When I have a KRL containing revocations from multiple CAs it gets corrupted somehow. sshd can't read it. This is what sshd says:

debug1: KRL version 0 generated at 20141114T080704
debug3: ssh_krl_from_blob: first pass, section 0x01
debug3: ssh_krl_from_blob: first pass, section 0x01
debug3: ssh_krl_from_blob: second pass, section 0x01
debug3: parse_revoked_certs: subsection type 0x20
debug3: revoked_certs_for_ca_key: new CA RSA
debug3: parse_revoked_certs: subsection type 0x22
debug3: parse_revoked_certs: subsection type 0x20
debug3: ssh_krl_from_blob: second pass, section 0x01
debug3: parse_revoked_certs: subsection type 0x20
debug3: parse_revoked_certs: subsection type 0x22
debug3: parse_revoked_certs: subsection type 0x20
buffer_get_string_ptr: bad string length 268032
parse_revoked_certs: buffer error
Invalid KRL, refusing public key authentication

I generated the KRL using two text files containing multiple "serial: <serial>" lines, like this:

ssh-keygen -k -u -f revoked_keys.bin -s ca1.pub revoked_keys1
ssh-keygen -k -u -f revoked_keys.bin -s ca2.pub revoked_keys2

I have tried to remove the revoked_keys.bin and generate a new one without success. I even tried revoking from ca2 first and then ca1.
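Added example, not code from the report or from OpenSSH: a Python walker over the KRL wire format documented in OpenSSH's PROTOCOL.krl (the header, the 0x01 certificate sections and the 0x20/0x22 subsections that appear in the sshd debug output above) that rejects a bad string length with a clear error instead of crashing, so a freshly generated KRL can be sanity-checked before it is installed, given that an invalid KRL makes sshd refuse all public key authentication. The two sample blobs are constructed and unsigned; signature sections (0x04) are kept raw and not verified.

```python
import struct
KRL_MAGIC = b"SSHKRL\n\0"

def _string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes) at off, rejecting lengths past the end."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("bad string length %d at offset %d" % (n, off))
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_certs_section(data):
    """Section 0x01: string ca_key, string reserved, then (byte type, string body) subsections."""
    ca_key, off = _string(data, 0)
    _reserved, off = _string(data, off)
    subs = []
    while off < len(data):
        stype, (body, off) = data[off], _string(data, off + 1)
        if stype == 0x20:  # serial list: a run of uint64 serials (struct.error if not a multiple of 8)
            body = list(struct.unpack(">%dQ" % (len(body) // 8), body))
        subs.append((stype, body))  # 0x21 range, 0x22 bitmap, 0x23 key id are kept raw
    return ca_key, subs

def parse_krl(blob):
    """Walk the KRL; return [(section_type, parsed_body)] or raise ValueError/struct.error."""
    if not blob.startswith(KRL_MAGIC):
        raise ValueError("missing KRL magic")
    off = len(KRL_MAGIC)
    if struct.unpack(">I", blob[off:off + 4])[0] != 1:
        raise ValueError("unsupported KRL format version")
    off += 4 + 24  # skip krl_version, generated_date, flags (three uint64 fields)
    for _ in range(2):  # reserved, comment
        _skip, off = _string(blob, off)
    sections = []
    while off < len(blob):
        stype, (body, off) = blob[off], _string(blob, off + 1)
        sections.append((stype, parse_certs_section(body) if stype == 0x01 else body))
    return sections

def check(blob):  # pre-deployment check: the sections, or the reason sshd would reject the file
    try:
        return parse_krl(blob)
    except (ValueError, struct.error) as e:
        return "Invalid KRL: %s" % e

# Constructed, unsigned sample KRL: two CA sections, each with one serial-list (0x20) subsection.
def _s(b): return struct.pack(">I", len(b)) + b
def _certs_section(ca_key, serials):
    return b"\x01" + _s(_s(ca_key) + _s(b"") + b"\x20" + _s(struct.pack(">%dQ" % len(serials), *serials)))
HEADER = KRL_MAGIC + struct.pack(">IQQQ", 1, 0, 0, 0) + _s(b"") + _s(b"")
GOOD_KRL = HEADER + _certs_section(b"ca1-key-blob", [1, 2]) + _certs_section(b"ca2-key-blob", [7])
BAD_KRL = GOOD_KRL[:-3]  # drop 3 bytes: the last section's length field now overruns the blob
```

Run `check()` over the real revoked_keys.bin to see which section or subsection the length error lands in; a good file returns the list of CA sections with their parsed serials.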
Fixed in -current and will be released in OpenSSH 6.8:

> commit 9f9fad0191028edc43d100d0ded39419b6895fdf
> Author: djm@openbsd.org <djm@openbsd.org>
> Date:   Mon Nov 17 00:21:40 2014 +0000
>
>     upstream commit
>
>     fix KRL generation when multiple CAs are in use
>
>     We would generate an invalid KRL when revoking certs by serial
>     number for multiple CA keys due to a section being written out
>     twice.
>
>     Also extend the regress test to catch this case by having it
>     produce a multi-CA KRL.
>
>     Reported by peter AT pean.org
openssh-6.8 is released