@ -149,7 +163,6 @@
 for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
 ;
 /* Cope with ssh-keyscan output. */
- comment = NULL;
 if (*cp) {
 char *space;
 int type;
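Review bot: In describe_key the new `printf` hands `filename` to `%s` unconditionally, yet the last hunk's `if (!found && filename)` shows the caller can pass NULL for it, which makes that call undefined; guard it with `filename ? filename : "-"` (or whatever name the tool already uses for unnamed input). In do_key, `isprint(*p)` is applied to a plain `char` taken straight from the key file, so any byte above 0x7f (a UTF-8 comment, or an odd authorized_keys entry) reaches the ctype function as a negative value, which is undefined behaviour — cast to `unsigned char`, and note in the comment that non-ASCII comments are cut at the first such byte. The `(char*)` cast exists only to walk a const string; scanning through a `const char *` and reserving `p` for the xstrdup'd copy removes it, and `*p && *p == ' '` is simply `*p == ' '`. The "Unknown (no blacklist information)" branch still passes `comment` while the other two pass `description`, so that one output line keeps leading whitespace and unprintable bytes from the file (and, with the later `xstrdup("")` change, prints an empty field) — it should use `description` as well. `ulong` is not a standard C type; if `linenum` is declared `u_long` elsewhere in this file, the two signatures should use that spelling.
```c
	if (!quiet)
		printf("%s:%lu:%s: %u %s %s\n", filename ? filename : "-", linenum,
		    msg, key_size(key), fp, comment);
/* … unchanged: xfree(fp), end of describe_key, do_key declarations … */
	/* Prefer the text left after the key (tail), else the parsed comment;
	 * strip leading blanks and cut at the first non-printable byte.
	 * Bytes >= 0x80 count as non-printable, so non-ASCII comments are
	 * truncated there. */
	const char *src = (tail && *tail) ? tail : comment;
	while (*src == ' ')
		++src;
	description = xstrdup(src);
	for (p = description; *p && isprint((unsigned char)*p); ++p)
		;
	*p = '\0';
/* … unchanged: blacklist_filename / stat … */
		describe_key("Unknown (no blacklist information)",
		    key, description, filename, linenum);
```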
@@ -166,11 +179,11 @@
 *space = ' ';
 }
 if (!comment)
- comment = xstrdup(filename);
+ comment = xstrdup("");
 if (*cp) {
 key = key_new(KEY_RSA1);
 if (key_read(key, &cp) == 1) {
- if (!do_key(key, comment))
+ if (!do_key(key, comment, cp, filename, linenum))
 ret = 0;
 key_free(key);
 found = 1;
@@ -178,7 +191,7 @@
 key_free(key);
 key = key_new(KEY_UNSPEC);
 if (key_read(key, &cp) == 1) {
- if (!do_key(key, comment))
+ if (!do_key(key, comment, cp, filename, linenum))
 ret = 0;
 key_free(key);
 found = 1;
@@ -194,7 +207,7 @@
 if (!found && filename) {
 key = key_load_public(filename, &comment);
 if (key) {
- if (!do_key(key, comment))
+ if (!do_key(key, comment, cp, filename, linenum))
 ret = 0;
 found = 1;
 }
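Review bot: The `if (!comment)` that now falls back to `comment = xstrdup("")` only does its job when `comment` is NULL at the start of each line, and the earlier hunk (around line 163) drops the `comment = NULL;` reset that provided that; the head and foot of the per-line loop are outside the hunk, so whether `comment` is freed or cleared per iteration cannot be seen here. If it is freed, the second line of a file tests a dangling pointer; if it is not, the previous line's comment is reused and the new `xstrdup` leaks. Keeping a reset next to wherever `comment` is released, `comment = NULL;`, covers both cases. The matching do_key call change in the next hunk (line 191) needs nothing further.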
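Review bot: Passing `cp` as the tail for the key returned by `key_load_public` hands do_key whatever remains of the last line buffer, which is unrelated to that key: whenever that leftover text is non-empty, do_key's `(tail && *tail) ? tail : comment` prints it in place of the comment key_load_public filled in. Pass no tail on this path so the real comment is used, `if (!do_key(key, comment, NULL, filename, linenum))`. The `linenum` printed here is presumably the count of lines read so far rather than the position of the key in the file; that is decided outside the hunk, so a one-line comment on the call saying which line number is meant would help the next reader.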