[Bug 3468] New: Validity interval changes during Daylight Saving Time

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Aug 8 23:49:06 AEST 2022 

https://bugzilla.mindrot.org/show_bug.cgi?id=3468

            Bug ID: 3468
           Summary: Validity interval changes during Daylight Saving Time
           Product: Portable OpenSSH
           Version: v9.0p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: florfoto at gmail.com

Description of problem:
When specifying a validity interval when signing a certificate using -V
option, an hour is added if the system timezone is in Daylight Saving
Time (DST).

Version-Release number of selected component (if applicable):
openssh-8.7p1-8.el9

How reproducible:
Always

Steps to Reproduce:
1. Grant access on July 28 2022 from 10:00 to 12:00hs:

~~~
[root at rhel9server ~]# ssh-keygen -s ssh_ca -I myuser -n myuser -V
202207281000:202207281200 .ssh/id_rsa.pub 
Signed user key .ssh/id_rsa-cert.pub: id "myuser" serial 0 for myuser
valid from 2022-07-28T11:00:00 to 2022-07-28T13:00:00
~~~

Actual results:
The previous output says "valid from 2022-07-28T11:00:00 to
2022-07-28T13:00:00" instead of "valid from 2022-07-28T10:00:00 to
2022-07-28T12:00:00".

~~~
[root at rhel9server ~]# ssh-keygen -Lf .ssh/id_rsa-cert.pub 
.ssh/id_rsa-cert.pub:
        Type: ssh-rsa-cert-v01 at openssh.com user certificate
        Public key: RSA-CERT
SHA256:P8r+Z3Hiir9KIg/D04vNwlr9zAYw1k6b6xEeZbF0fps
        Signing CA: RSA
SHA256:0GHrCSlevbRxJCe6/+XzSXx6qzWGre4S0kfrP9R+AcA (using rsa-sha2-512)
        Key ID: "myuser"
        Serial: 0
        Valid: from 2022-07-28T11:00:00 to 2022-07-28T13:00:00
        Principals: 
                myuser
        Critical Options: (none)
        Extensions: 
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
~~~

Expected results:
1. Grant access on July 28 2022 from 10:00 to 12:00hs (not from 11:00
to 13:00hs):

~~~
[root at rhel9server ~]# ssh-keygen -s ssh_ca -I myuser -n myuser -V
202207281000:202207281200 .ssh/id_rsa.pub 
Signed user key .ssh/id_rsa-cert.pub: id "myuser" serial 0 for myuser
valid from 2022-07-28T10:00:00 to 2022-07-28T12:00:00
~~~

Additional info:
This only happens when the system clock is in DST.
When DST finishes( for example in November for Europe/Brussels
timezone), there isn´t an hour added:

~~~
[root at rhel9server ~]# ssh-keygen -s ssh_ca -I myuser -n myuser -V
202211281000:202211281200 .ssh/id_rsa.pub 
Signed user key .ssh/id_rsa-cert.pub: id "myuser" serial 0 for myuser
valid from 2022-11-28T10:00:00 to 2022-11-28T12:00:00
~~~

Description of problem:
When specifying a validity interval when signing a certificate using -V
option, an hour is added if the system timezone is in Daylight Saving
Time (DST).

Version-Release number of selected component (if applicable):
openssh-8.7p1-8.el9

How reproducible:
Always

Steps to Reproduce:
1. Grant access on July 28 2022 from 10:00 to 12:00hs:

~~~
[root at rhel9server ~]# ssh-keygen -s ssh_ca -I myuser -n myuser -V
202207281000:202207281200 .ssh/id_rsa.pub 
Signed user key .ssh/id_rsa-cert.pub: id "myuser" serial 0 for myuser
valid from 2022-07-28T11:00:00 to 2022-07-28T13:00:00
~~~

Actual results:
The previous output says "valid from 2022-07-28T11:00:00 to
2022-07-28T13:00:00" instead of "valid from 2022-07-28T10:00:00 to
2022-07-28T12:00:00".

~~~
[root at rhel9server ~]# ssh-keygen -Lf .ssh/id_rsa-cert.pub 
.ssh/id_rsa-cert.pub:
        Type: ssh-rsa-cert-v01 at openssh.com user certificate
        Public key: RSA-CERT
SHA256:P8r+Z3Hiir9KIg/D04vNwlr9zAYw1k6b6xEeZbF0fps
        Signing CA: RSA
SHA256:0GHrCSlevbRxJCe6/+XzSXx6qzWGre4S0kfrP9R+AcA (using rsa-sha2-512)
        Key ID: "myuser"
        Serial: 0
        Valid: from 2022-07-28T11:00:00 to 2022-07-28T13:00:00
        Principals: 
                myuser
        Critical Options: (none)
        Extensions: 
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
~~~

Expected results:
1. Grant access on July 28 2022 from 10:00 to 12:00hs (not from 11:00
to 13:00hs):

~~~
[root at rhel9server ~]# ssh-keygen -s ssh_ca -I myuser -n myuser -V
202207281000:202207281200 .ssh/id_rsa.pub 
Signed user key .ssh/id_rsa-cert.pub: id "myuser" serial 0 for myuser
valid from 2022-07-28T10:00:00 to 2022-07-28T12:00:00
~~~

Additional info:
This only happens when the system clock is in DST.
When DST finishes( for example in november for Europe/Brussels
timezone), there isn´t an hour added:

~~~
[root at rhel9server ~]# ssh-keygen -s ssh_ca -I myuser -n myuser -V
202211281000:202211281200 .ssh/id_rsa.pub 
Signed user key .ssh/id_rsa-cert.pub: id "myuser" serial 0 for myuser
valid from 2022-11-28T10:00:00 to 2022-11-28T12:00:00
~~~

Is this behavior expected or is it a bug?

Thanks in advance.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list