[Bug 3807] New: Authentication failure due to expired certificates

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Apr 4 09:37:40 AEDT 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3807

            Bug ID: 3807
           Summary: Authentication failure due to expired certificates
           Product: Portable OpenSSH
           Version: -current
          Hardware: 68k
                OS: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mariano.cano at gmail.com

At least since OpenSSH 9.6, when the sshd server is configured with
certificates, child processes created on a new connection won't pick up a
refreshed certificate and will use the one available when the server
started, even though you can see in the logs that the certificate has
been reprocessed.

I've tested this in the following versions:

* 9.9: fail
* 9.6: fail
* 9.2: ok
* 8.2: ok

Fail means that a refreshed certificate is not used, and ok means that
it was used.

The configuration looks like this:

Match all
        TrustedUserCAKeys /etc/ssh/ca.pub
        HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
        HostKey /etc/ssh/ssh_host_ecdsa_key

The logs on all versions tested show this:

... sshd[373286]: debug3: checking match for 'all' user xxx host xxx
addr xxx laddr xxx lport 22
... sshd[373286]: debug3: reprocess config:130 setting
TrustedUserCAKeys /etc/ssh/ca.pub
... sshd[373286]: debug3: reprocess config:131 setting HostCertificate
/etc/ssh/ssh_host_ecdsa_key-cert.pub
... sshd[373286]: debug3: reprocess config:132 setting HostKey
/etc/ssh/ssh_host_ecdsa_key

If we use strace to see the system calls of each process on a working
version (9.2), we can see the file being opened:

[pid 18697] openat(AT_FDCWD, "/etc/ssh/ssh_host_ecdsa_key-cert.pub",
O_RDONLY) = 4

This is not the case, at least with version 9.6.
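An added check for the failure mode described above (example code, not OpenSSH's and not the reporter's): it decodes the certificate blob a running sshd presents (the `host type blob` line from `ssh-keyscan -c`, which the caller passes in) and the on-disk `-cert.pub` file, and reports whether the serials match and the served certificate is inside its validity window. The `build_test_cert` helper, the name `host.example` and the sample serials are constructed for offline use; only nistp256 ECDSA, Ed25519 and RSA certificates are handled.

```python
import base64
import struct
import time

# Length-prefixed public-key fields between the nonce and the serial, per key type.
KEY_FIELDS = {"ecdsa-sha2-nistp256": 2, "ssh-ed25519": 1, "ssh-rsa": 2}


def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_cert(line):
    """Decode serial, key id and validity window from a certificate line.
    Works for 'type blob comment' (the -cert.pub file) and 'host type blob'
    (ssh-keyscan -c output): the certificate blob is the AAAA... token."""
    blob = base64.b64decode(next(t for t in line.split() if t.startswith("AAAA")))
    cert_type, off = _read_string(blob, 0)
    base_type = cert_type.decode().removesuffix("-cert-v01@openssh.com")
    _nonce, off = _read_string(blob, off)
    for _ in range(KEY_FIELDS[base_type]):  # skip the embedded public key
        _, off = _read_string(blob, off)
    serial, cert_kind = struct.unpack(">QI", blob[off:off + 12])
    key_id, off = _read_string(blob, off + 12)
    _principals, off = _read_string(blob, off)
    valid_after, valid_before = struct.unpack(">QQ", blob[off:off + 16])
    return {"serial": serial, "host_cert": cert_kind == 2, "key_id": key_id.decode(),
            "valid_after": valid_after, "valid_before": valid_before}


def check_live_vs_disk(live_line, disk_line, now=None):
    """ok only if sshd serves the on-disk certificate and that certificate is valid."""
    now = int(time.time()) if now is None else now
    live, disk = parse_cert(live_line), parse_cert(disk_line)
    same = live["serial"] == disk["serial"]
    valid = live["valid_after"] <= now < live["valid_before"]
    return {"same_serial": same, "live_valid": valid, "ok": same and valid,
            "live_serial": live["serial"], "disk_serial": disk["serial"]}


def build_test_cert(serial, valid_after, valid_before):
    """Constructed, unsigned ecdsa host certificate line for offline testing only."""
    def s(b): return struct.pack(">I", len(b)) + b
    body = (s(b"ecdsa-sha2-nistp256-cert-v01@openssh.com") + s(b"nonce") + s(b"nistp256")
            + s(b"\x04" + b"\x00" * 64) + struct.pack(">QI", serial, 2) + s(b"host.example")
            + s(b"host.example") + struct.pack(">QQ", valid_after, valid_before)
            + s(b"") + s(b"") + s(b"") + s(b"cakey") + s(b"sig"))
    return "ecdsa-sha2-nistp256-cert-v01@openssh.com " + base64.b64encode(body).decode()
```

A monitoring job can run `ssh-keyscan -c -t ecdsa <host>` after rotating the certificate and alert when `ok` is false, which is the state this report describes: a new file on disk, an old serial on the wire.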
