[empty image] [empty image]
[empty image]
[empty image] [empty image] [empty image]
[empty image]

secure shell with
X.509 v3 certificate support



20 Aug 2023 : Offical version 14.2.1
What's new:
  • Bugs:
    • timeout to multiplexing local socket
      Rewrite as previous implementation replace poll() with waitrfd(). Modification adds regression - signals are ignored. So, rewrite waitfd do take into account signals and to accept "mux termination" flag as parameter.
  • Misc:
    • portability
      Properly detect zlib 1.3 and use *ifaddrs* related configuration defines.

13 Aug 2023 : Offical version 14.2
What's new:
  • Security:
    • pkcs#11 module misuse
      Do not allow pkcs11 providers by default. Fixes finally CVE-2016-10009 and mitigates CVE-2023-38408.
  • Features:
    • connection tupple
      Add new daemon token - connection tupple(%C).
    • forward unix domain socket
      Experimental support for unix domain sockets to client forward request.
    • match localnetwork
      Add "localnetwork" case to match criteria.
    • configuration tags
      Support tags in client configuration.
    • android failback path
      Drop obsolete "failback path" management from Android packaging.
    • "command" based path model
      "command" based path model for Android application. Reserved for future.
  • Bugs:
    • fix public key serialisation if key contain only X.509 distinguished name
    • print correctly some PKCS#11 information
    • fork after authentication
      Ensure that fork after authentication work properly in multiplexed cases.
    • timeout in multiplexing
      Apply connection timeout to multiplexing local socket connections.
    • hostname canonicalization
      Do not disable hostname canonicalization if ProxyJump=none is used.
    • "no comment" for keys
      Resolved issue with missing "no comment" when keys without comment is processed after key with comment.
    • paraller sftp
      Try to fix crappy OpenBSD sftp client in parallel cases.
  • Misc:
    • remote terminal Do not open terminal when is requested do not execute command on remote.
    • scp in sftp Check in advance for source file when secure copy in sftp mode copy local to remote files.
    • correct a number of memory leaks
    • added checks for OpenSSL 3.0 releases
    • avoid matchpathcon Use selabel_lookup instead deprecated selinux matchpathcon function.
    • stop printing of "scanned" key information on output error
    • update ssh-copy-id script

16 Mar 2023 : Offical version 14.1.1
What's new:
  • Security:
    • bounds checking in getrrsetbyname() compatibility implementation
      A specifically crafted response from domain name server could cause function to perform an out-of-bounds reads Does not appear to be exploitable beyond denial-of-service to the ssh(1) client. This function is called only if client option VerifyHostKeyDNS is set and is used to check CERT or SSHFP resource records. Compatibility implementation is used only if is not provided by system resolver library.
  • Features:
    • hash algorithms in SSHFP RR
      Allow to specify hash algorithms used to generate SSHFP RR records for domain name servers.
    • print daemon configuration file
      Added daemon option -G that parses and prints the effective configuration without attempting to load private keys and perform other checks.
    • use sha256 when testing usability of rsa private key
    • rewrite checks for Kerberos 5 implementations
      Simplify, unify, and modernise configuration tests. In addition is added pkg-config based rule.
  • Bugs:
    • non-ascii file name in progress meter
      Rewrite progress meter to manage properly non-ascii file names.
    • clean channel flags
      Clean "file descriptors" flags when channel is closed. Note functionality was added in PKIX-SSH 14.1.
    • fix memory leak in sftp filename autocomplete
    • fix memory leak in sftp ls command if file status is not available
  • Misc:
    • improved manual pages
    • limit number of entries in "extension negotiation"
    • minimise warnings raised by static analysers
    • code clean-up - for instance remove unused secsh "compatibility" flags

4 Feb 2023 : Offical version 14.1
What's new:
  • Security:
    • fix use after free memory fault
      Compatibility KEX code introduced a double-free in PKIX-SSH 14.0. It is does not impact server side. Client could be impacted but when server is specially crafted.
  • Features:
    • control channel inactivity
      New daemon option ChannelTimeout automatically closes channels without traffic.
    • control unused connections
      New daemon option UnusedConnectionTimeout allows to terminate connections without open channels.
    • daemon command line argument -V
      Output version information like the client utility.
    • remove copy/transfer argument -X
      Add -X option to remove copy and file transfer programs. Currently sets SFTP parameters are the copy buffer length and the number of inflight requests. Obsoletes sftp argument -B/-R.
  • Bugs:
    • properly process client option PermitRemoteOpen
      Allow any/none argument only in first position.
    • default multi-string options
      Properly dump multi-string configuration options.
    • restrict sftp to reasonable values
      Do not allow sftp server "limits" extension to set unacceptable buffer sizes and number of open handles.
    • suggest system known-host file
      Avoid NULL print if user known-host files are not used. Note some C-library crash if printf function is called with NULL value for string format.
  • Misc:
    • allow writev in secure secure computing mode
    • optimise read buffers
      Use more suitable buffer size for main loops and channel Default sizes could set at build time.
    • no host-keys warning
      Emit warning if no host-keys for host-based authentication can be loaded.
    • use socketpair in remote copy utility
      Synchronise remote copy utility communication to ssh sub-processes with file transfer program.
    • dump original Host
      Add original "Host" line to the output of client configuration test.
    • import ed25519 code from SUPERCOP
      Update to 20221122 release.
    • unify and extend channel names
      Prerequisite for new channel controls.
    • rewrite some test to use multiplexed session

26 Dec 2022 : Offical version 14.0.3
What's new:
  • Bugs:
    • put on hold "deffer seed_rng invocation in daemon"
      Regression added in 14.0(14.0.1) release. Note "reexec" functionality clobbers file descriptors opened after closefrom call.

19 Dec 2022 : Offical version 14.0.2
What's new:
  • Bugs:
    • properly use EVP digest work-around for ECDSA keys
      On some Linux releases "OpenSSL's curve secp521r1 is NOT functional". For instance RHEL 6.

18 Dec 2022 : Offical version 14.0.1
What's new:
  • Features:
    • x509v3-ssh-ed25519
      Implementation of x509v3-ssh-ed25519 public-key algorithm.
    • scan by CIDR address ranges
      Allow gather secure shell public keys utility to accept CIDR address ranges.
    • prefer user's umask
      Honour user's umask if it is more restrictive then the ssh default.
    • warn if client cannot load public host-keys for host-based authentication
  • Bugs:
    • "globs" in sftp mode
      Better match scp/rcp's handling of "globs" when secure copy utility runs in experimental sftp mode.
    • handle remote forwarding in escape commandline's processing
    • properly check for duplicate experimental host-key update
  • Misc:
    • use key descriptions
      Describe keys into specific compilation with respective functional implementation.
    • modernised signature operations
      Unify sign and verify operations for RSA/DSA/EC keys and X.509 certificates and prefer EVP functions from OpenSSL 1.0+ API.
    • deffer seed_rng invocation in daemon
      Call after closefrom as work-around for random generator provided by an engine.
    • improve disabled tracing on FreeBSD
    • code clean-up, unification, readability, compatibility and portability
    • spelling errors
      Correct spelling errors in code and documentation including manual pages.
    • improved logging errors
    • check for valid canonical domain name when client resolves host-name
    • do not ever try to write an invalid name to a known-hosts file
    • add ECDSA on P-256 curve to X.509 "self-issued" test
    • add new client option EnableEscapeCommandline
    • more restrictive pledge(if supported) rules after session establishment


  • Issue tracking
    Development process is public hosted on GitLab. For mode details see project repository page. From project page you could monitor development process, propose enhancement or just report an issue.
  • Mailing list
    Project supports mailing list where you could share ideas, discuss your problems, receive project news and etc. The list is moderated, i.e. available only for list members. For more information about list (subscription, list archives) please visit this page.

Features (valid for latest version) :

  • X.509 certificate based public-key algorithms:
    • x509v3-ecdsa-sha2-nistp256
    • x509v3-ecdsa-sha2-nistp384
    • x509v3-ecdsa-sha2-nistp521
    • x509v3-sign-rsa
    • x509v3-ssh-rsa
    • x509v3-rsa2048-sha256
    • x509v3-sign-dss
    • x509v3-ssh-dss
    • x509v3-ssh-ed25519
    ECDSA, RSA, Ed25519 or DSA X.509 certificates could be used as "user identity" and/or "host key" in SSH "Public Key" and "Host-Based" authentications.
    • different "x509v3-sign-rsa" signatures
      As support for SHA-1 and MD5 signature format PKIX-SSH is interoperable with implementations from multiple vendors. Both formats are supported because "SSH Transport Layer Protocol" internet drafts does not specify signature format in case of X.509 certificate for RSA key.
    • different packing of "x509v3-sign-dss" signature
      PKIX-SSH is interoperable with implementations from multiple vendors. It support DSA signatures packed in format as is described in [RFC2459] and "dss_signature_blob" format as is specified in "SecSH Transport" draft and [RFC4253].
      Note "SSH Transport Layer Protocol" internet draft before version 12 specify "x509v3-sign-dss" public key algorithm to use signature format as is described in [RFC2459], i.e. r and s packed in ASN.1 SEQUENCE. Some vendors pack DSA signature values in "dss_signature_blob" as is specified in "SecSH transport" draft for "ssh-dss" signature.
    • use key and certificate stored in "external devices"
      Implementation requires working OpenSSL loadable module(engine). The identity used in client authentication could refer to external key and/or certificate in two formats:
      • store:[SCHEME:][URI],
        where [SCHEME] is specify OpenSSL STORE provider and [URI] is specific to that provider. Note by default is assumed file: scheme. This format allows load of user identify from unsupported file formats like PKCS#12.
      • engine:[ENGINE_NAME]:[CERT_CRITERIA],
        where [ENGINE_NAME] is name of OpenSSL engine and [CERT_CRITERIA] is specific to engine search criteria to find the key and certicate.
      For instance you could use "friendly name" to access key and certificate stored in "Network Security Services (NSS)" database with e_nss engine. Remark: NSS is used in programs(web-browser. e-mail client) like Firefox, SeaMonkey, Thunderbird.
    • "PKCS#11"module
      As second option PKIX-SSH could use PKCS#11 shared library(module) to use ECDSA or RSA X.509 certificates and private key provided by PKCS#11 tokens.
  • Key based only public-key algorithms:
    • ssh-rsa
    • rsa-sha2-256
    • rsa-sha2-512
    • ecdsa-sha2-nistp256
    • ecdsa-sha2-nistp384
    • ecdsa-sha2-nistp521
    • ssh-ed25519
    • ssh-dss
  • verification (default feature)
    By default server(sshd) and clients(ssh,scp,sftp) always verify signatures and validity of certificates in chain when a X.509 certificate based public-key algorithm is used in authentication process. When verification fail that public-key is disallowed.
    In additional client is able to verify remote key using DNS with CERT RR (resource record).
  • validation
    • CRL (default feature)
      When a X.509 certificate is used in authentication, server and client always verify signatures and validity of existing CRLs issued by authorities in certificate chain. Certificate is allowed only when no one of certificates in the chain is revoked.
    • OCSP (default feature)
      Additional validation is performed when PKIX-SSH is configured to use OCSP and a X.509 certificate is used in authentication.
    ssh can verify host identification using CERT Resource Record published in DNS.
  • PKIX-SSH Agent (ssh-agent and ssh-add programs)
    Authentication agent can hold X.509 certificates.
  • ssh-keyscan
    This tools can gather all above listed public-key algorithms including those with X.509 certificate as host key:
    • x509v3-ecdsa-sha2-nistp256
    • x509v3-ecdsa-sha2-nistp384
    • x509v3-ecdsa-sha2-nistp521
    • x509v3-sign-rsa
    • x509v3-ssh-rsa
    • x509v3-rsa2048-sha256
    • x509v3-sign-dss
    • x509v3-ssh-dss
    • x509v3-ssh-ed25519
  • ssh-keysign
    This tools used in "Host-Based Authentication" can sign "host keys" containing either X.509 certificate (ECDSA, RSA, Ed25519 or DSA) or "plain keys".
  • ssh-keygen
    when user identity contain a X.509 certificate, command:
    • creates public key and proposed "SECSH Public Key File Format" for that certificate.
    • shows fingerprint of certificate.
    • prints CERT RR (resource record) for specified hostname.
  • regression tests
  • manual pages
  • README.x509v3
    Brief description of server and client configuration, regression tests, troubleshooting and FAQ.

Get your version from download pages.


  • to implement wildcards(patterns) for DN in "authorized keys" and "known hosts" files;
  • to extend "time limits" with specified time for given revoked certificates.


  1. Initial
    Initial support began from 4 Apr 2002 with version "a". Version "b" issued on 11 Jun 2002 add "X509 store". The store is in use in verification process when a certificate is used as user's identity is ssh session. The store allow use of "distinguished name" in authorized keys file.
  2. Second stage
    In this phase certificate support is implemented in other PKIX-SSH executables. For first ssh-keygen support certificates since version "c" (20 Jun 2002). This version introduce regression tests. Later in version "d" (30 Jul 2002) support is added to ssh agent.
    As result PKIX-SSH support certificates as user identity entirely.
  3. Complete support
    Since version "e" (21 Nov 2002) manual pages are updated with information about X.509 certificate support. As well support for certificates as host key in introduced. As version "f" (30 Jan 2003) CRL are supported. Because certificate support is complete as version "f" client prefer algorithms with certificates for host key.
  4. Compatibility
    Compatibility phase begin with version "g" (3 Feb 2003). In version "g1" (30 Apr 2003) regression test scripts are updated to work well with various shells. Since version "g2" (12 Jun 2003) public key algorithm "x509v3-sign-rsa" accept "sha1" signatures in addition to "md5" and now PKIX-SSH is interoperable with all major ssh implementations. This version work fine with OpenSSL 0.9.7+. Later in versions "g3" (25 Feb 2004) and "g4" (9 Maj 2004) code, documentation and regression test are cleaned up.
  5. Validator
    Fifth phase began with OCSP (Online Certificate Status Protocol) support added in version "h" (6 Apr 2004). Later version schema is changed to more common format with numbers N.N{.N} and next version is 5.1. In version 5.3 compatibility is enhanced to support (in addition to [RFC3279] DSA signatures) format defined for "ssh-dss" signature. Self issued certificates can be permitted by "autorized keys" file since version 5.4 if configuration allow this. Correction for OCSP responder location obtained from certificate is added in version 5.4 and OCSP SSL support is enabled in 5.5.
  6. International
    Since version 6.0 (7 Aug 2007) PKIX-SSH can deal with "distinguished name" stored in autorized keys file as UTF-8 string or escaped. Before to compare printable attributes are converted to utf-8.
  7. Integration
    Starting from version 7.0 (22 Aug 2011) PKIX-SSH can communicate with other applications by using OpenSSL engines. For instance client could use certificates and keys stored in external devices.
    Version 7.1 (15 Jan. 2012) support build with FIPS enabled OpenSSL library and adds direct support of X.509 certificates(RSA) from PKCS11 module. Since this version sha1 is preferred algorithm and programs start to identify as PKIX in comment from ssh identification string.
    Build for android host is supported since version 7.2 (22 Apr. 2012). With version 7.5(19 May 2013) "known hosts" file may contain distinguished name of host X.509 certificate.
  8. Elliptic
    Version 8.0 (11 Aug.2014) is first secure shell implementation that support X.509 ECDSA algorithm as defined in [RFC6187] - initially for client and server. It is first version that provides complete tar archive for download. With version 8.2 (23 Nov. 2014) adds support of X.509 ECDSA algorithm in agent. From version 8.4 (1 Jul 2015) EC keys or X.509 certificates stored on external device could be used with loadable cryptographic modules - OpenSSL engines.
    Support for FIPS environments is enhanced in version 8.1 (29 Sep. 2014) with fipscheck for "Red Hat" FIPS validated environment. Version 8.2 (23 Nov. 2014) is successfully tested with Solaris 11.2 FIPS validated OpenSSL module.
    Lists with allowed algorithms support patterns since version 8.3 (18 Mart 2015).
    Support for EC keys and certificates stored in PKCS#11 tokens is added in version 8.8 (29 Feb 2016).
  9. New OpenSSL API
    Starting with version 9.0 code that uses OpenSSL is updated to use OpenSSL API introduced with version 1.1.0. Local accessor functions ensure compatibility with previous versions of cryptographic library.
  10. True RFC6187
    Version 10.0 (25 Feb 2017) correctly implements ecdsa X.509 algorithms according RFC6187. This is reason daemon to start to advertise PKIX-SSH release in connections. Also version adds rsa and dss algorithms according RFC6187 as well.
    In 10.1 (25 Mar 2017) is implemented adaptive public key algorithm selection functionality. It uses server extension "publickey-algorithms@roumenpetrov.info" (preferred) or "server-sig-algs" to find most suitable algorithm for user identity.
    With 10.2 (21 May 2017) Android port is considered complete and is packaged as application - SecureBox.
  11. Prefer RFC6187
    Version 11.0 (8 Oct 2017) prefer X.509 algorithms a described in RFC6187 over legacy one described in draft-ietf-secsh-transport-12.txt. Release starts to use more advanced adaptive algorithm selection based on extension "publickey-algorithms@roumenpetrov" with fail-back to "server-sig-algs". In addition daemon for each hostkey offers all supported public key algorithms based on key material.
  12. Modern
    Version 12.0 (18 Apr 2019) increase default RSA key size to 3072 bits, removes "insecure" key exchange methods from defaults and adds a post-quantum cryptography key exchange method. In 12.1 (29 Apr 2019) is added algorithm x509v3-rsa2048-sha256 (RFC 6187). Release 12.2 (26 Sep 2019) is prepared for packaging according Android 10 (API Level 29) requirements. Since 12.3 (13 Oct 2019) keys are stored using industrial standard PKCS#8 and use aes256 algorithm.

News archives:


Recommended cryptographic library is OpenSSL. Before to use PKIX-SSH please read
OpenSSL security advisories. In addition to cryptographic algorithms library allows to be used externally managed user identities(keys). Access is based on engine or store functionality. Fully supported releases start from ancient 0.9.7 up to recent stable 1.1.1.
Note: PKIX-SSH builds with OpenSSL releases 3.0* and 3.1* and pass regression tests. It does not support "provider" interface as is not considered stable enough. Also use of such builds is not yet recommended due to overall issues.

[empty image]
[empty image] [empty image] Last modified : Sunday August 20, 2023 [empty image]