On Wed, 24 Jan 2018, Michael Ströder wrote:

> >> Are SSH cert extensions and authz key options treated case-insensitive?
> >> [1] does not say anything about this.
> >
> > Cert extensions are case sensitive
> >
> > authorized_keys options aren't.
>
> Sorry for nitpicking some more:
>
> Man page ssh-keygen(1) -O says lower-case "permit-x11-forwarding" [1]

That's a typo. I'll commit a fix. It should be "permit-X11-forwarding"

> Also [2] says that options and extensions have to be "lexically
> ordered". What does that mean exactly regarding the case?
>
> E.g. in Python it makes a difference sorting case-sensitive or
> case-insensitive because capital letters are considered lower. Same in
> OpenSSH code?

Sorting should be case sensitive, i.e. upper-case first.

> $ python3
> Python 3.6.4 (default, Jan 03 2018, 13:52:55) [GCC] on linux
> Type "help", "copyright", "credits" or "license" for more information.
> >>> sorted(['permit-port-forwarding','permit-X11-forwarding','permit-pty'])
> ['permit-X11-forwarding', 'permit-port-forwarding', 'permit-pty']

This is the correct ordering, but you only need to worry about that if
you're writing certificates with your own code. ssh-keygen takes care of
putting things in the right order if you're using that to generate
certificates.

(also, I don't think the order is enforced anyway).

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
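
Added example, not part of the original message and not OpenSSH code: for anyone writing certificates with their own code, this sketch encodes the extensions field as name/data string tuples (the layout described in OpenSSH's PROTOCOL.certkeys, with empty data for flag extensions) in case-sensitive byte order, and self-checks the result. The function names are hypothetical and the extension list is the one from the thread.

```python
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the raw bytes."""
    return struct.pack(">I", len(data)) + data

def encode_extensions(names):
    """Encode flag-style extensions (empty data) as name/data tuples.

    Names are de-duplicated and sorted as raw bytes, i.e. case-sensitively,
    so 'permit-X11-forwarding' comes before 'permit-port-forwarding'.
    """
    ordered = sorted({n.encode("ascii") for n in names})
    return b"".join(ssh_string(n) + ssh_string(b"") for n in ordered)

def parse_extensions(blob: bytes):
    """Parse an extensions blob into a list of (name, data) byte tuples."""
    out, pos = [], 0
    while pos < len(blob):
        pair = []
        for _ in range(2):  # each entry is two strings: name, then data
            if pos + 4 > len(blob):
                raise ValueError("truncated length field")
            (length,) = struct.unpack_from(">I", blob, pos)
            pos += 4
            if pos + length > len(blob):
                raise ValueError("truncated string body")
            pair.append(blob[pos:pos + length])
            pos += length
        out.append(tuple(pair))
    return out

def check_order(blob: bytes) -> bool:
    """True if names are strictly ascending by byte value (sorted, unique)."""
    names = [name for name, _ in parse_extensions(blob)]
    return all(a < b for a, b in zip(names, names[1:]))

if __name__ == "__main__":
    # Extension names taken from the thread above.
    wanted = ["permit-port-forwarding", "permit-X11-forwarding", "permit-pty"]
    good = encode_extensions(wanted)
    print([n.decode() for n, _ in parse_extensions(good)], check_order(good))
    # Constructed counter-example: a case-insensitive sort puts X11 last.
    bad = b"".join(ssh_string(n.encode()) + ssh_string(b"")
                   for n in sorted(wanted, key=str.lower))
    print([n.decode() for n, _ in parse_extensions(bad)], check_order(bad))
```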