
   linux.debian.devel.testing      Debian developer testing      27 messages   


   Message 5 of 27   
   Trent W. Buck to All   
   Bug#1111054: "5.1.8. OpenSSH no longer s   
   14 Aug 25 09:00:01   
   
   XPost: linux.debian.bugs.dist   
   From: trentbuck@gmail.com   
      
   Package: upgrade-reports   
   Severity: minor   
      
   OpenSSH supports a local key revocation list (originally a response to   
   https://wiki.debian.org/SSLkeys):   
      
       # Build the list first: sshd treats a missing or unparseable
       # RevokedKeys file as an error and then rejects *every* key.
       cat ~alice/.ssh/id_ed25519.pub ~bob/.ssh/id_ed25519.pub >>/etc/ssh/sshd_config.d/deny-ex-staff.revoked_keys
       # Debian's sshd_config includes /etc/ssh/sshd_config.d/*.conf,
       # so the drop-in must end in .conf to be read at all.
       echo RevokedKeys /etc/ssh/sshd_config.d/deny-ex-staff.revoked_keys >/etc/ssh/sshd_config.d/deny-ex-staff.conf
       systemctl restart ssh
      
   If the KRL contains DSA keys (ssh-dss ...), openssh-server/trixie fails to   
   parse the KRL completely.   
   It fails safe -- it rejects *every* ssh key.   
      
       2025-08-11T22:57:48.265497+10:00 delta sshd-session[2263]: error: Error checking authentication key ED25519 SHA256:iynb/T3xeJv+cvKhJ8dR9TE50R1ZT8k6372bg7OG7jM in revoked keys file /etc/ssh/sshd_config.d/cyber-deny-ex-staff.revoked_keys: invalid format
      
   This makes sense once you think about it, but   
   it's easy to *not* think about it until after you're locked out.   
   Particularly if these are keys of staff who were offboarded 20 years ago :-)   
      
   Debian does not use RevokedKeys by default.   
      
   Please amend https://www.debian.org/releases/trixie/release-notes/issues.html#openssh-no-longer-supports-dsa-keys
   to warn users of RevokedKeys to remove DSA (ssh-dss) keys from their KRL.
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
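The pre-upgrade check the report asks for, as an added example that is not part of the bug report, of Debian's release notes or of OpenSSH: audit a plain-text RevokedKeys list (the one-key-per-line format the report builds with `cat ... >> ...revoked_keys`, not a binary KRL produced by `ssh-keygen -k`) for ssh-dss entries, and write a copy with those entries removed so a DSA-less sshd can still parse it. The function names (`krl_dss_lines`, `krl_dss_count`, `krl_strip_dss`, `krl_write_sample`) and the sample file with its fake key blobs are my own constructions.

```shell
#!/bin/sh
# Added example (not from the bug report or from OpenSSH): find and strip
# ssh-dss entries from a plain-text RevokedKeys list. Assumes the list is
# in the "one public key per line" format, optionally with
# authorized_keys-style options in front of the key type.

# Print "N: line" for every entry whose key type is ssh-dss.
# Entries may carry options (from=..., command=...) before the type, so
# scan fields until the first key-type-looking token instead of only $1.
krl_dss_lines() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "ssh-dss") { print NR ": " $0; break }
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) break   # some other key type
            }
        }' "$1"
}

# Number of ssh-dss entries; 0 means the file is safe for a DSA-less sshd.
krl_dss_count() {
    krl_dss_lines "$1" | wc -l | tr -d ' '
}

# Write a copy of the list to $2 with ssh-dss entries dropped, keeping
# comments, blank lines and every other entry exactly as they were.
krl_strip_dss() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        {
            keep = 1
            for (i = 1; i <= NF; i++) {
                if ($i == "ssh-dss") { keep = 0; break }
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
            }
            if (keep) print
        }' "$1" > "$2"
}

# Constructed sample list for demonstration. The base64 blobs are NOT real
# keys; only the key-type field matters to the functions above.
krl_write_sample() {
    cat > "$1" <<'EOF'
# constructed sample: keys of offboarded staff (fake blobs, not real keys)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleBlobNotARealKey0 alice@example.org

ssh-dss AAAAB3NzaC1kc3MAAACBAConstructedExampleBlobNotARealKey1 bob@example.org
from="10.0.0.0/8" ssh-dss AAAAB3NzaC1kc3MAAACBAConstructedExampleBlobNotARealKey2 carol@example.org
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedExampleBlobNotARealKey3 dave@example.org
EOF
}

# Usage: sh krl_check.sh /etc/ssh/sshd_config.d/deny-ex-staff.revoked_keys
# Exits 1 and lists the offending entries if any ssh-dss key is present.
if [ "$#" -eq 1 ]; then
    n=$(krl_dss_count "$1")
    if [ "$n" -gt 0 ]; then
        echo "$1: $n ssh-dss entries; a DSA-less sshd would reject ALL keys:" >&2
        krl_dss_lines "$1" >&2
        exit 1
    fi
    echo "$1: no ssh-dss entries"
fi
```

Run the check against the list before the trixie upgrade, and replace the list with the output of `krl_strip_dss` rather than editing in place, so a failed run cannot leave sshd pointing at a half-written file.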



(c) 1994,  bbs@darkrealms.ca