OpenSSH secure shell and X.509 v3 certificates
(archive: d-series and earlier)
Check the current version!
- 30 Jul 2002
- What's new:
- released version d.
- ssh-agent and ssh-add now support X.509 certificates;
- check for allowed client certificate purpose;
- fixes related to autoconf.
- This file contains tips for client and server configuration with X.509 certificate support.
- Downloads (diff against version):
- NOTE: No more diffs for OpenSSH versions before 3.4x (see OpenSSH advisory)!
- 28 Jun 2002
- What's new:
- added diffs for version 3.4x.
- Downloads (diff against version):
- NOTE (from OpenSSH home page):
At least one major security vulnerability exists in many deployed OpenSSH versions (2.3.1 to 3.3).
Please see the ISS advisory or OpenSSH advisory
on this topic where simple patches are provided for the pre-authentication problem. Systems running with
UsePrivilegeSeparation yes are not vulnerable due to the jailed nature. As well, most systems
configured with both ChallengeResponseAuthentication no and PAMAuthenticationViaKbdInt no
are not affected. However some OpenSSH versions modified from the original may still be affected even
with the latter two options, so we urge an upgrade or patch.
The 3.4 release contains many other fixes done over a week-long audit started when this issue came to light.
We believe that some of those fixes are likely to be important security fixes. Therefore, we urge an upgrade to 3.4.
- 27 Jun 2002
- What's new:
- removed backup files "key.c.XXXX" from 3.3 diff.
- Downloads (diff against version):
- 25 Jun 2002
- NOTE (about version 3.3p1):
If you see a message like this in the log file:
fatal: mmap(<NUMBER>): Invalid argument
please edit ".../tests/CA/openssh_tests.sh" and in method creTestSSHDcfgFile (line 149) add the option:
Compression no
If this does not solve the connection problem, add in the same method the option:
UsePrivilegeSeparation no
- 24 Jun 2002
- What's new:
- removed backup file "authfile.c.ORIG" from 3.2.3p1 diff;
- added diffs for version 3.3x.
- Downloads (diff against version):
- NOTE: Do not forget to add the user sshd for version 3.3x, otherwise the script ".../tests/CA/openssh_tests.sh" fails!
- 20 Jun 2002
- What's new:
- released version c.
- tests/CA/README - new file;
- tests/CA/* scripts - rewritten;
- 'ssh-keygen' can change passphrase of a private key with certificate;
- added OpenBSD diff.
- Downloads (diff against version):
- 11 Jun 2002
- What's new:
- released second version.
- added authorization by 'Distinguished Name';
- added x509 CA store (new options in sshd_config);
- client certificate is verified against CA certificates in x509 store;
- added shell scripts to create test CA and test client certificates.
- first version is retired.
- Downloads (diff against OpenSSH portable version):
- 4 Apr 2002
- What's new: