bugzilla-daemon at bugzilla.mindrot.org
2019-Apr-06 16:54 UTC
[Bug 2989] New: Revoking certificates when TrustedUserCAKeys-file contains multiple keys does not work
https://bugzilla.mindrot.org/show_bug.cgi?id=2989

Bug ID: 2989
Summary: Revoking certificates when TrustedUserCAKeys-file contains multiple keys does not work
Product: Portable OpenSSH
Version: 7.9p1
Hardware: amd64
OS: FreeBSD
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: peter at pean.org

If you are using multiple different CA-keys for authenticating users, you list them (one per line) in a file and point to it using TrustedUserCAKeys. So far so good.

Let's say I have TrustedUserCAKeys /etc/ssh/user_ca.pub in sshd_config. But when you then try to revoke a certificate you would naturally use

    ssh-keygen -k -s /etc/ssh/user_ca.pub -f revoked.bin revoked

but this will not work. ssh-keygen will only revoke serials or key ids from the first CA in /etc/ssh/user_ca.pub.

--
You are receiving this mail because:
You are watching the assignee of the bug.
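Added example, not part of the bug report and not OpenSSH code: assuming, as the report above describes, that ssh-keygen -k -s uses only the first key of a multi-key file, this script splits the TrustedUserCAKeys file and runs ssh-keygen once per CA so the resulting KRL carries the serial/ID revocations for every CA. The function names split_ca_file and build_krl and the script name are hypothetical; the paths are the reporter's.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# split_ca_file CA_FILE OUT_DIR
# Copies each key line of CA_FILE (blank lines and '#' comments skipped)
# to OUT_DIR/ca-N.pub and prints the number of CA keys found.
split_ca_file() {
    ca_file=$1 out_dir=$2 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
        case $line in ''|'#'*) continue ;; esac
        n=$((n + 1))
        printf '%s\n' "$line" > "$out_dir/ca-$n.pub"
    done < "$ca_file"
    echo "$n"
}

# build_krl CA_FILE SPEC_FILE KRL_OUT
# Runs "ssh-keygen -k -s" once per CA so that "serial:" and "id:" lines in
# SPEC_FILE are recorded under every CA, not only the first key in CA_FILE.
build_krl() {
    ca_file=$1 spec=$2 krl=$3
    work=$(mktemp -d) || return 1
    count=$(split_ca_file "$ca_file" "$work")
    if [ "$count" -eq 0 ]; then
        echo "no CA keys found in $ca_file" >&2
        rm -rf "$work"
        return 1
    fi
    i=1
    while [ "$i" -le "$count" ]; do
        # -u refuses to run when the KRL does not exist yet, so the first
        # CA creates the file and the remaining CAs update it.
        if [ "$i" -eq 1 ]; then update=""; else update="-u"; fi
        ssh-keygen -k $update -f "$work/krl" -s "$work/ca-$i.pub" "$spec" \
            || { rm -rf "$work"; return 1; }
        i=$((i + 1))
    done
    # Spot-check afterwards with: ssh-keygen -Q -f KRL_OUT some-cert.pub
    mv "$work/krl" "$krl" && rm -rf "$work"
}

# Usage: sh build-krl.sh /etc/ssh/user_ca.pub revoked revoked.bin
if [ "$#" -eq 3 ]; then
    build_krl "$@"
fi
```

The same spec file is applied under every CA, so a serial listed once is revoked for each of them; keep one spec file per CA if their serial ranges overlap.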
bugzilla-daemon at bugzilla.mindrot.org
2019-May-10 04:47 UTC
[Bug 2989] Revoking certificates when TrustedUserCAKeys-file contains multiple keys does not work
https://bugzilla.mindrot.org/show_bug.cgi?id=2989

Damien Miller <djm at mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Are you specifying "revoked" as a literal key? If so, these are revoked by the signature key in the certificate, not the one on the command line (I think).
bugzilla-daemon at mindrot.org
2023-Oct-11 05:54 UTC
[Bug 2989] Revoking certificates when TrustedUserCAKeys-file contains multiple keys does not work
https://bugzilla.mindrot.org/show_bug.cgi?id=2989

Damien Miller <djm at mindrot.org> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Resolution |---     |WORKSFORME
Status     |NEW     |RESOLVED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Closing for lack of followup