[ssh_x509] PKIX-SSH release 13.2.2

ssh_x509 at roumenpetrov.info
Mon Oct 11 10:10:46 EEST 2021


Dear list members,

New bugfix release 13.2.2 was just uploaded ( https://roumenpetrov.info/secsh/#news20211011 ) with the following updates:

(x) Security:
* supplementary groups for command
   Now the daemon initialises the supplementary group access list before executing a helper command like AuthorizedKeysCommand. Due to a defect, if the command is set to run as a different user it would inherit the groups that the daemon was started with. Depending on system configuration, inherited groups may allow the helper command to gain unintended privilege. Note that commands are not used by default.


(x) Features:
* scp via sftp
   Allow the secure copy utility to use the sftp v3 protocol for file transfer. Note that there is no attempt to provide compatibility with scp's "double shell" quoting rules. Requires the sftp server extension "expand-path" to support paths relative to users' home directories.

* portability
   On FreeBSD the agent uses system control (procctl(2)) to disable traces (ptrace(2)).


(x) Bugs:
* custom certificate as host-key in agent
   PKIX-SSH allows running the daemon in unprivileged mode. Now in this mode the daemon can use a host-key in the agent in the same manner as in privileged mode.

* interrupt on sftp command line
   Restored existing functionality broken in PKIX-SSH 13.2 by "experimental handle interrupt on sftp "editline" related code".


(x) Misc:
* "none" argument
   Accept "none" as argument for some configuration options. Only for compatibility.

* manual improvements


Remark: there are no plans to disable any supported algorithm.


Regards,
Roumen Petrov
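
The supplementary-groups issue from the Security item above, as an added example that is not part of the original announcement and is not PKIX-SSH code: a privilege drop that initialises the group list before changing gid/uid and then verifies that no group of the starting process remains. The names `drop_to_user` and `count_inherited_groups`, the 64-entry limit and the sample gids are assumptions of this example; it targets Linux/glibc.

```c
#define _DEFAULT_SOURCE            /* glibc: expose initgroups(), getgrouplist() */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAXG 64                    /* assumed upper bound for this example */

/* Number of entries in have[] absent from allowed[]: groups a helper would
 * carry over from the daemon instead of getting from the target account. */
int count_inherited_groups(const gid_t *have, int nhave,
                           const gid_t *allowed, int nallowed)
{
    int extra = 0;
    for (int i = 0; i < nhave; i++) {
        int found = 0;
        for (int j = 0; j < nallowed && !found; j++)
            found = (have[i] == allowed[j]);
        extra += !found;
    }
    return extra;
}

/* Become pw before exec'ing a helper. initgroups() needs privilege, so it
 * comes before setgid()/setuid(). Returns 0 on success; on -1 do not exec. */
int drop_to_user(const struct passwd *pw)
{
    gid_t allowed[MAXG], have[MAXG];
    int nallowed = MAXG, nhave;

    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) return -1;
    /* Verify the result; fail closed if anything cannot be checked. */
    if (getgrouplist(pw->pw_name, pw->pw_gid, allowed, &nallowed) < 0) return -1;
    if ((nhave = getgroups(MAXG, have)) < 0) return -1;
    return count_inherited_groups(have, nhave, allowed, nallowed) ? -1 : 0;
}

int main(void)
{
    /* Constructed gids: daemon started with 0, 4, 27; helper account has 1001. */
    gid_t daemon_groups[] = {0, 4, 27}, helper_groups[] = {1001};
    printf("inherited without initgroups: %d\n",
           count_inherited_groups(daemon_groups, 3, helper_groups, 1));
    return 0;
}
```

The same comparison can be used as an audit check: run `id` as the helper account from inside the configured command and compare the reported groups with the account's entries in the group database.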



