From 2f89210eb11ccb0a7289f89a545697029b2bb9d7 Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jrollins@phys.columbia.edu>
Date: Thu, 14 Aug 2008 21:05:40 -0700
Subject: [PATCH 1/1] Add sorting of the processed key lines so that "good"
 keys are output at the end.  This is done so that they take precedence over
 "bad" when being processed in key files.  If bad keys are processed after
 good keys, there is a possibility of malicious bad key causing good keys to
 be continually removed from key files, which would be a big nuisance.

---
 src/common | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/common b/src/common
index 9c76bd1..17955a7 100644
--- a/src/common
+++ b/src/common
@@ -484,7 +484,10 @@ process_user_id() {
 		fi
 		;;
 	esac
-    done
+    done | sort -t: -k1 -n -r
+    # NOTE: this last sort is important so that the "good" keys (key
+    # flag '0') come last.  This is so that they take precedence when
+    # being processed in the key files over "bad" keys (key flag '1')
 }
 
 # process a single host in the known_host file
@@ -498,16 +501,15 @@ process_host_known_hosts() {
     local tmpfile
 
     host="$1"
+    userID="ssh://${host}"
 
     log "processing: $host"
 
-    userID="ssh://${host}"
-
     nKeys=0
     nKeysOK=0
 
     IFS=$'\n'
-    for line in $(process_user_id "ssh://${host}") ; do
+    for line in $(process_user_id "${userID}") ; do
 	# note that key was found
 	nKeys=$((nKeys+1))
 
-- 
2.25.1