Bug#1053737: /usr/bin/ssh-keygen: ssh-keygen -R: "invalid line" errors

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1053737: /usr/bin/ssh-keygen: ssh-keygen -R: "invalid line" errors
From: Matija Nalis <mnalis-debianbug@voyager.hr>
Date: Mon, 09 Oct 2023 23:36:50 +0200
Message-id: <[🔎] 169688741002.9578.1896607050234702111.reportbug@eagle102.home.lan>
Reply-to: Matija Nalis <mnalis-debianbug@voyager.hr>, 1053737@bugs.debian.org

Package: openssh-client
Version: 1:8.4p1-5+deb11u2
Severity: normal
File: /usr/bin/ssh-keygen

Dear Maintainer,

   * What led up to the situation?

Trying to execute:
 ssh-keygen -f "/home/mnalis/.ssh/known_hosts" -R "github.com"

(exact command as suggested by ssh itself because host key changed, 
 probably due to https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/)

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Tried on another machine with openssh-client 1:9.4p1-1, the same problem is
present there for this known_hosts file too.  Manually editing the file and
removing line 200 works around the specific instance of the problem, but
"ssh-keygen -R" remains unusable. I assume that manually removing all 
lines detected as "invalid line" would also allow ssh-keygen to proceed, 
but I have not tested it.

   * What was the outcome of this action?

ssh-keygen refuses to update known_hosts with following error:

% ssh-keygen -f "/home/mnalis/.ssh/known_hosts" -R "github.com"
/home/mnalis/.ssh/known_hosts:1: invalid line
/home/mnalis/.ssh/known_hosts:2: invalid line
/home/mnalis/.ssh/known_hosts:4: invalid line
/home/mnalis/.ssh/known_hosts:16: invalid line
/home/mnalis/.ssh/known_hosts:17: invalid line
# Host github.com found: line 200
/home/mnalis/.ssh/known_hosts is not a valid known_hosts file.
Not replacing existing known_hosts file because of errors

Here is how first 4 lines of that known_hosts file look like:

|1|DCvQVwzVexcX3Mau1D5fZmVKruM=|soAN7Mhjth9ExnFxG47y++6LLHg= 1024 35 167434766793837483340248804980769949824665268604993978563358959479765830951370741558908832827011687207884480786428301345738847818832072690127564924719644302715664485137952117178027506363037390447008852228373472317454193197538959482837286051143224351239595700806436016270258891540041265360900792522259140180921
|1|amNEFjA4gEiPAJp/hZepdJ1a38A=|3r0i0zg3DJ9iiaAcpdPfLNrhUrw= 1024 35 167434766793837483340248804980769949824665268604993978563358959479765830951370741558908832827011687207884480786428301345738847818832072690127564924719644302715664485137952117178027506363037390447008852228373472317454193197538959482837286051143224351239595700806436016270258891540041265360900792522259140180921
|1|+Q0EQTlTQeJ0jfLrk4Bhhyq7tic=|OtfKGw6dQ8Sw3BsH3MsRxj/+am8= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAoSZK2F7aXr0UxG8TqyqRiVKK1redIINJw2XHAFYwg+fRT4QxRGWANoZO4ggK6SB1dV0JsIvfJr/D7VGNiwfLT/i+K/EWt1jQ1Y13cLhzqqSrsUOWvsr2xC+re8QeSILk5pzP5nzQEYTyyBknCq0yCjnuRKm9MhqQOrcgY2GMB3U=
|1|zlwmrL64HaBaMTElBLAjB5wfiNE=|aqU2HeyZ00Nb16tHDcnZF/KALYI= 1024 35 127996390308881367982749181615590389946112714634614519843262364092321681710130910232611431762945334377336640067840062246513041629962755479231984134203580650174397517780096139161960264450818602524143591999435168314030504459201667428786398279613415241098669732580262057385208616093432930475934719992598708459451

That machine on which known_hosts exist, has been updated for many Debian
versions (at least from Squeeze, probably from Woody).  I seem to recall
that the known_hosts contained plaintext FQDNs back in the time, and then
some version decided to convert them to currently used hashed format. 

It seem that not all lines that were converted are recognized by recent
openssh versions.

   * What outcome did you expect instead?

that the offending line at line 200 is removed.


-- System Information:
Debian Release: 11.8
  APT prefers oldstable-security
  APT policy: (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-26-amd64 (SMP w/2 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.118+deb11u1
ii  dpkg              1.20.13
ii  libc6             2.31-13+deb11u7
ii  libedit2          3.1-20191231-2+b1
ii  libfido2-1        1.6.0-2
ii  libgssapi-krb5-2  1.18.3-6+deb11u4
ii  libselinux1       3.1-3
ii  libssl1.1         1.1.1w-0+deb11u1
ii  passwd            1:4.8.1-1
ii  zlib1g            1:1.2.11.dfsg-2+deb11u2

Versions of packages openssh-client recommends:
ii  xauth  1:1.1-1

Versions of packages openssh-client suggests:
pn  keychain                         <none>
pn  libpam-ssh                       <none>
pn  monkeysphere                     <none>
ii  ssh-askpass-gnome [ssh-askpass]  1:8.4p1-5+deb11u2

-- no debconf information

Reply to:

Prev by Date: Bug#1053555: openssh-server: DebianBanner setting not shown in configuration dump
Next by Date: Bug#942100: openssh-server: /etc/ssh/sshd_config unconditionally overwritten by update
Previous by thread: Bug#1053555: openssh-server: DebianBanner setting not shown in configuration dump
Next by thread: Bug#942100: openssh-server: /etc/ssh/sshd_config unconditionally overwritten by update
Index(es):
- Date
- Thread