[Bug 2989] New: Revoking certificates when TrustedUserCAKeys-file contains multiple keys does not work

bugzilla-daemon at bugzilla.mindrot.org
Sun Apr 7 02:54:40 AEST 2019


https://bugzilla.mindrot.org/show_bug.cgi?id=2989

            Bug ID: 2989
           Summary: Revoking certificates when TrustedUserCAKeys-file
                    contains multiple keys does not work
           Product: Portable OpenSSH
           Version: 7.9p1
          Hardware: amd64
                OS: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: peter at pean.org

If you are using multiple different CA keys for authenticating users,
you list them (one per line) in a file and point to it using
TrustedUserCAKeys. So far so good.

Let's say I have TrustedUserCAKeys /etc/ssh/user_ca.pub in sshd_config.

But when you then try to revoke a certificate, you would naturally use
ssh-keygen -k -s /etc/ssh/user_ca.pub -f revoked.bin revoked, but this
will not work. ssh-keygen will only revoke serials or key ids from the
first CA in /etc/ssh/user_ca.pub.

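A defender-side workaround for the behaviour reported above, added here as an example and not part of the bug report or of OpenSSH: split the TrustedUserCAKeys file into one key per file and run ssh-keygen once per CA key, creating the KRL on the first pass and updating it (-u) on the rest. The file names, directories and the revocation-spec path are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): work around ssh-keygen honouring
# only the first key of a multi-key TrustedUserCAKeys file by splitting it
# into one CA key per file and updating one KRL once per CA.
# File names, directories and the revocation-spec path are assumptions.
set -eu

# Write each non-empty, non-comment line of a TrustedUserCAKeys file to its
# own file ca_1.pub, ca_2.pub, ... under outdir; print how many were written.
split_ca_keys() {
    cafile=$1
    outdir=$2
    mkdir -p "$outdir"
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        n=$((n + 1))
        printf '%s\n' "$line" > "$outdir/ca_$n.pub"
    done < "$cafile"
    echo "$n"
}

# Build one KRL covering every CA in cafile: ssh-keygen -k -s takes a single
# CA key, so run it per split key, creating the KRL first and then appending
# (-u) to it. spec is the revocation spec file (e.g. "serial: 42" lines).
build_krl() {
    cafile=$1
    krl=$2
    spec=$3
    tmp=$(mktemp -d)
    count=$(split_ca_keys "$cafile" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        if [ "$i" -eq 1 ]; then
            ssh-keygen -k -f "$krl" -s "$tmp/ca_$i.pub" "$spec"
        else
            ssh-keygen -k -u -f "$krl" -s "$tmp/ca_$i.pub" "$spec"
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$count"
}

# Usage (assumed paths):
#   build_krl /etc/ssh/user_ca.pub /etc/ssh/revoked.krl revoked
```

The resulting KRL is then referenced from sshd_config with RevokedKeys, and the same spec is applied under each CA, so a serial listed in it is revoked for certificates from every CA in the file rather than only the first.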