[ssh_x509] X.509 certificate support v7.5 for openssh 6.1p1, 6.2p1 and 6.2p2 is available for download

ssh_x509 at roumenpetrov.info
Tue May 21 18:47:28 EEST 2013


Dear All,

I would like to inform you that version 7.5 of X.509 certificate support for openssh has just been published. This version includes a fix for a regression introduced in 7.4, some new features and documentation updates. The complete list follows:

- restore support for multiple key types in authorized keys
         Version 7.4 introduced a regression in processing of authorized keys files - keys from the file are not processed properly if "key-type" is different.

- pkcs11 module supports DSA keys

- public key permits X.509 certificate as host key
         Similarly to "authorized keys" files, a public key listed in the "known hosts" file now allows an X.509 host certificate to be accepted if the public part matches.

- minimize use of Key type enumerate in allowed algorithms
         The implementation of the options PubkeyAlgorithms and HostbasedAlgorithms is now modified to not use the Key type enumerate.

- new configuration variable ssh_cv_complete_ecc
         The configure script checks "whether OpenSSL has complete ECC support", but part of the test is based on the library version. For instance, ECC code is enabled if the OpenSSL version is at least 0.9.8g. In addition, a FIPS enabled build will exclude ecdsa keys for all 0.9.8* versions. Some vendors distribute a patched crypto library with reliable ECC code. In this case the variable "ssh_cv_complete_ecc" has to be preset to yes to override the configure defaults (ref. "Site Configuration" from the autoconf manual).

- documentation updates:
         As the order of the private part and the X.509 certificate that matches it is not important in identity files, the manual pages and README.x509v3 are now updated to not state that the X.509 certificate has to follow the private key.


Best Regards,
Roumen Petrov



