[ssh_x509] PKIX-SSH release 13.2

ssh_x509 at roumenpetrov.info
Mon Aug 30 22:10:12 EEST 2021

Dear list members,

Perhaps you noted that a new release was tagged on 2021-08-26. The release tarball is now available for immediate download.

Within this release (also on https://roumenpetrov.info/secsh/#news20210830):

(x) Features:
* client and daemon option CAStoreURI
   Option that uses the OpenSSL "Store API" for X.509 look-up.

* X.509 look-up "by store" for OpenSSL 1.1.1*
   Note that OpenSSL 3.0 provides its own "by store" X.509 look-up.

* client option KnownHostsCommand

* degrade sftp-server extension
   Degrade gracefully if an sftp-server offers the "limits" extension but fails when the client tries to invoke it.

* environment variable TERM
   allow client directive SetEnv to override environment variable TERM

* use only KbdInteractiveAuthentication client and daemon directives

* deprecate outdated SKeyAuthentication and TISAuthentication client directives

* client directive "SessionType"
   Allows the client configuration file to offer control equivalent to the -N (no session) and -s (subsystem) command-line flags.

* client directive "StdinNull"
   Client configuration option equivalent to the command-line argument -n.

* client directive "ForkAfterAuthentication"
   Client configuration option equivalent to the command-line argument -f.

* postpone "Authenticated to ..." message
   Move the "Authenticated to ..." verbose message to the end of the user authentication process. Also add the method name to the message.

* show only the final path component in the sftp progress meter

* sftp server extension "expand-path"
   Reserved for future use, to allow scp over sftp to accept ~-prefixed paths.

* use pselect in daemon
   Switch the server loop and listening loop to use pselect. Use the existing self-pipe trick to provide a compatible implementation.
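As an added illustration of the self-pipe fallback mentioned above (example code, not PKIX-SSH's own): a select() wrapper that routes a watched signal through a pipe, so the event loop cannot miss a signal that arrives just before it blocks, which is the race pselect() exists to close. The function and variable names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/select.h>
#include <unistd.h>

/* Self-pipe: the handler writes a byte to notify_pipe[1]; the read end is
 * added to every select() set, so a signal arriving between "check flag"
 * and "block in select()" still wakes the loop. (Assumed names, not PKIX-SSH's.) */
static int notify_pipe[2] = { -1, -1 };

static void on_signal(int sig) {
    int saved = errno;                         /* write() may clobber errno */
    if (notify_pipe[1] != -1)
        (void)write(notify_pipe[1], "", 1);    /* async-signal-safe */
    errno = saved;
}

/* Create the pipe non-blocking and close-on-exec; returns 0 or -1. */
int self_pipe_init(void) {
    if (pipe(notify_pipe) == -1) return -1;
    for (int i = 0; i < 2; i++)
        if (fcntl(notify_pipe[i], F_SETFL, O_NONBLOCK) == -1 ||
            fcntl(notify_pipe[i], F_SETFD, FD_CLOEXEC) == -1) return -1;
    return 0;
}

/* Route `sig` into the pipe; no SA_RESTART, so a blocked select() returns. */
int self_pipe_watch(int sig) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    return sigaction(sig, &sa, NULL);
}

/* select() wrapper with pselect()-like behaviour: if a watched signal
 * arrived, drain the pipe and fail with EINTR so the caller re-checks its
 * signal flags; otherwise return select()'s result unchanged. */
int select_with_signals(int nfds, fd_set *readfds, struct timeval *tv) {
    fd_set rfds; char buf[64];
    if (readfds) rfds = *readfds; else FD_ZERO(&rfds);
    FD_SET(notify_pipe[0], &rfds);
    if (notify_pipe[0] >= nfds) nfds = notify_pipe[0] + 1;
    int r = select(nfds, &rfds, NULL, NULL, tv);
    if (r == -1) return -1;                    /* includes a real EINTR */
    if (FD_ISSET(notify_pipe[0], &rfds)) {
        while (read(notify_pipe[0], buf, sizeof buf) > 0) { /* drain */ }
        errno = EINTR; return -1;
    }
    if (readfds) *readfds = rfds;
    return r;
}
```

A daemon loop calls select_with_signals() where it used select(), treats EINTR as "re-check signal flags", and never blocks past a signal even without a native pselect().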

(x) Bugs:
* do not log partial successes as failures
   Restore blocking status on standard input/output file descriptors before close.

* sftp server "limits"
   Make the "limits" extension available in read-only mode.

* use password cache in key utility
   Note that the get-password function may return a value that points to a static area, so it may be overwritten by subsequent calls.

* remove needless client options UserCAldapURL and UserCAldapVersion
   There is no tilde ($HOME) expansion.

* handle groups with GID > 2^31
   AIX LONG_MAX-related compatibility in getgrouplist.

* DNS SSHFP RR processing
   Use only supported key types and digests for DNS SSHFP resource records.

* explicitly check for and start time-based re-keying in the client and daemon loops

* make the first environment variable win in option parsing
   Also limit variables to 1024.

* on fatal errors, make scp wait for ssh connection before exiting

(x) Misc:
* rewrite client and daemon configuration parser
   Make them stricter and unified. Raise an error on a configuration directive with an empty pattern. Add handling of the escaped "space" character. Also, for all single-value directives, ensure that only the first value obtained is used.

* rewrite X.509 look-ups
   If the "by store" look-up is available it will handle LDAP queries; in that case the X.509 look-up "by ldap" is not built.

* updated manuals

* openssl compatibility
   Note that the provider-based implementation will be based on the OpenSSL 3.1 API.

* more regression tests
   Also use more portable shell substitutions throughout the regression tests.

* log sftp flags and permissions attribute

* experimental: handle interrupts in the sftp "editline"-related code

Roumen Petrov
