https://bugzilla.mindrot.org/show_bug.cgi?id=3659
Bug ID: 3659
Summary: Certificates are ignored when listing revoked items in
a (binary) revocation list
Product: Portable OpenSSH
Version: 9.2p1
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs@mindrot.org
Reporter: webmaster@mmf-research.de
1. Create a blank binary revocation list:
ssh-keygen -Qlf my.krl
# KRL version 0
# Generated at 20240122T162948
2. Revoke a key, and a certificate:
ssh-keygen -kuf my.krl user1_id25519.pub user2_id25519-cert.pub
Revoking from user1_id25519.pub
Revoking from user2_id25519-cert.pub
3. Check the successful revocation:
ssh-keygen -Qf my.krl user1_id25519.pub user2_id25519-cert.pub
> user1_id25519.pub (USER1 ID): REVOKED
> user2_id25519-cert.pub (USER2 ID): REVOKED
4. Displaying the updated content of the revocation list will ignore
the certificate:
ssh-keygen -Qlf my.krl
# KRL version 0
# Generated at 20240122T162948
hash: SHA256:SHA256:3IJIl... # ssh-ed25519
# CA key ssh-ed25519 SHA256:f4o3Bp...
serial: 3007
I would expect the revoked certificate to show up in this list, too.
Note that in my setup, the SSH daemon correctly denies login with the
revoked certificate. It seems that just the KRL/CRL content listing is
affected.
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
Bug ID: 3659
Summary: Certificates are ignored when listing revoked items in
a (binary) revocation list
Product: Portable OpenSSH
Version: 9.2p1
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs@mindrot.org
Reporter: webmaster@mmf-research.de
1. Create a blank binary revocation list:
ssh-keygen -Qlf my.krl
# KRL version 0
# Generated at 20240122T162948
2. Revoke a key, and a certificate:
ssh-keygen -kuf my.krl user1_id25519.pub user2_id25519-cert.pub
Revoking from user1_id25519.pub
Revoking from user2_id25519-cert.pub
3. Check the successful revocation:
ssh-keygen -Qf my.krl user1_id25519.pub user2_id25519-cert.pub
> user1_id25519.pub (USER1 ID): REVOKED
> user2_id25519-cert.pub (USER2 ID): REVOKED
4. Displaying the updated content of the revocation list will ignore
the certificate:
ssh-keygen -Qlf my.krl
# KRL version 0
# Generated at 20240122T162948
hash: SHA256:SHA256:3IJIl... # ssh-ed25519
# CA key ssh-ed25519 SHA256:f4o3Bp...
serial: 3007
I would expect the revoked certificate to show up in this list, too.
Note that in my setup, the SSH daemon correctly denies login with the
revoked certificate. It seems that just the KRL/CRL content listing is
affected.
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs