[ssh_x509] PKIX-SSH release 13.4.1

ssh_x509 at roumenpetrov.info
Thu Jun 23 10:58:03 EEST 2022

Dear list members,

Official release 13.4.1 is ready for download.

(x) Features:
* work-around for OpenSSL 3.0
   Note: due to its broken design, OpenSSL 3.0 cannot ensure compatibility with the existing code base. Reordered PKIX-SSH code allows the mis-functional OpenSSL 3.0 key manager to be thrown away from keys.

* exclude DSA from the default host keys generated by the authentication key utility

* allow multiple SetEnv directives in client and daemon configuration
   Ensures that the first name wins, as the configuration is supposed to work. Includes unified processing of environment-related directives in client and daemon configuration, and a test over a multiplexed connection.
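The "first name wins" rule for repeated SetEnv directives, as an added illustration that is not PKIX-SSH code: each directive value is a whitespace-separated list of NAME=value tokens, and a token whose NAME is already present is ignored, so the directive seen first (for example in a more specific Host block) takes precedence. The envlist type and the function names are assumptions made for this example; the sample directive values in main() are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENV 64

/* Ordered list of "NAME=value" strings (assumed structure for this example). */
typedef struct {
    char *vars[MAX_ENV];
    int n;
} envlist;

/* Index of the entry whose name matches name[0..namelen), or -1. */
static int env_find(const envlist *e, const char *name, size_t namelen)
{
    for (int i = 0; i < e->n; i++)
        if (strncmp(e->vars[i], name, namelen) == 0 && e->vars[i][namelen] == '=')
            return i;
    return -1;
}

/* Process one SetEnv directive value such as "LANG=C TZ=UTC".
 * Names already present are skipped, so the first directive wins.
 * Malformed tokens (no '=' or empty name) are ignored. Returns the
 * number of entries added. */
int setenv_directive(envlist *e, const char *value)
{
    int added = 0;
    const char *p = value;

    while (*p != '\0') {
        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && *p != ' ' && *p != '\t')
            p++;
        size_t toklen = (size_t)(p - start);
        const char *eq = memchr(start, '=', toklen);
        if (eq == NULL || eq == start)
            continue;                       /* malformed: skip */
        if (env_find(e, start, (size_t)(eq - start)) >= 0)
            continue;                       /* already set: first wins */
        if (e->n >= MAX_ENV)
            break;
        char *copy = malloc(toklen + 1);
        if (copy == NULL)
            break;
        memcpy(copy, start, toklen);
        copy[toklen] = '\0';
        e->vars[e->n++] = copy;
        added++;
    }
    return added;
}

/* Value for name, or NULL if unset. */
const char *env_get(const envlist *e, const char *name)
{
    int i = env_find(e, name, strlen(name));
    return i < 0 ? NULL : e->vars[i] + strlen(name) + 1;
}

void env_free(envlist *e)
{
    for (int i = 0; i < e->n; i++)
        free(e->vars[i]);
    e->n = 0;
}

int main(void)
{
    envlist e = { {0}, 0 };
    /* Constructed: a Host-specific directive followed by a Host * default. */
    setenv_directive(&e, "LANG=C.UTF-8 TZ=UTC");
    setenv_directive(&e, "LANG=en_US.UTF-8 EDITOR=vi");
    printf("LANG=%s EDITOR=%s\n", env_get(&e, "LANG"), env_get(&e, "EDITOR"));
    env_free(&e);
    return 0;
}
```

The same rule is what makes a `SetEnv` line in a specific `Host` block override the one in a later `Host *` block: the specific block is read first, so its value is the first obtained.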

(x) Bugs:
* restore management of locked account
   Regression introduced in PKIX-SSH 13.3.2.

* PKCS#11 "raw" ec point
   Properly try the "raw" encoded EC point if the DER encoding fails to parse.
* memory leak in PKCS#11 EC keys
   Avoid a memory leak in the error path when a PKCS#11 EC key is constructed.

* clean-up password in user authentication error path

* scp in experimental SFTP mode
   When performing operations on a remote path specified as a pattern, ensure that the implicit working directory used to construct that path has its wild-card characters escaped. This prevents wild-card characters from being processed in places they should not be; e.g. after "cd /tmp/a*/", a "get *.txt" should have the get operation treat the path "/tmp/a*" literally and not attempt to expand it.
   Arrange secure copy to not truncate files early. Note that the previous behaviour of unconditionally truncating the destination file would cause "scp ~/foo localhost:" and "scp localhost:foo ~/" to delete all the contents of their destination.

(x) Misc:
* improved manual pages
* avoid non standard printf() conversion specifier %m in capsicum sandbox

* cache timezone data in capsicum sandbox

* accept only numbers for CIDR mask length

* use 64-bit in moduli generation
   Avoid overflow when trying to generate modp groups larger than 16k bits.

* improve TERM variable passing over multiplexed connection
   Use a different test depending on whether the regression test is run from a real tty or not.
   Restore the "multiplex" test to the regular list, as this was the second blocking issue. Remark: the first is race conditions, temporarily avoided by some extra "sleep" in the test.
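On the "accept only numbers for CIDR mask length" item above: an added example, not PKIX-SSH's own code, contrasting a lenient strtol(3)-based parse with a strict digits-only one. The lenient form silently accepts leading whitespace, a sign, and trailing junk ("+24", " 24", "24x" all become 24); the strict form rejects anything that is not a bare decimal number within the family's range. The function names, the envlist-free helper parse_cidr and the constructed addresses in main() are assumptions for this example; address syntax itself is not validated here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Lenient parse: the pattern to move away from. strtol skips leading
 * whitespace, accepts a sign, and stops at the first non-digit without
 * complaint, so "+24", " 24" and "24x" all yield 24. */
int masklen_lenient(const char *s, int maxlen)
{
    char *end;
    long v = strtol(s, &end, 10);
    if (end == s || v < 0 || v > maxlen)
        return -1;
    return (int)v;
}

/* Strict parse: every character must be a decimal digit and the value
 * must not exceed maxlen. The bound is checked while accumulating, so an
 * arbitrarily long digit string cannot overflow. Returns -1 on error. */
int masklen_strict(const char *s, int maxlen)
{
    long v = 0;

    if (s == NULL || *s == '\0')
        return -1;
    for (const char *p = s; *p != '\0'; p++) {
        if (!isdigit((unsigned char)*p))
            return -1;
        v = v * 10 + (*p - '0');
        if (v > maxlen)
            return -1;
    }
    return (int)v;
}

/* Split "addr/len" into the address (copied into addr) and the mask length.
 * The family is guessed from a ':' in the address: 128 for IPv6, 32 for
 * IPv4. A missing "/len" means a single host (full-length mask).
 * Returns the mask length, or -1 if the string is malformed. */
int parse_cidr(const char *cidr, char *addr, size_t addrsz)
{
    const char *slash = strchr(cidr, '/');
    size_t alen = slash ? (size_t)(slash - cidr) : strlen(cidr);

    if (alen == 0 || alen >= addrsz)
        return -1;
    memcpy(addr, cidr, alen);
    addr[alen] = '\0';
    int maxlen = strchr(addr, ':') ? 128 : 32;
    if (slash == NULL)
        return maxlen;
    return masklen_strict(slash + 1, maxlen);
}

int main(void)
{
    /* Constructed inputs (documentation ranges, not real hosts). */
    const char *inputs[] = { "192.0.2.0/24", "2001:db8::/48", "192.0.2.0/24x", "192.0.2.0/+24" };
    char addr[64];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-16s -> %d\n", inputs[i], parse_cidr(inputs[i], addr, sizeof addr));
    return 0;
}
```

The practical difference shows up in address-match lists: with the lenient parse, a typo such as "10.0.0.0/8x" would be accepted and quietly match the /8, whereas the strict parse makes the configuration error visible.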

Roumen Petrov
