search for: cert_principals

Displaying 6 results from an estimated 6 matches for "cert_principals".

2025 Apr 29
1
Multiple allowed signer files in `ssh-keygen -Y verify`
...ssing principal ID"); exit(1); } - return sig_match_principals(identity_file, cert_key_id, - opts, nopts); + return sig_match_principals(identity_files, + nidentity_files, cert_key_id, opts, nopts); } else if (strncmp(sign_op, "sign", 4) == 0) { /* NB. cert_principals is actually namespace, via -n */ if (cert_principals == NULL || @@ -3645,6 +3693,10 @@ main(int argc, char **argv) "missing key"); exit(1); } + if (nidentity_files > 1) { + error("Too many keys specified for sign"); + exit(1); + } return si...
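Review bot: the `nidentity_files > 1` guard added in the second hunk is worded for the sign path only ("Too many keys specified for sign") and sits after the "missing key" check. The visible lines do not show whether any other `sign_op` branch that still takes a single file gets an equivalent guard. If one does not, extra `-f` arguments there would still be accepted without a warning, so consider rejecting surplus files once, before dispatching on `sign_op`.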
2025 Apr 23
1
Multiple allowed signer files in `ssh-keygen -Y verify`
Hello, I'm currently evaluating using `ssh-keygen -Y verify` to check OS artifacts (e.g. packages) and I noticed that the `-f allowed_signers_file` option can be passed only once. A side remark: technically it can be passed multiple times without a warning but the last invocation overrides all previous ones. Tested using: $ ssh-keygen -Y verify -f allowed_signers -f /dev/null -n file -s
2025 May 22
1
LogLevel INFO shows few details for Certificate invalid: not yet valid / expired
...ason; } if ((finalopts = sshauthopt_merge(keyopts, certopts, &reason)) == NULL) - goto fail_reason; + goto cert_fail_reason; /* * If the user has specified a list of principals as @@ -361,12 +361,12 @@ auth_check_authkey_line(struct passwd *pw, struct sshkey *key, if (keyopts->cert_principals != NULL && !match_principals_option(keyopts->cert_principals, key->cert)) { reason = "Certificate does not contain an authorized principal"; - goto fail_reason; + goto cert_fail_reason; } if (sshkey_cert_check_authority_now(key, 0, 0, 0, keyopts->cert...
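Review bot: the first changed `goto` follows a failed `sshauthopt_merge(keyopts, certopts, &reason)`, which is an option-merge failure rather than a certificate validity or principal failure. The `cert_fail_reason` label is outside the visible lines, so check that what it logs still reads correctly for that case, or leave that one branch on `fail_reason`.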
2010 Mar 03
2
Viewing certificate details
Hi, I don't see any way to view the details of a certificate once it is generated. Having such a capability would be very handy for debugging purposes to check what constraints, principals, and validity interval are associated with a given cert. -- Iain Morgan
2025 May 21
1
LogLevel INFO shows few details for Certificate invalid: not yet valid / expired
On 4/5/25 15:01, Lars Noodén wrote: > I notice that when using log level INFO it seems sshd(8) provides very > little information about failed SSH certificate log in attempts: > > Apr 5 14:44:41 server sshd-session[51695]: error: Certificate invalid: > not yet valid > > Apr 5 14:45:31 server sshd-session[88953]: error: Certificate invalid: > expired > >
2012 Jul 28
1
[PATCH] ssh-keygen: support public key import/export using SubjectPublicKeyInfo
...@ main(int argc, char **argv) convert_format = FMT_PEM; break; } + if (strcasecmp(optarg, "SUBJECTINFO") == 0) { + convert_format = FMT_SUBJECTINFO; + break; + } fatal("Unsupported conversion format \"%s\"", optarg); case 'n': cert_principals = optarg; -- 1.7.8.6
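Review bot: the `strcasecmp(optarg, "SUBJECTINFO")` branch adds a user-visible format name, but the visible part of the patch shows no matching update to the usage text or man page. Add the name where the existing conversion formats are documented, so that hitting `fatal("Unsupported conversion format ...")` is not the only way to learn the accepted values.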