[Bug 3311] Certificate validity "forever" is not documented in PROTOCOL.certkeys
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Thu May 13 15:58:20 AEST 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3311
--- Comment #2 from Mariano Cano <mariano.cano at gmail.com> ---
The special case is that you can create an SSH certificate without
expiration date if you set the valid before to 0.
See the flag -V in `man ssh-keygen`:
https://github.com/openssh/openssh-portable/blob/d3cc4d650ce3e59f3e370b101778b0e8f1c02c4d/ssh-keygen.1#L613-L643
I haven't tried to debug the code, but in /auth.c there's code to skip
the expiration check if opts->valid_before is 0.
https://github.com/openssh/openssh-portable/blob/2dc328023f60212cd29504fc05d849133ae47355/auth.c#L963-L969
And that "forever" mode, as `man ssh-keygen` says, it is not documented
on the PROTOCOL.certkeys
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list