[sshd] Add support to disable valid_after check
In debugging scenarios where the platform has not had a chance to
acquire time, developers may still need to SSH by presenting a
certificate that only is valid for some given time range. In these
cases, the platform time cannot be used to make a determination whether
the presented certificate is valid.
However, platform builds may default to a build date, which could make
the valid_before check reasonable. This change adds an option that build
configurations can add to their sshd_config to disable the valid_after check.
This option is meant for debugging purposes only and should not be used
in production environments.
Test: Key exchange continues to fail in the default configuration unless
the platform time is within the valid range. In configurations where
sshd_config adds this option, the platform accepts certificates so long
as the not_before time has not passed.
Change-Id: Ia6264498427d9cbca4ba59eade13401ecb5350b6
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 3d9f9af..070194a 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -774,6 +774,11 @@
}
if (use_authorized_principals && principals_opts == NULL)
fatal("%s: internal error: missing principals_opts", __func__);
+ if (options.ignore_valid_after != 0) {
+ debug2("%s: ignoring start time of certificate based on config",
+ __func__);
+ key->cert->valid_after = 0;
+ }
if (sshkey_cert_check_authority(key, 0, 1,
use_authorized_principals ? NULL : pw->pw_name, &reason) != 0)
goto fail_reason;
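Review bot: The added block overwrites `key->cert->valid_after` in place instead of skipping the comparison, so anything that later reads this key object sees 0 rather than the start time the CA signed. The only trace is a `debug2` line, which default log levels drop. Because this weakens certificate validation, log it where operators will see it, e.g. `logit("%s: certificate valid_after ignored (IgnoreValidAfter set)", __func__);`, and put a comment above the assignment saying the certificate struct is deliberately modified. Only this call to sshkey_cert_check_authority() is covered. The enclosing function starts and ends outside the hunk, so any other call site would still enforce valid_after, which the option's documentation should say.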
diff --git a/servconf.c b/servconf.c
index c0f6af0..f5f3d45 100644
--- a/servconf.c
+++ b/servconf.c
@@ -83,6 +83,7 @@
/* Portable-specific options */
options->use_pam = -1;
+ options->ignore_valid_after = -1;
/* Standard Options */
options->num_ports = 0;
@@ -259,6 +260,8 @@
/* Portable-specific options */
if (options->use_pam == -1)
options->use_pam = 0;
+ if (options->ignore_valid_after == -1)
+ options->ignore_valid_after = 0;
/* Standard Options */
if (options->num_host_key_files == 0) {
@@ -459,7 +462,7 @@
typedef enum {
sBadOption, /* == unknown option */
/* Portable-specific options */
- sUsePAM,
+ sUsePAM, sIgnoreValidAfter,
/* Standard Options */
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel,
@@ -513,6 +516,7 @@
{ "usepam", sUnsupported, SSHCFG_GLOBAL },
#endif
{ "pamauthenticationviakbdint", sDeprecated, SSHCFG_GLOBAL },
+ { "ignorevalidafter", sIgnoreValidAfter, SSHCFG_GLOBAL },
/* Standard Options */
{ "port", sPort, SSHCFG_GLOBAL },
{ "hostkey", sHostKeyFile, SSHCFG_GLOBAL },
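Review bot: The `ignorevalidafter` keyword is registered unconditionally, although the commit description calls the option debug-only, so every build, production included, accepts it from sshd_config. The `usepam` entry just above shows the usual pattern: map the keyword to its opcode only when a build-time macro is defined, and to `sUnsupported` otherwise. The macro name in the fence is a placeholder, and the table's opening lines are outside the hunk.

```c
/* … unchanged: usepam and pamauthenticationviakbdint entries … */
#ifdef DEBUG_IGNORE_VALID_AFTER	/* placeholder macro name */
	{ "ignorevalidafter", sIgnoreValidAfter, SSHCFG_GLOBAL },
#else
	{ "ignorevalidafter", sUnsupported, SSHCFG_GLOBAL },
#endif
/* … unchanged: Standard Options entries … */
```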
@@ -1251,6 +1255,9 @@
intptr = &options->use_pam;
goto parse_flag;
+ case sIgnoreValidAfter:
+ intptr = &options->ignore_valid_after;
+ goto parse_flag;
/* Standard Options */
case sBadOption:
return -1;
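Review bot: No hunk in this diff adds the new option to the configuration dump, so `sshd -T` would presumably not report whether the valid_after check is disabled, which is the first thing an auditor would look for. If this tree has `dump_config()`, add `dump_cfg_fmtint(sIgnoreValidAfter, o->ignore_valid_after);` next to the `use_pam` line there. The option also needs an sshd_config.5 entry saying it disables only the certificate start-time check and is meant for debug builds. The switch this case belongs to starts and ends outside the hunk.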
diff --git a/servconf.h b/servconf.h
index 557521d..fbe3dd1 100644
--- a/servconf.h
+++ b/servconf.h
@@ -181,6 +181,7 @@
char *adm_forced_command;
int use_pam; /* Enable auth via PAM */
+ int ignore_valid_after; /* Ignore certificate start validity check */
int permit_tun;