[Bug 3198] New: Custom critical options are not lexically ordered
bugzilla-daemon at mindrot.org
Tue Jul 28 07:50:05 AEST 2020
https://bugzilla.mindrot.org/show_bug.cgi?id=3198
Bug ID: 3198
Summary: Custom critical options are not lexically ordered
Product: Portable OpenSSH
Version: -current
Hardware: amd64
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: mariano.cano at gmail.com
According to PROTOCOL.certkeys critical options must be lexically
ordered by name:
```
Options must be lexically ordered by "name" if they appear in the
sequence. Each named option may only appear once in a certificate.
```
This works for the well-known options 'source-address' and
'force-command' but if custom critical options are passed, they will
appear in the order passed in:
```
$ ssh-keygen -I key-id -O critical:a@foo.com=a -O critical:c@foo.com=c \
    -O critical:b@foo.com=b -s ca.key user.pub
Signed user key user-cert.pub: id "key-id" serial 0 valid forever
```
They will be stored in the same order and will appear in that order
when inspecting the certificate:
```
user-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:5XSDsn5usZ40pRyDsJnR2KWKacRc29ufR+U8KLYBqGw
        Signing CA: ECDSA SHA256:rmAjupXaId7QQode/ThbhY/t427k9EKtTfNQHn5AkPk (using ecdsa-sha2-nistp256)
        Key ID: "key-id"
        Serial: 0
        Valid: forever
        Principals: (none)
        Critical Options:
                a@foo.com UNKNOWN OPTION (len 5)
                c@foo.com UNKNOWN OPTION (len 5)
                b@foo.com UNKNOWN OPTION (len 5)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
```
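Added example, not part of the bug report or of OpenSSH's code: a Python check over the body of a certificate's critical-options field that flags any name breaking the PROTOCOL.certkeys rule (strictly ascending, no repeats), run on a constructed encoding of the three options from the report. It assumes each option's data is the value wrapped in an inner SSH string, which matches the `len 5` shown above for one-character values; all function names are hypothetical.

```python
import struct

def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def get_string(buf: bytes, off: int):
    """Read one SSH string at off; return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:end], end

def encode_options(opts, sort=True) -> bytes:
    """Encode (name, value) pairs as the body of the options field.
    Assumption: data is the value wrapped in an inner SSH string."""
    pairs = sorted(opts) if sort else list(opts)
    return b"".join(put_string(n) + put_string(put_string(v)) for n, v in pairs)

def parse_options(blob: bytes):
    """Return [(name, data)] in on-the-wire order."""
    out, off = [], 0
    while off < len(blob):
        name, off = get_string(blob, off)
        data, off = get_string(blob, off)
        out.append((name, data))
    return out

def order_violations(blob: bytes):
    """Names that are not strictly greater (bytewise) than their predecessor.
    An empty result means the options are ordered and each appears once."""
    names = [n for n, _ in parse_options(blob)]
    return [cur for prev, cur in zip(names, names[1:]) if cur <= prev]

# Constructed sample: the three options from the report, in the order passed.
PASSED = [(b"a@foo.com", b"a"), (b"c@foo.com", b"c"), (b"b@foo.com", b"b")]

if __name__ == "__main__":
    as_passed = encode_options(PASSED, sort=False)
    print([n.decode() for n, _ in parse_options(as_passed)])
    print("violations:", [n.decode() for n in order_violations(as_passed)])
    print("after sort:", order_violations(encode_options(PASSED)))
```
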