Release Notes for SSH Tectia Server 5.3.2
-----------------------------------------

15 August 2007

(C) 2007 SSH Communications Security Corp.
This software is protected by international copyright laws.
All Rights Reserved.

Table of Contents

  1. About This Release
  2. New Features
  3. Bug Fixes
  4. Known Issues
  5. Further Information

1. About This Release
----------------------

The SSH Tectia client/server solution 5.3 is an end-to-end communications
security solution for multi-platform environments. It is based on the Secure
Shell technology from the original developers.

The SSH Tectia client/server solution consists of four base products:

  * SSH Tectia Server
  * SSH Tectia Server for IBM z/OS
  * SSH Tectia Client
  * SSH Tectia Connector

The base products are expandable with the following add-on products:

  * EFT Expansion Pack for SSH Tectia Server
  * EFT Expansion Pack for SSH Tectia Client
  * Tunneling Expansion Pack for SSH Tectia Server

SSH Tectia Server 5.3 provides secure terminal, secure file transfer, and
tunneling server functionality for system administrators and other users of
SSH Tectia Client.

SSH Tectia Server 5.3 with EFT Expansion Pack provides a secure file transfer
server to be used in conjunction with SSH Tectia Client with EFT Expansion
Pack to enable enhanced, high-performance file transfers in heterogeneous
enterprise environments.

SSH Tectia Server 5.3 with Tunneling Expansion Pack provides tunneling server
functionality for users of SSH Tectia Connector, and secure terminal and
secure file transfer functionality for users of SSH Tectia Client.

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products
before installing SSH Tectia Server 5.3.

2. New Features
-----------------

In 5.3.2:
---------

- SSH Tectia Server will not allow modifying the configuration from the
  SSH Tectia Server configuration GUI if the configuration is under
  SSH Tectia Manager management.
  The administrator will be able to start and stop the SSH Tectia Server from
  the GUI, but will not be able to press the Apply, OK or Restore Default
  Settings buttons. Those buttons will be disabled, and the SSH Tectia Server
  will give a warning message when the Server Configuration GUI is opened.

In 5.3.0:
---------

- Support for installing the SSH Tectia software into Sun Solaris 10 zones.

- New supported platforms:
  - Native 64-bit (x86-64) packages for Red Hat Enterprise Linux 3, 4, and 5
  - Sun Solaris 10 64-bit (x86-64)

- Dropped platform support:
  - Sun Solaris 2.6, 7
  - HP-UX 11.0, 11.22
  - AIX 5.1

- Two new user documents:
  - SSH Tectia Client/Server (Unix) Quick Start Guide
  - SSH Tectia Client/Server (Windows) Quick Start Guide

3. Bug Fixes and Minor Features
---------------------------------

In 5.3.2:
---------

- Unix: Fixed an interoperability issue with public key authentication when
  using OpenSSH keys.

In 5.3.1:
---------

- Windows: Fixed a race condition in the server that could lead to failing
  connections when under stress and using public key authentication.

- Windows: The GUI troubleshooting log now includes log entries on sshdap
  authentication.

- All platforms: The Server now always sends times in UTC in file attributes,
  preventing erroneous file access/modify/create times from being displayed.

- All platforms: It is now possible to disable sft-server-g3 auditing by
  setting "audit=no" in the subsystem configuration as follows:

- Windows: Fixed an issue causing sshdap.dll installation to fail on some
  hosts.

- Linux: SFTP connections using public-key authentication can now be enabled
  even when shell access is disabled. This can be done by specifying the new
  configuration attribute "exec-directly" in the subsystem tag of the SFT
  subsystem as follows:

- Solaris: Fixed a problem where the last login time displayed during login
  was incorrect (one hour behind) on some Solaris hosts during DST.
- Windows: The Server configuration GUI now allows defining the
  authentication methods also when the action is to deny authentication.
  Denying authentication or connection will now switch the configuration to
  advanced mode.

In 5.3.0:
---------

- Windows: Reduced the likelihood of an error that causes the server to deny
  connection attempts with the error message "Account is locked or login
  administratively denied". The error now occurs rarely under very heavy
  stress, and is due to the Windows Domain Controller's inability to handle
  large numbers of concurrent requests.

4. Known Issues
-----------------

The following issues are currently known to exist in SSH Tectia Server:

- HP-UX Itanium: FIPS mode is not supported in this release.

- Linux 64-bit packages cannot be deployed using SSH Tectia Manager 2.4.0 or
  earlier.

- AIX 5.3: A bug in AIX 5.3 may cause a servant process to hang. Upgrade to
  Maintenance Level 6 to resolve this issue.

- Unix: The 'finger' command does not show the idle time correctly when
  logged in using SFTP.

- Windows: When using OpenSSH scp clients to download files from the server,
  using wildcards will result in an error.

- Solaris 10: SSH Tectia Server and the FTP/SFTP conversion component of
  SSH Tectia Client with EFT Expansion Pack need to be uninstalled separately
  from each local zone if they have been installed to all zones by installing
  into the global zone.

- Windows Server 2003: csrss.exe may leak memory when SSH Tectia Server is
  under heavy stress. Upgrade Windows Server 2003 to SP2 to fix this issue.

- All platforms: OpenSSH keys are not accepted as host keys when running the
  Server in FIPS mode.

- AIX: When trying to log in to an AIX server using an account which has an
  expired password, the Client returns the following error message:
  "Request exec channel error: Disconnected by application." The reason for
  the disconnection is, however, logged correctly in the server's log.

- Windows: The Server shows an incorrect last login time.
- Unix: Safeword PAM authentication is not supported in this version.

- 64-bit Linux: FIPS mode is not supported with the native x86-64 Linux
  packages.

- Windows: The Server reports a "Wrong password" message to the event log
  when the correct password is given but the account has expired.

- Windows 2003 Server: After a period of heavy server use, new connections
  may start to take a longer time to authenticate. The issue is under
  investigation.

- Windows: Users without administrator rights cannot use file transfer with
  default Windows 2003 ACL settings. Enabling file transfer access requires
  ACL changes. See Server Administrator Manual, Chapter 5.9.1.2 for more
  information.

- All platforms: The certificate validation path construction from LDAP
  fails if the LDAP server requires the ";binary" suffix for the PKI binary
  blob attribute names.

- Linux: If a user account has expired, the Server incorrectly asks the user
  to change the password and then denies login.

- Windows: If a non-admin user tries to start the Server, the Server reports
  the error message "Failed to access service manager".

- Windows: Well-known security principals ('Everyone' and 'Authenticated
  Users', for instance) are not shown in the Server configuration GUI's
  directory object picker when browsing groups for a selector.

- Solaris 9: A servant might fail when transferring files if the Server host
  is not at the latest patch level. The recommended patch level is Patch
  Cluster dated Jun/05/06 or newer.

- Windows: The Windows Server does not echo the command output correctly if
  the Client stdin is not a terminal.

- Unix: Currently it is not possible to allow X11 forwarding when terminal
  connections are denied.

- Solaris: The LOCK_AFTER_RETRIES=YES option is not supported in file
  /etc/security/policy.conf.

- Windows: Currently, ssh-server-config-tool cannot be run over a remote
  desktop connection.
- Windows: Installing PGP Desktop 9.5.2 and SSH Tectia Server on the same
  Windows machine will cause the one installed earlier not to work.

- All platforms: File transfers of files larger than 4 kB using Net::SFTP and
  Net::SSH::Perl fail against SSH Tectia Server.

- HP-UX: Shadow passwords are not supported on HP-UX platforms when using the
  password authentication method. Shadow passwords can be used on HP-UX only
  with keyboard-interactive PAM authentication, with the appropriate PAM
  configuration.

- Windows: The Server reports a "Wrong password" message to the event log
  when the correct password is given but the account is locked.

- Windows: Currently it is not possible to see and select Active Directory
  universal groups in the User Group Selector dialog of the configuration
  tool GUI. However, universal groups can be used as selectors if they are
  entered manually in the user group selector name field.

- All platforms: It is possible to generate all lengths of RSA/DSA keys in
  FIPS mode, although the SSH Tectia Client/Server software will only accept
  keys compliant with FIPS.

- HP-UX: Support for streaming has been disabled on SSH Tectia Server for
  HP-UX. Slower SFT performance is expected on high-latency and
  high-bandwidth networks when transferring files to HP-UX.

- AIX: The Server hangs after a few authentication tries when the following
  value is set in the /etc/security/user file:

    SYSTEM='KRB5Files or compat'

  The Server does not hang when the value is set to:

    SYSTEM='compat'

- All platforms: SSH Tectia Server accepts both RSA and DSA host keys even in
  FIPS mode.

- Windows: OpenSSH host keys are not accepted for use by the Server if it is
  in FIPS mode. As a workaround, you can convert the OpenSSH key to SSH Tectia
  format using the command:

    ssh-keygen-g3 --import-private-key

- Windows: Using rsync with Cygwin OpenSSH against SSH Tectia Server fails
  when using public-key authentication.
- All platforms: If the server configuration has one or more selectors in
  the block listing specific ciphers, and the client does not match the
  selector, it is still allowed the default ciphers. This is because there is
  no implicit deny rule in the block (the behavior is different from the
  block).

- Unix: On some server hosts, shutting down the server process may leave
  servant processes hanging, and they need to be shut down separately.

- All platforms: The Crypticore cipher and/or MAC are available also in FIPS
  mode.

- Windows: When using a 4.4.0 ssh2 command-line client on Windows, the
  command line gets garbled when connecting to 5.x Servers on Windows. When
  typing, the characters are displayed to the left of the prompt. This does
  not happen when using a 5.x command-line client.

- All platforms: Port forwarding from PuTTY versions 0.58 and earlier to
  SSH Tectia Server 5.x does not work, as PuTTY violates the IETF draft on the
  ssh2 protocol. This has been fixed in PuTTY version 0.59.

- Windows: SSH Tectia Server cannot be installed on file systems that do not
  support permissions (e.g. FAT, FAT32).

- HP-UX 11.11: Attempting GSSAPI authentication can cause the
  auths-gssapi-userproc-krb process to consume CPU and not exit after the
  client disconnects. GSSAPI authentication is enabled if no configuration
  file is found or if it is specifically enabled in the server configuration.
  The HP-UX patch PHSS_35381 fixes this issue. GSSAPI needs to be disabled in
  the server configuration if installing the patch is not an option.

- Unix: Canceling user authentication when the Server has been configured
  with the keyboard-interactive authentication method causes authentication
  to fail with "Server responded 'Unexpected response packet'".

- Unix: The startup script does not report an error upon failure (e.g. no
  license or port already taken). However, an error is entered into the
  syslog.
- All platforms: After changing the password on a Secure Shell server, but
  before logging in with the new password, the Connection Broker must be
  restarted in order to close the previous connection, or the user must wait
  for the connection to time out (by default 5 seconds). If this is not done,
  login with the new password will not succeed.

5. Further Information
----------------------

More information can be found in the man pages and in the SSH Tectia
manuals, which are also available at http://www.ssh.com/support/.

Additional licenses can be purchased from our online store at
http://www.ssh.com/buy/online/.

For additional Expansion Pack licenses, please contact your local SSH office
or a Partner for Enterprise Sales: http://www.ssh.com/buy/contact/.