On 11/14/2014 03:34 AM, Damien Miller wrote:
I recompiled openssh with that line added to krl.c but it gives the same result:What version of OpenSSH are you using? I fixed a bug in KRL generation a few months ago: https://anongit.mindrot.org/openssh.git/commit/krl.c?id=2cd7929250cf9e9f658d70dcd452f529ba08c942 On Thu, 13 Nov 2014, Peter Ankerst?l wrote:Hi! It seems to be a problem when I have revoked keys from multiple CAs in one KRL file. ssh refuses access and says: Nov 13 13:32:15 q sshd[35438]: error: buffer_get_string_ptr: bad string length 268032 Nov 13 13:32:15 q sshd[35438]: error: parse_revoked_certs: buffer error Nov 13 13:32:15 q sshd[35438]: error: Invalid KRL, refusing public key authentication How would I revoke keys from multiple CAs then? if I put multiple RevokedKeys it only considers one file. The KRL is generated by: ssh-keygen -k -u -f revoked_keys.bin -s ca1.pub revoked_keys1 ssh-keygen -k -u -f revoked_keys.bin -s ca2.pub revoked_keys2 revokes_keys[1-2] has the format: serial: 2134 serial: 2343 serial: 2842 serial: 8795
debug1: KRL version 0 generated at 20141114T080704 debug3: ssh_krl_from_blob: first pass, section 0x01 debug3: ssh_krl_from_blob: first pass, section 0x01 debug3: ssh_krl_from_blob: second pass, section 0x01 debug3: parse_revoked_certs: subsection type 0x20 debug3: revoked_certs_for_ca_key: new CA RSA debug3: parse_revoked_certs: subsection type 0x22 debug3: parse_revoked_certs: subsection type 0x20 debug3: ssh_krl_from_blob: second pass, section 0x01 debug3: parse_revoked_certs: subsection type 0x20 debug3: parse_revoked_certs: subsection type 0x22 debug3: parse_revoked_certs: subsection type 0x20 buffer_get_string_ptr: bad string length 268032 parse_revoked_certs: buffer error Invalid KRL, refusing public key authentication
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev