SSH cert extensions and authz key options
Damien Miller
djm at mindrot.org
Thu Jan 25 14:31:22 AEDT 2018
On Wed, 24 Jan 2018, Michael Ströder wrote:
> >> Are SSH cert extensions and authz key options treated case-insensitive?
> >> [1] does not say anything about this.
> >
> > Cert extensions are case sensitive
> >
> > authorized_keys options aren't.
>
> Sorry for nitpicking some more:
>
> Man page ssh-keygen(1) -O says lower-case "permit-x11-forwarding" [1]

That's a typo. I'll commit a fix. It should be "permit-X11-forwarding"

> Also [2] says that options and extensions have to be "lexically
> ordered". What does that mean exactly regarding the case?
>
> E.g. in Python it makes a difference sorting case-sensitive or
> case-insensitive because capital letters are considered lower. Same in
> OpenSSH code?

Sorting should be case sensitive, i.e. upper-case first.

> $ python3
> Python 3.6.4 (default, Jan 03 2018, 13:52:55) [GCC] on linux
> Type "help", "copyright", "credits" or "license" for more information.
> >>> sorted(['permit-port-forwarding','permit-X11-forwarding','permit-pty'])
> ['permit-X11-forwarding', 'permit-port-forwarding', 'permit-pty']

This is the correct ordering, but you only need to worry about that
if you're writing certificates with your own code. ssh-keygen takes care
of putting things in the right order if you're using that to generate
certificates.

(also, I don't think the order is enforced anyway).

-d
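
For anyone writing certificates with their own code, as discussed in the message above, here is an added example (not from the thread or from OpenSSH) that serializes and re-checks an extensions section in case-sensitive byte order. It assumes the `string name, string data` tuple layout of OpenSSH's PROTOCOL.certkeys; the function names and the sample set are constructed for illustration.

```python
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def encode_extensions(extensions: dict) -> bytes:
    """Serialize {name: data} as (string name, string data) tuples.

    Names are sorted by byte value, i.e. case-sensitively, so
    'permit-X11-forwarding' precedes 'permit-port-forwarding'.
    """
    out = b""
    for name in sorted(extensions, key=lambda n: n.encode("ascii")):
        out += ssh_string(name.encode("ascii")) + ssh_string(extensions[name])
    return out

def decode_extensions(blob: bytes) -> list:
    """Parse the tuple sequence back into [(name, data), ...] in wire order."""
    items, pos = [], 0

    def take() -> bytes:
        nonlocal pos
        if pos + 4 > len(blob):
            raise ValueError("truncated length")
        (n,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field")
        field = blob[pos:pos + n]
        pos += n
        return field

    while pos < len(blob):
        name = take()
        items.append((name.decode("ascii"), take()))
    return items

def out_of_order(names: list) -> list:
    """Names that are not strictly greater (bytewise) than their predecessor."""
    raw = [n.encode("ascii") for n in names]
    return [names[i] for i in range(1, len(raw)) if raw[i] <= raw[i - 1]]

# Constructed sample: the three flag extensions named in the thread, empty data.
SAMPLE = {n: b"" for n in
          ["permit-port-forwarding", "permit-X11-forwarding", "permit-pty"]}
```

`out_of_order` also reports duplicate names, since a repeated name is not strictly greater than the one before it.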