+openssh (1:4.7p1-10) unstable; urgency=low
+
+ * Add a FILES section to ssh-vulnkey(1) (thanks, Hugh Daniel).
+ * ssh-vulnkey handles options in authorized_keys (LP: #230029), and treats
+ # as introducing a comment even if it is preceded by whitespace.
+
+ -- Colin Watson Wed, 14 May 2008 12:35:05 +0100
Index: openssh-4.7p1/ssh-vulnkey.1
===================================================================
--- openssh-4.7p1.orig/ssh-vulnkey.1
+++ openssh-4.7p1/ssh-vulnkey.1
@@ -138,6 +138,42 @@ The key fingerprint may be generated usi
 .Pp
 This strict format is necessary to allow the blacklist file to be checked
 quickly, using a binary-search algorithm.
+.Sh FILES
+.Bl -tag -width Ds
+.It Pa ~/.ssh/id_rsa
+If present, contains the protocol version 2 RSA authentication identity of
+the user.
+.It Pa ~/.ssh/id_dsa
+If present, contains the protocol version 2 DSA authentication identity of
+the user.
+.It Pa ~/.ssh/identity
+If present, contains the protocol version 1 RSA authentication identity of
+the user.
+.It Pa ~/.ssh/authorized_keys
+If present, lists the public keys (RSA/DSA) that can be used for logging in
+as this user.
+.It Pa ~/.ssh/authorized_keys2
+Obsolete name for
+.Pa ~/.ssh/authorized_keys .
+This file may still be present on some old systems, but should not be
+created if it is missing.
+.It Pa /etc/ssh/ssh_host_rsa_key
+If present, contains the protocol version 2 RSA identity of the system.
+.It Pa /etc/ssh/ssh_host_dsa_key
+If present, contains the protocol version 2 DSA identity of the system.
+.It Pa /etc/ssh/ssh_host_key
+If present, contains the protocol version 1 RSA identity of the system.
+.It Pa /etc/ssh/blacklist. Ns Ar TYPE Ns Pa - Ns Ar LENGTH
+If present, lists the blacklisted keys of type
+.Ar TYPE
+.Pf ( Dq RSA1 ,
+.Dq RSA ,
+or
+.Dq DSA )
+and bit length
+.Ar LENGTH .
+The format of this file is described above.
+.El
 .Sh SEE ALSO
 .Xr ssh-keygen 1 ,
 .Xr sshd 8
Index: openssh-4.7p1/ssh-vulnkey.c
===================================================================
--- openssh-4.7p1.orig/ssh-vulnkey.c
+++ openssh-4.7p1/ssh-vulnkey.c
@@ -138,55 +138,69 @@ do_filename(const char *filename, int qu
 f = stdin;
 while (read_keyfile_line(f, filename, line, sizeof(line),
 &linenum) != -1) {
- cp = line;
- switch (*cp) {
- case '#':
- case '\n':
- case '\0':
- continue;
- }
- /* Skip leading whitespace. */
- for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
+ int i;
+ char *space;
+ int type;
+
+ /* Chop trailing newline. */
+ i = strlen(line) - 1;
+ if (line[i] == '\n')
+ line[i] = '\0';
+
+ /* Skip leading whitespace, empty and comment lines. */
+ for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
 ;
- /* Cope with ssh-keyscan output. */
- comment = NULL;
- if (*cp) {
- char *space;
- int type;
+ if (!*cp || *cp == '\n' || *cp == '#')
+ continue;
 
- space = strchr(cp, ' ');
- if (!space)
- continue;
- *space = '\0';
- type = key_type_from_name(cp);
- if (type == KEY_UNSPEC) {
- comment = xstrdup(cp);
- cp = space + 1;
+ /* Cope with ssh-keyscan output and options in
+ * authorized_keys files.
+ */
+ space = strchr(cp, ' ');
+ if (!space)
+ continue;
+ *space = '\0';
+ type = key_type_from_name(cp);
+ *space = ' ';
+ /* Leading number (RSA1) or valid type (RSA/DSA) indicates
+ * that we have no host name or options to skip.
+ */
+ if (atoi(cp) == 0 && type == KEY_UNSPEC) {
+ int quoted = 0;
+
+ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+ if (*cp == '\\' && cp[1] == '"')
+ cp++; /* Skip both */
+ else if (*cp == '"')
+ quoted = !quoted;
 }
- *space = ' ';
+ /* Skip remaining whitespace. */
+ for (; *cp == ' ' || *cp == '\t'; cp++)
+ ;
+ if (!*cp)
+ continue;
 }
- if (!comment)
- comment = xstrdup(filename);
- if (*cp) {
- key = key_new(KEY_RSA1);
+
+ /* Read and process the key itself. */
+ key = key_new(KEY_RSA1);
+ if (key_read(key, &cp) == 1) {
+ while (*cp == ' ' || *cp == '\t')
+ cp++;
+ if (!do_key(key, *cp ? cp : filename))
+ ret = 0;
+ found = 1;
+ } else {
+ key_free(key);
+ key = key_new(KEY_UNSPEC);
 if (key_read(key, &cp) == 1) {
- if (!do_key(key, comment))
+ while (*cp == ' ' || *cp == '\t')
+ cp++;
+ if (!do_key(key, *cp ? cp : filename))
 ret = 0;
- key_free(key);
 found = 1;
- } else {
- key_free(key);
- key = key_new(KEY_UNSPEC);
- if (key_read(key, &cp) == 1) {
- if (!do_key(key, comment))
- ret = 0;
- key_free(key);
- found = 1;
- }
 }
 }
- xfree(comment);
- comment = NULL;
+ key_free(key);
 }
 if (f != stdin)
 fclose(f);
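Review bot: The trailing-newline chop computes `i = strlen(line) - 1` and then reads `line[i]`, which indexes `line[-1]` whenever `line` is an empty string; nothing in the hunk rules that out (read_keyfile_line is defined outside it), and a line whose first byte is NUL would presumably yield exactly that. Guarding on the length keeps the same behaviour for every non-empty line: `i = strlen(line);` / `if (i > 0 && line[i - 1] == '\n')` / `line[i - 1] = '\0';`. Since the newline is now stripped before the comment check, the `*cp == '\n'` test in the skip condition can no longer match and could be dropped, and declaring `i` as `size_t` rather than `int` avoids the signed/unsigned conversion from strlen(). The enclosing do_filename() starts and ends outside the hunk.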