On Mon, 17 Feb 2020, Ron Frederick wrote: > The other issue I ran across is that specifying “-O no-touch-required” > when generating the certificate didn’t work, despite that being > documented in the man page. It appears that ssh-keygen treats this > keyword as an unknown “critical” value, rather than an “extension”. > So, the generated certificate ended up looking something like: > > Critical Options: > no-touch-required UNKNOWN OPTION (len 0) This should fix that problem. I'll take a look at the others separately. Index: ssh-keygen.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v retrieving revision 1.398 diff -u -p -r1.398 ssh-keygen.c --- ssh-keygen.c 7 Feb 2020 03:27:54 -0000 1.398 +++ ssh-keygen.c 18 Feb 2020 05:43:41 -0000 @@ -1656,7 +1656,7 @@ prepare_options_buf(struct sshbuf *c, in if ((which & OPTIONS_EXTENSIONS) != 0 && (certflags_flags & CERTOPT_USER_RC) != 0) add_flag_option(c, "permit-user-rc"); - if ((which & OPTIONS_CRITICAL) != 0 && + if ((which & OPTIONS_EXTENSIONS) != 0 && (certflags_flags & CERTOPT_NO_REQUIRE_USER_PRESENCE) != 0) add_flag_option(c, "no-touch-required"); if ((which & OPTIONS_CRITICAL) != 0 && _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
