[ssh_x509] PKIX-SSH release 12.5

ssh_x509 at roumenpetrov.info
Sun May 31 20:09:51 EEST 2020

Dear list members,

New regular 12.5 release ( https://roumenpetrov.info/secsh/#news20200531 ) is uploaded.

(x) Security:
* in the "remote copy program" (scp), send a single error message to avoid desynchronisation

(x) Features:
* enhance and unify token expansion in client options and properly document the tokens used
* allow IgnoreRhosts to be used anywhere in the server configuration
* make the daemon option IgnoreRhosts a tri-state option
* allow the list of agent keys to print the X.509 identity in public key format instead of the certificate distinguished name: ssh-add -L -k
* add an sftp flag that re-enables verbose output in batch mode
* add textual representation for some common PKCS#11 errors
* use EVP_chacha20 from the cryptographic library (ignored for broken LibreSSL)
* run the 2nd ssh with BatchMode for scp -3
* environment variable for engine configuration file: SSH_ENGINE_CONF
* load default dsa identity last

(x) Bugs:
* postpone building of the certificate chain for agent keys: correction for keys used with RFC6187 algorithms if IdentityFile is set
* properly limit PKCS#11 provider keys when the option IdentitiesOnly is set
* ensure that tunnel forwarding failures terminate the connection when ExitOnForwardFailure is enabled
* document the order of authorized keys: files are checked first, falling back to the command
* some clarifications in manual pages
* enable "explicit routing domain" daemon option only if supported by platform
* prepend bindir to "USER_PATH" found by configure script
* disable use of the completely broken "visually encode characters" functions

(x) Misc:
* make the environment section in manual pages more precise
* clarify and document use of ssh-askpass in manual pages
* miscellaneous portability fixes
* refactor program code for load, serialisation and deserialisation of keys
* correct spelling in manual pages, documents and code
* forward compatibility with the OpenSSL library: use only the EVP_PKEY interface, avoid use of deprecated API
* exclude ldap test from default list
* check if SA_RESTART signals will interrupt select

Roumen Petrov

