Use of "no-touch-required" with "cert-authority"
Ron Frederick
ronf at timeheart.net
Tue Feb 18 19:11:21 AEDT 2020
On Feb 17, 2020, at 9:43 PM, Damien Miller <djm at mindrot.org> wrote:
> On Mon, 17 Feb 2020, Ron Frederick wrote:
>> The other issue I ran across is that specifying “-O no-touch-required”
>> when generating the certificate didn’t work, despite that being
>> documented in the man page. It appears that ssh-keygen treats this
>> keyword as an unknown “critical” value, rather than an “extension”.
>> So, the generated certificate ended up looking something like:
>>
>> Critical Options:
>> no-touch-required UNKNOWN OPTION (len 0)
>
> This should fix that problem. I'll take a look at the others separately.
>
>
> Index: ssh-keygen.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v
> retrieving revision 1.398
> diff -u -p -r1.398 ssh-keygen.c
> --- ssh-keygen.c 7 Feb 2020 03:27:54 -0000 1.398
> +++ ssh-keygen.c 18 Feb 2020 05:43:41 -0000
> @@ -1656,7 +1656,7 @@ prepare_options_buf(struct sshbuf *c, in
> if ((which & OPTIONS_EXTENSIONS) != 0 &&
> (certflags_flags & CERTOPT_USER_RC) != 0)
> add_flag_option(c, "permit-user-rc");
> - if ((which & OPTIONS_CRITICAL) != 0 &&
> + if ((which & OPTIONS_EXTENSIONS) != 0 &&
> (certflags_flags & CERTOPT_NO_REQUIRE_USER_PRESENCE) != 0)
> add_flag_option(c, "no-touch-required");
> if ((which & OPTIONS_CRITICAL) != 0 &&
Thanks - that does indeed seem to fix the problem of needing to add “extension:” explicitly.
--
Ron Frederick
ronf at timeheart.net
More information about the openssh-unix-dev
mailing list