Corrupt KRL file when using multiple CA.
Damien Miller
djm at mindrot.org
Sat Nov 15 21:16:51 EST 2014
On Fri, 14 Nov 2014, Peter Ankerst?l wrote:
> I recompiled openssh with that line added to krl.c but it gives the same
> result:
>
> debug1: KRL version 0 generated at 20141114T080704
> debug3: ssh_krl_from_blob: first pass, section 0x01
> debug3: ssh_krl_from_blob: first pass, section 0x01
> debug3: ssh_krl_from_blob: second pass, section 0x01
> debug3: parse_revoked_certs: subsection type 0x20
> debug3: revoked_certs_for_ca_key: new CA RSA
> debug3: parse_revoked_certs: subsection type 0x22
> debug3: parse_revoked_certs: subsection type 0x20
> debug3: ssh_krl_from_blob: second pass, section 0x01
> debug3: parse_revoked_certs: subsection type 0x20
> debug3: parse_revoked_certs: subsection type 0x22
> debug3: parse_revoked_certs: subsection type 0x20
> buffer_get_string_ptr: bad string length 268032
> parse_revoked_certs: buffer error
> Invalid KRL, refusing public key authentication
Did you regenerate the KRL after patching OpenSSH? The bug is in KRL
generation, not reading.
-d
More information about the openssh-unix-dev
mailing list