[ssh_x509] PKIX-SSH release 12.6

ssh_x509 at roumenpetrov.info
Sat Oct 3 19:36:10 EEST 2020

Dear list members,

New regular 12.6 release ( https://roumenpetrov.info/secsh/#news20201003 ) was just uploaded.

It is mostly a bugfix release, with the following updates highlighted:

(x) Features:
* additional control over use of the "askpass" program via the environment variable "SSH_ASKPASS_REQUIRE"

* allow some keywords to expand shell-style ${ENV} environment variables on the client side
* token expand for "user known host files" client option including new token %k (key-alias)

* allow -A to explicitly enable agent forwarding in scp and sftp commands
* delete agent keys read from standard input
* let client option AddKeysToAgent accept a time limit in addition

* builds with Android API 29
* seccomp audit support for riscv64-* and x32 hosts

(x) Bugs:
* fix regression in 'process "exit-signal" ssh channel message'
* restore functionality of client multiplexing option "proxy"
* fix some memory leaks
* restore possibility of "plain" key material to clean agent key
* process "-B" client command line option
* prevent hidden loss of precision when the convtime() result is used

(x) Misc:
* improve logging for MaxStartups connection throttling
* limit channel input buffer size to 16MB
* better terminology in some manuals
* defer creation of user ssh directory (~/.ssh) by client until attempt to write to it
* handle EINTR in functions waitfd and timeout_connect
* also compare user name when checking for JumpHost loops
* catch address/mask mismatches when parsing, before they cause problems at run-time
* when redirecting daemon log output to a file undo redirection in child process for client session
* reset the server alive check only when the client receives traffic from the server, and ignore traffic from a port forwarding
   (prevents client from keeping a connection alive when it should be terminated)
* always send any PAM account messages.
* improve daemon on re-exec

Roumen Petrov

Branch security_keys is updated regularly. It contains experimental features subject to non-stop modifications. The large code base and unstable code prevent inclusion in the main branch due to security risk.
Note that, unlike the origin, you can still use it with libfido2 1.4.0, but 1.5.0 is recommended.
