PKIX-SSH secure shell with
X.509 v3 certificate support
(archive 13.x-series)
Check the current version here!
- 5 Oct 2022 : Official version x509-13.5
- What's new:
-
- Features:
- new RequiredRSASize configuration directive
Used by client and daemon. Allows to raise limit from the default of 1024 bits.
- sftp server extension "home-directory"
Used by some sftp clients.
- custom sftp extension "users-groups-by-id"
When available used to fill in user/group names for directory listings.
- allow arguments to sftp -D option
- Bugs:
- strictly enforce the maximum allowed SSH2 banner size in gather public key utility
Fixes a one-byte overflow in secsh-banner processing.
- work-around for incorrect ed25519 bits in some OpenSSL releases
- Misc:
- more clever sftp completions
- add powerpc to supported architectures in secure computing mode
- clean up configuration script
Includes removal of "X.509 store support" flag as is required since PKIX-SSH 9.0.
- improved manual pages
- 23 Jun 2022 : Official version x509-13.4.1
- What's new:
-
- Features:
- work-around for OpenSSL 3.0
Note due to broken design OpenSSL 3.0 cannot ensure compatibility with existing code base.
Reordered PKIX-SSH code allows to throw away mis-functional OpenSSL 3.0 key manager from keys.
- exclude DSA from default host-keys generated by authentication key utility
- allow multiple SetEnv directives in client and daemon configuration
Ensures that first name win as is supposed configuration to work.
Includes unified processing of environment related directives in client and daemon configuration
and test over multiplexed connection.
- Bugs:
- restore management of locked account
Regression introduced in PKIX-SSH 13.3.2.
- PKCS#11 "raw" ec point
Properly try "raw" encoded EC-point if DER encoding fail.
- memory leak in PKCS#11 EC keys
Avoid memory leak in error path when is constructed PKCS#11 EC key.
- clean-up password in user authentication error path
- scp in experimental SFTP mode
When performing operations on a remote path specified as pattern, ensure that the implicit working directory used to construct that path escapes wild-card characters
This prevents wild-card characters from being processed in places they should not, e.g. "cd /tmp/a*/", "get *.txt" should have the get operation treat the path "/tmp/a*" literally and not attempt to expand it.
Arrange secure copy to not truncate files early.
Note previous behaviour of unconditionally truncating the destination file would cause "scp ~/foo localhost:" and "scp localhost:foo ~/" to delete all the contents of their destination.
- Misc:
- improved manual pages
- avoid non standard printf() conversion specifier %m in capsicum sandbox
- cache timezone data in capsicum sandbox
- accept only numbers for CIDR mask length
- use 64-bit in moduli generation
Avoid overflow when trying to generate modp groups > 16k bits
- improve TERM variable passing over multiplexed connection
Use different test if regression test is run from real tty or not.
Restore "multiplex" test to regular list as this was second blocking issue.
Remark: first is race conditions temporary avoided by some extra "sleep" in test.
- 11 Apr 2022 : Version x509-13.3.2
- What's new:
-
- Features:
- hybrid Streamlined NTRU Prime + x25519 key exchange method
Add to default KEX methods if is build and document use in manual pages.
- Bugs:
- return only requested events in ppoll compatible implementation
Returning flags for events not requested, can apparently cause a hang.
- fmt_scaled() with negative argument
Properly check negative argument to fmt_scaled().
- scan_scaled() and negative numbers
Properly process negative numbers in scan_scaled().
- do not resolve ListenAddress directives in daemon "re-exec path"
Result is never used and if the operation fails then it can prevent connections from being accepted.
- shadow password and libiaf locked account
Fixes incorrect free when shadow password and libiaf are used.
- Misc:
- alarm handler signal
In alarm handler do not send alarm to "preauth" child.
- move configure check for rlimit sandbox at end
Prefer specific to OS sandbox.
- test "if select works with descriptor rlimit"
Removed configure test because of its misconceptions.
- build improvement
- build with Linux auditing enabled in rpm-spec files
- 5 Mar 2022 : Version x509-13.3.1
- What's new:
-
- Features:
- FIPS mode for OpenSSL 1.1
Vendor OpenSSL 1.1 release support FIPS.
In addition rpm-spec files were updated to request more precisely FIPS related packages.
In consequence FIPS build is enabled by default.
Also FIPS tests are activated but errors are ignored for now.
Note if FIPS mode is not active it could be requests by environment variable OPENSSL_FIPS.
- Misc:
- selinux rules
Enable 64-bit time ppoll and disable socket system calls in security-enhanced Linux.
- OS releases compatibility
Updates to ensure functionality on "old" Linux.
For instance rpm-spec files were updated to request package available in respective OS release.
LDAP tests use "hdb" backend on "old" Linux.
- cryptographic library compatibility
Ensures work with ancient OpenSSL releases and OpenSSL compatible library.
- no DSA in pkcs11
Remove unfinished support for DSA keys in pkcs11.
- 24 Feb 2022 : Version x509-13.3
- What's new:
-
- Features:
- New compatible implementation of poll(2) based on new ppoll(2) that uses pselect(2).
This version starts transition from select to poll.
- switch ssh-keyscan from select to ppoll
- switch sftp-server from select to poll
- switch "packet" from select to ppoll
- switch daemon from pselect to ppoll
- unified management of limits in sandboxes due to poll requirements
- use compatible poll(2) implementation on OS X and Minix
- do not enable by default Capsicum sandbox on FreeBSD 9/10
Remaining uses in client and server loop will be transferred in future when use is stabilised.
- Use sftp protocol in secure copy utility.
This experimental feature includes following corrections:
- when secure copy transfers multiple files create the destination directory, if it does not already exist
- return "No such file or directory" message if expand of user path fail in secure sftp server subsystem
- fix some corner cases in handling of tilde-prefixed patch
- rewrite tilde_expand_filename to handle ~user paths with no trailing slash
- use status error message to communicate ~user expansion failures
- show un-expanded paths in error messages
- added extra debug messages on sftp client side
- set default protocol from environment
Note sftp mode is highly experimental and secure copy utility will use scp protocol by default.
- Update of host-keys
Implementation of this experimental feature was updated:
- new model for host keys updates
- accept rsa/sha2 signatures on client side
- use rsa/sha2 signatures if client support them
- Bugs:
- improvements and spelling corrections in manual pages, documents and program comments
- atomicio* should return bytes already read even on error
- do not set raw tty mode if command execution is not allowed
- use proper parameter when decompressing zlib compressed packets
- allow sha{384|512} key exchange hashes in host-based authentication helper utility
- correct handling of pselect(2) exceptfds/POLLPRI in ppoll(2) compatibility implementation
- check "revents" for POLLHUP wherever is checked for POLLIN
- use proper flag for IPQoS le option
- modify ssh-keyscan to hash host:port when is asked for
(Fixes hashes for non-default ports)
- suppress "Connection to ... closed" message at log levels less then "information"
- unify checks for ipv4 loopback interface
(Fixes issue with BindInterface that consider "localhost" as the only local loopback interface)
- do not use closefrom() implementation from GNU C library
(It may die in "chroot" environment if read from /proc/self/fd fail.
Also use close_range() if available, i.e. glibc 2.34.)
- remove broken realpath compatibility implementation
- revert use of realpath when is created "ssh user directory" as it relies on broken functionality
- use specific realpath only in sftp server related code
- re-enable sftp protocol for secure copy regression tests
- fix memory leaks in pkcs11
- fix memory leak in ecdsa signature conversions function for X.509 algorithms
- fix memory leak when sftp client process replies from upload side
- improve work-around for STREAMS based ptys when daemon acquire a controlling terminal
- Misc:
- clean-up more buffers used in bcrypt_pbkdf compatible implementation
- clean-up cached host-key to ensure more clean OpenSSL shuthdown
- allow gettid in secure secure computing mode
- modernise OCSP - use TLS_client_method() if OpenSSL >= 1.1
- some OpenSSL 3.0 compatibility improvements
- use compatibility getline() on HP-UX 10.*
- seteuid breaks setuid on Minix
- remove possibility to build without "revocation" code for X.509 certificates.
- use mdb(memory-mapped database) in ldap regression tests
(Note bdb and hdb are removed in openldap 2.5+ and mdb is available in openldap 2.4+)
- restored build on ancient OS-es
(C99 compiler is not strictly required.
For instance code builds fine with gcc 4.1.2 with default language standard level as if compiler is gcc configure script sets language standard to gnu99 (-std=gnu99) if LLONG_MAX is not found by default.)
- 23 Oct 2021 : Version x509-13.2.3
- What's new:
-
- Bugs:
- system control on FreeBSD
Precise use of procctl(2).
- scp via sftp in regression test
This experimental feature now is excluded for regression tests.
An environment variable could be used to reactivate tests.
- use "broken" realpath in sftp-server
Force use of provided for compatibility but broken realpath in sftp server code.
To ensure consistent and reliable work, for instance on Android,
PKIX-SSH forces use realpath implementation provided for compatibility.
OpenBSD pretend that a function is broken is does not work as OpenBSD implementation.
For function realpath reality is quite different - OpenBSD implementation is broken.
Unfortunately is some FORTIFY_SOURCE builds redirect is forced to lib C implementation.
This breaks sftp functionality inherited from OpenBSD that relies on broken implementation.
- 11 Oct 2021 : Version x509-13.2.2
- What's new:
-
- Security:
- supplementary groups for command
Now daemon initialise supplementary group access list before to execute a helper command like AuthorizedKeysCommand.
Due to defect if command is set to run as a different user it would inherit the groups that daemon was started with.
Depending on system configuration, inherited groups may allow helper command to gain unintended privilege.
Note commands are not used by default.
- Features:
- scp via sftp
Allow secure cope utility to use sftp v3 protocol for file transfer.
Note that there is no attempt to provide compatibility with scp's "double shell" quoting rules.
Requires sftp server extension "expand-path" to support path relative to user's home directories.
- portability
On FreeBSD agent use system control(procctl(2)) to disable traces(ptrace(2)).
- Bugs:
- custom certificate as host-key in agent
PKIX-SSH allows to run daemon in unprivileged mode.
Now in this mode daemon could use host-key in agent in the same manner as privileged mode.
- interrupt on sftp command line
Restored existing functionality broken in PKIX-SSH 13.2 by "experimental handle interrupt on sftp "editline" related code".
- Misc:
- "none" argument
Accept "none" as argument for some configuration options.
Only for compatibility.
- manual improvements
- 8 Sep 2021 : Version x509-13.2.1
- What's new:
-
- Bugs:
- management of TERM environment in shared session
Correct regression 13.2 introduced by "allow client directive SetEnv to override environment variable TERM".
- memory leak
Fix memory leak in PAM authentication "query" error path.
- pselect compatible implementation
Use highest FD number plus one in pselect compatible implementation.
- AuthorizedKeysFile spelling
Typo in some manuals that mention daemon option AuthorizedKeysFile.
- Misc:
- manual page consistency
Refer to KEX "algorithms" instead of "methods".
- use key utility to generate non-existing host keys upon "startup"
- 30 Aug 2021 : Version x509-13.2
- What's new:
-
- Features:
- client and daemon option CAStoreURI
Options that use OpenSSL "Store API" for X.509 look-up.
- X.509 look-up "by store" for OpenSSL 1.1.1*
Note OpenSSL 3.0 provides "by store" X.509 look-up.
- client option KnownHostsCommand
- degrade sftp-server extension
degrade gracefully if a sftp-server offers the limits extension but fails when the client tries to invoke it
- environment variable TERM
allow client directive SetEnv to override environment variable TERM
- use only KbdInteractiveAuthentication client and daemon directives
- deprecate outdated SKeyAuthentication and TISAuthentication client directives
- client directive "SessionType"
Allows client configuration file to offer equivalent control to the -N (no session) and -s (subsystem) command-line flags
- client directive "StdinNull"
Client configuration option equal to command line argument -n.
- client directive "ForkAfterAuthentication
Client configuration option equal to command line argument -f.
- postpone "Authenticated to ..." message
Move "Authenticated to ..." verbose messages to the end of user authentication process.
Also add method name to the message.
- show only the final path component in the sftp progress meter
- sftp server extension "expand-path"
Reserved for future to allow scp over sftp to accept ~-prefixed paths.
- use pselect in daemon
Switch server loop and listening loop to use pselect.
Use exiting self-pipe trick to provide compatible implementation.
- Bugs:
- do not log partial successes as failures
- restore blocking status on standart input/output file descriptors before close
- sftp server "limits"
make "limits" extension available in read-only mode
- use password cache in key utility
Note that get password function may return value that point to a static area, and so it may be overwritten by subsequent calls.
- remove needless client options UserCAldapURL and UserCAldapVersion
There is no tilde ($HOME) expansion.
- handle group with GID > 2^31
AIX LONG_MAX related compatibility in getgrouplist.
- DNS SSHFP RR processing
use only supported key types and digests for DNS SSHFP resource records.
- explicitly check for and start time-based re-keying in the client and daemon loops
- make first environment variable win in option parse
Also limit variables to 1024.
- on fatal errors, make scp wait for ssh connection before exiting
- Misc:
- rewrite client and daemon configuration parser
Make them more strict and unified.
Raise error on configuration directive with empty pattern.
Add management of escaped "space" character.
Also for all single value directives ensure than only first obtained value is used.
- rewrite X.509 look-ups
If "by store" look-up is available it will handle ldap queries.
In such case X.509 look-up "by ldap" is not build.
- updated manuals
- openssl compatibility
Note provider based implementation will be based on OpenSSL 3.1 API.
- more regression tests
Also use more portable shell substitutions everywhere in regression tests.
- log sftp flags and permissions attribute
- experimental handle interrupt on sftp "editline" related code
- 21 Apr 2021 : Version x509-13.1
- What's new:
-
- Features:
- exit client with code that correspond to signal
- print scanned host-keys in generic DNS RR record format
- display other host-keys
When prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key
- handle sftp-server reads up to maximum packet size or with zero length
- use sftp protocol extension "limits"
Use sftp protocol extension "limits" to let the client select good limits based on what the server supports
- new daemon option ModuliFile
- more gtk 3.0 compatible ssh-askpass
- Bugs:
- restore use of rsa plain keys in pkcs#11 operations
- adjust number of verbose options passed to ssh client from sftp program
- various corrections in manual pages
- backslash in "authorized" command arguments
Multiple backslashes were not being unquoted correctly in "authorized" commands
- space in "authorized" command arguments
Quoted space in the middle of a string was being incorrectly split in "authorized" commands
- Misc:
- allow/deny more system calls in secure computing mode
- 15 Mar 2021 : Version x509-13.0.1
- What's new:
-
- Security:
- properly report unsupported agent extension
Avoid use after free when is reported unsupported "secure-key" constraint proceed only for compatibility.
- Misc:
- disallow fstatat64 more system calls in secure secure computing mode
Used by OpenSSL is some specific builds.
- 3 Mar 2021 : Version x509-13.0
- What's new:
-
- Security:
- Always validate loaded keys, also in signing and verification.
Note in addition to file key sources could be "store", "engine",
secure token device, third party utility that loads keys into agent.
- Prevent excessively long username going to PAM on Solaris.
This is a mitigation for a buffer overflow in Solaris PAM username handling
(CVE-2020-14871), and is only enabled for Sun-derived PAM implementations.
- Features:
- Require C99 to build.
- Prefer RFC6187 public key algorithms to legacy. Note X.509 based.
- Prefer "Edwards-Curve Digital Signature Algorithm"(*ed25519*) to
"Elliptic Curve Digital Signature Algorithm"(*ecdsa*) public key algorithms.
- Prefer PKCS#8 format for Ed25519 keys. Usable with OpenSSL 1.1.1+.
- Support exact algorithm in host-based authentication,
i.e. complete algorithm support including X.509 algorithms from RFC6187
and RSA algorithms from RFC8332.
- Set the specified TOS/DSCP for interactive use prior to TCP connect.
Note connection phase of a SSH session is time-sensitive.
The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
- Change client option CheckHostIP default to "no" -
makes know host files more simple
and it must be unset if connection is to host with multiple addresses.
- Client option PermitRemoteOpen for restriction of
remote dynamic forwarding with SOCKS.
- Daemon options to restrict number of unauthenticated connections
per source address - PerSourceMaxStartups and PerSourceNetBlockSize.
- Value none to first client option UserKnownHostsFile or GlobalKnownHostsFile
indicates that user or global host key database should not be used.
- Enhance key generation utility to store private keys in traditional PEM format.
Avoids use of OpenSSL utilities to convert from PKCS#8 to traditional PEM format.
- Allow or disallow more system calls in secure secure computing mode.
- Adapt mainstream updated of ssh-copy-id like install keys via sftp.
- Try to read public key from "private" if pub-file is not present.
Applicable for X.509 identities where certificate is part of file with "private" key.
Also usable for keys stored in custom format.
- Custom sftp extension for server limits.
- Drop build requirements for fipscheck on Fedora 33 or newer.
- Support post 2.69 autoconf releases like 2.70 and 2.71.
- Remove the pre-standardization cipher rijndael-cbc@lysator.liu.se from list.
It is an alias for aes256-cbc described in RFC4253 (2006),
disabled by default since PKIX-SSH 8.8 (Feb 2016) and
never listed in manual pages.
- New LogVerbose keyword for client and daemon.
Allows forcing maximum debug logging by file/function/line pattern-list.
- Bugs:
- Do not check for "custom" revocation if key is not specified when in host-key query.
- Do not free string returned by login_getcapstr(3) - compatibility with some BSDs.
- In sftp command properly sort remote directory listing.
- When doing an sftp recursive upload or download of a read-only directory,
ensure that the directory is created with write and execute permissions
in the interim so that we can actually complete the transfer,
then set the directory permission as the final step.
- More strictly enforce key exchange state-machine by rejecting packet types once they are received. Avoid memory leak.
- Revert "audit for x32 systems".
- In keyboard interactive prompts and use (user@host) as prefix -
make it easier to determine which connection they are associated
with in cases like scp -3, ProxyJump, etc.
- Allow full range of UIDs and GIDs for sftp chown and chgrp on
32-bit platforms instead of being limited by 32-bit LONG_MAX.
- Remove debug message from daemon "child" signal handler -
problems on some platforms.
- Properly measure elapsed time when code waits for event on a file descriptor.
- Do not reset handler for signal 0 in child sub-process.
- Various corrections in manual pages.
- Proper license for XMSS reference code.
- Misc:
- Rewrite code to use only EVP_PKEY as attribute on key structure.
PKEY eliminates direct use of RSA, DSA, EC, DH keys deprecated in OpenSSL 3.0.
OpenSSL API 3.0 will not be supported.
Planed is support for next major release - 3.1 or 4.0.
- Various code refactoring to capsulate functionality into single source file,
unify key serialisation and validation,
define compatibility functions only in source where is used,
eliminate duplicate code,
eliminate needless function arguments and structure attributes,
remove unused global variables, improve readability.
- Replace the experimental post-quantim hybrid key exchange method
based on Streamlined NTRU Prime (coupled with X25519), i.e.
"sntrup4591761x25519-sha512@tinyssh.org" -> "sntrup761x25519-sha512@openssh.com"
as per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.
News archives:
|