[empty image] [empty image]
[empty image]
[empty image] [empty image] [empty image]
[empty image]

PKIX-SSH
secure shell with
X.509 v3 certificate support


Content:



News:

12 Mar 2024 : Official version 15.0
What's new:
  • Features:
    • build without DSA keys
      A configuration option could be used to enable public algorithms based on DSA keys.
      Also regression tests prefer Intermediate CA with EC keys if build is with OpenSSL 1.1+.
    • use poll for main loops
      Convert daemon and client main loop from pselect to ppoll.
    • stricter handling of channel window limits
      This makes client and server more strict in handling non-compliant peers that send more data than the advertised channel window allows. Previously the additional data would be silently discarded. This change will cause client or server to terminate the connection if the channel window is exceeded by more than a small grace allowance (~10%).
    • client as login shell
      Manage case when terminal program executes secsh client as login shell.
    • "global" ChannelTimeout
      Add a "global" ChannelTimeout to client and daemon.
  • Bugs:
    • non-completed connection
      Manage non-completed connection in channel post processing.
    • long messages
      Ensure eof on long messages to standard error.
    • space in configuration directive
      Do not append space if subsystem lacks arguments.
    • parse single string array options separately
      In match block allows option override where first argument could be a specific keyword.
    • signal logs
      Avoid logging in ssh agent signal handler.
  • Misc:
    • harden madvise rules in Linux seccomp sandbox
      Linux madvise(2) syscalls support quite a number of flags and is not expected that secsh daemon to use them. This should exclude kernel attack surface by filtering madvise arguments.
    • build configuration
      Use autoconf macro for fgrep. Note egrep and fgrep commands have been deprecated since 2007. Command is standardized by POSIX with -E and -F flags.
      Use plain apostrophes in configuration quotes. Follow autoconf 2.72 changes.
    • unlimited argument name in configuration
      Do not restrict number of canonical domains and CNAMEs when canonicalizing hostnames.
    • manuals
      Documentation and usage corrections and improvements.
    • force use of ssh askpass for pkcs#11 tests
      Avoid to run a program in a new session i.e., replaces perl based setsid functionality.
    • change pkcs#11 module used in tests
      Use SoftHSM2 module in agent pkcs#11 regression tests. Also test EC key as well.
    • add certificate tests with pkcs#11 token and pkcs#11 engine
      Based on SoftHSM2 module. Test are not enabled by default as depend on many external packages.
    • certificate regression tests
      Prefer SHA256 digest to create test certificates. Activated if build is with OpenSSL 1.1+.
      Test with 2048-bit RSA keys.
      In hostkey algorithm tests use only RSA based Intermediate CA.
    • interoperability tests
      Improve conch and putty interoperability tests. Added tests with dropbear client.
    • SHA1 signatures in regression tests
      Enable SHA1 signatures in regression tests if deprecated by system policy.

13 Jan 2024 : Official version 14.4.2
What's new:
  • Bugs:
    • release GSS OIDs only at end of authentication Correct previous to avoid build failure.
  • Misc:
    • NULL user information on Android
      User information in password structure is also NULL on Android. Prevent crash if "fake" password file is missing.
    • kerberos builds
      Enable Kerberos 5 build by default is spec-files. Also list kerberos libraries before "common" one.

6 Jan 2024 : Official version 14.4.1
What's new:
  • Features:
    • do not prefer OpenSSH EtM functionality
    • exclude EtM functionality from defaults
      A pre-processor directive allows to exclude EtM functionality from default configurations. This is yet another work-around to avoid prefix truncation attack on the ssh binary packet protocol. Also avoids use of custom "strict key exchange" extension.
  • Bugs:
    • fix memory leak in dh and ecdh key exchange
  • Misc:
    • selinux compatibility with ancient OS-es
      Restore use of matchpathcon if selabel_lookup is not.
    • autoconf compatibility with ancient OS-es

20 Dec 2023 : Official version 14.4
What's new:
  • Security:
    • custom "strict key exchange" extension
      Avoid prefix truncation attack on the secsh binary packet protocol(terrapin attack). Another work-around is do not use ChaCha20-Poly1305 and EtM MACs, for more details see "Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation".
    • shell meta-characters
      Refuse user or host names provided on the command line that contain most shell meta-characters. Note this countermeasure is not guaranteed to be effective in all cases.
  • Features:
    • generate RSA key by default in FIPS mode
      Note since PKIX-SSH 14.3 is generated Ed25519 key by default.
    • add ChannelTimeout support to the client
    • add %j token that expands to the configured ProxyJump hostname
  • Bugs:
    • sftp limits
      Return error if custom "limits" extender extension does not receive reply.
    • %H token
      Update KnownHostsCommand to use exact value for %H token.
    • x509v3-ssh-ed25519 in FIPS mode
      Explicitly deactivate algorithm "x509v3-ssh-ed25519" from defaults in FIPS mode. Some vendor OpenSSL 1.1.1 releases crash in EVP_MD_flags() when library is in FIPS mode and "none" digest as argument.
    • address filter
      When connecting via socket filter addresses by AddressFamily if one was specified.
  • Misc:
    • prefer PRIV_XPOLICY to PRIV_LIMIT on Solaris 11.1+
    • log unmatched paths in secure copy
    • release GSS OIDs only at end of authentication
      Avoids unnecessary init/cleanup cycles.
    • manual pages
      Spelling and etc.

5 Oct 2023 : Official version 14.3
What's new:
  • Features:
    • generate Ed25519 key by default
      Ed25519 public keys are very convenient due to their small size.
    • run separate pkcs11 helper per module
      Allows easily to reload keys from a pkcs11 module.
    • allow override of subsystem directives in match blocks of daemon configuration
  • Bugs:
    • correct checks for ClientAliveInterval
      Fix regression from "correct server loop "client alive probing" logic" that caused the probes to be sent less frequently.
    • set interactive mode for ControlPersist sessions if they originally requested a tty
    • recursive secure copy in SFTP mode with symbolic links to other directories
      In SCP mode, the links are followed, but in SFTP mode they were not. So, fix experimental SFTP mode of secure copy recursive download and upload of directories that contain symbolic links to other directories.
    • close socket pair if cannot fork for pkcs11 helper
      Avoid handle leak on error path.
  • Misc:
    • log invalid secsh identification string with debug level
      Minimises pre-authentication "log spam".
    • preserve quoting of subsystem commands and arguments
      Potentially incompatible change.
    • do not exit on duplicate duplicate Subsystem directives
    • do not delay at all for the "none" authentication mechanism
      Also limit login delay to a reasonable maximum (5s).
    • pkcs11 helper messages
      Improve logging functionality.

20 Aug 2023 : Official version 14.2.1
What's new:
  • Bugs:
    • timeout to multiplexing local socket
      Rewrite as previous implementation replace poll() with waitrfd(). Modification adds regression - signals are ignored. So, rewrite waitfd do take into account signals and to accept "mux termination" flag as parameter.
  • Misc:
    • portability
      Properly detect zlib 1.3 and use *ifaddrs* related configuration defines.

13 Aug 2023 : Official version 14.2
What's new:
  • Security:
    • pkcs#11 module misuse
      Do not allow pkcs11 providers by default. Fixes finally CVE-2016-10009 and mitigates CVE-2023-38408.
  • Features:
    • connection tupple
      Add new daemon token - connection tupple(%C).
    • forward unix domain socket
      Experimental support for unix domain sockets to client forward request.
    • match localnetwork
      Add "localnetwork" case to match criteria.
    • configuration tags
      Support tags in client configuration.
    • android failback path
      Drop obsolete "failback path" management from Android packaging.
    • "command" based path model
      "command" based path model for Android application. Reserved for future.
  • Bugs:
    • fix public key serialisation if key contain only X.509 distinguished name
    • print correctly some PKCS#11 information
    • fork after authentication
      Ensure that fork after authentication work properly in multiplexed cases.
    • timeout in multiplexing
      Apply connection timeout to multiplexing local socket connections.
    • hostname canonicalization
      Do not disable hostname canonicalization if ProxyJump=none is used.
    • "no comment" for keys
      Resolved issue with missing "no comment" when keys without comment is processed after key with comment.
    • paraller sftp
      Try to fix crappy OpenBSD sftp client in parallel cases.
  • Misc:
    • remote terminal Do not open terminal when is requested do not execute command on remote.
    • scp in sftp Check in advance for source file when secure copy in sftp mode copy local to remote files.
    • correct a number of memory leaks
    • added checks for OpenSSL 3.0 releases
    • avoid matchpathcon Use selabel_lookup instead deprecated selinux matchpathcon function.
    • stop printing of "scanned" key information on output error
    • update ssh-copy-id script

16 Mar 2023 : Official version 14.1.1
What's new:
  • Security:
    • bounds checking in getrrsetbyname() compatibility implementation
      A specifically crafted response from domain name server could cause function to perform an out-of-bounds reads Does not appear to be exploitable beyond denial-of-service to the ssh(1) client. This function is called only if client option VerifyHostKeyDNS is set and is used to check CERT or SSHFP resource records. Compatibility implementation is used only if is not provided by system resolver library.
  • Features:
    • hash algorithms in SSHFP RR
      Allow to specify hash algorithms used to generate SSHFP RR records for domain name servers.
    • print daemon configuration file
      Added daemon option -G that parses and prints the effective configuration without attempting to load private keys and perform other checks.
    • use sha256 when testing usability of rsa private key
    • rewrite checks for Kerberos 5 implementations
      Simplify, unify, and modernise configuration tests. In addition is added pkg-config based rule.
  • Bugs:
    • non-ascii file name in progress meter
      Rewrite progress meter to manage properly non-ascii file names.
    • clean channel flags
      Clean "file descriptors" flags when channel is closed. Note functionality was added in PKIX-SSH 14.1.
    • fix memory leak in sftp filename autocomplete
    • fix memory leak in sftp ls command if file status is not available
  • Misc:
    • improved manual pages
    • limit number of entries in "extension negotiation"
    • minimise warnings raised by static analysers
    • code clean-up - for instance remove unused secsh "compatibility" flags

4 Feb 2023 : Official version 14.1
What's new:
  • Security:
    • fix use after free memory fault
      Compatibility KEX code introduced a double-free in PKIX-SSH 14.0. It is does not impact server side. Client could be impacted but when server is specially crafted.
  • Features:
    • control channel inactivity
      New daemon option ChannelTimeout automatically closes channels without traffic.
    • control unused connections
      New daemon option UnusedConnectionTimeout allows to terminate connections without open channels.
    • daemon command line argument -V
      Output version information like the client utility.
    • remove copy/transfer argument -X
      Add -X option to remove copy and file transfer programs. Currently sets SFTP parameters are the copy buffer length and the number of inflight requests. Obsoletes sftp argument -B/-R.
  • Bugs:
    • properly process client option PermitRemoteOpen
      Allow any/none argument only in first position.
    • default multi-string options
      Properly dump multi-string configuration options.
    • restrict sftp to reasonable values
      Do not allow sftp server "limits" extension to set unacceptable buffer sizes and number of open handles.
    • suggest system known-host file
      Avoid NULL print if user known-host files are not used. Note some C-library crash if printf function is called with NULL value for string format.
  • Misc:
    • allow writev in secure secure computing mode
    • optimise read buffers
      Use more suitable buffer size for main loops and channel Default sizes could set at build time.
    • no host-keys warning
      Emit warning if no host-keys for host-based authentication can be loaded.
    • use socketpair in remote copy utility
      Synchronise remote copy utility communication to ssh sub-processes with file transfer program.
    • dump original Host
      Add original "Host" line to the output of client configuration test.
    • import ed25519 code from SUPERCOP
      Update to 20221122 release.
    • unify and extend channel names
      Prerequisite for new channel controls.
    • rewrite some test to use multiplexed session

26 Dec 2022 : Official version 14.0.3
What's new:
  • Bugs:
    • put on hold "deffer seed_rng invocation in daemon"
      Regression added in 14.0(14.0.1) release. Note "reexec" functionality clobbers file descriptors opened after closefrom call.

19 Dec 2022 : Official version 14.0.2
What's new:
  • Bugs:
    • properly use EVP digest work-around for ECDSA keys
      On some Linux releases "OpenSSL's curve secp521r1 is NOT functional". For instance RHEL 6.

18 Dec 2022 : Official version 14.0.1
What's new:
  • Features:
    • x509v3-ssh-ed25519
      Implementation of x509v3-ssh-ed25519 public-key algorithm.
    • scan by CIDR address ranges
      Allow gather secure shell public keys utility to accept CIDR address ranges.
    • prefer user's umask
      Honour user's umask if it is more restrictive then the ssh default.
    • warn if client cannot load public host-keys for host-based authentication
  • Bugs:
    • "globs" in sftp mode
      Better match scp/rcp's handling of "globs" when secure copy utility runs in experimental sftp mode.
    • handle remote forwarding in escape commandline's processing
    • properly check for duplicate experimental host-key update
  • Misc:
    • use key descriptions
      Describe keys into specific compilation with respective functional implementation.
    • modernised signature operations
      Unify sign and verify operations for RSA/DSA/EC keys and X.509 certificates and prefer EVP functions from OpenSSL 1.0+ API.
    • deffer seed_rng invocation in daemon
      Call after closefrom as work-around for random generator provided by an engine.
    • improve disabled tracing on FreeBSD
    • code clean-up, unification, readability, compatibility and portability
    • spelling errors
      Correct spelling errors in code and documentation including manual pages.
    • improved logging errors
    • check for valid canonical domain name when client resolves host-name
    • do not ever try to write an invalid name to a known-hosts file
    • add ECDSA on P-256 curve to X.509 "self-issued" test
    • add new client option EnableEscapeCommandline
    • more restrictive pledge(if supported) rules after session establishment



Support:

  • Issue tracking
    Development process is public hosted on GitLab. For mode details see project repository page. From project page you could monitor development process, propose enhancement or just report an issue.
  • Mailing list
    Project supports mailing list where you could share ideas, discuss your problems, receive project news and etc. The list is moderated, i.e. available only for list members. For more information about list (subscription, list archives) please visit this page.

Features (valid for latest version) :

  • X.509 certificate based public-key algorithms:
    • x509v3-ecdsa-sha2-nistp256
    • x509v3-ecdsa-sha2-nistp384
    • x509v3-ecdsa-sha2-nistp521
    • x509v3-sign-rsa
    • x509v3-ssh-rsa
    • x509v3-rsa2048-sha256
    • x509v3-sign-dss
    • x509v3-ssh-dss
    • x509v3-ssh-ed25519
    ECDSA, RSA, Ed25519 or DSA X.509 certificates could be used as "user identity" and/or "host key" in SSH "Public Key" and "Host-Based" authentications.
    • different "x509v3-sign-rsa" signatures
      As support for SHA-1 and MD5 signature format PKIX-SSH is interoperable with implementations from multiple vendors. Both formats are supported because "SSH Transport Layer Protocol" internet drafts does not specify signature format in case of X.509 certificate for RSA key.
    • different packing of "x509v3-sign-dss" signature
      PKIX-SSH is interoperable with implementations from multiple vendors. It support DSA signatures packed in format as is described in [RFC2459] and "dss_signature_blob" format as is specified in "SecSH Transport" draft and [RFC4253].
      Note "SSH Transport Layer Protocol" internet draft before version 12 specify "x509v3-sign-dss" public key algorithm to use signature format as is described in [RFC2459], i.e. r and s packed in ASN.1 SEQUENCE. Some vendors pack DSA signature values in "dss_signature_blob" as is specified in "SecSH transport" draft for "ssh-dss" signature.
    • use key and certificate stored in "external devices"
      Implementation requires working OpenSSL loadable module(engine). The identity used in client authentication could refer to external key and/or certificate in two formats:
      • store:[SCHEME:][URI],
        where [SCHEME] is specify OpenSSL STORE provider and [URI] is specific to that provider. Note by default is assumed file: scheme. This format allows load of user identify from unsupported file formats like PKCS#12.
      • engine:[ENGINE_NAME]:[CERT_CRITERIA],
        where [ENGINE_NAME] is name of OpenSSL engine and [CERT_CRITERIA] is specific to engine search criteria to find the key and certicate.
      For instance you could use "friendly name" to access key and certificate stored in "Network Security Services (NSS)" database with e_nss engine. Remark: NSS is used in programs(web-browser. e-mail client) like Firefox, SeaMonkey, Thunderbird.
    • "PKCS#11"module
      As second option PKIX-SSH could use PKCS#11 shared library(module) to use ECDSA or RSA X.509 certificates and private key provided by PKCS#11 tokens.
  • Key based only public-key algorithms:
    • ssh-rsa
    • rsa-sha2-256
    • rsa-sha2-512
    • ecdsa-sha2-nistp256
    • ecdsa-sha2-nistp384
    • ecdsa-sha2-nistp521
    • ssh-ed25519
    • ssh-dss
  • verification (default feature)
    By default server(sshd) and clients(ssh,scp,sftp) always verify signatures and validity of certificates in chain when a X.509 certificate based public-key algorithm is used in authentication process. When verification fail that public-key is disallowed.
    In additional client is able to verify remote key using DNS with CERT RR (resource record).
  • validation
    • CRL (default feature)
      When a X.509 certificate is used in authentication, server and client always verify signatures and validity of existing CRLs issued by authorities in certificate chain. Certificate is allowed only when no one of certificates in the chain is revoked.
    • OCSP (default feature)
      Additional validation is performed when PKIX-SSH is configured to use OCSP and a X.509 certificate is used in authentication.
  • CERT RR
    ssh can verify host identification using CERT Resource Record published in DNS.
  • PKIX-SSH Agent (ssh-agent and ssh-add programs)
    Authentication agent can hold X.509 certificates.
  • ssh-keyscan
    This tools can gather all above listed public-key algorithms including those with X.509 certificate as host key:
    • x509v3-ecdsa-sha2-nistp256
    • x509v3-ecdsa-sha2-nistp384
    • x509v3-ecdsa-sha2-nistp521
    • x509v3-sign-rsa
    • x509v3-ssh-rsa
    • x509v3-rsa2048-sha256
    • x509v3-sign-dss
    • x509v3-ssh-dss
    • x509v3-ssh-ed25519
  • ssh-keysign
    This tools used in "Host-Based Authentication" can sign "host keys" containing either X.509 certificate (ECDSA, RSA, Ed25519 or DSA) or "plain keys".
  • ssh-keygen
    when user identity contain a X.509 certificate, command:
    • creates public key and proposed "SECSH Public Key File Format" for that certificate.
    • shows fingerprint of certificate.
    • prints CERT RR (resource record) for specified hostname.
  • regression tests
    Strong.
  • manual pages
    Detailed.
  • README.x509v3
    Brief description of server and client configuration, regression tests, troubleshooting and FAQ.

Get your version from download pages.



Todo:

  • to implement wildcards(patterns) for DN in "authorized keys" and "known hosts" files;
  • to extend "time limits" with specified time for given revoked certificates.

History:

  1. Initial
    Initial support began from 4 Apr 2002 with version "a". Version "b" issued on 11 Jun 2002 add "X509 store". The store is in use in verification process when a certificate is used as user's identity is ssh session. The store allow use of "distinguished name" in authorized keys file.
  2. Second stage
    In this phase certificate support is implemented in other PKIX-SSH executables. For first ssh-keygen support certificates since version "c" (20 Jun 2002). This version introduce regression tests. Later in version "d" (30 Jul 2002) support is added to ssh agent.
    As result PKIX-SSH support certificates as user identity entirely.
  3. Complete support
    Since version "e" (21 Nov 2002) manual pages are updated with information about X.509 certificate support. As well support for certificates as host key in introduced. As version "f" (30 Jan 2003) CRL are supported. Because certificate support is complete as version "f" client prefer algorithms with certificates for host key.
  4. Compatibility
    Compatibility phase begin with version "g" (3 Feb 2003). In version "g1" (30 Apr 2003) regression test scripts are updated to work well with various shells. Since version "g2" (12 Jun 2003) public key algorithm "x509v3-sign-rsa" accept "sha1" signatures in addition to "md5" and now PKIX-SSH is interoperable with all major ssh implementations. This version work fine with OpenSSL 0.9.7+. Later in versions "g3" (25 Feb 2004) and "g4" (9 Maj 2004) code, documentation and regression test are cleaned up.
  5. Validator
    Fifth phase began with OCSP (Online Certificate Status Protocol) support added in version "h" (6 Apr 2004). Later version schema is changed to more common format with numbers N.N{.N} and next version is 5.1. In version 5.3 compatibility is enhanced to support (in addition to [RFC3279] DSA signatures) format defined for "ssh-dss" signature. Self issued certificates can be permitted by "autorized keys" file since version 5.4 if configuration allow this. Correction for OCSP responder location obtained from certificate is added in version 5.4 and OCSP SSL support is enabled in 5.5.
  6. International
    Since version 6.0 (7 Aug 2007) PKIX-SSH can deal with "distinguished name" stored in autorized keys file as UTF-8 string or escaped. Before to compare printable attributes are converted to utf-8.
  7. Integration
    Starting from version 7.0 (22 Aug 2011) PKIX-SSH can communicate with other applications by using OpenSSL engines. For instance client could use certificates and keys stored in external devices.
    Version 7.1 (15 Jan. 2012) support build with FIPS enabled OpenSSL library and adds direct support of X.509 certificates(RSA) from PKCS11 module. Since this version sha1 is preferred algorithm and programs start to identify as PKIX in comment from ssh identification string.
    Build for android host is supported since version 7.2 (22 Apr. 2012). With version 7.5(19 May 2013) "known hosts" file may contain distinguished name of host X.509 certificate.
  8. Elliptic
    Version 8.0 (11 Aug.2014) is first secure shell implementation that support X.509 ECDSA algorithm as defined in [RFC6187] - initially for client and server. It is first version that provides complete tar archive for download. With version 8.2 (23 Nov. 2014) adds support of X.509 ECDSA algorithm in agent. From version 8.4 (1 Jul 2015) EC keys or X.509 certificates stored on external device could be used with loadable cryptographic modules - OpenSSL engines.
    Support for FIPS environments is enhanced in version 8.1 (29 Sep. 2014) with fipscheck for "Red Hat" FIPS validated environment. Version 8.2 (23 Nov. 2014) is successfully tested with Solaris 11.2 FIPS validated OpenSSL module.
    Lists with allowed algorithms support patterns since version 8.3 (18 Mart 2015).
    Support for EC keys and certificates stored in PKCS#11 tokens is added in version 8.8 (29 Feb 2016).
  9. New OpenSSL API
    Starting with version 9.0 code that uses OpenSSL is updated to use OpenSSL API introduced with version 1.1.0. Local accessor functions ensure compatibility with previous versions of cryptographic library.
  10. True RFC6187
    Version 10.0 (25 Feb 2017) correctly implements ecdsa X.509 algorithms according RFC6187. This is reason daemon to start to advertise PKIX-SSH release in connections. Also version adds rsa and dss algorithms according RFC6187 as well.
    In 10.1 (25 Mar 2017) is implemented adaptive public key algorithm selection functionality. It uses server extension "publickey-algorithms@roumenpetrov.info" (preferred) or "server-sig-algs" to find most suitable algorithm for user identity.
    With 10.2 (21 May 2017) Android port is considered complete and is packaged as application - SecureBox.
  11. Prefer RFC6187
    Version 11.0 (8 Oct 2017) prefer X.509 algorithms a described in RFC6187 over legacy one described in draft-ietf-secsh-transport-12.txt. Release starts to use more advanced adaptive algorithm selection based on extension "publickey-algorithms@roumenpetrov" with fail-back to "server-sig-algs". In addition daemon for each hostkey offers all supported public key algorithms based on key material.
  12. Modern
    Version 12.0 (18 Apr 2019) increase default RSA key size to 3072 bits, removes "insecure" key exchange methods from defaults and adds a post-quantum cryptography key exchange method. In 12.1 (29 Apr 2019) is added algorithm x509v3-rsa2048-sha256 (RFC 6187). Release 12.2 (26 Sep 2019) is prepared for packaging according Android 10 (API Level 29) requirements. Since 12.3 (13 Oct 2019) keys are stored using industrial standard PKCS#8 and use aes256 algorithm.

News archives:

Miscellaneous:

Cryptography
Recommended cryptographic library is OpenSSL. Before to use PKIX-SSH please read
OpenSSL security advisories. In addition to cryptographic algorithms library allows to be used externally managed user identities(keys). Access is based on engine or store functionality. Fully supported releases start from ancient 0.9.7 up to recent stable 1.1.1.
Note: PKIX-SSH builds with OpenSSL releases 3.0* and 3.1* and pass regression tests. It does not support "provider" interface as is not considered stable enough. Also use of such builds is not yet recommended due to overall issues.

[empty image]
[empty image] [empty image] Last modified : Thursday March 14, 2024 [empty image]