Bug#1053737: /usr/bin/ssh-keygen: ssh-keygen -R: "invalid line" errors
Package: openssh-client
Version: 1:8.4p1-5+deb11u2
Severity: normal
File: /usr/bin/ssh-keygen
Dear Maintainer,
* What led up to the situation?
Trying to execute:
ssh-keygen -f "/home/mnalis/.ssh/known_hosts" -R "github.com"
(exact command as suggested by ssh itself because host key changed,
probably due to https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/)
* What exactly did you do (or not do) that was effective (or
ineffective)?
Tried on another machine with openssh-client 1:9.4p1-1, the same problem is
present there for this known_hosts file too. Manually editing the file and
removing line 200 works around the specific instance of the problem, but
"ssh-keygen -R" remains unusable. I assume that manually removing all
lines detected as "invalid line" would also allow ssh-keygen to proceed,
but I have not tested it.
* What was the outcome of this action?
ssh-keygen refuses to update known_hosts with the following error:
% ssh-keygen -f "/home/mnalis/.ssh/known_hosts" -R "github.com"
/home/mnalis/.ssh/known_hosts:1: invalid line
/home/mnalis/.ssh/known_hosts:2: invalid line
/home/mnalis/.ssh/known_hosts:4: invalid line
/home/mnalis/.ssh/known_hosts:16: invalid line
/home/mnalis/.ssh/known_hosts:17: invalid line
# Host github.com found: line 200
/home/mnalis/.ssh/known_hosts is not a valid known_hosts file.
Not replacing existing known_hosts file because of errors
Here is what the first 4 lines of that known_hosts file look like:
|1|DCvQVwzVexcX3Mau1D5fZmVKruM=|soAN7Mhjth9ExnFxG47y++6LLHg= 1024 35 167434766793837483340248804980769949824665268604993978563358959479765830951370741558908832827011687207884480786428301345738847818832072690127564924719644302715664485137952117178027506363037390447008852228373472317454193197538959482837286051143224351239595700806436016270258891540041265360900792522259140180921
|1|amNEFjA4gEiPAJp/hZepdJ1a38A=|3r0i0zg3DJ9iiaAcpdPfLNrhUrw= 1024 35 167434766793837483340248804980769949824665268604993978563358959479765830951370741558908832827011687207884480786428301345738847818832072690127564924719644302715664485137952117178027506363037390447008852228373472317454193197538959482837286051143224351239595700806436016270258891540041265360900792522259140180921
|1|+Q0EQTlTQeJ0jfLrk4Bhhyq7tic=|OtfKGw6dQ8Sw3BsH3MsRxj/+am8= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAoSZK2F7aXr0UxG8TqyqRiVKK1redIINJw2XHAFYwg+fRT4QxRGWANoZO4ggK6SB1dV0JsIvfJr/D7VGNiwfLT/i+K/EWt1jQ1Y13cLhzqqSrsUOWvsr2xC+re8QeSILk5pzP5nzQEYTyyBknCq0yCjnuRKm9MhqQOrcgY2GMB3U=
|1|zlwmrL64HaBaMTElBLAjB5wfiNE=|aqU2HeyZ00Nb16tHDcnZF/KALYI= 1024 35 127996390308881367982749181615590389946112714634614519843262364092321681710130910232611431762945334377336640067840062246513041629962755479231984134203580650174397517780096139161960264450818602524143591999435168314030504459201667428786398279613415241098669732580262057385208616093432930475934719992598708459451
The machine on which that known_hosts file exists has been updated across many
Debian versions (at least from Squeeze, probably from Woody). I seem to recall
that the known_hosts contained plaintext FQDNs back in the day, and then
some version decided to convert them to the currently used hashed format.
It seems that not all lines that were converted are recognized by recent
openssh versions.
* What outcome did you expect instead?
That the offending line at line 200 is removed.
-- System Information:
Debian Release: 11.8
APT prefers oldstable-security
APT policy: (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-26-amd64 (SMP w/2 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-client depends on:
ii adduser 3.118+deb11u1
ii dpkg 1.20.13
ii libc6 2.31-13+deb11u7
ii libedit2 3.1-20191231-2+b1
ii libfido2-1 1.6.0-2
ii libgssapi-krb5-2 1.18.3-6+deb11u4
ii libselinux1 3.1-3
ii libssl1.1 1.1.1w-0+deb11u1
ii passwd 1:4.8.1-1
ii zlib1g 1:1.2.11.dfsg-2+deb11u2
Versions of packages openssh-client recommends:
ii xauth 1:1.1-1
Versions of packages openssh-client suggests:
pn keychain <none>
pn libpam-ssh <none>
pn monkeysphere <none>
ii ssh-askpass-gnome [ssh-askpass] 1:8.4p1-5+deb11u2
-- no debconf information
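
Added example, not part of the original report and not OpenSSH code: lines 1, 2 and 4 quoted above use the "bits exponent modulus" layout of SSH protocol 1 RSA keys, which is what the "invalid line" messages point at. The sketch below audits known_hosts text, drops only those legacy entries from a copy, and reports other unparseable lines for manual review; the function names and the sample data are assumptions made up for illustration.

```python
import base64
import binascii
import struct

def _blob_type(b64):
    """Return the key type name embedded in a base64 key blob, or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 4:
        return None
    (n,) = struct.unpack(">I", raw[:4])   # blob starts with a length-prefixed type string
    if not 0 < n <= len(raw) - 4:
        return None
    return raw[4:4 + n].decode("ascii", "replace")

def classify(line):
    """Classify one known_hosts line: skip, key, legacy-rsa1 or malformed."""
    s = line.strip()
    if not s or s.startswith("#"):
        return "skip"
    f = s.split()
    if f[0] in ("@cert-authority", "@revoked"):
        f = f[1:]
    # SSH protocol 1 layout: hosts bits exponent modulus (all decimal)
    if len(f) >= 4 and all(x.isascii() and x.isdigit() for x in f[1:4]):
        return "legacy-rsa1"
    # Current layout: hosts keytype base64-blob [comment]
    if len(f) >= 3 and _blob_type(f[2]) == f[1]:
        return "key"
    return "malformed"

def split_legacy(text):
    """Return (kept_text, report); only legacy-rsa1 lines are dropped."""
    kept, report = [], []
    for no, line in enumerate(text.splitlines(), 1):
        kind = classify(line)
        if kind in ("legacy-rsa1", "malformed"):
            report.append((no, kind))
        if kind != "legacy-rsa1":
            kept.append(line)          # malformed lines stay for manual review
    return "\n".join(kept) + "\n", report

# Constructed sample: placeholder blob and short moduli, not real host keys.
_BLOB = base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + b"\x00" * 8).decode()
SAMPLE = ("|1|c2FsdA==|aGFzaA== 1024 35 1234567\n"
          f"|1|c2FsdA==|aGFzaA== ssh-rsa {_BLOB}\n"
          "# a comment\n"
          "old.example.org 1024 35 7654321\n"
          f"host.example.org ssh-ed25519 {_BLOB}\n")   # type/blob mismatch
```

Run split_legacy() on a copy of the file's contents and compare the result with the original before replacing anything; a protocol 1 entry cannot match any host key a current client will accept, so dropping it does not relax host verification.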