PKIX-SSH secure shell with
X.509 v3 certificate support
(archive 12.x-series)
Check the current version here!
- 3 Oct 2020 : Version x509-12.6
- What's new:
-
- Features:
- askpass
additional control use of "askpass" program via environment variable "SSH_ASKPASS_REQUIRE"
- configuration
allow some keywords to expand shell-style ${ENV} environment variables on the client side
token expand for "user known host files" client option including new token %k (key-alias)
- agent
allow -A to explicitly enable agent forwarding in scp and sftp commands
delete agent keys read from standard input
let client option AddKeysToAgent accept a time limit in addition
- portability
builds with Android API 29
seccomp audit support for riscv64-* and x32 hosts
- Bugs:
- fix regression in 'process "exit-signal" ssh channel message'
- restore functionality of client multiplexing option "proxy"
- fix some memory leaks
- restore posibility "plain" key material to clean agent key
- process "-B" client command line option
- prevent hidden lost of precision when is used convtime() result
- Misc:
- improve logging for MaxStartups connection throttling
- limit channel input buffer size to 16MB
- better terminology in some manuals
- defer creation of user ssh directory (~/.ssh) by client until attempt to write to it
- handle EINTR in functions waitfd and timeout_connect
- also compare user name when checking for JumpHost loops
- catch address/mask mismatches when parsing before they to cause problems at run-time
- when redirecting daemon log output to a file undo redirection in child process for client session
- reset the server alive check only when client receive traffic from the server and ignore traffic from a port forwarding
(prevents client from keeping a connection alive when it should be terminated)
- always send any PAM account messages.
- improve daemon on re-exec
- 7 Jun 2020 : Version x509-12.5.1
- What's new:
-
- Bugs:
- built-in chacha20-poly1305 for OpenSSL 1.1.0*
For OpenSSL 1.1.0* releases use slow built-in chacha20-poly1305 due to regression in EVP_CipherInit().
Although regression is fixed officially in OpenSSL 1.1.0g exclude all to avoid issue with vendor releases.
- fixes for include directive in daemon configuration
Properly process Port and Match directive.
- fix "TIME FORMATS" with multiple qualifiers
Fix multiplier in convtime() when handling seconds after other units
- preserve group/world read permission on known hosts file
Runs of "ssh-keygen -Rf /path" keep permission instead to remove all rights for group/other as before.
- fix off-by-one error in sftp client
Caused sftp downloads to make one more concurrent request that desired.
- 31 May 2020 : Version x509-12.5
- What's new:
-
- Security:
- in "remote copy program" (scp) send single error message to avoid desynchronisation
- Features:
- enhance and unify token expansion in client options and properly document used tokens
- allows IgnoreRhosts to be used anywhere in server configuration
- make daemon option IgnoreRhosts a tri-state option
- allows list of agent-keys to print X.509 identity in public key format instead certificate distinguished name: ssh-add -L -k
- add sftp flag that re-enable verbose output in batch mode
- add textual representation for some common PKCS#11 errors
- use EVP_chacha20 from cryptographic library (ignored for broken LibreSSL)
- run the 2nd ssh with BatchMode for scp -3
- environment variable for engine configuration file: SSH_ENGINE_CONF
- load default dsa identity last
- Bugs:
- postpone build of certificate chain for agent keys: correction for keys used with RFC6187 algorithms if IdentityFile is set
- properly limit pkcs#11 provider keys when option IdentitiesOnly is set
- ensure that tunnel forwarding failures terminate the connection when ExitOnForwardFailure is enabled
- document order of authorized keys: files are first and falling back to command
- some clarifications in manual pages
- enable "explicit routing domain" daemon option only if supported by platform
- prepend bindir to "USER_PATH" found by configure script
- disable use of completely broken "visually encode characters" functions
- Miscellaneous:
- precise environment section in manual pages
- clarify and document use of ssh-askpass in manual pages
- miscellaneous portability fixes
- refactor program code for load, serialisation and deserialisation of keys
- correct spelling in manual pages, documents and code
- forward compatibility with OpenSSL library: use only EVP_PKEY interface, avoid use of deprecated API
- exclude ldap test from default list
- check if SA_RESTART signals will interrupt select
- 21 Mar 2020 : Version x509-12.4.3
- What's new:
-
- Bugs:
- X.509 based host-keys validation
Regression was not fixed properly in previous release.
Now result of X.509 based host-keys validation is checked properly.
- cancellation of remote forwarding
Correct uninitialised pointer variables in cancellation of remote forwarding from local side.
- if load of pkcs#11 fail
Initialise label variable to avoid failure if load of pkcs#11 fail.
- parse error in service request
Properly exit in service request parse errors.
- sshd_config includes
Correct relative includes in daemon configuration.
- Miscellaneous:
- force use of "askpass" on Android
On Android force use of "askpass" if environment variable SSH_ASKPASS is set.
Note environment variable DISPLAY is ignored.
- use of "askpass"
Remove spurious check for environment variable DISPLAY when use of "askpass" is requested.
- ask for hostkey update
Ask for hostkey update is unified with other permission requests.
All of them may use "ask-pass" for confirmation.
- manual pages
Correct spelling errors in key utility page.
Merge environment section is agent page.
- some improvements for Android
- 23 Feb 2020 : Version x509-12.4.2
- What's new:
-
- Bugs:
- use X.509 host-key algorithms as well
Restore use of all supported algorithms when client build host-key algorithm list for key exchange message.
Regression introduced in release 12.4.
Note that client reorder algorithms preferences based on known host files.
This functionality is disabled if client option HostKeyAlgorithms starts with "^".
If this case algorithms from option take precedence.
- validation of X.509 based host-keys
Unexpected loss of functionality in PKIX-SSH 11.3 due to code refactor.
Unlike before restored verification and validation of X.509 based host-keys
is performed before authorisation by known host.
- Miscellaneous:
- prevent ProxyJump loops
Detect and prevent simple configuration loops when using ProxyJump.
- 17 Feb 2020 : Version x509-12.4.1
- What's new:
-
- Bugs:
- compatibility with OpenSSH 7.2
OpenSSH 7.2 is yet another release that announce broken list with supported algorithms.
Ignoring announced list allows use of non-RA keys.
- included OpenSSH release
OpenSSH release source with old version. Now PKIX-SSH announce compatibility with OpenSSH_8.2.
- Miscellaneous:
- simplify spec-files
Provided sample spec-files exclude from default FIPS and LDAP enable builds.
Those features has to be enabled per OS release.
- 15 Feb 2020 : Version x509-12.4
- What's new:
-
- Features:
- multiple daemon configuration files
New daemon configuration directive "Include" allows inclusion of files.
- ask-pass hints
Now ask-pass uses hints: confirmation in addition to prompt, none is reserved for notifications.
Depending of hint ask-pass creates suitable dialog.
- notification "Exceeded MaxStartups"
Send a notification "Exceeded MaxStartups" prior to the SSH2 protocol banner when clients get denied by MaxStartups.
- no X.509 store in agent
Revert X.509 store from agent utilities, i.e. remove ssh-add(1) option "-S".
- paths in ForwardAgent
Client option ForwardAgent accepts path or name of environment variable in which to find the path in addition to yes/no
- Miscellaneous:
- improved manual pages
- improved OS portability
- crypto library compatibility
- allow more system calls in seccomp sandbox
- download PKCS#11 public key labels as comments
- build without compression support - configure time option
- startups in the process title
Expose the number of currently authenticating connections along with the MaxStartups limit in the process title
- replace single-letter key generator "moduli" flags with options
- use signal wrapper around sigaction(2)
- 13 Oct 2019 : Version x509-12.3
- What's new:
-
- Features:
- store identities(keys) in PKCS#8 PEM format and use aes256 algorithm
- fetch pkcs#11 RSA/EC public key
Fetch public key if X.509 certificate was not found and
in absence of keys try interactive login and fetch again.
- process the verbose flag when searching for host keys in known hosts
Command "ssh-keygen -F host -l -v" will print random-art of host public key.
- allow %n to be expanded in ProxyCommand strings
- print explicit "not modified" message
If a file was requested for resumed sftp download but was considered already complete.
- better error messages for "bits" limit in key generation
- limit number of parse permiopen/permitlisten directives on a single line
- allow prepending default set of algorithms by starting the list with the '^' character
- Bugs:
- build fixes: function prototypes, compatibility functions
- make <esc><right> move right to the closest end of a word in sftp
- properly support OpenSSL error management functionality
- clean again set of signal handlers inside handlers(it is expected current system to has reliable signals)
- Miscellaneous:
- deny shmdt in "preauth" unprivileged child in secure computing mode
Resolves fatal on some Linux OS distributions with 3.* kernel using OpenSSL version 1.1.1d.
- on Solaris remove PRIV_PROC_SESSION
Privilege which was limiting ability to send signal SIGWINCH to other(multiplexed) sessions.
- retain Solaris PRIV_FILE_LINK_ANY in sftp-server
It is required for the legacy sftp rename operation.
- allow mprotect(2) with PROT_(READ|WRITE|NONE) only
Allow in secure computing mode as is used by some hardened heap allocators.
- allows s390-specific ioctl for ECC hardware support
(in secure computing mode)
- add sendfd to pledge(2)
Note that later in same code path pledge restriction is reduces.
- unify checks for function return value
Some are checked for negative value while other exactly for -1.
- on OS X use proc_pidinfo()-based closefrom()
- supports build with OpenSSL master branch even with enabled API deprecation
- change level of PKCS#11 message "provider returned no slots" from error to debug
- fix some memory leaks, mostly in error path
- separate regression test targets
- restrict regression test to keys supported by executable
- fix integer overflow in experimental XMSS private key
Note XMSS is not enabled by default.
- "key shielding" feature
Not enabled by default as key stored on secure device has better protection.
- 26 Sep 2019 : Version x509-12.2
- What's new in this Android special release:
-
- Features:
- prepared for packaging of executable into android application "library directory"
Added extra integration between executable and Android application.
Note Android 10 SELinux rules forbid execution if binary is in writable directory.
- wrap rename for Android
Required by ssh-keygen -A to work.
- sftp manual page and usage updates
For get/put and reget/reput command use 'p' and 'R' as arguments.
Keep 'P' and 'r' as redundant/deprecated flag.
Add the -f flag to reput and reget.
- Bugs:
- rewrite sftp progress meter to avoid garbage output
Also ensure that it works on narrow terminals.
- 29 Apr 2019 : Version x509-12.1
- What's new:
-
- Security:
- ensure that X.509 key is validated if is used key is authorized by command and if validation is not first
Work-around is to set daemon option ValidateFirst to yes if configuration uses authorized keys command.
- Features:
- added algorithm x509v3-rsa2048-sha256 (RFC 6187)
For compatibility reasons is not used by default yet.
It use could be forced with respective options that control used algorithms.
- export more android properties to child session
Added ANDROID_STORAGE, ANDROID_RUNTIME_ROOT, ANDROID_TZDATA_ROOT and SYSTEMSERVERCLASSPATH
- when signing custom certificates with an RSA key, default to using the rsa-sha2-256 signature format
Custom certificates signed by RSA keys will therefore be incompatible with
PKIX-SSH < 8.8 or OpenSSH < 7.2 unless the default is overridden.
- allow to test daemon configuration containing match directive without to specify connection parameters
Assume any attribute not provided by -C does not match.
- check for user@host when parsing sftp target
This allows user@[1.2.3.4] to work without a path in addition to with one.
- Bugs:
- restore support pkcs#11 provided X.509 keys in agent
Regression in 12.0 release
- no-op implementation of pam_putenv
Some platforms such as HP-UX do not have pam_putenv.
- Miscellaneous:
- check authorization files first before authorized keys command
- improve experimental implementation for ldap X.509 lookup based on OpenSSL STORE API
- fixed some memory leaks
- improved some debug messages
- finalize removal of obsolete "X.509 key type" items from ssh key-type enumerate and related
- 29 Apr 2019 : Version x509-12.0.1
- What's new:
-
- Bugs:
- "carriage return" in "protocol identification string"
Relax missing "carriage return" in "protocol identification string".
Even today, more than 10 years after RFC4253, some implementation still fail to send "Carriage Return"(CR) before "Line Feed"(LF) in protocol version identification string.
- size of RSA key
Document new default RSA key size in "keygen" manual page.
- STREAMS modules
Do not install duplicate STREAMS modules on Solaris.
- Miscellaneous:
- rpm-build specification
Sample rpm-build specification for Redhat and SUSE.
Now "spec"-files are used mainly for regression tests.
- exclude multiplex from regular regression test
Test fail regularly on medium loaded system.
It could be requested explicitly.
- ldap backend in tests
Allow ldap backend settings to be overridden from environment.
Also module directory could be specified to load dynamic backend module.
- 18 Apr 2019 : Version x509-12.0
- What's new:
-
- Features:
- increase the default RSA key size to 3072 bits.
Follows NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level.
- new sftp extension "lsetstat@openssh.com"
Support SFTP extension "lsetstat@openssh.com" that replicates the functionality of the existing SSH_FXP_SETSTAT operation but does not follow symbolic-links. Activated by "-h" argument to sftp command chgrp, chmod and chown.
- pseudo localization on Android
Allows file transfer program to display file name with UTF-8 character instead octal escape sequence.
- "final" criteria for keyword Match
Enhance Match keyword in client configuration with "final" criteria - it matches in same pass as "canonical" but doesn't require enabled hostname canonicalization.
- usability of agent keys
Test whether keys in an agent are usable - new ssh-add option "-T" that performs a signature and a verification with agent-key that match specified public part.
- option "-J" for file transfer command
New file transfer command (scp and sftp) option "-J" as alias to match with client configuration Proxyjump. None that local configuration is not used for Proxyjump host.
- log more connection drops
Log connection drop for attempt to run a command when ForceCommand=internal-sftp is in effect.
- new KEX method "sntrup4591761x25519-sha512@tinyssh.org"
Experimental post-quantum cryptography key exchange method sntrup4591761x25519-sha512@tinyssh.org enabled only compilation time. Method is based on "Streamlined NTRU Prime 4591^761" and X25519.
- exclude KEX "diffie-hellman-group-exchange-sha1"
Remove key exchange method "diffie-hellman-group-exchange-sha1" from client defaults.
- do not use "PKCS11Provider"
Allow "none" argument for client option "PKCS11Provider" to indicate that no provider should be used. Note "none" is default.
- "keyscan" exit status
Command "keyscan" returns a non-zero exit status if no keys were found.
- Bugs:
- calculate bandwidth limits
Fixed calculation of initial bandwidth limits in file transfer commands.
- management of "ext-info-c" extension
Daemon consider the "ext-info-c" extension only during the initial key exchange.
- fixed a number of memory leaks.
- file name match in secure copy
On local side secure copy tool performs simple match that files send from remote match request.
This mitigate weakness in the tool and protocol (CVE-2019-6111).
Note that remote and local could perform different wildcard expansion.
For this reason command argument "-T" disables client side verification at the risk hostile remote
to create or replace unexpectedly local files with attacker-controlled content.
Note that recommended mitigation of scp protocol issue is for file transfer
to use more modern protocols like sftp and and rsync instead.
- SIGPIPE and child process
Avoids sending SIGPIPE to child processes after their parent exits
if they attempt to write to standard error stream.
- no duplicate "keepalives"
Prevents sending two "keepalives" successively and prematurely terminating connection
when ClientAliveInterval is used in server configuration.
- avoid connection close
Correct interaction between server options ClientAliveInterval and RekeyLimit
that could lead to incorrect connection close.
- authentication failures due to option override
Correct authentication failures when "any" argument of server option "AuthenticationMethods"
used in a Match block overrides a more restrictive global.
- no redirection to /dev/null
Prevent client to redirect standard output stream to /dev/null if is used "ProxyCommand=-".
- race conditions in daemon restart
Correct two race conditions related to SIGHUP daemon restart.
- strict protocol banners
Strict processing of protocol banners, allowing \r characters only immediately before \n.
- timeout management
Correct interaction between the client options ConnectTimeout and ConnectionAttempts
- connection attempts after the first were ignoring the requested timeout.
- Miscellaneous:
- obsolete host/port syntax
Remove support for obsolete host/port syntax from daemon configuration
(slash notation from ListenAddress and PermitOpen). For IPv6 users there are standards like [::1]:22.
- Android compatibility
Many improvements for Android that ensure better cross-version compatibility.
- use of global variables
Minimize use of global variables, either by us of connection or other structures, or make them static.
- Refactor "packet" related code to use new-API
- Refactor "KEX" code
- Refactor "LDAP" code
Also prepare it for use by upcoming X.509 lookup based on OpenSSL Store API.
- Refactor "pkcs#11" code
This includes support for verbose mode in ssh-add command and pkcs11-helper.
- improvements for Cygwin
configurable service name;
case-insensitive user/group matching;
run under SYSTEM again and create user token using S4U with failback NtCreateToken if not supported.
- fingerprint as a synonym for "yes"
Client accepts host-key fingerprint as a synonym for "yes" when accepting an unknown host-key.
- PAM environment
Do not export $MAIL to PAM environment.
- support upcoming OpenSSL 3.0
Ensure builds with current OpenSSL master branch(future 3.0.0).
- RUN-PATH configuration
Configuration options --with-rpath accepts argument in addition to "yes"/"no".
- minimize key-type enumeration values
Stop to use custom key-type enumeration values for keys with X.509 certificates.
- file name display in secure copy
In secure copy tool sanitize file names in progress meter to allow UTF-8 characters without terminal control sequences.
News archives:
|