Announce: X.509 certificates support in OpenSSH (version 6.1-International)

Roumen Petrov openssh at
Sat Oct 27 08:07:34 EST 2007

Hi All,

The version 6.1 of "X.509 certificates support in OpenSSH" is ready for 
download. On page you 
can found diffs for OpenSSH versions 4.5p1,4.6p1 and 4.7p1.

Details ( from ):
* distinguished name compare bug(security):
   The bug affect versions 6.0 and 6.0.1 only. The work around is to 
write in "authorized keys" or "known hosts" files certificates in "blob" 
format instead "distinguished name".

* uniform format for distinguished name output:
   Distinguished name print use common uniform format so that the name 
is same in all debug messages. The change also overcome existing prior 
limitation to print only first 512 characters form name.

* char to integer conversion bug:
   Problem with conversion of non-ascii characters to integers on some 
old systems is resolved. All versions prior 6.1 are affected. Work 
around is to write in "authorized keys" or "known hosts" files 
certificates in "blob" format. Linux is not affected and problem exist 
on some old Unix-es.

* OCSP support enabled by default:
   Now the OCSP support is build by default and users could configure 
theirs system to perform additional OCSP validation.

* use non-deprecated LDAP functions
   The "X509 store" (if ldap support is build and configured) can query 
directory services for certificates. This is implemented as OpenSSL 
X509_LOOKUP method. The implementation is changed to avoid use of 
functions marked as deprecated in OpenLDAP headers. As result of the 
change "X509 store" option CAldapURL should be escaped (see details in 
man pages).


More information about the openssh-unix-dev mailing list