Bug#1111054: "5.1.8. OpenSSH no longer supports DSA keys" should also mention RevokedKeys (KRL)
Package: upgrade-reports
Severity: minor
OpenSSH supports a local key revocation list (originally a response to https://wiki.debian.org/SSLkeys):
echo RevokedKeys /etc/ssh/sshd_config.d/deny-ex-staff.revoked_keys >/etc/ssh/sshd_config.d/deny-ex-staff.config
systemctl restart ssh
cat ~alice/.ssh/id_ed25519.pub ~bob/.ssh/id_ed25519.pub >>/etc/ssh/sshd_config.d/deny-ex-staff.revoked_keys
If the KRL contains DSA keys (ssh-dss ...), openssh-server/trixie fails to parse the KRL completely.
It fails safe -- it rejects *every* ssh key.
2025-08-11T22:57:48.265497+10:00 delta sshd-session[2263]:
error: Error checking authentication key
ED25519 SHA256:iynb/T3xeJv+cvKhJ8dR9TE50R1ZT8k6372bg7OG7jM in revoked keys file
/etc/ssh/sshd_config.d/cyber-deny-ex-staff.revoked_keys: invalid format
This makes sense once you think about it, but
it's easy to *not* think about it until after you're locked out.
Particularly if these are keys of staff who were offboarded 20 years ago :-)
Debian does not use RevokedKeys by default.
Please amend https://www.debian.org/releases/trixie/release-notes/issues.html#openssh-no-longer-supports-dsa-keys
to warn users of RevokedKeys to remove DSA (ssh-dss) keys from their KRL.
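An added check (not part of the bug report above) for anyone who wants to find and drop ssh-dss entries from a text-format RevokedKeys file before upgrading: a POSIX shell script that counts the ssh-dss lines, lists them with line numbers, and writes a copy of the file without them. The sample file, the key blobs in it and the deny-ex-staff path are constructed for the demonstration; they are not real keys or the reporter's files.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a text-format RevokedKeys
# file for ssh-dss (DSA) entries, which openssh-server/trixie can no
# longer parse, and write a copy with those lines removed.

# RevokedKeys text files hold one public key per line in the usual
# "keytype base64 comment" form, with '#' comments and blank lines
# ignored. The awk loops below look at every whitespace-separated field
# so a line is flagged wherever the key-type token lands on it.

# Print how many key lines carry the ssh-dss key type (0 if none).
count_dss_keys() {
    awk '/^[[:space:]]*(#|$)/ { next }
         { for (i = 1; i <= NF; i++) if ($i == "ssh-dss") { n++; break } }
         END { print n + 0 }' "$1"
}

# Show the offending lines with their line numbers, for review.
list_dss_keys() {
    awk '/^[[:space:]]*(#|$)/ { next }
         { for (i = 1; i <= NF; i++) if ($i == "ssh-dss") { print NR ": " $0; break } }' "$1"
}

# Copy $1 to $2, keeping comments, blank lines and non-DSA keys only.
strip_dss_keys() {
    awk '/^[[:space:]]*(#|$)/ { print; next }
         { keep = 1
           for (i = 1; i <= NF; i++) if ($i == "ssh-dss") keep = 0
           if (keep) print }' "$1" > "$2"
}

# Constructed sample RevokedKeys file: the base64 blobs are placeholders,
# not real keys, and the path is made up for the example.
WORK=$(mktemp -d)
SAMPLE="$WORK/deny-ex-staff.revoked_keys"
cat > "$SAMPLE" <<'EOF'
# keys of former staff, appended over the years
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE alice@example
ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE bob@example 2005
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE carol@example
ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE dave@example 2004
EOF

# Report what would break, then produce the cleaned copy next to it.
echo "ssh-dss entries in $SAMPLE: $(count_dss_keys "$SAMPLE")"
list_dss_keys "$SAMPLE"
strip_dss_keys "$SAMPLE" "$SAMPLE.new"
echo "cleaned copy written to $SAMPLE.new"
```

Review the listed lines before replacing the live file, since every line removed is a key that will no longer be refused by sshd. The file is only read when a client offers a key, so a parse failure does not show up at service start; that is why the lockout in the report appeared as an authentication error rather than a failed restart.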