openssh unix dev - Oct 2007 - Announce: X.509 certificates support in OpenSSH (version 6.1-International)

Hi All,

The version 6.1 of "X.509 certificates support in OpenSSH" is ready
for
download. On page http://www.roumenpetrov.info/openssh/download.html you 
can found diffs for OpenSSH versions 4.5p1,4.6p1 and 4.7p1.


Details ( from http://www.roumenpetrov.info/openssh ):
* distinguished name compare bug(security):
   The bug affect versions 6.0 and 6.0.1 only. The work around is to 
write in "authorized keys" or "known hosts" files
certificates in "blob"
format instead "distinguished name".

* uniform format for distinguished name output:
   Distinguished name print use common uniform format so that the name 
is same in all debug messages. The change also overcome existing prior 
limitation to print only first 512 characters form name.

* char to integer conversion bug:
   Problem with conversion of non-ascii characters to integers on some 
old systems is resolved. All versions prior 6.1 are affected. Work 
around is to write in "authorized keys" or "known hosts"
files
certificates in "blob" format. Linux is not affected and problem exist
on some old Unix-es.

* OCSP support enabled by default:
   Now the OCSP support is build by default and users could configure 
theirs system to perform additional OCSP validation.

* use non-deprecated LDAP functions
   The "X509 store" (if ldap support is build and configured) can
query
directory services for certificates. This is implemented as OpenSSL 
X509_LOOKUP method. The implementation is changed to avoid use of 
functions marked as deprecated in OpenLDAP headers. As result of the 
change "X509 store" option CAldapURL should be escaped (see details in
man pages).


Roumen