[ssh_x509] PKIX-SSH release 12.1

ssh_x509 at roumenpetrov.info
Sun Jun 16 15:41:50 EEST 2019

Hello all,

A new feature and security release has just been published: 
https://www.roumenpetrov.info/secsh/#news20190616 .

(x) Security:
* ensure that an X.509 key is validated when the key is authorized by an 
authorized keys command and validation is not performed first:
   Work-around: set the daemon option ValidateFirst to yes if the 
configuration uses an authorized keys command.
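The work-around above, as an added configuration audit that is not PKIX-SSH's own code: it parses an sshd_config and reports whether AuthorizedKeysCommand is in use without ValidateFirst set to yes. The sample configurations and the lookup-keys path are constructed for the example.

```shell
#!/bin/sh
# Added audit helper (not part of PKIX-SSH): flag an sshd_config that uses
# AuthorizedKeysCommand while ValidateFirst is not "yes", the combination the
# 12.1 security fix addresses. Keywords match case-insensitively, as in sshd.

# First value of a keyword in the global section of an sshd_config.
sshd_conf_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }          # global section ends here
        tolower(f[1]) == key { print f[2]; exit }  # first occurrence wins
    ' "$1"
}

# True when any AuthorizedKeysCommand (global or inside Match) is not "none".
uses_authorized_keys_command() {
    awk '
        /^[ \t]*(#|$)/ { next }
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "authorizedkeyscommand" && tolower(f[2]) != "none" { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# Exit 0 when the configuration is not affected or the work-around is applied,
# 1 when an authorized keys command is used without ValidateFirst yes.
check_validate_first() {
    if ! uses_authorized_keys_command "$1"; then
        echo "$1: no AuthorizedKeysCommand, not affected"; return 0
    fi
    vf=$(sshd_conf_value "$1" ValidateFirst | tr 'A-Z' 'a-z')
    if [ "$vf" = yes ]; then
        echo "$1: AuthorizedKeysCommand with ValidateFirst yes, work-around in place"; return 0
    fi
    echo "$1: RISK: AuthorizedKeysCommand used but ValidateFirst is ${vf:-unset}"; return 1
}

# Constructed sample configurations (hypothetical paths) for a self-contained run.
AUDIT_DIR=$(mktemp -d)
RISKY_CONF="$AUDIT_DIR/sshd_config.risky"
SAFE_CONF="$AUDIT_DIR/sshd_config.safe"
printf '%s\n' 'Port 22' 'AuthorizedKeysCommand /usr/local/bin/lookup-keys %u' \
    'AuthorizedKeysCommandUser nobody' > "$RISKY_CONF"
printf '%s\n' 'Port 22' '  ValidateFirst yes' 'authorizedkeyscommand=/usr/local/bin/lookup-keys %u' \
    'AuthorizedKeysCommandUser nobody' > "$SAFE_CONF"
check_validate_first "$RISKY_CONF" || true
check_validate_first "$SAFE_CONF"
```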

(x) Features:
* added algorithm x509v3-rsa2048-sha256 (RFC 6187):
   For compatibility reasons it is not used by default yet.
   Its use can be forced with the respective options that control used 

* export more Android properties to child session:

* when signing custom certificates with an RSA key, default to using the 
rsa-sha2-256 signature format:
   Custom certificates signed by RSA keys will therefore be incompatible 
with PKIX-SSH < 8.8 or OpenSSH < 7.2 unless the default is overridden.

* allow testing a daemon configuration containing a Match directive without 
specifying connection parameters:
   Any attribute not provided by -C is assumed not to match.

* check for user@host when parsing the sftp target:
   This allows user@[] to work without a path in addition to with 

(x) Bugs:
* restore support for PKCS#11-provided X.509 keys in the agent:
   Regression in the 12.0 release.

* no-op implementation of pam_putenv:
   Some platforms such as HP-UX do not have pam_putenv.

(x) Misc:
* check authorization files first before authorized keys command
* improve experimental implementation for ldap X.509 lookup based on 
* fixed some memory leaks
* improved some debug messages
* finalize removal of obsolete "X.509 key type" items from the ssh key-type 
enumeration and related code.

Roumen Petrov
