diff options
author | Damien Miller <djm@cvs.openbsd.org> | 2017-11-03 05:14:05 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2017-11-03 05:14:05 +0000 |
commit | dc30e5d1af8bfc09b56bf532d375f462260839bc (patch) | |
tree | 316044adfd09afc538d34ab6ca84834f75a69e82 /usr.bin | |
parent | ccbeea5c3a0f8b6736e0c93bf23095c5b36f29d0 (diff) |
allow certificate validity intervals that specify only a start or
stop time (we already support specifying both or neither)
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/ssh/ssh-keygen.1 | 23 | ||||
-rw-r--r-- | usr.bin/ssh/ssh-keygen.c | 12 |
2 files changed, 24 insertions, 11 deletions
diff --git a/usr.bin/ssh/ssh-keygen.1 b/usr.bin/ssh/ssh-keygen.1 index 5f1ec09b07a..0ade33de95f 100644 --- a/usr.bin/ssh/ssh-keygen.1 +++ b/usr.bin/ssh/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.144 2017/07/08 18:32:54 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.145 2017/11/03 05:14:04 djm Exp $ .\" .\" Author: Tatu Ylonen <ylo@cs.hut.fi> .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -35,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: July 8 2017 $ +.Dd $Mdocdate: November 3 2017 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -584,13 +584,20 @@ Specify a validity interval when signing a certificate. A validity interval may consist of a single time, indicating that the certificate is valid beginning now and expiring at that time, or may consist of two times separated by a colon to indicate an explicit time interval. -The start time may be specified as a date in YYYYMMDD format, a time -in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting -of a minus sign followed by a relative time in the format described in the +.Pp +The start time may be specified as the string +.Dq always +to indicate the certificate has no specified start time, +a date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format, +a relative time (to the current time) consisting of a minus sign followed by +an interval in the format described in the TIME FORMATS section of .Xr sshd_config 5 . -The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or -a relative time starting with a plus character. +.Pp +The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time, +a relative time starting with a plus character or the string +.Dq forever +to indicate that the certificate has no expirty date. .Pp For example: .Dq +52w1d @@ -601,6 +608,8 @@ For example: (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), .Dq -1d:20110101 (valid from yesterday to midnight, January 1st, 2011). +.Dq -1m:forever +(valid from one minute ago and never expiring). .It Fl v Verbose mode. Causes diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c index 2b9782c5c08..282324f7f59 100644 --- a/usr.bin/ssh/ssh-keygen.c +++ b/usr.bin/ssh/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.307 2017/07/07 03:53:12 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.308 2017/11/03 05:14:04 djm Exp $ */ /* * Author: Tatu Ylonen <ylo@cs.hut.fi> * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland @@ -1816,7 +1816,7 @@ parse_absolute_time(const char *s) s, s + 4, s + 6, s + 8, s + 10, s + 12); break; default: - fatal("Invalid certificate time format %s", s); + fatal("Invalid certificate time format \"%s\"", s); } memset(&tm, 0, sizeof(tm)); @@ -1849,8 +1849,8 @@ parse_cert_times(char *timespec) /* * from:to, where - * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS - * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS + * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "always" + * to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "forever" */ from = xstrdup(timespec); to = strchr(from, ':'); @@ -1860,11 +1860,15 @@ parse_cert_times(char *timespec) if (*from == '-' || *from == '+') cert_valid_from = parse_relative_time(from, now); + else if (strcmp(from, "always") == 0) + cert_valid_from = 0; else cert_valid_from = parse_absolute_time(from); if (*to == '-' || *to == '+') cert_valid_to = parse_relative_time(to, now); + else if (strcmp(to, "forever") == 0) + cert_valid_to = ~(u_int64_t)0; else cert_valid_to = parse_absolute_time(to); |