[ssh_x509] PKIX-SSH release 12.1

ssh_x509 at roumenpetrov.info
Sun Jun 16 15:41:50 EEST 2019


Hello all,

A new feature and security release has just been published:
https://www.roumenpetrov.info/secsh/#news20190616 .


(x) Security:
* ensure that an X.509 key is validated if the key is authorized by 
command and validation is not first:
   The work-around is to set the daemon option ValidateFirst to yes if the 
configuration uses an authorized keys command.
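As an added example (not part of this announcement or of PKIX-SSH), a small POSIX shell audit that flags an sshd_config which sets AuthorizedKeysCommand without the ValidateFirst yes work-around; the helper name and the sample configuration files are constructed for illustration.

```shell
#!/bin/sh
# Audit an sshd_config for the combination described above: an
# AuthorizedKeysCommand configured without "ValidateFirst yes".
# Hypothetical helper, not part of PKIX-SSH. Assumes the usual
# "Keyword value" syntax at global scope (Match blocks are not
# evaluated) and, like sshd, takes the first value of each keyword.
# Returns 0 when no work-around is needed, 1 when it is.
check_validate_first() {
    cfg="$1"
    # Keywords are case-insensitive; "#" comment lines never match because
    # the first field is then "#" or "#Keyword". "none" disables the command.
    cmd_set=$(awk 'tolower($1)=="authorizedkeyscommand" && c=="" {c=$2}
                   END {if (c!="" && c!="none") print 1; else print 0}' "$cfg")
    vfirst=$(awk 'tolower($1)=="validatefirst" && v=="" {v=tolower($2)}
                  END {print v}' "$cfg")
    if [ "$cmd_set" -eq 0 ]; then
        echo "$cfg: no AuthorizedKeysCommand, work-around not needed"
        return 0
    fi
    if [ "$vfirst" = "yes" ]; then
        echo "$cfg: AuthorizedKeysCommand with ValidateFirst yes, OK"
        return 0
    fi
    echo "$cfg: AuthorizedKeysCommand without ValidateFirst yes:" \
         "X.509 keys returned by the command may not be validated"
    return 1
}

# Constructed sample configurations for demonstration.
demo_dir=$(mktemp -d)
printf 'AuthorizedKeysCommand /usr/local/bin/lookup-keys %%u\n' > "$demo_dir/weak.conf"
printf 'AuthorizedKeysCommandUser nobody\n' >> "$demo_dir/weak.conf"
printf 'ValidateFirst yes\n' > "$demo_dir/fixed.conf"
cat "$demo_dir/weak.conf" >> "$demo_dir/fixed.conf"

check_validate_first "$demo_dir/weak.conf"  || echo "  -> work-around needed"   # returns 1
check_validate_first "$demo_dir/fixed.conf" && echo "  -> nothing to do"        # returns 0
```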


(x) Features:
* added algorithm x509v3-rsa2048-sha256 (RFC 6187)
   For compatibility reasons it is not used by default yet.
   Its use can be forced with the respective options that control the 
algorithms used.

* export more android properties to child session:
   Added ANDROID_STORAGE, ANDROID_RUNTIME_ROOT, ANDROID_TZDATA_ROOT and 
SYSTEMSERVERCLASSPATH.

* when signing custom certificates with an RSA key, default to using the 
rsa-sha2-256 signature format:
   Custom certificates signed by RSA keys will therefore be incompatible 
with PKIX-SSH < 8.8 or OpenSSH < 7.2 unless the default is overridden.

* allow testing a daemon configuration containing a Match directive without 
specifying connection parameters:
   Any attribute not provided by -C is assumed not to match.

* check for user@host when parsing the sftp target:
   This allows user@[1.2.3.4] to work without a path, in addition to with 
one.


(x) Bugs:
* restore support for PKCS#11-provided X.509 keys in the agent:
   Regression in the 12.0 release.

* no-op implementation of pam_putenv:
   Some platforms such as HP-UX do not have pam_putenv.


(x) Misc:
* check authorization files first, before the authorized keys command
* improve the experimental implementation of LDAP X.509 lookup based on the 
OpenSSL STORE API
* fixed some memory leaks
* improved some debug messages
* finalize removal of obsolete "X.509 key type" items from the ssh key-type 
enumeration and related code.


Regards,
Roumen Petrov
