Source: openssh
Version: 1:6.9p1-2
Severity: wishlist
Hi.

Please consider dropping mention-ssh-keygen-on-keychange.patch. It can't be the task of error messages to tell users all possible measures they may now take.

More importantly, in its current form this message reads like a request/suggestion for the user to execute that command, and could very easily lead the uneducated user to become the victim of an attack. I'm quite surprised that it was merged in the Debian package, even though it was already more or less rejected for that very reason upstream.

Last but not least, -R, as documented, removes *all* keys, thereby also any other (possibly/probably) still valid keys.

Actually, one should possibly tag this bug "security" and increase the severity, as the current message easily tricks novice people into doing something stupid.

Cheers,
Chris.
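The last point of the report, that `ssh-keygen -R hostname` removes every known_hosts entry for the host and not only the key that changed, can be seen on a constructed file. The following is an added example, not part of the bug report and not OpenSSH's code: it reimplements the documented matching rules of the known_hosts host field (comma-separated patterns with `*`/`?` wildcards and `!` negation, and hashed `|1|salt|hmac-sha1` entries) and the documented effect of `-R`. The sample file, its placeholder key blobs, the fixed salt, and the choice to leave `@cert-authority`/`@revoked` marker lines untouched are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import re

# Fixed salt so the hashed sample line is deterministic (assumption for the example).
SALT = bytes(range(20))


def hash_host(hostname, salt):
    """Build a hashed host field in the documented |1|salt|hmac form
    (HMAC-SHA1 keyed with the salt over the hostname, both base64)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())


# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E...OLD-RSA-KEY",
    "example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...STILL-VALID-ED25519-KEY",
    hash_host("example.com", SALT) + " ecdsa-sha2-nistp256 AAAAE2VjZHNh...HASHED-ENTRY",
    "*.example.com ssh-rsa AAAAB3NzaC1yc2E...WILDCARD-KEY",
    "other.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...UNRELATED-KEY",
])


def _wildcard_match(pattern, hostname):
    # known_hosts patterns only know '*' and '?' wildcards (no [] classes).
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, hostname, re.IGNORECASE) is not None


def host_matches(host_field, hostname):
    """Does the first field of a known_hosts line cover hostname?"""
    if host_field.startswith("|1|"):
        _, _, salt_b64, _ = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        return hmac.compare_digest(hash_host(hostname, salt), host_field)
    matched = False
    for pattern in host_field.split(","):
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if _wildcard_match(pattern, hostname):
            if negated:
                return False  # a negated pattern overrides any positive match
            matched = True
    return matched


def parse_line(line):
    """Split a known_hosts line into (marker, host_field, key_type, key_blob).
    Returns None for blank lines and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    marker = ""
    if stripped.startswith("@"):  # @cert-authority / @revoked
        marker, stripped = stripped.split(None, 1)
    fields = stripped.split(None, 3)
    if len(fields) < 3:
        return None
    return marker, fields[0], fields[1], fields[2]


def keys_for_host(known_hosts_text, hostname):
    """Sorted key types of every plain (non-marker) line covering hostname."""
    return sorted(
        parsed[2]
        for parsed in map(parse_line, known_hosts_text.splitlines())
        if parsed and not parsed[0] and host_matches(parsed[1], hostname)
    )


def remove_host(known_hosts_text, hostname):
    """Illustrative reimplementation of what `ssh-keygen -R hostname` is
    documented to do: drop every line whose host field matches hostname,
    whatever the key type. Marker lines are kept (assumption).
    Returns (kept_text, removed_lines)."""
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        parsed = parse_line(line)
        if parsed and not parsed[0] and host_matches(parsed[1], hostname):
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept), removed


if __name__ == "__main__":
    print("before:", keys_for_host(SAMPLE_KNOWN_HOSTS, "example.com"))
    kept, removed = remove_host(SAMPLE_KNOWN_HOSTS, "example.com")
    for line in removed:
        print("removed:", line)
    print("after: ", keys_for_host(kept, "example.com"))
```

Running it shows that a single `-R example.com`, issued because the RSA key changed, also discards the still-valid ed25519 entry and the hashed ECDSA entry for the same host, which is exactly why a prompt that reads as "run this command" is dangerous: after it, the client has no remaining basis for rejecting whatever key the peer presents next.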