[empty image] [empty image]
[empty image]
[empty image] [empty image] [empty image]
[empty image]

OpenSSH secure shell
and
X.509 v3 certificates
(archive 6.x-series)

Check the current version!

4 February 2011 : Published versions x509-6.2.4 for OpenSSH 5.8p1.
Download:
Please find it on download page.

24 January 2011 : Published versions x509-6.2.4 for OpenSSH 5.7p1.
What's new:
  • OpenSSH version 5.7p1
    See release note for details of new version.
Download:
Go to download page to get X509 certificate support for new version.

24 August 2010 : Published versions x509-6.2.3 for OpenSSH 5.6p1.
What's new:
Download:
The diff for new version is on download page.

16 April 2010 : Published versions x509-6.2.3 for OpenSSH 5.5p1.
What's new:
Download:
The diff for new version is on download page.

9 Mart 2010 : Published versions x509-6.2.3 for OpenSSH 5.4p1.
What's new:
  • rerelease 6.2.2 as 6.2.3
    The sshd was incorrectly patched and break X.509 certificates as host-keys.
Download:
The new version is now on download page.
Thanks:
Kenneth Robinette

8 Mart 2010 : Published versions x509-6.2.2 for OpenSSH 5.4p1.
What's new:
Download:
Get certificate support for new version on download page.

28 February 2010 : Published versions x509-6.2.2 for OpenSSH 5.3p1.
What's new:
  • improved build with OpenSSL 1.x
    Version is ready for upcoming OpenSSL 1.x.
Download:
Get it from download page.
2 October 2009 : Published versions x509-6.2.1 for OpenSSH 5.3p1.
What's new:
Download:
Get X.509 certificate support for OpenSSH 5.3p1 from download page.

4 August 2009 : Published versions x509-6.2.1 for OpenSSH 5.2p1.
What's new:
  • build with OpenSSL 1.x
    Fixed compilation issues with upcoming OpenSSL 1.x.
  • build with OpenSSL 0.9.6
    Fixed regresion introduces in 6.2.
Download:
Grab new version from download page.

23 February 2009 : Published versions x509-6.2 for OpenSSH 5.2p1.
What's new:
Download:
Diff for OpenSSH versions 5.2p1 and former is available on download page.

15 February 2009 : Published versions x509-6.2 for OpenSSH 5.1p1.
What's new:
  • client fail to read certificate from identity file
    On some gnu libc afrer seek on file discriptor file position is not synchornised with position in file stream associated with the same file descriptor.
  • build on 64-bit systems
    Missing include in auth2-pubkey.c lead to integer return value of strsep() instead pointer.
Download:
Get new version from download page.
Thanks:
Mike Frysinger

22 July 2008 : Published versions x509-6.1.1 for OpenSSH 5.1p1.
What's new:
Download:
You can found diffs for OpenSSH versions 5.1p1 and former on download page.

3 Apr 2008 : Published versions x509-6.1.1 for OpenSSH 5.0p1.
What's new:
  • OpenSSH version 5.0p1
    On 3 Apr 2008 OpenSSH team announce version 5.0p1 short after 4.9p1 due security reasons. Since the new release(5.0p1) is too close to previous one, the diff for 4.9p1 is removed from site.
Download:
On download page you can found diffs for OpenSSH versions 4.5p1,4.6p1,4.7p1 and 5.0p1.

31 Mar 2008 : Published versions x509-6.1.1 (from International series) for OpenSSH.
What's new:
  • OpenSSH version 4.9p1
  • key/certificate extracted from PKCS #12 file
  • openldap 2.4+
  • build for 4.{5|6}p1
Details:
  • OpenSSH version 4.9p1
    On 31 Mar 2008 OpenSSH team announce version 4.9p1. Note that OpenSSH team skip version 4.8 .
  • key/certificate extracted from PKCS #12 file
    Now result file (as example from command openssl pkcs12 ....) can be used directly without file to be modified to list first primary key.
  • openldap 2.4+
    OpenLDAP version 2.4+ deprecate support for ldbm backend. As result regresion tests (if ldap support is enabled) fail Now default backend for tests is bdb.
  • build for 4.{5|6}p1
    Build for 4.{5|6}p1 don't require library ssl to be specified for configure command. A unnoticed failure during backporting from 4.7 to 4.5/6 lead to this problem.
Download:
On download page you can found diffs for OpenSSH versions 4.5p1,4.6p1,4.7p1 and 4.9p1.
Thanks:
Yaron Blachman,
Bruce Keats

26 Oct 2007 : Published versions x509-6.1 (from International series) for OpenSSH.
What's new:
  • distinguished name compare bug(security)
  • uniform format for distinguished name output
  • char to integer conversion bug
  • OCSP support enabled by default
  • use non-deprecated LDAP functions
Details:
  • distinguished name compare bug(security)
    The bug affect versions 6.0 and 6.0.1 only. The work around is to write in "authorized keys" or "known hosts" files certificates in "blob" format instead "distinguished name".
  • uniform format for distinguished name output
    Distinguished name print use common uniform format so that the name is same in all debug messages. The change also overcome existing prior limitation to print only first 512 characters form name.
  • char to integer conversion bug
    Problem with conversion of non-ascii characters to integers on some old systems is resolved. All versions prior 6.1 are affected. Work around is to write in "authorized keys" or "known hosts" files certificates in "blob" format. Linux is not affected and problem exist on some old Unix-es.
  • OCSP support enabled by default
    Now the OCSP support is build by default and users could configure theirs system to perform additional OCSP validation .
  • use non-deprecated LDAP functions
    The "X509 store" (if ldap support is build and configured) can query directory services for certificates. This is implemented as OpenSSL X509_LOOKUP method. The implementation is changed to avoid use of functions marked as deprecated in OpenLDAP headers. As result of the change "X509 store" option CAldapURL should be escaped (see details in man pages).
Download:
On download page you can found diffs for OpenSSH versions 4.5p1,4.6p1 and 4.7p1.
Credits:
Special credits to Andrea Weisskopf why report bugs and propose patches.

6 Sep 2007 : Published versions x509-6.0.1 and x509-5.5.2 for OpenSSH 4.7p1.
Details:
On 5 Sep 2007 OpenSSH team announce version 4.7p1.
Download:
For OpenSSH 4.7p1 go on download page to get diffs for versions 6.0.1 (International) and 5.5.2 (Validator) .

29 Aug 2007 : Published version x509-6.0.1.
What's new:
This is bugfix release that include fixes prepared for unpublished version 5.6 bug forgotten in 6.0.
  • make ldap tests to work with recent OpenLDAP versions (marked for 2.3.32)
  • ssh-keyscan don't require key types to be specified explicitly
Details:
  • make ldap tests to work with recent OpenLDAP versions marked for 2.3.32:
    Configuration for database backed cannot be splited between included and main slapd configuration file. Without patch is confimed that test work on OpenLDAP versions 2.3.20 and earlier (including 2.2.x and 2.1.x).
  • ssh-keyscan don't require key types to be specified explicitly
    If key types are not defined ssh-keyscan crash. Patch fixes this and make as default scan for protocol version 2 keys instead of "rsa1" (protocol v1)
Download:
For OpenSSH 4.5p1/4.6p1 go on download page to get 6.0.1 ("International") diffs.

7 Aug 2007 : Published version x509-6.0 (code name International).
What's new:
  • Printable X.509 name attributes compared in UTF-8
  • "Distinguished Name" with escaped symbols or in UTF-8 codeset(charset);
  • LDAP queries in conformance to [RFC2254];
  • Restored support for openssl 0.9.6;
  • Resolved cross-compilation issue in configure;
  • Certificates for RSA keys size greater than 2048;
  • Regression tests with multi-language "distinguished name" in utf-8.
Detailed:
  • Printable X.509 name attributes compared in UTF-8
    Printable attributes are converted to utf-8 before to compare. This allow distinguished name in "authorized keys" file to be in UTF-8.
  • "Distinguished Name" with escaped symbols or in UTF-8 codeset(charset)
    File "Authorized keys" can contain "Distinguished Name"(subject) with escaped symbols or in UTF-8 charset. If unescaped certificate subject contain characters with code above 127(us-ascii) it is handled always as UTF-8 string.
  • LDAP queries in conformance to [RFC2254]
    In validation process "X.509 store" lookup for certificates and CRLs in files stored on file system. If is enabled (at configure time) this lookup can query LDAP server too. Attributes in query should be escaped and the versions before current escape attributes as is described in [RFC2253]. Now attributes are escaped in addition as is recommended in [RFC2254].
  • Restored support for openssl 0.9.6
    OpenSSl EVP_MD structure that handle so called "dss-raw" signatures can be compiled with openssl 0.9.6.
  • Resolved cross-compilation issue
    Test for "Email" in "Distinguished Name" (openssl 0.9.6 and earlier) in file configure.ac is modified to handle cross-compilation.
  • Certificates for RSA keys size greater than 2048
    Limitation for big RSA keys is resolved.
  • Regression tests with multi-language "distinguished name" in utf-8
    To enable uncomment #SSH_DN_UTF8_FLAG='-utf8' in "[SOURECDIR]/tests/CA/config", go in "[BUILDIR]/" and run tests. If test certificates are created, before to run tests again with flag enabled, go in "[BUILDIR]/tests/CA/", run make clean (this will remove created test certificates), return to "[BUILDIR]/" and run tests again.
Download:
Diffs are available for OpenSSH 4.5p1 and 4.6p1(get it).


News archives:

[empty image]
[empty image] [empty image] Last modified : Monday August 22, 2011 [empty image]