[empty image] [empty image]
[empty image]
[empty image] [empty image] [empty image]
[empty image]

OpenSSH secure shell
X.509 v3 certificates



16 Mar 2014 : Version x509-7.9
What's new:
  • support OpenSSL 1.0.2 stable branch
    OpenSSL 1.0.2 stable branch includes important modification in FIPS build - "...FIPS capable OpenSSL isn't forced to use the (often lower performance) FIPS implementations outside FIPS mode...". As side effect flags in digest structure must be accessed through a function. This function is specific for 1* branches, i.e. does not exists in 0.9.* releases.
    PKIX ssh use those flags to determine at run time is digest if FIPS capable or not. From functional point of view in FIPS enabled mode PKIX version 7.9 build with openssl 1.0.2 (still in beta stage) could be used either with openssl 1.0.1+ or 1.0.2+ fips capable libraries. but reverse is not possible.
    Now new EVP compatible wrapper function to EVP_MD_flags is used to ensure compatibility with OpenSSL releases.
  • support OpenSSH version 6.6p1
    For more details see release note.
Diffs of PKIX release 7.9 for on OpenSSH 6.5p1 and 6.6p1 are available on download page.

31 Jan 2014 : Version x509-7.8
What's new:
  • based on OpenSSH version 6.5p1
    For more details see release note.
  • client key -Q report key algorithms for X.509 certificates
    Also FIPS enabled build report only macs and ciphers allowed in FIPS mode if activated.
Get it from download page .

9 Nov 2013 : Version x509-7.7
What's new:
  • based on OpenSSH version 6.4p1
    See OpenSSH security advisory: gcmrekey.adv.
  • allow use of internal AES-CTR in FIPS mode
    This will allow use of AES-CTR in FIPS on systems where AES-CRT in not available. For instance systems with custom FIPS validated OpenSSL based on 1.0.0.
  • build with kerberos enabled openssl
    Kerberos support is not enabled by default and if is not explicitly requested (--with-kerberos5) at configure time build fail if openssl support kerberos. Now users could build ssh either with or without kerberos support.
    In addition dependency of ssl library for some executable, like ssh-keygen was removed. Remark: ssl library is required if OCSP is enabled.
  • basic support for certificate chain
    Preparation of code for keys format described in RFC6187 .
Please find version 7.7 for OpenSSH 6.4p1 .

14 Sep 2013 : Version x509-7.6
What's new:
  • distinguished name in "known hosts" file
    Version 7.5 is enhanced and now use "known hosts" file may contain distinguished name of host X.509 certificate
  • ssh use -G to specify engine configuration file
    OpenSSH start to use -E as flag for ssh command. To avoid collision -G is selected as ssh command line to specify engine configuration file.
  • follow-up mainstream code cleanup
    OpenSSH version 6.3p1 includes many code cleanups like xfree(..) replaced by free(..) and etc. See release note with official list of changes.
Version 7.6 is available for OpenSSH 6.3p1 .

19 May 2013 : Version x509-7.5
What's new:
  • restore support for multiple key types in authorized keys
    Version 7.4 introduce regression in processing of authorized keys files - keys from file are not processed properly if "key-type" is different.
  • pkcs11 module support DSA keys
  • public key permit X.509 certificate as host key
    Similarly as "authorized keys" files, now public key listed in "known hosts" file allow X.509 host certificate to be accepted if public part match.
  • minimize use of Key type enumerate in allowed algorithms
    Implementation of options PubkeyAlgorithms and HostbasedAlgorithms now is modified do not use Key type enumerate,
  • new configuration variable ssh_cv_complete_ecc
    Configure script check "whether OpenSSL has complete ECC support" but part of test is based on library version. For instance ECC code is enabled if OpenSSL version is at least 0.9.8g. In addition FIPS enabled build will exclude ecsda keys for all 0.9.8* versions. Some vendors distribute patched crypto library with reliable ECC code. In this case variable "ssh_cv_complete_ecc" has to be preset to yes to override configure defaults (ref. "Site Configuration" from autoconf manual).
  • documentation updates
    As order of private part and X.509 certificate that match it is not important in identity files, now manual pages and README.x509v3 are updated do not state that X.509 certificate has to follow private key.
Version 7.5 is available for OpenSSH 6.1p1, 6.2p1 and 6.2p2 .

23 March 2013 : Version x509-7.4.1
What's new:
  • support OpenSSH version 6.2p1 (released on 22 March 2013)
    Refer to release note for details.
Version 7.4.1, i.e. 7.4 specific for OpenSSH 6.2p1, is available on download page.

4 Jan 2013 : Version x509-7.4
What's new:
  • remove deprecated option X509rsaSigType
  • document use of X.509 certificates from DNS server and add RSASHA1 algorithm as described in rfc4034
  • change authorized message
    If public identity contain X.509 certificate message is changed to "Authorized by " followed by key type and X.509 certificate distigushed name or public key fingerprint depending from data found in user authorised keys
  • clarify processing if X.509 store is not built-in>
  • enhance regression tests
    Enhance self-signed test and new tests for HostKeyAlgorithms and fail back for PubkeyAlgorithms. Later is used in authentication when user identity contain X.509 certificate but remote host lack support for X.509 certificates
  • order of key and X.509 certificate is not important in user identity file
    Although manual pages state that X.509 certificate has to follow private key since long time order was not important. This functionality was broken in the past, then fixed and now is fixed again. Last issue is related to fact that OpenSSL bio seek does not work on memory buffer. Impacted are all versions based on OpenSSH 5.7 and later.
  • minimize use of Key type enumerate
    Prepare code for next main release avoid additional updates when new key algorithms will be added.
Please find version 7.4 (on download page) available for OpenSSH 6.0p1 and 6.1p1.

30 Sep 2012 : Version x509-7.3
Main updates:
  • enable AES cipher in CRT mode for FIPS build
    Build with FIPS enabled OpenSSL now use openssl implementation.
  • initialization of OpenSSL engines
    Engine initialization is improved and now OpenSSL static engines are initialized only once. Double initialization lead to application crash in engine cleanup, even without use of engines.
    Note that dynamic engines are not impacted.
  • exclude X.509 regression test
    If SSH_X509TESTS is set to skip, X.509 regression test will not be run when is requested regression tests to be run as example:
    make check SSH_X509TESTS=skip
  • fips regression test
    Standard regression tests are enhanced with connect-privsep and try-ciphers test run in FIPS mode. Tests could be executed only manually as example:
    make FIPS_LTESTS=[name_of_test] REGRESS_TARGETS=f-exec
Version 7.3 is available on download page for OpenSSH 6.0p1 and 6.1p1.

30 Aug 2012 : Version x509-7.2.1
What's new:
  • support OpenSSH version 6.1p1 (released on 29 Aug 2012)
    Refer to release note for details.
  • unlimited size of X.509 certificate in OpenSSH public key format
    10 years old limitation of 4096 bytes now is gone. Note that use of "Distinguished Name" in authorized keys file is preferred.
  • document that sha1 hash is preferred
    Since version 7.1 sha1 is preferred over md5 and documentation is corrected to address this.
  • daemon log FIPS mode
    SSH daemon build with FIPS capable OpenSSL log in whith mode is run : FIPS or Non-FIPS.
Version 7.2.1 for OpenSSH 6.0p1 and 6.1p1 is available on download page.

25 May 2012 : Version x509-7.2
What's new:
  • cross-build for Android host
    The version 7.2 was successfully build and tested in emulated Andorid environment. The test was performed with OpenSSL 1.0+ version. Android build require library ldns and following additional argumets to configure script:
            .../configure \
            ... \
            --without-sandbox \
            --with-default-path=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin \
            --without-tcp-wrappers \
            --without-xauth \
            --with-ldns \
            --disable-strip \
            --build=...-pc-linux \
  • proper engine shutdown
    Support for OpenSSl engines in ssh client was improved to shutdown engines. Starting from 7.2 engine support is considered mature.
  • FIPS tests for OpenSSL 1.0.1+ releases
    FIPS capable OpenSSL 0.9.8x in FIPS mode create pkcs8 keys by default. Unfortunately, in such case, 1.0.1 releases does not create pkcs8 keys by default and creation of test certificates fail. X.509 certificate regression test script implement a work-arround but only for OpenSSL 1.0.1* development and beta versions. Now work-arround is activated for all 1.0.1* versions.
  • korn shell in regression tests
    Since 7.1 X.509 version fully support configuration and execution of tests with various born compatible shells. One of tested shells (korn sheel, 93t+ 2010-06-21) fail to expand properly last command line argument if is a empty string. Version 7.2 use different order of shell script arguments to avoid ksh failure.
Find version 7.2 on download page.

22 April 2012 : Uploaded version version x509-7.1 for OpenSSH 6.0p1
What's new:
  • OpenSSH version 6.0p1
    Refer to release note for details.
  • regression test with FIPS enabled OpenSSL
    It is known that OpenSSL 0.9.8 in FIPS mode create RSA key in PKCS8 format by default. Version 7.1 was tested with FIPS enabled OpenSSL 0.9.8+ and 1.0.1 prereleases. Unfortunately this functionality is not activated in OpenSSL 1.0.1+ stable releases.
    Regression tests suite perform converssion to PKCS8 format only for OpenSSL 1.0.1 beta or development version. To test with FIPS enabled build open file ".../tests/CA/config" and find line "*1.0.1*beta*|*1.0.1*dev*)", replace with "*1.0*)", save and then run test. The issue is addressed in 7.2 version that will be published soon.
Go to download page to get 7.1 version.

15 January 2012 : Version x509-7.1
What's new:
  • X.509 certificates with RSA key algorithm prefer sha1 to md5 signature:
    This version change order of accepted signatures for X.509 certificate with RSA key. Since OpenSSH client and server accept all listed in X509KeyAlgorithm such update affect only third party servers and clients. For details see X509KeyAlgorithm option in sshd_config(5) and ssh_config(5) manual pages.
    Note that version 7.1 start to identify as PKIX in comments from ssh identification string.
  • X.509 certificates from pkcs11 module:
    Now command like "ssh -I pkcs11 ..." and "ssh-add -s pkcs11 ...", where "pkcs11" is PKCS#11 shared library, use X.509 certificates for authentication. Note that currently only RSA algorithm is supported.
    Hint: If server does not support X.509 certificates set option "PubkeyAlgorithms" to "ssh-rsa" either on command line or in client configuraton file.
  • Build with FIPS capable OpenSSL:
    If site OpenSSL library is FIPS capable you could use configure option "--enable-openssl-fips" to build. Next if environment variable "OPENSSL_FIPS" is set programs will initialise OpenSSL in FIPS mode. In such mode only fips approved ciphers and macs are allowed. Also if fips mode is activated X509KeyAlgorithm use only sha1 signatures and refuse md5.
    Hint: Run "OPENSSL_FIPS=1 absolute_path_to_sshd -T" to get list with allowed ciphers and macs.

13 November 2011 :OpenSSL NSS engine location
  • Since 9 October 2011 engine home page is moved to http://roumenpetrov.info/e_nss as old host will discontinue hosting by end of the year (31.12.2011)
  • Since 8 October 2011 engine repository is hosted by Gitorious

8 September 2011 : Uploaded version x509-7.0 for OpenSSH 5.9p1.
What's new:
  • OpenSSH version 5.9p1
    After some packaging issues OpenSSH team re-release portable 5.9 version. Please see release note for details of new version.
    On download page you could grab diff with X.509 certificate support.

22 August 2011 : Version x509-7.0 (code name Integration) for OpenSSH 5.8p1.
What's new:
  • external devices
    The new version allow client to use as identity keys and certificates stored into "external devices". Format of client identity is engine:[ENGINE_NAME]:[CERT_CRITERIA]. Version is tested with OpenSSL E_NSS engine http://developer.berlios.de/projects/enss/.
    In brief you could use certificates and keys from Firefox, SeaMonkey, Thunderbird security database to authenticate to remote hosts.
  • 64-bit system support
    Code is verified and updated to ensure build on 64-bit system without warnings.
  • regresion tests
    Now regresion test generate sample X.509 certificates that could be used, in additon, from mozilla's security PKI database - Network Security Services (NSS). The certificates from previous versions are used to test compatibility between X.509 certificate support in OpenSSH and Microsoft CryptoAPI, used as external key provider, by commercial clients like Tectia (former ssh.com) and SecureCRT.
Go to download page to get new version.

17 August 2011 : Community support list
What's new:
Starting form 17th of August 2011 you coul get community support for X.509 certificate support in OpenSSH. The mail list archives are available here. To subsribe you could use either subscription page or you could send email to ssh_x509-request AT roumenpetrov.info with subject "subscribe".

Features (valid for latest version) :

  • "x509v3-sign-rsa" and "x509v3-sign-dss" public key algorithms
    X.509 certificates can used as "user identity" and/or "host key" in SSH "Public Key" and "Host-Based" authentications.
    • different "x509v3-sign-rsa" signatures
      As support for MD5 and SHA-1 signature format OpenSSH is interoperable with implementations from multiple vendors. Since "SSH Transport Layer Protocol" internet draft does not specify signature format in case of X.509 certificate for RSA key OpenSSH support both formats.
    • different packing of "x509v3-sign-dss" signature
      As support for DSA signatures packed in format as is described in [RFC2459] and "dss_signature_blob" as is specified in "SecSH transport" draft OpenSSH is interoperable with implementations from multiple vendors. "SSH Transport Layer Protocol" internet draft before version 12 specify "x509v3-sign-dss" public key algorithm to use signature in format is described in [RFC2459], i.e. r and s packed in ASN.1 SEQUENCE. Some vendors pack DSA signature values in "dss_signature_blob" as is specified in "SecSH transport" draft for "ssh-dss" signature.
    • use key and certificate stored in "external devices"
      Implementation require working OpenSSL engine. The identity used in client authentication could refer to external key and/or certificate in format engine:[ENGINE_NAME]:[CERT_CRITERIA], where [ENGINE_NAME] is name of OpenSSL engine and [CERT_CRITERIA] is specific to engine search criteria to find the key and certicate. For instance you could use "friendly name" to access key and certificate stored in "Network Security Services (NSS)" database with e_nss engine from http://developer.berlios.de/projects/enss/. NSS s used in programs(web-browser. e-mail client) like Firefox, SeaMonkey, Thunderbird.
  • verification (default feature)
    By default server(sshd) and clients(ssh,scp,sftp) always verify signatures and validity of certificates in chain when a X.509 certificate is used in authentication. When verification fail that certificate is disallowed. Certificate verification can be disabled when OpenSSH is build without "X.509 store", i.e. configure script is run with --disable-x509store option. In additional client is able to verify remote key using DNS and CERT RR.
  • validation
    • CRL (default feature)
      When a X.509 certificate is used in authentication, server and clients always verify signatures and validity of existing CRLs issued by authorities in certificate chain. Certificate is allowed only when no one of certificates in the chain is revoked. Validation is disabled only when OpenSSH is build without "X.509 store" feature.
    • OCSP (default feature)
      Additional validation is performed when OpenSSH is configured to use OCSP and a X.509 certificate is used in authentication.
    ssh can verify host identification using CERT Resource Record published in DNS.
  • OpenSSH Agent (ssh-agent and ssh-add programs)
    Authentication agent can hold X.509 certificates.
  • ssh-keyscan
    This tools can gather "x509v3-sign-rsa" and "x509v3-sign-dss" host keys.
  • ssh-keysign
    This tools used in "Host-Based Authentication" can sign "host keys" containing X.509 certificate.
  • ssh-keygen
    when user identity contain X.509 certificate:
    • create OpenSSH public key and proposed "SECSH Public Key File Format" for that certificate.
    • show fingerprint of certificate.
    • print CERT RR (resource record) for specified hostname.
  • regression tests
  • manual pages
  • README.x509v3
    Brief description of server and client configuration, regression tests, troubleshooting and FAQ.

Get your version from download pages.


  • to implement wildcards(patterns) for DN in "authorized keys" and "known hosts" files;
  • to extend "time limits" with specified time for given revoked certificates.


  1. Initial
    Initial support began from 4 Apr 2002 with version "a". Version "b" issued on 11 Jun 2002 add "X509 store". The store is in use in verification process when a certificate is used as user's identity is ssh session. The store allow use of "distinguished name" in authorized keys file.
  2. Second stage
    In this phase certificate support is implemented in other OpenSSH executables. For first ssh-keygen support certificates since version "c" (20 Jun 2002). This version introduce regression tests. Later in version "d" (30 Jul 2002) support is added to ssh agent.
    As result OpenSSH support certificates as user identity entirely.
  3. Complete support
    Since version "e" (21 Nov 2002) manual pages are updated with information about X.509 certificate support. As well support for certificates as host key in introduced. As version "f" (30 Jan 2003) CRL are supported. Because certificate support is complete as version "f" client prefer algorithms with certificates for host key.
  4. Compatibility
    Compatibility phase begin with version "g" (3 Feb 2003). In version "g1" (30 Apr 2003) regression test scripts are updated to work well with various shells. Since version "g2" (12 Jun 2003) public key algorithm "x509v3-sign-rsa" accept "sha1" signatures in addition to "md5" and now OpenSSH is interoperable with all major ssh implementations. This version work fine with OpenSSL 0.9.7+. Later in versions "g3" (25 Feb 2004) and "g4" (9 Maj 2004) code, documentation and regression test are cleaned up.
  5. Validator
    Fifth phase began with OCSP (Online Certificate Status Protocol) support added in version "h" (6 Apr 2004). Later version schema is changed to more common format with numbers N.N{.N} and next version is 5.1. In version 5.3 compatibility is enhanced to support (in addition to [RFC3279] DSA signatures) format defined for "ssh-dss" signature. Self issued certificates can be pertimed by "autorized keys" file since version 5.4 if configuration allow this. Correction for OCSP responder location obtained from certificate is added in version 5.4 and OCSP SSL support is enabled in 5.5.
  6. International
    Since version 6.0 (7 Aug 2007) openssh can deal with "distinguished name" stored in autorized keys file as UTF-8 string or escaped. Before to compare printable attributes are converted to utf-8.
  7. Integration
    Starting from version 7.0 (22 Aug 2011) openssh can communicate with other applications by using openssl engines. For instance client could use certificates and keys stored in external devices.
    Version 7.1 (15 Jan. 2012) support build with FIPS enabled OpenSSL library and adds direct support of X.509 certificates from PKCS1 module. Since this version sha1 is preferred algorithm and programs start to identify as PKIX in comment from ssh identification string.

News archives:


Recommendet OpenSSL library versions:
Before to use please read:
OpenSSL library versions:
  • 0.9.6k+patches(may be is time for upgrade)
    First vulnerability in "ASN.1 Denial of Service Attacks" from OpenSSL Security Advisory [28 September 2006] don't affect 0.9.6 versions but the second one may affect all 0.9.6 versions. For all 0.9.6 versions see OpenSSL Security Advisory [5 September 2006]. For versions before 0.9.6k see OpenSSL Security Advisory [30 July 2002]. For version 0.9.6i see this mail. For versions 0.9.6h+ see X509_NAME_cmp later in document.
  • 0.9.7l+patches(may be is time for upgrade)
    For versions before 0.9.7l see OpenSSL Security Advisory [28 September 2006]. For versions before 0.9.7k see OpenSSL Security Advisory [5 September 2006]. For versions before 0.9.7c see OpenSSL Security Advisory [30 July 2002]
  • 0.9.8k
    For versions before 0.9.8k see OpenSSL Security Advisory [25 Mart 2009]. For versions before 0.9.8d see OpenSSL Security Advisory [28 September 2006]. For versions before 0.9.8c see OpenSSL Security Advisory [5 September 2006].
  • 1.0.0
    For OpenSSL 1.0.0 (published on 29 Mart 2010) ot later you must download at least 6.2.1 version of diff.
  • X509_NAME_cmp
    Method X509_NAME_cmp is changed first in 0.9.7beta4.
    This method remain without modification in betas:0.9.7beta5/6 and in stable 0.9.7+ too.
    Stable OpenSSL versions 0.9.6h+ contain same method.
    Changed method conform with [RFC2459] specification when compare attribute values in PrintableString and IA5String format. This method check type of attributes and when attributes has diffrent types return code is nonzero, i.e. different X509_NAME. O-o-o-p-s-s-s. What happen when one attribute is PrintableString in the first certificate and same attribute is TeletexString in the second? When atribute, as example CN (common name), in a certificate contain as example underscore "_" OpenSSL use type TeletexString but Microsoft Windows implementation treat this incorrectly as PrintableString. Problem is also when a certificate contain atribute as TeletexString "Windows Keystore" convert (!!!!) this attribute to PrintableString. As result client who use that certificate from "Windows Keystore" cannot connect to server using these OpenSSL libraries.

    This method affect all version of "X.509 certificates support in OpenSSH" before version "f". Since version "f" X.509 certificates support in OpenSSH is not affected because contains own method to compare two X509_NAMEs.

[empty image]
[empty image] [empty image] Last modified : Sunday March 16, 2014 [empty image]