summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
authorDamien Miller <djm@cvs.openbsd.org>2017-11-03 05:14:05 +0000
committerDamien Miller <djm@cvs.openbsd.org>2017-11-03 05:14:05 +0000
commitdc30e5d1af8bfc09b56bf532d375f462260839bc (patch)
tree316044adfd09afc538d34ab6ca84834f75a69e82 /usr.bin
parentccbeea5c3a0f8b6736e0c93bf23095c5b36f29d0 (diff)
allow certificate validity intervals that specify only a start or
stop time (we already support specifying both or neither)
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/ssh-keygen.123
-rw-r--r--usr.bin/ssh/ssh-keygen.c12
2 files changed, 24 insertions, 11 deletions
diff --git a/usr.bin/ssh/ssh-keygen.1 b/usr.bin/ssh/ssh-keygen.1
index 5f1ec09b07a..0ade33de95f 100644
--- a/usr.bin/ssh/ssh-keygen.1
+++ b/usr.bin/ssh/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keygen.1,v 1.144 2017/07/08 18:32:54 jmc Exp $
+.\" $OpenBSD: ssh-keygen.1,v 1.145 2017/11/03 05:14:04 djm Exp $
.\"
.\" Author: Tatu Ylonen <ylo@cs.hut.fi>
.\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd $Mdocdate: July 8 2017 $
+.Dd $Mdocdate: November 3 2017 $
.Dt SSH-KEYGEN 1
.Os
.Sh NAME
@@ -584,13 +584,20 @@ Specify a validity interval when signing a certificate.
A validity interval may consist of a single time, indicating that the
certificate is valid beginning now and expiring at that time, or may consist
of two times separated by a colon to indicate an explicit time interval.
-The start time may be specified as a date in YYYYMMDD format, a time
-in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
-of a minus sign followed by a relative time in the format described in the
+.Pp
+The start time may be specified as the string
+.Dq always
+to indicate the certificate has no specified start time,
+a date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format,
+a relative time (to the current time) consisting of a minus sign followed by
+an interval in the format described in the
TIME FORMATS section of
.Xr sshd_config 5 .
-The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
-a relative time starting with a plus character.
+.Pp
+The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time,
+a relative time starting with a plus character or the string
+.Dq forever
+to indicate that the certificate has no expirty date.
.Pp
For example:
.Dq +52w1d
@@ -601,6 +608,8 @@ For example:
(valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
.Dq -1d:20110101
(valid from yesterday to midnight, January 1st, 2011).
+.Dq -1m:forever
+(valid from one minute ago and never expiring).
.It Fl v
Verbose mode.
Causes
diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c
index 2b9782c5c08..282324f7f59 100644
--- a/usr.bin/ssh/ssh-keygen.c
+++ b/usr.bin/ssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.307 2017/07/07 03:53:12 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.308 2017/11/03 05:14:04 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1816,7 +1816,7 @@ parse_absolute_time(const char *s)
s, s + 4, s + 6, s + 8, s + 10, s + 12);
break;
default:
- fatal("Invalid certificate time format %s", s);
+ fatal("Invalid certificate time format \"%s\"", s);
}
memset(&tm, 0, sizeof(tm));
@@ -1849,8 +1849,8 @@ parse_cert_times(char *timespec)
/*
* from:to, where
- * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS
- * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS
+ * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "always"
+ * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "forever"
*/
from = xstrdup(timespec);
to = strchr(from, ':');
@@ -1860,11 +1860,15 @@ parse_cert_times(char *timespec)
if (*from == '-' || *from == '+')
cert_valid_from = parse_relative_time(from, now);
+ else if (strcmp(from, "always") == 0)
+ cert_valid_from = 0;
else
cert_valid_from = parse_absolute_time(from);
if (*to == '-' || *to == '+')
cert_valid_to = parse_relative_time(to, now);
+ else if (strcmp(to, "forever") == 0)
+ cert_valid_to = ~(u_int64_t)0;
else
cert_valid_to = parse_absolute_time(to);