Call for testing: openssh-9.8
Stuart Henderson
stu at spacehopper.org
Tue Jun 18 22:36:34 AEST 2024
On 2024/06/18 14:09, Jochen Bern wrote:
> On 18.06.24 13:36, Stuart Henderson wrote:
> > Not sure whether anything should be done with it, but I noticed so
> > thought I'd mention: if you pass ssh-keygen -R a known_hosts file with
> > DSA sigs, you get "invalid line" warnings.
>
> Out of interest, did you, perchance, try running an ssh-keygen -l on a
> DSA-infested file?
No error output, still-valid key types are listed, DSA keys are not
included.
$ ssh-keygen -l -f known_hosts-with-dss | cut -d' ' -f4|sort|uniq -c
708 (ECDSA)
676 (ED25519)
608 (RSA)
$ ssh-keygen.old -l -f known_hosts-with-dss | cut -d' ' -f4|sort|uniq -c
24 (DSA)
708 (ECDSA)
676 (ED25519)
608 (RSA)
> (I added a bit of extra IDS to our monitoring that collects info on the
> allowed user pubkeys by running that command on all authorized_keys* files
> found on the target machine. Yes, yes, I should probably make that scanner
> DELETE all DSA pubkeys it finds on sight, but ...)
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
More information about the openssh-unix-dev
mailing list