Corrupt KRL file when using multiple CA.
Peter Ankerstål
peter at pean.org
Fri Nov 14 16:33:13 EST 2014
6.5p1
Hälsningar / regards
Peter Ankerstål
> On 14 nov 2014, at 03:34, Damien Miller <djm at mindrot.org> wrote:
>
> What version of OpenSSH are you using? I fixed a bug in KRL generation
> a few months ago:
>
> https://anongit.mindrot.org/openssh.git/commit/krl.c?id=2cd7929250cf9e9f658d70dcd452f529ba08c942
>
>> On Thu, 13 Nov 2014, Peter Ankerst?l wrote:
>>
>> Hi!
>>
>> It seems to be a problem when I have revoked keys from multiple CAs in one KRL
>> file.
>>
>> ssh refuses access and says:
>> Nov 13 13:32:15 q sshd[35438]: error: buffer_get_string_ptr: bad string length
>> 268032
>> Nov 13 13:32:15 q sshd[35438]: error: parse_revoked_certs: buffer error
>> Nov 13 13:32:15 q sshd[35438]: error: Invalid KRL, refusing public key
>> authentication
>>
>> How would I revoke keys from multiple CAs then? if I put multiple RevokedKeys
>> it only considers one file.
>>
>> The KRL is generated by:
>> ssh-keygen -k -u -f revoked_keys.bin -s ca1.pub revoked_keys1
>> ssh-keygen -k -u -f revoked_keys.bin -s ca2.pub revoked_keys2
>>
>>
>> revokes_keys[1-2] has the format:
>> serial: 2134
>> serial: 2343
>> serial: 2842
>> serial: 8795
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2532 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20141114/de4998e8/attachment.bin>
More information about the openssh-unix-dev
mailing list