On Feb 17, 2020, at 9:43 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:

> On Mon, 17 Feb 2020, Ron Frederick wrote:
>> The other issue I ran across is that specifying “-O no-touch-required”
>> when generating the certificate didn’t work, despite that being
>> documented in the man page. It appears that ssh-keygen treats this
>> keyword as an unknown “critical” value, rather than an “extension”.
>> So, the generated certificate ended up looking something like:
>>
>> Critical Options:
>> no-touch-required UNKNOWN OPTION (len 0)
>
> This should fix that problem. I'll take a look at the others separately.
>
>
> Index: ssh-keygen.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v
> retrieving revision 1.398
> diff -u -p -r1.398 ssh-keygen.c
> --- ssh-keygen.c 7 Feb 2020 03:27:54 -0000 1.398
> +++ ssh-keygen.c 18 Feb 2020 05:43:41 -0000
> @@ -1656,7 +1656,7 @@ prepare_options_buf(struct sshbuf *c, in
> if ((which & OPTIONS_EXTENSIONS) != 0 &&
> (certflags_flags & CERTOPT_USER_RC) != 0)
> add_flag_option(c, "permit-user-rc");
> - if ((which & OPTIONS_CRITICAL) != 0 &&
> + if ((which & OPTIONS_EXTENSIONS) != 0 &&
> (certflags_flags & CERTOPT_NO_REQUIRE_USER_PRESENCE) != 0)
> add_flag_option(c, "no-touch-required");
> if ((which & OPTIONS_CRITICAL) != 0 &&

Thanks - that does indeed seem to fix the problem of needing to add “extension:” explicitly.

--
Ron Frederick
ronf@xxxxxxxxxxxxx

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
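Review bot: the hunk in prepare_options_buf has no accompanying regression check, and the `-`/`+` pair is exactly the kind of one-token slip (OPTIONS_CRITICAL vs OPTIONS_EXTENSIONS) that a test would pin down: a case that signs a certificate with `-O no-touch-required` and asserts the flag appears under extensions, not critical options, would catch the inverse mistake if either pass is edited again. The change itself is consistent with the visible context, since the `permit-user-rc` flag three lines above is already emitted under the OPTIONS_EXTENSIONS gate and `no-touch-required` now follows the same pattern, which explains why the option previously surfaced as an unknown entry under "Critical Options" in the dump Ron quoted. A one-line log message naming the misclassification would also help anyone who later bisects to this revision, as the explanation currently lives only in the reply body.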