
secure shell with
X.509 v3 certificate support



5 Oct 2022 : Official version x509-13.5
What's new:
  • Features:
    • new RequiredRSASize configuration directive
      Used by client and daemon. Allows raising the limit from the default of 1024 bits.
    • sftp server extension "home-directory"
      Used by some sftp clients.
    • custom sftp extension "users-groups-by-id"
      When available used to fill in user/group names for directory listings.
    • allow arguments to sftp -D option
  • Bugs:
    • strictly enforce the maximum allowed SSH2 banner size in gather public key utility
      Fixes a one-byte overflow in secsh-banner processing.
    • work-around for incorrect ed25519 bits in some OpenSSL releases
  • Misc:
    • more clever sftp completions
    • add powerpc to supported architectures in secure computing mode
    • clean up configuration script
      Includes removal of the "X.509 store support" flag, as that support has been required since PKIX-SSH 9.0.
    • improved manual pages

23 Jun 2022 : Official version x509-13.4.1
What's new:
  • Features:
    • work-around for OpenSSL 3.0
      Note: due to its broken design, OpenSSL 3.0 cannot ensure compatibility with the existing code base. The reordered PKIX-SSH code allows the malfunctioning OpenSSL 3.0 key manager to be thrown away from keys.
    • exclude DSA from default host-keys generated by authentication key utility
    • allow multiple SetEnv directives in client and daemon configuration
      Ensures that the first name wins, as the configuration is supposed to work. Includes unified processing of environment related directives in client and daemon configuration and a test over a multiplexed connection.
  • Bugs:
    • restore management of locked account
      Regression introduced in PKIX-SSH 13.3.2.
    • PKCS#11 "raw" ec point
      Properly try "raw" encoded EC-point if DER encoding fails.
    • memory leak in PKCS#11 EC keys
      Avoid a memory leak in the error path when a PKCS#11 EC key is constructed.
    • clean-up password in user authentication error path
    • scp in experimental SFTP mode
      When performing operations on a remote path specified as a pattern, ensure that the implicit working directory used to construct that path escapes wild-card characters. This prevents wild-card characters from being processed in places they should not be, e.g. after "cd /tmp/a*/", "get *.txt" should have the get operation treat the path "/tmp/a*" literally and not attempt to expand it.
      Arrange secure copy to not truncate files early. Note: the previous behaviour of unconditionally truncating the destination file would cause "scp ~/foo localhost:" and "scp localhost:foo ~/" to delete all the contents of their destination.
  • Misc:
    • improved manual pages
    • avoid non standard printf() conversion specifier %m in capsicum sandbox
    • cache timezone data in capsicum sandbox
    • accept only numbers for CIDR mask length
    • use 64-bit in moduli generation
      Avoid overflow when trying to generate modp groups > 16k bits
    • improve TERM variable passing over multiplexed connection
      Use different test if regression test is run from real tty or not.
      Restore "multiplex" test to regular list as this was the second blocking issue. Remark: the first is race conditions, temporarily avoided by some extra "sleep" in the test.
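
The wild-card fix for scp in SFTP mode listed above, illustrated as an added example (not PKIX-SSH code): the working directory is backslash-escaped before the user's pattern is appended, so only the pattern part is expanded. The names join_pattern and selects are hypothetical, the paths are constructed, and fnmatch(3) stands in for the remote glob.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper: build "<cwd>/<pattern>". When escape_cwd is set,
 * every glob metacharacter in cwd is backslash-escaped so that the
 * directory part is matched literally. Caller frees the result.
 */
char *join_pattern(const char *cwd, const char *pattern, int escape_cwd)
{
    /* worst case: every byte of cwd escaped, plus '/', pattern and NUL */
    size_t n = 2 * strlen(cwd) + 1 + strlen(pattern) + 1;
    char *out = malloc(n);
    char *p = out;

    if (out == NULL)
        return NULL;
    for (; *cwd != '\0'; cwd++) {
        if (escape_cwd && strchr("*?[]\\", *cwd) != NULL)
            *p++ = '\\';
        *p++ = *cwd;
    }
    *p++ = '/';
    strcpy(p, pattern);
    return out;
}

/* Returns 1 if the remote path would be selected, 0 if not, -1 on error. */
int selects(const char *cwd, const char *pattern, int escape_cwd,
            const char *path)
{
    char *pat = join_pattern(cwd, pattern, escape_cwd);
    int r;

    if (pat == NULL)
        return -1;
    r = (fnmatch(pat, path, FNM_PATHNAME) == 0);
    free(pat);
    return r;
}

int main(void)
{
    /* Constructed sample: working directory "/tmp/a*", then "get *.txt". */
    const char *cwd = "/tmp/a*";
    const char *remote[] = { "/tmp/a*/notes.txt", "/tmp/abc/notes.txt" };
    size_t i;

    for (i = 0; i < 2; i++)
        printf("%-20s unescaped=%d escaped=%d\n", remote[i],
               selects(cwd, "*.txt", 0, remote[i]),
               selects(cwd, "*.txt", 1, remote[i]));
    return 0;
}
```

Without escaping, the file under /tmp/abc is selected as well; with escaping only the file in the directory literally named "a*" is.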

11 Apr 2022 : Version x509-13.3.2
What's new:
  • Features:
    • hybrid Streamlined NTRU Prime + x25519 key exchange method
      Added to the default KEX methods if it is built; its use is documented in the manual pages.
  • Bugs:
    • return only requested events in ppoll compatible implementation
      Returning flags for events not requested can apparently cause a hang.
    • fmt_scaled() with negative argument
      Properly check negative argument to fmt_scaled().
    • scan_scaled() and negative numbers
      Properly process negative numbers in scan_scaled().
    • do not resolve ListenAddress directives in daemon "re-exec path"
      Result is never used and if the operation fails then it can prevent connections from being accepted.
    • shadow password and libiaf locked account
      Fixes incorrect free when shadow password and libiaf are used.
  • Misc:
    • alarm handler signal
      In alarm handler do not send alarm to "preauth" child.
    • move configure check for rlimit sandbox at end
      Prefer the OS-specific sandbox.
    • test "if select works with descriptor rlimit"
      Removed configure test because of its misconceptions.
    • build improvement
    • build with Linux auditing enabled in rpm-spec files

5 Mar 2022 : Version x509-13.3.1
What's new:
  • Features:
    • FIPS mode for OpenSSL 1.1
      Vendor OpenSSL 1.1 releases support FIPS. In addition rpm-spec files were updated to request FIPS related packages more precisely. In consequence the FIPS build is enabled by default. Also FIPS tests are activated but errors are ignored for now.
      Note: if FIPS mode is not active, it can be requested via the environment variable OPENSSL_FIPS.
  • Misc:
    • selinux rules
      Enable 64-bit time ppoll and disable socket system calls in security-enhanced Linux.
    • OS releases compatibility
      Updates to ensure functionality on "old" Linux. For instance rpm-spec files were updated to request package available in respective OS release. LDAP tests use "hdb" backend on "old" Linux.
    • cryptographic library compatibility
      Ensures work with ancient OpenSSL releases and OpenSSL compatible library.
    • no DSA in pkcs11
      Remove unfinished support for DSA keys in pkcs11.

24 Feb 2022 : Version x509-13.3
What's new:
  • Features:
    • New compatible implementation of poll(2) based on new ppoll(2) that uses pselect(2).
      This version starts transition from select to poll.
      • switch ssh-keyscan from select to ppoll
      • switch sftp-server from select to poll
      • switch "packet" from select to ppoll
      • switch daemon from pselect to ppoll
      • unified management of limits in sandboxes due to poll requirements
      • use compatible poll(2) implementation on OS X and Minix
      • do not enable by default Capsicum sandbox on FreeBSD 9/10
      Remaining uses in client and server loop will be transferred in future when use is stabilised.
    • Use sftp protocol in secure copy utility.
      This experimental feature includes following corrections:
      • when secure copy transfers multiple files create the destination directory, if it does not already exist
      • return "No such file or directory" message if expansion of the user path fails in secure sftp server subsystem
      • fix some corner cases in handling of tilde-prefixed paths
      • rewrite tilde_expand_filename to handle ~user paths with no trailing slash
      • use status error message to communicate ~user expansion failures
      • show un-expanded paths in error messages
      • added extra debug messages on sftp client side
      • set default protocol from environment
      Note sftp mode is highly experimental and secure copy utility will use scp protocol by default.
    • Update of host-keys
      Implementation of this experimental feature was updated:
      • new model for host keys updates
      • accept rsa/sha2 signatures on client side
      • use rsa/sha2 signatures if the client supports them
  • Bugs:
    • improvements and spelling corrections in manual pages, documents and program comments
    • atomicio* should return bytes already read even on error
    • do not set raw tty mode if command execution is not allowed
    • use proper parameter when decompressing zlib compressed packets
    • allow sha{384|512} key exchange hashes in host-based authentication helper utility
    • correct handling of pselect(2) exceptfds/POLLPRI in ppoll(2) compatibility implementation
    • check "revents" for POLLHUP wherever POLLIN is checked
    • use proper flag for IPQoS le option
    • modify ssh-keyscan to hash host:port when asked to
      (Fixes hashes for non-default ports)
    • suppress "Connection to ... closed" message at log levels less than "information"
    • unify checks for ipv4 loopback interface
      (Fixes issue with BindInterface that considers "localhost" as the only local loopback interface)
    • do not use closefrom() implementation from GNU C library
      (It may die in a "chroot" environment if the read from /proc/self/fd fails. Also use close_range() if available, i.e. glibc 2.34.)
    • remove broken realpath compatibility implementation
      • revert use of realpath when the "ssh user directory" is created, as it relies on broken functionality
      • use specific realpath only in sftp server related code
      • re-enable sftp protocol for secure copy regression tests
    • fix memory leaks in pkcs11
    • fix memory leak in ecdsa signature conversions function for X.509 algorithms
    • fix memory leak when sftp client process replies from upload side
    • improve work-around for STREAMS based ptys when the daemon acquires a controlling terminal
  • Misc:
    • clean-up more buffers used in bcrypt_pbkdf compatible implementation
    • clean-up cached host-key to ensure a cleaner OpenSSL shutdown
    • allow gettid in secure computing mode
    • modernise OCSP - use TLS_client_method() if OpenSSL >= 1.1
    • some OpenSSL 3.0 compatibility improvements
    • use compatibility getline() on HP-UX 10.*
    • seteuid breaks setuid on Minix
    • remove possibility to build without "revocation" code for X.509 certificates.
    • use mdb(memory-mapped database) in ldap regression tests
      (Note bdb and hdb are removed in openldap 2.5+ and mdb is available in openldap 2.4+)
    • restored build on ancient OS-es
      (A C99 compiler is not strictly required. For instance, the code builds fine with gcc 4.1.2 at the default language standard level, because when the compiler is gcc the configure script sets the language standard to gnu99 (-std=gnu99) if LLONG_MAX is not found by default.)

23 Oct 2021 : Version x509-13.2.3
What's new:
  • Bugs:
    • system control on FreeBSD
      Precise use of procctl(2).
    • scp via sftp in regression test
      This experimental feature is now excluded from regression tests. An environment variable can be used to reactivate the tests.
    • use "broken" realpath in sftp-server
      Force use of the realpath that is provided for compatibility, but broken, in sftp server code. To ensure consistent and reliable work, for instance on Android, PKIX-SSH forces use of the realpath implementation provided for compatibility. OpenBSD pretends that a function is broken if it does not work as the OpenBSD implementation does. For the function realpath the reality is quite different - the OpenBSD implementation is broken. Unfortunately, in some FORTIFY_SOURCE builds a redirect to the C library implementation is forced. This breaks sftp functionality inherited from OpenBSD that relies on the broken implementation.

11 Oct 2021 : Version x509-13.2.2
What's new:
  • Security:
    • supplementary groups for command
      Now the daemon initialises the supplementary group access list before executing a helper command like AuthorizedKeysCommand. Due to the defect, a command set to run as a different user would inherit the groups that the daemon was started with. Depending on system configuration, inherited groups may allow the helper command to gain unintended privilege. Note commands are not used by default.
  • Features:
    • scp via sftp
      Allow the secure copy utility to use sftp v3 protocol for file transfer. Note that there is no attempt to provide compatibility with scp's "double shell" quoting rules. Requires sftp server extension "expand-path" to support paths relative to users' home directories.
    • portability
      On FreeBSD the agent uses system control (procctl(2)) to disable traces (ptrace(2)).
  • Bugs:
    • custom certificate as host-key in agent
      PKIX-SSH allows running the daemon in unprivileged mode. Now in this mode the daemon can use a host-key in the agent in the same manner as in privileged mode.
    • interrupt on sftp command line
      Restored existing functionality broken in PKIX-SSH 13.2 by "experimental handle interrupt on sftp "editline" related code".
  • Misc:
    • "none" argument
      Accept "none" as argument for some configuration options. Only for compatibility.
    • manual improvements
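
The supplementary-groups defect from the Security entry of this release, illustrated as an added example (not PKIX-SSH code; all function names are hypothetical and the group IDs in main are constructed): the defective drop changes only gid and uid, the corrected one resets the supplementary list first, and leaked_groups reports which inherited groups a helper must not keep.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* initgroups(3) on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Defective order: the supplementary groups of the daemon stay attached. */
int drop_without_groups(const struct passwd *pw)
{
    if (setgid(pw->pw_gid) != 0)
        return -1;
    return setuid(pw->pw_uid);
}

/*
 * Corrected order: replace the supplementary list while still privileged,
 * then change gid, then uid. Finally confirm that root cannot be regained.
 */
int drop_with_groups(const struct passwd *pw)
{
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;              /* drop did not stick */
    return 0;
}

/*
 * Audit helper: copy into leaked[] every gid the process has that the
 * target user is not entitled to; returns how many were found.
 * leaked[] must have room for nhave entries.
 */
size_t leaked_groups(const gid_t *have, size_t nhave,
                     const gid_t *allowed, size_t nallowed, gid_t *leaked)
{
    size_t i, j, n = 0;

    for (i = 0; i < nhave; i++) {
        for (j = 0; j < nallowed && allowed[j] != have[i]; j++)
            ;
        if (j == nallowed)
            leaked[n++] = have[i];
    }
    return n;
}

int main(void)
{
    /* Constructed sample: groups of the daemon vs. groups of the helper user. */
    const gid_t daemon_groups[] = { 0, 4, 27, 1001 };
    const gid_t helper_groups[] = { 1001, 1002 };
    gid_t leaked[4];
    size_t i, n;

    n = leaked_groups(daemon_groups, 4, helper_groups, 2, leaked);
    for (i = 0; i < n; i++)
        printf("helper would inherit gid %lu\n", (unsigned long)leaked[i]);
    return 0;
}
```

The two drop functions need to start with root privileges, so main only runs the audit on the sample lists.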

8 Sep 2021 : Version x509-13.2.1
What's new:
  • Bugs:
    • management of TERM environment in shared session
      Correct a regression introduced in 13.2 by "allow client directive SetEnv to override environment variable TERM".
    • memory leak
      Fix memory leak in PAM authentication "query" error path.
    • pselect compatible implementation
      Use highest FD number plus one in pselect compatible implementation.
    • AuthorizedKeysFile spelling
      Typo in some manuals that mention daemon option AuthorizedKeysFile.
  • Misc:
    • manual page consistency
      Refer to KEX "algorithms" instead of "methods".
    • use key utility to generate non-existing host keys upon "startup"

30 Aug 2021 : Version x509-13.2
What's new:
  • Features:
    • client and daemon option CAStoreURI
      Options that use OpenSSL "Store API" for X.509 look-up.
    • X.509 look-up "by store" for OpenSSL 1.1.1*
      Note OpenSSL 3.0 provides "by store" X.509 look-up.
    • client option KnownHostsCommand
    • degrade sftp-server extension
      degrade gracefully if a sftp-server offers the limits extension but fails when the client tries to invoke it
    • environment variable TERM
      allow client directive SetEnv to override environment variable TERM
    • use only KbdInteractiveAuthentication client and daemon directives
    • deprecate outdated SKeyAuthentication and TISAuthentication client directives
    • client directive "SessionType"
      Allows client configuration file to offer equivalent control to the -N (no session) and -s (subsystem) command-line flags
    • client directive "StdinNull"
      Client configuration option equal to command line argument -n.
    • client directive "ForkAfterAuthentication"
      Client configuration option equal to command line argument -f.
    • postpone "Authenticated to ..." message
      Move "Authenticated to ..." verbose messages to the end of user authentication process. Also add method name to the message.
    • show only the final path component in the sftp progress meter
    • sftp server extension "expand-path"
      Reserved for future to allow scp over sftp to accept ~-prefixed paths.
    • use pselect in daemon
      Switch server loop and listening loop to use pselect. Use existing self-pipe trick to provide compatible implementation.
  • Bugs:
    • do not log partial successes as failures
    • restore blocking status on standard input/output file descriptors before close
    • sftp server "limits"
      make "limits" extension available in read-only mode
    • use password cache in key utility
      Note that the get password function may return a value that points to a static area, and so it may be overwritten by subsequent calls.
    • remove needless client options UserCAldapURL and UserCAldapVersion
      There is no tilde ($HOME) expansion.
    • handle group with GID > 2^31
      AIX LONG_MAX related compatibility in getgrouplist.
    • DNS SSHFP RR processing
      use only supported key types and digests for DNS SSHFP resource records.
    • explicitly check for and start time-based re-keying in the client and daemon loops
    • make first environment variable win in option parse
      Also limit variables to 1024.
    • on fatal errors, make scp wait for ssh connection before exiting
  • Misc:
    • rewrite client and daemon configuration parser
      Make them more strict and unified. Raise error on configuration directive with empty pattern. Add management of escaped "space" character. Also for all single value directives ensure that only the first obtained value is used.
    • rewrite X.509 look-ups
      If "by store" look-up is available it will handle ldap queries. In such case X.509 look-up "by ldap" is not built.
    • updated manuals
    • openssl compatibility
      Note provider based implementation will be based on OpenSSL 3.1 API.
    • more regression tests
      Also use more portable shell substitutions everywhere in regression tests.
    • log sftp flags and permissions attribute
    • experimental handle interrupt on sftp "editline" related code

21 Apr 2021 : Version x509-13.1
What's new:
  • Features:
    • exit client with a code that corresponds to the signal
    • print scanned host-keys in generic DNS RR record format
    • display other host-keys
      When prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key
    • handle sftp-server reads up to maximum packet size or with zero length
    • use sftp protocol extension "limits"
      Use sftp protocol extension "limits" to let the client select good limits based on what the server supports
    • new daemon option ModuliFile
    • more gtk 3.0 compatible ssh-askpass
  • Bugs:
    • restore use of rsa plain keys in pkcs#11 operations
    • adjust number of verbose options passed to ssh client from sftp program
    • various corrections in manual pages
    • backslash in "authorized" command arguments
      Multiple backslashes were not being unquoted correctly in "authorized" commands
    • space in "authorized" command arguments
      Quoted space in the middle of a string was being incorrectly split in "authorized" commands
  • Misc:
    • allow/deny more system calls in secure computing mode

15 Mar 2021 : Version x509-13.0.1
What's new:
  • Security:
    • properly report unsupported agent extension
      Avoid a use after free when reporting the unsupported "secure-key" constraint, which is processed only for compatibility.
  • Misc:
    • disallow fstatat64 more system calls in secure computing mode
      Used by OpenSSL in some specific builds.

3 Mar 2021 : Version x509-13.0
What's new:
  • Security:
    • Always validate loaded keys, also in signing and verification. Note: in addition to files, key sources could be a "store", an "engine", a secure token device, or a third party utility that loads keys into the agent.
    • Prevent excessively long username going to PAM on Solaris. This is a mitigation for a buffer overflow in Solaris PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations.
  • Features:
    • Require C99 to build.
    • Prefer RFC6187 public key algorithms to legacy. Note X.509 based.
    • Prefer "Edwards-Curve Digital Signature Algorithm"(*ed25519*) to "Elliptic Curve Digital Signature Algorithm"(*ecdsa*) public key algorithms.
    • Prefer PKCS#8 format for Ed25519 keys. Usable with OpenSSL 1.1.1+.
    • Support exact algorithm in host-based authentication, i.e. complete algorithm support including X.509 algorithms from RFC6187 and RSA algorithms from RFC8332.
    • Set the specified TOS/DSCP for interactive use prior to TCP connect. Note connection phase of a SSH session is time-sensitive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
    • Change client option CheckHostIP default to "no" - makes known host files simpler, and it must be unset if the connection is to a host with multiple addresses.
    • Client option PermitRemoteOpen for restriction of remote dynamic forwarding with SOCKS.
    • Daemon options to restrict number of unauthenticated connections per source address - PerSourceMaxStartups and PerSourceNetBlockSize.
    • Value none to first client option UserKnownHostsFile or GlobalKnownHostsFile indicates that user or global host key database should not be used.
    • Enhance key generation utility to store private keys in traditional PEM format. Avoids use of OpenSSL utilities to convert from PKCS#8 to traditional PEM format.
    • Allow or disallow more system calls in secure computing mode.
    • Adapt mainstream updates of ssh-copy-id, like installing keys via sftp.
    • Try to read public key from "private" if pub-file is not present. Applicable for X.509 identities where certificate is part of file with "private" key. Also usable for keys stored in custom format.
    • Custom sftp extension for server limits.
    • Drop build requirements for fipscheck on Fedora 33 or newer.
    • Support post 2.69 autoconf releases like 2.70 and 2.71.
    • Remove the pre-standardization cipher rijndael-cbc@lysator.liu.se from list. It is an alias for aes256-cbc described in RFC4253 (2006), disabled by default since PKIX-SSH 8.8 (Feb 2016) and never listed in manual pages.
    • New LogVerbose keyword for client and daemon. Allows forcing maximum debug logging by file/function/line pattern-list.
  • Bugs:
    • Do not check for "custom" revocation if key is not specified when in host-key query.
    • Do not free string returned by login_getcapstr(3) - compatibility with some BSDs.
    • In sftp command properly sort remote directory listing.
    • When doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that we can actually complete the transfer, then set the directory permission as the final step.
    • More strictly enforce key exchange state-machine by rejecting packet types once they are received. Avoid memory leak.
    • Revert "audit for x32 systems".
    • In keyboard interactive prompts use (user@host) as prefix - makes it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc.
    • Allow full range of UIDs and GIDs for sftp chown and chgrp on 32-bit platforms instead of being limited by 32-bit LONG_MAX.
    • Remove debug message from daemon "child" signal handler - problems on some platforms.
    • Properly measure elapsed time when code waits for event on a file descriptor.
    • Do not reset handler for signal 0 in child sub-process.
    • Various corrections in manual pages.
    • Proper license for XMSS reference code.
  • Misc:
    • Rewrite code to use only EVP_PKEY as attribute on key structure. PKEY eliminates direct use of RSA, DSA, EC, DH keys deprecated in OpenSSL 3.0. OpenSSL API 3.0 will not be supported. Support is planned for the next major release - 3.1 or 4.0.
    • Various code refactoring to encapsulate functionality into a single source file, unify key serialisation and validation, define compatibility functions only in the source where they are used, eliminate duplicate code, eliminate needless function arguments and structure attributes, remove unused global variables, improve readability.
    • Replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519), i.e. "sntrup4591761x25519-sha512@tinyssh.org" -> "sntrup761x25519-sha512@openssh.com"; as per the authors, sntrup4591761 was replaced almost two years ago by sntrup761.

3 Oct 2020 : Version x509-12.6
What's new:
  • Features:
    • askpass
      additional control over use of "askpass" program via environment variable "SSH_ASKPASS_REQUIRE"
    • configuration
      allow some keywords to expand shell-style ${ENV} environment variables on the client side
      token expand for "user known host files" client option including new token %k (key-alias)
    • agent
      allow -A to explicitly enable agent forwarding in scp and sftp commands
      delete agent keys read from standard input
      let client option AddKeysToAgent accept a time limit in addition
    • portability
      builds with Android API 29
      seccomp audit support for riscv64-* and x32 hosts
  • Bugs:
    • fix regression in 'process "exit-signal" ssh channel message'
    • restore functionality of client multiplexing option "proxy"
    • fix some memory leaks
    • restore possibility "plain" key material to clean agent key
    • process "-B" client command line option
    • prevent hidden loss of precision when the convtime() result is used
  • Misc:
    • improve logging for MaxStartups connection throttling
    • limit channel input buffer size to 16MB
    • better terminology in some manuals
    • defer creation of user ssh directory (~/.ssh) by client until attempt to write to it
    • handle EINTR in functions waitfd and timeout_connect
    • also compare user name when checking for JumpHost loops
    • catch address/mask mismatches when parsing, before they cause problems at run-time
    • when redirecting daemon log output to a file undo redirection in child process for client session
    • reset the server alive check only when the client receives traffic from the server and ignore traffic from a port forwarding
      (prevents client from keeping a connection alive when it should be terminated)
    • always send any PAM account messages.
    • improve daemon on re-exec

7 Jun 2020 : Version x509-12.5.1
What's new:
  • Bugs:
    • built-in chacha20-poly1305 for OpenSSL 1.1.0*
      For OpenSSL 1.1.0* releases use slow built-in chacha20-poly1305 due to regression in EVP_CipherInit(). Although regression is fixed officially in OpenSSL 1.1.0g exclude all to avoid issue with vendor releases.
    • fixes for include directive in daemon configuration
      Properly process Port and Match directive.
    • fix "TIME FORMATS" with multiple qualifiers
      Fix multiplier in convtime() when handling seconds after other units
    • preserve group/world read permission on known hosts file
      Runs of "ssh-keygen -Rf /path" keep permissions instead of removing all rights for group/other as before.
    • fix off-by-one error in sftp client
      Caused sftp downloads to make one more concurrent request than desired.

31 May 2020 : Version x509-12.5
What's new:
  • Security:
    • in "remote copy program" (scp) send single error message to avoid desynchronisation
  • Features:
    • enhance and unify token expansion in client options and properly document used tokens
    • allows IgnoreRhosts to be used anywhere in server configuration
    • make daemon option IgnoreRhosts a tri-state option
    • allow the list of agent-keys to print an X.509 identity in public key format instead of the certificate distinguished name: ssh-add -L -k
    • add sftp flag that re-enable verbose output in batch mode
    • add textual representation for some common PKCS#11 errors
    • use EVP_chacha20 from cryptographic library (ignored for broken LibreSSL)
    • run the 2nd ssh with BatchMode for scp -3
    • environment variable for engine configuration file: SSH_ENGINE_CONF
    • load default dsa identity last
  • Bugs:
    • postpone build of certificate chain for agent keys: correction for keys used with RFC6187 algorithms if IdentityFile is set
    • properly limit pkcs#11 provider keys when option IdentitiesOnly is set
    • ensure that tunnel forwarding failures terminate the connection when ExitOnForwardFailure is enabled
    • document order of authorized keys: files are first and falling back to command
    • some clarifications in manual pages
    • enable "explicit routing domain" daemon option only if supported by platform
    • prepend bindir to "USER_PATH" found by configure script
    • disable use of completely broken "visually encode characters" functions
  • Miscellaneous:
    • precise environment section in manual pages
    • clarify and document use of ssh-askpass in manual pages
    • miscellaneous portability fixes
    • refactor program code for load, serialisation and deserialisation of keys
    • correct spelling in manual pages, documents and code
    • forward compatibility with OpenSSL library: use only EVP_PKEY interface, avoid use of deprecated API
    • exclude ldap test from default list
    • check if SA_RESTART signals will interrupt select

21 Mar 2020 : Version x509-12.4.3
What's new:
  • Bugs:
    • X.509 based host-keys validation
      Regression was not fixed properly in previous release. Now result of X.509 based host-keys validation is checked properly.
    • cancellation of remote forwarding
      Correct uninitialised pointer variables in cancellation of remote forwarding from local side.
    • if load of pkcs#11 fails
      Initialise label variable to avoid failure if load of pkcs#11 fails.
    • parse error in service request
      Properly exit in service request parse errors.
    • sshd_config includes
      Correct relative includes in daemon configuration.
  • Miscellaneous:
    • force use of "askpass" on Android
      On Android force use of "askpass" if environment variable SSH_ASKPASS is set. Note environment variable DISPLAY is ignored.
    • use of "askpass"
      Remove spurious check for environment variable DISPLAY when use of "askpass" is requested.
    • ask for hostkey update
      Ask for hostkey update is unified with other permission requests. All of them may use "ask-pass" for confirmation.
    • manual pages
      Correct spelling errors in key utility page. Merge environment section in agent page.
    • some improvements for Android

23 Feb 2020 : Version x509-12.4.2
What's new:
  • Bugs:
    • use X.509 host-key algorithms as well
      Restore use of all supported algorithms when client build host-key algorithm list for key exchange message. Regression introduced in release 12.4.
      Note that the client reorders algorithm preferences based on known host files. This functionality is disabled if client option HostKeyAlgorithms starts with "^". In this case algorithms from the option take precedence.
    • validation of X.509 based host-keys
      Unexpected loss of functionality in PKIX-SSH 11.3 due to code refactor. Unlike before, the restored verification and validation of X.509 based host-keys is performed before authorisation by known host.
  • Miscellaneous:
    • prevent ProxyJump loops
      Detect and prevent simple configuration loops when using ProxyJump.

17 Feb 2020 : Version x509-12.4.1
What's new:
  • Bugs:
    • compatibility with OpenSSH 7.2
      OpenSSH 7.2 is yet another release that announces a broken list of supported algorithms. Ignoring the announced list allows use of non-RSA keys.
    • included OpenSSH release
      OpenSSH release source with old version. Now PKIX-SSH announces compatibility with OpenSSH_8.2.
  • Miscellaneous:
    • simplify spec-files
      The provided sample spec-files exclude FIPS and LDAP enabled builds by default. Those features have to be enabled per OS release.

15 Feb 2020 : Version x509-12.4
What's new:
  • Features:
    • multiple daemon configuration files
      New daemon configuration directive "Include" allows inclusion of files.
    • ask-pass hints
      Now ask-pass uses hints: confirmation in addition to prompt, none is reserved for notifications. Depending on the hint, ask-pass creates a suitable dialog.
    • notification "Exceeded MaxStartups"
      Send a notification "Exceeded MaxStartups" prior to the SSH2 protocol banner when clients get denied by MaxStartups.
    • no X.509 store in agent
      Revert X.509 store from agent utilities, i.e. remove ssh-add(1) option "-S".
    • paths in ForwardAgent
      Client option ForwardAgent accepts path or name of environment variable in which to find the path in addition to yes/no
  • Miscellaneous:
    • improved manual pages
    • improved OS portability
    • crypto library compatibility
    • allow more system calls in seccomp sandbox
    • download PKCS#11 public key labels as comments
    • build without compression support - configure time option
    • startups in the process title
      Expose the number of currently authenticating connections along with the MaxStartups limit in the process title
    • replace single-letter key generator "moduli" flags with options
    • use signal wrapper around sigaction(2)

13 Oct 2019 : Version x509-12.3
What's new:
  • Features:
    • store identities(keys) in PKCS#8 PEM format and use aes256 algorithm
    • fetch pkcs#11 RSA/EC public key
      Fetch public key if X.509 certificate was not found and in absence of keys try interactive login and fetch again.
    • process the verbose flag when searching for host keys in known hosts
      Command "ssh-keygen -F host -l -v" will print random-art of host public key.
    • allow %n to be expanded in ProxyCommand strings
    • print explicit "not modified" message
      If a file was requested for resumed sftp download but was considered already complete.
    • better error messages for "bits" limit in key generation
    • limit number of permitopen/permitlisten directives parsed on a single line
    • allow prepending default set of algorithms by starting the list with the '^' character
  • Bugs:
    • build fixes: function prototypes, compatibility functions
    • make <esc><right> move right to the closest end of a word in sftp
    • properly support OpenSSL error management functionality
    • clean up setting of signal handlers again inside handlers (the current system is expected to have reliable signals)
  • Miscellaneous:
    • deny shmdt in "preauth" unprivileged child in secure computing mode
      Resolves fatal on some Linux OS distributions with 3.* kernel using OpenSSL version 1.1.1d.
    • on Solaris remove PRIV_PROC_SESSION
      Privilege which was limiting ability to send signal SIGWINCH to other(multiplexed) sessions.
    • retain Solaris PRIV_FILE_LINK_ANY in sftp-server
      It is required for the legacy sftp rename operation.
    • allow mprotect(2) with PROT_(READ|WRITE|NONE) only
      Allow in secure computing mode as is used by some hardened heap allocators.
    • allows s390-specific ioctl for ECC hardware support
      (in secure computing mode)
    • add sendfd to pledge(2)
      Note that later in the same code path the pledge restriction is reduced.
    • unify checks for function return value
      Some are checked for negative value while other exactly for -1.
    • on OS X use proc_pidinfo()-based closefrom()
    • supports build with OpenSSL master branch even with enabled API deprecation
    • change level of PKCS#11 message "provider returned no slots" from error to debug
    • fix some memory leaks, mostly in error path
    • separate regression test targets
    • restrict regression test to keys supported by executable
    • fix integer overflow in experimental XMSS private key
      Note XMSS is not enabled by default.
    • "key shielding" feature
      Not enabled by default as key stored on secure device has better protection.

26 Sep 2019 : Version x509-12.2
What's new in this Android special release:
  • Features:
    • prepared for packaging of executable into android application "library directory"
      Added extra integration between executable and Android application. Note Android 10 SELinux rules forbid execution if binary is in a writable directory.
    • wrap rename for Android
      Required by ssh-keygen -A to work.
    • sftp manual page and usage updates
      For get/put and reget/reput command use 'p' and 'R' as arguments. Keep 'P' and 'r' as redundant/deprecated flag. Add the -f flag to reput and reget.
  • Bugs:
    • rewrite sftp progress meter to avoid garbage output
      Also ensure that it works on narrow terminals.

29 Apr 2019 : Version x509-12.1
What's new:
  • Security:
    • ensure that X.509 key is validated if the key is authorized by command and if validation is not first
      Work-around is to set daemon option ValidateFirst to yes if configuration uses authorized keys command.
  • Features:
    • added algorithm x509v3-rsa2048-sha256 (RFC 6187)
      For compatibility reasons it is not used by default yet. Its use could be forced with respective options that control used algorithms.
    • export more android properties to child session
    • when signing custom certificates with an RSA key, default to using the rsa-sha2-256 signature format
      Custom certificates signed by RSA keys will therefore be incompatible with PKIX-SSH < 8.8 or OpenSSH < 7.2 unless the default is overridden.
    • allow testing of daemon configuration containing match directive without specifying connection parameters
      Assume any attribute not provided by -C does not match.
    • check for user@host when parsing sftp target
      This allows user@[] to work without a path in addition to with one.
  • Bugs:
    • restore support pkcs#11 provided X.509 keys in agent
      Regression in 12.0 release
    • no-op implementation of pam_putenv
      Some platforms such as HP-UX do not have pam_putenv.
  • Miscellaneous:
    • check authorization files first before authorized keys command
    • improve experimental implementation for ldap X.509 lookup based on OpenSSL STORE API
    • fixed some memory leaks
    • improved some debug messages
    • finalize removal of obsolete "X.509 key type" items from ssh key-type enumerate and related

29 Apr 2019 : Version x509-12.0.1
What's new:
  • Bugs:
    • "carriage return" in "protocol identification string"
      Relax missing "carriage return" in "protocol identification string". Even today, more than 10 years after RFC4253, some implementations still fail to send "Carriage Return"(CR) before "Line Feed"(LF) in protocol version identification string.
    • size of RSA key
      Document new default RSA key size in "keygen" manual page.
    • STREAMS modules
      Do not install duplicate STREAMS modules on Solaris.
  • Miscellaneous:
    • rpm-build specification
      Sample rpm-build specification for Redhat and SUSE. Now "spec"-files are used mainly for regression tests.
    • exclude multiplex from regular regression test
      Test fails regularly on medium loaded systems. It could be requested explicitly.
    • ldap backend in tests
      Allow ldap backend settings to be overridden from environment. Also module directory could be specified to load dynamic backend module.

18 Apr 2019 : Version x509-12.0
What's new:
  • Features:
    • increase the default RSA key size to 3072 bits.
      Follows NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level.
    • new sftp extension "lsetstat@openssh.com"
      Support SFTP extension "lsetstat@openssh.com" that replicates the functionality of the existing SSH_FXP_SETSTAT operation but does not follow symbolic-links. Activated by "-h" argument to sftp command chgrp, chmod and chown.
    • pseudo localization on Android
      Allows file transfer program to display file name with UTF-8 character instead of octal escape sequence.
    • "final" criteria for keyword Match
      Enhance Match keyword in client configuration with "final" criteria - it matches in same pass as "canonical" but doesn't require enabled hostname canonicalization.
    • usability of agent keys
      Test whether keys in an agent are usable - new ssh-add option "-T" that performs a signature and a verification with agent-key that matches specified public part.
    • option "-J" for file transfer command
      New file transfer command (scp and sftp) option "-J" as alias to match with client configuration ProxyJump. Note that local configuration is not used for ProxyJump host.
    • log more connection drops
      Log connection drop for attempt to run a command when ForceCommand=internal-sftp is in effect.
    • new KEX method "sntrup4591761x25519-sha512@tinyssh.org"
      Experimental post-quantum cryptography key exchange method sntrup4591761x25519-sha512@tinyssh.org enabled only at compilation time. Method is based on "Streamlined NTRU Prime 4591^761" and X25519.
    • exclude KEX "diffie-hellman-group-exchange-sha1"
      Remove key exchange method "diffie-hellman-group-exchange-sha1" from client defaults.
    • do not use "PKCS11Provider"
      Allow "none" argument for client option "PKCS11Provider" to indicate that no provider should be used. Note "none" is default.
    • "keyscan" exit status
      Command "keyscan" returns a non-zero exit status if no keys were found.
  • Bugs:
    • calculate bandwidth limits
      Fixed calculation of initial bandwidth limits in file transfer commands.
    • management of "ext-info-c" extension
      Daemon considers the "ext-info-c" extension only during the initial key exchange.
    • fixed a number of memory leaks.
    • file name match in secure copy
      On the local side the secure copy tool performs a simple check that files sent from the remote match the request. This mitigates a weakness in the tool and protocol (CVE-2019-6111). Note that remote and local could perform different wildcard expansion. For this reason command argument "-T" disables client side verification, at the risk of a hostile remote unexpectedly creating or replacing local files with attacker-controlled content. Note that the recommended mitigation of the scp protocol issue is for file transfer to use more modern protocols like sftp and rsync instead.
    • SIGPIPE and child process
      Avoids sending SIGPIPE to child processes after their parent exits if they attempt to write to standard error stream.
    • no duplicate "keepalives"
      Prevents sending two "keepalives" successively and prematurely terminating connection when ClientAliveInterval is used in server configuration.
    • avoid connection close
      Correct interaction between server options ClientAliveInterval and RekeyLimit that could lead to incorrect connection close.
    • authentication failures due to option override
      Correct authentication failures when "any" argument of server option "AuthenticationMethods" used in a Match block overrides a more restrictive global.
    • no redirection to /dev/null
      Prevent client from redirecting standard output stream to /dev/null if "ProxyCommand=-" is used.
    • race conditions in daemon restart
      Correct two race conditions related to SIGHUP daemon restart.
    • strict protocol banners
      Strict processing of protocol banners, allowing \r characters only immediately before \n.
    • timeout management
      Correct interaction between the client options ConnectTimeout and ConnectionAttempts - connection attempts after the first were ignoring the requested timeout.
  • Miscellaneous:
    • obsolete host/port syntax
      Remove support for obsolete host/port syntax from daemon configuration (slash notation from ListenAddress and PermitOpen). For IPv6 users there are standards like [::1]:22.
    • Android compatibility
      Many improvements for Android that ensure better cross-version compatibility.
    • use of global variables
      Minimize use of global variables, either by use of connection or other structures, or make them static.
    • Refactor "packet" related code to use new-API
    • Refactor "KEX" code
    • Refactor "LDAP" code
      Also prepare it for use by upcoming X.509 lookup based on OpenSSL Store API.
    • Refactor "pkcs#11" code
      This includes support for verbose mode in ssh-add command and pkcs11-helper.
    • improvements for Cygwin
      configurable service name; case-insensitive user/group matching; run under SYSTEM again and create user token using S4U with fallback to NtCreateToken if not supported.
    • fingerprint as a synonym for "yes"
      Client accepts host-key fingerprint as a synonym for "yes" when accepting an unknown host-key.
    • PAM environment
      Do not export $MAIL to PAM environment.
    • support upcoming OpenSSL 3.0
      Ensure builds with current OpenSSL master branch(future 3.0.0).
    • RUN-PATH configuration
      Configuration options --with-rpath accepts argument in addition to "yes"/"no".
    • minimize key-type enumeration values
      Stop using custom key-type enumeration values for keys with X.509 certificates.
    • file name display in secure copy
      In secure copy tool sanitize file names in progress meter to allow UTF-8 characters without terminal control sequences.
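The client-side check from "file name match in secure copy" above, as an added example that is not PKIX-SSH or OpenSSH code: each file name announced by the remote is compared with the last path component of the request before anything is written locally. The function names, the verdict enum and the use of FNM_PERIOD are assumptions of this example, and it covers only a non-recursive copy.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts of this example (hypothetical names). */
enum name_verdict {
    NAME_OK = 0,
    NAME_EMPTY,          /* remote announced an empty name           */
    NAME_HAS_PATH,       /* name contains '/', would leave the target */
    NAME_DOT_ENTRY,      /* "." or ".."                               */
    NAME_NOT_REQUESTED   /* name does not match what the user asked   */
};

/*
 * requested: the remote path or pattern the user typed, e.g. "backup/<pattern>".
 * announced: the file name the remote side says it is about to send.
 */
enum name_verdict
check_announced_name(const char *requested, const char *announced)
{
    const char *pattern;

    if (announced == NULL || announced[0] == '\0')
        return NAME_EMPTY;
    if (strchr(announced, '/') != NULL)
        return NAME_HAS_PATH;
    if (strcmp(announced, ".") == 0 || strcmp(announced, "..") == 0)
        return NAME_DOT_ENTRY;

    /* Only the last component of the request names files in the target. */
    pattern = strrchr(requested, '/');
    pattern = (pattern != NULL) ? pattern + 1 : requested;

    /* FNM_PERIOD (assumption of this example): a wildcard does not match
     * a leading dot, as in a shell, so "*" never admits ".profile". */
    if (fnmatch(pattern, announced, FNM_PERIOD) != 0)
        return NAME_NOT_REQUESTED;
    return NAME_OK;
}

/* Count the announced names that would be refused for one request. */
size_t
count_rejected(const char *requested, const char *const *names, size_t count)
{
    size_t i, rejected = 0;

    for (i = 0; i < count; i++)
        if (check_announced_name(requested, names[i]) != NAME_OK)
            rejected++;
    return rejected;
}

int
main(void)
{
    /* Constructed sample: names a remote could announce for "backup/*.txt". */
    static const char *const announced[] = {
        "notes.txt", ".bashrc", "authorized_keys", "../evil.txt"
    };
    size_t i;

    for (i = 0; i < sizeof(announced) / sizeof(announced[0]); i++)
        printf("%-16s -> verdict %d\n", announced[i],
            (int)check_announced_name("backup/*.txt", announced[i]));
    return 0;
}
```

Because the local pattern match and the remote expansion can differ, a check like this may refuse names the remote legitimately produced, which is the situation the "-T" argument exists for.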
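The banner rules from "strict protocol banners" in this release and the relaxed missing "carriage return" in 12.0.1, as an added example that is not PKIX-SSH code: a line may end in CR LF or in LF alone, a CR anywhere else is refused, and the line is bounded by the 255-byte limit of RFC 4253. The function name, the status enum and the rejection of control characters are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 4253, section 4.2: at most 255 bytes, CR and LF included. */
#define SSH_ID_MAX 255

/* Status values of this example (hypothetical names). */
enum id_status {
    ID_OK = 0,       /* well-formed "SSH-2.0-..." or "SSH-1.99-..." line */
    ID_NOT_IDENT,    /* clean line that does not start with "SSH-"       */
    ID_NO_LF,        /* no terminator yet, caller should read more       */
    ID_TOO_LONG,     /* no LF within SSH_ID_MAX bytes, or out too small  */
    ID_STRAY_CR,     /* CR anywhere except directly before the LF        */
    ID_BAD_CHAR,     /* control character, NUL included (example policy) */
    ID_BAD_VERSION   /* "SSH-" prefix with an unsupported version        */
};

/*
 * Validate the first line in buf[0..len) and, on ID_OK, copy it without
 * its terminator into out (capacity outsz, NUL-terminated).
 */
enum id_status
check_ident(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    size_t limit = len < SSH_ID_MAX ? len : SSH_ID_MAX;
    const unsigned char *lf = memchr(buf, '\n', limit);
    size_t i, n;

    /* Never look past the protocol maximum for the terminator. */
    if (lf == NULL)
        return len >= SSH_ID_MAX ? ID_TOO_LONG : ID_NO_LF;

    n = (size_t)(lf - buf);            /* bytes before the LF */
    if (n > 0 && buf[n - 1] == '\r')   /* CR directly before LF is fine; */
        n--;                           /* a missing CR is tolerated      */

    for (i = 0; i < n; i++) {
        if (buf[i] == '\r')
            return ID_STRAY_CR;
        if (buf[i] < 0x20 || buf[i] == 0x7f)
            return ID_BAD_CHAR;
    }
    if (n >= outsz)                    /* keep room for the NUL */
        return ID_TOO_LONG;

    /* Lines sent before the banner do not start with "SSH-". */
    if (n < 4 || memcmp(buf, "SSH-", 4) != 0)
        return ID_NOT_IDENT;
    if (!(n >= 8 && memcmp(buf, "SSH-2.0-", 8) == 0) &&
        !(n >= 9 && memcmp(buf, "SSH-1.99-", 9) == 0))
        return ID_BAD_VERSION;

    memcpy(out, buf, n);
    out[n] = '\0';
    return ID_OK;
}

int
main(void)
{
    /* Constructed sample lines, not captured traffic. */
    static const char *samples[] = {
        "SSH-2.0-Example_1.0\r\n",
        "SSH-2.0-Example_1.0\n",
        "SSH-2.0-Exam\rple_1.0\r\n",
        "Exceeded MaxStartups\r\n"
    };
    char out[SSH_ID_MAX + 1];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("sample %zu -> status %d\n", i,
            (int)check_ident((const unsigned char *)samples[i],
            strlen(samples[i]), out, sizeof(out)));
    return 0;
}
```

A caller would skip ID_NOT_IDENT lines, such as the "Exceeded MaxStartups" notification sent before the banner, and treat every other non-zero status as a protocol error.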

18 Dec 2018 : Version x509-11.6
What's new:
  • improved compatibility with OpenSSL 1.1+ APIs
    Code base is updated to use methods compatible with recent OpenSSL API. The update also replaces references to SSLeay*. This allows build with OpenSSL that deprecates backward compatibility API.
    Note PKIX-SSH requires as minimum OpenSSL 0.9.7 and in this release completely removes test and work-around for earlier version.
  • remote exit on signal
    Client processes "exit-signal" received from server in ssh channel message and exits with code "signal number"+128, i.e. in shell style. Remark: message is sent by server when remote is killed by signal.
  • lazy binding
    Prefer to use lazy binding when a pkcs11 module is loaded.
  • echo of sftp commands
    Prefix @ suppresses echo of sftp batch commands.
  • expose $SSH_CONNECTION
    Now daemon(server) exposes $SSH_CONNECTION in the PAM environment.
  • Support new OpenSSL version scheme
    Next OpenSSL version will be 3.0.0. It introduces new version scheme currently available in master branch. This PKIX-SSH release is ready to use modern OpenSSL version scheme.
  • android port - fake password
    Fixed issue with use of function getenv - prevents crash on 64-bit Android OS-es.
  • android port - session user environment
    Fixed issue when the Android-specific environment for user session is prepared. Regression introduced in 11.4 release.
  • ssh-agent socket
    Fixed bug in client that was keeping a redundant ssh-agent socket around for the life of the connection.

19 Oct 2018 : Version x509-11.5
What's new:
  • Client verbose modes
    Increase client verbose modes by one. Now client "verbose mode" starts from LogLevel "VERBOSE". At this level client outputs messages for offered keys.
    Existing scripts could be updated with one "-v" more to reach the same level of details as before.
  • Client query argument "key-alg"
    This new argument to client query option (-Q) lists all supported public key algorithms.
  • Client option ForwardX11Timeout with zero argument
    Zero value for client option ForwardX11Timeout disables the timeout and permit X11 forwarding for the life of the connection.
  • Enhancement of client option Port
    Port could be expressed either by number or by service name, i.e. Port=ssh.
  • Server support "signal" channel request
    Signals are accepted only for a session that is not a subsystem and is not started with a forced command.
  • Translation on OpenSSL errors
    Translation of OpenSSL error codes after failed read of private key is reverted. Now all cases are treated as "invalid password" as before version 11.0.
    Remark: In some cases invalid password could "decode" key to garbage. "Error translation" returns invalid format and system refuses to use this key. Expected is system to ask for password again up to certain limit.
    In addition removed code relies on OpenSSL internal error management which is subject to modifications without notice, i.e. not reliable.
  • Removed GCC Spectre mitigation flags
    Now configuration excludes GCC flags "-mfunction-return=thunk" and "-mindirect-branch=thunk" from hardening. Options could cause miscompilation due to some GCC bugs. And on Linux retpolines are more suitable for kernel than userspace.
  • logging
    Various messages are changed to include error information from cryptographic library. Some messages related to keys or channels are unified and enhanced.
  • memory leaks and optimizations
    Key creation is optimized to minimize memory allocations due to use of OpenSSL 1.1 API. Memory leaks in process of key load or x.509 load from ldap are fixed.
  • cross-compilation
    Configuration checks for snprintf functionality now use "cache" variables. This allows in case of cross-compilation user to specify faulty behaviour and so programs to use functions from "compat"-library instead of broken system ones. Ditto for setresuid and setresgid.

24 Aug 2018 : Version x509-11.4
What's new:
  • IPQoS defaults
    Change defaults IPQoS in client and daemon to DSCP(differentiated services code point):
    • AF21: for interactive and
    • CS1: for bulk traffic
  • ssh-askpass alternatives
    Update information for ssh-askpass alternatives. Also added shell script that wraps KDialog.
  • limit agent connections
    Authentication agent postpones accepting new connections when maximum number of file descriptors is exceeded.
  • algorithms for keyscan
    Command keyscan uses -t argument as algorithm filter (pattern-list).
  • SendEnv arguments
    Use pattern-list for client option SendEnv. Note option allows negated match.
  • new option SetEnv
    New client and daemon option SetEnv. Processing of user environment settings in daemon is updated to not allow user to override server settings.
  • PermitUserEnvironment arguments
    Daemon option PermitUserEnvironment accepts in addition a pattern-list of "white-listed" environment variable names.
  • new option PermitListen
    New daemon option PermitListen that controls client requests for remote forwarding (ssh -R).
  • expansion of user id
    User id is available as a %-expansion everywhere that the user name is available currently (%i for client and %U for daemon).
  • keysign use
    Hostbased authentication always uses ssh-keysign. This avoids one of reasons for "setuid" root client.
  • no "setuid" client
    Removed support for running client "setuid". Also deprecate client option UsePrivilegedPort.
  • without "S/Key"
    Removed support for "S/Key" authentication
  • private key formats
    "ssh-keygen" command option -m PEM with -p flag could be used to convert private keys in widely used and more portable PEM format.
    Not applicable for ed25519 keys yet. Those keys still use proprietary format.

10 May 2018 : Version x509-11.3.2
What's new:
  • restore tun/tap functionality
    Functionality on tun/tap interface is restored for Linux and FreeBSD. It was broken in 11.3 with an enhancement that shows device name if applicable.
  • restore client hostbased authentication
    It was broken in 11.3 when the default key for the experimental xmss algorithm was excluded from keysign.
  • build fixes
    Added some fixes from master branch, i.e. fixed build on system without function strndup() like AIX and more robust configuration checks that avoid implicit declaration of functions.
  • configuration
    Client configuration does not offer cbc-ciphers by default and dumps a couple of missed options.

18 Apr 2018 : Public development process
What's new:
  • public source repository
    After release 11.3.1 development process is switched to source code repository hosted by GitLab. On 9 Apr 2018 repository was initialized with source of 11.3.1. It is available for public use - for more see repository home page.

8 Apr 2018 : Version x509-11.3.1
What's new:
  • build fixes
    Fixed build on Darwin (tun support) and detection of ABI for 64-bit MIPS platforms.

3 Apr 2018 : Version x509-11.3
What's new:
  • re-authentication for keys stored into security tokens
    Private key stored on a security token may have attribute "always authenticate". If attribute is set user has to supply pin for each use of key.
    To distinguish from normal(user) login re-authentication prompt starts with string "Enter context pin for " followed by single quoted label of key.
    Remark: User must have working askpass program if keys are loaded to agent (ssh-add ... -s pkcs11_module ...).
  • new server flag "ValidateFirst"
    Specifies whether first to perform validation of X.509 certificate and then authorization of public key. By default is not set, i.e. existing behavior.
  • new keyscan option: -D
    Print keys found as DNS Resource Records (CERT or SSHFP).
  • raise key operation errors in openssl error-format
    Some methods are used in key operations like pkcs#11 sign. Those methods are invoked indirectly by cryptography library. Before update errors from pkcs#11 library were spread into multiple log-messages and it was not clear which error is failure reason for key operation.
    Now this part of program code is rewritten to raise errors in openssl error-format with additional details. The high level methods are updated to extract extra error data supplied with error message. For instance if sign operation fails, in the log user may see a message like this one: "ssh_x509_sign: crypto message: error:81064067:SSH PKCS#11:login:C_Login fail:pkcs#11 result 0xa0". In this particular sample "pkcs#11 result 0xa0" is extra error details and hexadecimal 0xa0 corresponds to return value CKR_PIN_INCORRECT.
  • improve support for "external" rfc6187 keys
    Build X.509 certificate chain for keys loaded from pkcs#11 device or engine.
  • try also en_US.UTF-8 locale
    Some commands (ssh, sftp, scp and etc.) try to switch to UTF-8 based user locale. To the list of fall-back locales is added en_US.UTF-8, supported on some Unixes, for instance Solaris.

12 Feb 2018 : Version x509-11.2
What's new:
  • X.509 name compare error
    Authorized keys or known hosts files may contain record (line) with X.509 certificate details (distinguished name or X.509 certificate blob, aka. public key). In such case if key (client or host) is a X.509 key, equality checks compare items of certificate distinguished name. Unfortunately in PKIX-SSH 9.1 one of the ports to OpenSSL 1.1.0* introduced a critical error in X.509 name compare method - if both items are of PrintableString type they are considered equal. Error does not exist if other types are compared.
    Work-around is for authorized keys or known hosts to contain only plain public key blob. Thus compare will use public key part of X.509 certificate.
    Thanks to Nicolas Fournil and Emmanuel Deloget for report.
  • use of hostname after free
    For use in session key renegotiation process host name is stored into a global variable!!! PKIX-SSH 8.9 has a number of memory leak fixes. One of the fixes frees the allocated copy of host-name created in method ssh_login. Issue is that one of the called methods stores the value to a global variable for later use in rekeying.
    Work-around is to not use option RekeyLimit.
    Thanks to Lukas Kuster for report.
  • build with libressl
    PKIX-SSH 11.0 started to use macro DEFINE_STACK_OF from OpenSSL 1.1.0* API. Program code provides fall-back solution for builds with earlier versions. LibreSSL pretends to be compatible with OpenSSL but fails to announce properly compatibility version. As result fall-back solution was not activated and build failed. Detection of DEFINE_STACK_OF is rewritten to allow build with various LibreSSL versions.
  • key load crash if crypto is libressl 2.6*
    For performance reasons PKIX-SSH uses BIO_new_mem_buf - BIO interfaces with read only memory buffer that avoid extra allocation of memory. Due to mix of issues - insufficient libressl linkage options and broken function implementation inherited from OpenSSH (openbsd "compat"-library) PKIX-SSH commands crash on key load.
    Now broken function is corrected in PKIX-SSH code but application is not immune to similar failures in the future even with earlier version of libressl.
  • libressl 2.6* failure with DSA/ECDSA signature
    At configure time PKIX-SSH warns if build is with libressl 2.6*. Also commands raise warning at run-time if are linked with libressl 2.6*.
    Work-around is to use earlier versions. If this is not possible please disable all key algorithms that use dsa and ecdsa signature, otherwise application may crash.
  • legacy RSA/DSA code clean up
    PKIX-SSH 7.1 (15 Jan 2012) was the first release that supports FIPS enabled OpenSSL library. Support requires rsa/dsa code for plain-keys to use modern "EVP"-API. With FIPS support added, the outdated OpenSSH code for rsa/dsa sign and verify operations was still available under "C"-preprocessor conditions.
    So, more than five years later, the outdated code inherited from OpenSSH is removed from PKIX-SSH code base.
  • legacy PKCS#11 code clean up
    Code inherited from OpenSSH is removed - it does not work well with secure tokens that have X.509 certificate. Also it has limited functionality - only RSA keys.
    Note that PKIX-SSH code supports RSA and EC keys and work well with secure tokens as those devices usually store X.509 certificate and public key is optional.

19 Dec 2017 : Version x509-11.1
What's new:
  • Protected authentication path for EC-keys
    Use of RSA keys stored on a secure token supports protected authentication path (pinpad reader). Unfortunately functionality was not implemented for EC-keys. With refactoring PKCS#11 login functionality protected authentication path is available for EC-keys as well.
  • print public key for externally stored identities
    Now ssh-keygen command option -y, that prints a public key to stdout, accepts keyfile name in enhanced identity format.
    Remark: PKIX-SSH could use externally stored identities - for more details see description of IdentityFile in manual page ssh_config(5). In brief if identity name starts with "engine:", identity load is redirected to "loadable cryptographic module" (engine) instead of a file. Prefix "store:" could be used if cryptographic library supports ossl_store(7) functionality (upcoming OpenSSL functionality).
  • build fixes
    Build system is modernized to use more recent scripts. Also duplicate dependency objects or libraries are removed.

8 Oct 2017 : Version x509-11.0
What's new:
  • Extension server-sig-algs
    As finally agreed in "draft-ietf-curdle-ssh-ext-info" extension lists public-key algorithm names instead of signature names.
    No impact on deployed installations as PKIX-SSH prefers own extension publickey-algorithms@roumenpetrov.info that lists by design public-key algorithms. Other ssh implementations that support extensions do not support RFC 6187 keys. As result for them list of signature algorithms is same as list of public-key algorithms.
  • prefer RFC 6187 key format
    For connection to remote host client first tries X.509 algorithms. Now algorithm in RFC 6187 format will take precedence over legacy format, if server sends algorithm extension. In other words order of algorithms in option X509KeyAlgorithm has no more effect. In practice PKIX-SSH 11.0+ clients (in default configuration) will prefer RFC 6187 format in connections to PKIX-SSH 10.1+ hosts.
    Note that to use an X.509 algorithm it has to be allowed by configuration (option PubkeyAlgorithms) and listed in algorithm extension offered by server.
  • multi-algorithm host-keys
    Now daemon (server) for each hostkey offers all public key algorithms and could use any of offered algorithms in ssh protocol. For instance RSA host key with X.509 certificate could be used in following public-key algorithms: "x509v3-sign-rsa", "x509v3-ssh-rsa", "ssh-rsa", "rsa-sha2-256" or "rsa-sha2-512".
    Host key notification is updated as well.
  • OpenSSL Store-API
    Upcoming OpenSSL version 1.1.1 supports store retrieval functions - ref. manual page ossl_store(7). The store functionality allows applications to retrieve keys, X.509 certificates and etc. using universal interface (API).
    PKIX-SSH engine related code is refactored and updated to load identities using store-API. In such case identity name should start with "store:" followed by URI of scheme supported by openssl store. For instance with "e_nss" openssl loadable module (engine) you use identity named either "engine:[friendly name]" for custom interface or "store:[nss_uri]" for store interface where "[nss_uri]" is in format "nss:[friendly name]".
    Note store result could be tested with command openssl storeutl .... [nss_uri].
  • Remove ssh v1
    Complete removal of code that supports legacy ssh protocol version 1. Modification includes removal of configure option --enable-ssh1 as well.
  • Program version for ssh-keyscan
    Announce PKIX-SSH version in keyscan to be used in compatibility detection.
  • X.509 key fingerprint
    Until now fingerprint (hash) of X.509 keys was computed over certificate that match private key.
    Key material (user identity or host key) could be used in various public-key algorithms, with or without X.509 certificate. For instance, let an identity with X.509 RSA certificate be used as x509v3-sign-rsa in session to host 1 and as ssh-rsa in connection to host 2. In such case key fingerprint will be different depending on session in spite of the fact that private key is one and the same.
    To avoid ambiguities code is updated to calculate fingerprint only over common part - public key. Modification may impact some programs that monitor log files.
  • X.509 code refactoring
    X.509 related code is updated and refactored to use library like functions.
  • Management of X.509 keys for agent
    Agent code is improved to use new functions that better detect X.509 keys. Now agent and its key management utility (ssh-add) use by default user and system ca-store in all cases. This is useful for keys in RFC 6187 format where key format contains list of extra certificates used to build chain. Utility ssh-add accepts multiple arguments for option -S, as the specified option argument could be either file or directory (new). Argument is similar to client options CACertificateFile and CACertificatePath and is used as additional locations to search for certificates when the chain is built for keys in RFC 6187 format.
  • Manual pages
    Precise content of identity or host-keys files - file may contain extra certificates not only for ECDSA but for RSA and DSA keys as well.
    Do not mention "protocol version 2" as legacy version 1 is not supported at all.


  • Issue tracking
    Development process is public, hosted on GitLab. For more details see project repository page. From project page you could monitor development process, propose enhancement or just report an issue.
  • Mailing list
    Project supports mailing list where you could share ideas, discuss your problems, receive project news and etc. The list is moderated, i.e. available only for list members. For more information about list (subscription, list archives) please visit this page.

Features (valid for latest version) :

  • X.509 certificate based public-key algorithms:
    • x509v3-ecdsa-sha2-nistp256
    • x509v3-ecdsa-sha2-nistp384
    • x509v3-ecdsa-sha2-nistp521
    • x509v3-sign-rsa
    • x509v3-ssh-rsa
    • x509v3-rsa2048-sha256
    • x509v3-sign-dss
    • x509v3-ssh-dss
    ECDSA, RSA or DSA X.509 certificates could be used as "user identity" and/or "host key" in SSH "Public Key" and "Host-Based" authentications.
    • different "x509v3-sign-rsa" signatures
      As support for SHA-1 and MD5 signature format PKIX-SSH is interoperable with implementations from multiple vendors. Both formats are supported because "SSH Transport Layer Protocol" internet drafts do not specify signature format in case of X.509 certificate for RSA key.
    • different packing of "x509v3-sign-dss" signature
      PKIX-SSH is interoperable with implementations from multiple vendors. It supports DSA signatures packed in format as is described in [RFC2459] and "dss_signature_blob" format as is specified in "SecSH Transport" draft and [RFC4253].
      Note "SSH Transport Layer Protocol" internet draft before version 12 specify "x509v3-sign-dss" public key algorithm to use signature format as is described in [RFC2459], i.e. r and s packed in ASN.1 SEQUENCE. Some vendors pack DSA signature values in "dss_signature_blob" as is specified in "SecSH transport" draft for "ssh-dss" signature.
    • use key and certificate stored in "external devices"
      Implementation requires working OpenSSL engine. The identity used in client authentication could refer to external key and/or certificate in format engine:[ENGINE_NAME]:[CERT_CRITERIA], where [ENGINE_NAME] is name of OpenSSL engine and [CERT_CRITERIA] is engine-specific search criteria to find the key and certificate.
      For instance you could use "friendly name" to access key and certificate stored in "Network Security Services (NSS)" database with e_nss engine from https://roumenpetrov.info/e_nss/. NSS is used in programs (web browser, e-mail client) like Firefox, SeaMonkey, Thunderbird.
    • "PKCS#11" module
      As second option PKIX-SSH could use PKCS#11 shared library (module) to communicate with EC or RSA X.509 certificates and private key provided by PKCS#11 tokens.
  • Key based only public-key algorithms:
    • ssh-rsa
    • rsa-sha2-256
    • rsa-sha2-512
    • ecdsa-sha2-nistp256
    • ecdsa-sha2-nistp384
    • ecdsa-sha2-nistp521
    • ssh-ed25519
    • ssh-dss
  • verification (default feature)
    By default the server (sshd) and clients (ssh, scp, sftp) always verify signatures and validity of the certificates in the chain when an X.509 certificate based public-key algorithm is used in the authentication process. When verification fails, that public key is disallowed.
    In addition, the client is able to verify the remote key using DNS with a CERT RR (resource record).
  • validation
    • CRL (default feature)
      When an X.509 certificate is used in authentication, the server and client always verify signatures and validity of existing CRLs issued by the authorities in the certificate chain. The certificate is allowed only when none of the certificates in the chain is revoked.
    • OCSP (default feature)
      Additional validation is performed when PKIX-SSH is configured to use OCSP and an X.509 certificate is used in authentication.
    ssh can verify host identification using the CERT Resource Record published in DNS.
  • PKIX-SSH Agent (ssh-agent and ssh-add programs)
    The authentication agent can hold X.509 certificates.
  • ssh-keyscan
    This tool can gather all of the public-key algorithms listed above, including those with an X.509 certificate as host key:
    • x509v3-ecdsa-sha2-nistp256
    • x509v3-ecdsa-sha2-nistp384
    • x509v3-ecdsa-sha2-nistp521
    • x509v3-sign-rsa
    • x509v3-ssh-rsa
    • x509v3-rsa2048-sha256
    • x509v3-sign-dss
    • x509v3-ssh-dss
  • ssh-keysign
    This tool, used in "Host-Based Authentication", can sign "host keys" containing either an X.509 certificate (ECDSA, RSA or DSA) or "plain keys".
  • ssh-keygen
    When the user identity contains an X.509 certificate, the command:
    • creates the public key and the proposed "SECSH Public Key File Format" for that certificate.
    • shows fingerprint of certificate.
    • prints CERT RR (resource record) for specified hostname.
  • regression tests
  • manual pages
  • README.x509v3
    Brief description of server and client configuration, regression tests, troubleshooting and FAQ.
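
The two packings of the "x509v3-sign-dss" signature described in the feature list above, as an added example that is not PKIX-SSH code: it converts between the ASN.1 SEQUENCE of r and s and the 40-byte "dss_signature_blob" of [RFC4253]. The function names, the length-based detection in `to_blob` and the sample values are assumptions of this example.

```python
"""Both packings of a DSA (r, s) signature seen with "x509v3-sign-dss"."""
INT_LEN = 20  # RFC 4253 dss_signature_blob: r then s, 160-bit unsigned each

def _der_int(n: int) -> bytes:
    # DER INTEGER: minimal big-endian, extra 0x00 when the top bit is set
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(body)]) + body

def blob_to_der(blob: bytes) -> bytes:
    """dss_signature_blob (40 bytes) -> ASN.1 SEQUENCE { r, s }."""
    if len(blob) != 2 * INT_LEN:
        raise ValueError("dss_signature_blob must be exactly 40 bytes")
    r = int.from_bytes(blob[:INT_LEN], "big")
    s = int.from_bytes(blob[INT_LEN:], "big")
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body  # body <= 46 bytes: short form

def _read_int(buf: bytes, pos: int):
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    end = pos + 2 + buf[pos + 1]
    body = buf[pos + 2:end]
    if not body or end > len(buf) or body[0] & 0x80:
        raise ValueError("empty, truncated or negative INTEGER")
    if len(body) > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big"), end

def der_to_blob(der: bytes) -> bytes:
    """ASN.1 SEQUENCE { r, s } -> dss_signature_blob, rejecting malformed DER."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("expected one short-form SEQUENCE and nothing else")
    r, pos = _read_int(der, 2)
    s, pos = _read_int(der, pos)
    if pos != len(der) or max(r, s) >> (8 * INT_LEN):
        raise ValueError("trailing bytes or value wider than 160 bits")
    return r.to_bytes(INT_LEN, "big") + s.to_bytes(INT_LEN, "big")

def to_blob(sig: bytes) -> bytes:
    # Assumption of this example: tell the packings apart by length only
    return sig if len(sig) == 2 * INT_LEN else der_to_blob(sig)

# Constructed sample values (not a real signature): r has its top bit set
R = bytes.fromhex("80" + "11" * 19)
S = bytes.fromhex("00" + "22" * 19)
SAMPLE_DER = blob_to_der(R + S)
```

The DER form varies in length because each INTEGER is minimal and gains a leading zero byte when its top bit is set, while the blob is always 40 bytes; a verifier that accepts both packings has to normalise to one of them before checking the signature.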

Get your version from download pages.


  • to implement wildcards(patterns) for DN in "authorized keys" and "known hosts" files;
  • to extend "time limits" with specified time for given revoked certificates.


  1. Initial
    Initial support began on 4 Apr 2002 with version "a". Version "b", issued on 11 Jun 2002, added the "X509 store". The store is used in the verification process when a certificate is used as the user's identity in an ssh session. The store allows use of a "distinguished name" in the authorized keys file.
  2. Second stage
    In this phase certificate support was implemented in the other PKIX-SSH executables. First, ssh-keygen supports certificates since version "c" (20 Jun 2002). This version introduced regression tests. Later, in version "d" (30 Jul 2002), support was added to the ssh agent.
    As a result PKIX-SSH fully supports certificates as user identity.
  3. Complete support
    Since version "e" (21 Nov 2002) the manual pages are updated with information about X.509 certificate support. Support for certificates as host key was introduced as well. As of version "f" (30 Jan 2003) CRLs are supported. Because certificate support is complete as of version "f", the client prefers algorithms with certificates for the host key.
  4. Compatibility
    The compatibility phase began with version "g" (3 Feb 2003). In version "g1" (30 Apr 2003) the regression test scripts were updated to work well with various shells. Since version "g2" (12 Jun 2003) the public key algorithm "x509v3-sign-rsa" accepts "sha1" signatures in addition to "md5", and PKIX-SSH is now interoperable with all major ssh implementations. This version works fine with OpenSSL 0.9.7+. Later, in versions "g3" (25 Feb 2004) and "g4" (9 May 2004), the code, documentation and regression tests were cleaned up.
  5. Validator
    The fifth phase began with OCSP (Online Certificate Status Protocol) support added in version "h" (6 Apr 2004). Later the version scheme was changed to the more common numeric format N.N{.N}, and the next version is 5.1. In version 5.3 compatibility was enhanced to support (in addition to [RFC3279] DSA signatures) the format defined for the "ssh-dss" signature. Self-issued certificates can be permitted by the "authorized keys" file since version 5.4 if the configuration allows this. A correction for the OCSP responder location obtained from the certificate was added in version 5.4, and OCSP SSL support was enabled in 5.5.
  6. International
    Since version 6.0 (7 Aug 2007) PKIX-SSH can deal with a "distinguished name" stored in the authorized keys file as a UTF-8 string or escaped. Before comparison, printable attributes are converted to UTF-8.
  7. Integration
    Starting from version 7.0 (22 Aug 2011) PKIX-SSH can communicate with other applications by using OpenSSL engines. For instance, the client can use certificates and keys stored in external devices.
    Version 7.1 (15 Jan. 2012) supports building with a FIPS-enabled OpenSSL library and adds direct support of X.509 certificates (RSA) from a PKCS11 module. Since this version sha1 is the preferred algorithm, and the programs identify themselves as PKIX in the comment of the ssh identification string.
    Building for an android host is supported since version 7.2 (22 Apr. 2012). With version 7.5 (19 May 2013) the "known hosts" file may contain the distinguished name of the host X.509 certificate.
  8. Elliptic
    Version 8.0 (11 Aug. 2014) is the first secure shell implementation that supports the X.509 ECDSA algorithm as defined in [RFC6187], initially for client and server. It is the first version that provides a complete tar archive for download. Version 8.2 (23 Nov. 2014) adds support of the X.509 ECDSA algorithm in the agent. From version 8.4 (1 Jul 2015) EC keys or X.509 certificates stored on an external device can be used with loadable cryptographic modules - OpenSSL engines.
    Support for FIPS environments is enhanced in version 8.1 (29 Sep. 2014) with fipscheck for the "Red Hat" FIPS validated environment. Version 8.2 (23 Nov. 2014) is successfully tested with the Solaris 11.2 FIPS validated OpenSSL module.
    Lists of allowed algorithms support patterns since version 8.3 (18 Mar 2015).
    Support for EC keys and certificates stored in PKCS#11 tokens is added in version 8.8 (29 Feb 2016).
  9. New OpenSSL API
    Starting with version 9.0, the code that uses OpenSSL is updated to use the OpenSSL API introduced with version 1.1.0. Local accessor functions ensure compatibility with previous versions of the cryptographic library.
  10. True RFC6187
    Version 10.0 (25 Feb 2017) correctly implements the ecdsa X.509 algorithms according to RFC6187. This is the reason the daemon started to advertise the PKIX-SSH release in connections. This version also adds the rsa and dss algorithms according to RFC6187.
    In 10.1 (25 Mar 2017) adaptive public key algorithm selection is implemented. It uses the server extension "publickey-algorithms@roumenpetrov.info" (preferred) or "server-sig-algs" to find the most suitable algorithm for the user identity.
    With 10.2 (21 May 2017) the Android port is considered complete and is packaged as an application - SecureBox.

News archives:


Recommended OpenSSL library versions:
Before using X.509 certificates please read the OpenSSL security advisories:
OpenSSL library versions:

Last modified : Wednesday October 05, 2022