Content:

• News
• Features
• Mailing list
• Downloads ^{(on other page)}
• History
• Todo
• News archives
• Miscellaneous

News:

19 May 2013 : Version x509-7.5

What's new:

• restore support for multiple key types in authorized keys
  Version 7.4 introduce regression in processing of authorized keys files - keys from file are not processed properly if "key-type" is different.

• pkcs11 module support DSA keys
  

• public key permit X.509 certificate as host key
  Similarly as "authorized keys" files, now public key listed in "know host" file allow X.509 host certificate to be accepted if public part match.

• minimize use of Key type enumerate in allowed algorithms
  Implementation of options PubkeyAlgorithms and HostbasedAlgorithms now is modified do not use Key type enumerate,

• new configuration variable ssh_cv_complete_ecc
  Configure script check "whether OpenSSL has complete ECC support" but part of test is based on library version. For instance ECC code is enabled if OpenSSL version is at least 0.9.8g. In addition FIPS enabled build will exclude ecsda keys for all 0.9.8* versions. Some vendors distribute patched crypto library with reliable ECC code. In this case variable "ssh_cv_complete_ecc" has to be preset to yes to override configure defaults (ref. "Site Configuration" from autoconf manual).

• documentation updates
  As order of private part and X.509 certificate that match it is not important in identity files, now manual pages and README.x509v3 are updated do not state that X.509 certificate has to follow private key.

Download:

Version 7.5 is available for OpenSSH 6.0p1, 6.1p1 and 6.1p2 .

23 March 2013 : Version x509-7.4.1

What's new:

• support OpenSSH version 6.2p1 (released on 22 March 2013)
  Refer to release note for details.
  

Download:

Version 7.4.1, i.e. 7.4 specific for OpenSSH 6.2p1, is available on download page.

4 Jan 2013 : Version x509-7.4

What's new:

• remove deprecated option X509rsaSigType
  
• document use of X.509 certificates from DNS server and add RSASHA1 algorithm as described in rfc4034
  
• change authorized message
  If public identity contain X.509 certificate message is changed to "Authorized by " followed by key type and X.509 certificate distigushed name or public key fingerprint depending from data found in user authorised keys
• clarify processing if X.509 store is not built-in>
  
• enhance regression tests
  Enhance self-signed test and new tests for HostKeyAlgorithms and fail back for PubkeyAlgorithms. Later is used in authentication when user identity contain X.509 certificate but remote host lack support for X.509 certificates
• order of key and X.509 certificate is not important in user identity file
  Although manual pages state that X.509 certificate has to follow private key since long time order was not important. This functionality was broken in the past, then fixed and now is fixed again. Last issue is related to fact that OpenSSL bio seek does not work on memory buffer. Impacted are all versions based on OpenSSH 5.7 and later.
• minimize use of Key type enumerate
  Prepare code for next main release avoid additional updates when new key algorithms will be added.

Download:

Please find version 7.4 (on download page) available for OpenSSH 6.0p1 and 6.1p1.

30 Sep 2012 : Version x509-7.3

Main updates:

• enable AES cipher in CRT mode for FIPS build
  Build with FIPS enabled OpenSSL now use openssl implementation.
• initialization of OpenSSL engines
  Engine initialization is improved and now OpenSSL static engines are initialized only once. Double initialization lead to application crash in engine cleanup, even without use of engines.
  Note that dynamic engines are not impacted.
• exclude X.509 regression test
  If SSH_X509TESTS is set to skip, X.509 regression test will not be run when is requested regression tests to be run as example:

  make check SSH_X509TESTS=skip

• fips regression test
  Standard regression tests are enhanced with connect-privsep and try-ciphers test run in FIPS mode. Tests could be executed only manually as example:

  make FIPS_LTESTS=[name_of_test] REGRESS_TARGETS=f-exec

Download:

Version 7.3 is available on download page for OpenSSH 6.0p1 and 6.1p1.

30 Aug 2012 : Version x509-7.2.1

What's new:

• support OpenSSH version 6.1p1 (released on 29 Aug 2012)
  Refer to release note for details.
  
• unlimited size of X.509 certificate in OpenSSH public key format
  10 years old limitation of 4096 bytes now is gone. Note that use of "Distinguished Name" in authorized keys file is preferred.
• document that sha1 hash is preferred
  Since version 7.1 sha1 is preferred over md5 and documentation is corrected to address this.
• daemon log FIPS mode
  SSH daemon build with FIPS capable OpenSSL log in whith mode is run : FIPS or Non-FIPS.

Download:

Version 7.2.1 for OpenSSH 6.0p1 and 6.1p1 is available on download page.

25 May 2012 : Version x509-7.2

What's new:

• cross-build for Android host
  The version 7.2 was successfully build and tested in emulated Andorid environment. The test was performed with OpenSSL 1.0+ version. Android build require library ldns and following additional argumets to configure script:

          .../configure \
          ... \
          --without-sandbox \
          --with-default-path=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin \
          --without-tcp-wrappers \
          --without-xauth \
          --with-ldns \
          --disable-strip \
          \
          --build=...-pc-linux \
          --host=arm-linux-androideabi
          

• proper engine shutdown
  Support for OpenSSl engines in ssh client was improved to shutdown engines. Starting from 7.2 engine support is considered mature.
• FIPS tests for OpenSSL 1.0.1+ releases
  FIPS capable OpenSSL 0.9.8x in FIPS mode create pkcs8 keys by default. Unfortunately, in such case, 1.0.1 releases does not create pkcs8 keys by default and creation of test certificates fail. X.509 certificate regression test script implement a work-arround but only for OpenSSL 1.0.1* development and beta versions. Now work-arround is activated for all 1.0.1* versions.
• korn shell in regression tests
  Since 7.1 X.509 version fully support configuration and execution of tests with various born compatible shells. One of tested shells (korn sheel, 93t+ 2010-06-21) fail to expand properly last command line argument if is a empty string. Version 7.2 use different order of shell script arguments to avoid ksh failure.

Download:

Find version 7.2 on download page.

22 April 2012 : Uploaded version version x509-7.1 for OpenSSH 6.0p1

What's new:

• OpenSSH version 6.0p1
  Refer to release note for details.
  
• regression test with FIPS enabled OpenSSL
  It is known that OpenSSL 0.9.8 in FIPS mode create RSA key in PKCS8 format by default. Version 7.1 was tested with FIPS enabled OpenSSL 0.9.8+ and 1.0.1 prereleases. Unfortunately this functionality is not activated in OpenSSL 1.0.1+ stable releases.
  Regression tests suite perform converssion to PKCS8 format only for OpenSSL 1.0.1 beta or development version. To test with FIPS enabled build open file ".../tests/CA/config" and find line "*1.0.1*beta*|*1.0.1*dev*)", replace with "*1.0*)", save and then run test. The issue is addressed in 7.2 version that will be published soon.

Download:

Go to download page to get 7.1 version.

15 January 2012 : Version x509-7.1

What's new:

• X.509 certificates with RSA key algorithm prefer sha1 to md5 signature:
  This version change order of accepted signatures for X.509 certificate with RSA key. Since OpenSSH client and server accept all listed in X509KeyAlgorithm such update affect only third party servers and clients. For details see X509KeyAlgorithm option in sshd_config(5) and ssh_config(5) manual pages.
  Note that version 7.1 start to identify as PKIX in comments from ssh identification string.
• X.509 certificates from pkcs11 module:
  Now command like "ssh -I pkcs11 ..." and "ssh-add -s pkcs11 ...", where "pkcs11" is PKCS#11 shared library, use X.509 certificates for authentication. Note that currently only RSA algorithm is supported.
  Hint: If server does not support X.509 certificates set option "PubkeyAlgorithms" to "ssh-rsa" either on command line or in client configuraton file.
• Build with FIPS capable OpenSSL:
  If site OpenSSL library is FIPS capable you could use configure option "--enable-openssl-fips" to build. Next if environment variable "OPENSSL_FIPS" is set programs will initialise OpenSSL in FIPS mode. In such mode only fips approved ciphers and macs are allowed. Also if fips mode is activated X509KeyAlgorithm use only sha1 signatures and refuse md5.
  Hint: Run "OPENSSL_FIPS=1 absolute_path_to_sshd -T" to get list with allowed ciphers and macs.

13 November 2011 :OpenSSL NSS engine location

Details:

• Since 9 October 2011 engine home page is moved to http://roumenpetrov.info/e_nss as old host will discontinue hosting by end of the year (31.12.2011)
• Since 8 October 2011 engine repository is hosted by Gitorious

8 September 2011 : Uploaded version x509-7.0 for OpenSSH 5.9p1.

What's new:

• OpenSSH version 5.9p1
  After some packaging issues OpenSSH team re-release portable 5.9 version. Please see release note for details of new version.
  On download page you could grab diff with X.509 certificate support.

22 August 2011 : Version x509-7.0 (code name Integration) for OpenSSH 5.8p1.

What's new:

• external devices
  The new version allow client to use as identity keys and certificates stored into "external devices". Format of client identity is engine:[ENGINE_NAME]:[CERT_CRITERIA]. Version is tested with OpenSSL E_NSS engine http://developer.berlios.de/projects/enss/.
  In brief you could use certificates and keys from Firefox, SeaMonkey, Thunderbird security database to authenticate to remote hosts.
• 64-bit system support
  Code is verified and updated to ensure build on 64-bit system without warnings.
• regresion tests
  Now regresion test generate sample X.509 certificates that could be used, in additon, from mozilla's security PKI database - Network Security Services (NSS). The certificates from previous versions are used to test compatibility between X.509 certificate support in OpenSSH and Microsoft CryptoAPI, used as external key provider, by commercial clients like Tectia (former ssh.com) and SecureCRT.

Download:

Go to download page to get new version.

17 August 2011 : Community support list

What's new:

Starting form 17th of August 2011 you coul get community support for X.509 certificate support in OpenSSH. The mail list archives are available here. To subsribe you could use either subscription page or you could send email to ssh_x509-request AT roumenpetrov.info with subject "subscribe".

Features _{(valid for latest version)} :

• "x509v3-sign-rsa" and "x509v3-sign-dss" public key algorithms
  X.509 certificates can used as "user identity" and/or "host key" in SSH "Public Key" and "Host-Based" authentications.
  • different "x509v3-sign-rsa" signatures
    As support for MD5 and SHA-1 signature format OpenSSH is interoperable with implementations from multiple vendors. Since "SSH Transport Layer Protocol" internet draft does not specify signature format in case of X.509 certificate for RSA key OpenSSH support both formats.
  • different packing of "x509v3-sign-dss" signature
    As support for DSA signatures packed in format as is described in [RFC2459] and "dss_signature_blob" as is specified in "SecSH transport" draft OpenSSH is interoperable with implementations from multiple vendors. "SSH Transport Layer Protocol" internet draft before version 12 specify "x509v3-sign-dss" public key algorithm to use signature in format is described in [RFC2459], i.e. r and s packed in ASN.1 SEQUENCE. Some vendors pack DSA signature values in "dss_signature_blob" as is specified in "SecSH transport" draft for "ssh-dss" signature.
  • use key and certificate stored in "external devices"
    Implementation require working OpenSSL engine. The identity used in client authentication could refer to external key and/or certificate in format engine:[ENGINE_NAME]:[CERT_CRITERIA], where [ENGINE_NAME] is name of OpenSSL engine and [CERT_CRITERIA] is specific to engine search criteria to find the key and certicate. For instance you could use "friendly name" to access key and certificate stored in "Network Security Services (NSS)" database with e_nss engine from http://developer.berlios.de/projects/enss/. NSS s used in programs(web-browser. e-mail client) like Firefox, SeaMonkey, Thunderbird.
• verification (default feature)
  By default server(sshd) and clients(ssh,scp,sftp) always verify signatures and validity of certificates in chain when a X.509 certificate is used in authentication. When verification fail that certificate is disallowed. Certificate verification can be disabled when OpenSSH is build without "X.509 store", i.e. configure script is run with --disable-x509store option. In additional client is able to verify remote key using DNS and CERT RR.
• validation
  • CRL (default feature)
    When a X.509 certificate is used in authentication, server and clients always verify signatures and validity of existing CRLs issued by authorities in certificate chain. Certificate is allowed only when no one of certificates in the chain is revoked. Validation is disabled only when OpenSSH is build without "X.509 store" feature.
  • OCSP (default feature)
    Additional validation is performed when OpenSSH is configured to use OCSP and a X.509 certificate is used in authentication.
• CERT RR
  ssh can verify host identification using CERT Resource Record published in DNS.
• OpenSSH Agent (ssh-agent and ssh-add programs)
  Authentication agent can hold X.509 certificates.
• ssh-keyscan
  This tools can gather "x509v3-sign-rsa" and "x509v3-sign-dss" host keys.
• ssh-keysign
  This tools used in "Host-Based Authentication" can sign "host keys" containing X.509 certificate.
• ssh-keygen
  when user identity contain X.509 certificate:
  • create OpenSSH public key and proposed "SECSH Public Key File Format" for that certificate.
  • show fingerprint of certificate.
  • print CERT RR (resource record) for specified hostname.
• regression tests
  Strong.
• manual pages
  Detailed.
• README.x509v3
  Brief description of server and client configuration, regression tests, troubleshooting and FAQ.

Get your version from download pages.

Todo:

• to implement wildcards(patterns) for DN in "authorized keys" and "know hosts" files;
• to extend "time limits" with specified time for given revoked certificates.

History:

1. Initial
   Initial support began from 4 Apr 2002 with version "a". Version "b" issued on 11 Jun 2002 add "X509 store". The store is in use in verification process when a certificate is used as user's identity is ssh session. The store allow use of "distinguished name" in authorized keys file.
2. Second stage
   In this phase certificate support is implemented in other OpenSSH executables. For first ssh-keygen support certificates since version "c" (20 Jun 2002). This version introduce regression tests. Later in version "d" (30 Jul 2002) support is added to ssh agent.
   As result OpenSSH support certificates as user identity entirely.
3. Complete support
   Since version "e" (21 Nov 2002) manual pages are updated with information about X.509 certificate support. As well support for certificates as host key in introduced. As version "f" (30 Jan 2003) CRL are supported. Because certificate support is complete as version "f" client prefer algorithms with certificates for host key.
4. Compatibility
   Compatibility phase begin with version "g" (3 Feb 2003). In version "g1" (30 Apr 2003) regression test scripts are updated to work well with various shells. Since version "g2" (12 Jun 2003) public key algorithm "x509v3-sign-rsa" accept "sha1" signatures in addition to "md5" and now OpenSSH is interoperable with all major ssh implementations. This version work fine with OpenSSL 0.9.7+. Later in versions "g3" (25 Feb 2004) and "g4" (9 Maj 2004) code, documentation and regression test are cleaned up.
5. Validator
   Fifth phase began with OCSP (Online Certificate Status Protocol) support added in version "h" (6 Apr 2004). Later version schema is changed to more common format with numbers N.N{.N} and next version is 5.1. In version 5.3 compatibility is enhanced to support (in addition to [RFC3279] DSA signatures) format defined for "ssh-dss" signature. Self issued certificates can be pertimed by "autorized keys" file since version 5.4 if configuration allow this. Correction for OCSP responder location obtained from certificate is added in version 5.4 and OCSP SSL support is enabled in 5.5.
6. International
   Since version 6.0 (7 Aug 2007) openssh can deal with "distinguished name" stored in autorized keys file as UTF-8 string or escaped. Before to compare printable attributes are converted to utf-8.
7. Integration
   Starting from version 7.0 (22 Aug 2011) openssh can communicate with other applications by using openssl engines. For instance client could use certificates and keys stored in external devices.
   Version 7.1 (15 Jan. 2012) support build with FIPS enabled OpenSSL library and adds direct support of X.509 certificates from PKCS1 module. Since this version sha1 is preferred algorithm and programs start to identify as PKIX in comment from ssh identification string.

News archives:

• 17 Aug 2011 (6.x/International-series)
• 10 Mar 2007 (5.x/Validator-series)
• 19 Aug 2004 (h/Compatibility-series)
• 9 Mar 2004 (g-series)
• 30 Jan 2003 (f and e-series)
• 30 Jul 2002 (d-series and early)

Miscellaneous:

Recommendet OpenSSL library versions:

Before to use please read:

• the OpenSSL Security Advisory [25 Mart 2009]
• the OpenSSL Security Advisory [7 January 2009] (no impact on this project)
• the OpenSSL Security Advisory [28 September 2006]
• the OpenSSL Security Advisory [5 September 2006]
• the OpenSSL Security Advisory [30 September 2003]
• the OpenSSL Security Advisory [30 July 2002] or/and CERT advisory !

OpenSSL library versions:

• 0.9.6k+patches_{(may be is time for upgrade)}
  First vulnerability in "ASN.1 Denial of Service Attacks" from OpenSSL Security Advisory [28 September 2006] don't affect 0.9.6 versions but the second one may affect all 0.9.6 versions. For all 0.9.6 versions see OpenSSL Security Advisory [5 September 2006]. For versions before 0.9.6k see OpenSSL Security Advisory [30 July 2002]. For version 0.9.6i see this mail. For versions 0.9.6h+ see X509_NAME_cmp later in document.
• 0.9.7l+patches_{(may be is time for upgrade)}
  For versions before 0.9.7l see OpenSSL Security Advisory [28 September 2006]. For versions before 0.9.7k see OpenSSL Security Advisory [5 September 2006]. For versions before 0.9.7c see OpenSSL Security Advisory [30 July 2002]
• 0.9.8k
  For versions before 0.9.8k see OpenSSL Security Advisory [25 Mart 2009]. For versions before 0.9.8d see OpenSSL Security Advisory [28 September 2006]. For versions before 0.9.8c see OpenSSL Security Advisory [5 September 2006].
• 1.0.0
  For OpenSSL 1.0.0 (published on 29 Mart 2010) ot later you must download at least 6.2.1 version of diff.
• X509_NAME_cmp
  Method X509_NAME_cmp is changed first in 0.9.7beta4.
  This method remain without modification in betas:0.9.7beta5/6 and in stable 0.9.7+ too.
  Stable OpenSSL versions 0.9.6h+ contain same method.
  Changed method conform with [RFC2459] specification when compare attribute values in PrintableString and IA5String format. This method check type of attributes and when attributes has diffrent types return code is nonzero, i.e. different X509_NAME. O-o-o-p-s-s-s. What happen when one attribute is PrintableString in the first certificate and same attribute is TeletexString in the second? When atribute, as example CN (common name), in a certificate contain as example underscore "_" OpenSSL use type TeletexString but Microsoft Windows implementation treat this incorrectly as PrintableString. Problem is also when a certificate contain atribute as TeletexString "Windows Keystore" convert (!!!!) this attribute to PrintableString. As result client who use that certificate from "Windows Keystore" cannot connect to server using these OpenSSL libraries.
  
  This method affect all version of "X.509 certificates support in OpenSSH" before version "f". Since version "f" X.509 certificates support in OpenSSH is not affected because contains own method to compare two X509_NAMEs.