Thank you for taking the time to report this bug while providing a good reproducer.
I was able to reproduce in Focal and Bionic:

# ssh-keyscan github.com >test_known_hosts
# ls -la test_known_hosts
-rw-r--r-- 1 root root 656 Mar 28 14:24 test_known_hosts
# ssh-keygen -R github.com -f test_known_hosts
test_known_hosts updated.
Original contents retained as test_known_hosts.old
# ls -la test_known_hosts
-rw------- 1 root root 0 Mar 28 14:25 test_known_hosts

However, in Jammy and Impish this is fixed:

# ssh-keyscan github.com >test_known_hosts
# ls -la test_known_hosts
-rw-r--r-- 1 root root 656 Mar 28 14:30 test_known_hosts
# ssh-keygen -R github.com -f test_known_hosts
test_known_hosts updated.
Original contents retained as test_known_hosts.old
# ls -la test_known_hosts
-rw-r--r-- 1 root root 0 Mar 28 14:31 test_known_hosts

With this already being fixed in the newer releases, it should just be a matter of finding the relevant commit and adding it to focal and bionic.

Thanks

** Also affects: openssh (Ubuntu Impish)
   Importance: Undecided
       Status: New

** Also affects: openssh (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: openssh (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: openssh (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: openssh (Ubuntu Impish)
       Status: New => Fix Released

** Changed in: openssh (Ubuntu Jammy)
       Status: New => Fix Released

** Changed in: openssh (Ubuntu Bionic)
       Status: New => Confirmed

** Changed in: openssh (Ubuntu Focal)
       Status: New => Confirmed

** Tags added: server-todo

https://bugs.launchpad.net/bugs/1966591

Title:
  ssh-keygen -R changes known_hosts file permissions (mode)

Status in openssh package in Ubuntu:
  Fix Released
Status in openssh source package in Bionic:
  Confirmed
Status in openssh source package in Focal:
  Confirmed
Status in openssh source package in Impish:
  Fix Released
Status in openssh source package in Jammy:
  Fix Released

Bug description:
  When I use ssh-keygen -R to remove a host from known_hosts it changes
  permissions on the file. This causes problems particularly when used
  on the global known hosts file (/etc/ssh/ssh_known_hosts), because
  then only root can read it. Programs running non-interactively as
  non-root users suddenly fail to SSH and it's not immediately obvious
  why.

  To reproduce:

  $ ssh-keyscan github.com >test_known_hosts
  $ chmod 741 test_known_hosts
  $ ssh-keygen -R github.com -f test_known_hosts
  $ stat test_known_hosts
  ...
  Access: (0600/-rw-------) ...

  Expected behavior: file permissions remain unchanged (mode 0741 in
  this example).

  $ lsb_release -rd
  Description: Ubuntu 18.04.6 LTS
  Release: 18.04

  $ apt-cache policy openssh-client
  openssh-client:
    Installed: 1:7.6p1-4ubuntu0.6
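
Until the fix reaches Bionic and Focal, a wrapper can record the file's mode and owner before ssh-keygen -R rewrites it and put them back afterwards. The following is an added example, not part of the bug report or of OpenSSH; the function names preserve_mode and known_hosts_remove are hypothetical, and GNU coreutils stat/chmod/chown (as shipped on Ubuntu) are assumed.

```shell
#!/bin/sh
# Added example: run a command that rewrites FILE, then restore FILE's
# original mode and ownership. Assumes GNU coreutils (stat -c).

# preserve_mode FILE CMD [ARGS...]
# Returns CMD's exit status, or non-zero if the restore itself failed.
preserve_mode() {
    pm_file=$1
    shift
    if [ ! -f "$pm_file" ]; then
        echo "preserve_mode: $pm_file: not a regular file" >&2
        return 2
    fi
    # Record octal mode and numeric owner before the file is replaced.
    pm_mode=$(stat -c '%a' -- "$pm_file") || return 2
    pm_owner=$(stat -c '%u:%g' -- "$pm_file") || return 2

    pm_rc=0
    "$@" || pm_rc=$?

    # Restore even if the command failed: the file may already have been
    # replaced by a new 0600 copy at that point.
    if [ -e "$pm_file" ]; then
        # chown first, because chown can clear setuid/setgid bits.
        [ "$(stat -c '%u:%g' -- "$pm_file")" = "$pm_owner" ] \
            || chown "$pm_owner" -- "$pm_file" || pm_rc=1
        chmod "$pm_mode" -- "$pm_file" || pm_rc=1
    fi
    return "$pm_rc"
}

# known_hosts_remove HOST FILE
# Hypothetical convenience wrapper around the command from the report.
known_hosts_remove() {
    preserve_mode "$2" ssh-keygen -R "$1" -f "$2"
}
```

Between the rewrite and the chmod the file is briefly left at the mode ssh-keygen gave it, so a reader that hits that window can still fail; the test_known_hosts.old backup that ssh-keygen leaves behind is not touched by this wrapper.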