secure shell with
X.509 v3 certificate support
Check the current version here!
- 18 Dec 2018 : Version x509-11.6
- What's new:
- improved compatibility with OpenSSL 1.1+ APIs
Code base is updated to use methods compatible with recent OpenSSL API.
Also update replace references to SSLeay*.
This allows build with OpenSSL that deprecate backward compatibility API.
Note PKIX-SSH requires as minimum OpenSSL 0.9.7 and in this release completely
removes test and work-around for earlier version.
- remote exit on signal
Client process "exit-signal" received from server in ssh channel message and
exits with code "signal number"+128, i.e. in shell style.
Remark: message is send by server when remote is killed by signal.
- lazy binding
Prefer to use lazy binding when is loaded pkcs11 module.
- echo of sftp commands
Prefix @ suppress echo of sftp batch commands.
- expose $SSH_CONNECTION
Now daemon(server) exposes $SSH_CONNECTION in the PAM environment.
- Support new OpenSSL version scheme
Next OpenSSL version will be 3.0.0.
It introduces new version scheme currently available in master branch.
This PKIX-SSH release is ready to use modern OpenSSL version scheme.
- android port - fake password
Fixed issue with use of function getenv - prevents crash on 64-bit Android OS-es.
- android port - session user environment
Fixed issue when is prepared specific to Android environment for user session.
Regression introduced in 11.4 release.
- ssh-agent socket
Fixed bug in client that was keeping a redundant ssh-agent socket around for the life of the connection.
- 19 Oct 2018 : Version x509-11.5
- What's new:
- Client verbose modes
Increase client verbose modes by one. Now client "verbose mode" starts from LogLevel "VERBOSE".
At this level client outputs messages for offered keys.
Exiting scripts could be updated with one "-v" more to reach the same level of details as before.
- Client query argument "key-alg"
This new argument to client query option (-Q) list all supported public key algorithms.
- Client option ForwardX11Timeout with zero argument
Zero value for client option ForwardX11Timeout disables the timeout and permit X11 forwarding for the life of the connection.
- Enhancement of client option Port
Port could be expressed either by number or by service name, i.e. Port=ssh.
- Server support "signal" channel request
Signal are accepted only for session that is not subsystem and is not started with a forced command.
- Translation on OpenSSL errors
Translation of OpenSSL error codes after failed read of private key is reverted.
Now all cases are treated as "invalid password" as before version 11.0.
Remark: In some cases invalid password could "decode" key to garbage.
"Error translation" returns invalid format and system refuse to use this key.
Expected is system to ask for password again up to certain limit.
In addition removed code relies on OpenSSL internal error management which is subject of modifications without notice, i.e. not reliable.
- Removed GCC Spectre mitigation flags
Now configuration excludes GCC flags "-mfunction-return=thunk" and "-mindirect-branch=thunk" from hardening.
Options could cause miscompilation due to some GCC bugs.
And on Linux retpolines are more suitable for kernel then userspace.
Various messages are changed to include error information from cryptographic library.
Some messages related to keys or channels are unified and enhanced.
- memory leaks and optimizations
Key creation is optimized to minimize memory allocations due to use of OpenSSL 1.1 API.
Memory leaks in process of key load or x.509 load from ldap are fixed.
Configuration checks for snprintf functionality now use "cache" variables.
This allows in case of cross-compilation user to specify faulty behaviour and so programs
to use functions from "compat"-library instead broken system ones.
Ditto for setresuid and setresgid.
- 24 Aug 2018 : Version x509-11.4
- What's new:
- IPQoS defaults
Change defaults IPQoS in client and daemon to DSCP(differentiated services code point):
- AF21: for interactive and
- CS1: for bulk traffic
- ssh-askpass alternatives
Update information for ssh-askpass alternatives.
Also added shell script that wraps KDialog.
- limit agent connections
Authentication agent postpone accepting new connections when maximum number of file descriptor is exceeded.
- algorithms for keyscan
Command keyscan uses -t argument as algorithm filter (pattern-list).
- SendEnv arguments
Use pattern-list for client option SendEnv.
Note option allows negated match.
- new option SetEnv
New client and daemon option SetEnv.
Processing of user environment settings in daemon is updated do not allow user to override server settings.
- PermitUserEnvironment arguments
Daemon option PermitUserEnvironment accepts in addition
a pattern-list of "white-listed" environment variable names.
- new option PermitListen
New daemon option PermitListen that controls client requests for remote forwarding (ssh -R).
- expansion of user id
User id is available as a %-expansion everywhere that the user name is available currently
(%i for client and %U for daemon).
- keysign use
Hostbased authentication always uses ssh-keysign.
This avoids one of reasons for "setuid" root client.
- no "setuid" client
Removed support for running client "setuid".
Also deprecate client option UsePrivilegedPort.
- without "S/Key"
Removed support for "S/Key" authentication
- private key formats
"ssh-keygen" command option -m PEM with -p flag could be used to
convert private keys in widely used and more portable PEM format.
Not applicable for ed25519 keys yet. Those keys still use proprietary format.
- 10 May 2018 : Version x509-11.3.2
- What's new:
- restore tun/tap functionality
Functionality on tun/tap interface is restored for Linux and FreeBSD.
It was broken in 11.3 with an enhancement that shows device name if applicable.
- restore client hostbased authentication
It was broken in 11.3 when is excluded from keysign default key for experimental xmss algorithm.
- build fixes
Added some fixes from master branch, i.e. fixed build on system without function strndup() like AIX
and more robust configuration checks that avoid implicit declaration of functions.
Client configuration does not offer cbc-ciphers by default and dump a couple of missed options.
- 18 Apr 2018 : Public development process
- What's new:
- public source repository
After release 11.3.1 development process is switched to
source code repository hosted by GitLab.
On 9 Apr 2018 repository was initialized with source of 11.3.1.
It is available for public use - for more see
repository home page.
- 8 Apr 2018 : Version x509-11.3.1
- What's new:
- build fixes
Fixed build on Darwin (tun support) and detection of ABI for 64-bit MIPS platforms.
- 3 Apr 2018 : Version x509-11.3
- What's new:
- re-authentication for keys stored into security tokens
Private key stored on a security token may have attribute "always authenticate".
If attribute is set user have to supply pin for each use of key.
To distinguish from normal(user) login re-authentication prompt starts with string
"Enter context pin for " followed by single quoted label of key.
Remark: User must have working askpass program if keys are loaded to agent (ssh-add ... -s pkcs11_module ...).
- new server flag "ValidateFirst"
Specifies whether first to perform validation of X.509 certificate and then authorization of public key.
By default is not set, i.e. existing behavior.
- new keyscan option: -D
Print keys found as DNS Resource Records (CERT or SSHFP).
- raise key operation errors in openssl error-format
Some methods are used in key operations like pkcs#11 sign.
Those methods are invoked indirectly by cryptography library.
Before update errors from pkcs#11 library was spread into multiple log-messages and
was not clear which error is failure reason for key operation.
Now this part of program code is rewritten to raise errors in openssl error-format with additional details.
The high level methods are updated to extract extra error data supplied with error message.
For instance if sign operation fail in log user may see message like this one:
"ssh_x509_sign: crypto message: error:81064067:SSH PKCS#11:login:C_Login fail:pkcs#11 result 0xa0".
In this particular sample "pkcs#11 result 0xa0" is extra error details and
hexadecimal 0xa0 correspond to return value CKR_PIN_INCORRECT.
- improve support for "external" rfc6187 keys
Build X.509 certificate chain for keys loaded from pkcs#11 device or engine.
- try also en_US.UTF-8 locale
Some command (ssh, sftp, scp and etc.) try to switch to UTF-8 based user locale.
The list with fail-back locales is added en_US.UTF-8 supported on some Unixes, for instance Solaris.
- 12 Feb 2018 : Version x509-11.2
- What's new:
- X.509 name compare error
Authorized keys or know host files may contain record (line) with X.509 certificate details
(distinguished name or X.509 certificate blob, aka. public key).
In such case if key (client or host) is a X.509 key,
equality checks compare items of certificate distinguished name.
Unfortunately in PKIX-SSH 9.1 one of ports to OpenSSL 1.1.0* introduce
critical error in X.509 name compare method -
if both items are from PrintableString type they are considered equal.
Error does not exist if other types are compared.
Work-around is authorized keys or know hosts to contain only plain public key blob.
Thus compare will use public key part of X.509 certificate.
Thanks to Nicolas Fournil and Emmanuel Deloget for report.
- use of hostname after free
For use in session key renegotiation process host name is stored into a global variable!!!
PKIX-SSH 8.9 has a number of memory leak fixes.
One of fixes frees allocated copy of host-name created in method ssh_login.
Issue is that one of called methods store value to a global variable for later user in rekeying.
Work-around around is do not use option RekeyLimit.
Thanks to Lukas Kuster for report.
- build with libressl
PKIX-SSH 11.0 start to use macro DEFINE_STACK_OF from OpenSSL 1.1.0* API.
Program code provides fail-back solution for builds with earlier versions.
LibreSSL pretend to be compatible with OpenSSL but fail to announce properly compatibility version.
As result fail-back solution was not activated and build fail.
Detection of DEFINE_STACK_OF is rewritten to allows build with various LibreSSL versions.
- key load crash if crypto is libressl 2.6*
For performance reasons PKIX-SSH uses BIO_new_mem_buf - BIO interfaces with read only memory buffer
that avoid extra allocation of memory.
Due to mix of issues - insufficient libressl linkage options and
broken function implementation inherited from OpenSSH (openbsd "compat"-library)
PKIX-SSH commands crash on key load.
Now broken function in corrected in PKIX-SSH code but application is not immune
to similar failures in the future even with earlier version of libressl.
- libressl 2.6* failure with DSA/ECDSA signature
At configure time PKIX-SSH warns if build is with libressl 2.6*.
Also commands raise warning at run-time if are linked with libressl 2.6*.
Work-around is to use earlier versions.
If this is not possible please disable all key algorithms that use dsa and ecdsa signature,
otherwise application may crash.
- legacy RSA/DSA code clean up
PKIX-SSH 7.1 (15 Jan 2012) was first release that support FIPS enabled OpenSSL library.
Support requires rsa/dsa code for plain-keys to use modern "EVP"-API.
FIPS support remain outdated OpenSSH code for rsa/dsa sign and verify operations
was still available under "C"-preprocessor conditions.
So more the five years later outdated code, inherited from OpenSSH, is removed from PKIX-SSH code base.
- legacy PKCS#11 code clean up
Code inherited from OpenSSH is removed - it does not work well with secure tokens
that has X.509 certificate. Also it has limited functionality - only RSA keys.
Note that PKIX-SSH code supports RSA and EC keys and work well with secure tokens
as those devices usually store X.509 certificate and public key is optional.
- 19 Dec 2017 : Version x509-11.1
- What's new:
- Protected authentication path for EC-keys
Use of RSA keys stored on a secure token supports protected authentication path (pinpad reader).
Unfortunately functionality was not implemented for EC-keys.
With refactoring PKCS#11 login functionality protected authentication path is available for EC-keys as well.
- print public key for externally stored identities
Now ssh-keygen command option -y, that print an public key to stdout, accepts keyfile name in enhanced identity format.
Remark: PKIX-SSH could use externally stored identities - for mode details see description of IdentityFile in manual page ssh_config(5).
In brief if identity name start with "engine:" instead from file identity load is redirected to "loadable cryptographic module" (engine).
Prefix "store:" could be used if cryptographic library supports ossl_store(7) functionality (upcoming OpenSSL functionality).
- build fixes
Build system is modernized to use more recent scripts.
Also duplicate dependency objects or libraries are removed.
- 8 Oct 2017 : Version x509-11.0
- What's new:
- Extension server-sig-algs
As finally agreed in "draft-ietf-curdle-ssh-ext-info" extension lists public-key algorithm names instead signature names.
No impact on deployed installations as PKIX-SSH prefer own extension firstname.lastname@example.org
that lists by design public-key algorithm.
Other ssh implementation that support extensions does not support RFC 6187 keys.
As result for them list of signature algorithms is same as list of public-key algorithm.
- prefer RFC 6187 key format
For connection to remove host client first tries X.509 algorithms.
Now algorithm in RFC 6187 format will take precedence of legacy format, if server send algorithm extension.
With other words order of algorithms in option X509KeyAlgorithm has no more effect.
In practice PKIX-SSH 11.0+ clients (in default configuration) will prefer RFC 6187 format in connections to PKIX-SSH 10.1+ hosts.
Note that to use an X.509 algorithm in has to be allowed by configuration (option PubkeyAlgorithms)
and listed in algorithm extension offered by server.
- multi-algorithm host-keys
Now daemon (server) for each hostkey offers all public key algorithms and could use any of offered algorithms in ssh protocol.
For instance RSA host key with X.509 certificate could be used in following public-key algorithms:
"x509v3-sign-rsa", "x509v3-ssh-rsa", "ssh-rsa", "rsa-sha2-256" or "rsa-sha2-512".
Host key notification is updated as well.
- OpenSSL Store-API
Upcoming OpenSSL version 1.1.1 supports store retrieval functions - ref. manual page ossl_store(7).
The store functionality allows applications to retrieve keys, X.509 certificates and etc. using universal interface (API).
PKIX-SSH engine related code is refactored and updated to load identities using store-API.
In such case identify name should starts with "store:" followed by URI of scheme supported by openssl store.
For instance with "e_nss" openssl loadable module (engine) you use identity named
either "engine:[friendly name]" for custom interface
or "store:[nss_uri]" for store interface where "[nss_uri]" is in format "nss:[friendly name]".
Note store result could be tested with command openssl storeutl .... [nss_uri].
- Remove ssh v1
Complete remove of code that supports legacy ssh protocol verision 1.
Modification includes removal of configure option --enable-ssh1 as well.
- Program version for ssh-keyscan
Announce PKIX-SSH version in keyscan to be used in compatibility detection.
- X.509 key fingerprint
Until now fingerprint (hash) of X.509 keys was computed over certificate that match private key.
Key material (user identity or host key) could be used in various public-key algorithms, with or without X.509 certificate.
For instance lets identity with X.509 RSA certificate is used as x509v3-sign-rsa in session to host 1 and
as ssh-rsa in connection to host 2. In such case key fingerprint will be different depending of session
in spite of fact that private key is one and the same.
To avoid ambiguities code is updated to calculate fingerprint only over common part - public key.
Modification may impact some programs that monitor log files.
- X.509 code refactoring
X.509 related code is updated and refactored to use library like functions.
- Management of X.509 keys for agent
Agent code is improved to use newly functions that better detect X.509 keys.
Now agent and its key management utility (ssh-add) use by default user and system ca-store in all cases.
This is useful for keys in RFC 6187 format where key format contain list of extra certificates used to build chain.
Utility ssh-add accepts multiple arguments for options -S as specified options argument could be either file or directory (new).
Argument is similar to client options CACertificateFile and CACertificatePath and is used as additional locations to search
for certificate when is build chain for keys in RFC 6187 format.
- Manual pages
Precise content of identity or host-keys files - file may contain extra certificates not only for ECDSA but for RSA and DSA keys as well.
Do not mention "protocol version 2" as legacy version 1 is not supported at all.