https://bugzilla.mindrot.org/show_bug.cgi?id=3198

            Bug ID: 3198
           Summary: Custom critical options are not lexically ordered
           Product: Portable OpenSSH
           Version: -current
          Hardware: amd64
                OS: Mac OS X
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: [email protected]
          Reporter: [email protected]

According to PROTOCOL.certkeys, critical options must be lexically
ordered by name:

```
Options must be lexically ordered by "name" if they appear in the
sequence. Each named option may only appear once in a certificate.
```

This works for the well-known options 'source-address' and
'force-command' but if custom critical options are passed, they will
appear in the order passed in:

```
$ ssh-keygen -I key-id -O critical:[email protected]=a -O critical:[email protected]=c
-O critical:[email protected]=b -s ca.key user.pub
Signed user key user-cert.pub: id "key-id" serial 0 valid forever
```

They will be stored in the same order and will appear in that order
when inspecting the certificate:

```
user-cert.pub:
        Type: [email protected] user certificate
        Public key: RSA-CERT
SHA256:5XSDsn5usZ40pRyDsJnR2KWKacRc29ufR+U8KLYBqGw
        Signing CA: ECDSA
SHA256:rmAjupXaId7QQode/ThbhY/t427k9EKtTfNQHn5AkPk (using
ecdsa-sha2-nistp256)
        Key ID: "key-id"
        Serial: 0
        Valid: forever
        Principals: (none)
        Critical Options:
                [email protected] UNKNOWN OPTION (len 5)
                [email protected] UNKNOWN OPTION (len 5)
                [email protected] UNKNOWN OPTION (len 5)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
```
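To make the ordering requirement concrete, here is an added example (not OpenSSH code, and not part of the report) that encodes a critical-options field the way ssh-keygen appears to for `critical:name=value`, parses it back, and checks the two PROTOCOL.certkeys rules: names lexically ordered, and no name repeated. The option names `a@example.test` etc. are constructed stand-ins for the reporter's custom names; the `string(string(value))` wrapping of custom values is inferred from the `UNKNOWN OPTION (len 5)` output above (4-byte length prefix plus one byte of value), and is an assumption of this example.

```python
"""Validate the 'critical options' field of an OpenSSH certificate.

PROTOCOL.certkeys encodes the field as a sequence of (string name,
string data) pairs in SSH wire format.  Names must be lexically ordered
and each name may appear only once.  This checker flags both violations
and refuses malformed (truncated) input.  Added example, not OpenSSH code.
"""
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length + payload."""
    return struct.pack(">I", len(data)) + data


def encode_critical_options(options):
    """Encode (name, value) pairs as ssh-keygen is assumed to for
    'critical:name=value': each value is wrapped as string(string(value)),
    which matches the 'len 5' shown for a one-byte value in the report."""
    out = b""
    for name, value in options:
        out += ssh_string(name) + ssh_string(ssh_string(value))
    return out


def read_string(blob: bytes, off: int):
    """Read one wire-format string at `off` with bounds checks."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field at offset %d" % off)
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("string runs past end of buffer at offset %d" % off)
    return blob[off:off + n], off + n


def parse_critical_options(blob: bytes):
    """Decode the field into a list of (name, data) pairs, data left raw."""
    pairs = []
    off = 0
    while off < len(blob):
        name, off = read_string(blob, off)
        data, off = read_string(blob, off)
        pairs.append((name, data))
    return pairs


def check_critical_options(blob: bytes):
    """Return a list of rule violations; empty means the field conforms."""
    names = [name for name, _ in parse_critical_options(blob)]
    problems = []
    # Rule 1: lexical (bytewise) ordering of names.
    for prev, cur in zip(names, names[1:]):
        if cur < prev:
            problems.append("option %r follows %r: not lexically ordered" % (cur, prev))
    # Rule 2: each name at most once.
    seen = set()
    for name in names:
        if name in seen:
            problems.append("option %r appears more than once" % name)
        seen.add(name)
    return problems


def is_well_formed(blob: bytes) -> bool:
    """True if the field parses without running off the end of the buffer."""
    try:
        parse_critical_options(blob)
        return True
    except ValueError:
        return False


# Constructed sample in the order the report shows ssh-keygen preserving:
# a, c, b (custom names are placeholders, not the reporter's).
BAD_ORDER = encode_critical_options([
    (b"a@example.test", b"a"),
    (b"c@example.test", b"c"),
    (b"b@example.test", b"b"),
])
# The same options as the spec requires them: sorted by name.
GOOD_ORDER = encode_critical_options(sorted([
    (b"a@example.test", b"a"),
    (b"c@example.test", b"c"),
    (b"b@example.test", b"b"),
]))

if __name__ == "__main__":
    for label, blob in (("as passed", BAD_ORDER), ("sorted", GOOD_ORDER)):
        print(label, check_critical_options(blob) or "OK")
```

Run against a real certificate, the field to feed into `check_critical_options` is the "critical options" string of the decoded certificate blob; a consumer that enforces the ordering rule (as the spec permits) would reject the first encoding and accept the second, which is the practical consequence of the bug described above.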
