CertificateFile and related patches

Adam Eijdenberg adam at continusec.com
Mon Oct 31 14:55:54 AEDT 2016


Hi OpenSSH,

We've started using openssh certificates for server access in our team
and came across a regression (introduced in
https://github.com/openssh/openssh-portable/commit/4e44a79a07d4b88b6a4e5e8c1bed5f58c841b1b8)
whereby our local clients who were able to successfully connect using
version 6.9, were not able to do so with the same configuration on
version 7.2.

Our configs for clients look roughly like:

    IdentityFile /Users/aeijdenberg/.ssh/id_shortlived_rsa
    IdentitiesOnly yes

and in our .ssh directory we have:

id_shortlived_rsa
id_shortlived_rsa-cert.pub

but no "id_shortlived_rsa.pub".

The reason we don't have the "id_shortlived_rsa.pub" is that we didn't
want our users accidentally adding that to any authorized_keys files
or linking to their Git accounts, since it will rotate often.

I wrote some tests demonstrating the issue, and created a patch that I
believe solves the problem. While doing so I came across a few other
issues related to specifying certificates.

For example, while specifying an IdentityFile will automatically load
a certificate with the same name (and common suffix), the reverse is
not true, which would be convenient for our usage.

Additionally, when a CertificateFile is explicitly listed, if no
IdentityFiles are listed, then implicit paths such as ~/.ssh/id_rsa
are used, even when IdentitiesOnly=yes is set.

I created tests for each of these, and a series of commits that I
think fixes each one.

I see there is a related bug here for our original issue, so it looks
like we are not the only ones operating in this type of configuration:
https://bugzilla.mindrot.org/show_bug.cgi?id=2617

Appreciate your consideration. I'm a first time openssh contributor,
so apologies if I've missed any steps in the process.

I rolled this up into a pull request here:
https://github.com/openssh/openssh-portable/pull/53

I suspect that isn't how you actually pull the changes in, but thought
it would be a meaningful way to share a link to the patches.

Cheers, Adam
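As an added example (not code from this mail, from the linked pull request or from OpenSSH), a small Python lint that recreates the key layout the post describes in a temporary directory and flags the three conditions it reports. The file names are constructed placeholders and the checks look only at which files exist, not at key contents.

```python
# Lint an ssh_config fragment for the certificate layouts described in the mail above.
# Added example, not code from OpenSSH or from the poster's pull request; the three
# checks mirror the three problems the mail reports. Paths must be absolute or ~-relative.
import os
import tempfile

def parse_client_config(text):
    """Collect IdentityFile, CertificateFile and IdentitiesOnly (keys are case-insensitive)."""
    opts = {"identityfile": [], "certificatefile": [], "identitiesonly": "no"}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key Value" or "Key=Value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key in ("identityfile", "certificatefile"):
            opts[key].append(os.path.expanduser(value))
        elif key == "identitiesonly":
            opts[key] = value.lower()
    return opts

def lint_certificates(text):
    """Return one finding string per pitfall present in this client config."""
    opts = parse_client_config(text)
    identities, findings = opts["identityfile"], []
    for ident in identities:
        # Issue 1: key plus -cert.pub but no .pub; 6.9 connected with this, 7.2 did not.
        if os.path.exists(ident + "-cert.pub") and not os.path.exists(ident + ".pub"):
            findings.append(f"{ident}: -cert.pub present but .pub missing")
    for cert in opts["certificatefile"]:
        # Issue 2: an IdentityFile implies its cert, but a CertificateFile implies no key.
        stem = cert[:-len("-cert.pub")] if cert.endswith("-cert.pub") else cert
        if stem not in identities:
            findings.append(f"{cert}: CertificateFile has no matching IdentityFile")
    # Issue 3: with only CertificateFile set, default ids are tried despite IdentitiesOnly.
    if opts["certificatefile"] and not identities and opts["identitiesonly"] == "yes":
        findings.append("CertificateFile without IdentityFile: ~/.ssh/id_rsa etc. still tried")
    return findings

def demo():
    """Recreate the poster's layout in a temp dir (constructed placeholder files)."""
    ssh_dir = tempfile.mkdtemp()
    for name in ("id_shortlived_rsa", "id_shortlived_rsa-cert.pub"):
        open(os.path.join(ssh_dir, name), "w").close()
    key, cert = f"{ssh_dir}/id_shortlived_rsa", f"{ssh_dir}/id_shortlived_rsa-cert.pub"
    return {"identity_only": lint_certificates(f"IdentityFile {key}\nIdentitiesOnly yes\n"),
            "cert_only": lint_certificates(f"CertificateFile {cert}\nIdentitiesOnly yes\n")}
```

Running `demo()` reports one finding for the post's own layout (cert present, .pub absent) and two for a config that names only the CertificateFile.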

