
Certificate identity handling #53

Closed


aeijdenberg

Creating pull request to link to in mailing list discussion.

1. IdentitiesOnly=yes not working as expected when certificates
   are specified.

2. IdentityFile=/private/key not working when certificate but no
   public key is present (regression from earlier versions).

3. CertificateFile=/path/to/key-cert.pub not implicitly picking up
   private key (as it does in the opposite direction).

Next commits fix these.
…yes is specified, then do not load implicit identities.

public key file.

Prior to 4e44a79 (in 7.2) it was
possible to use IdentityFile to point to a private key file, e.g.
"id_shortlived_rsa", with no corresponding public key file (such as
"id_shortlived_rsa.pub") and instead a public certificate, e.g.
"id_shortlived_rsa-cert.pub".

Upgrading to 7.2 broke our users configuration files and tools that
relied on this. While we were able to workaround by changing our tooling
to produce the ".pub" files, this is a regression from previous
behaviour.

(The reason we deliberately didn't produce the ".pub" files is that our
workflow regularly generates new private keys for users, and then issues
certificates for them. We prefer not to put the "id_shortlived_rsa.pub"
on disk, lest users get confused and start putting that in
authorized_keys files, or linking to their Git accounts.)
…lent name when present, if no other IdentityFiles are explicitly listed.

This mirrors the current behaviour where a Certificate file is loaded for a
key if present.
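The three file layouts the PR description contrasts (a private key with its `.pub`, a private key with only a `-cert.pub` beside it, and a `CertificateFile` whose private key is implied by stripping `-cert.pub`) are easy to get wrong in a config that has been carried across OpenSSH versions. The script below is an added example, not code from this PR or from OpenSSH: it reads an ssh_config, reports for each `IdentityFile` whether the key, its `.pub` and its `-cert.pub` exist, and for each `CertificateFile` whether the implied private key exists, so that identities relying on the cert-without-`.pub` layout the PR reports as broken in 7.2 can be spotted before an upgrade. Only the `Key Value` and `Key=Value` directive forms and a leading `~/` are handled; the sample config in the usage comment is constructed.

```shell
#!/bin/sh
# Added example (not part of PR #53 or of OpenSSH). Audit an ssh_config for the
# identity / certificate file layouts discussed in the PR description.
# Usage: audit_config ~/.ssh/config

# expand_path PATH: expand a leading "~/" to $HOME (the only expansion handled here)
expand_path() {
    case "$1" in
        "~/"*) printf '%s\n' "$HOME${1#\~}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# yn FILE: "yes" if FILE is an existing regular file, else "no"
yn() { if [ -f "$1" ]; then echo yes; else echo no; fi; }

# audit_config CONFIG: print one report line per IdentityFile / CertificateFile:
#   identity <path> key=<yes|no> pub=<yes|no> cert=<yes|no>
#   certificate <path> key=<yes|no>
# "pub" is "<path>.pub", "cert" is "<path>-cert.pub" (the naming convention the PR
# relies on); for a CertificateFile, "key" is the private key implied by
# stripping the "-cert.pub" suffix, the implicit pickup the PR asks for.
audit_config() {
    # drop comments, leading whitespace, and turn "Key=Value" into "Key Value"
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/ /' "$1" |
    while read -r key value; do
        [ -n "$key" ] || continue
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')   # directives are case-insensitive
        path=$(expand_path "$value")
        case "$key" in
            identityfile)
                printf 'identity %s key=%s pub=%s cert=%s\n' \
                    "$path" "$(yn "$path")" "$(yn "$path.pub")" "$(yn "$path-cert.pub")"
                ;;
            certificatefile)
                case "$path" in
                    *-cert.pub) priv="${path%-cert.pub}" ;;
                    *)          priv="" ;;
                esac
                printf 'certificate %s key=%s\n' "$path" \
                    "$( [ -n "$priv" ] && yn "$priv" || echo no )"
                ;;
        esac
    done
}

# count_bare_cert_identities CONFIG: number of IdentityFile entries that have a
# certificate but no ".pub" file, i.e. the layout reported as a regression in 7.2.
count_bare_cert_identities() {
    audit_config "$1" | { grep -c '^identity .* pub=no cert=yes$' || true; }
}
```

A non-zero `count_bare_cert_identities` on a config means some hosts depend on the private-key-plus-certificate layout, which is worth knowing before moving users between OpenSSH versions; `ssh -G host` (which prints the resolved configuration) is the complementary check for what the client itself ends up using.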
@djmdjm
Contributor

djmdjm commented Feb 10, 2018

Please use https://bugzilla.mindrot.org/ instead of github PRs in future. We only use this site as a mirror and seldom check the PR queue (thus the inactivity).

AFAIK there have been a few fixes to bare cert keys since this was reported.

@djmdjm djmdjm closed this Feb 10, 2018