"ssh-keygen -R ..." refuses operation because of (old) ssh-dss keys
Damien Miller
djm at mindrot.org
Wed Dec 3 17:37:08 AEDT 2025
On Fri, 28 Nov 2025, Philipp Marek via openssh-unix-dev wrote:
> Hi,
>
> I tried to clean up a rotated host key:
>
> $ ssh-keygen -R 'gitlab.opencode.de'
> .../.ssh/known_hosts:143: invalid line
> .../.ssh/known_hosts:1006: invalid line
> # Host gitlab.opencode.de found: line 1789
> # Host gitlab.opencode.de found: line 1790
> # Host gitlab.opencode.de found: line 1797
> .../.ssh/known_hosts is not a valid known_hosts file.
> Not replacing existing known_hosts file because of errors
>
> The lines 143 and 1006 contain "ssh-dss" keys --
> yes, they might not be allowed any more,
> but that shouldn't forbid cleaning up the file, should it?
>
> How about dropping lines with deprecated algorithms,
> silently or with a message similar to the "Host ... found"?
I don't think it should completely remove invalid lines, but it's
probably worth special-casing ssh-dsa keys for removal.
Anyone want to try to make a patch?
-d
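Added example, not part of the thread and not OpenSSH code: a POSIX shell helper that lists the known_hosts entries whose key type is ssh-dss and writes a copy with those lines stripped, so that `ssh-keygen -R` no longer trips over them. It assumes the standard known_hosts line layout (optional `@cert-authority`/`@revoked` marker, hostnames or hashed hostname, key type, key, optional comment); the sample file and its key blobs below are constructed placeholders, not real keys.

```bash
#!/bin/sh
# Example helper (not from the thread or OpenSSH): find and drop ssh-dss
# entries in a known_hosts file. Assumed line format:
#   [@marker] hostnames keytype base64-key [comment]
# Comments and blank lines are passed through untouched.

# Print "<lineno>\t<hosts>\t<keytype>" for every entry whose key type equals $2
# (default: ssh-dss). $1 is the known_hosts file to inspect.
list_entries_by_type() {
    awk -v want="${2:-ssh-dss}" '
        NF == 0 || substr($1, 1, 1) == "#" { next }
        {
            # With a leading @marker the type sits in field 3, otherwise field 2.
            has_marker = (substr($1, 1, 1) == "@")
            type = has_marker ? $3 : $2
            host = has_marker ? $2 : $1
            if (type == want) printf "%d\t%s\t%s\n", NR, host, type
        }' "$1"
}

# Copy $1 to $2 without ssh-dss entries; print the number of lines removed.
# The original file is never modified, so the caller can diff before replacing.
drop_dss_entries() {
    : > "$2"
    awk -v out="$2" '
        NF == 0 || substr($1, 1, 1) == "#" { print >> out; next }
        {
            type = (substr($1, 1, 1) == "@") ? $3 : $2
            if (type == "ssh-dss") { removed++; next }
            print >> out
        }
        END { print removed + 0 }' "$1"
}

# Constructed sample known_hosts (placeholder key blobs, not real keys).
sample_known_hosts() {
    cat <<'EOF'
# constructed sample, not a real known_hosts file
legacy.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER
gitlab.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER
|1|c2FsdA==|aGFzaA== ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER
@revoked old.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER
gitlab.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIPLACEHOLDER

EOF
}

# Demo run on the constructed sample; replace the sample with a copy of
# ~/.ssh/known_hosts for real use.
demo_in=$(mktemp)
demo_out=$(mktemp)
sample_known_hosts > "$demo_in"
echo "ssh-dss entries (line, host, type):"
list_entries_by_type "$demo_in"
echo "removed $(drop_dss_entries "$demo_in" "$demo_out") ssh-dss line(s)"
rm -f "$demo_in" "$demo_out"
```

Run the two functions against a copy of the real file, review the listed lines, and then point ssh-keygen at the cleaned copy with its `-f` option (`ssh-keygen -R gitlab.opencode.de -f cleaned_known_hosts`) before moving it back into place. Hashed hostnames (`|1|...`) and `@revoked`/`@cert-authority` markers are handled, since the key type is the only field the filter inspects.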