[Bug 3311] Certificate validity "forever" is not documented in PROTOCOL.certkeys

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu May 13 15:58:20 AEST 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3311

--- Comment #2 from Mariano Cano <mariano.cano at gmail.com> ---
The special case is that you can create an SSH certificate without
expiration date if you set the valid before to 0.

See the flag -V in `man ssh-keygen`:

https://github.com/openssh/openssh-portable/blob/d3cc4d650ce3e59f3e370b101778b0e8f1c02c4d/ssh-keygen.1#L613-L643

I haven't tried to debug the code, but in /auth.c there's code to skip
the expiration check if opts->valid_before is 0.

https://github.com/openssh/openssh-portable/blob/2dc328023f60212cd29504fc05d849133ae47355/auth.c#L963-L969

And that "forever" mode, as `man ssh-keygen` says, it is not documented
on the PROTOCOL.certkeys

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list