Release Notes for SSH Tectia Client 5.3.3
-----------------------------------------

28 September 2007

(C) 2007 SSH Communications Security Corp.
This software is protected by international copyright laws.
All Rights Reserved.

Table of Contents

1. About This Release
2. New Features
3. Bug Fixes and Minor Features
4. Known Issues
5. Further Information


1. About This Release
----------------------

The SSH Tectia Client/Server solution 5.3 is an end-to-end communications
security solution for multi-platform environments. It is based on the
Secure Shell technology from the original developers.

The SSH Tectia Client/Server solution consists of four base products:

  * SSH Tectia Server
  * SSH Tectia Server for IBM z/OS
  * SSH Tectia Client
  * SSH Tectia Connector

The base products are expandable with the following add-on products:

  * EFT Expansion Pack for SSH Tectia Server
  * EFT Expansion Pack for SSH Tectia Client
  * Tunneling Expansion Pack for SSH Tectia Server

SSH Tectia Client 5.3 with EFT Expansion Pack provides a secure file
transfer client to be used in conjunction with SSH Tectia Server with EFT
Expansion Pack, enabling enhanced, high-performance file transfers in
heterogeneous enterprise environments.

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products
before installing SSH Tectia Client 5.3.


2. New Features
-----------------

In 5.3.3:
---------

- Unix: The FTP-SFTP conversion can now transform the user name and
  password so that the conversion can be used as a drop-in replacement for
  plain FTP in an environment using Cisco or Checkpoint FTP proxying
  firewalls.

- HP-UX Itanium: The FTP-SFTP conversion is now supported.

- All platforms: The Client now includes ssh-scepclient-g3, a command for
  enrolling certificates using the SCEP protocol.

- All platforms: Support for the keyboard-interactive authentication method
  has been added to the FTP-SFTP capture.
In 5.3.2:
---------

- Microsoft Windows Server 2003: SSH Tectia Client with EFT Expansion Pack
  now also supports Microsoft Windows Server 2003, so the FTP-SFTP
  conversion functionality is fully available on this platform as well.

In 5.3.1:
---------

- Support for passing remote environment variables to the Server from the
  Client side.

In 5.3.0:
---------

- Support for installing the SSH Tectia software into Sun Solaris 10 zones.

- New supported platforms:
  - Native 64-bit (x86-64) packages for Red Hat Enterprise Linux 3, 4, and 5
  - Sun Solaris 10 64-bit (x86-64)
  - Microsoft Windows Vista (on SSH Tectia Client only)

- Dropped platform support:
  - Sun Solaris 2.6, 7
  - HP-UX 11.0, 11.22
  - AIX 5.1

- Two new user documents:
  - SSH Tectia Client/Server (Unix) Quick Start Guide
  - SSH Tectia Client/Server (Windows) Quick Start Guide


3. Bug Fixes and Minor Features
---------------------------------

In 5.3.3:
---------

- Unix: In an environment using Cisco or Checkpoint FTP proxy firewalls,
  the filter-at-sign information provided to the FTP proxy overrides the
  settings from the SSH Tectia connection profile. The server port number
  is still taken from the SSH Tectia connection profile, and the conversion
  switches back to "connection profile mode" if the user does not provide
  a correctly formatted filter-at-sign login.

- Windows: The FTP-SFTP conversion upload file transfer performance has
  been improved.

- All platforms: If the client tried to upload a file to a prefix that
  already existed (that is, a dataset exists whose name is longer than the
  given prefix and contains the prefix), the source file name was always
  appended to the destination dataset name. The prefix handling is now
  fixed. For prefix handling to work correctly, the client must have the
  z/OS file transfer options enabled, either through environment variables
  or command-line options. More information about enabling direct MVS
  dataset access for z/OS can be found in the Client User Manual.
- All platforms: The sftpg3 "rm" command now removes only empty
  directories. Removal of a whole directory tree (including sub-directories
  and files) can be requested with the command-line argument "-r" or
  "--recursive". Changing the default remove action of sftpg3 to
  non-recursive mode also enables the "rm" command to be used on MVS
  datasets.

- All platforms: MVS dataset rename in sftpg3 did not work when the new
  name was a prefix of an existing dataset, even though no dataset with the
  new name itself existed. For example, if you had datasets //'A.B.C.D' and
  //'X.Y.Z' and tried to rename //'X.Y.Z' to //'A.B.C', the renaming failed.
  For the new dataset rename functionality to work correctly, the client
  must have the z/OS file transfer-related environment variables enabled.
  More information about the z/OS file transfer options can be found in the
  Client User Manual.

- HP-UX: FTP-SFTP conversion: An HP-UX Itanium server can now also be
  reached by hostname.

- Windows: The FTP-SFTP conversion tool can now recognize local networks
  without DNS.

- Unix: The FTP-SFTP conversion now supports the tilde character (~) in cd
  commands.

- Linux: Optimized virtual memory utilization under heavy load.

- Windows: The CA certificate view has been reformatted to accommodate
  certificates with a lot of information.

- Windows: The Connection Broker no longer fails when using PKCS#12
  certificates in FIPS mode.

In 5.3.2:
---------

- Unix: Fixed an issue where using the exec-directly attribute for the SFTP
  subsystem did not place an SFTP user in their home directory.

In 5.3.1:
---------

- EFT Expansion Pack: The FTP-SFTP conversion can now be used as a drop-in
  replacement in environments that use non-transparent FTP proxies in Cisco
  or Checkpoint firewalls. When this feature is turned on, the username and
  password supplied by the FTP client are split at "@" signs to obtain the
  correct hostname, username, and password for the final destination, thus
  bypassing the old FTP proxy.
- Linux 64-bit platforms: Fixed a problem where ssh-ftp-proxy reported each
  thread as a separate process.

- All platforms: The Server now always sends times in UTC in file
  attributes, preventing erroneous file access/modify/create times from
  being displayed.

- All platforms: The plaintext FTP transfer in FallBack mode only works in
  passive mode, and requires the port filter rule (for example,
  ports = 0-1000) to be set properly in the configuration file.

- Linux 64-bit platforms and Solaris x86_64: Fixed a problem where the ls
  command did not work when using the FTP-SFTP conversion of SSH Tectia
  Client with EFT Expansion Pack.

- Solaris: The ssh-signer no longer fails to transmit the full hostname to
  the Server when using host-based user authentication.

- Unix: The SSH Tectia SFT API is now thread safe. Specifically, the
  function ssh_sft_open() can now be called from multiple threads at the
  same time.

- Windows: The host key page in the configuration GUI now displays hashed
  host keys better. It is now possible to check the existence and
  fingerprint of a hashed host key by specifying a host/port combination.
  Additionally, you can now delete host keys and add new ones.

- Windows: The Connection Broker configuration GUI now shows a warning if a
  user configuration file does not exist yet and the default configuration
  is used instead. The MSCAPI, Entrust and PKCS#11 providers configured in
  the global configuration are now taken into account in the Connection
  Broker configuration GUI.

- Unix: The --prefix option now works with the scpg3 and sftpg3 commands.

- Windows: The Connection Broker configuration GUI no longer allows
  attempting to generate keys with " or ? in their file name, or with too
  long a file name.

- Windows: If key generation fails in the Connection Broker configuration
  GUI, the key is no longer added to the key list.

- Windows: The File Transfer GUI now enables editing of text files with
  invalid characters in their names.
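The filter-at-sign login rewrite described in the 5.3.3 and 5.3.1 entries above, modelled as an added example (this is not SSH Tectia code): the USER value sent by the FTP client is assumed to have the form user@host, the server port always comes from the connection profile as the notes state, and a malformed value falls back to connection profile mode instead of guessing a destination. The password split is not modelled because the notes do not give its format.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Constructed stand-in for an SSH Tectia connection profile."""
    host: str
    port: int = 22   # the notes say the port is always taken from here


@dataclass(frozen=True)
class Target:
    user: str
    host: str
    port: int
    mode: str        # "at-sign" if USER named the host, else "profile"


# Accept only a hostname or dotted IPv4 literal as the destination; anything
# else is treated as a malformed filter-at-sign login (assumed check).
_HOST_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def resolve_target(ftp_user: str, profile: Profile) -> Target:
    """Map the USER value sent by the FTP client to the SFTP destination.

    Assumed format: user@host. The split is made at the LAST '@' so that a
    user name which itself contains '@' is kept intact. A value without '@',
    or with an empty or invalid host part, is not guessed at: the whole
    value stays the user name and the connection profile decides the host.
    """
    if "@" not in ftp_user:
        return Target(ftp_user, profile.host, profile.port, "profile")
    user, _, host = ftp_user.rpartition("@")
    if not user or not _HOST_RE.match(host):
        return Target(ftp_user, profile.host, profile.port, "profile")
    return Target(user, host, profile.port, "at-sign")


if __name__ == "__main__":
    prof = Profile("sftp.internal.example", 2222)   # constructed profile
    for u in ("alice@files.example.com", "bob", "carol@", "dave@bad host"):
        print(f"{u!r:28} -> {resolve_target(u, prof)}")
```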
In 5.3.0:
---------

- Windows: The key generation process now warns the user if a key with the
  same name already exists.


4. Known Issues
-----------------

The following issues are currently known to exist in SSH Tectia Client or
affect SSH Tectia Client usability:

- All platforms: Recursive file transfer with wildcards does not work as
  expected.

- HP-UX: SCP performance on HP-UX is not the best possible; we are planning
  to improve it in an upcoming release.

- Windows Server 2003: The FTP-SFTP conversion does not support the
  fall-back to plain-text functionality on SSH Tectia Client with EFT
  Expansion Pack. Fall-back to plain text works on all other platforms
  supported by SSH Tectia Client with EFT Expansion Pack.

- HP-UX Itanium: FIPS mode is not supported in this release.

- HP-UX (Itanium): Environment variables cannot be set on the command line.
  Remote environment variables can still be set using profiles or default
  settings in the SSH Tectia Connection Broker's configuration.

- Linux 64-bit packages cannot be deployed using SSH Tectia Manager 2.4.0 or
  earlier.

- Solaris 10: SSH Tectia Server and the FTP-SFTP conversion component of
  SSH Tectia Client with EFT Expansion Pack need to be uninstalled
  separately from each local zone if they were installed to all zones by
  installing into the global zone.

- Unix: The 'finger' command does not show the idle time correctly when
  logged in using SFTP.

- Windows and Solaris: Pressing CTRL-C in 'sshg3' during the authentication
  phase has no effect. The workaround on Windows is to press CTRL-BREAK.

- All platforms: When the FTP-SFTP conversion falls back to plain-FTP mode,
  it gives confusing messages.

- All platforms: When defining the FTP-SFTP conversion, use the same
  hostname or IP address in the filter rules that is used on the command
  line with the FTP client.

- All platforms: Active mode does not work with the fallback to plain-text
  FTP.
- All platforms: When creating a filter, always specify the port
  unambiguously if the fallback mode is set. When the client is connected
  to a plain-text FTP server and tries to activate passive mode, it opens a
  new connection to a different port. The sshcapture filters this
  connection when it should not, because it should be passed through to the
  plain-text FTP server. Usually, unprivileged ports (>1023) are used in
  this situation.

- Windows: When running sftpg3 in batch mode, the Connection Broker may log
  Broker_channel_process_exit_failed messages with status "Operation
  failed". These are system-internal events and do not indicate any
  failure in the file transfer operation.

- Windows: Attempts to transfer files to a Sun SSH 1.0.1 server fail and
  return a protocol error. Connections to Sun SSH 1.1 servers do not have
  this problem.

- Windows: The exit values for scpg3 do not match the values mentioned in
  the documentation in these error situations:
  - Connection lost
  - Interrupting a file transfer using Ctrl+C
  - Trying to copy to a directory, but the destination is not a directory.

- All platforms: When trying to save a host key to a location without write
  permissions, the connection fails and a non-informative error message is
  shown.

- Windows: The Connection Broker user dialogs may be shown in the wrong
  session if multiple remote desktop sessions have been established to a
  Windows Terminal Server using the same user ID.

- Windows Server 2003: SSH Tectia Client with EFT Expansion Pack cannot be
  installed on a Windows Server 2003 host by default. However, it can be
  installed without the FTP-SFTP capture with the following command:

    msiexec /i ssh-tectia-client-with-eft-5.2.1.144.msi SSHMSI_PREVENT_SSH_CAPTURE_INSTALL=1

- All platforms: The FTP-SFTP conversion does not show the SSH Tectia
  Server banner message.

- All platforms: The FTP-SFTP conversion feature does not currently support
  the PAM authentication method.
- Windows: FIPS mode is not taken into use when a new configuration is
  deployed by SSH Tectia Manager. The Connection Broker must be restarted
  before FIPS mode becomes active.

- All platforms: scpg3 does not warn about the existence of directories
  when shell globbing is used, for example:

    scpg3 "/tmp/testdir/*" user@server:/tmp

  The correct warning is displayed if the scpg3 command is used without
  globbing:

    scpg3 /tmp/testdir/* user@server:/tmp

- Windows: SSH Tectia Configuration might hang when active file transfer
  scripts are running in the background. Workaround: Stop the scripts when
  the Configuration tool is needed.

- Windows: The default settings for both agent and X11 forwarding have been
  changed to OFF. The default can be manually changed to ON, or the settings
  can be changed on a per-profile basis. The documentation incorrectly
  states that agent and X11 forwarding are ON by default.

- All platforms: Certificate validation path construction from LDAP fails
  if the LDAP server requires the ";binary" suffix for PKI binary blob
  attribute names.

- Windows: If the Connection Broker is started for another user ID using
  the 'runas' command, the user dialogs are shown to the user who started
  the process.

- All platforms: The Server creates empty files if the user tries to
  transfer files without correct server-side permissions. The correct error
  message is displayed.

- All platforms: The API function ssh_secsh_broker_channel_close() might
  fail in some cases.

- Windows: Local TCP tunneling using listener port 0 does not work.

- Windows: In the command-line tool, remote command output might be
  formatted incorrectly.

- Windows: SSH Tectia SDK for Windows currently contains dynamic libraries
  without any debugging information.

- Windows: The Connection Broker might crash on exit after a long file
  transfer session.
- Windows: Installing the Connection Broker or SSH Tectia Client with EFT
  Expansion Pack on a Windows XP computer in a domain where firewall
  exceptions are managed by a group policy modifies the exceptions so that
  the computer becomes inaccessible from the network. Workaround: Edit the
  exceptions manually so that, for example, the server port is accessible.

- Windows: Unix files whose names contain characters that are illegal on
  Windows (for example: *, ? and ~) cannot be transferred or accessed.

- Windows: Under certain circumstances, reconfiguration of the Connection
  Broker can take up to 10 seconds.

- All platforms: It is possible to generate RSA/DSA keys of any length in
  FIPS mode, although the SSH Tectia Client/Server software will only
  accept FIPS-compliant keys.

- Windows: The FTP-Proxy and Connector rules are not applied properly when
  filtering by port. Workaround: If you have rules that specify 'any' as
  the host, place them last in the rule list.

- Windows: When connecting from the Windows GUI client to an OpenSSH server
  with a public key that has the option command="ls", the client hangs.
  The same operation works properly from the Windows command line.

- All platforms: If a wrong passphrase is provided several times for a key,
  the Connection Broker skips it and proceeds to the next key. If it is an
  OpenSSH key, once it has been skipped because of a decoding failure, the
  Connection Broker makes no further attempts to use the key in future
  login attempts. The Connection Broker must be reloaded or restarted in
  order to use that OpenSSH key for authentication.

- Windows/Unix: On Windows, the OpenSSH key's GUI prompt cannot be
  canceled. On OpenSSH, the key passphrase prompt loops if no passphrase is
  given. Ctrl+C can be used to dismiss the prompt, but that cancels the
  whole Secure Shell connection.

- Windows: Secure file transfer speed may be slow against SSH Tectia Server
  on Windows.

- Windows: PKCS#12 certificates cannot currently be imported via the GUI.
- Windows: If multiple concurrent terminal services sessions are opened for
  the same user, the sessions share the same Connection Broker session.
  As a result, the user banner and dialog boxes may be displayed in the
  wrong session. Opening several concurrent terminal services sessions for
  the same user does not provide a secure separation of sessions.

- All platforms: The CryptiCore cipher and/or MAC are available also in
  FIPS mode.

- Windows/Linux: After a new configuration is applied, the Connection
  Broker forgets the passphrases of previously decoded keys.

- All platforms: After changing the password on a Secure Shell server, but
  before logging in with the new password, the Connection Broker must be
  restarted to close the previous connection, or the user must wait for the
  connection to time out (by default 5 seconds). If this is not done, login
  with the new password will not succeed.


5. Further Information
----------------------

More information can be found in the man pages and in the SSH Tectia
manuals, which are also available at http://www.ssh.com/support/.

Additional licenses can be purchased from our online store at:
http://www.ssh.com/buy/online/