[Bug 2436] Add ssh option to present certificates on command line

bugzilla-daemon at bugzilla.mindrot.org
Fri Sep 11 17:33:26 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2436

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Created attachment 2700
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2700&action=edit
revised patch

Here's a tweaked version of the patch. Changes are:

- add_certificate_file() never used its "dir" argument; remove it and
save some code

- merge load_certificate_files() into load_public_identity_files();
much of the code is shared (especially % expansion)

- if any CertificateFiles have been specified, skip trying to load
key-cert.pub by default. I figure that if users are specifying
certificates themselves then they don't want implicit behaviour to
confuse things.

- log (at debug2 level) which private key is being used for the
certificate and cases where no private key was found for a given
certificate

- Simplify the matching of certificates to private keys in
sign_and_send_pubkey() and use it for all certificates (i.e. both
CertificateFile and implicit *-cert.pub ones).

- Tweak the wording of the manpage a little and mention the interaction
with IdentitiesOnly.

I've left the ssh -z option in there for now. The alternative to an
explicit flag is making users use -oCertificateFile=...

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
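The behaviour the comment describes (explicit CertificateFile entries suppress the implicit key-cert.pub lookup, %-expansion is shared between IdentityFile and CertificateFile, and each certificate is paired with the identity whose public key it embeds, with a debug2 line either way) is modelled below as an added example. It is not code from the patch or from OpenSSH: the function names, the in-memory "filesystem", and the toy key format (a cert line carries CERT(<key>) in its second field, a .pub line carries the bare key) are assumptions made for illustration, and the model reads an identity's public half only from its .pub file, which is a simplification of what ssh does.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the filesystem: path -> file contents. The key
# material is placeholder text, not real OpenSSH key encodings.
SAMPLE_FS: Dict[str, str] = {
    "/home/alice/.ssh/id_ed25519": "PRIVATE ed25519 KEYA",
    "/home/alice/.ssh/id_ed25519.pub": "ssh-ed25519 KEYA alice@laptop",
    "/home/alice/.ssh/id_ed25519-cert.pub":
        "ssh-ed25519-cert-v01@openssh.com CERT(KEYA) alice@laptop",
    "/home/alice/.ssh/id_rsa": "PRIVATE rsa KEYB",
    "/home/alice/.ssh/id_rsa.pub": "ssh-rsa KEYB alice@laptop",
    "/etc/ssh/certs/deploy-cert.pub":
        "ssh-rsa-cert-v01@openssh.com CERT(KEYB) deploy",
    "/etc/ssh/certs/orphan-cert.pub":
        "ssh-ed25519-cert-v01@openssh.com CERT(KEYZ) orphan",
}

Identity = Tuple[str, str]   # (private key path, public key)
Cert = Tuple[str, str]       # (certificate path, public key embedded in it)


def expand_percent(path: str, home: str, user: str, host: str) -> str:
    """Expand the ssh_config %-tokens shared by IdentityFile and
    CertificateFile (subset): %d home dir, %u local user, %h remote host,
    %% literal percent. Unknown tokens are rejected rather than passed through."""
    tokens = {"d": home, "u": user, "h": host, "%": "%"}

    def sub(m: "re.Match[str]") -> str:
        key = m.group(1)
        if key not in tokens:
            raise ValueError(f"unknown %-token in {path!r}: %{key}")
        return tokens[key]

    return re.sub(r"%(.)", sub, path)


def public_key_of(line: str) -> str:
    """Bare public key from a toy *.pub or *-cert.pub line (assumed format)."""
    fields = line.split()
    m = re.fullmatch(r"CERT\((\w+)\)", fields[1])
    return m.group(1) if m else fields[1]


def load_public_identity_files(identity_files: List[str],
                               certificate_files: List[str],
                               fs: Dict[str, str],
                               home: str, user: str, host: str
                               ) -> Tuple[List[Identity], List[Cert]]:
    """Collect identities and certificates. Implicit key-cert.pub files are
    only consulted when no CertificateFile has been configured."""
    identities: List[Identity] = []
    certs: List[Cert] = []
    for f in identity_files:
        priv = expand_percent(f, home, user, host)
        pub = fs.get(priv + ".pub")
        if pub is None:
            continue  # model simplification: identity needs its .pub file
        identities.append((priv, public_key_of(pub)))
        if not certificate_files:
            cert = fs.get(priv + "-cert.pub")
            if cert is not None:
                certs.append((priv + "-cert.pub", public_key_of(cert)))
    for f in certificate_files:
        path = expand_percent(f, home, user, host)
        content = fs.get(path)
        if content is not None:
            certs.append((path, public_key_of(content)))
    return identities, certs


def match_certificates(identities: List[Identity], certs: List[Cert],
                       log: Callable[[str], None]
                       ) -> List[Tuple[str, Optional[str]]]:
    """Pair each certificate with the private key whose public half it embeds;
    certificates without a usable private key are kept but marked None."""
    by_pub = {pub: priv for priv, pub in identities}
    matched: List[Tuple[str, Optional[str]]] = []
    for cert_path, pub in certs:
        priv = by_pub.get(pub)
        if priv is None:
            log(f"debug2: no private key found for certificate {cert_path}")
        else:
            log(f"debug2: using private key {priv} for certificate {cert_path}")
        matched.append((cert_path, priv))
    return matched


def plan_signing(identity_files: List[str], certificate_files: List[str],
                 fs: Dict[str, str] = SAMPLE_FS, home: str = "/home/alice",
                 user: str = "alice", host: str = "bastion.example"
                 ) -> Tuple[List[Tuple[str, Optional[str]]], List[str]]:
    """Run both steps and return (certificate -> private key pairs, log lines)."""
    logs: List[str] = []
    identities, certs = load_public_identity_files(
        identity_files, certificate_files, fs, home, user, host)
    return match_certificates(identities, certs, logs.append), logs


if __name__ == "__main__":
    ids = ["%d/.ssh/id_ed25519", "%d/.ssh/id_rsa"]
    for cfg in ([], ["/etc/ssh/certs/deploy-cert.pub",
                     "/etc/ssh/certs/orphan-cert.pub"]):
        pairs, logs = plan_signing(ids, cfg)
        print("CertificateFile =", cfg or "(none)")
        for line in logs:
            print("  ", line)
```

With no CertificateFile the model picks up id_ed25519-cert.pub beside its key; with two explicit certificates it ignores that implicit file, pairs deploy-cert.pub with id_rsa (same embedded key) and reports that orphan-cert.pub has no matching private key instead of silently dropping it.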
