[empty image] [empty image]
[empty image]
[empty image] [empty image] [empty image]
[empty image]

PKIX-SSH
secure shell with
X.509 v3 certificate support
(archive 9.x-series)

Check the current version here!

19 Dec 2016 : Version x509-9.3
What's new:
  • EC token keys for OpenSSL 1.1+
    PKCS#11 module was not fully ported to OpenSSL API v1.1. Forgotten method is now implemented.
    Note new options related to pkcs#11 module - whitelist path pattern, for instance ssh-agent option -P.
  • Protocol 1 keys for SSH server
    PKIX-SSH still support SSH1 server keys. They will be removed in major release (10.0).
  • Android port
    Work-around for getsid syscall wrapper, missing in some versions of bionic C-library.

18 Sep 2016 : Version x509-9.2
What's new:
  • crash after processing X.509 certificate subject in known hosts file
    One code optimisation OpenSSH code adds pointer to end of key set when processing keys in regular "blob" format (key pub-file). Key part optionally is followed by key comment. X.509 certificate subject format is specific and is processed separately. Key comment is not applicable in that case and end pointer left unassigned. At some point client code try to clear leading spaces from end pointer (comment) and in case of X.509 subject reads from uninitialised memory.
    PKIX-SSH version 8.8, 8.9, 9.0 and 9.1 are impacted. Work-around is to use temporary "blob" format for X.509 keys.
    Crash is not triggered always. For instance it is somehow in build with high level of optimization(gcc -Q2).
  • host-based authentication and RFC 6187
    Helper program for host-based authentication (ssh-keysign) is updated to support system default X.509 store. As result ecdsa key server host key with X.509 certificates may contain optionally extra certificates.
  • document internal build of certificate chain
    Update manual details use of extra certificates used in internal build of certificate chain implemented in version 9.0.
  • precise support of libcrypto features
    Support properly some ancient OpenSSL version - without sha-256. As result PKIX-SSH works with wide range of OpenSSL version - from 0.9.7 to 1.1.

26 Aug 2016 : Version x509-9.1
What's new:
  • Updates in supported OpenSSL API versions
    OpenSSL 1.1.0 is published on 25 Aug 2016. Unfortunately in last few weeks API is changed again. PKIX-SSH version 9.1 is updated to release version of OpenSSL 1.1 API.
    Until now PKIX-SSH still support OpenSSL 0.9.6 API, although build raise error if detect OpenSSL version before 0.9.7. Finally specific PKIX-SSH workaround for OpenSSL 0.9.6 is removed from code.
  • recent autotool configuration
    Update to recent version detection (config.guess) and validation (config.sub) scripts. Configure script is generated with autoconf 2.69.
  • ECDSA algorithms in documentation
    Manual pages and readme first list ECDSA, then for RSA and DSA X.509 public key algorithms. Documentation order match how code list public key algorithms in order of precedence.
  • do not generate missing rsa1 keys
    Default startup script will not generate missing rsa1 keys if support for SSH1 is not enabled.

3 Aug 2016 : Version x509-9.0
What's new:
  • internal build of certificate chain
    Public key algorithms described in [RFC6187] require a chain of certificates leading to a trusted certificate authority to be sent as part of public key data.
    Before version 9.0 it was user responsibility to specify those certificates as part of private key file. It was not possible for keys and X.509 certificates stored in external devices to satisfy [RFC6187] requirement. Now when a [RFC6187] key is loaded programs (client, server) use certificates from private file and X.509 store to build the chain.
    PKCS11 module is a specific case. It is case when module is used with agent (ssh-add -s ..). Now ssh agent support certificate X.509 and use system default store defined at build time. In addition new ssh-add option -S allows user to add extra certificates to store. Those certificates and system default are used to build certificate chain.
  • remove build option --disable-x509store
    Support of [RFC6187] public key algorithms require working X.509 store.
  • remove build option --enable-x509v3-ecdsa
    Support of x509v3-ecdsa-sha2-... now is default for X509KeyAlgorithm option. With other words support for X.509 certificates with EC is considered complete.
  • port to OpenSSL 1.1 API
    Most of code is rewritten to use API from OpenSSL 1.1 development branch.
    The new API is back-ported locally and used if build is with OpenSSL versions before 1.1. The model for functional checks at configure time allows build with OpenSSL compatible libraries.
  • Android port
    Code is updated to support various versions of Bionic "C" libraries.
    Now specific to Android logging functionality is used from all executable.
    A simplified password file is managed. It supports only one password record with md5 hash. This allows ssh daemon to support password authentication.
  • dump of configuration
    Command that dump client/server configurations now properly generate directive VAType.

2 Aug 2016 : Version x509-9.0
New major release in progress...

News archives:

[empty image]
[empty image] [empty image] Last modified : Saturday February 11, 2023 [empty image]