Call for testing: openssh-9.8

Stuart Henderson stu at spacehopper.org
Tue Jun 18 22:36:34 AEST 2024


On 2024/06/18 14:09, Jochen Bern wrote:
> On 18.06.24 13:36, Stuart Henderson wrote:
> > Not sure whether anything should be done with it, but I noticed so
> > thought I'd mention: if you pass ssh-keygen -R a known_hosts file with
> > DSA sigs, you get "invalid line" warnings.
> 
> Out of interest, did you, perchance, try running an ssh-keygen -l on a
> DSA-infested file?

No error output, still-valid key types are listed, DSA keys are not
included.

$ ssh-keygen -l -f known_hosts-with-dss | cut -d' ' -f4|sort|uniq -c
 708 (ECDSA)
 676 (ED25519)
 608 (RSA)

 $ ssh-keygen.old -l -f known_hosts-with-dss | cut -d' ' -f4|sort|uniq -c
  24 (DSA)
 708 (ECDSA)
 676 (ED25519)
 608 (RSA)



> (I added a bit of extra IDS to our monitoring that collects info on the
> allowed user pubkeys by running that command on all authorized_keys* files
> found on the target machine. Yes, yes, I should probably make that scanner
> DELETE all DSA pubkeys it finds on sight, but ...)
> 
> Kind regards,
> -- 
> Jochen Bern
> Systemingenieur
> 
> Binect GmbH
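
Added example, not from either poster or from OpenSSH: since the newer `ssh-keygen -l` in the output above silently omits DSA entries, a scanner built on it stops seeing them. This sketch finds them without `ssh-keygen` by reading the algorithm name stored at the start of each base64 key blob. The function names and sample lines are constructed for illustration, and the sample blobs contain no real key material.

```python
import base64, binascii, struct
from collections import Counter

def blob_algorithm(b64):
    """Return the algorithm name stored at the start of a key blob, or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 4:
        return None
    (n,) = struct.unpack(">I", raw[:4])
    name = raw[4:4 + n]
    if not 0 < n <= 64 or len(name) != n:
        return None
    return name.decode("ascii", "replace")

def key_types(lines):
    """Yield (line number, algorithm or None) for every non-comment line."""
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # The key is the first "type blob" pair whose blob names that same
        # type; hostnames, @markers and key options never satisfy this.
        hit = next((t for t, b in zip(fields, fields[1:])
                    if blob_algorithm(b) == t), None)
        yield lineno, hit

def dsa_report(lines):
    """Return (Counter of algorithms, line numbers holding DSA keys)."""
    found = list(key_types(lines))
    dsa = [n for n, alg in found if alg and alg.startswith("ssh-dss")]
    return Counter(alg or "unparsed" for _, alg in found), dsa

def _fake(alg):
    """Constructed placeholder blob: valid framing, no usable key material."""
    body = struct.pack(">I", len(alg)) + alg.encode() + b"\0" * 8
    return base64.b64encode(body).decode()

# Constructed sample mixing known_hosts and authorized_keys line shapes.
SAMPLE = [
    "host1.example,192.0.2.1 ssh-dss " + _fake("ssh-dss"),
    "|1|c2FsdA==|aGFzaA== ssh-ed25519 " + _fake("ssh-ed25519"),
    'command="echo hi",no-pty ssh-dss ' + _fake("ssh-dss") + " user@host",
    "@cert-authority *.example ssh-rsa " + _fake("ssh-rsa"),
    "# a comment",
    "garbage line",
]
```

Calling `dsa_report(SAMPLE)` returns the per-algorithm counts and the line numbers that still hold DSA keys; lines that do not parse are counted as `unparsed` instead of being dropped.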


