      ZZLI4421             linux.debian.devel.testing             20 messages      
  Msg # 6 of 20 on ZZLI4421, Friday 8-14-25, 8:06  
  From: TRENT W. BUCK  
  To: ALL  
  Subj: Bug#1111054: "5.1.8. OpenSSH no longer s  
 XPost: linux.debian.bugs.dist 
 From: trentbuck@gmail.com 
  
 Package: upgrade-reports 
 Severity: minor 
  
 OpenSSH supports a local key revocation list (originally a response to 
 https://wiki.debian.org/SSLkeys): 
  
     echo RevokedKeys /etc/ssh/sshd_config.d/deny-ex-staff.revoked_keys >/etc/ssh/sshd_config.d/deny-ex-staff.config 
     systemctl restart ssh 
     cat ~alice/.ssh/id_ed25519.pub ~bob/.ssh/id_ed25519.pub >>/etc/ssh/sshd_config.d/deny-ex-staff.revoked_keys 
  
 If the KRL contains DSA keys (ssh-dss ...), openssh-server/trixie fails to 
 parse the KRL completely. 
 It fails safe -- it rejects *every* ssh key. 
  
     2025-08-11T22:57:48.265497+10:00 delta sshd-session[2263]: error: Error checking authentication key ED25519 SHA256:iynb/T3xeJv+cvKhJ8dR9TE50R1ZT8k6372bg7OG7jM in revoked keys file /etc/ssh/sshd_config.d/cyber-deny-ex-staff.revoked_keys: invalid format 
  
 This makes sense once you think about it, but 
 it's easy to *not* think about it until after you're locked out. 
 Particularly if these are keys of staff who were offboarded 20 years ago :-) 
  
 Debian does not use RevokedKeys by default. 
  
 Please amend https://www.debian.org/releases/trixie/release-notes/issues.html#openssh-no-longer-supports-dsa-keys 
 to warn users of RevokedKeys to remove DSA (ssh-dss) keys from their KRL. 
  
 --- SoupGate-Win32 v1.05 
  * Origin: you cannot sedate... all the things you hate (1:229/2) 
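The report above describes a fail-safe that locks everyone out: one ssh-dss entry in a plain-text RevokedKeys file makes the new sshd reject every key. The following is an added audit script, not part of the bug report or of OpenSSH, that a defender can run before upgrading. It parses the plain-text form of the RevokedKeys file (one public key per line, the form used in the report), checks that each line's type prefix matches the type embedded in the base64 blob, and lists entries of a type the new sshd no longer parses. The function names, the UNSUPPORTED_TYPES tuple and the sample file contents are my own; the sample key blobs are constructed dummies, not real keys. Binary KRLs produced by `ssh-keygen -k` use a different format and are only detected, not parsed.

```python
"""Audit an OpenSSH plain-text RevokedKeys file for key types that a newer
sshd refuses to parse. Added example; not code from the bug report."""
import base64
import struct

KRL_MAGIC = b"SSHKRL\n\x00"      # magic bytes of a binary KRL from `ssh-keygen -k`
UNSUPPORTED_TYPES = ("ssh-dss",)  # assumption for this example: DSA is the dropped type


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def wire_key_type(blob: bytes) -> str:
    """Return the key type stored in the first wire string of a public-key blob."""
    if len(blob) < 4:
        raise ValueError("blob too short to hold a key type")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("truncated key type string")
    return blob[4:4 + n].decode("ascii")


def parse_revoked_line(line: str):
    """Parse one line of the file.

    Returns (keytype, blob, comment), or None for blank and '#' comment lines.
    Raises ValueError for lines sshd would call 'invalid format'."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"not a public key line: {stripped!r}")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    embedded = wire_key_type(blob)
    if embedded != keytype:
        raise ValueError(f"prefix {keytype} does not match blob type {embedded}")
    return keytype, blob, comment


def audit_revoked_keys(text: str, unsupported=UNSUPPORTED_TYPES):
    """Return (line_no, keytype_or_'malformed', detail) for every entry that
    would make sshd fail to parse the file, and therefore reject all keys."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            parsed = parse_revoked_line(line)
        except ValueError as exc:
            findings.append((lineno, "malformed", str(exc)))
            continue
        if parsed is None:
            continue
        keytype, _blob, comment = parsed
        if keytype in unsupported:
            findings.append((lineno, keytype, comment))
    return findings


def is_binary_krl(data: bytes) -> bool:
    """True if the file is a binary KRL rather than the plain-text key list."""
    return data.startswith(KRL_MAGIC)


def fake_key_line(keytype: str, comment: str) -> str:
    """Constructed sample line: correct framing, dummy key material."""
    blob = ssh_string(keytype.encode()) + ssh_string(b"\x00" * 8)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample RevokedKeys file, mirroring the report's deny-ex-staff list.
SAMPLE_REVOKED_KEYS = "\n".join([
    "# deny-ex-staff.revoked_keys (constructed sample, not real keys)",
    fake_key_line("ssh-ed25519", "alice@example.org"),
    fake_key_line("ssh-dss", "bob@example.org (left 2005)"),
    fake_key_line("ssh-rsa", "carol@example.org"),
    "",
])

if __name__ == "__main__":
    for lineno, keytype, detail in audit_revoked_keys(SAMPLE_REVOKED_KEYS):
        print(f"line {lineno}: {keytype} {detail}")
```

Any non-empty result means the file must be cleaned before the upgrade; removing the flagged lines (or regenerating the list without the retired key type) restores a KRL the new sshd can parse, so the remaining revocations keep working instead of silently turning into a blanket lockout.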
