https://bugzilla.mindrot.org/show_bug.cgi?id=3961
Bug ID: 3961
Summary: Make ssh-keygen -k less dangerous regarding user errors
Product: Portable OpenSSH
Version: 9.6p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-keygen
Assignee: [email protected]
Reporter: [email protected]
In OpenSSH, KRLs are not easy to reconstruct when lost.
I had revoked some certificate using a script that uses ssh-keygen to
handle revocation. After that I wanted to display the current KRL
file, but due to bad memory I thought the option to use was "-k", so
I tried:
ssh-keygen -kf CA.krl
That command did not output anything, so I thought I need a different
option to display the contents, not being aware that the previous
command just had emptied the KRL!
The correct command would have been the following, but the output of
the first one had already shown that a new, empty KRL file had been
created:
ssh-keygen -Qlf CA.krl
Considering that creating a new KRL file is much more common than
emptying an existing KRL file, I suggest one or more of the
following:
- refuse to empty an existing KRL file in general (the user would have
to remove or rename the existing KRL file)
- add a new "--force" option to force emptying an existing KRL file
- ask interactively whether to actually do that
I'm aware that this would introduce some incompatibility compared to
existing usage scenarios, so alternative possibilities would be:
- create a backup version (no specific naming suggested) of the
existing KRL, obviously not overwriting existing backups (so if
ssh-keygen would add ".bak" to the KRL filename to create the backup
filename, then when the user empties the KRL file twice by mistake,
the backup would be the KRL file emptied the first time). So if a
backup already exists, either refuse to empty the KRL file, or create
another backup file (no naming mechanism suggested)
- a new option could be used to prevent the creation of backup files
BTW: The same may apply when creating certificates, but overwriting an
existing certificate is less serious than emptying a KRL file.
Possible backup name generators could be (just what came to my mind):
- append ".OLD" to the KRL filename
- append ".#" to the KRL filename where "#" is a natural number; if the
file exists already, increment the number and retry
- use Emacs-like suffix "~", not overwriting an existing backup
- append ".#" where "#" is the number of seconds since the epoch (i.e.
UNIX time())
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
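The guard rails proposed in the report (refuse to replace an existing KRL unless forced, and when forced keep a numbered backup so a second mistake cannot clobber the first backup) can be put in front of ssh-keygen today with a small wrapper. The script below is an added example written for this page; it is not OpenSSH code and not part of the bug report. The names safe_ssh_keygen_krl, safe_krl_generate, krl_backup_name and demo_krl_safety are this example's own. The demo uses "cp /dev/null FILE" as a stand-in for "ssh-keygen -k -f FILE" run without revocation specs, since both leave FILE empty, so it runs without ssh-keygen installed. (The real tool also has "-u", which updates an existing KRL in place; the wrapper only covers the create-from-scratch path that bit the reporter.)

```shell
#!/bin/sh
# Added example, not OpenSSH code: a wrapper giving "ssh-keygen -k" the
# safety net proposed in bug 3961. All function names are this example's own.
#
#   safe_ssh_keygen_krl [--force] -f CA.krl [other ssh-keygen -k args...]
#
# Without --force it refuses to touch an existing KRL. With --force it first
# copies the file to CA.krl.1, CA.krl.2, ... (lowest unused number), the ".#"
# scheme from the report, so a second mistake never clobbers the first backup.

# Print the first "FILE.N" (N = 1, 2, ...) that does not already exist.
krl_backup_name() {
    bn_file=$1 bn_n=1
    while [ -e "$bn_file.$bn_n" ]; do bn_n=$((bn_n + 1)); done
    printf '%s.%s\n' "$bn_file" "$bn_n"
}

# safe_krl_generate FORCE KRLFILE COMMAND [ARGS...]
# Runs COMMAND only if KRLFILE is absent or FORCE is 1; when forcing over an
# existing file, copies it to a fresh backup name first. Returns 1 if refused.
safe_krl_generate() {
    sg_force=$1 sg_krl=$2
    shift 2
    if [ -e "$sg_krl" ]; then
        if [ "$sg_force" != 1 ]; then
            echo "$sg_krl exists; refusing to replace it (use --force)" >&2
            return 1
        fi
        sg_bak=$(krl_backup_name "$sg_krl") || return 1
        cp -p -- "$sg_krl" "$sg_bak" || return 1
        echo "existing KRL copied to $sg_bak" >&2
    fi
    "$@"
}

# Front end for real use: pick --force and "-f FILE" out of the arguments and
# pass everything else straight through to "ssh-keygen -k".
safe_ssh_keygen_krl() {
    fe_force=0 fe_krl= fe_left=$#
    while [ "$fe_left" -gt 0 ]; do
        fe_arg=$1; shift; fe_left=$((fe_left - 1))
        case $fe_arg in
            --force) fe_force=1 ;;
            -f)   fe_krl=$1; set -- "$@" -f "$1"; shift; fe_left=$((fe_left - 1)) ;;
            -f?*) fe_krl=${fe_arg#-f}; set -- "$@" "$fe_arg" ;;
            *)    set -- "$@" "$fe_arg" ;;
        esac
    done
    if [ -z "$fe_krl" ]; then
        echo "usage: safe_ssh_keygen_krl [--force] -f KRLFILE [ssh-keygen -k args]" >&2
        return 2
    fi
    safe_krl_generate "$fe_force" "$fe_krl" ssh-keygen -k "$@"
}

# Replay the report's mistake in a scratch directory. "cp /dev/null FILE"
# stands in for "ssh-keygen -k -f FILE" with no revocation specs: both leave
# FILE empty. Prints one summary line with the byte size of each resulting file.
demo_krl_safety() {
    dm_dir=$(mktemp -d) || return 1
    dm_krl=$dm_dir/CA.krl
    # Constructed sample standing in for a populated KRL (41 bytes).
    printf 'constructed stand-in for a populated KRL\n' > "$dm_krl"
    dm_refused=0
    # 1) Plain mistake: refused, file untouched.
    safe_krl_generate 0 "$dm_krl" cp /dev/null "$dm_krl" 2>/dev/null || dm_refused=1
    dm_after_refuse=$(($(wc -c < "$dm_krl")))
    # 2) Forced: CA.krl.1 keeps the original, CA.krl becomes empty.
    safe_krl_generate 1 "$dm_krl" cp /dev/null "$dm_krl" 2>/dev/null || return 1
    # 3) Forced again: CA.krl.2 gets the empty file; CA.krl.1 survives.
    safe_krl_generate 1 "$dm_krl" cp /dev/null "$dm_krl" 2>/dev/null || return 1
    printf 'refused=%s after_refuse=%s CA.krl=%s CA.krl.1=%s CA.krl.2=%s\n' \
        "$dm_refused" "$dm_after_refuse" \
        "$(($(wc -c < "$dm_krl")))" "$(($(wc -c < "$dm_krl.1")))" \
        "$(($(wc -c < "$dm_krl.2")))"
    rm -rf "$dm_dir"
}

demo_krl_safety
```

The demo's third step is exactly the case the report warns about with a fixed ".bak" suffix: the second forced run backs up an already-empty KRL, but because the backup name is CA.krl.2 rather than CA.krl.1, the original content is still recoverable from CA.krl.1. Backups are made with cp -p so the original's permissions and timestamp are preserved alongside its content.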