Hi OpenSSH, We've started using openssh certificates for server access in our team and came across a regression (introduced in https://github.com/openssh/openssh-portable/commit/4e44a79a07d4b88b6a4e5e8c1bed5f58c841b1b8) whereby our local clients who were able to successfully connect using version 6.9, were not able to do so with the same configuration on version 7.2. Our configs for clients look roughly like: IdentityFile /Users/aeijdenberg/.ssh/id_shortlived_rsa IdentitiesOnly yes and in our .ssh directory we have: id_shortlived_rsa id_shortlived_rsa-cert.pub but no "id_shortlived_rsa.pub". The reason we don't have the "id_shortlived_rsa.pub" is that we didn't want our users accidentally adding that to any authorized_keys files or linking to their Git accounts, since it will rotate often. I wrote some tests demonstrating the issue, and created a patch that I believe solves the problem. While doing so I came across a few other issues related to specifying certificates. For example, while specifying an IdentifyFile will automatically load a certificate with the same name (and common suffix), the reverse is not true, which would be convenient for our usage. Additionally, when a CertificateFile is explicitly listed, if no IdentifyFiles are listed, then implicit paths such as ~/.ssh/id_rsa are used, even when IdentitiesOnly=yes is set. I created tests for each of these, and a series of commits that I think fixes each one. I see there is a related bug here for our original issue, so it looks like we are not the only ones operating in this type of configuration: https://bugzilla.mindrot.org/show_bug.cgi?id=2617 Appreciate your consideration. I'm a first time openssh contributor, so apologies if I've missed any steps in the process. I rolled this up into a pull request here: https://github.com/openssh/openssh-portable/pull/53 I suspect that isn't how you actually pull the changes in, but thought it would be a meaningful way to share a link to the patches. Cheers, Adam _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
