
[Bug 3311] Certificate validity "forever" is not documented in PROTOCOL.certkeys
https://bugzilla.mindrot.org/show_bug.cgi?id=3311

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm@mindrot.org

--- Comment #1 from Damien Miller <djm@mindrot.org> ---
What special case are you referring to? AFAIK there is no such special
case.

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3311] Certificate validity "forever" is not documented in PROTOCOL.certkeys
https://bugzilla.mindrot.org/show_bug.cgi?id=3311

--- Comment #2 from Mariano Cano <mariano.cano@gmail.com> ---
The special case is that you can create an SSH certificate without an
expiration date if you set the valid before to 0.

See the flag -V in `man ssh-keygen`:

https://github.com/openssh/openssh-portable/blob/d3cc4d650ce3e59f3e370b101778b0e8f1c02c4d/ssh-keygen.1#L613-L643

I haven't tried to debug the code, but in /auth.c there's code to skip
the expiration check if opts->valid_before is 0.

https://github.com/openssh/openssh-portable/blob/2dc328023f60212cd29504fc05d849133ae47355/auth.c#L963-L969

And that "forever" mode, as `man ssh-keygen` says, is not documented
in PROTOCOL.certkeys.

[Bug 3311] Certificate validity "forever" is not documented in PROTOCOL.certkeys
https://bugzilla.mindrot.org/show_bug.cgi?id=3311

--- Comment #3 from Damien Miller <djm@mindrot.org> ---
"forever" in ssh-keygen sets valid_after=0 and
valid_before=0xffffffffffffffff, so that's not the case you're talking
about here unless you're considering wall clock times before 1970 or
many billions of years in the future:
https://github.com/openssh/openssh-portable/blob/d3cc4d650ce3e59f3e370b101778b0e8f1c02c4d/ssh-keygen.c#L1954

The other case has nothing to do with certificates (note that the
'opts' variable here is not a key, but another type). It is to support
the authorized_keys "expiry-time" keyword:
https://github.com/openssh/openssh-portable/blob/d3cc4d650ce3e59f3e370b101778b0e8f1c02c4d/sshd.8#L527

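A worked illustration of the point in Comment #3, added here as an example and not code from OpenSSH or from either poster: it lays out a constructed, unsigned ssh-ed25519 certificate in the PROTOCOL.certkeys field order, reads back valid_after/valid_before, and applies the same window test OpenSSH uses in sshkey_cert_check_authority(). Key, nonce and signature bytes are placeholders, and the helper names are my own.

```python
import struct
import time

# What `ssh-keygen -V forever` stores: valid_after = 0, valid_before = ~(u_int64_t)0
FOREVER = 0xFFFFFFFFFFFFFFFF
CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def build_ed25519_cert(valid_after: int, valid_before: int) -> bytes:
    """Constructed certificate blob in PROTOCOL.certkeys order; pk and
    signature are placeholder bytes, so this only exercises the parser."""
    return b"".join([
        _string(CERT_TYPE),
        _string(b"\x00" * 32),                        # nonce
        _string(b"\x11" * 32),                        # pk (placeholder)
        struct.pack(">Q", 1),                         # serial
        struct.pack(">I", 1),                         # type: user certificate
        _string(b"example-key-id"),                   # key id
        _string(_string(b"alice")),                   # valid principals
        struct.pack(">Q", valid_after),               # valid after
        struct.pack(">Q", valid_before),              # valid before
        _string(b""),                                 # critical options
        _string(b""),                                 # extensions
        _string(b""),                                 # reserved
        _string(_string(b"ssh-ed25519") + _string(b"\x22" * 32)),  # signature key
        _string(b"\x33" * 64),                        # signature (not verified here)
    ])

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_validity(blob: bytes):
    """Walk the leading fields and return (valid_after, valid_before)."""
    cert_type, off = _read_string(blob, 0)
    if cert_type != CERT_TYPE:
        raise ValueError("unsupported certificate type")
    _, off = _read_string(blob, off)   # nonce
    _, off = _read_string(blob, off)   # pk
    off += 8 + 4                       # serial (uint64), type (uint32)
    _, off = _read_string(blob, off)   # key id
    _, off = _read_string(blob, off)   # valid principals
    return struct.unpack_from(">QQ", blob, off)

def cert_valid_at(valid_after: int, valid_before: int, now: int) -> bool:
    """Same window as OpenSSH: rejected if now < valid_after or now >= valid_before."""
    return valid_after <= now < valid_before

def is_forever(valid_after: int, valid_before: int) -> bool:
    return valid_after == 0 and valid_before == FOREVER
```

Note that a certificate with valid_before = 0 is always expired under this check; the "0 means no expiry" rule from auth.c applies to the authorized_keys expiry-time option, not to certificates.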
[Bug 3311] Certificate validity "forever" is not documented in PROTOCOL.certkeys
https://bugzilla.mindrot.org/show_bug.cgi?id=3311

Mariano Cano <mariano.cano@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|NEW |RESOLVED

--- Comment #4 from Mariano Cano <mariano.cano@gmail.com> ---
You're right, I didn't understand the `~` in `~(u_int64_t)0;`.
