[ssh_x509] PKIX-SSH release 13.0

ssh_x509 at roumenpetrov.info
Wed Mar 3 18:42:37 EET 2021

Dear list members,

A new major PKIX-SSH release is ready and will soon be available for download. It includes changes in the preferred order of supported algorithms, a complete rewrite of key management and, finally, CheckHostIP unset by default.

(x) Security:
* Always validate loaded keys, also in signing and verification. Note that in addition to files, key sources could be a "store", an "engine", a secure token device or a third-party utility that loads keys into the agent.

* Prevent an excessively long username from going to PAM on Solaris. This is a mitigation for a buffer overflow in Solaris PAM username handling (CVE-2020-14871), and is only enabled for Sun-derived PAM implementations.

(x) Features:
* Require C99 to build.

* Prefer RFC6187 public key algorithms to legacy ones. Note: these are the X.509-based algorithms.

* Prefer "Edwards-Curve Digital Signature Algorithm"(*ed25519*) to "Elliptic Curve Digital Signature Algorithm"(*ecdsa*) public key algorithms.

* Prefer PKCS#8 format for Ed25519 keys. Usable with OpenSSL 1.1.1+.

* Support the exact algorithm in host-based authentication, i.e. complete algorithm support including X.509 algorithms from RFC6187 and RSA algorithms from RFC8332.

* Set the specified TOS/DSCP for interactive use prior to TCP connect. Note that the connection phase of an SSH session is time-sensitive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.

* Change the client option CheckHostIP default to "no". This makes known-hosts files simpler, and the option must be unset anyway if the connection is to a host with multiple addresses.

* Client option PermitRemoteOpen for restricting remote dynamic forwarding with SOCKS.

* Daemon options to restrict the number of unauthenticated connections per source address: PerSourceMaxStartups and PerSourceNetBlockSize.

* The value none given as the first value of the client option UserKnownHostsFile or GlobalKnownHostsFile indicates that the user or global host key database should not be used.

* Enhance the key generation utility to store private keys in traditional PEM format. This avoids using OpenSSL utilities to convert from PKCS#8 to traditional PEM format.

* Allow or disallow more system calls in secure computing mode.

* Adapt mainstream updates of ssh-copy-id, like installing keys via sftp.

* Try to read the public key from the "private" key file if the pub-file is not present. Applicable to X.509 identities where the certificate is part of the file with the "private" key. Also usable for keys stored in a custom format.

* Custom sftp extension for server limits.

* Drop build requirements for fipscheck on Fedora 33 or newer.

* Support post 2.69 autoconf releases like 2.70 and 2.71.

* Remove the pre-standardization cipher rijndael-cbc@lysator.liu.se from the list. It is an alias for aes256-cbc described in RFC4253 (2006), disabled by default since PKIX-SSH 8.8 (Feb 2016) and never listed in the manual pages.

* New LogVerbose keyword for client and daemon. Allows forcing maximum debug logging by file/function/line pattern-list.

(x) Bugs:
* Do not check for "custom" revocation if the key is not specified in a host-key query.

* Do not free string returned by login_getcapstr(3) - compatibility with some BSDs.

* In the sftp command, properly sort the remote directory listing.

* When doing an sftp recursive upload or download of a read-only directory, ensure that the directory is created with write and execute permissions in the interim so that we can actually complete the transfer, then set the directory permission as the final step.

* More strictly enforce the key exchange state machine by rejecting packet types once they have been received. Avoids a memory leak.

* Revert "audit for x32 systems".

* In keyboard-interactive prompts, use (user@host) as a prefix to make it easier to determine which connection they are associated with in cases like scp -3, ProxyJump, etc.

* Allow full range of UIDs and GIDs for sftp chown and chgrp on 32-bit platforms instead of being limited by 32-bit LONG_MAX.

* Remove a debug message from the daemon "child" signal handler due to problems on some platforms.

* Properly measure elapsed time when the code waits for an event on a file descriptor.

* Do not reset handler for signal 0 in child sub-process.

* Various corrections in manual pages.

* Proper license for XMSS reference code.

(x) Notes:
* Rewrite code to use only EVP_PKEY as the attribute on the key structure. PKEY eliminates direct use of RSA, DSA, EC and DH keys, which are deprecated in OpenSSL 3.0. The OpenSSL 3.0 API will not be supported; planned is support for the next major release, 3.1 or 4.0.

* Various code refactoring to encapsulate functionality into a single source file, unify key serialisation and validation, define compatibility functions only in the source file where they are used, eliminate duplicate code, eliminate needless function arguments and structure attributes, remove unused global variables and improve readability.

* Replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519), i.e. "sntrup4591761x25519-sha512@tinyssh.org" -> "sntrup761x25519-sha512@openssh.com", as, per the authors, sntrup4591761 was replaced by sntrup761 almost two years ago.

Roumen Petrov
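
The per-source limiting described under "Daemon options to restrict the number of unauthenticated connections per source address" is easiest to reason about with a small model. The following is an added example, not PKIX-SSH or OpenSSH code: it assumes the option syntax OpenSSH documents for the keywords of the same name (PerSourceMaxStartups is a count or "none" for no limit; PerSourceNetBlockSize is "<ipv4 bits>[:<ipv6 bits>]", default 32:128, i.e. every address counted on its own). The sshd_config lines fed to it are constructed input. Names like parse_config and SourceLimiter are the example's own.

```python
"""Model of per-source unauthenticated-connection limiting.

Added illustration, not PKIX-SSH or OpenSSH code. Assumed option syntax:
  PerSourceMaxStartups  <count> | none        (default: none, no limit)
  PerSourceNetBlockSize <v4bits>[:<v6bits>]   (default: 32:128)
"""
import ipaddress
from collections import Counter


def parse_config(lines):
    """Pick the two keywords out of sshd_config-style lines (constructed input).

    Returns (max_startups or None, v4_bits, v6_bits).
    """
    max_startups = None          # None models "none": no per-source limit
    v4_bits, v6_bits = 32, 128   # assumed default 32:128
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "persourcemaxstartups":
            max_startups = None if value.lower() == "none" else int(value)
        elif key == "persourcenetblocksize":
            v4, _, v6 = value.partition(":")
            v4_bits = int(v4)
            v6_bits = int(v6) if v6 else 128
    if not (0 <= v4_bits <= 32 and 0 <= v6_bits <= 128):
        raise ValueError("PerSourceNetBlockSize out of range")
    return max_startups, v4_bits, v6_bits


class SourceLimiter:
    """Counts in-flight (not yet authenticated) connections per net block."""

    def __init__(self, max_startups, v4_bits=32, v6_bits=128):
        self.max_startups = max_startups
        self.v4_bits, self.v6_bits = v4_bits, v6_bits
        self.pending = Counter()

    def bucket(self, addr):
        """Map a source address to its net block key, e.g. 203.0.113.9 -> 203.0.113.0/24."""
        ip = ipaddress.ip_address(addr)
        bits = self.v4_bits if ip.version == 4 else self.v6_bits
        shift = ip.max_prefixlen - bits
        network = type(ip)((int(ip) >> shift) << shift)   # keep the family, clear host bits
        return f"{network}/{bits}"

    def connect(self, addr):
        """Return True if a new unauthenticated connection from addr may proceed."""
        if self.max_startups is None:
            return True
        key = self.bucket(addr)
        if self.pending[key] >= self.max_startups:
            return False            # block is full: refuse before spending resources
        self.pending[key] += 1
        return True

    def done(self, addr):
        """Connection authenticated or dropped: release its slot in the block."""
        key = self.bucket(addr)
        if self.pending[key] > 0:
            self.pending[key] -= 1


if __name__ == "__main__":
    # Constructed configuration: at most 2 pending connections per /24 (IPv4) or /64 (IPv6).
    limiter = SourceLimiter(*parse_config([
        "PerSourceMaxStartups 2",
        "PerSourceNetBlockSize 24:64   # group by /24 and /64",
    ]))
    for src in ("203.0.113.5", "203.0.113.9", "203.0.113.200", "198.51.100.1"):
        print(src, limiter.bucket(src), "accept" if limiter.connect(src) else "refuse")
```

Two points worth keeping in mind when choosing values: the counter only covers connections that have not yet authenticated, so slots are released as soon as authentication completes (or the connection drops), and widening the block (a /24 instead of a /32) is what stops an attacker from sidestepping the limit by spreading attempts over many addresses in one netblock, at the price of one noisy neighbour being able to lock out its whole block.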
