Jakob Schürz
2019-Sep-16 15:12 UTC
revoking ssh-cert.pub with serial revokes also younger certs
Hi Damien!

Hmmm... thought about it a little...

When I use -vvv with ssh-keygen -Qf I see "debug1:..." So I think debug is compiled in.

ssh-keygen --help gives me

    ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ...

so... option -z is not the serial of the certificate, it is the version number of the KRL file...

My openssh version from Debian is 1:7.4p1-10+deb9u7. Maybe this openssh version does not support revoking a certificate by its serial number.

This leads me to the next question... Is the serial number of a certificate unique over all certificates, or is it allowed to increment serial numbers for each certificate separately? How is the design?

thank you
jakob

On 16.09.19 at 04:18, Damien Miller wrote:
> On Fri, 13 Sep 2019, Jakob Schürz wrote:
>
>> Hi there!
>>
>> What am I doing wrong?
>>
>> I created a ssh-certificate
>>
>> id_user_rsa-cert.pub with this dump:
>>
>> id_user_rsa-cert.pub:
>> root@host # ssh-keygen -Lf id_user_rsa-cert.pub
>>         Type: ssh-rsa-cert-v01@openssh.com user certificate
>>         Public key: RSA-CERT SHA256:kPitwgxblaUH4viBoFoozSPq9Pblubbedk
>>         Signing CA: ED25519 SHA256:8p2foobarQo3Tfcblubb5+I5cboeckvpnktiHdUs
>>         Key ID: "test@myhost.mydomain.example"
>>         Serial: 18
>>         Valid: from 2019-07-29T02:08:00 to 2020-07-28T02:09:43
>>         Principals:
>>                 test
>>         Critical Options: (none)
>>         Extensions:
>>                 permit-X11-forwarding
>>                 permit-agent-forwarding
>>                 permit-port-forwarding
>>                 permit-pty
>>                 permit-user-rc
>>
>>
>> Now I try to revoke this certificate with
>>
>> ssh-keygen -s ../user_ca.pub -kf /etc/ssh/revoked_keys -z 17 id_user_rsa-cert.pub
>>
>> The serial is 1 less than the serial of my created certificate
>>
>> Check if my certificate is valid
>>
>> root@host # ssh-keygen -Qf /etc/ssh/revoked_keys id_user_rsa-cert.pub
>> id_user_rsa-cert.pub (test on myhost - created by ansible (1564358942)): REVOKED
>>
>> Why? I thought when I use -s <Serialnumber> only this specific
>> certificate for a pubkey is revoked...
> If you compile krl.c with -DDEBUG_KRL=1 then you can get some extra
> debugging that might show what is going on. You'll probably need to
> add -vvv to ssh-keygen's flags too.
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Damien Miller
2019-Sep-17 00:02 UTC
revoking ssh-cert.pub with serial revokes also younger certs
On Mon, 16 Sep 2019, Jakob Schürz wrote:

> Hi Damien!
>
> Hmmm... thought about it a little...
>
> when I use -vvv with ssh-keygen -Qf I see "debug1:..." So I think debug
> is compiled in.

debugging is compiled in generally, but the recipe I mentioned turns on extra KRL debugging.

> ssh-keygen --help gives me
>
> ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ...
>
> so... option -z is not the serial of the certificate, it is the
> version number of the KRL file...

oops, yes.

> My openssh version from Debian is 1:7.4p1-10+deb9u7. Maybe this
> openssh version does not support revoking a certificate by its
> serial number.

It almost certainly does, but you'd need to use a KRL specification file. See the "KEY REVOCATION LISTS" section in the ssh-keygen manpage.

> This leads me to the next question... Is the serial number of
> a certificate unique over all certificates, or is it allowed to
> increment serial numbers for each certificate separately? How is the design?

what goes in the serial number is totally up to the CA. OpenSSH doesn't make any authentication decisions based on it - it's in the certificate mostly to allow very compact revocation lists.

-d
Jakob Schürz
2019-Sep-17 06:26 UTC
revoking ssh-cert.pub with serial revokes also younger certs
Thank you for your answer.

On 17.09.19 at 02:02, Damien Miller wrote:
> On Mon, 16 Sep 2019, Jakob Schürz wrote:
>
>> Hi Damien!
>>
>> Hmmm... thought about it a little...
>>
>> when I use -vvv with ssh-keygen -Qf I see "debug1:..." So I think debug
>> is compiled in.
> debugging is compiled in generally, but the recipe I mentioned turns
> on extra KRL debugging.

I think it's not necessary now.

>
>> ssh-keygen --help gives me
>>
>> ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number] file ...
>>
>> so... option -z is not the serial of the certificate, it is the
>> version number of the KRL file...
> oops, yes.

This means with -z I can give my KRL file a serial number? How can I dump the revoke-file infos?

>
>> My openssh version from Debian is 1:7.4p1-10+deb9u7. Maybe this
>> openssh version does not support revoking a certificate by its
>> serial number.
> It almost certainly does, but you'd need to use a KRL specification file.
> See the "KEY REVOCATION LISTS" section in the ssh-keygen manpage.

This section is not clear enough. Please add some examples.

>
>> This leads me to the next question... Is the serial number of
>> a certificate unique over all certificates, or is it allowed to
>> increment serial numbers for each certificate separately? How is the design?
> what goes in the serial number is totally up to the CA. OpenSSH doesn't
> make any authentication decisions based on it - it's in the certificate
> mostly to allow very compact revocation lists.

I played around a little. I have a bunch of different certificates (different users, rsa, ecdsa, ed25519 keys...). Some with the same serial number, some with different ones. I set up my CA to increment each certificate for each pubkey separately. This means the pubkeys id_userA_rsa.pub and id_userA_ecdsa.pub start with 1 and each counts up for itself.

Then I tried to revoke the certificate for id_userA_rsa.pub (id_userA_rsa-cert.pub) with serial 8. The KRL says I have to fill one line with

    serial: 8

I can not add a key-id to the serial number. Only "serial: 8" is possible. When I check if the certificate is revoked with

    ssh-keygen -Qf ...

I get a "REVOKED". It's ok. id_userA_ecdsa-cert.pub has serial 9, so this certificate is not revoked. But if it also has serial 8, both certificates are revoked.

If I write

    id: userA@hostX

in my KRL, all certificates for this pubkey (id) are revoked, independent of their serial. It's the same effect as if I give the path to id_userA_rsa-cert.pub or id_userA_rsa.pub.

So if I want a clean and proper revocation of old certificates, there MUST be only one incremental line over all certificates. This is NOT clear in the man pages. Would it be possible that someone updates the docs, so that it gets a bit more understandable for newbies (like me)?

thank you
Jakob
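The experiment described in the last post, reproduced as an added example (it is not part of the thread and not OpenSSH project code). It covers both Damien's pointer to KRL specification files and Jakob's finding: a `serial:` entry matches on the serial alone, so two certificates from the same CA that share serial 8 are both revoked, while an `id:` entry matches every certificate carrying that key ID regardless of serial. The KRL stores serial ranges per CA key, which is why `-s ca_public` is required for `serial:`/`id:` entries and why a CA has to keep serials unique across everything it signs. The key file names, the serials 8 and 9, and the key ID `userA@hostX` are constructed for this demonstration; the `-z 1` on the `-k` invocations is the KRL version number from the usage line quoted above, not a certificate serial.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenSSH project. Builds a CA and
# three user certificates, then checks them against two KRLs built from
# specification files. Everything runs in a throwaway temp directory.

# Print "ok" or "REVOKED" for one certificate file checked against a KRL.
# ssh-keygen -Q prints "<file> (<comment>): ok|REVOKED"; the last field is
# the verdict (its exit status is 1 when a key is revoked, so we read output).
krl_status() {
    ssh-keygen -Q -f "$1" "$2" 2>/dev/null | awk '{ print $NF }'
}

# Run the whole demonstration and print one summary line per KRL.
# Prints "skipped" when ssh-keygen is not installed.
krl_demo() (
    set -eu
    command -v ssh-keygen >/dev/null 2>&1 || { echo skipped; exit 0; }
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    cd "$work"

    # CA key plus two key types for userA and one key for userB
    # (constructed names, no passphrases).
    ssh-keygen -q -t ed25519 -N '' -f user_ca
    ssh-keygen -q -t ecdsa   -N '' -f id_userA_ecdsa
    ssh-keygen -q -t ed25519 -N '' -f id_userA_ed25519
    ssh-keygen -q -t ed25519 -N '' -f id_userB_ed25519

    # Per-key counters, as in the post, collide: both userA certs get serial 8.
    ssh-keygen -q -s user_ca -I userA@hostX -n userA -z 8 id_userA_ecdsa.pub
    ssh-keygen -q -s user_ca -I userA@hostX -n userA -z 8 id_userA_ed25519.pub
    # userB's certificate gets serial 9.
    ssh-keygen -q -s user_ca -I userB@hostX -n userB -z 9 id_userB_ed25519.pub

    # KRL 1: specification file revoking by serial. -s scopes the serial to
    # this CA (mandatory for serial:/id: lines); -z is the KRL version.
    printf 'serial: 8\n' > by_serial.spec
    ssh-keygen -k -f krl_serial -z 1 -s user_ca.pub by_serial.spec >/dev/null
    echo "serial8: ecdsa=$(krl_status krl_serial id_userA_ecdsa-cert.pub)" \
         "ed25519=$(krl_status krl_serial id_userA_ed25519-cert.pub)" \
         "userB=$(krl_status krl_serial id_userB_ed25519-cert.pub)"

    # KRL 2: specification file revoking by key ID, which hits every
    # certificate from this CA that carries that ID, whatever its serial.
    printf 'id: userA@hostX\n' > by_id.spec
    ssh-keygen -k -f krl_id -z 1 -s user_ca.pub by_id.spec >/dev/null
    echo "id: ecdsa=$(krl_status krl_id id_userA_ecdsa-cert.pub)" \
         "ed25519=$(krl_status krl_id id_userA_ed25519-cert.pub)" \
         "userB=$(krl_status krl_id id_userB_ed25519-cert.pub)"
)

krl_demo
```

With ssh-keygen installed the script prints `serial8: ecdsa=REVOKED ed25519=REVOKED userB=ok` followed by `id: ecdsa=REVOKED ed25519=REVOKED userB=ok`: the serial entry cannot tell the two serial-8 certificates apart, and the id entry revokes both of userA's certificates while leaving userB untouched. To revoke exactly one certificate by serial, the CA has to issue one serial sequence across all certificates it signs; the spec file accepts only `serial: N` or `serial: N-M` for serial entries, with no way to attach a key ID.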