Hi,

we just entered DST here in Czech Republic, and my CA started generating certificates with a +1h offset:

ssh-keygen -U -s some-ca-key.pub -V 20220328110400:20220328112400 -I 981-20220328-1104 -O extension:login at github.com=someone at github.com -I eed3f7c7-4809-46e7-892e-6e3642da59c8 438.pub
Signed user key 438-cert.pub: id "eed3f7c7-4809-46e7-892e-6e3642da59c8 " serial 0 valid from 2022-03-28T12:04:00 to 2022-03-28T12:24:00

$ date
Mon Mar 28 11:21:25 CEST 2022
$ ls -la /etc/localtime
lrwxrwxrwx. 1 root root 35 Jun 8 2020 /etc/localtime -> ../usr/share/zoneinfo/Europe/Prague

As a workaround, I set /usr/share/zoneinfo/Etc/GMT-1 as a timezone, but this is clearly not right.

Any plans to fix this? Apparently I am not the only person who encountered it:
https://github.com/cloudtools/ssh-ca/blob/master/ssh_ca/utils.py#L72

Thanks
Jan
On Mon, Mar 28, 2022 at 11:23:35AM +0200, Jan Schermer wrote:
> Hi,
> we just entered DST here in Czech Republic, and my CA started generating certificates with a +1h offset:
[...]
> Any plans to fix this? Apparently I am not the only person who encountered it https://github.com/cloudtools/ssh-ca/blob/master/ssh_ca/utils.py#L72

Assuming I've read the man page right, I think this should fix it.

diff --git a/misc.c b/misc.c index 85d223695..03e6e5f19 100644 --- a/misc.c +++ b/misc.c @@ -2429,6 +2429,7 @@ parse_absolute_time(const char *s, uint64_t *tp) memset(&tm, 0, sizeof(tm)); if (strptime(buf, fmt, &tm) == NULL) return SSH_ERR_INVALID_FORMAT; + tm.tm_isdst = -1; /* auto detect DST */ if ((tt = mktime(&tm)) < 0) return SSH_ERR_INVALID_FORMAT; /* success */

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
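Review bot: the comment on the added "tm.tm_isdst = -1;" line should say why the value matters, not only "auto detect DST". The memset(&tm, 0, sizeof(tm)) two lines above leaves tm_isdst at 0, so mktime(&tm) treats the parsed string as standard time even while DST is in effect, which is the +1h shift in the report. With -1 the C library decides from the zone rules, so a local time inside the repeated hour at the end of DST is ambiguous and resolves to whichever instance mktime picks; consider noting that next to this line and stating in ssh-keygen(1) that absolute -V times are interpreted as local time.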
On 3/28/22 11:23, Jan Schermer wrote:
> we just entered DST here in Czech Republic, and my CA started
> generating certificates with a +1h offset:
>
> ssh-keygen -U -s some-ca-key.pub -V 20220328110400:20220328112400 [..]
>
> Signed user key 438-cert.pub: id
> "eed3f7c7-4809-46e7-892e-6e3642da59c8 " serial 0 valid from
> 2022-03-28T12:04:00 to 2022-03-28T12:24:00

Reading ssh-keygen(1) I have no clue whether time strings specified with -V are supposed to be local time or UTC. IMHO implying local time could cause all sorts of strange issues in case time-zone info is not correctly set for a service etc.

> Any plans to fix this? Apparently I am not the only person who
> encountered it
> https://github.com/cloudtools/ssh-ca/blob/master/ssh_ca/utils.py#L72

My own implementation only uses relative time format like "+4h".

AFAICS the spec in PROTOCOL.certkeys defines the validity period based on time-stamps with seconds-since-epoch (UTC).

Ciao, Michael.
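The effect of the one-line change proposed earlier in this thread, as an added example that is not OpenSSH code and not written by any poster: the hypothetical helper local_to_epoch() converts the reported -V start time once with tm_isdst = 0 and once with tm_isdst = -1. It assumes a POSIX TZ rule (DEMO_TZ) standing in for Europe/Prague and uses sscanf in place of strptime.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Assumption: POSIX TZ rule standing in for Europe/Prague (no tzdata needed). */
#define DEMO_TZ "CET-1CEST,M3.5.0,M10.5.0/3"

/*
 * Hypothetical helper: local YYYYMMDDHHMMSS -> seconds since the epoch (UTC).
 * isdst = 0 mimics the zeroed struct tm; isdst = -1 is the proposed fix.
 * Overwrites the process TZ. Returns 0 on success, -1 on error.
 */
int
local_to_epoch(const char *s, int isdst, int64_t *out)
{
	struct tm tm;
	time_t tt;

	memset(&tm, 0, sizeof(tm));
	/* Digits only, exactly 14 of them; sscanf stands in for strptime(). */
	if (strlen(s) != 14 || strspn(s, "0123456789") != 14 ||
	    sscanf(s, "%4d%2d%2d%2d%2d%2d", &tm.tm_year, &tm.tm_mon,
	    &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6)
		return -1;
	tm.tm_year -= 1900;	/* struct tm counts years from 1900 */
	tm.tm_mon -= 1;		/* and months from 0 */
	tm.tm_isdst = isdst;
	setenv("TZ", DEMO_TZ, 1);
	tzset();
	if ((tt = mktime(&tm)) < 0)
		return -1;
	*out = (int64_t)tt;
	return 0;
}

int
main(void)
{
	int64_t zeroed, fixed;

	/* 20220328110400 is the -V start time from the report in this thread. */
	if (local_to_epoch("20220328110400", 0, &zeroed) != 0 ||
	    local_to_epoch("20220328110400", -1, &fixed) != 0)
		return 1;
	printf("isdst=0: %lld  isdst=-1: %lld  shift: %lld s\n",
	    (long long)zeroed, (long long)fixed, (long long)(zeroed - fixed));
	return 0;
}
```

On glibc the tm_isdst = 0 result is 3600 seconds later than the tm_isdst = -1 result, which corresponds to the 12:04 start time in the reported certificate.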