Mailing List Archive

[Bug 3198] New: Custom critical options are not lexically ordered
https://bugzilla.mindrot.org/show_bug.cgi?id=3198

Bug ID: 3198
Summary: Custom critical options are not lexically ordered
Product: Portable OpenSSH
Version: -current
Hardware: amd64
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs@mindrot.org
Reporter: mariano.cano@gmail.com

According to PROTOCOL.certkeys critical options must be lexically
ordered by name:

```
Options must be lexically ordered by "name" if they appear in the
sequence. Each named option may only appear once in a certificate.
```

This works for the well-known options 'source-address' and
'force-command' but if custom critical options are passed, they will
appear in the order passed in:

```
$ ssh-keygen -I key-id -O critical:a@foo.com=a -O critical:c@foo.com=c
-O critical:b@foo.com=b -s ca.key user.pub
Signed user key user-cert.pub: id "key-id" serial 0 valid forever
```

They will be stored in the same order and will appear in that order
when inspecting the certificate:
```
user-cert.pub:
Type: ssh-rsa-cert-v01@openssh.com user certificate
Public key: RSA-CERT
SHA256:5XSDsn5usZ40pRyDsJnR2KWKacRc29ufR+U8KLYBqGw
Signing CA: ECDSA
SHA256:rmAjupXaId7QQode/ThbhY/t427k9EKtTfNQHn5AkPk (using
ecdsa-sha2-nistp256)
Key ID: "key-id"
Serial: 0
Valid: forever
Principals: (none)
Critical Options:
a@foo.com UNKNOWN OPTION (len 5)
c@foo.com UNKNOWN OPTION (len 5)
b@foo.com UNKNOWN OPTION (len 5)
Extensions:
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc
```

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs