PKIX-SSH
secure shell with X.509 v3 certificate support
News:
- 3 Oct 2024 : Official version 15.3
- What's new:
- Features:
- notify systemd on listen and reload
Also support "systemd" service file.
- up to date ssh-copy-id
Synchronise ssh-copy-id "install script" with upstream.
- update the Streamlined NTRU Prime code
Switch from "ref" to faster "compact" implementation.
Use sntrup761x25519-sha512 key exchange method as an alias to the existing one: the hybrid key exchange algorithm now has an IANA-assigned name.
- ML-KEM768 key exchange
Add experimental support for hybrid post-quantum key exchange ML-KEM768 (coupled with X25519).
- randomise grace login time (up to 4 extra seconds)
- place shielded keys into memory excluded from a core dump
Note key-shielding is not enabled by default. Limited to Linux and *BSD.
- add daemon option "RefuseConnection"
- Bugs:
- correct proxy multiplexing bug
If a mux started with ControlPersist then later has a forwarding added using mux proxy connection and the forwarding was used,
then when the mux proxy session terminates, the mux master process will send a channel close to the server with a bad channel id and crash the connection.
This was caused by stupidly reusing c->remote_id for multiplexing channel associations.
- apply authorized keys options only when signature verification passes
Prevents key options from being applied to subsequent keys listed in authorized keys.
- fix memory leak when daemon subsystem configuration is processed
- Misc:
- consistently look for the last @ in the match user pattern
This makes it possible to use usernames that contain '@' characters.
- allow short key names only in key generation utility
Be more strict when a key type name is parsed.
- restore daemon functionality on Android
Copy more session specific user variables.
Do not check daemon for absolute path.
Do not drop supplementary groups, as this is not allowed by selinux rules.
- modernise key generation
Use "keygen" functionality in program code if build is with OpenSSL 1.1 or newer.
- documentation
Documentation and manual page improvements.
- code and regression tests clean-up
Includes performance improvements in rekey regression test.
- 11 Aug 2024 : Official version 15.2
- What's new:
- Security:
- prefer sigaction()
In the alarm signal handler, sigaction() is used, if available, to send a signal.
This avoids the logging done in ssh_signal() on the error path.
Note that sigaction() should be available on all modern OSes.
- Features:
- enhance login class based checks
Added function checks for any host restrictions and
checks to see that a given time value is within allowed times.
Remark: FreeBSD functionality.
- only "addon" model on Android
Link only with application wrapper library.
Stop using the application information library.
Remark: This allows an application like SecureBox to stop sharing its "user id" with the terminal application.
Also, with a separate id the terminal application has only read-only access to the secure shell configuration.
- Bugs:
- sftp and very long symbolic link
Avoid silent truncation in sftp server readlink processing.
- Misc:
- wrap rename
Stop wrapping rename() for Android builds.
It was added to allow the key generation utility to create host-keys.
With the new "addon" model this is the application's responsibility.
- autoconf 2.72
Suppress Android large file for 32-bit platforms as well if bootstrap uses autoconf 2.72.
- path to ssh utility
Revise how the path to the ssh utility is constructed and used in the secure copy and file transfer programs.
Note that on Android the construction uses the path of the running utility, which avoids communication with the application.
- documentation
Documentation and manual page improvements.
Note information related to DSA algorithms and keys is excluded from manual pages.
- 6 Jul 2024 : Official version 15.1
- What's new:
- Security:
- disable again logging in alarm handler
Race condition could lead to code execution on some C libraries.
Affected PKIX-SSH 13.3.2-15.0.
- Features:
- SSH_AUTH_INFO_0 and PAM
Export SSH_AUTH_INFO_0 in PAM password authentication method.
- askpass on wayland
Enable secsh "askpass" on wayland display as well.
- Bugs:
- properly implement sftp home-directory extension
It always returned the current user's home directory contrary to the spec.
- utmpx login
Use appropriate variable to record "utmpx" login.
- sftp-prompt
flush stdout after output of "sftp>" prompt
- Misc:
- askpass scripts
More secsh askpass scripts based on dialog programs like xdialog and zenity.
- use terminal wrappers to open files
Reserved for "TermOne Plus"(Android) generic "addon" command interface.
- print specified user in sftp connections
Make the connection message consistent regardless of how the destination is specified on the command line.
- simplify client quit message handling
Also write the quit message before sending the disconnect packet.
- promote connection-closed messages from verbose to information level
Used if the client does not send a "disconnect" message.
- quiet mode when the utility gathers public keys from servers
Do not emit comment lines with hostname and SSH protocol banner.
- never close stdin in gather public keys utility
- add daemon option PamServiceName
Reserved for future.
- documentation
Many documentation and manual page improvements.
- 12 Mar 2024 : Official version 15.0
- What's new:
- Features:
- build without DSA keys
A configuration option could be used to enable public algorithms based on DSA keys.
Also regression tests prefer Intermediate CA with EC keys if build is with OpenSSL 1.1+.
- use poll for main loops
Convert daemon and client main loop from pselect to ppoll.
- stricter handling of channel window limits
This makes client and server more strict in handling non-compliant peers that send more data than the advertised channel window allows. Previously the additional data would be silently discarded. This change will cause client or server to terminate the connection if the channel window is exceeded by more than a small grace allowance (~10%).
- client as login shell
Manage case when terminal program executes secsh client as login shell.
- "global" ChannelTimeout
Add a "global" ChannelTimeout to client and daemon.
- Bugs:
- non-completed connection
Manage non-completed connection in channel post processing.
- long messages
Ensure eof on long messages to standard error.
- space in configuration directive
Do not append space if subsystem lacks arguments.
- parse single string array options separately
In match block allows option override where first argument could be a specific keyword.
- signal logs
Avoid logging in ssh agent signal handler.
- Misc:
- harden madvise rules in Linux seccomp sandbox
The Linux madvise(2) syscall supports quite a number of flags, and the secsh daemon is not expected to use them.
Filtering madvise arguments should reduce the kernel attack surface.
- build configuration
Use autoconf macro for fgrep. Note egrep and fgrep commands have been deprecated since 2007.
Command is standardized by POSIX with -E and -F flags.
Use plain apostrophes in configuration quotes. Follow autoconf 2.72 changes.
- unlimited argument name in configuration
Do not restrict number of canonical domains and CNAMEs when canonicalizing hostnames.
- manuals
Documentation and usage corrections and improvements.
- force use of ssh askpass for pkcs#11 tests
Avoids running a program in a new session, i.e. replaces the perl-based setsid functionality.
- change pkcs#11 module used in tests
Use SoftHSM2 module in agent pkcs#11 regression tests.
Also test an EC key.
- add certificate tests with pkcs#11 token and pkcs#11 engine
Based on SoftHSM2 module. Tests are not enabled by default as they depend on many external packages.
- certificate regression tests
Prefer SHA256 digest to create test certificates. Activated if build is with OpenSSL 1.1+.
Test with 2048-bit RSA keys.
In hostkey algorithm tests use only RSA based Intermediate CA.
- interoperability tests
Improve conch and putty interoperability tests.
Added tests with dropbear client.
- SHA1 signatures in regression tests
Enable SHA1 signatures in regression tests if deprecated by system policy.
- 13 Jan 2024 : Official version 14.4.2
- What's new:
- Bugs:
- release GSS OIDs only at end of authentication
Correct the previous change to avoid a build failure.
- Misc:
- NULL user information on Android
User information in password structure is also NULL on Android.
Prevent crash if "fake" password file is missing.
- kerberos builds
Enable Kerberos 5 build by default in spec-files.
Also list kerberos libraries before "common" one.
- 6 Jan 2024 : Official version 14.4.1
- What's new:
- Features:
- do not prefer OpenSSH EtM functionality
- exclude EtM functionality from defaults
A pre-processor directive allows EtM functionality to be excluded from the default configurations.
This is yet another work-around to avoid the prefix truncation attack on the ssh binary packet protocol.
It also avoids use of the custom "strict key exchange" extension.
- Bugs:
- fix memory leak in dh and ecdh key exchange
- Misc:
- selinux compatibility with ancient OS-es
Restore use of matchpathcon if selabel_lookup is not available.
- autoconf compatibility with ancient OS-es
- 20 Dec 2023 : Official version 14.4
- What's new:
- Security:
- custom "strict key exchange" extension
Avoids the prefix truncation attack on the secsh binary packet protocol (Terrapin attack).
Another work-around is not to use ChaCha20-Poly1305 and EtM MACs;
for more details see
"Terrapin Attack: Breaking SSH Channel Integrity By Sequence Number Manipulation".
- shell meta-characters
Refuse user or host names provided on the command line that contain most shell meta-characters.
Note this countermeasure is not guaranteed to be effective in all cases.
- Features:
- generate RSA key by default in FIPS mode
Note that since PKIX-SSH 14.3 an Ed25519 key is generated by default.
- add ChannelTimeout support to the client
- add %j token that expands to the configured ProxyJump hostname
- Bugs:
- sftp limits
Return error if custom "limits" extender extension does not receive reply.
- %H token
Update KnownHostsCommand to use exact value for %H token.
- x509v3-ssh-ed25519 in FIPS mode
Explicitly deactivate algorithm "x509v3-ssh-ed25519" from defaults in FIPS mode.
Some vendor OpenSSL 1.1.1 releases crash in EVP_MD_flags() when the library is in FIPS mode and the "none" digest is passed as argument.
- address filter
When connecting via socket, filter addresses by AddressFamily if one was specified.
- Misc:
- prefer PRIV_XPOLICY to PRIV_LIMIT on Solaris 11.1+
- log unmatched paths in secure copy
- release GSS OIDs only at end of authentication
Avoids unnecessary init/cleanup cycles.
- manual pages
Spelling, etc.
- 5 Oct 2023 : Official version 14.3
- What's new:
- Features:
- generate Ed25519 key by default
Ed25519 public keys are very convenient due to their small size.
- run separate pkcs11 helper per module
Makes it easy to reload keys from a pkcs11 module.
- allow override of subsystem directives in match blocks of daemon configuration
- Bugs:
- correct checks for ClientAliveInterval
Fix regression from "correct server loop "client alive probing" logic" that caused the probes to be sent less frequently.
- set interactive mode for ControlPersist sessions if they originally requested a tty
- recursive secure copy in SFTP mode with symbolic links to other directories
In SCP mode, the links are followed, but in SFTP mode they were not.
So, fix experimental SFTP mode of secure copy recursive download and upload of directories that contain symbolic links to other directories.
- close socket pair if cannot fork for pkcs11 helper
Avoid handle leak on error path.
- Misc:
- log invalid secsh identification string with debug level
Minimises pre-authentication "log spam".
- preserve quoting of subsystem commands and arguments
Potentially incompatible change.
- do not exit on duplicate Subsystem directives
- do not delay at all for the "none" authentication mechanism
Also limit login delay to a reasonable maximum (5s).
- pkcs11 helper messages
Improve logging functionality.
- 20 Aug 2023 : Official version 14.2.1
- What's new:
- Bugs:
- timeout to multiplexing local socket
Rewritten, as the previous implementation replaced poll() with waitrfd().
That modification added a regression: signals were ignored.
So, waitfd is rewritten to take signals into account and to accept a "mux termination" flag as a parameter.
- Misc:
- portability
Properly detect zlib 1.3 and use *ifaddrs* related configuration defines.
- 13 Aug 2023 : Official version 14.2
- What's new:
- Security:
- pkcs#11 module misuse
Do not allow pkcs11 providers by default. Finally fixes CVE-2016-10009 and mitigates CVE-2023-38408.
- Features:
- connection tuple
Add new daemon token - connection tuple (%C).
- forward unix domain socket
Experimental support for unix domain sockets to client forward request.
- match localnetwork
Add "localnetwork" case to match criteria.
- configuration tags
Support tags in client configuration.
- android failback path
Drop obsolete "failback path" management from Android packaging.
- "command" based path model
"command" based path model for Android application. Reserved for future.
- Bugs:
- fix public key serialisation if key contains only X.509 distinguished name
- print correctly some PKCS#11 information
- fork after authentication
Ensure that fork after authentication works properly in multiplexed cases.
- timeout in multiplexing
Apply connection timeout to multiplexing local socket connections.
- hostname canonicalization
Do not disable hostname canonicalization if ProxyJump=none is used.
- "no comment" for keys
Resolved issue with missing "no comment" when a key without comment is processed after a key with comment.
- parallel sftp
Try to fix crappy OpenBSD sftp client in parallel cases.
- Misc:
- remote terminal
Do not open a terminal when it is requested not to execute a command on the remote.
- scp in sftp
Check in advance for the source file when secure copy in sftp mode copies local files to remote.
- correct a number of memory leaks
- added checks for OpenSSL 3.0 releases
- avoid matchpathcon
Use selabel_lookup instead of the deprecated selinux matchpathcon function.
- stop printing of "scanned" key information on output error
- update ssh-copy-id script
- 16 Mar 2023 : Official version 14.1.1
- What's new:
- Security:
- bounds checking in getrrsetbyname() compatibility implementation
A specifically crafted response from a domain name server could cause the function to perform out-of-bounds reads.
Does not appear to be exploitable beyond denial-of-service to the ssh(1) client.
This function is called only if client option VerifyHostKeyDNS is set and is used to check CERT or SSHFP resource records.
The compatibility implementation is used only if the function is not provided by the system resolver library.
- Features:
- hash algorithms in SSHFP RR
Allows specifying the hash algorithms used to generate SSHFP RR records for domain name servers.
- print daemon configuration file
Added daemon option -G that parses and prints the effective configuration without attempting to load private keys and perform other checks.
- use sha256 when testing usability of rsa private key
- rewrite checks for Kerberos 5 implementations
Simplify, unify, and modernise configuration tests.
In addition, a pkg-config based rule is added.
- Bugs:
- non-ascii file name in progress meter
Rewrite progress meter to manage properly non-ascii file names.
- clean channel flags
Clean "file descriptors" flags when channel is closed.
Note functionality was added in PKIX-SSH 14.1.
- fix memory leak in sftp filename autocomplete
- fix memory leak in sftp ls command if file status is not available
- Misc:
- improved manual pages
- limit number of entries in "extension negotiation"
- minimise warnings raised by static analysers
- code clean-up - for instance remove unused secsh "compatibility" flags
- 4 Feb 2023 : Official version 14.1
- What's new:
- Security:
- fix use after free memory fault
Compatibility KEX code introduced a double-free in PKIX-SSH 14.0. It does not impact the server side.
The client could be impacted, but only when the server is specially crafted.
- Features:
- control channel inactivity
New daemon option ChannelTimeout automatically closes channels without traffic.
- control unused connections
New daemon option UnusedConnectionTimeout allows to terminate connections without open channels.
- daemon command line argument -V
Output version information like the client utility.
- remote copy/transfer argument -X
Add -X option to remote copy and file transfer programs.
The SFTP parameters that can currently be set are the copy buffer length and the number of in-flight requests.
Obsoletes sftp argument -B/-R.
- Bugs:
- properly process client option PermitRemoteOpen
Allow any/none argument only in first position.
- default multi-string options
Properly dump multi-string configuration options.
- restrict sftp to reasonable values
Do not allow sftp server "limits" extension to set unacceptable buffer sizes and number of open handles.
- suggest system known-host file
Avoid NULL print if user known-host files are not used.
Note some C-library crash if printf function is called with NULL value for string format.
- Misc:
- allow writev in secure computing mode
- optimise read buffers
Use more suitable buffer size for main loops and channel.
Default sizes could be set at build time.
- no host-keys warning
Emit warning if no host-keys for host-based authentication can be loaded.
- use socketpair in remote copy utility
Synchronise remote copy utility communication to ssh sub-processes with file transfer program.
- dump original Host
Add original "Host" line to the output of client configuration test.
- import ed25519 code from SUPERCOP
Update to 20221122 release.
- unify and extend channel names
Prerequisite for new channel controls.
- rewrite some test to use multiplexed session
- 26 Dec 2022 : Official version 14.0.3
- What's new:
- Bugs:
- put on hold "defer seed_rng invocation in daemon"
Regression added in 14.0(14.0.1) release.
Note "reexec" functionality clobbers file descriptors opened after closefrom call.
- 19 Dec 2022 : Official version 14.0.2
- What's new:
- Bugs:
- properly use EVP digest work-around for ECDSA keys
On some Linux releases "OpenSSL's curve secp521r1 is NOT functional". For instance RHEL 6.
- 18 Dec 2022 : Official version 14.0.1
- What's new:
- Features:
- x509v3-ssh-ed25519
Implementation of x509v3-ssh-ed25519 public-key algorithm.
- scan by CIDR address ranges
Allow gather secure shell public keys utility to accept CIDR address ranges.
- prefer user's umask
Honour user's umask if it is more restrictive than the ssh default.
- warn if client cannot load public host-keys for host-based authentication
- Bugs:
- "globs" in sftp mode
Better match scp/rcp's handling of "globs" when secure copy utility runs in experimental sftp mode.
- handle remote forwarding in escape commandline's processing
- properly check for duplicate experimental host-key update
- Misc:
- use key descriptions
Describe keys into specific compilation with respective functional implementation.
- modernised signature operations
Unify sign and verify operations for RSA/DSA/EC keys and X.509 certificates and prefer EVP functions from OpenSSL 1.0+ API.
- defer seed_rng invocation in daemon
Call after closefrom as work-around for random generator provided by an engine.
- improve disabled tracing on FreeBSD
- code clean-up, unification, readability, compatibility and portability
- spelling errors
Correct spelling errors in code and documentation including manual pages.
- improved logging errors
- check for valid canonical domain name when client resolves host-name
- do not ever try to write an invalid name to a known-hosts file
- add ECDSA on P-256 curve to X.509 "self-issued" test
- add new client option EnableEscapeCommandline
- more restrictive pledge(if supported) rules after session establishment
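For the 14.4 and 14.4.1 notes above on the prefix truncation work-around (do not use ChaCha20-Poly1305 and EtM MACs), the following added example, which is not PKIX-SSH code, audits a dumped effective configuration and proposes replacement lines. It assumes the dump is one lowercase "keyword value" pair per line, that algorithm names follow the OpenSSH naming (`chacha20-poly1305@openssh.com`, `*-etm@openssh.com`), and that the lists are set with `Ciphers` and `MACs`; the sample dump is constructed.

```python
# Added example, not PKIX-SSH code. Input format, algorithm names and the
# Ciphers/MACs directive names are assumptions based on OpenSSH conventions.
from fnmatch import fnmatchcase

# Patterns for what the 14.4 note says to avoid, per configuration keyword.
AVOID = {"ciphers": ("chacha20-poly1305@*",), "macs": ("*-etm@*",)}
DIRECTIVE = {"ciphers": "Ciphers", "macs": "MACs"}

# Constructed sample of a dumped effective configuration.
SAMPLE_DUMP = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
kexalgorithms curve25519-sha256
"""


def parse_dump(text):
    """Return {keyword: [algorithm, ...]} for the audited list options."""
    lists = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        if keyword in AVOID:
            lists[keyword] = [a for a in parts[1].strip().split(",") if a]
    return lists


def unchecked(text):
    """Audited keywords that the dump does not show, so nothing is known."""
    return [k for k in AVOID if k not in parse_dump(text)]


def audit(text):
    """Return (findings, remaining): flagged and unflagged algorithms."""
    findings, remaining = {}, {}
    for keyword, algs in parse_dump(text).items():
        bad = [a for a in algs
               if any(fnmatchcase(a, p) for p in AVOID[keyword])]
        findings[keyword] = bad
        remaining[keyword] = [a for a in algs if a not in bad]
    return findings, remaining


def replacement_lines(text):
    """Configuration lines that keep the original order minus flagged entries."""
    findings, remaining = audit(text)
    lines = []
    for keyword, bad in findings.items():
        if not bad:
            continue
        if not remaining[keyword]:
            # An empty algorithm list would make the option unusable.
            raise ValueError(f"removing {bad} would leave {keyword} empty")
        lines.append(f"{DIRECTIVE[keyword]} {','.join(remaining[keyword])}")
    return lines


if __name__ == "__main__":
    for line in replacement_lines(SAMPLE_DUMP):
        print(line)
```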
Support:
- Issue tracking
Development process is public, hosted on GitLab.
For more details see project repository page.
From the project page you can monitor the development process, propose an enhancement or just report an issue.
- Mailing list
The project supports a mailing list where you can share ideas,
discuss your problems, receive project news, etc.
The list is moderated, i.e. available only for list members.
For more information about list (subscription, list archives) please visit
this page.
Features (valid for latest version) :
- X.509 certificate based public-key algorithms:
- x509v3-ecdsa-sha2-nistp256
- x509v3-ecdsa-sha2-nistp384
- x509v3-ecdsa-sha2-nistp521
- x509v3-sign-rsa
- x509v3-ssh-rsa
- x509v3-rsa2048-sha256
- x509v3-sign-dss
- x509v3-ssh-dss
- x509v3-ssh-ed25519
ECDSA, RSA, Ed25519 or DSA X.509 certificates could be used as
"user identity" and/or "host key" in SSH
"Public Key" and "Host-Based" authentications.
- different "x509v3-sign-rsa" signatures
Because it supports both the SHA-1 and MD5 signature formats, PKIX-SSH is interoperable
with implementations from multiple vendors.
Both formats are supported because the "SSH Transport Layer Protocol"
internet drafts do not specify the signature format in the case of
an X.509 certificate for an RSA key.
- different packing of "x509v3-sign-dss" signature
PKIX-SSH is interoperable with implementations from multiple vendors.
It supports DSA signatures packed in the format described in
[RFC2459] and in the "dss_signature_blob" format
specified in the "SecSH Transport" draft and [RFC4253].
Note that the "SSH Transport Layer Protocol" internet drafts before
version 12 specify that the "x509v3-sign-dss" public key algorithm
uses the signature format described in [RFC2459], i.e.
r and s packed in an ASN.1 SEQUENCE.
Some vendors pack DSA signature values in the "dss_signature_blob"
specified in the "SecSH transport" draft for the
"ssh-dss" signature.
- use key and certificate stored in "external devices"
Implementation requires a working OpenSSL loadable module (engine).
The identity used in client authentication can refer to an external
key and/or certificate in two formats:
- store:[SCHEME:][URI],
where [SCHEME] specifies the OpenSSL STORE provider and [URI] is specific to that provider.
Note that the file: scheme is assumed by default.
This format allows loading a user identity from unsupported file formats like PKCS#12.
- engine:[ENGINE_NAME]:[CERT_CRITERIA],
where [ENGINE_NAME] is the name of the OpenSSL engine
and [CERT_CRITERIA] is the engine-specific search criteria used to find the
key and certificate.
For instance you could use "friendly name" to access key and certificate
stored in "Network Security Services (NSS)" database with
e_nss engine.
Remark: NSS is used in programs (web browser, e-mail client) like Firefox,
SeaMonkey, Thunderbird.
- "PKCS#11" module
As second option PKIX-SSH could use PKCS#11 shared library(module) to use
ECDSA or RSA X.509 certificates and private key provided by PKCS#11 tokens.
- Key based only public-key algorithms:
- ssh-rsa
- rsa-sha2-256
- rsa-sha2-512
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- ssh-ed25519
- ssh-dss
- verification (default feature)
By default the server (sshd) and clients (ssh, scp, sftp) always verify signatures and validity
of certificates in the chain when an X.509 certificate based public-key algorithm
is used in the authentication process.
When verification fails, that public key is disallowed.
In addition, the client is able to verify the remote key using DNS with
CERT RR (resource record).
- validation
- CRL (default feature)
When an X.509 certificate is used in authentication, server and client
always verify signatures and validity of existing CRLs issued by
authorities in the certificate chain.
A certificate is allowed only when none of the certificates in the
chain is revoked.
- OCSP (default feature)
Additional validation is performed
when PKIX-SSH is configured to use OCSP
and an X.509 certificate is used in authentication.
- CERT RR
ssh can verify host identification using CERT Resource Record published in DNS.
- PKIX-SSH Agent (ssh-agent and ssh-add programs)
Authentication agent can hold X.509 certificates.
- ssh-keyscan
This tool can gather all of the public-key algorithms listed above, including those with an X.509 certificate as host key:
- x509v3-ecdsa-sha2-nistp256
- x509v3-ecdsa-sha2-nistp384
- x509v3-ecdsa-sha2-nistp521
- x509v3-sign-rsa
- x509v3-ssh-rsa
- x509v3-rsa2048-sha256
- x509v3-sign-dss
- x509v3-ssh-dss
- x509v3-ssh-ed25519
- ssh-keysign
This tool, used in "Host-Based Authentication", can sign
"host keys" containing either an X.509 certificate (ECDSA, RSA, Ed25519 or DSA)
or "plain keys".
- ssh-keygen
When the user identity contains an X.509 certificate, the command:
- creates public key and proposed "SECSH Public Key File Format"
for that certificate.
- shows fingerprint of certificate.
- prints CERT RR (resource record) for specified hostname.
- regression tests
Strong.
- manual pages
Detailed.
- README.x509v3
Brief description of server and client configuration, regression tests, troubleshooting and FAQ.
Get your version from download pages.
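The two "x509v3-sign-dss" packings listed under Features above (r and s in an ASN.1 SEQUENCE, or the fixed-width "dss_signature_blob"), as an added example that is not PKIX-SSH code. It handles only the inner signature value with 160-bit r and s, uses constructed sample values, and its function names are hypothetical; it also shows that a 40-byte input can parse under both packings, so a verifier cannot pick the format from the bytes alone.

```python
# Added example, not PKIX-SSH code: the two packings of a DSA signature value
# (r, s) described for "x509v3-sign-dss". Only the inner signature value is
# handled; the SSH string framing around it is out of scope.

Q_BYTES = 20  # 160-bit r and s, as used by "ssh-dss" in RFC 4253


def blob_encode(r: int, s: int) -> bytes:
    """dss_signature_blob: r || s, each a fixed 20-byte big-endian integer."""
    return r.to_bytes(Q_BYTES, "big") + s.to_bytes(Q_BYTES, "big")


def blob_decode(sig: bytes) -> tuple[int, int]:
    if len(sig) != 2 * Q_BYTES:
        raise ValueError("dss_signature_blob must be exactly 40 bytes")
    return (int.from_bytes(sig[:Q_BYTES], "big"),
            int.from_bytes(sig[Q_BYTES:], "big"))


def _der_int(n: int) -> bytes:
    if n < 0 or n.bit_length() > 8 * Q_BYTES:
        raise ValueError("value does not fit in 160 bits")
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the INTEGER positive
    return b"\x02" + bytes([len(body)]) + body


def asn1_encode(r: int, s: int) -> bytes:
    """SEQUENCE { r INTEGER, s INTEGER } in DER (short-form lengths suffice)."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body


def _read_int(buf: bytes, pos: int) -> tuple[int, int]:
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    n = buf[pos + 1]
    body = buf[pos + 2:pos + 2 + n]
    if n == 0 or n >= 0x80 or len(body) != n:
        raise ValueError("bad INTEGER length")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if n > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    value = int.from_bytes(body, "big")
    if value.bit_length() > 8 * Q_BYTES:
        raise ValueError("INTEGER wider than 160 bits")
    return value, pos + 2 + n


def asn1_decode(sig: bytes) -> tuple[int, int]:
    """Strict parse: exact lengths, minimal integers, no trailing bytes."""
    if (len(sig) < 2 or sig[0] != 0x30 or sig[1] >= 0x80
            or sig[1] != len(sig) - 2):
        raise ValueError("not a short-form DER SEQUENCE of the right length")
    r, pos = _read_int(sig, 2)
    s, pos = _read_int(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return r, s


def candidate_formats(sig: bytes) -> dict[str, tuple[int, int]]:
    """Every packing under which `sig` parses, with the (r, s) it yields.

    Two entries mean the bytes are ambiguous: the caller has to try the
    verification with each candidate instead of guessing the format.
    """
    found = {}
    for name, decode in (("asn1-sequence", asn1_decode),
                         ("dss_signature_blob", blob_decode)):
        try:
            found[name] = decode(sig)
        except ValueError:
            pass
    return found


# Constructed sample values (not real signatures).
R = int("8f" * 20, 16)
S = 0x1234
# A DER encoding that happens to be exactly 40 bytes long.
AMBIGUOUS = asn1_encode(1 << 130, 1 << 131)

if __name__ == "__main__":
    print(candidate_formats(blob_encode(R, S)))
    print(candidate_formats(asn1_encode(R, S)))
    print(sorted(candidate_formats(AMBIGUOUS)))
```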
Todo:
- to implement wildcards(patterns) for DN in
"authorized keys" and "known hosts" files;
- to extend "time limits" with specified time
for given revoked certificates.
History:
- Initial
Initial support began on 4 Apr 2002 with version "a".
Version "b", issued on 11 Jun 2002, adds the "X509 store".
The store is used in the verification process
when a certificate is used as the user's identity in an ssh session.
The store allows use of a "distinguished name" in the authorized keys file.
- Second stage
In this phase certificate support is implemented in other PKIX-SSH executables.
First, ssh-keygen supports certificates since version "c" (20 Jun 2002).
This version introduces regression tests.
Later, in version "d" (30 Jul 2002), support is added to the ssh agent.
As a result PKIX-SSH supports certificates as user identity entirely.
- Complete support
Since version "e" (21 Nov 2002) manual pages are updated with
information about X.509 certificate support.
Support for certificates as host key is introduced as well.
As of version "f" (30 Jan 2003) CRLs are supported.
Because certificate support is complete as of version "f",
the client prefers algorithms with certificates for host key.
- Compatibility
The compatibility phase begins with version "g" (3 Feb 2003).
In version "g1" (30 Apr 2003) regression test scripts are updated to work well with various shells.
Since version "g2" (12 Jun 2003) public key algorithm "x509v3-sign-rsa"
accepts "sha1" signatures in addition to "md5" and
now PKIX-SSH is interoperable with all major ssh implementations.
This version works fine with OpenSSL 0.9.7+.
Later, in versions "g3" (25 Feb 2004) and "g4" (9 May 2004),
code, documentation and regression tests are cleaned up.
- Validator
The fifth phase began with OCSP (Online Certificate Status Protocol) support
added in version "h" (6 Apr 2004).
Later the version schema is changed to the more common format with numbers N.N{.N} and the next version is 5.1.
In version 5.3 compatibility is enhanced to support (in addition to [RFC3279] DSA signatures) the format defined for the "ssh-dss" signature.
Self-issued certificates can be permitted by the "authorized keys" file since version 5.4 if the configuration allows this.
A correction for the OCSP responder location obtained from the certificate is added in version 5.4 and OCSP SSL support is enabled in 5.5.
- International
Since version 6.0 (7 Aug 2007) PKIX-SSH can deal with a "distinguished name" stored in the authorized keys file as a UTF-8 string or escaped.
Before comparison, printable attributes are converted to UTF-8.
- Integration
Starting from version 7.0 (22 Aug 2011) PKIX-SSH can communicate
with other applications by using OpenSSL engines.
For instance the client could use certificates and keys stored in external devices.
Version 7.1 (15 Jan 2012) supports builds with a FIPS-enabled OpenSSL library and
adds direct support of X.509 certificates (RSA) from a PKCS11 module.
Since this version sha1 is the preferred algorithm and programs start to identify
as PKIX in the comment of the ssh identification string.
Build for android host is supported since version 7.2 (22 Apr 2012).
With version 7.5 (19 May 2013) the "known hosts" file may contain the distinguished name
of the host X.509 certificate.
- Elliptic
Version 8.0 (11 Aug 2014) is the first secure shell implementation that
supports the X.509 ECDSA algorithm as defined in [RFC6187] - initially for client and server.
It is the first version that provides a complete tar archive for download.
Version 8.2 (23 Nov 2014) adds support of the X.509 ECDSA algorithm in the agent.
From version 8.4 (1 Jul 2015) EC keys or X.509 certificates stored on an external device
can be used with loadable cryptographic modules - OpenSSL engines.
Support for FIPS environments is enhanced in version 8.1 (29 Sep 2014) with fipscheck
for the "Red Hat" FIPS validated environment.
Version 8.2 (23 Nov 2014) is successfully tested with the Solaris 11.2 FIPS validated OpenSSL module.
Lists with allowed algorithms support patterns since version 8.3 (18 March 2015).
Support for EC keys and certificates stored in PKCS#11 tokens is added in version 8.8 (29 Feb 2016).
- New OpenSSL API
Starting with version 9.0 code that uses OpenSSL is updated to use OpenSSL API introduced with version 1.1.0.
Local accessor functions ensure compatibility with previous versions of cryptographic library.
- True RFC6187
Version 10.0 (25 Feb 2017) correctly implements ecdsa X.509 algorithms according to RFC6187.
This is the reason the daemon starts to advertise the PKIX-SSH release in connections.
This version also adds rsa and dss algorithms according to RFC6187.
In 10.1 (25 Mar 2017) adaptive public key algorithm selection functionality is implemented.
It uses server extension "publickey-algorithms@roumenpetrov.info" (preferred)
or "server-sig-algs" to find the most suitable algorithm for the user identity.
With 10.2 (21 May 2017) the Android port is considered complete and is packaged as an application -
SecureBox.
- Prefer RFC6187
Version 11.0 (8 Oct 2017) prefers X.509 algorithms as described in RFC6187 over the legacy ones described in draft-ietf-secsh-transport-12.txt.
The release starts to use more advanced adaptive algorithm selection based on extension "publickey-algorithms@roumenpetrov" with fall-back to "server-sig-algs".
In addition, for each hostkey the daemon offers all supported public key algorithms based on key material.
- Modern
Version 12.0 (18 Apr 2019) increases the default RSA key size to 3072 bits,
removes "insecure" key exchange methods from defaults and
adds a post-quantum cryptography key exchange method.
In 12.1 (29 Apr 2019) algorithm x509v3-rsa2048-sha256 (RFC 6187) is added.
Release 12.2 (26 Sep 2019) is prepared for packaging according to Android 10 (API Level 29) requirements.
Since 12.3 (13 Oct 2019) keys are stored using industry standard PKCS#8 and use the aes256 algorithm.
News archives:
Miscellaneous:
- Cryptography
The recommended cryptographic library is
OpenSSL.
Before using PKIX-SSH please read the
OpenSSL security advisories.
In addition to cryptographic algorithms, the library allows externally managed user identities (keys) to be used.
Access is based on engine or store functionality.
Fully supported releases start from ancient 0.9.7 up to recent stable 1.1.1.
Note: PKIX-SSH builds with OpenSSL releases 3.0* and 3.1* and passes regression tests.
It does not support the "provider" interface as it is not considered stable enough.
Also, use of such builds is not yet recommended due to overall issues.