Package: openssh-client
Version: 1:5.8p1-7
Severity: minor

The manpage ssh-keygen.1 has this to say about the `-V' option.
     -V validity_interval
             Specify a validity interval when signing a certificate.  A
             validity interval may consist of a single time, indicating that
             the certificate is valid beginning now and expiring at that time,
             or may consist of two times separated by a colon to indicate an
             explicit time interval.  The start time may be specified as a
             date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format or a
             relative time (to the current time) consisting of a minus sign
             followed by a relative time in the format described in the TIME
             FORMATS section of sshd_config(5).  The end time may be specified
             as a YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time
             starting with a plus character.

             For example: “+52w1d” (valid from now to 52 weeks and one day
             from now), “-4w:+4w” (valid from four weeks ago to four weeks
             from now), “20100101123000:20110101123000” (valid from 12:30 PM,
             January 1st, 2010 to 12:30 PM, January 1st, 2011),
             “-1d:20110101” (valid from yesterday to midnight, January 1st,
             2011).

The source code, on the other hand, says this (ssh-keygen.c):

    static void
    parse_cert_times(char *timespec)
    {
            char *from, *to;
            time_t now = time(NULL);
            int64_t secs;

            /* ... snip snip ... */

            if (*from == '-' || *from == '+')
                    cert_valid_from = parse_relative_time(from, now);
            else
                    cert_valid_from = parse_absolute_time(from);

            if (*to == '-' || *to == '+')
                    cert_valid_to = parse_relative_time(to, cert_valid_from);
            else
                    cert_valid_to = parse_absolute_time(to);

            if (cert_valid_to <= cert_valid_from)
                    fatal("Empty certificate validity interval");
            xfree(from);
    }

That is, the implementation interprets a relative end time with respect to
the start time, and not to the current time as stated quite clearly in the
manpage.  I'd submit a patch, but I don't know which of the documentation or
the implementation to fix (and besides, either way is very easy).
The documented behaviour is more intuitive to me at least: it's what I
assumed would happen before I read the manpage to check (but now I've found
the discrepancy because SSH refused to accept my certificates).  But I'd
guess changing the documentation is likely safer in the following sense.
Since the start date is probably in the past, the implementation will
produce certificates that expire /early/ compared to the documented
behaviour.  Anyone out there who is assuming the currently implemented
behaviour would therefore, if it's changed to match the manual, issue
certificates with overly long validity periods.  (It would therefore suffice
to change the parenthetical text `to the current time' to `to the start
time' and the example `-4w:+4w' to `-4w:+8w'.)

(Severity `minor': there isn't a `very minor' -- it's easily worked around
if you know it's there, and certificates are a rather esoteric feature
anyway -- but there's definitely something wrong here so it's not
`wishlist'.)

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.39-2-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-client depends on:
ii  adduser                 3.113                add and remove users and groups
ii  debconf [debconf-2.0]   1.5.40               Debian configuration management sy
ii  dpkg                    1.16.0.3             Debian package management system
ii  libc6                   2.13-18              Embedded GNU C Library: Shared lib
ii  libedit2                2.11-20080614-3      BSD editline and history libraries
ii  libgssapi-krb5-2        1.9.1+dfsg-1         MIT Kerberos runtime libraries - k
ii  libselinux1             2.0.98-1.1           SELinux runtime shared libraries
ii  libssl1.0.0             1.0.0d-3             SSL shared libraries
ii  passwd                  1:4.1.4.2+svn3283-3  change and administer password and
ii  zlib1g                  1:1.2.3.4.dfsg-3     compression library - runtime

Versions of packages openssh-client recommends:
ii  openssh-blacklist       0.4.1                list of default blacklisted OpenSS
ii  openssh-blacklist-extra 0.4.1                list of non-default blacklisted Op
ii  xauth                   1:1.0.6-1            X authentication utility

Versions of packages openssh-client suggests:
pn  keychain                <none>               (no description available)
pn  libpam-ssh              <none>               (no description available)
pn  monkeysphere            <none>               (no description available)
pn  ssh-askpass             <none>               (no description available)

-- Configuration Files:
/etc/ssh/moduli changed:
[Very boring file omitted]

/etc/ssh/ssh_config changed:
Host *
## These are a bad idea to use with sites you don't trust.  Users can
## override this if they feel brave.
    ForwardAgent no
    ForwardX11 no
    ForwardX11Trusted no
## Send locale information.
    SendEnv LANG LC_*
## Don't make the known_hosts file incomprehensible.
    HashKnownHosts no

-- no debconf information
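As an added worked example, not part of the bug report or of OpenSSH's own code, the following C resolves a relative "from:to" interval under both readings the report contrasts: the end measured from the start (as ssh-keygen.c does) and from the current time (as the manpage says). It assumes both halves are relative times in sshd_config TIME FORMATS notation (absolute YYYYMMDD forms are not handled), and the function names are the example's own.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parse an sshd_config TIME FORMATS value such as "4w1d" (suffixes s, m, h,
 * d, w, chained). Stops at ':' or NUL. Returns seconds, or -1 if malformed. */
static long long relative_seconds(const char *s)
{
    long long total = 0;
    if (*s == '\0' || *s == ':') return -1;          /* empty quantity */
    while (*s != '\0' && *s != ':') {
        char *end;
        long long n = strtoll(s, &end, 10);
        if (end == s || n < 0) return -1;             /* no digits, or negative */
        switch (*end) {
        case 's': total += n; break;
        case 'm': total += n * 60; break;
        case 'h': total += n * 3600; break;
        case 'd': total += n * 86400; break;
        case 'w': total += n * 604800; break;
        default: return -1;                           /* unknown suffix */
        }
        s = end + 1;
    }
    return total;
}

/* Resolve "from:to" with both parts relative (e.g. "-4w:+4w"). If
 * end_relative_to_start is nonzero the end counts from the start, as
 * ssh-keygen.c does; otherwise from now, as the manpage describes.
 * Returns the interval length in seconds, or -1 if malformed or empty. */
long long cert_interval(const char *spec, time_t now, int end_relative_to_start,
                        time_t *from, time_t *to)
{
    const char *t = strchr(spec, ':');
    long long fs, ts;
    if (t == NULL || (spec[0] != '-' && spec[0] != '+') ||
        (t[1] != '-' && t[1] != '+'))
        return -1;                                    /* absolute or single time: not handled here */
    t++;
    if ((fs = relative_seconds(spec + 1)) < 0 || (ts = relative_seconds(t + 1)) < 0)
        return -1;
    *from = spec[0] == '-' ? now - fs : now + fs;
    *to = (end_relative_to_start ? *from : now) + (t[0] == '-' ? -ts : ts);
    if (*to <= *from) return -1;   /* ssh-keygen: "Empty certificate validity interval" */
    return (long long)(*to - *from);
}
```

For “-4w:+4w” the two readings yield a four-week and an eight-week certificate respectively, which is what makes the reporter's proposed example change to “-4w:+8w” consistent with the code's behaviour.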