Jakob Schürz
2019-Sep-13 14:54 UTC
revoking ssh-cert.pub with serial revokes also younger certs
Hi there!

What am I doing wrong?

I created an ssh certificate id_user_rsa-cert.pub with this dump:

root@host # ssh-keygen -Lf id_user_rsa-cert.pub
id_user_rsa-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:kPitwgxblaUH4viBoFoozSPq9Pblubbedk
        Signing CA: ED25519 SHA256:8p2foobarQo3Tfcblubb5+I5cboeckvpnktiHdUs
        Key ID: "test@myhost.mydomain.example"
        Serial: 18
        Valid: from 2019-07-29T02:08:00 to 2020-07-28T02:09:43
        Principals:
                test
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc

Now I try to revoke this certificate with

    ssh-keygen -s ../user_ca.pub -kf /etc/ssh/revoked_keys -z 17 id_user_rsa-cert.pub

The serial is 1 less than the serial of my created certificate.

Check if my certificate is valid:

root@host # ssh-keygen -Qf /etc/ssh/revoked_keys id_user_rsa-cert.pub
id_user_rsa-cert.pub (test on myhost - created by ansible (1564358942)): REVOKED

Why? I thought, when I use -s <Serialnumber>, only this specific certificate for a pubkey is revoked...

jakob
Damien Miller
2019-Sep-16 02:18 UTC
revoking ssh-cert.pub with serial revokes also younger certs
On Fri, 13 Sep 2019, Jakob Schürz wrote:

> Hi there!
>
> What am I doing wrong?
>
> I created an ssh certificate id_user_rsa-cert.pub with this dump:
>
> root@host # ssh-keygen -Lf id_user_rsa-cert.pub
> id_user_rsa-cert.pub:
>         Type: ssh-rsa-cert-v01@openssh.com user certificate
>         Public key: RSA-CERT SHA256:kPitwgxblaUH4viBoFoozSPq9Pblubbedk
>         Signing CA: ED25519 SHA256:8p2foobarQo3Tfcblubb5+I5cboeckvpnktiHdUs
>         Key ID: "test@myhost.mydomain.example"
>         Serial: 18
>         Valid: from 2019-07-29T02:08:00 to 2020-07-28T02:09:43
>         Principals:
>                 test
>         Critical Options: (none)
>         Extensions:
>                 permit-X11-forwarding
>                 permit-agent-forwarding
>                 permit-port-forwarding
>                 permit-pty
>                 permit-user-rc
>
> Now I try to revoke this certificate with
>
>     ssh-keygen -s ../user_ca.pub -kf /etc/ssh/revoked_keys -z 17 id_user_rsa-cert.pub
>
> The serial is 1 less than the serial of my created certificate.
>
> Check if my certificate is valid:
>
> root@host # ssh-keygen -Qf /etc/ssh/revoked_keys id_user_rsa-cert.pub
> id_user_rsa-cert.pub (test on myhost - created by ansible (1564358942)): REVOKED
>
> Why? I thought, when I use -s <Serialnumber>, only this specific
> certificate for a pubkey is revoked...

If you compile krl.c with -DDEBUG_KRL=1 then you can get some extra debugging that might show what is going on. You'll probably need to add -vvv to ssh-keygen's flags too.

-d
Jakob Schürz
2019-Sep-16 15:12 UTC
revoking ssh-cert.pub with serial revokes also younger certs
Hi Damien!

Hmmm... thought about it a little... When I use -vvv with ssh-keygen -Qf I see "debug1:...", so I think debug is compiled in.

ssh-keygen --help gives me

    ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ...

so... option -z is not the serial of the certificate, it is the version number of the KRL file...

My OpenSSH version from Debian is 1:7.4p1-10+deb9u7. Maybe this OpenSSH version does not support revoking a certificate by its serial number.

This leads me to the next question... Is the serial number of a certificate unique over all certificates, or is it allowed to increment serial numbers for each certificate separately? How is the design?

thank you
jakob

Am 16.09.19 um 04:18 schrieb Damien Miller:
> On Fri, 13 Sep 2019, Jakob Schürz wrote:
>
>> Hi there!
>>
>> What am I doing wrong?
>>
>> I created an ssh certificate id_user_rsa-cert.pub with this dump:
>>
>> root@host # ssh-keygen -Lf id_user_rsa-cert.pub
>> id_user_rsa-cert.pub:
>>         Type: ssh-rsa-cert-v01@openssh.com user certificate
>>         Public key: RSA-CERT SHA256:kPitwgxblaUH4viBoFoozSPq9Pblubbedk
>>         Signing CA: ED25519 SHA256:8p2foobarQo3Tfcblubb5+I5cboeckvpnktiHdUs
>>         Key ID: "test@myhost.mydomain.example"
>>         Serial: 18
>>         Valid: from 2019-07-29T02:08:00 to 2020-07-28T02:09:43
>>         Principals:
>>                 test
>>         Critical Options: (none)
>>         Extensions:
>>                 permit-X11-forwarding
>>                 permit-agent-forwarding
>>                 permit-port-forwarding
>>                 permit-pty
>>                 permit-user-rc
>>
>> Now I try to revoke this certificate with
>>
>>     ssh-keygen -s ../user_ca.pub -kf /etc/ssh/revoked_keys -z 17 id_user_rsa-cert.pub
>>
>> The serial is 1 less than the serial of my created certificate.
>>
>> Check if my certificate is valid:
>>
>> root@host # ssh-keygen -Qf /etc/ssh/revoked_keys id_user_rsa-cert.pub
>> id_user_rsa-cert.pub (test on myhost - created by ansible (1564358942)): REVOKED
>>
>> Why? I thought, when I use -s <Serialnumber>, only this specific
>> certificate for a pubkey is revoked...
>
> If you compile krl.c with -DDEBUG_KRL=1 then you can get some extra
> debugging that might show what is going on. You'll probably need to
> add -vvv to ssh-keygen's flags too.
>
> -d
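The following script is an added, runnable illustration of the point the thread circles around; it is not from the thread or from the OpenSSH project. With `ssh-keygen -k`, `-z` sets the version number of the KRL being written, the same way the man page describes it, while the serial of a certificate is only set by `-z` at signing time (`ssh-keygen -s`). When a certificate file is handed to `-k` directly, ssh-keygen revokes it by its own serial under its signing CA, or by its key ID when the serial is 0, so the `-z 17` in the original command never mattered: serial 18 was revoked because that is the serial inside the file. To revoke a chosen serial or key ID without the certificate at hand, a KRL specification file with `serial:` or `id:` lines plus `-s ca.pub` does it. The CA, the three keys (u0, u18, u19), the key ID `test@host` and the serials are all constructed for the demo; the script needs an `ssh-keygen` on PATH with KRL support (already present in the 7.4 release mentioned above) and prints `skip` if none is installed.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: what ssh-keygen -k
# actually revokes. CA, key names, key ID "test@host" and serials 0/18/19
# are constructed for this demo.

# krl_status <krl> <cert>: print "ok" or "REVOKED" for one cert against one KRL
# (ssh-keygen -Q prints "file (comment): ok|REVOKED" and exits 1 when revoked).
krl_status() {
    ssh-keygen -Q -f "$1" "$2" 2>/dev/null | sed -n '1s/.*: //p'
}

# krl_demo: build a CA, three certs and four KRLs, print one line per scenario.
krl_demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo skip; return 0; }
    d=$(mktemp -d) || return 1
    cd "$d" || return 1

    ssh-keygen -q -t ed25519 -N '' -C 'demo CA' -f ca
    for k in u0 u18 u19; do
        ssh-keygen -q -t ed25519 -N '' -C "$k" -f "$k"
    done
    # Same CA, same key ID, different serials. u0 is signed without -z,
    # so its serial is 0; -z at signing time is the certificate serial.
    ssh-keygen -q -s ca -I 'test@host' -n test       u0.pub
    ssh-keygen -q -s ca -I 'test@host' -n test -z 18 u18.pub
    ssh-keygen -q -s ca -I 'test@host' -n test -z 19 u19.pub

    # A: the command from the thread. Here -z 17 is the KRL version; the
    #    cert file is revoked by the serial inside it (18), 19 is untouched.
    ssh-keygen -k -f krlA -s ca.pub -z 17 u18-cert.pub

    # B: revoke a chosen serial through a KRL specification file. The
    #    serial: and id: directives need the CA given with -s.
    printf 'serial: 18\n' > specB
    ssh-keygen -k -f krlB -s ca.pub -z 1 specB

    # C: revoke by key ID: every cert from this CA carrying the ID is hit.
    printf 'id: test@host\n' > specC
    ssh-keygen -k -f krlC -s ca.pub -z 1 specC

    # D: a serial-0 cert given directly is revoked by its key ID, which
    #    also takes out the "younger" serials 18 and 19 with the same ID.
    ssh-keygen -k -f krlD -s ca.pub -z 1 u0-cert.pub

    for s in A B C D; do
        echo "$s u0=$(krl_status "krl$s" u0-cert.pub)" \
             "u18=$(krl_status "krl$s" u18-cert.pub)" \
             "u19=$(krl_status "krl$s" u19-cert.pub)"
    done
    cd / && rm -rf "$d"
}

krl_demo
```

Scenarios A and B end up with the same KRL content (serial 18 revoked, 0 and 19 fine); C and D revoke all three, which is what a CA that issues every certificate with the same key ID, or with serial 0, should expect. For a fleet that needs per-certificate revocation, issue monotonically increasing serials from the CA and revoke with `serial:` lines (ranges like `serial: 10-20` are accepted too), keeping the KRL version in `-z` increasing on each `-u` update so that clients can tell a newer list from an older one.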