PROTOCOL.certkeys does not document the special case when "valid before" is set to 0. A certificate like this will be always valid ("forever").

This is the current text in the PROTOCOL.certkeys:

```
"valid after" and "valid before" specify a validity period for the
certificate. Each represents a time in seconds since 1970-01-01
00:00:00. A certificate is considered valid if:

    valid after <= current time < valid before
```

With that description a certificate with valid before set to 0 will not be valid.
What special case are you referring to? AFAIK there is no such special case.
The special case is that you can create an SSH certificate without an expiration date if you set the valid before to 0. See the flag -V in `man ssh-keygen`:
https://github.com/openssh/openssh-portable/blob/d3cc4d650ce3e59f3e370b101778b0e8f1c02c4d/ssh-keygen.1#L613-L643

I haven't tried to debug the code, but in /auth.c there's code to skip the expiration check if opts->valid_before is 0.
https://github.com/openssh/openssh-portable/blob/2dc328023f60212cd29504fc05d849133ae47355/auth.c#L963-L969

And that "forever" mode, as `man ssh-keygen` says, is not documented in PROTOCOL.certkeys.
"forever" in ssh-keygen sets valid_after=0 and valid_before=0xffffffffffffffff, so that's not the case you're talking about here unless you're considering wall clock times before 1970 or many billions of years in the future:
https://github.com/openssh/openssh-portable/blob/d3cc4d650ce3e59f3e370b101778b0e8f1c02c4d/ssh-keygen.c#L1954

The other case has nothing to do with certificates (note that the 'opts' variable here is not a key, but another type). It is to support the authorized_keys "expiry-time" keyword:
https://github.com/openssh/openssh-portable/blob/d3cc4d650ce3e59f3e370b101778b0e8f1c02c4d/sshd.8#L527
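The validity rule discussed in this thread, as an added example that is not part of the original comments and is not OpenSSH code: it reads "valid after" and "valid before" out of a certificate body and applies the rule quoted from PROTOCOL.certkeys. The helper names and the sample certificate (dummy nonce and key, cut off after the validity fields, ssh-ed25519-cert-v01@openssh.com field order) are constructed for illustration.

```python
import struct

FOREVER = 0xFFFFFFFFFFFFFFFF  # all 64 bits set, i.e. ~(u_int64_t)0 in C


def put_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def skip_string(buf: bytes, off: int) -> int:
    """Return the offset just past the SSH string that starts at off."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string field")
    return off + 4 + n


def sample_cert_prefix(valid_after: int, valid_before: int) -> bytes:
    """Constructed ed25519 certificate body, up to the validity fields."""
    return (put_string(b"ssh-ed25519-cert-v01@openssh.com")
            + put_string(b"\x00" * 32)           # nonce (dummy)
            + put_string(b"\x11" * 32)           # pk (dummy)
            + struct.pack(">QI", 1, 1)           # serial, type (1 = user)
            + put_string(b"example-key-id")      # key id
            + put_string(put_string(b"alice"))   # valid principals
            + struct.pack(">QQ", valid_after, valid_before))


def validity_window(blob: bytes):
    """Return (valid_after, valid_before) as unsigned 64-bit integers."""
    off = 0
    for _ in range(3):       # key type, nonce, pk
        off = skip_string(blob, off)
    off += 8 + 4             # serial (uint64) + type (uint32)
    for _ in range(2):       # key id, valid principals
        off = skip_string(blob, off)
    return struct.unpack_from(">QQ", blob, off)


def is_valid(blob: bytes, now: int) -> bool:
    """Rule from PROTOCOL.certkeys: valid after <= now < valid before."""
    valid_after, valid_before = validity_window(blob)
    return valid_after <= now < valid_before


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    print("0 .. 0xffffffffffffffff:", is_valid(sample_cert_prefix(0, FOREVER), now))
    print("0 .. 0                 :", is_valid(sample_cert_prefix(0, 0), now))
```

With the fields read as unsigned 64-bit values, a "valid before" of 0 can never satisfy the rule, while the 0 / 0xffffffffffffffff pair covers every timestamp except the maximum value itself.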
You're right, didn't understand the `~` in `~(u_int64_t)0;`
closing bugs resolved before openssh-8.9