[empty image] [empty image]
[empty image]
[empty image] [empty image] [empty image]
[empty image]

secure shell with
X.509 v3 certificate support
(archive 8.x-series)

Check the current version here!

10 Mar 2016 : Version x509-8.9
What's new:
  • fixes for Android OS
    Rewrite detection of /dev/ptmx and use device on android.
    Replace bionic stubs ttyname and ttyname_r with working implementation.
  • builds with upcoming OpenSSL 1.1
    The version builds fine with current(master branch) versions of OpenSSL library.
    For alpha version you should rename EVP_CIPHER_CTX_get_cipher_data to EVP_CIPHER_CTX_cipher_data, i.e. without _get.
  • includes openssh 7.2p2
    With bug fix sshd - sanitise X11 authentication credentials to avoid xauth command injection when X11Forwarding is enabled.

29 Feb 2016 : Version x509-8.8
What's new:
  • pkcs11 module support EC keys
    PKCS11 module could use EC based X.509 certificates and keys either from command line (ssh -I argument) for from agent (loaded with ssh-add -s ...).
    PKCS11 engine is still supported but current implementation can not be used in all possible OpenSSL configurations.
  • improved support of pkcs11 module
    Use context extra data specific to ssh to avoid clash with default context. Note that default context could be used by OpenSSL library itself.
    RSA method is based exactly on OpenSSL RSA method not default one. Note that default RSA method could be provided by loadable cryptographic module(engine).
  • builds with upcoming OpenSSL 1.1
    It could be build with 1.1 alpha 1,2 and 3 versions of OpenSSL library.
  • LDAP tests for Solaris
    Note that build with OpenLDAP is supported only.
  • includes openssh 7.2p1
    You could build with define EXPERIMENTAL_RSA_SHA2_256 to enable experimental support for rsa-sha2-256 and rsa-sha2-512 public key algorithms. Note that those algorithms are be managed yet with options like PubkeyAlgorithms or HostbasedAlgorithms.
  • configure option compatibility
    Accept bogus openssh arguments --without-openssl and --with-ssh1.
    Note that build with --without-openssl will fail as support for X.509 certificates requires OpenSSL as cryptographic library. Please use --enable-ssh1 instead ambiguous --with-ssh1.

16 Jan 2016 : Version x509-8.7
What's new:
  • builds with upcoming OpenSSL 1.1
    OpenSSL version 1.1 is major change of API - almost all structures are opaque. Application has to use accessors functions to manipulate structure attributes. Note that OpenSSL library is in alpha stage.
    Version 8.7 of PKIX-SSH is first version that builds with OpenSSL 1.1. It could be build with OpenSSL aplha versions 1.1.0-pre1 and 1.1.0-pre2 and regression tests pass.
  • includes openssh 7.1p2

23 Aug 2015 : Version x509-8.6
What's new:
  • support for ssh-dss in client
    Previous version does not keep properly support for ssh-dss in list announced by client to server. This version completely restore ssh-dss in client including dump of configuration.
  • based on openssh 7.1p1

12 Aug 2015 : Version x509-8.5
What's new:
  • based on openssh 7.0p1
  • support for ssh-dss
    Public key algorithm ssh-dss is defined as required for secure shells. For compatibility with commercial implementations PKIX-SSH will continue to support it in default configuration .
  • portability fixes
    Precise autoconf macros that detect supported compiler and linker flags to minimize impact over detection process from flags specified by user. As result of correction GNU C compiler flag like -fPIE and linker -pie should be detected. This could impact linking with FIPS enabled OpenSSL library. In such case you could configure with --without-pie.
    Minimize undefined functions - result of some optimizations in included headers.
    Proper implementation of statvfs and fstatvfs for Android and perhaps other platforms.

1 Jul 2015 : Version x509-8.4
What's new:
  • dump X.509 purpose
    Server(sshd) output properly AllowedCertPurpose in extended test mode(option -T).
  • look up by LDAP errors and reasons
    Properly initialize offset of error codes and reasons in OpenSSL look up method X.509 'By LDAP'.
  • ECDSA for OpenSSL 0.9.8+(compatibility)
    With implementation of custom EVP digest methods X.509 EC certificates could be used in OpenSSL 0.9.8 versions.
  • EC keys from engine(experimental)
    OpenSSL engine support now could use EC keys from external devices.

1 April 2015 : Version x509-8.3.1
What's new:
  • pattern matching for public key algorithms
    Reimplementation of pattern matching added for first time in 8.3. Now options PubkeyAlgorithms and HostbasedAlgorithms accept patterns for X.509 key algorithms.
  • allowed algorithms, match block and privilege separation
    Integration of some compatibility options in 8.3 adds regression in options PubkeyAlgorithms and HostbasedAlgorithms - values from match block are not transferred properly to privilege process. Integration of compatibility options is revised in 8.3.1.
  • some improvements from base
  • regression test
    Updated to use more generic names for distinguished name items.

18 Mart 2015 : Version x509-8.3
What's new:
  • Version 8.3 includes OpenSSH 6.8p1
    Continue refactoring of key-related functions to be more library-like.
    Minimum supported OpenSSL version is 0.9.7.
  • pattern in allowed algorithms
    Version 5.4 published on 24 November 2004 (for more details see news archives), implement for first time new server options PubkeyAlgorithms and HostbasedAlgorithms to restrict allowed protocol version 2 algorithms in public-key or host-based authentication. Also PubkeyAlgorithms is available in client. With version 8.2 format is changed to accept wildcard pattern with default value *, i.e. allowed all algorithms. Note that wildcard pattern format is backward compatible with previous lists.
    For consistency version 8.2 adds new client option - HostbasedAlgorithms. The default value of client options is *, i.e. allowed all algorithms. Both client options also support pattern matching.
  • OpenSSL engine support
    With code refactoring of key-related functions to be more library-like in version 8.2 broke engine support. Now code of engine related functions is refactored and support is restored.
  • Portability
    This version adds some portability improvements for born shell scripts used in regression tests.

23 November 2014 : Version x509-8.2
What's new:
  • Version 8.2 includes OpenSSH 6.7p1
    OpenSSH 6.7p1 refactor key-related functions to be more library-like.
    Also OpenSSH 6.7p1 drop TCP-wrappers and adds requires at lest OpenSSL 0.9.8f to build.
  • Minimum OpenSSL version - 0.9.7
    PKIX-SSH drop support for OpenSSL 0.9.6. It continue to support OpenSSL 0.9.7 and all 0.9.8 with wrapper functions for missing or buggy functionality. Note that engine functionality in OpenSSL 0.9.7 is not so stable and in some host configurations load of OpenSSL engines may fail.
  • TCP-wrappers support
    PKIX-SSH continue to support TCP-wrappers.
  • Support ECDSA X.509 keys in agent
    Unfortunately version 8.1 was released without support in agent. Version 8.2 correct this mistake.
  • Portability fixes
    Correction is in regression tests to use more portable command invocation.
    Also detection of "unix" netcat in multiplex tests is improved. Now tests pass on solaris.
    Note that netcat commands used in linux distributions does not fulfill yet requirement of multiplex regression test.
  • How to build with FIPS enabled OpenSSL on Solaris 11
    PKIX-SSH pass all test on Solaris 11 using FIPS enabled OpenSSL with following configuration:
    CONFIG_SHELL=/bin/ksh \
    CC='gcc -m64' \
    CPPFLAGS='-I/usr/include/openldap -I/usr/include/openssl/fips-140' \
    .../configure \
    --enable-ldap --with-ldap-libs='-lldap-2.4 -llber-2.4' --with-ldap-libexecdir=/usr/lib \
    --enable-openssl-fips \
    --enable-x509v3-ecdsa ...
    Note that compiler flag -m64 is required for build with FIPS enabled OpenSSL library.

29 September 2014 : Version x509-8.1
What's new:
  • remove EVP_dss1raw as does not work with OpenSSL 1.0.2 in FIPS mode
    OpenSSL 1.0.2 does not export any more FIPS EVP structures. This impact custom implemenation of EVP_dss1 with signature encoding according SSH norms. In version 8.1 EVP_MD struture dss1raw is replaced with wraper for OpenSSL methods EVP_SignFinal and EVP_VerifyFinal that recode signature according SSH norms.
  • support fipscheck library
    Red Hat-and Red Hat based distribution like CentOS use own FIPS validated OpenSSL implementation and own process for verification if FIPS mode based of fipscheck library.
  • restore arc4random in FIPS mode
    Unfortunately replacement of of RC4 based arc4random* functions in version 7.8 based on OpenSSH 6.5p1 does not follow previous rules. Regression is corrected in this version 8.1 based on OpenSSH 6.5p1.
  • ssh-keysign avoid dependency from "X.509 store" objects
    Now dependencies of ssh-keysign to external libraries are minimized.
  • search know host file by key subtype
    Search for host keys in know host file is enhanced to take into account curve used for EC keys.

11 August 2014 : Version x509-8.0
What's new:
  • Implementation of x509v3-ecdsa-sha2-* keys
    Version 8.0 start to support of x509v3-ecdsa-sha2-* public key algorithms as described in [RFC6187]. You could use configure with --enable-x509v3-ecdsa to enable by default support of those keys.
    For public key algorithms defined in [RFC6187] identity file has to contain X.509 certificate that match private key and chain of certificates leading to a trusted certificate authority.
  • engine and OpenSSL 1.0.1g
    Since OpenSSL version 1.0.1g engines are register internally as result engine support was broken due to attempt to register again. Now pkix-ssh durring engine initialization check whether an engine is registered internally before to request its registration.
  • new distribution model
    Version 8.0 is distributed as complete source package. Authenticity of tar archive could be checked with pgp key <pkixssh-announce@roumenpetrov.info>

News archives:

[empty image]
[empty image] [empty image] Last modified : Saturday February 11, 2023 [empty image]