On 2024/06/18 14:09, Jochen Bern wrote:
> On 18.06.24 13:36, Stuart Henderson wrote:
> > Not sure whether anything should be done with it, but I noticed so
> > thought I'd mention: if you pass ssh-keygen -R a known_hosts file with
> > DSA sigs, you get "invalid line" warnings.
>
> Out of interest, did you, perchance, try running an ssh-keygen -l on a
> DSA-infested file?

No error output, still-valid key types are listed, DSA keys are not included.

$ ssh-keygen -l -f known_hosts-with-dss | cut -d' ' -f4|sort|uniq -c
    708 (ECDSA)
    676 (ED25519)
    608 (RSA)

$ ssh-keygen.old -l -f known_hosts-with-dss | cut -d' ' -f4|sort|uniq -c
     24 (DSA)
    708 (ECDSA)
    676 (ED25519)
    608 (RSA)

> (I added a bit of extra IDS to our monitoring that collects info on the
> allowed user pubkeys by running that command on all authorized_keys* files
> found on the target machine. Yes, yes, I should probably make that scanner
> DELETE all DSA pubkeys it finds on sight, but ...)
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
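A scanner of the kind Jochen describes, as an added example that is not from the thread or from OpenSSH: it counts key types by reading the key-type field of each known_hosts or authorized_keys line directly with awk, so ssh-dss entries are still reported on a host whose ssh-keygen -l has stopped listing them. The function names and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Count public-key types in a known_hosts or authorized_keys file without
# relying on ssh-keygen, so ssh-dss entries remain visible after OpenSSH
# dropped DSA support. Hypothetical helper written for this thread.

# Print "count keytype" lines for the file on stdin. Comment and blank
# lines are skipped; hashed hosts (|1|...), @cert-authority/@revoked
# markers and authorized_keys options are ignored by taking the first
# field that is a recognised key-type token.
key_type_counts() {
  awk '
    /^[[:space:]]*(#|$)/ { next }
    {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)(-cert-v01@openssh\.com)?$/) {
          n[$i]++; break
        }
    }
    END { for (t in n) print n[t], t }
  ' | sort -k2
}

# Echo how many entries of key type $2 the file $1 contains (0 if none).
count_key_type() {
  key_type_counts < "$1" | awk -v t="$2" '$2 == t { c = $1 } END { print c + 0 }'
}

# Flag every file named on the command line that still carries ssh-dss
# entries; returns 1 if at least one such file was found.
report_dss() {
  found=0
  for f in "$@"; do
    c=$(count_key_type "$f" ssh-dss)
    [ "$c" -gt 0 ] && { echo "$f: $c ssh-dss entries"; found=1; }
  done
  return $found
}

# Constructed sample known_hosts; the base64 blobs are placeholders.
SAMPLE_FILE=$(mktemp)
printf '%s\n' \
  'host1.example ssh-ed25519 AAAAC3PLACEHOLDER1' \
  'host2.example ssh-dss AAAAB3PLACEHOLDER2' \
  '# a comment line' \
  '@cert-authority *.example ssh-rsa AAAAB3PLACEHOLDER3' \
  '|1|HASHEDHOST|HASHEDSALT ecdsa-sha2-nistp256 AAAAE2PLACEHOLDER4' \
  'host3.example ssh-dss AAAAB3PLACEHOLDER5' > "$SAMPLE_FILE"

key_type_counts < "$SAMPLE_FILE"
report_dss "$SAMPLE_FILE" || echo "ssh-dss keys present; rotate them"
```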