From 7b81bec8aa79ccf0dfeffac9b52c5dcbce2c1760 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Tue, 26 Nov 2019 19:09:01 -0800
Subject: [PATCH] Use default duration for host certificates identity files.
---
 api/ssh.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/api/ssh.go b/api/ssh.go
index e3fff0b3..6382a27d 100644
--- a/api/ssh.go
+++ b/api/ssh.go
@@ -306,9 +306,13 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
 // Sign identity certificate if available.
 var identityCertificate []Certificate
 if cr := body.IdentityCSR.CertificateRequest; cr != nil {
- opts := provisioner.Options{
- NotBefore: provisioner.NewTimeDuration(time.Unix(int64(cert.ValidAfter), 0)),
- NotAfter: provisioner.NewTimeDuration(time.Unix(int64(cert.ValidBefore), 0)),
+ var opts provisioner.Options
+ // Use same duration as ssh certificate for user certificates
+ if body.CertType == provisioner.SSHUserCert {
+ opts = provisioner.Options{
+ NotBefore: provisioner.NewTimeDuration(time.Unix(int64(cert.ValidAfter), 0)),
+ NotAfter: provisioner.NewTimeDuration(time.Unix(int64(cert.ValidBefore), 0)),
+ }
 }
 ctx := authority.NewContextWithSkipTokenReuse(context.Background())
 ctx = provisioner.NewContextWithMethod(ctx, provisioner.SignMethod)
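Review bot: The new branch `if body.CertType == provisioner.SSHUserCert {` keys on the request field rather than on the certificate that was actually issued, so any other value leaves `opts` zero and the identity certificate gets the provisioner's default validity. If an empty `CertType` is accepted and defaulted to a user certificate elsewhere in `SSHSign` (not visible here; the function starts and ends outside the hunk), such a request would now get an identity certificate whose lifetime no longer matches its SSH certificate. Consider testing the signed certificate instead, e.g. `if cert.CertType == ssh.UserCert {`, assuming `cert` is the x/crypto `ssh.Certificate` that its `ValidAfter`/`ValidBefore` fields suggest. The host case also deserves its own comment, such as `// Host certificates: leave opts zero so the provisioner's default duration applies; the identity certificate's validity is then independent of the SSH host certificate.`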