
Bug#803622: openssh: drop mention-ssh-keygen-on-keychange.patch



Source: openssh
Version: 1:6.9p1-2
Severity: wishlist


Hi.

Please consider dropping mention-ssh-keygen-on-keychange.patch.

It can't be the task of error messages to tell users all possible
measures they may now take.

More importantly, in its current form this message reads like a
request/suggestion for the user, executing that command, and could
lead the uneducated user extremely easily to become victim of an
attack.
I'm quite surprised that it was merged in the Debian package,
even though it was already more or less rejected for that very
reason upstream.

Last but not least, -R, as documented, removes *all* keys, thereby
also any other (possibly/probably) still valid keys.


Actually, one should possibly tag this bug "security" and increase
the severity, as the current message easily tricks novice people
into doing something stupid.


Cheers,
Chris.
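
The remark about -R above, as an added example that is not part of the original message: a Python sketch that lists every known_hosts entry for a host (what `ssh-keygen -R` is documented to remove) and, by contrast, drops only the entry of one key type. The sample content, key blobs, host names and all function names are constructed for illustration; wildcard patterns and marker lines are not handled.

```python
import base64, hashlib, hmac

def host_matches(field, host):
    """True if the first known_hosts field names `host` (plain or hashed)."""
    if field.startswith("|1|"):
        # Hashed entry: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))
        _, _, salt_b64, hash_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        want = base64.b64decode(hash_b64)
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    # Plain entry: comma-separated names (wildcard patterns not handled here)
    return host in field.split(",")

def parse(line):
    """Return (hosts_field, key_type), or None for lines this sketch skips."""
    s = line.strip()
    # Blank lines, comments and marker lines (@cert-authority, @revoked)
    # are left untouched by this sketch.
    if not s or s[0] in "#@":
        return None
    f = s.split()
    return (f[0], f[1]) if len(f) >= 3 else None

def entries_for_host(lines, host):
    """All entries for host, i.e. everything a per-host removal would drop."""
    return [l for l in lines if (p := parse(l)) and host_matches(p[0], host)]

def remove_one(lines, host, key_type):
    """Drop only the entry of one key type for host; keep every other line."""
    return [l for l in lines
            if not ((p := parse(l)) and p[1] == key_type
                    and host_matches(p[0], host))]

def hashed_field(host, salt=b"constructed-salt-20b"):
    """Build a hashed host field so the sample below is self-consistent."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

# Constructed known_hosts content; the key blobs are placeholders, not real keys.
SAMPLE = [
    "# constructed sample",
    "server.example,192.0.2.10 ssh-rsa AAAAB3PLACEHOLDERRSA",
    "server.example ssh-ed25519 AAAAC3PLACEHOLDERED25519",
    hashed_field("server.example") + " ecdsa-sha2-nistp256 AAAAE2PLACEHOLDERECDSA",
    "other.example ssh-ed25519 AAAAC3PLACEHOLDEROTHER",
]
```
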

