Announce: X.509 certificates support in OpenSSH (version 6.1-International)
Roumen Petrov
openssh at roumenpetrov.info
Sat Oct 27 08:07:34 EST 2007
Hi All,
The version 6.1 of "X.509 certificates support in OpenSSH" is ready for
download. On page http://www.roumenpetrov.info/openssh/download.html you
can found diffs for OpenSSH versions 4.5p1,4.6p1 and 4.7p1.
Details ( from http://www.roumenpetrov.info/openssh ):
* distinguished name compare bug(security):
The bug affect versions 6.0 and 6.0.1 only. The work around is to
write in "authorized keys" or "known hosts" files certificates in "blob"
format instead "distinguished name".
* uniform format for distinguished name output:
Distinguished name print use common uniform format so that the name
is same in all debug messages. The change also overcome existing prior
limitation to print only first 512 characters form name.
* char to integer conversion bug:
Problem with conversion of non-ascii characters to integers on some
old systems is resolved. All versions prior 6.1 are affected. Work
around is to write in "authorized keys" or "known hosts" files
certificates in "blob" format. Linux is not affected and problem exist
on some old Unix-es.
* OCSP support enabled by default:
Now the OCSP support is build by default and users could configure
theirs system to perform additional OCSP validation.
* use non-deprecated LDAP functions
The "X509 store" (if ldap support is build and configured) can query
directory services for certificates. This is implemented as OpenSSL
X509_LOOKUP method. The implementation is changed to avoid use of
functions marked as deprecated in OpenLDAP headers. As result of the
change "X509 store" option CAldapURL should be escaped (see details in
man pages).
Roumen
More information about the openssh-unix-dev
mailing list