
PKIX-SSH
secure shell with
X.509 v3 certificate support




News:

11 Oct 2025 : Official version 17.1.2
What's new:
  • Features:
    • allow the authentication key utility to "export" keys stored "externally"
      This allows exporting the public part of store: or engine: identities in "The Secure Shell (SSH) Public Key File Format" (see RFC4716), PKCS8, or PEM. Note that OpenSSL utilities also allow export in PEM formats, either PKCS#8 or traditional.
  • Bugs:
    • fix regression in "Protocol Version Exchange"
      Restore output of "Version Addendum" broken in 17.1.* releases.
  • Misc:
    • do not set PAM_RHOST if hostname is UNKNOWN
      Avoids reverse DNS query from a PAM module.
    • add clock_gettime() compatible implementation
      Fixes the builds on old OS-es like macOS before 10.12 (Sierra).
    • allow building key-shielding on operating systems without memory mapped pages
      Note the feature is not enabled.

7 Oct 2025 : Official version 17.1.1
What's new:
  • Security:
    • do not allow NUL characters in url-encoded string
  • Features:
    • use pattern "PACKAGE_NAME[PACKAGE_VERSION]" as software version in "Protocol Version Exchange"
      Note PACKAGE_NAME is PKIX_SSH and PACKAGE_VERSION is 17.1.1 for this release.
    • check the user did not change during PAM transaction
    • use address family compatible IP tunnel on FreeBSD
    • always shutdown cryptographic library in authentication key utility
    • log active channels/sessions if client or "session" daemon receive "usr1" signal
    • allow enabling the built-in ML-KEM key exchange algorithm at configure time
  • Bugs:
    • continue the PKCS#11 key fetch loop if key material cannot be recognised
    • use first obtained value for MaxStartups
    • during sftp uploads, avoid a condition where a failed write could be ignored if a subsequent write succeeded
    • do not log audit messages with UNKNOWN hostname
    • wait for the unprivileged daemon authentication process to exit before closing file descriptors
    • check only major versions to match for OpenSSL >= 3.0
  • Misc:
    • get rid of the malfunctioning XMSS key algorithm
    • fix a number of memory leaks
    • describe "X509 store" option CAStoreURI
    • log if PKCS#11 does not support known key type
    • correct typographical and spelling errors
    • support logging to file in authentication agent utility and PKCS#11 helper utility
    • add GSSAPIStrictAcceptorCheck to output daemon configuration

29 Aug 2025 : Official version 17.0
What's new:
  • Features:
    • add hybrid key exchange algorithms based on ML-KEM and traditional Elliptic-curve Diffie-Hellman
      Supports all ML-KEM algorithms described in the "draft-kampanakis-curdle-ssh-pq-ke" internet draft, i.e. mlkem768nistp256-sha256, mlkem1024nistp384-sha384 and mlkem768x25519-sha256. Note this requires an OpenSSL 3.* that provides ML-KEM algorithms, i.e. OpenSSL 3.5* or OpenSSL 3.* with the Open Quantum Safe provider activated.
    • limiting default Diffie-Hellman key exchange algorithms
    • change IPQoS defaults
      Use Expedited Forwarding (EF) as default IPQoS for interactive sessions. Use the operating system default DSCP marking for non-interactive traffic.
    • remove support for IPv4 type-of-service IPQoS keyword arguments
      Deprecated in PKIX-SSH 11.4 (24 Aug 2018). System default is used instead.
    • add client option RefuseConnection
  • Misc:
    • unify ecdh and ecx key exchange functionality
      Prepare ECDH and ECX for use as traditional keys in hybrid key exchange.
    • add key exchange based on encapsulation mechanism
      Support ML-KEM-768 and ML-KEM-1024 algorithms provided by cryptographic library as post-quantum ephemeral keys of hybrid key exchange.
    • add benchmarking capability for unit tests
    • add benchmark support to key exchange unit tests
    • allows disabling Diffie-Hellman key exchange algorithms at configure time

19 Jul 2025 : Official version 16.2.1
What's new:
  • Bugs:
    • unit test with ancient compilers
      Some compilers (GCC 4.*) fail with error "error: redefinition of typedef 'sshsig_t'".
    • properly check local forward cancellation
      Incorrect check prevents error response.
    • fixed a number of memory leaks
    • match !final parse
      make "Match !final" not trigger a second pass to parse client configuration
  • Misc:
    • unit test benchmark stub
    • unify maximum size of monitor messages
    • Xdialog and zenity passphrase wrappers
      Mention Bourne shell passphrase request wrappers based on Xdialog and zenity.
    • fail gracefully if getgrouplist fails
    • improve debug logging when client loads keys

25 Jun 2025 : Official version 16.2
What's new:
  • Features:
    • provider managed identities
      Store functionality works with keys obtained from OpenSSL 3x providers like nss, pkcs#11, tpm2.
  • Bugs:
    • fixed a number of memory leaks
  • Misc:
    • improved compatibility with vendor FIPS validated OpenSSL 1.1+
      Version 16.0 rewrote the implementation of key exchange methods. That implementation uses a generic structure (PKEY) to hold diverse types of asymmetric keys. Vendor FIPS validated OpenSSL 1.1x does not allow some key algorithms when the cryptographic library runs in FIPS mode. The work-around is to exclude curve448-sha512 and curve25519-sha256 when the daemon or client runs in FIPS mode. The new release automatically excludes them in a FIPS enabled build with a vendor specific cryptographic library.
    • prevent out-of-bounds read if the "known hosts" file is truncated after the hostname
    • properly use dirname() when checking a given path for security
    • check maximum display number relative to offset

10 Apr 2025 : Official version 16.1.1
What's new:
  • Security:
    • disable forwarding globally
      Disable agent and X11 forwarding as well via global daemon option.
  • Features:
    • pass "ControlMaster no"
      Pass "ControlMaster no" to client when invoked by secure copy or secure file transfer.
    • SetEnv expansion
      Allows expansion of tokens and environment variables in the "SetEnv" client option.
    • without appinfo
      Remove obsolete appinfo wrapper for Android. The "addon" model is the only working model with post Android API 28 releases i.e., on Android 10 or newer.
  • Bugs:
    • sftp high-water when resuming
      Set "high-water" when sftp upload is resumed. Prevents bogus "server reordered ACKs" debug message.
  • Misc:
    • documentation
      Documentation and manual page improvements.
    • compatibility
      Improve compatibility with cryptographic library and third party implementations.

8 Mar 2025 : Official version 16.0
What's new:
  • Security:
    • add missing return codes
      Add return codes in error paths when public-key authentication is checked, a host key is verified or a custom certificate is processed.
  • Features:
    • rewrite implementation of key exchange methods
      Complete rewrite of the implementation model using an up-to-date cryptographic API and supporting backward compatibility. In addition, key exchange methods "curve448-sha512" and diffie-hellman with 3k and 6k groups are added.
    • rpm spec-files for recent OS releases
      Adapt build rules to functionality supported in recent OS releases.
    • wrap host-key generation on Android
    • wtmp and Y2038
      Add experimental wtmpdb support as Y2038 safe wtmp replacement.
    • drop all keys
      Make authentication agent drop all keys when it receives SIGUSR1.
    • allows key-shielding to be enabled at build time
    • allow wildcard patterns for daemon directive AuthorizedPrincipalsFile
    • allow wildcard patterns for daemon directive AuthorizedKeysFile
    • add Invalid-User condition to daemon Match block
    • add daemon option "RefuseConnection"
    • add client option VersionAddendum, used the same way as the existing daemon option
    • token expand for client "include" directive
    • log information for current system at startup
  • Bugs:
    • avoid bus-error if logging in privileged process fails
    • prevent integer overflow in X11 port handling
    • consistent "progress" display in secure file transfer
    • built-in ML-KEM-768 implementation with corrections for big-endian systems
    • require control-escape character sequences passed via the '-e ^x' command line to be exactly two characters long
    • write proper "user specific delay" log message
  • Misc:
    • refactor loadable modules support
      Separate the UI and STORE2 method to make it easier to exclude engine support.
    • fingerprint and carriage return
      Properly output fingerprint of specified public key if file contains carriage return characters.
    • "new passphrase" and "passphrase" arguments
      Clarify how the authentication key utility uses the "new passphrase" and "passphrase" arguments.
    • unify version debug output printed by client and daemon
    • remove "side effects" from pselect compatibility implementation
      Stateless "pselect" compatibility implementation.
    • relax check for valid domain name
      Allow underscore as first character.
    • prohibit comma in hostnames

3 Oct 2024 : Official version 15.3
What's new:
  • Features:
    • notify systemd on listen and reload
      Also support "systemd" service file.
    • up to date ssh-copy-id
      Synchronise ssh-copy-id "install script" with upstream.
    • update the Streamlined NTRU Prime code
      Switch from the "ref" to the faster "compact" implementation. Use the sntrup761x25519-sha512 key exchange method as an alias for the existing one; the hybrid key exchange algorithm now has an IANA-assigned name.
    • ML-KEM768 key exchange
      Add experimental support for hybrid post-quantum key exchange ML-KEM768 (coupled with X25519).
    • randomise grace login time (up to 4 extra seconds)
    • place shielded keys into memory excluded from a core dump
      Note key-shielding is not enabled by default. Limited to Linux and *BSD.
    • add daemon option "RefuseConnection"
  • Bugs:
    • correct proxy multiplexing bug
      If a mux started with ControlPersist then later has a forwarding added using mux proxy connection and the forwarding was used, then when the mux proxy session terminates, the mux master process will send a channel close to the server with a bad channel id and crash the connection. This was caused by stupidly reusing c->remote_id for multiplexing channel associations.
    • apply authorized keys options only when signature verification passes
      Prevents key options from being applied to subsequent keys listed in authorized keys.
    • fix memory leak when daemon subsystem configuration is processed
  • Misc:
    • consistently look for the last @ in the match user pattern
      This makes it possible to use usernames that contain '@' characters.
    • allow short key names only in key generation utility
      Be more strict when parsing the key type name.
    • restore daemon functionality on Android
      Copy more session specific user variables. Do not check daemon for absolute path. Do not drop supplementary groups, as this is not allowed by selinux rules.
    • modernise key generation
      Use "keygen" functionality in program code if build is with OpenSSL 1.1 or newer.
    • documentation
      Documentation and manual page improvements.
    • code and regression tests clean-up
      Includes performance improvements in rekey regression test.

11 Aug 2024 : Official version 15.2
What's new:
  • Security:
    • prefer sigaction()
      sigaction(), if available, is used to send a signal in the alarm signal handler. This avoids the logging done by ssh_signal() on its error path. Note sigaction() should be available on all modern OS-es.
  • Features:
    • enhance login class based checks
      Added function checks for any host restrictions and checks to see that a given time value is within allowed times.
      Remark: FreeBSD functionality.
    • only "addon" model on Android
      Link only with the application wrapper library. Stop using the application information library.
      Remark: This allows an application like SecureBox to stop sharing its "user id" with the terminal application. Also, with a separate id the terminal application has only read-only access to the secure shell configuration.
  • Bugs:
    • sftp and very long symbolic link
      Avoid silent truncation in sftp server readlink processing.
  • Misc:
    • wrap rename
      Stop wrapping rename() for Android builds. It was added to allow the key generation utility to create host-keys. With the new "addon" model this is the application's responsibility.
    • autoconf 2.72
      Suppress Android large file for 32-bit platforms as well if bootstrap uses autoconf 2.72.
    • path to ssh utility
      Revise how the path to the ssh utility is constructed and used in the secure copy and file transfer programs. Note on Android the construction uses the path of the running utility, which avoids communication with the application.
    • documentation
      Documentation and manual page improvements. Note information related to DSA algorithms and keys is excluded from manual pages.

6 Jul 2024 : Official version 15.1
What's new:
  • Security:
    • disable again logging in alarm handler
      Race condition could lead to code execution on some C libraries. Affected PKIX-SSH 13.3.2-15.0.
  • Features:
    • SSH_AUTH_INFO_0 and PAM
      Export SSH_AUTH_INFO_0 in PAM password authentication method.
    • askpass on wayland
      Enable secsh "askpass" on wayland display as well.
  • Bugs:
    • properly implement sftp home-directory extension
      It always returned the current user's home directory contrary to the spec.
    • utmpx login
      Use appropriate variable to record "utmpx" login.
    • sftp-prompt
      flush stdout after output of "sftp>" prompt
  • Misc:
    • askpass scripts
      More secsh askpass scripts based on dialog programs like xdialog and zenity.
    • use terminal wrappers to open files
      Reserved for "TermOne Plus"(Android) generic "addon" command interface.
    • print specified user in sftp connections
      Make the connection message consistent regardless of how the destination is specified on the command line.
    • simplify client quit message handling
      Also write the quit message before sending the disconnect packet.
    • promote connection-closed messages from verbose to information level
      Used if the client does not send a "disconnect" message.
    • quiet mode when the utility gathers public keys from servers
      Do not emit comment lines with hostname and SSH protocol banner.
    • never close stdin in gather public keys utility
    • add daemon option PamServiceName
      Reserved for future.
    • documentation
      Many documentation and manual page improvements.

12 Mar 2024 : Official version 15.0
What's new:
  • Features:
    • build without DSA keys
      A configuration option could be used to enable public algorithms based on DSA keys.
      Also regression tests prefer Intermediate CA with EC keys if build is with OpenSSL 1.1+.
    • use poll for main loops
      Convert daemon and client main loop from pselect to ppoll.
    • stricter handling of channel window limits
      This makes client and server more strict in handling non-compliant peers that send more data than the advertised channel window allows. Previously the additional data would be silently discarded. This change will cause client or server to terminate the connection if the channel window is exceeded by more than a small grace allowance (~10%).
    • client as login shell
      Manage case when terminal program executes secsh client as login shell.
    • "global" ChannelTimeout
      Add a "global" ChannelTimeout to client and daemon.
  • Bugs:
    • non-completed connection
      Manage non-completed connection in channel post processing.
    • long messages
      Ensure eof on long messages to standard error.
    • space in configuration directive
      Do not append space if subsystem lacks arguments.
    • parse single string array options separately
      In match block allows option override where first argument could be a specific keyword.
    • signal logs
      Avoid logging in ssh agent signal handler.
  • Misc:
    • harden madvise rules in Linux seccomp sandbox
      Linux madvise(2) syscalls support quite a number of flags, and the secsh daemon is not expected to use them. Filtering madvise arguments should exclude that kernel attack surface.
    • build configuration
      Use autoconf macro for fgrep. Note egrep and fgrep commands have been deprecated since 2007. Command is standardized by POSIX with -E and -F flags.
      Use plain apostrophes in configuration quotes. Follow autoconf 2.72 changes.
    • unlimited argument name in configuration
      Do not restrict number of canonical domains and CNAMEs when canonicalizing hostnames.
    • manuals
      Documentation and usage corrections and improvements.
    • force use of ssh askpass for pkcs#11 tests
      Avoid running a program in a new session, i.e. replaces the perl based setsid functionality.
    • change pkcs#11 module used in tests
      Use SoftHSM2 module in agent pkcs#11 regression tests. Also test EC key as well.
    • add certificate tests with pkcs#11 token and pkcs#11 engine
      Based on SoftHSM2 module. Tests are not enabled by default as they depend on many external packages.
    • certificate regression tests
      Prefer SHA256 digest to create test certificates. Activated if build is with OpenSSL 1.1+.
      Test with 2048-bit RSA keys.
      In hostkey algorithm tests use only RSA based Intermediate CA.
    • interoperability tests
      Improve conch and putty interoperability tests. Added tests with dropbear client.
    • SHA1 signatures in regression tests
      Enable SHA1 signatures in regression tests if deprecated by system policy.



Support:

  • Issue tracking
    The development process is public and hosted on GitLab. For more details see the project repository page. From the project page you can monitor the development process, propose an enhancement or just report an issue.
  • Mailing list
    The project supports a mailing list where you can share ideas, discuss your problems, receive project news, etc. The list is moderated, i.e. available only for list members. For more information about the list (subscription, list archives) please visit this page.

Features (valid for latest version) :

  • X.509 certificate based public-key algorithms:
    • x509v3-ecdsa-sha2-nistp256
    • x509v3-ecdsa-sha2-nistp384
    • x509v3-ecdsa-sha2-nistp521
    • x509v3-sign-rsa
    • x509v3-ssh-rsa
    • x509v3-rsa2048-sha256
    • x509v3-sign-dss
    • x509v3-ssh-dss
    • x509v3-ssh-ed25519
    ECDSA, RSA, Ed25519 or DSA X.509 certificates could be used as "user identity" and/or "host key" in SSH "Public Key" and "Host-Based" authentications.
    • different "x509v3-sign-rsa" signatures
      By supporting both SHA-1 and MD5 signature formats, PKIX-SSH is interoperable with implementations from multiple vendors. Both formats are supported because the "SSH Transport Layer Protocol" internet drafts do not specify the signature format for an X.509 certificate with an RSA key.
    • different packing of "x509v3-sign-dss" signature
      PKIX-SSH is interoperable with implementations from multiple vendors. It supports DSA signatures packed in the format described in [RFC2459] and in the "dss_signature_blob" format specified in the "SecSH Transport" draft and [RFC4253].
      Note "SSH Transport Layer Protocol" internet drafts before version 12 specify that the "x509v3-sign-dss" public key algorithm uses the signature format described in [RFC2459], i.e. r and s packed in an ASN.1 SEQUENCE. Some vendors pack DSA signature values in a "dss_signature_blob" as specified in the "SecSH transport" draft for the "ssh-dss" signature.
    • use key and certificate stored in "external devices"
      The implementation requires a working OpenSSL loadable module (provider or engine). The identity used in client authentication can refer to an external key and/or certificate in two formats:
      • store:[SCHEME:][URI],
        where [SCHEME] specifies the OpenSSL STORE provider and [URI] is specific to that provider. Note the file: scheme is assumed by default. This format allows loading a user identity from otherwise unsupported file formats like PKCS#12.
      • engine:[ENGINE_NAME]:[CERT_CRITERIA],
        where [ENGINE_NAME] is the name of the OpenSSL engine and [CERT_CRITERIA] is the engine-specific search criteria used to find the key and certificate.
      For instance, you could use a "friendly name" to access a key and certificate stored in a "Network Security Services (NSS)" database using a loadable module, either provider or engine. Remark: NSS is used in programs (web browser, e-mail client) like Firefox, SeaMonkey, Thunderbird.
      The engine: scheme allows use of certificates or keys provided by a number of OpenSSL PKCS#11 engines. A TPM engine should work as well.
      Use PKCS#11 providers or the TPM provider with the store: scheme to access certificates or keys from the respective security device.
    • "PKCS#11" module
      As a second option, PKIX-SSH could use a PKCS#11 shared library (module) to use ECDSA or RSA X.509 certificates and private keys provided by PKCS#11 tokens.
  • Key based only public-key algorithms:
    • ssh-rsa
    • rsa-sha2-256
    • rsa-sha2-512
    • ecdsa-sha2-nistp256
    • ecdsa-sha2-nistp384
    • ecdsa-sha2-nistp521
    • ssh-ed25519
    • ssh-dss
  • Key exchange algorithms:
    • mlkem768nistp256-sha256
    • mlkem1024nistp384-sha384
    • mlkem768x25519-sha256
    • curve448-sha512
    • curve25519-sha256
    • curve25519-sha256@libssh.org
    • ecdh-sha2-nistp256
    • ecdh-sha2-nistp384
    • ecdh-sha2-nistp521
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group-exchange-sha1 (**)
    • diffie-hellman-group18-sha512
    • diffie-hellman-group16-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group17-sha512
    • diffie-hellman-group15-sha512
    • sntrup761x25519-sha512 (*)
    • sntrup761x25519-sha512@openssh.com (*)
    • diffie-hellman-group14-sha1
    • diffie-hellman-group1-sha1 (**)
    Note the algorithm availability depends on the OpenSSL release, installed providers, build (*) or configuration (**) settings.
  • verification (default feature)
    By default the server (sshd) and clients (ssh, scp, sftp) always verify signatures and validity of certificates in the chain when an X.509 certificate based public-key algorithm is used in the authentication process. When verification fails, that public key is disallowed.
    In addition, the client is able to verify the remote key using DNS with CERT RR (resource record).
  • validation
    • CRL (default feature)
      When an X.509 certificate is used in authentication, server and client always verify signatures and validity of existing CRLs issued by authorities in the certificate chain. The certificate is allowed only when none of the certificates in the chain is revoked.
    • OCSP (default feature)
      Additional validation is performed when PKIX-SSH is configured to use OCSP and an X.509 certificate is used in authentication.
  • CERT RR
    ssh can verify host identification using CERT Resource Record published in DNS.
  • PKIX-SSH Agent (ssh-agent and ssh-add programs)
    Authentication agent can hold X.509 certificates.
  • ssh-keyscan
    This tool can gather all public-key algorithms listed above, including those with an X.509 certificate as host key:
    • x509v3-ecdsa-sha2-nistp256
    • x509v3-ecdsa-sha2-nistp384
    • x509v3-ecdsa-sha2-nistp521
    • x509v3-sign-rsa
    • x509v3-ssh-rsa
    • x509v3-rsa2048-sha256
    • x509v3-sign-dss
    • x509v3-ssh-dss
    • x509v3-ssh-ed25519
  • ssh-keysign
    This tool, used in "Host-Based Authentication", can sign "host keys" containing either an X.509 certificate (ECDSA, RSA, Ed25519 or DSA) or "plain keys".
  • ssh-keygen
    when the user identity contains an X.509 certificate, the command:
    • creates public key and proposed "SECSH Public Key File Format" for that certificate.
    • shows fingerprint of certificate.
    • prints CERT RR (resource record) for specified hostname.
  • regression tests
    Strong.
  • manual pages
    Detailed.
  • README.x509v3
    Brief description of server and client configuration, regression tests, troubleshooting and FAQ.

Get your version from download pages.
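
The two packings of an "x509v3-sign-dss" signature described in the feature list above, as an added example (not PKIX-SSH code): it accepts either the ASN.1 SEQUENCE of r and s or the 40-byte "dss_signature_blob" of [RFC4253] and normalises both to r || s. The function names, the 160-bit size of r and s, the choice to try strict DER first, and the sample bytes are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DSS_INT_LEN  20                 /* r and s are 160-bit integers */
#define DSS_BLOB_LEN (2 * DSS_INT_LEN)  /* dss_signature_blob: r || s */

enum dss_sig_format { DSS_SIG_INVALID = 0, DSS_SIG_ASN1, DSS_SIG_BLOB };

/* Constructed sample: DER SEQUENCE { INTEGER r, INTEGER s }.
 * r has its top bit set (needs a leading 0x00), s is only 19 bytes long. */
static const uint8_t SAMPLE_ASN1[] = {
    0x30, 0x2c,
    0x02, 0x15, 0x00, 0x8f, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
    0x02, 0x13, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a,
    0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33
};

/* The same constructed r and s packed as a 40-byte dss_signature_blob. */
static const uint8_t SAMPLE_BLOB[DSS_BLOB_LEN] = {
    0x8f, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
    0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13,
    0x00, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
    0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33
};

/* Read one DER INTEGER at *pos and store it left-padded to 20 bytes.
 * Rejects negative values, non-minimal encodings and values over 160 bits. */
static int
der_read_uint160(const uint8_t *buf, size_t len, size_t *pos,
    uint8_t out[DSS_INT_LEN])
{
    size_t p = *pos, n;

    if (len - p < 2 || buf[p] != 0x02)      /* INTEGER tag */
        return -1;
    n = buf[p + 1];                         /* long-form lengths fail below */
    p += 2;
    if (n == 0 || n > DSS_INT_LEN + 1 || n > len - p)
        return -1;
    if (buf[p] & 0x80)                      /* would be a negative number */
        return -1;
    if (buf[p] == 0x00 && n > 1) {
        if (!(buf[p + 1] & 0x80))           /* superfluous leading zero */
            return -1;
        p++;
        n--;
    }
    if (n > DSS_INT_LEN)
        return -1;
    memset(out, 0, DSS_INT_LEN - n);
    memcpy(out + (DSS_INT_LEN - n), buf + p, n);
    *pos = p + n;
    return 0;
}

/* Classify a signature value and write r || s (40 bytes) to out.
 * Strict DER is tried first; only then is a 40-byte input taken as a blob. */
enum dss_sig_format
dss_sig_normalize(const uint8_t *sig, size_t len, uint8_t out[DSS_BLOB_LEN])
{
    size_t pos = 2;

    if (sig == NULL || out == NULL)
        return DSS_SIG_INVALID;
    if (len >= 8 && len < 128 && sig[0] == 0x30 && sig[1] == len - 2 &&
        der_read_uint160(sig, len, &pos, out) == 0 &&
        der_read_uint160(sig, len, &pos, out + DSS_INT_LEN) == 0 &&
        pos == len)                         /* no trailing bytes allowed */
        return DSS_SIG_ASN1;
    if (len == DSS_BLOB_LEN) {
        memcpy(out, sig, DSS_BLOB_LEN);
        return DSS_SIG_BLOB;
    }
    memset(out, 0, DSS_BLOB_LEN);
    return DSS_SIG_INVALID;
}

/* Return 1 if both inputs are well formed and carry the same r and s. */
int
dss_sig_same_value(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    uint8_t na[DSS_BLOB_LEN], nb[DSS_BLOB_LEN];

    if (dss_sig_normalize(a, alen, na) == DSS_SIG_INVALID ||
        dss_sig_normalize(b, blen, nb) == DSS_SIG_INVALID)
        return 0;
    return memcmp(na, nb, DSS_BLOB_LEN) == 0;
}

int
main(void)
{
    uint8_t out[DSS_BLOB_LEN];

    printf("ASN.1 sample: format %d\n",
        dss_sig_normalize(SAMPLE_ASN1, sizeof(SAMPLE_ASN1), out));
    printf("blob sample:  format %d\n",
        dss_sig_normalize(SAMPLE_BLOB, sizeof(SAMPLE_BLOB), out));
    printf("same r and s: %d\n", dss_sig_same_value(SAMPLE_ASN1,
        sizeof(SAMPLE_ASN1), SAMPLE_BLOB, sizeof(SAMPLE_BLOB)));
    return 0;
}
```

Normalising only settles the packing; the resulting r and s still have to pass DSA verification against the certificate's public key.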



Todo:

  • to implement wildcards(patterns) for DN in "authorized keys" and "known hosts" files;
  • to extend "time limits" with specified time for given revoked certificates.

History:

  1. Initial
    Initial support began on 4 Apr 2002 with version "a". Version "b", issued on 11 Jun 2002, added the "X509 store". The store is used in the verification process when a certificate is used as the user's identity in an ssh session. The store allows use of a "distinguished name" in the authorized keys file.
  2. Second stage
    In this phase certificate support was implemented in the other PKIX-SSH executables. First, ssh-keygen has supported certificates since version "c" (20 Jun 2002). This version introduced regression tests. Later, in version "d" (30 Jul 2002), support was added to the ssh agent.
    As a result PKIX-SSH entirely supports certificates as user identity.
  3. Complete support
    Since version "e" (21 Nov 2002) manual pages are updated with information about X.509 certificate support. Support for certificates as host key was introduced as well. As of version "f" (30 Jan 2003) CRLs are supported. Because certificate support is complete as of version "f", the client prefers algorithms with certificates for the host key.
  4. Compatibility
    The compatibility phase began with version "g" (3 Feb 2003). In version "g1" (30 Apr 2003) regression test scripts were updated to work well with various shells. Since version "g2" (12 Jun 2003) the public key algorithm "x509v3-sign-rsa" accepts "sha1" signatures in addition to "md5", and PKIX-SSH is now interoperable with all major ssh implementations. This version works fine with OpenSSL 0.9.7+. Later, in versions "g3" (25 Feb 2004) and "g4" (9 May 2004), code, documentation and regression tests were cleaned up.
  5. Validator
    The fifth phase began with OCSP (Online Certificate Status Protocol) support added in version "h" (6 Apr 2004). Later the version scheme was changed to the more common numeric format N.N{.N}, and the next version is 5.1. In version 5.3 compatibility was enhanced to support (in addition to [RFC3279] DSA signatures) the format defined for the "ssh-dss" signature. Self-issued certificates can be permitted by the "authorized keys" file since version 5.4 if the configuration allows this. A correction for the OCSP responder location obtained from the certificate was added in version 5.4, and OCSP SSL support was enabled in 5.5.
  6. International
    Since version 6.0 (7 Aug 2007) PKIX-SSH can deal with a "distinguished name" stored in the authorized keys file as a UTF-8 string or escaped. Before comparison, printable attributes are converted to UTF-8.
  7. Integration
    Starting from version 7.0 (22 Aug 2011) PKIX-SSH can communicate with other applications by using OpenSSL engines. For instance, the client could use certificates and keys stored in external devices.
    Version 7.1 (15 Jan. 2012) supports builds with a FIPS enabled OpenSSL library and adds direct support of X.509 certificates (RSA) from a PKCS11 module. Since this version sha1 is the preferred algorithm and programs identify as PKIX in the comment of the ssh identification string.
    Build for Android hosts is supported since version 7.2 (22 Apr. 2012). With version 7.5 (19 May 2013) the "known hosts" file may contain the distinguished name of a host X.509 certificate.
  8. Elliptic
    Version 8.0 (11 Aug. 2014) is the first secure shell implementation that supports the X.509 ECDSA algorithm as defined in [RFC6187], initially for client and server. It is the first version that provides a complete tar archive for download. Version 8.2 (23 Nov. 2014) adds support for the X.509 ECDSA algorithm in the agent. From version 8.4 (1 Jul 2015) EC keys or X.509 certificates stored on an external device can be used with loadable cryptographic modules (OpenSSL engines).
    Support for FIPS environments was enhanced in version 8.1 (29 Sep. 2014) with fipscheck for the "Red Hat" FIPS validated environment. Version 8.2 (23 Nov. 2014) was successfully tested with the Solaris 11.2 FIPS validated OpenSSL module.
    Lists of allowed algorithms support patterns since version 8.3 (18 March 2015).
    Support for EC keys and certificates stored in PKCS#11 tokens is added in version 8.8 (29 Feb 2016).
  9. New OpenSSL API
    Starting with version 9.0 code that uses OpenSSL is updated to use OpenSSL API introduced with version 1.1.0. Local accessor functions ensure compatibility with previous versions of cryptographic library.
  10. True RFC6187
    Version 10.0 (25 Feb 2017) correctly implements the ecdsa X.509 algorithms according to RFC6187. This is the reason the daemon started to advertise the PKIX-SSH release in connections. The version also adds rsa and dss algorithms according to RFC6187.
    In 10.1 (25 Mar 2017) adaptive public key algorithm selection was implemented. It uses the server extension "publickey-algorithms@roumenpetrov.info" (preferred) or "server-sig-algs" to find the most suitable algorithm for the user identity.
    With 10.2 (21 May 2017) the Android port is considered complete and is packaged as an application, SecureBox.
  11. Prefer RFC6187
    Version 11.0 (8 Oct 2017) prefers X.509 algorithms as described in RFC6187 over the legacy ones described in draft-ietf-secsh-transport-12.txt. The release starts to use more advanced adaptive algorithm selection based on extension "publickey-algorithms@roumenpetrov" with fall-back to "server-sig-algs". In addition, for each hostkey the daemon offers all supported public key algorithms based on the key material.
  12. Modern
    Version 12.0 (18 Apr 2019) increases the default RSA key size to 3072 bits, removes "insecure" key exchange methods from the defaults and adds a post-quantum cryptography key exchange method. In 12.1 (29 Apr 2019) algorithm x509v3-rsa2048-sha256 (RFC 6187) was added. Release 12.2 (26 Sep 2019) is prepared for packaging according to Android 10 (API Level 29) requirements. Since 12.3 (13 Oct 2019) keys are stored using industry standard PKCS#8 with the aes256 algorithm.

Miscellaneous:

Cryptography
The recommended cryptographic library is OpenSSL. Before using PKIX-SSH please read the OpenSSL security advisories. In addition to cryptographic algorithms, the library allows use of externally managed user identities (keys). Access is based on engine or store functionality. Fully supported releases range from the ancient 0.9.7 up to the recent stable 1.1.1.
Note: PKIX-SSH builds with OpenSSL releases 3.0* and 3.1* and passes regression tests. It does not support the "provider" interface, as it is not considered stable enough. Also, use of such builds is not yet recommended due to overall issues.

Last modified : Saturday October 11, 2025