bugzilla-daemon at mindrot.org
2022-Aug-08 13:49 UTC
[Bug 3468] New: Validity interval changes during Daylight Saving Time
https://bugzilla.mindrot.org/show_bug.cgi?id=3468
Bug ID: 3468
Summary: Validity interval changes during Daylight Saving Time
Product: Portable OpenSSH
Version: v9.0p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: florfoto at gmail.com
Description of problem:
When specifying a validity interval when signing a certificate using -V
option, an hour is added if the system timezone is in Daylight Saving
Time (DST).
Version-Release number of selected component (if applicable):
openssh-8.7p1-8.el9
How reproducible:
Always
Steps to Reproduce:
1. Grant access on July 28 2022 from 10:00 to 12:00hs:
~~~
[root at rhel9server ~]# ssh-keygen -s ssh_ca -I myuser -n myuser -V
202207281000:202207281200 .ssh/id_rsa.pub
Signed user key .ssh/id_rsa-cert.pub: id "myuser" serial 0 for myuser
valid from 2022-07-28T11:00:00 to 2022-07-28T13:00:00
~~~
Actual results:
The previous output says "valid from 2022-07-28T11:00:00 to
2022-07-28T13:00:00" instead of "valid from 2022-07-28T10:00:00 to
2022-07-28T12:00:00".
~~~
[root at rhel9server ~]# ssh-keygen -Lf .ssh/id_rsa-cert.pub
.ssh/id_rsa-cert.pub:
Type: ssh-rsa-cert-v01 at openssh.com user certificate
Public key: RSA-CERT
SHA256:P8r+Z3Hiir9KIg/D04vNwlr9zAYw1k6b6xEeZbF0fps
Signing CA: RSA
SHA256:0GHrCSlevbRxJCe6/+XzSXx6qzWGre4S0kfrP9R+AcA (using rsa-sha2-512)
Key ID: "myuser"
Serial: 0
Valid: from 2022-07-28T11:00:00 to 2022-07-28T13:00:00
Principals:
myuser
Critical Options: (none)
Extensions:
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc
~~~
Expected results:
1. Grant access on July 28 2022 from 10:00 to 12:00hs (not from 11:00
to 13:00hs):
~~~
[root at rhel9server ~]# ssh-keygen -s ssh_ca -I myuser -n myuser -V
202207281000:202207281200 .ssh/id_rsa.pub
Signed user key .ssh/id_rsa-cert.pub: id "myuser" serial 0 for myuser
valid from 2022-07-28T10:00:00 to 2022-07-28T12:00:00
~~~
Additional info:
This only happens when the system clock is in DST.
When DST finishes( for example in November for Europe/Brussels
timezone), there isn?t an hour added:
~~~
[root at rhel9server ~]# ssh-keygen -s ssh_ca -I myuser -n myuser -V
202211281000:202211281200 .ssh/id_rsa.pub
Signed user key .ssh/id_rsa-cert.pub: id "myuser" serial 0 for myuser
valid from 2022-11-28T10:00:00 to 2022-11-28T12:00:00
~~~
Description of problem:
When specifying a validity interval when signing a certificate using -V
option, an hour is added if the system timezone is in Daylight Saving
Time (DST).
Version-Release number of selected component (if applicable):
openssh-8.7p1-8.el9
How reproducible:
Always
Steps to Reproduce:
1. Grant access on July 28 2022 from 10:00 to 12:00hs:
~~~
[root at rhel9server ~]# ssh-keygen -s ssh_ca -I myuser -n myuser -V
202207281000:202207281200 .ssh/id_rsa.pub
Signed user key .ssh/id_rsa-cert.pub: id "myuser" serial 0 for myuser
valid from 2022-07-28T11:00:00 to 2022-07-28T13:00:00
~~~
Actual results:
The previous output says "valid from 2022-07-28T11:00:00 to
2022-07-28T13:00:00" instead of "valid from 2022-07-28T10:00:00 to
2022-07-28T12:00:00".
~~~
[root at rhel9server ~]# ssh-keygen -Lf .ssh/id_rsa-cert.pub
.ssh/id_rsa-cert.pub:
Type: ssh-rsa-cert-v01 at openssh.com user certificate
Public key: RSA-CERT
SHA256:P8r+Z3Hiir9KIg/D04vNwlr9zAYw1k6b6xEeZbF0fps
Signing CA: RSA
SHA256:0GHrCSlevbRxJCe6/+XzSXx6qzWGre4S0kfrP9R+AcA (using rsa-sha2-512)
Key ID: "myuser"
Serial: 0
Valid: from 2022-07-28T11:00:00 to 2022-07-28T13:00:00
Principals:
myuser
Critical Options: (none)
Extensions:
permit-X11-forwarding
permit-agent-forwarding
permit-port-forwarding
permit-pty
permit-user-rc
~~~
Expected results:
1. Grant access on July 28 2022 from 10:00 to 12:00hs (not from 11:00
to 13:00hs):
~~~
[root at rhel9server ~]# ssh-keygen -s ssh_ca -I myuser -n myuser -V
202207281000:202207281200 .ssh/id_rsa.pub
Signed user key .ssh/id_rsa-cert.pub: id "myuser" serial 0 for myuser
valid from 2022-07-28T10:00:00 to 2022-07-28T12:00:00
~~~
Additional info:
This only happens when the system clock is in DST.
When DST finishes( for example in november for Europe/Brussels
timezone), there isn?t an hour added:
~~~
[root at rhel9server ~]# ssh-keygen -s ssh_ca -I myuser -n myuser -V
202211281000:202211281200 .ssh/id_rsa.pub
Signed user key .ssh/id_rsa-cert.pub: id "myuser" serial 0 for myuser
valid from 2022-11-28T10:00:00 to 2022-11-28T12:00:00
~~~
Is this behavior expected or is it a bug?
Thanks in advance.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Aug-09 03:15 UTC
[Bug 3468] Validity interval changes during Daylight Saving Time
https://bugzilla.mindrot.org/show_bug.cgi?id=3468
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
It's arguably correct - the validity intervals are defined to operate
in the local TZ.
That being said, it is potentially surprising. I have been thinking of
allowing -V to accept less ambiguous time specifications, specifically:
- raw seconds-since-epoch, as hex (0x...) values
- exact date/times in the UTC TZ, as "UTCYYYYMMDD[HHMMSS]"
Would this help you?
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Aug-09 11:12 UTC
[Bug 3468] Validity interval changes during Daylight Saving Time
https://bugzilla.mindrot.org/show_bug.cgi?id=3468 --- Comment #2 from Florencia Fotorello <florfoto at gmail.com> --- Hi Damien, Thanks for your quick reply.> Would this help you?Yes, exact date/times in the UTC TZ will be very useful. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Aug-09 13:54 UTC
[Bug 3468] Validity interval changes during Daylight Saving Time
https://bugzilla.mindrot.org/show_bug.cgi?id=3468
Jim Knoble <jmknoble at pobox.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jmknoble at pobox.com
--- Comment #3 from Jim Knoble <jmknoble at pobox.com>
---> exact date/times in the UTC TZ, as "UTCYYYYMMDD[HHMMSS]"
Why not use compact ISO-8601 notation?
yyyymmdd[Thhmmss]Z
Local time would omit the trailing "Z", and no other time zone
expressions need be supported. The existing "T"-less Notation would
still be supported.
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Aug-09 14:04 UTC
[Bug 3468] Validity interval changes during Daylight Saving Time
https://bugzilla.mindrot.org/show_bug.cgi?id=3468 --- Comment #4 from Jim Knoble <jmknoble at pobox.com> ---> raw seconds-since-epoch, as hex (0x...) valuesAlso, recommend decimal values for seconds since epoch, prefixed with "@", as grokked by some date(1) implementations. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Aug-10 07:32 UTC
[Bug 3468] Validity interval changes during Daylight Saving Time
https://bugzilla.mindrot.org/show_bug.cgi?id=3468
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |dtucker at dtucker.net
Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
Attachment #3611| |ok?(dtucker at dtucker.net)
Flags| |
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Created attachment 3611
--> https://bugzilla.mindrot.org/attachment.cgi?id=3611&action=edit
Implement 'Z' suffix and raw hex seconds-since-epoch
This implements the Z suffix and 0x-prefixed hex values for
seconds-since-epoch.
I didn't go with '@decimal' for the latter as IMO these are mostly
intended for interfacing with other tools (inc. tests) and are a bit
easier to tell apart from something date/time-shaped and consequently
less likely to enter accidentally.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Aug-10 07:35 UTC
[Bug 3468] Validity interval changes during Daylight Saving Time
https://bugzilla.mindrot.org/show_bug.cgi?id=3468
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3612| |ok?(dtucker at dtucker.net)
Flags| |
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
Created attachment 3612
--> https://bugzilla.mindrot.org/attachment.cgi?id=3612&action=edit
unit test for parse_absolute_time(), including forced UTC conversions
Regress test for library function.
I should note that the underlying parse_absolute_time() function is
used in a few places, so the previous diff updates the manpages for the
other places the additional UTC dates can be reached.
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Aug-10 07:40 UTC
[Bug 3468] Validity interval changes during Daylight Saving Time
https://bugzilla.mindrot.org/show_bug.cgi?id=3468
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3611|ok?(dtucker at dtucker.net) |
Flags| |
Attachment #3611|0 |1
is obsolete| |
Attachment #3613| |ok?(dtucker at dtucker.net)
Flags| |
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Created attachment 3613
--> https://bugzilla.mindrot.org/attachment.cgi?id=3613&action=edit
fixed: Implement 'Z' suffix and raw hex seconds-since-epoch
oops, original diff had a typo. Please review this
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Aug-10 07:58 UTC
[Bug 3468] Validity interval changes during Daylight Saving Time
https://bugzilla.mindrot.org/show_bug.cgi?id=3468
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3612|ok?(dtucker at dtucker.net) |ok+
Flags| |
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Aug-10 07:58 UTC
[Bug 3468] Validity interval changes during Daylight Saving Time
https://bugzilla.mindrot.org/show_bug.cgi?id=3468
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3613|ok?(dtucker at dtucker.net) |ok+
Flags| |
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Aug-11 02:02 UTC
[Bug 3468] Validity interval changes during Daylight Saving Time
https://bugzilla.mindrot.org/show_bug.cgi?id=3468
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3418
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
These have been committed and will be in OpenSSH 9.1.
commit b98a42afb69d60891eb0488935990df6ee571c4d
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Aug 11 01:57:50 2022 +0000
upstream: add some tests for parse_absolute_time(), including cases
where it is forced to the UTC timezone. bz3468 ok dtucker
OpenBSD-Regress-ID: ea07ca31c2f3847a38df028ca632763ae44e8759
commit ec1ddb72a146fd66d18df9cd423517453a5d8044
Author: djm at openbsd.org <djm at openbsd.org>
Date: Thu Aug 11 01:56:51 2022 +0000
upstream: allow certificate validity intervals, sshsig verification
times and authorized_keys expiry-time options to accept dates in
the UTC time
zone in addition to the default of interpreting them in the system
time zone.
YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC
if
suffixed with a 'Z' character.
Also allow certificate validity intervals to be specified in raw
seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
is intended for use by regress tests and other tools that call
ssh-keygen as part of a CA workflow.
bz3468 ok dtucker
OpenBSD-Commit-ID: 454db1cdffa9fa346aea5211223a2ce0588dfe13
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3418
[Bug 3418] tracking bug for openssh-9.1
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Oct-04 10:59 UTC
[Bug 3468] Validity interval changes during Daylight Saving Time
https://bugzilla.mindrot.org/show_bug.cgi?id=3468 --- Comment #9 from Damien Miller <djm at mindrot.org> --- Closing bugs from openssh-9.1 release cycle -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Mar-17 02:39 UTC
[Bug 3468] Validity interval changes during Daylight Saving Time
https://bugzilla.mindrot.org/show_bug.cgi?id=3468
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #10 from Damien Miller <djm at mindrot.org> ---
OpenSSH 9.3 has been released. Close resolved bugs
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.