Announce: X.509 certificates support in OpenSSH version 5.4
Roumen Petrov
openssh at roumenpetrov.info
Fri Apr 28 04:38:09 EST 2006
Hi All,
The version 5.4 of "X.509 certificates support in OpenSSH" is ready for download.
On the download page http://roumenpetrov.info.localhost/openssh/download.html#get_-5.4
you can find diffs for OpenSSH versions 4.2p1 and 4.3p2.
What's new:
* dropped support for "x509v3-sign-rsa-sha1" and "x509v3-sign-dss-sha1"
The implementation in the previous version 5.3 is not fully in conformance
with "draft-ietf-secsh-x509-02.txt".
* correct nid for the OCSP responder location
All versions before 5.4 search for the nid "id-pkix-ocsp-service-locator"
instead of the correct one, "id-ad-ocsp", to find the location of the OCSP responder.
* public key permits an X.509 certificate for authentication
Now a public key listed in the authorized keys file also permits an X.509 certificate
whose public key matches it to be used in "public key authentication".
* client option "PubkeyAlgorithms"
This new client option specifies the protocol version 2 algorithms used in
"publickey" authentication that are allowed to be sent to the host.
* server option "KeyAllowSelfIssued"
This new server option specifies whether a plain public key or a certificate blob
listed in the authorized keys file can allow a self-issued (self-signed) X.509
certificate to be used for user authentication.
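The OCSP nid fix above is easy to misjudge because both object identifiers live under the same id-pkix-ocsp arc. The following Python script, an added illustration that is neither part of this announcement nor of the OpenSSH X.509 patch, builds a constructed AuthorityInfoAccess extension value (the URIs are placeholders) with a tiny DER encoder and then looks up the OCSP responder the way the patch does: by access method OID. Searching for id-pkix-ocsp-service-locator (1.3.6.1.5.5.7.48.1.7, an OCSP request extension, as in versions before 5.4) returns nothing; searching for id-ad-ocsp (1.3.6.1.5.5.7.48.1) returns the responder URI. OID values are from RFC 2560 and RFC 3280; the encoder handles the general multi-byte arc case, not only these OIDs.

```python
# Added example (not part of the announcement or of the X.509 patch):
# a minimal DER encoder/decoder for an AuthorityInfoAccess extension value,
# used to show why searching for the wrong OID finds no OCSP responder.

# OIDs from RFC 2560 / RFC 3280.
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"                      # correct accessMethod for OCSP
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"                 # caIssuers accessMethod
ID_PKIX_OCSP_SERVICE_LOCATOR = "1.3.6.1.5.5.7.48.1.7"  # the nid used before 5.4 (wrong)


def _der_length(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    """Wrap body in a tag/length/value triple."""
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    """Decode the value bytes of an OBJECT IDENTIFIER back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf, off):
    """Return (tag, value, next_offset) for the TLV starting at buf[off]."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def build_aia(entries):
    """entries: list of (accessMethod OID, URI). Returns a DER AuthorityInfoAccess value."""
    descs = b"".join(
        # AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
        # GeneralName [6] uniformResourceIdentifier is context tag 0x86.
        _tlv(0x30, encode_oid(oid) + _tlv(0x86, uri.encode("ascii")))
        for oid, uri in entries
    )
    return _tlv(0x30, descs)


def access_locations(aia_der, wanted_oid):
    """Return the URI access locations whose accessMethod equals wanted_oid."""
    tag, seq, _ = _read_tlv(aia_der, 0)
    assert tag == 0x30, "AuthorityInfoAccess must be a SEQUENCE"
    found = []
    off = 0
    while off < len(seq):
        _, desc, off = _read_tlv(seq, off)
        _, oid_body, pos = _read_tlv(desc, 0)
        loc_tag, loc, _ = _read_tlv(desc, pos)
        if decode_oid(oid_body) == wanted_oid and loc_tag == 0x86:
            found.append(loc.decode("ascii"))
    return found


# Constructed sample AIA, as a CA-issued client certificate might carry (placeholder URIs).
SAMPLE_AIA = build_aia([
    (ID_AD_OCSP, "http://ocsp.example.test/"),
    (ID_AD_CA_ISSUERS, "http://ca.example.test/ca.cer"),
])


def ocsp_responders_correct(aia_der=SAMPLE_AIA):
    """Lookup as of version 5.4: search by id-ad-ocsp."""
    return access_locations(aia_der, ID_AD_OCSP)


def ocsp_responders_pre_5_4(aia_der=SAMPLE_AIA):
    """Lookup as before 5.4: the service-locator nid never matches an AIA entry."""
    return access_locations(aia_der, ID_PKIX_OCSP_SERVICE_LOCATOR)


if __name__ == "__main__":
    print("id-ad-ocsp          ->", ocsp_responders_correct())
    print("ocsp-service-locator ->", ocsp_responders_pre_5_4())
```

Running the script prints the responder URI for the id-ad-ocsp lookup and an empty list for the service-locator lookup, which is exactly the silent failure the pre-5.4 code had: no error, just no OCSP check.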
Please visit "http://roumenpetrov.info/openssh/" for more information
about "X.509 certificates support in OpenSSH".
Regards,
Roumen Petrov