[ssh_x509] PKIX-SSH release 11.5

ssh_x509 at roumenpetrov.info
Fri Oct 19 21:51:23 EEST 2018

Hello all,

Source of release 11.5 is ready for download 
( http://roumenpetrov.info/secsh/download.html ).
It includes the following updates 
( http://roumenpetrov.info/secsh/#news20181019 ):

* Client verbose modes:
   Client verbose modes are increased by one. Now the client "verbose mode" 
starts from LogLevel "VERBOSE". At this level the client outputs messages 
for offered keys.
   Existing scripts could be updated with one more "-v" to reach the same 
level of detail as before.

* Client query argument "key-alg":
   This new argument to the client query option (-Q) lists all supported 
public key algorithms.

* Client option ForwardX11Timeout with zero argument:
   A zero value for the client option ForwardX11Timeout disables the 
timeout and permits X11 forwarding for the life of the connection.

* Enhancement of client option Port:
   The port could be expressed either by a number or by a service name, i.e. 

* Server support for the "signal" channel request:
   Signals are accepted only for a session that is not a subsystem and 
was not started with a forced command.

* Translation of OpenSSL errors:
   Translation of OpenSSL error codes after a failed read of a private key 
is reverted. Now all cases are treated as "invalid password", as before 
version 11.0.
   Remark: In some cases an invalid password could "decode" a key to 
garbage. "Error translation" returns "invalid format" and the system 
refuses to use this key. The expected behaviour is for the system to ask 
for the password again, up to a certain limit.
   In addition, the removed code relied on OpenSSL internal error 
management, which is subject to modification without notice, i.e. not 
reliable.

* Removed GCC Spectre mitigation flags:
   Now the configuration excludes the GCC flags "-mfunction-return=thunk" 
and "-mindirect-branch=thunk" from hardening. The options could cause 
miscompilation due to some GCC bugs. And on Linux retpolines are more 
suitable for the kernel than for userspace.

* logging:
   Various messages are changed to include error information from the 
cryptographic library. Some messages related to keys or channels are 
unified and enhanced.

* memory leaks and optimizations:
   Key creation is optimized to minimize memory allocations due to the 
use of the OpenSSL 1.1 API. Memory leaks in the process of key load or 
X.509 load from LDAP are fixed.

* cross-compilation:
   Configuration checks for snprintf functionality now use "cache" 
variables. This allows the user, in case of cross-compilation, to specify 
faulty behaviour so that programs use functions from the "compat" library 
instead of broken system ones. Ditto for setresuid and setresgid.

Roumen Petrov
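
Added example, not part of the announcement above and not PKIX-SSH code: the
wire format of the "signal" channel request the server now accepts, plus the
acceptance rule the release note states (no signals for subsystem sessions or
sessions started with a forced command). The message layout and the signal
name list are taken from RFC 4254 sections 6.9 and 6.10; the Session class,
its field names and the function names are assumptions of this example only,
constructed so it runs offline.

```python
import struct
from dataclasses import dataclass

SSH_MSG_CHANNEL_REQUEST = 98  # RFC 4250 message number

# Signal names RFC 4254 section 6.10 allows, sent without the "SIG" prefix.
ALLOWED_SIGNALS = {"ABRT", "ALRM", "FPE", "HUP", "ILL", "INT", "KILL",
                   "PIPE", "QUIT", "SEGV", "TERM", "USR1", "USR2"}


def _string(b: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int):
    """Parse an SSH 'string' at offset off; returns (bytes, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def encode_signal_request(recipient_channel: int, signal_name: str,
                          want_reply: bool = False) -> bytes:
    """Build SSH_MSG_CHANNEL_REQUEST of type "signal" (RFC 4254 6.9).

    RFC 4254 says want_reply is FALSE for this request type and the signal
    name is carried without its "SIG" prefix; both are handled here.
    """
    name = signal_name.upper()
    if name.startswith("SIG"):
        name = name[3:]
    return (bytes([SSH_MSG_CHANNEL_REQUEST])
            + struct.pack(">I", recipient_channel)
            + _string(b"signal")
            + bytes([1 if want_reply else 0])
            + _string(name.encode("ascii")))


def decode_channel_request(msg: bytes):
    """Split a channel request into (channel, request type, want_reply, rest)."""
    if len(msg) < 5 or msg[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not an SSH_MSG_CHANNEL_REQUEST")
    (chan,) = struct.unpack_from(">I", msg, 1)
    rtype, off = _read_string(msg, 5)
    if off >= len(msg):
        raise ValueError("missing want_reply byte")
    want_reply = msg[off] != 0
    return chan, rtype.decode("ascii"), want_reply, msg[off + 1:]


@dataclass
class Session:
    """Hypothetical server-side session state (assumption of this example)."""
    channel_id: int
    is_subsystem: bool = False
    forced_command: bool = False


def handle_signal_request(session: Session, msg: bytes):
    """Apply the release-note rule: accept a signal only for a plain shell/exec
    session, never for a subsystem or a forced-command session.

    Returns (accepted, detail); detail is the full signal name when accepted.
    """
    chan, rtype, _want_reply, rest = decode_channel_request(msg)
    if rtype != "signal":
        return False, "not a signal request"
    if chan != session.channel_id:
        return False, "wrong channel"
    if session.is_subsystem:
        return False, "signals not accepted for subsystem sessions"
    if session.forced_command:
        return False, "signals not accepted for forced-command sessions"
    raw, off = _read_string(rest, 0)
    if off != len(rest):
        return False, "trailing bytes after signal name"
    name = raw.decode("ascii", errors="replace")
    if name not in ALLOWED_SIGNALS:
        return False, "unknown signal name " + name
    return True, "SIG" + name


if __name__ == "__main__":
    msg = encode_signal_request(0, "SIGTERM")
    print(msg.hex())
    print(handle_signal_request(Session(0), msg))
    print(handle_signal_request(Session(0, is_subsystem=True), msg))
```

The policy check runs before the signal name is parsed, so a subsystem or
forced-command session is refused regardless of what the client put in the
request body; the name is validated against the RFC list only once the
session itself is eligible.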
