tags 496495 pending
thanks

On Mon, Aug 25, 2008 at 12:51:23AM -0700, Kevin Mitchell wrote:
> When running ssh-vulnkey -a on a system with no compromised keys, I used
> to get no output. I would argue this to be the correct behaviour. Now,
> however, I get
> 
> #
> # See the ssh-vulnkey(1) manual page for further advice.
> 
> which is an entirely superfluous, and even misleading message as it
> would seem to suggest there is something wrong that reading the manpage
> might explain. Anyone with half a brain operating a Debian system with
> ssh enabled should know not only to read this man page, but also the
> scores of other information about how to mitigate this vulnerability.
> 
> This is also very inconvenient for running ssh-vulnkey -a in cron,
> which must now filter out this message so it doesn't email root when
> there's nothing wrong.

I do think the message is useful if there are compromised or unknown
keys (it is superfluous in some sense, but this is a delicate situation
that I think justifies some extra hand-holding). However, you're right
that it's clearly pointless if all keys are OK.

I've changed ssh-vulnkey for my next upload to only display this message
if there are compromised or unknown keys, and tweaked the verbose mode a
little.

Thanks,

-- 
Colin Watson                                       [EMAIL PROTECTED]


