Package: file
Version: 1:5.37-5
Severity: wishlist

Long, long ago, Debian accidentally made weak SSH keys.
As part of the fix, Debian patched OpenSSH to blacklist those bad keys:

    https://sources.debian.org/src/openssh-blacklist/

Much later, equivalent functionality landed upstream in OpenSSH itself.
This is called the "OpenSSH Key Revocation List".  The format is different.
The file format appears to be documented as PROTOCOL.krl:

    https://sources.debian.org/src/openssh/1:8.0p1-6/PROTOCOL.krl/
    https://sources.debian.org/src/openssh/1:6.6p1-4%7Ebpo70+1/PROTOCOL.krl/

You can generate a KRL like this:

    bash5$ ssh-keygen -k -f test.krl
    bash5$ file test.krl
    test.krl: data
    bash5$ hd test.krl
    00000000  53 53 48 4b 52 4c 0a 00  00 00 00 01 00 00 00 00  |SSHKRL..........|
    00000010  00 00 00 00 00 00 00 00  5d 76 08 1e 00 00 00 00  |........]v......|
    00000020  00 00 00 00 00 00 00 00  00 00 00 00              |............|
    0000002c

The magic is the same in a KRL with a key in it:

    bash5$ ssh-keygen -q -t ed25519 -N '' -f test.ed25519
    bash5$ ssh-keygen -k -f test.krl test.ed25519.pub
    Revoking from test.ed25519.pub
    bash5$ hd test.krl
    00000000  53 53 48 4b 52 4c 0a 00  00 00 00 01 00 00 00 00  |SSHKRL..........|
    00000010  00 00 00 00 00 00 00 00  5d 76 08 8a 00 00 00 00  |........]v......|
    00000020  00 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00  |................|
    00000030  37 00 00 00 33 00 00 00  0b 73 73 68 2d 65 64 32  |7...3....ssh-ed2|
    00000040  35 35 31 39 00 00 00 20  29 13 5c 14 0d 21 49 ad  |5519... ).\..!I.|
    00000050  5c a0 d9 a1 41 33 19 15  b9 ce 78 fd 42 eb 9e 67  |\...A3....x.B..g|
    00000060  2a f0 3c 87 bc 9f d3 fd                           |*.<.....|
    00000068

Please teach file about this file format.


-- System Information:
Debian Release: 10.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages file depends on:
ii  libbz2-1.0  1.0.6-9.2~deb10u1
ii  libc6       2.28-10
ii  liblzma5    5.2.4-1
ii  libmagic1   1:5.37-5
ii  zlib1g      1:1.2.11.dfsg-1

file recommends no packages.

file suggests no packages.

-- no debconf information
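
Added example (not part of the original report, and not code from file or OpenSSH): a minimal Python reader for the KRL layout, run over the bytes of the second hexdump in the report. The function names are hypothetical; the header field order and section-type numbers are assumed from PROTOCOL.krl.

```python
import struct

KRL_MAGIC = b"SSHKRL\n\x00"  # first 8 bytes of both hexdumps in the report
SECTION_NAMES = {1: "certificates", 2: "explicit_key", 3: "fingerprint_sha1",
                 4: "signature", 5: "fingerprint_sha256"}  # per PROTOCOL.krl
SAMPLE_KRL = bytes.fromhex(  # constructed: the report's second hexdump, 0x68 bytes
    "5353484b524c0a00" "00000001" "0000000000000000" "000000005d76088a"
    "0000000000000000" "00000000" "00000000"  # flags, reserved, comment
    "02" "00000037" "00000033" "0000000b" "7373682d65643235353139" "00000020"
    "29135c140d2149ad" "5ca0d9a141331915b9ce78fd42eb9e67" "2af03c87bc9fd3fd")

class KRLError(ValueError): pass

def _take(buf, off, n):
    if off + n > len(buf):
        raise KRLError(f"truncated at offset {off:#x}")
    return buf[off:off + n], off + n

def _string(buf, off):
    """SSH 'string': big-endian uint32 length, then that many bytes."""
    raw, off = _take(buf, off, 4)
    return _take(buf, off, struct.unpack(">I", raw)[0])

def parse_krl(buf):
    """Check the fixed header, then walk the (type byte, string) sections."""
    hdr, off = _take(buf, 0, 36)
    magic, fmt, version, generated, flags = struct.unpack(">8sIQQQ", hdr)
    if magic != KRL_MAGIC:
        raise KRLError("bad magic: not an OpenSSH KRL")
    if fmt != 1:
        raise KRLError(f"unsupported KRL format version {fmt}")
    _reserved, off = _string(buf, off)
    comment, off = _string(buf, off)
    sections = []
    while off < len(buf):
        stype, off = buf[off], off + 1
        body, off = _string(buf, off)
        sections.append((SECTION_NAMES.get(stype, f"unknown({stype})"), body))
    return {"krl_version": version, "generated": generated, "flags": flags,
            "comment": comment, "sections": sections}

def explicit_key_types(krl):  # key type names inside explicit_key sections
    types = []
    for name, body in krl["sections"]:
        off = 0
        while name == "explicit_key" and off < len(body):
            blob, off = _string(body, off)  # each entry is one public key blob
            types.append(_string(blob, 0)[0].decode("ascii", "replace"))
    return types
```

Only the first 8 bytes are needed to identify the type; the remaining fields are what a detailed description could print.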
