[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577

Damien Miller changed:

           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
             Blocks|                            |3162
         Resolution|---                         |FIXED

--- Comment #6 from Damien Miller ---
thanks for the report - these have both been committed and will be in OpenSSH 8.4, due in a few months.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577

Darren Tucker changed:

           What    |Removed                     |Added
   Attachment #3701|ok?(dtuc...@dtucker.net)    |ok+
              Flags|                            |
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577

Damien Miller changed:

           What    |Removed                     |Added
   Attachment #3701|                            |ok?(dtuc...@dtucker.net)
              Flags|                            |

--- Comment #5 from Damien Miller ---
Created attachment 3701
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3701&action=edit
show only valid CA signing algorithms for -Q CASignatureAlgorithms

> The patch indeed fixes the configuration-file behavior. It doesn't fix
> `ssh -Q CASignatureAlgorithms` still producing the wrong output, however.

Yeah, it was using the list of all signature algorithms.

> Also: You introduced a new variable ca_only that is true for
> CASignatureAlgorithms and false for all others. Shouldn't it then perhaps
> be named more something like no_ca, as CASignatureAlgorithms does not
> accept only ca algorithms, but rather the exact opposite or what did I miss?

ca_only = algorithms that are valid for CAs to sign certificates.
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577

--- Comment #4 from xspielinbox+mind...@protonmail.com ---
Thank you for the clarification and the patch!

The patch indeed fixes the configuration-file behavior. It doesn't fix `ssh -Q CASignatureAlgorithms` still producing the wrong output, however.

Also: You introduced a new variable ca_only that is true for CASignatureAlgorithms and false for all others. Shouldn't it then perhaps be named more something like no_ca, as CASignatureAlgorithms does not accept only ca algorithms, but rather the exact opposite or what did I miss?
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577

Darren Tucker changed:

           What    |Removed                     |Added
   Attachment #3700|ok?(dtuc...@dtucker.net)    |ok+
              Flags|                            |
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577

Damien Miller changed:

           What    |Removed                     |Added
                 CC|                            |d...@mindrot.org,
                   |                            |dtuc...@dtucker.net
   Attachment #3700|                            |ok?(dtuc...@dtucker.net)
              Flags|                            |

--- Comment #3 from Damien Miller ---
Created attachment 3700
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3700&action=edit
disallow certificate algorithms in CASignatureAlgorithms

Certificate algorithms won't work when specified in CASignatureAlgorithms, but the option would incorrectly accept them without error. This fixes that.
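Added example, not part of the bug thread or of the OpenSSH patches: a check for configuration files that name certificate algorithms in CASignatureAlgorithms, the case comment #3 describes as accepted without error. The sample configuration is constructed, and the function names and the matching on the `-cert` part of an algorithm name are assumptions of this example.

```python
import re

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
CASignatureAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
Match User deploy
    casignaturealgorithms=+rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256
PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com
"""

# Keyword, then whitespace or a single '=', then the argument.
LINE_RE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.+)$")


def is_cert_algorithm(name):
    """Assumption: certificate key types carry '-cert' in their name."""
    return "-cert" in name.lower()


def cert_algs_in_ca_list(config_text):
    """Return (line_number, algorithm) for every certificate algorithm
    named on a CASignatureAlgorithms line."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        # Keywords are case-insensitive; other options are out of scope.
        if not m or m.group(1).lower() != "casignaturealgorithms":
            continue
        value = m.group(2).strip().strip('"')
        # A leading '+' or '-' modifies the default set; drop it.
        if value[:1] in ("+", "-"):
            value = value[1:]
        for alg in (a.strip() for a in value.split(",")):
            if alg and is_cert_algorithm(alg):
                findings.append((lineno, alg))
    return findings


if __name__ == "__main__":
    for lineno, alg in cert_algs_in_ca_list(SAMPLE_CONFIG):
        print(f"line {lineno}: certificate algorithm in CASignatureAlgorithms: {alg}")
```

Entries it reports are worth removing before moving to a release that carries the fix, since the patch title says such algorithms are disallowed from then on.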
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577

--- Comment #2 from xspielinbox+mind...@protonmail.com ---
that can be controlled via CASignatureAlgorithms, it does not make sense to me, why these options are valid, if a key using this algorithm cannot be obtained.

Moreover: having an option that is only valid alongside another option without any explanation is very confusing.
[Bug 3577] CASignatureAlgorithms supports -cert algorithms when used alongside with other options
https://bugzilla.mindrot.org/show_bug.cgi?id=3577

xspielinbox+mind...@protonmail.com changed:

           What    |Removed                     |Added
            Summary|CASignatureAlgorithms       |CASignatureAlgorithms
                   |supports -cert alogrithms   |supports -cert algorithms
                   |                            |when used alongside with
                   |                            |other options

--- Comment #1 from xspielinbox+mind...@protonmail.com ---
To clarify: When only configuring one of the -cert algorithms with CASignatureAlgorithms, one gets an error, that the configuration is invalid, but when adding them alongside some other algorithm, they are supported.

However, when signing a user certificate with a CA, ssh-keygen -L will always list the non -cert (the "normal" variant so to speak) as the algorithm behind "using" in the Signing CA. So e.g. for an ed25519 CA:

Signing CA: ED25519 SHA256:bfV6O1tWNL+L/rLib4dDFPn5eydAAhyyHUb5hz7yVjA (using ssh-ed25519)

I would not know how to get something that would then have:

Signing CA: ED25519 SHA256:bfV6O1tWNL+L/rLib4dDFPn5eydAAhyyHUb5hz7yVjA (using ssh-ed25519-cert)

As this algorithm in my understanding is the one