Re: SSH cert extensions and authz key options

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Wed, 24 Jan 2018, Michael Ströder wrote:

> >> Are SSH cert extensions and authz key options treated case-insensitive?
> >> [1] does not say anything about this.
> > 
> > Cert extensions are case sensitive
> > 
> > authorized_keys options aren't.
> 
> Sorry for nitpicking some more:
> 
> Man page ssh-keygen(1) -O says lower-case "permit-x11-forwarding" [1]

That's a typo. I'll commit a fix. It should be "permit-X11-forwarding"

> Also [2] says that options and extensions have to be "lexically
> ordered". What does that mean exactly regarding the case?
> 
> E.g. in Python it makes a difference sorting case-sensitive or
> case-insensitive because capital letters are considered lower. Same in
> OpenSSH code?

Sorting should be case sensitive, i.e. upper-case first.

> $ python3
> Python 3.6.4 (default, Jan 03 2018, 13:52:55) [GCC] on linux
> Type "help", "copyright", "credits" or "license" for more information.
> >>> sorted(['permit-port-forwarding','permit-X11-forwarding','permit-pty'])
> ['permit-X11-forwarding', 'permit-port-forwarding', 'permit-pty']

This is the correct ordering, but you only need to worry about that
if you're writing certificates with your own code. ssh-keygen takes care
of putting things in the right order if you're using that to generate
certificates.

(also, I don't think the order is enforced anyway).

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux