===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sshsig.c,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- src/usr.bin/ssh/sshsig.c	2020/10/18 11:32:02	1.18
+++ src/usr.bin/ssh/sshsig.c	2021/01/26 00:49:30	1.19
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshsig.c,v 1.18 2020/10/18 11:32:02 djm Exp $ */
+/* $OpenBSD: sshsig.c,v 1.19 2021/01/26 00:49:30 djm Exp $ */
 /*
  * Copyright (c) 2019 Google LLC
  *
@@ -807,7 +807,7 @@
 	} else if (sigopts->ca && sshkey_is_cert(sign_key) &&
 	    sshkey_equal_public(sign_key->cert->signature_key, found_key)) {
 		/* Match of certificate's CA key */
-		if ((r = sshkey_cert_check_authority(sign_key, 0, 1,
+		if ((r = sshkey_cert_check_authority(sign_key, 0, 1, 0,
 		    principal, &reason)) != 0) {
 			error("%s:%lu: certificate not authorized: %s",
 			    path, linenum, reason);
@@ -890,7 +890,7 @@
 			continue;
 		}
 		/* Check against principals list in certificate */
-		if ((r = sshkey_cert_check_authority(cert, 0, 1,
+		if ((r = sshkey_cert_check_authority(cert, 0, 1, 0,
 		    cp, &reason)) != 0) {
 			debug("%s:%lu: principal \"%s\" not authorized: %s",
 			    path, linenum, cp, reason);