Use of "no-touch-required" with "cert-authority"
Damien Miller
djm at mindrot.org
Tue Feb 18 16:43:47 AEDT 2020
On Mon, 17 Feb 2020, Ron Frederick wrote:
> The other issue I ran across is that specifying “-O no-touch-required”
> when generating the certificate didn’t work, despite that being
> documented in the man page. It appears that ssh-keygen treats this
> keyword as an unknown “critical” value, rather than an “extension”.
> So, the generated certificate ended up looking something like:
>
> Critical Options:
> no-touch-required UNKNOWN OPTION (len 0)
This should fix that problem. I'll take a look at the others separately.
Index: ssh-keygen.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v
retrieving revision 1.398
diff -u -p -r1.398 ssh-keygen.c
--- ssh-keygen.c 7 Feb 2020 03:27:54 -0000 1.398
+++ ssh-keygen.c 18 Feb 2020 05:43:41 -0000
@@ -1656,7 +1656,7 @@ prepare_options_buf(struct sshbuf *c, in
if ((which & OPTIONS_EXTENSIONS) != 0 &&
(certflags_flags & CERTOPT_USER_RC) != 0)
add_flag_option(c, "permit-user-rc");
- if ((which & OPTIONS_CRITICAL) != 0 &&
+ if ((which & OPTIONS_EXTENSIONS) != 0 &&
(certflags_flags & CERTOPT_NO_REQUIRE_USER_PRESENCE) != 0)
add_flag_option(c, "no-touch-required");
if ((which & OPTIONS_CRITICAL) != 0 &&
More information about the openssh-unix-dev
mailing list