ssh-keygen -V doesn't respect DST
Michael Ströder
michael at stroeder.com
Tue Mar 29 00:48:30 AEDT 2022
On 3/28/22 11:23, Jan Schermer wrote:
> we just entered DST here in Czech Republic, and my CA started
> generating certificates with a +1h offset:
>
> ssh-keygen -U -s some-ca-key.pub -V 20220328110400:20220328112400 [..]
>
> Signed user key 438-cert.pub: id
> "eed3f7c7-4809-46e7-892e-6e3642da59c8 " serial 0 valid from
> 2022-03-28T12:04:00 to 2022-03-28T12:24:00
Reading ssh-keygen(1) I have no clue whether time strings specified with
-V are supposed to be local time or UTC.
IMHO implying local time could cause all sorts of strange issues in case
time-zone info is not correctly set for a service etc.
> Any plans to fix this? Apparently I am not the only person who
> encountered it
> https://github.com/cloudtools/ssh-ca/blob/master/ssh_ca/utils.py#L72
My own implementation only uses relative time format like "+4h". AFAICS
the spec in PROTOCOL.certkeys defines the validity period based on
time-stamps with seconds-since-epoch (UTC).
Ciao, Michael.
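
An added illustration, not part of the original message and not OpenSSH code: it shows how far apart the seconds-since-epoch validity window lands depending on which timezone the `-V` string quoted above is read in, and how each result would be displayed on a host in DST. The fixed UTC+1/UTC+2 offsets for CET/CEST and all function names are assumptions of this example; it makes no claim about how ssh-keygen itself parses `-V`.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets so the example runs without a tz database (assumption:
# Czech Republic is UTC+1 in winter and UTC+2 during DST).
UTC = timezone.utc
CET = timezone(timedelta(hours=1), "CET")
CEST = timezone(timedelta(hours=2), "CEST")

FMT = "%Y%m%d%H%M%S"


def window_epoch(spec, tz):
    """Parse 'YYYYMMDDHHMMSS:YYYYMMDDHHMMSS' as wall-clock time in tz and
    return (valid_after, valid_before) as seconds since the epoch."""
    start, sep, end = spec.partition(":")
    if not sep:
        raise ValueError("expected start:end")
    after, before = (
        int(datetime.strptime(part, FMT).replace(tzinfo=tz).timestamp())
        for part in (start, end)
    )
    if before <= after:
        raise ValueError("validity window is empty or reversed")
    return after, before


def shown_as(epoch, tz):
    """Render an epoch timestamp the way a tool printing in tz would."""
    return datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%dT%H:%M:%S")


def interpretations(spec, display_tz=CEST):
    """Map each candidate reading of spec to its epoch window and to the
    start time as displayed in display_tz."""
    out = {}
    for tz in (UTC, CET, CEST):
        after, before = window_epoch(spec, tz)
        out[tz.tzname(None)] = (after, before, shown_as(after, display_tz))
    return out


if __name__ == "__main__":
    spec = "20220328110400:20220328112400"  # -V argument quoted in the thread
    for name, (after, before, shown) in interpretations(spec).items():
        print(f"{name:4} valid_after={after} valid_before={before} shown={shown}")
```

Comparing the intended epoch window against the values a signed certificate actually carries is a quick CA-side check that the window was not shifted by a timezone assumption.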