Announce: X.509 certificates support in OpenSSH version 5.4

Roumen Petrov openssh at
Fri Apr 28 04:38:09 EST 2006

Hi All,

The version 5.4 of "X.509 certificates support in OpenSSH" is ready for download.
On download page
you can found diffs for OpenSSH versions 4.2p1 and 4.3p2.

What's new:
* given up support for "x509v3-sign-rsa-sha1" and "x509v3-sign-dss-sha1"
     The implementation realised in previous version 5.3 is not fully in conformance
   with "draft-ietf-secsh-x509-02.txt"

* correct nid for OCSP responder location
     All version before 5.4 search for nid "id-pkix-ocsp-service-locator"
   instead for correct one "id-ad-ocsp" to find location of OCSP responder.

* public key permit X.509 certificate for authentication
     Now the public key listed in authorized keys file permit too a X.509 certificate
   with public key that match it to be used in "public key authentication".

* client option "PubkeyAlgorithms"
     This new clent option specifies the protocol version 2 algorithms used in
   "publickey" authentication allowed to sent to the host.

* server option "KeyAllowSelfIssued"
     This new server option specifies whether only public key or certificate blob
   listed in authorized keys file can allow self-issued(self-signed) X.509
   certificate to be used for user authentication.

Please visit "" for more information
about "X.509 certificates support in OpenSSH".

Roumen Petrov

More information about the openssh-unix-dev mailing list