[ssh_x509] PKIX-SSH release 12.3

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Sun Oct 13 11:01:16 EEST 2019

Hello all,

New regular  release was just published - 
https://www.roumenpetrov.info/secsh/#news20191013 .

(x) Features:
* store identities(keys) in PKCS#8 PEM format and use aes256 algorithm

* fetch pkcs#11 RSA/EC public key
   Fetch public key if X.509 certificate was not found and in absence of 
keys try interactive login and fetch again.

* process the verbose flag when searching for host keys in known hosts
   Command "ssh-keygen -F host -l -v" will print random-art of host 
public key.

* allow %n to be expanded in ProxyCommand strings
* print explicit "not modified" message
   If a file was requested for resumed sftp download but was considered 
already complete.

* better error messages for "bits" limit in key generation

* limit number of parse permiopen/permitlisten directives on a single line

* allow prepending default set of algorithms by starting the list with 
the '^' character

(x) Bugs:
* build fixes: function prototypes, compatibility functions

* make <esc><right> move right to the closest end of a word in sftp

* properly support OpenSSL error management functionality

* clean again set of signal handlers inside handlers(it is expected 
current system to has reliable signals)

(x) Miscellaneous:
* deny shmdt in "preauth" unprivileged child in secure computing mode
   Resolves fatal on some Linux OS distributions with 3.* kernel using 
OpenSSL version 1.1.1d.

* on Solaris remove PRIV_PROC_SESSION
   Privilege which was limiting ability to send signal SIGWINCH to 
other(multiplexed) sessions.

* retain Solaris PRIV_FILE_LINK_ANY in sftp-server
   It is required for the legacy sftp rename operation.

* allow mprotect(2) with PROT_(READ|WRITE|NONE) only
   Allow in secure computing mode as is used by some hardened heap 

* allows s390-specific ioctl for ECC hardware support
   (in secure computing mode)

* add sendfd to pledge(2)
   Note that later in same code path pledge restriction is reduces.

* unify checks for function return value
   Some are checked for negative value while other exactly for -1.

* on OS X use proc_pidinfo()-based closefrom()

* supports build with OpenSSL master branch even with enabled API 

* change level of PKCS#11 message "provider returned no slots" from 
error to debug

* fix some memory leaks, mostly in error path

* separate regression test targets

* restrict regression test to keys supported by executable

* fix integer overflow in experimental XMSS private key
   Note XMSS is not enabled by default.

* "key shielding" feature
   Not enabled by default as key stored on secure device has better 

Roumen Petrov

More information about the ssh_x509 mailing list