Use of "no-touch-required" with "cert-authority"

Damien Miller djm at mindrot.org
Tue Feb 18 16:43:47 AEDT 2020


On Mon, 17 Feb 2020, Ron Frederick wrote:

> The other issue I ran across is that specifying “-O no-touch-required”
> when generating the certificate didn’t work, despite that being
> documented in the man page. It appears that ssh-keygen treats this
> keyword as an unknown “critical” value, rather than an “extension”.
> So, the generated certificate ended up looking something like:
>
>         Critical Options: 
>                 no-touch-required UNKNOWN OPTION (len 0)

This should fix that problem. I'll take a look at the others separately.


Index: ssh-keygen.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v
retrieving revision 1.398
diff -u -p -r1.398 ssh-keygen.c
--- ssh-keygen.c	7 Feb 2020 03:27:54 -0000	1.398
+++ ssh-keygen.c	18 Feb 2020 05:43:41 -0000
@@ -1656,7 +1656,7 @@ prepare_options_buf(struct sshbuf *c, in
 	if ((which & OPTIONS_EXTENSIONS) != 0 &&
 	    (certflags_flags & CERTOPT_USER_RC) != 0)
 		add_flag_option(c, "permit-user-rc");
-	if ((which & OPTIONS_CRITICAL) != 0 &&
+	if ((which & OPTIONS_EXTENSIONS) != 0 &&
 	    (certflags_flags & CERTOPT_NO_REQUIRE_USER_PRESENCE) != 0)
 		add_flag_option(c, "no-touch-required");
 	if ((which & OPTIONS_CRITICAL) != 0 &&
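Review bot: moving the CERTOPT_NO_REQUIRE_USER_PRESENCE flag from the OPTIONS_CRITICAL branch to OPTIONS_EXTENSIONS matches the permit-user-rc pattern directly above it and the documented behaviour, but certificates already minted with the old code carry no-touch-required as a critical option, which a verifier must reject as an unknown critical option; the commit message should say that such certificates need to be re-issued. It is also worth confirming that the certificate printing and parsing side recognises the name, since the quoted output shows it rendered as "UNKNOWN OPTION (len 0)", and this hunk only changes which option list ssh-keygen writes it into.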

