ssh-keygen -V doesn't respect DST

Michael Ströder michael at stroeder.com
Tue Mar 29 00:48:30 AEDT 2022


On 3/28/22 11:23, Jan Schermer wrote:
> we just entered DST here in Czech Republic, and my CA started
> generating certificates with a +1h offset:
>
> ssh-keygen -U -s some-ca-key.pub -V 20220328110400:20220328112400 [..]
> 
> Signed user key 438-cert.pub: id
> "eed3f7c7-4809-46e7-892e-6e3642da59c8 " serial 0 valid from
> 2022-03-28T12:04:00 to 2022-03-28T12:24:00

Reading ssh-keygen(1) I have no clue whether time strings specified with
-V are supposed to be local time or UTC.

IMHO implying local time could cause all sorts of strange issues in case 
time-zone info is not correctly set for a service etc.

> Any plans to fix this? Apparently I am not the only person who
> encountered it
> https://github.com/cloudtools/ssh-ca/blob/master/ssh_ca/utils.py#L72

My own implementation only uses relative time format like "+4h". AFAICS 
the spec in PROTOCOL.certkeys defines the validity period based on 
time-stamps with seconds-since-epoch (UTC).

Ciao, Michael.
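
Added example, not part of the original message and not OpenSSH or ssh-ca code: a sketch of why an absolute `-V` string is ambiguous without a stated time zone, and how a CA wrapper can derive a relative spec from timezone-aware instants instead. The function names, the fixed UTC offsets (+1 and +2 standing in for Czech winter and summer time) and the sample clock value are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y%m%d%H%M%S"  # absolute form used in the quoted -V argument


def epoch_for(stamp: str, utc_offset_hours: int) -> int:
    """Epoch seconds if `stamp` is read as wall-clock time at a fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return int(datetime.strptime(stamp, FMT).replace(tzinfo=tz).timestamp())


def relative_validity(not_before: datetime, not_after: datetime,
                      now: datetime) -> str:
    """Build a relative -V spec ("-<n>s:+<n>s") from timezone-aware instants.

    Offsets are computed from absolute instants, so the result does not
    depend on the TZ or DST settings of the host that runs ssh-keygen.
    """
    for d in (not_before, not_after, now):
        if d.tzinfo is None:
            raise ValueError("naive datetime: attach an explicit timezone")
    back = int((now - not_before).total_seconds())
    ahead = int((not_after - now).total_seconds())
    if back < 0:
        raise ValueError("start lies in the future; a '-' offset cannot express it")
    if ahead <= 0:
        raise ValueError("end is not after the current time")
    return f"-{back}s:+{ahead}s"


# Constructed sample: the start stamp from the quoted command, read three ways.
STAMP = "20220328110400"
AS_UTC = epoch_for(STAMP, 0)
AS_WINTER = epoch_for(STAMP, 1)   # assumed UTC+1
AS_SUMMER = epoch_for(STAMP, 2)   # assumed UTC+2

# Constructed sample: intended window 11:04-11:24 at UTC+2, clock at 09:05 UTC.
CEST = timezone(timedelta(hours=2))
SPEC = relative_validity(
    datetime(2022, 3, 28, 11, 4, tzinfo=CEST),
    datetime(2022, 3, 28, 11, 24, tzinfo=CEST),
    now=datetime(2022, 3, 28, 9, 5, tzinfo=timezone.utc),
)
```

The three epoch values differ by whole hours for the same input string, while `SPEC` can be passed to `ssh-keygen -V` unchanged on any host because it carries no wall-clock component.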

