Package: upgrade-reports
Severity: minor

OpenSSH supports a local key revocation list (originally a response to https://wiki.debian.org/SSLkeys):

    echo RevokedKeys /etc/ssh/sshd_config.d/deny-ex-staff.revoked_keys >/etc/ssh/sshd_config.d/deny-ex-staff.config
    systemctl restart ssh
    cat ~alice/.ssh/id_ed25519.pub ~bob/.ssh/id_ed25519.pub >>/etc/ssh/sshd_config.d/deny-ex-staff.revoked_keys

If the KRL contains DSA keys (ssh-dss ...), openssh-server/trixie fails to parse the KRL completely.
It fails safe -- it rejects *every* ssh key.

    2025-08-11T22:57:48.265497+10:00 delta sshd-session[2263]: error: Error checking authentication key ED25519 SHA256:iynb/T3xeJv+cvKhJ8dR9TE50R1ZT8k6372bg7OG7jM in revoked keys file /etc/ssh/sshd_config.d/cyber-deny-ex-staff.revoked_keys: invalid format

This makes sense once you think about it, but it's easy to *not* think about it until after you're locked out.
Particularly if these are keys of staff who were offboarded 20 years ago :-)

Debian does not use RevokedKeys by default.

Please amend https://www.debian.org/releases/trixie/release-notes/issues.html#openssh-no-longer-supports-dsa-keys to warn users of RevokedKeys to remove DSA (ssh-dss) keys from their KRL.
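
A pre-upgrade check for the condition described in the report, as an added example that is not part of the original report: it lists the ssh-dss entries in a RevokedKeys file and writes a cleaned copy beside it. It assumes the plain-text, one-public-key-per-line format shown above; the function names, the ".no-dsa" suffix and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a plain-text RevokedKeys
# file for DSA entries before upgrading, and write a cleaned copy.
# Assumes one public key per line: "keytype base64-blob comment".

# List DSA entries as "LINE: keytype comment" (key blob omitted).
list_dsa_keys() {
    awk '$1 ~ /^ssh-dss/ { printf "%d: %s %s\n", NR, $1, $3 }' "$1"
}

# Print the number of DSA entries in file $1.
count_dsa_keys() {
    awk '$1 ~ /^ssh-dss/ { n++ } END { print n + 0 }' "$1"
}

# Copy $1 to $2 without DSA entries; other keys, comments and blank
# lines are kept unchanged and in order.
strip_dsa_keys() {
    awk '$1 !~ /^ssh-dss/' "$1" > "$2"
}

# Constructed sample data (key blobs are placeholders, not real keys).
write_sample() {
    cat > "$1" <<'EOF'
# offboarded staff
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERalice alice@example
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDERcarol carol@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDERdave dave@example
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDERerin erin@example
EOF
}

# Usage: sh check-revoked.sh FILE
# Reports DSA entries in FILE and, if any exist, writes FILE.no-dsa.
if [ "$#" -eq 1 ]; then
    n=$(count_dsa_keys "$1")
    echo "$1: $n DSA entries"
    if [ "$n" -gt 0 ]; then
        list_dsa_keys "$1"
        strip_dsa_keys "$1" "$1.no-dsa" && echo "cleaned copy: $1.no-dsa"
    fi
fi
```

Review the cleaned copy before moving it over the live file; the original is never modified by the script.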