bugzilla-daemon at mindrot.org
2021-May-13 01:57 UTC
[Bug 3311] New: Certificate validity "forever" is not documented in PROTOCOL.certkeys
https://bugzilla.mindrot.org/show_bug.cgi?id=3311
Bug ID: 3311
Summary: Certificate validity "forever" is not documented in PROTOCOL.certkeys
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Documentation
Assignee: unassigned-bugs at mindrot.org
Reporter: mariano.cano at gmail.com
PROTOCOL.certkeys does not document the special case when "valid before" is set to 0. A certificate like this will always be valid ("forever").

This is the current text in PROTOCOL.certkeys:

```
"valid after" and "valid before" specify a validity period for the
certificate. Each represents a time in seconds since 1970-01-01
00:00:00. A certificate is considered valid if:
    valid after <= current time < valid before
```

With that description a certificate with "valid before" set to 0 will not be valid.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-May-13 04:27 UTC
[Bug 3311] Certificate validity "forever" is not documented in PROTOCOL.certkeys
https://bugzilla.mindrot.org/show_bug.cgi?id=3311
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
What special case are you referring to? AFAIK there is no such special case.
bugzilla-daemon at mindrot.org
2021-May-13 05:58 UTC
[Bug 3311] Certificate validity "forever" is not documented in PROTOCOL.certkeys
https://bugzilla.mindrot.org/show_bug.cgi?id=3311
--- Comment #2 from Mariano Cano <mariano.cano at gmail.com> ---
The special case is that you can create an SSH certificate without an expiration date if you set "valid before" to 0. See the flag -V in `man ssh-keygen`:

https://github.com/openssh/openssh-portable/blob/d3cc4d650ce3e59f3e370b101778b0e8f1c02c4d/ssh-keygen.1#L613-L643

I haven't tried to debug the code, but in auth.c there's code to skip the expiration check if opts->valid_before is 0:

https://github.com/openssh/openssh-portable/blob/2dc328023f60212cd29504fc05d849133ae47355/auth.c#L963-L969

And that "forever" mode, as `man ssh-keygen` calls it, is not documented in PROTOCOL.certkeys.
bugzilla-daemon at mindrot.org
2021-May-13 10:43 UTC
[Bug 3311] Certificate validity "forever" is not documented in PROTOCOL.certkeys
https://bugzilla.mindrot.org/show_bug.cgi?id=3311
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
"forever" in ssh-keygen sets valid_after=0 and valid_before=0xffffffffffffffff, so that's not the case you're talking about here unless you're considering wall clock times before 1970 or many billions of years in the future:

https://github.com/openssh/openssh-portable/blob/d3cc4d650ce3e59f3e370b101778b0e8f1c02c4d/ssh-keygen.c#L1954

The other case has nothing to do with certificates (note that the 'opts' variable here is not a key, but another type). It is to support the authorized_keys "expiry-time" keyword:

https://github.com/openssh/openssh-portable/blob/d3cc4d650ce3e59f3e370b101778b0e8f1c02c4d/sshd.8#L527
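The two rules discussed in this thread side by side, as an added example that is not part of the bug report or of OpenSSH's code: the certificate check exactly as PROTOCOL.certkeys states it (no special case for zero, so "forever" is the pair 0 / ~0 rather than a zero "valid before"), the authorized_keys "expiry-time" semantics where a zero deadline means "not set", and the big-endian uint64 wire encoding the two certificate fields use. The function names, the `struct cert_validity` type and the sample timestamps are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Validity window of an OpenSSH certificate as carried on the wire
 * (PROTOCOL.certkeys): two uint64 fields, seconds since 1970-01-01.
 * The struct name is an assumption made for this example. */
struct cert_validity {
    uint64_t valid_after;
    uint64_t valid_before;
};

/* What ssh-keygen writes for an unrestricted ("forever") certificate:
 * valid_after = 0, valid_before = ~(u_int64_t)0 = 0xffffffffffffffff. */
static const struct cert_validity CERT_FOREVER = { 0, ~(uint64_t)0 };

/* The certificate check as PROTOCOL.certkeys states it, with no special
 * case for zero:  valid after <= current time < valid before.
 * A certificate with valid_before == 0 is therefore never valid. */
bool cert_time_valid(const struct cert_validity *v, uint64_t now)
{
    return v->valid_after <= now && now < v->valid_before;
}

/* Convenience wrapper so callers can test a window without a struct. */
bool window_valid(uint64_t after, uint64_t before, uint64_t now)
{
    struct cert_validity v = { after, before };
    return cert_time_valid(&v, now);
}

/* The other rule from the thread: the authorized_keys "expiry-time"
 * option keeps its deadline in a separate options structure, and a zero
 * value there means "option not set, never expires".  Constructed
 * illustration of that semantics, not OpenSSH's own function. */
bool authopt_not_expired(uint64_t expiry_time, uint64_t now)
{
    if (expiry_time == 0)
        return true;            /* no expiry-time option: never expires */
    return now < expiry_time;
}

/* SSH wire encoding of the two certificate fields: uint64, big-endian. */
void cert_validity_put(const struct cert_validity *v, unsigned char out[16])
{
    for (int i = 0; i < 8; i++) {
        out[i]     = (unsigned char)(v->valid_after  >> (56 - 8 * i));
        out[8 + i] = (unsigned char)(v->valid_before >> (56 - 8 * i));
    }
}

void cert_validity_get(const unsigned char in[16], struct cert_validity *v)
{
    v->valid_after = v->valid_before = 0;
    for (int i = 0; i < 8; i++) {
        v->valid_after  = (v->valid_after  << 8) | in[i];
        v->valid_before = (v->valid_before << 8) | in[8 + i];
    }
}

/* Round-trips the "forever" window through the wire encoding and returns
 * true if valid_before came out as eight 0xff bytes and the decoded
 * window still accepts `now`. */
bool forever_roundtrip_ok(uint64_t now)
{
    unsigned char buf[16];
    struct cert_validity back;

    cert_validity_put(&CERT_FOREVER, buf);
    for (int i = 8; i < 16; i++)
        if (buf[i] != 0xff)
            return false;
    cert_validity_get(buf, &back);
    return back.valid_after == 0 && back.valid_before == ~(uint64_t)0
        && cert_time_valid(&back, now);
}

int main(void)
{
    /* Constructed sample time: 2021-05-13 UTC, around when this bug was filed. */
    uint64_t now = 1620870000ULL;

    printf("forever (0, ~0) valid now:        %d\n", cert_time_valid(&CERT_FOREVER, now));
    printf("valid_before == 0 valid now:      %d\n", window_valid(0, 0, now));
    printf("expiry-time unset (0) not expired: %d\n", authopt_not_expired(0, now));
    printf("forever wire round-trip ok:       %d\n", forever_roundtrip_ok(now));
    return 0;
}
```

Note the strict `<` on the upper bound: even the "forever" certificate is rejected at exactly 0xffffffffffffffff seconds, which is the "many billions of years" caveat in the comment above.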
bugzilla-daemon at mindrot.org
2021-May-13 19:27 UTC
[Bug 3311] Certificate validity "forever" is not documented in PROTOCOL.certkeys
https://bugzilla.mindrot.org/show_bug.cgi?id=3311
Mariano Cano <mariano.cano at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|NEW |RESOLVED
--- Comment #4 from Mariano Cano <mariano.cano at gmail.com> ---
You're right, I didn't understand the `~` in `~(u_int64_t)0;`.
bugzilla-daemon at mindrot.org
2022-Feb-25 02:57 UTC
[Bug 3311] Certificate validity "forever" is not documented in PROTOCOL.certkeys
https://bugzilla.mindrot.org/show_bug.cgi?id=3311
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Closing bugs resolved before openssh-8.9.