PKIX-SSH
secure shell with
X.509 v3 certificate support
Content:
News:
- 5 Oct 2023 : Offical version 14.3
- What's new:
- Features:
- generate Ed25519 key by default
Ed25519 public keys are very convenient due to their small size.
- run separate pkcs11 helper per module
Allows easily to reload keys from a pkcs11 module.
- allow override of subsystem directives in match blocks of daemon configuration
- Bugs:
- correct checks for ClientAliveInterval
Fix regression from "correct server loop "client alive probing" logic" that caused the probes to be sent less frequently.
- set interactive mode for ControlPersist sessions if they originally requested a tty
- recursive secure copy in SFTP mode with symbolic links to other directories
In SCP mode, the links are followed, but in SFTP mode they were not.
So, fix experimental SFTP mode of secure copy recursive download and upload of directories that contain symbolic links to other directories.
- close socket pair if cannot fork for pkcs11 helper
Avoid handle leak on error path.
- Misc:
- log invalid secsh identification string with debug level
Minimises pre-authentication "log spam".
- preserve quoting of subsystem commands and arguments
Potentially incompatible change.
- do not exit on duplicate duplicate Subsystem directives
- do not delay at all for the "none" authentication mechanism
Also limit login delay to a reasonable maximum (5s).
- pkcs11 helper messages
Improve logging functionality.
- 20 Aug 2023 : Offical version 14.2.1
- What's new:
- Bugs:
- timeout to multiplexing local socket
Rewrite as previous implementation replace poll() with waitrfd().
Modification adds regression - signals are ignored.
So, rewrite waitfd do take into account signals and to accept "mux termination" flag as parameter.
- Misc:
- portability
Properly detect zlib 1.3 and use *ifaddrs* related configuration defines.
- 13 Aug 2023 : Offical version 14.2
- What's new:
- Security:
- pkcs#11 module misuse
Do not allow pkcs11 providers by default. Fixes finally CVE-2016-10009 and mitigates CVE-2023-38408.
- Features:
- connection tupple
Add new daemon token - connection tupple(%C).
- forward unix domain socket
Experimental support for unix domain sockets to client forward request.
- match localnetwork
Add "localnetwork" case to match criteria.
- configuration tags
Support tags in client configuration.
- android failback path
Drop obsolete "failback path" management from Android packaging.
- "command" based path model
"command" based path model for Android application. Reserved for future.
- Bugs:
- fix public key serialisation if key contain only X.509 distinguished name
- print correctly some PKCS#11 information
- fork after authentication
Ensure that fork after authentication work properly in multiplexed cases.
- timeout in multiplexing
Apply connection timeout to multiplexing local socket connections.
- hostname canonicalization
Do not disable hostname canonicalization if ProxyJump=none is used.
- "no comment" for keys
Resolved issue with missing "no comment" when keys without comment is processed after key with comment.
- paraller sftp
Try to fix crappy OpenBSD sftp client in parallel cases.
- Misc:
- remote terminal
Do not open terminal when is requested do not execute command on remote.
- scp in sftp
Check in advance for source file when secure copy in sftp mode copy local to remote files.
- correct a number of memory leaks
- added checks for OpenSSL 3.0 releases
- avoid matchpathcon
Use selabel_lookup instead deprecated selinux matchpathcon function.
- stop printing of "scanned" key information on output error
- update ssh-copy-id script
- 16 Mar 2023 : Offical version 14.1.1
- What's new:
- Security:
- bounds checking in getrrsetbyname() compatibility implementation
A specifically crafted response from domain name server could cause function to perform an out-of-bounds reads
Does not appear to be exploitable beyond denial-of-service to the ssh(1) client.
This function is called only if client option VerifyHostKeyDNS is set and is used to check CERT or SSHFP resource records.
Compatibility implementation is used only if is not provided by system resolver library.
- Features:
- hash algorithms in SSHFP RR
Allow to specify hash algorithms used to generate SSHFP RR records for domain name servers.
- print daemon configuration file
Added daemon option -G that parses and prints the effective configuration without attempting to load private keys and perform other checks.
- use sha256 when testing usability of rsa private key
- rewrite checks for Kerberos 5 implementations
Simplify, unify, and modernise configuration tests.
In addition is added pkg-config based rule.
- Bugs:
- non-ascii file name in progress meter
Rewrite progress meter to manage properly non-ascii file names.
- clean channel flags
Clean "file descriptors" flags when channel is closed.
Note functionality was added in PKIX-SSH 14.1.
- fix memory leak in sftp filename autocomplete
- fix memory leak in sftp ls command if file status is not available
- Misc:
- improved manual pages
- limit number of entries in "extension negotiation"
- minimise warnings raised by static analysers
- code clean-up - for instance remove unused secsh "compatibility" flags
- 4 Feb 2023 : Offical version 14.1
- What's new:
- Security:
- fix use after free memory fault
Compatibility KEX code introduced a double-free in PKIX-SSH 14.0. It is does not impact server side.
Client could be impacted but when server is specially crafted.
- Features:
- control channel inactivity
New daemon option ChannelTimeout automatically closes channels without traffic.
- control unused connections
New daemon option UnusedConnectionTimeout allows to terminate connections without open channels.
- daemon command line argument -V
Output version information like the client utility.
- remove copy/transfer argument -X
Add -X option to remove copy and file transfer programs.
Currently sets SFTP parameters are the copy buffer length and the number of inflight requests.
Obsoletes sftp argument -B/-R.
- Bugs:
- properly process client option PermitRemoteOpen
Allow any/none argument only in first position.
- default multi-string options
Properly dump multi-string configuration options.
- restrict sftp to reasonable values
Do not allow sftp server "limits" extension to set unacceptable buffer sizes and number of open handles.
- suggest system known-host file
Avoid NULL print if user known-host files are not used.
Note some C-library crash if printf function is called with NULL value for string format.
- Misc:
- allow writev in secure secure computing mode
- optimise read buffers
Use more suitable buffer size for main loops and channel
Default sizes could set at build time.
- no host-keys warning
Emit warning if no host-keys for host-based authentication can be loaded.
- use socketpair in remote copy utility
Synchronise remote copy utility communication to ssh sub-processes with file transfer program.
- dump original Host
Add original "Host" line to the output of client configuration test.
- import ed25519 code from SUPERCOP
Update to 20221122 release.
- unify and extend channel names
Prerequisite for new channel controls.
- rewrite some test to use multiplexed session
- 26 Dec 2022 : Offical version 14.0.3
- What's new:
- Bugs:
- put on hold "deffer seed_rng invocation in daemon"
Regression added in 14.0(14.0.1) release.
Note "reexec" functionality clobbers file descriptors opened after closefrom call.
- 19 Dec 2022 : Offical version 14.0.2
- What's new:
- Bugs:
- properly use EVP digest work-around for ECDSA keys
On some Linux releases "OpenSSL's curve secp521r1 is NOT functional". For instance RHEL 6.
- 18 Dec 2022 : Offical version 14.0.1
- What's new:
- Features:
- x509v3-ssh-ed25519
Implementation of x509v3-ssh-ed25519 public-key algorithm.
- scan by CIDR address ranges
Allow gather secure shell public keys utility to accept CIDR address ranges.
- prefer user's umask
Honour user's umask if it is more restrictive then the ssh default.
- warn if client cannot load public host-keys for host-based authentication
- Bugs:
- "globs" in sftp mode
Better match scp/rcp's handling of "globs" when secure copy utility runs in experimental sftp mode.
- handle remote forwarding in escape commandline's processing
- properly check for duplicate experimental host-key update
- Misc:
- use key descriptions
Describe keys into specific compilation with respective functional implementation.
- modernised signature operations
Unify sign and verify operations for RSA/DSA/EC keys and X.509 certificates and prefer EVP functions from OpenSSL 1.0+ API.
- deffer seed_rng invocation in daemon
Call after closefrom as work-around for random generator provided by an engine.
- improve disabled tracing on FreeBSD
- code clean-up, unification, readability, compatibility and portability
- spelling errors
Correct spelling errors in code and documentation including manual pages.
- improved logging errors
- check for valid canonical domain name when client resolves host-name
- do not ever try to write an invalid name to a known-hosts file
- add ECDSA on P-256 curve to X.509 "self-issued" test
- add new client option EnableEscapeCommandline
- more restrictive pledge(if supported) rules after session establishment
Support:
- Issue tracking
Development process is public hosted on GitLab.
For mode details see project repository page.
From project page you could monitor development process, propose enhancement or just report an issue.
- Mailing list
Project supports mailing list where you could share ideas,
discuss your problems, receive project news and etc.
The list is moderated, i.e. available only for list members.
For more information about list (subscription, list archives) please visit
this page.
Features (valid for latest version) :
- X.509 certificate based public-key algorithms:
- x509v3-ecdsa-sha2-nistp256
- x509v3-ecdsa-sha2-nistp384
- x509v3-ecdsa-sha2-nistp521
- x509v3-sign-rsa
- x509v3-ssh-rsa
- x509v3-rsa2048-sha256
- x509v3-sign-dss
- x509v3-ssh-dss
- x509v3-ssh-ed25519
ECDSA, RSA, Ed25519 or DSA X.509 certificates could be used as
"user identity" and/or "host key" in SSH
"Public Key" and "Host-Based" authentications.
- different "x509v3-sign-rsa" signatures
As support for SHA-1 and MD5 signature format PKIX-SSH is interoperable
with implementations from multiple vendors.
Both formats are supported because "SSH Transport Layer Protocol"
internet drafts does not specify signature format in case of
X.509 certificate for RSA key.
- different packing of "x509v3-sign-dss" signature
PKIX-SSH is interoperable with implementations from multiple vendors.
It support DSA signatures packed in format as is described in
[RFC2459] and "dss_signature_blob" format as
is specified in "SecSH Transport" draft and [RFC4253].
Note "SSH Transport Layer Protocol" internet draft before
version 12 specify "x509v3-sign-dss" public key algorithm
to use signature format as is described in [RFC2459], i.e.
r and s packed in ASN.1 SEQUENCE.
Some vendors pack DSA signature values in "dss_signature_blob"
as is specified in "SecSH transport" draft for
"ssh-dss" signature.
- use key and certificate stored in "external devices"
Implementation requires working OpenSSL loadable module(engine).
The identity used in client authentication could refer to external
key and/or certificate in two formats:
- store:[SCHEME:][URI],
where [SCHEME] is specify OpenSSL STORE provider and [URI] is specific to that provider.
Note by default is assumed file: scheme.
This format allows load of user identify from unsupported file formats like PKCS#12.
- engine:[ENGINE_NAME]:[CERT_CRITERIA],
where [ENGINE_NAME] is name of OpenSSL engine
and [CERT_CRITERIA] is specific to engine search criteria to find the
key and certicate.
For instance you could use "friendly name" to access key and certificate
stored in "Network Security Services (NSS)" database with
e_nss engine.
Remark: NSS is used in programs(web-browser. e-mail client) like Firefox,
SeaMonkey, Thunderbird.
- "PKCS#11"module
As second option PKIX-SSH could use PKCS#11 shared library(module) to use
ECDSA or RSA X.509 certificates and private key provided by PKCS#11 tokens.
- Key based only public-key algorithms:
- ssh-rsa
- rsa-sha2-256
- rsa-sha2-512
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- ssh-ed25519
- ssh-dss
- verification (default feature)
By default server(sshd) and clients(ssh,scp,sftp) always verify signatures and validity
of certificates in chain when a X.509 certificate based public-key algorithm
is used in authentication process.
When verification fail that public-key is disallowed.
In additional client is able to verify remote key using DNS with
CERT RR (resource record).
- validation
- CRL (default feature)
When a X.509 certificate is used in authentication, server and client
always verify signatures and validity of existing CRLs issued by
authorities in certificate chain.
Certificate is allowed only when no one of certificates in the
chain is revoked.
- OCSP (default feature)
Additional validation is performed
when PKIX-SSH is configured to use OCSP
and a X.509 certificate is used in authentication.
- CERT RR
ssh can verify host identification using CERT Resource Record published in DNS.
- PKIX-SSH Agent (ssh-agent and ssh-add programs)
Authentication agent can hold X.509 certificates.
- ssh-keyscan
This tools can gather all above listed public-key algorithms including those with X.509 certificate as host key:
- x509v3-ecdsa-sha2-nistp256
- x509v3-ecdsa-sha2-nistp384
- x509v3-ecdsa-sha2-nistp521
- x509v3-sign-rsa
- x509v3-ssh-rsa
- x509v3-rsa2048-sha256
- x509v3-sign-dss
- x509v3-ssh-dss
- x509v3-ssh-ed25519
- ssh-keysign
This tools used in "Host-Based Authentication" can sign
"host keys" containing either X.509 certificate (ECDSA, RSA, Ed25519 or DSA)
or "plain keys".
- ssh-keygen
when user identity contain a X.509 certificate, command:
- creates public key and proposed "SECSH Public Key File Format"
for that certificate.
- shows fingerprint of certificate.
- prints CERT RR (resource record) for specified hostname.
- regression tests
Strong.
- manual pages
Detailed.
- README.x509v3
Brief description of server and client configuration, regression tests, troubleshooting and FAQ.
Get your version from download pages.
Todo:
- to implement wildcards(patterns) for DN in
"authorized keys" and "known hosts" files;
- to extend "time limits" with specified time
for given revoked certificates.
History:
- Initial
Initial support began from 4 Apr 2002 with version "a".
Version "b" issued on 11 Jun 2002 add "X509 store".
The store is in use in verification process
when a certificate is used as user's identity is ssh session.
The store allow use of "distinguished name" in authorized keys file.
- Second stage
In this phase certificate support is implemented in other PKIX-SSH executables.
For first ssh-keygen support certificates since version "c" (20 Jun 2002).
This version introduce regression tests.
Later in version "d" (30 Jul 2002) support is added to ssh agent.
As result PKIX-SSH support certificates as user identity entirely.
- Complete support
Since version "e" (21 Nov 2002) manual pages are updated with
information about X.509 certificate support.
As well support for certificates as host key in introduced.
As version "f" (30 Jan 2003) CRL are supported.
Because certificate support is complete as version "f"
client prefer algorithms with certificates for host key.
- Compatibility
Compatibility phase begin with version "g" (3 Feb 2003).
In version "g1" (30 Apr 2003) regression test scripts are updated to work well with various shells.
Since version "g2" (12 Jun 2003) public key algorithm "x509v3-sign-rsa"
accept "sha1" signatures in addition to "md5" and
now PKIX-SSH is interoperable with all major ssh implementations.
This version work fine with OpenSSL 0.9.7+.
Later in versions "g3" (25 Feb 2004) and "g4" (9 Maj 2004)
code, documentation and regression test are cleaned up.
- Validator
Fifth phase began with OCSP (Online Certificate Status Protocol) support
added in version "h" (6 Apr 2004).
Later version schema is changed to more common format with numbers N.N{.N} and next version is 5.1.
In version 5.3 compatibility is enhanced to support (in addition to [RFC3279] DSA signatures) format defined for "ssh-dss" signature.
Self issued certificates can be permitted by "autorized keys" file since version 5.4 if configuration allow this.
Correction for OCSP responder location obtained from certificate is added in version 5.4 and OCSP SSL support is enabled in 5.5.
- International
Since version 6.0 (7 Aug 2007) PKIX-SSH can deal with "distinguished name" stored in autorized keys file as UTF-8 string or escaped.
Before to compare printable attributes are converted to utf-8.
- Integration
Starting from version 7.0 (22 Aug 2011) PKIX-SSH can communicate
with other applications by using OpenSSL engines.
For instance client could use certificates and keys stored in external devices.
Version 7.1 (15 Jan. 2012) support build with FIPS enabled OpenSSL library and
adds direct support of X.509 certificates(RSA) from PKCS11 module.
Since this version sha1 is preferred algorithm and programs start to identify
as PKIX in comment from ssh identification string.
Build for android host is supported since version 7.2 (22 Apr. 2012).
With version 7.5(19 May 2013) "known hosts" file may contain distinguished name
of host X.509 certificate.
- Elliptic
Version 8.0 (11 Aug.2014) is first secure shell implementation that
support X.509 ECDSA algorithm as defined in [RFC6187] - initially for client and server.
It is first version that provides complete tar archive for download.
With version 8.2 (23 Nov. 2014) adds support of X.509 ECDSA algorithm in agent.
From version 8.4 (1 Jul 2015) EC keys or X.509 certificates stored on external device
could be used with loadable cryptographic modules - OpenSSL engines.
Support for FIPS environments is enhanced in version 8.1 (29 Sep. 2014) with fipscheck
for "Red Hat" FIPS validated environment.
Version 8.2 (23 Nov. 2014) is successfully tested with Solaris 11.2 FIPS validated OpenSSL module.
Lists with allowed algorithms support patterns since version 8.3 (18 Mart 2015).
Support for EC keys and certificates stored in PKCS#11 tokens is added in version 8.8 (29 Feb 2016).
- New OpenSSL API
Starting with version 9.0 code that uses OpenSSL is updated to use OpenSSL API introduced with version 1.1.0.
Local accessor functions ensure compatibility with previous versions of cryptographic library.
- True RFC6187
Version 10.0 (25 Feb 2017) correctly implements ecdsa X.509 algorithms according RFC6187.
This is reason daemon to start to advertise PKIX-SSH release in connections.
Also version adds rsa and dss algorithms according RFC6187 as well.
In 10.1 (25 Mar 2017) is implemented adaptive public key algorithm selection functionality.
It uses server extension "publickey-algorithms@roumenpetrov.info" (preferred)
or "server-sig-algs" to find most suitable algorithm for user identity.
With 10.2 (21 May 2017) Android port is considered complete and is packaged as application -
SecureBox.
- Prefer RFC6187
Version 11.0 (8 Oct 2017) prefer X.509 algorithms a described in RFC6187 over legacy one described in draft-ietf-secsh-transport-12.txt.
Release starts to use more advanced adaptive algorithm selection based on extension "publickey-algorithms@roumenpetrov" with fail-back to "server-sig-algs".
In addition daemon for each hostkey offers all supported public key algorithms based on key material.
- Modern
Version 12.0 (18 Apr 2019) increase default RSA key size to 3072 bits,
removes "insecure" key exchange methods from defaults and
adds a post-quantum cryptography key exchange method.
In 12.1 (29 Apr 2019) is added algorithm x509v3-rsa2048-sha256 (RFC 6187).
Release 12.2 (26 Sep 2019) is prepared for packaging according Android 10 (API Level 29) requirements.
Since 12.3 (13 Oct 2019) keys are stored using industrial standard PKCS#8 and use aes256 algorithm.
News archives:
Miscellaneous:
- Cryptography
-
Recommended cryptographic library is
OpenSSL.
Before to use PKIX-SSH please read
OpenSSL security advisories.
In addition to cryptographic algorithms library allows to be used externally managed user identities(keys).
Access is based on engine or store functionality.
Fully supported releases start from ancient 0.9.7 up to recent stable 1.1.1.
Note: PKIX-SSH builds with OpenSSL releases 3.0* and 3.1* and pass regression tests.
It does not support "provider" interface as is not considered stable enough.
Also use of such builds is not yet recommended due to overall issues.
|