revoking ssh-cert.pub with serial revokes also younger certs

Jakob Schürz wertstoffe at schuerz.at
Tue Sep 17 01:12:36 AEST 2019


Hi Damien!


Hmmm... I thought about it a little...

When I use -vvv with ssh-keygen -Qf I see "debug1:...". So I think debug
is compiled in.

ssh-keygen --help gives me

ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ...

so... option -z is not the serial of the certificate, it is the
version number of the KRL file...

My openssh version from Debian is 1:7.4p1-10+deb9u7. Maybe this
openssh version does not support revoking a certificate by its
serial number. This leads me to the next question... Is the serial number of
a certificate unique over all certificates, or is it allowed to
increment serial numbers for each certificate separately? How is the design?


thank you

jakob

On 16.09.19 at 04:18, Damien Miller wrote:
> On Fri, 13 Sep 2019, Jakob Schürz wrote:
>
>> Hi there!
>>
>> What am I doing wrong?
>>
>> I created an ssh certificate
>>
>> id_user_rsa-cert.pub with this dump:
>>
>> id_user_rsa-cert.pub:
>> root at host # ssh-keygen -Lf id_user_rsa-cert.pub
>>         Type: ssh-rsa-cert-v01 at openssh.com user certificate
>>         Public key: RSA-CERT SHA256:kPitwgxblaUH4viBoFoozSPq9Pblubbedk
>>         Signing CA: ED25519 SHA256:8p2foobarQo3Tfcblubb5+I5cboeckvpnktiHdUs
>>         Key ID: "test at myhost.mydomain.example"
>>         Serial: 18
>>         Valid: from 2019-07-29T02:08:00 to 2020-07-28T02:09:43
>>         Principals:
>>                 test
>>         Critical Options: (none)
>>         Extensions:
>>                 permit-X11-forwarding
>>                 permit-agent-forwarding
>>                 permit-port-forwarding
>>                 permit-pty
>>                 permit-user-rc
>>
>>
>> Now I try to revoke this certificate with
>>
>> ssh-keygen -s ../user_ca.pub -kf /etc/ssh/revoked_keys -z 17
>> id_user_rsa-cert.pub
>>
>> The serial is 1 less than the serial of my created certificate
>>
>> Check if my certificate is valid
>>
>> root at host # ssh-keygen -Qf /etc/ssh/revoked_keys id_user_rsa-cert.pub
>> id_user_rsa-cert.pub (test on myhost - created by ansible (1564358942)):
>> REVOKED
>>
>> Why? I thought, when I use -s <Serialnumber> only this specific
>> certificate for a pubkey is revoked...
> If you compile krl.c with -DDEBUG_KRL=1 then you can get some extra
> debugging that might show what is going on. You'll probably need to
> add -vvv to ssh-keygen's flags too.
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
lore ipsum
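The help text quoted above gives the answer to the first half of the thread: in KRL mode (ssh-keygen -k) the -z option is the KRL version number, while in signing mode (ssh-keygen -s) it is the certificate serial. Revoking one certificate by serial is done with a KRL spec file line of the form `serial: N` (or `serial: N-M` for a range) together with the CA public key, and when a certificate file itself is passed to ssh-keygen -k with -s, it is revoked by its own serial (18 in the dump above), which is why the serial-18 certificate shows as REVOKED regardless of `-z 17`. The script below is an added example, not code from the thread or from the OpenSSH project: it builds a throwaway CA, signs the same user key with serials 17 and 18, revokes only serial 17 through a spec file, and checks both certificates against the resulting KRL. It assumes ssh-keygen is on PATH; every file name, key ID, principal and serial in it is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): build a throwaway CA,
# sign the same user key twice with serials 17 and 18, then revoke ONLY serial
# 17 through a KRL spec file and check both certificates against the KRL.
# Assumes ssh-keygen is on PATH; every file name, key ID and serial below is
# made up for this demonstration.
set -eu

# check_cert KRL CERT: prints "ok" or "revoked" and returns 0 / 1 to match.
# ssh-keygen -Q exits non-zero when any listed key is revoked.
check_cert() {
    if ssh-keygen -Qf "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo revoked
        return 1
    fi
}

# run_demo DIR: performs the whole workflow inside DIR and prints the
# verdicts for serial 17 and serial 18, e.g. "revoked ok".
run_demo() {
    dir=$1

    # Throwaway CA and user key (no passphrase, constructed for the demo).
    ssh-keygen -q -t ed25519 -N '' -C 'demo CA' -f "$dir/user_ca"
    ssh-keygen -q -t ed25519 -N '' -C 'demo user' -f "$dir/id_user"

    # Two certificates for one public key. In signing mode (-s CA_PRIVATE),
    # -z IS the certificate serial. Output lands in cert17-cert.pub etc.
    cp "$dir/id_user.pub" "$dir/cert17.pub"
    cp "$dir/id_user.pub" "$dir/cert18.pub"
    ssh-keygen -q -s "$dir/user_ca" -I demo-user -n demo-user -z 17 "$dir/cert17.pub"
    ssh-keygen -q -s "$dir/user_ca" -I demo-user -n demo-user -z 18 "$dir/cert18.pub"

    # KRL spec file: "serial: N" (or "serial: N-M" for a range) revokes by
    # serial under the CA given with -s. In KRL mode (-k), -z is the KRL
    # version number, not a serial.
    printf 'serial: 17\n' > "$dir/revoke.spec"
    ssh-keygen -q -k -f "$dir/revoked_keys" -s "$dir/user_ca.pub" -z 1 \
        "$dir/revoke.spec"

    # Check each certificate; "|| true" keeps set -e from aborting on "revoked".
    v17=$(check_cert "$dir/revoked_keys" "$dir/cert17-cert.pub") || true
    v18=$(check_cert "$dir/revoked_keys" "$dir/cert18-cert.pub") || true
    echo "$v17 $v18"
}

# Stand-alone use:  sh krl_serial_demo.sh --run
if [ "${1:-}" = "--run" ]; then
    work=$(mktemp -d)
    run_demo "$work"
    rm -rf "$work"
fi
```

Run it with `sh krl_serial_demo.sh --run`; the expected verdict line is `revoked ok`. On the design question raised in the reply: the KRL format records serial-based revocations in a section keyed by the CA public key, so a serial only has to be unique among the certificates issued by one CA, and a monotonically increasing counter per CA is the usual choice. Keeping serials unique per CA is also what makes a revocation entry unambiguous, since a KRL serial range covers every certificate that CA ever signed with a serial in that range.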