Release Notes for SSH Tectia Client 6.0.1
-----------------------------------------

1 April 2008


(C) 2008 SSH Communications Security Corp.
This software is protected by international copyright laws.
All Rights Reserved.


Table of Contents

1.   About This Release
2.   New Features
3.   Bug Fixes and Minor Features
4.   Known Issues
5.   Further Information



1.   About This Release
----------------------

  The SSH Tectia client/server solution 6.0 is an end-to-end 
  communications security solution for multi-platform environments. 
  It is based on the Secure Shell technology from the original developers. 
  The SSH Tectia client/server solution consists of four base products:
  
  * SSH Tectia Client
  * SSH Tectia ConnectSecure
  * SSH Tectia Server
  * SSH Tectia Server for IBM z/OS

  SSH Tectia Client provides a conventional and powerful secure terminal  
  and secure file transfer client to be used in conjunction with SSH Tectia 
  Server or other Secure Shell servers to enable secure connectivity and 
  file transfers in heterogeneous enterprise environments.

  SSH Tectia ConnectSecure provides additional powerful features to 
  transparently secure FTP file transfers and server connectivity.
  SSH Tectia ConnectSecure is designed especially for server-to-server
  file transfer security and it introduces new features enabling enhanced, 
  high-performance file transfers in conjunction with SSH Tectia Servers,
  third-party or OpenSSH servers in heterogeneous enterprise environments.

  SSH Tectia ConnectSecure replaces the EFT expansion packs for SSH Tectia 
  Client and Server that were available in SSH Tectia version 5.x.

  We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x
  products, before installing SSH Tectia Client 6.0.



2.   New Features
-----------------

  The following list includes the new features implemented in SSH Tectia 
  Client.

In 6.0.0:
---------

- New platform support:
  o HP-UX 11i v3 (PA-RISC, IA64) 
  o SUSE Linux Enterprise Server 10 (x86, x86-64)
  o SUSE Linux Enterprise Desktop 10 (x86, x86-64) 
  o Red Hat Enterprise Linux 5.1 (x86, x86-64)

- Windows: NEW Transparent TCP Tunneling functionality. 
  SSH Tectia Client and ConnectSecure on Windows can transparently secure 
  several essential software applications used by administrators for remote 
  administration of business-critical hosts running on Windows, Unix, Linux 
  and IBM mainframe systems. This includes remote desktop software such as 
  VNC and RDP. SSH Tectia Client can also be used to secure any existing 
  Telnet-based terminal connections to enterprise applications, as well as 
  remote access to business email or corporate intranet. This feature is 
  supported on Windows XP and 2000 by SSH Tectia Client and also on Windows 
  Server 2003 by SSH Tectia ConnectSecure.

- Windows: SSH Tectia Client and SSH Tectia ConnectSecure can also 
  be used on a Windows machine to transparently secure essential 
  application connections with automatic secure connection setup. 
  SSH Tectia Client and ConnectSecure can automatically open and 
  secure the connection based on the information provided by the 
  software that needs to be secured, thus eliminating the need to 
  generate complicated configurations for connecting to a large 
  amount of different servers.

- All platforms: Added '-K' option to 'sshg3' to select 
  a specific key for authentication.

- All platforms: Added option '--identity' for SSH Tectia Client and 
  SSH Tectia ConnectSecure so that it is possible to specify a key 
  from the key store to use (identified either by the key ID or public 
  key hash).
  Syntax: 
  sshg3: [OPTION]... PROFILE|[USER@]HOST[#PORT] [COMMAND]
   --identity=<id>   Use private key 'id' as user identification.
      The 'id' can be either key id, key hash or a key file name.
   --identity-key-id=<id>    Use key id as a user identification.
   --identity-key-hash=<id>  Use key hash as a user identification.

- All platforms: The ssh '-c' command-line option in SSH Tectia Client 4.x, 
  where you used to supply the name of the cipher that you were using is 
  now recognized in 6.0. 
  Syntax:
   -c, --ciphers=<ciphers>
      Allow only selected ciphers to be used. 
      Giving value 'help' lists available ciphers.
   -m, --macs=<macs>
      Allow only selected MACs to be used. 
      Giving value 'help' lists available MACs.

- All platforms: Added option '-K' to 'sshg3' to select a specific 
  key for authentication. 
  Syntax:
  sshg3 -K, --identity-key-file=<file>     
     Use key file as a user identification.

- All platforms: In SSH Tectia Client 4.x, the ssh-add2 command has option 
  '-p' that makes the agent read the passphrase from stdin. This 
  functionality is now available in the Connection Broker in SSH Tectia 6.0.

- All platforms: Added time stamps to debug the output of 
  SSH Tectia Client/Server/ConnectSecure 6.0.

- All platforms: Support for shell command ! added into sftpg3.
  Syntax: 
  sftp> help ! 
    ! [<command> [<args>]] 
    Invoke an interactive shell on the local machine. 
    If <command> is given, it is used as the command to be executed. 
    Optional <args> are used as arguments to the command.

- All platforms: Added option '-i' to use selected private keys 
  with the sshg3 command line tool.
  Syntax: 
  sshg3 -i <file> 
    Use private keys defined in the identification file to authenticate 
    with the public-key method.

- All platforms: A new command-line tool 'ssh-broker-ctl' is available
  for managing and monitoring the Connection Broker.   
  The Connection Broker is part of SSH Tectia Client and SSH Tectia 
  ConnectSecure and is responsible for managing all connections 
  (including authentication).
  The ssh-broker-ctl command-line parsing is separated to specific 
  commands, such as status or list-keys. Most command-line options are 
  command-specific although there are generic options which work on all 
  or on multiple commands. 
  Syntax: 
  ssh-broker-ctl <command> [options]
  Examples of available commands:
    status           Print status and statistics for running Broker.
    list-connections List of open connections.
    list-channels    List of open connection channels. 
  (for a full list, enter: ssh-broker-ctl --help)

- Windows: SSH Tectia Client / ConnectSecure Broker GUI improvements: 
   - Fallback and pseudo IP options are disabled for direct and 
     block filter
   - Filter rule editing has been improved in the SSH Tectia 
     Configurator for:
      1. Any ports
      2. Single Port <option>
      3. Port range <port range>-<port range>
   - The FTP-SFTP Conversion and tunneling rules are now applied properly 
     when filtering by port; before the filter rules were not evaluated 
     in the expected order

- Windows: New options are available from SSH Tectia Status Window for:
	- Disconnecting a Connection
        - Terminating a channel for a selected Connection
        - Viewing information for individual user keys
        - Clearing cached PIN
  
- Windows: Adding a new profile with the SSH Tectia Terminal GUI now makes 
  the initial window of the profile to be of the same type as the current 
  GUI client window. That means that now it is possible to save connection 
  profiles that will default to the File Transfer GUI when initiated.



3.   Bug Fixes and Minor Features
---------------------------------

In 6.0.1:
---------

- All platforms: If the 'stat' function fails while checking for streaming, 
  streaming will not be supported with sftpg3. This failure can happen, for 
  example, when trying to connect with 'sftpg3' to an OpenSSH Server 3.8.1 
  that is based on old OS/2, called Flex O/S (OS4690). 

- Windows: Using transparent TCP tunneling with the default settings no 
  longer causes SSH Tectia Client 6.0 and SSH Tectia ConnectSecure to fail. 

In 6.0.0:
---------

- Windows: Modifying the SSH Tectia Client configuration does no longer   
  interrupt the data communications of currently tunneled applications. 

- Windows: SSH Tectia Client on Windows no longer prompts for a passphrase 
  for pkcs12 certificate with null-passphrase private key. 

- All Unix platforms: SSH Tectia Client no longer fails when using   
  certificates with no passphrase for authentication. 

- Windows: SSH Tectia Client does no longer ask to enter the passphrase for 
  all the imported keys and certificates every time the configuration has 
  been modified with the GUI apply button. 

- Unix: sshg3 and scpg3 now return value 1 as expected, if they are used 
  with invalid options. 

- Windows and Solaris: Pressing CTRL-C in 'sshg3' during authentication now 
  works also when using keyboard-interactive authentication. 

- Solaris: SSH Tectia Client / Server / ConnectSecure installation packages 
  now detect the underlying Solaris architecture and prevent installation of 
  the x86 packages on the x86-64 architecture. 

- Linux: File transfer does no longer hang on Linux when using more than   
  1024 file descriptors. 

- Windows: X-forwarding to Sun Solaris now works. 

- Unix: It is now possible to use pkcs#11 and static tunnels with 
  passphrase-protected keys on Unix. This fix applies also to software keys. 

- All platforms: Fixed a variety of problems that could result in hangs or 
  disconnections when using FTP Tunneling. 

- All platforms: Using multiple site options with scpg3 now works so that   
  all options are respected and not only the last one (Mainframe specific). 

- Windows: Fixed 'ssh-broker-g3 --console' so that it now allows to see the 
  debug output of SSH Tectia Client and SSH Tectia ConnectSecure directly on 
  the console where it was run or redirect it to a file very easily. 
  Example: Running 'ssh-broker-g3 --console -D 5 -l log' will start GUI 
  broker and log the debug messages to a log file. 

- Windows: It is now possible to create Connection Profile shortcuts to the 
  user's Windows Desktop directly from SSH Tectia Client and SSH Tectia 
  ConnectSecure configuration window. In the SSH Tectia Configuration GUI, 
  select 'Connection Profiles' and press the 'Create Shortcut' button. 

- Windows: It is now possible to import the license file from SSH Tectia 
  Client and SSH Tectia ConnectSecure GUI menu: Help / Import License File. 

- All platforms: The Connection Broker does not forget the passphrase for 
  decoded keys after a new configuration is applied unless key provider 
  configuration was changed. 



4.   Known Issues
-----------------

- Windows: Installing the "Transparent tunneling" component of SSH Tectia 
  Client or SSH Tectia ConnectSecure on a Windows XP computer in a domain 
  where firewall exceptions are managed by a group policy, modifies the 
  exceptions so that the computer becomes inaccessible from the 
  network. Workaround: Edit the exceptions manually so that, for example, the 
  server port becomes accessible. 

- All platforms: scpg3 shows transfer time wrong if "--statistics=simple" 
  is set. 

- All platforms: When trying to connect to an SSH server that is not 
  available (i.e. the server is not running), the error message returned by 
  sshg3 is "Unable to connect to Broker". 
  It should return "Unable to connect to Server". 

- Windows: Reconnecting to the same Connection Profile by pressing Enter 
  with SSH Tectia Client or SSH Tectia ConnectSecure from the GUI fails 
  in some cases. The workaround is to select the profile from the menu. 

- Windows: Removing a token while it's being read could in some cases 
  result in SSH Tectia Client or SSH Tectia ConnectSecure failure. 

- Windows: Opening multiple remote tunnels in a profile against OpenSSH 
  servers can cause Tectia Connection Broker to fail. 

- All platforms: Running the SSH Tectia Connection Broker in daemon mode 
  might be unreliable if sshg3/scpg3/sftpg3 is ran immediately after 
  ssh-broker-g3 is started. Workaround: After the Connection Broker starts, 
  wait a few seconds before issuing any commands. 

- Windows: SFTP chmod command against SSH Tectia Server running on Windows 
  is not supported. 

- Unix: If scpg3 is used to copy a file to itself, the file will be 
  truncated and the scpg3 hangs. 

- Windows: After installation of 'Transparent TCP Tunneling' feature 
  available within SSH Tectia Client and SSH Tectia ConnectSecure, 
  interfere with third-party Bluetooth and IR network drivers and prevent 
  and prevent their usage. 

- Unix: The 'finger' command does not show the idle time correctly when 
  logged in using SFTP. 

- HP-UX: Starting sshg3, scpg3 and sftpg3 fails if getting the current 
  working directory fails. 

- Windows: When running sftpg3 in batch mode, the Connection Broker may log 
  the Broker_channel_process_exit_failed messages with status "Operation 
  failed". These are system internal events and do not indicate any failure 
  in the file transfer operation. 

- All platforms: Trying to transfer a file to a Sun SSH 1.0.1 server fails 
  and returns a protocol error. Connections against Sun SSH 1.1 servers do 
  not have this problem. 

- Windows: The exit values for scpg3 do not match the values mentioned in 
  the documentation in these error situations: connection lost, interrupting 
  a file transfer using Ctrl+C, trying to copy to a directory, but the 
  destination is not a directory. Nevertheless, in all these cases the return 
  value is non-zero. 

- All platforms: When trying to save a host key to a location without write 
  permissions, the connection fails and a non-informative error message is 
  shown. 

- Windows: The Connection Broker user dialogs may be shown in a wrong 
  session if multiple remote desktop sessions have been established to 
  SSH Tectia Terminal on Windows using the same userID. 

- All platforms: scpg3 does not warn about the existence of directories 
  when shell globbing is used, for example:  
  scpg3 "/tmp/testdir/*" user@server:/tmp 
  However, the correct warning is displayed if the scpg3 
  command is used without globbing: 
  scpg3 /tmp/testdir/* user@server:/tmp 

- All platforms: Certificate validation path construction from LDAP fails, 
  if the LDAP server requires suffix ';binary' for the PKI binary blob 
  attribute names. 

- Windows: If the Connection Broker is started for another userID using the 
  'runas' command, the user dialogs are shown for the user who started the 
  process. 

- All platforms: Server creates empty files if the user tries to transfer 
  files without correct server-side permissions. The correct error message 
  is displayed. 

- All platforms: API function ssh_secsh_broker_channel_close() might fail 
  in some cases. 

- Windows: Local TCP tunneling using listener port 0 does not work. 

- Windows: When running a remote command against a Windows server, the 
  output from standard out and standard error might overlap. 

- Windows: The Connection Broker might crash on exit after a long-duration 
  file transfer session. 

- Windows: When trying to remotely access Unix files that contain illegal 
  Windows characters (for example: *, ? and ~) those files cannot be 
  transferred or accessed if using relative paths. Workaround: Use absolute 
  paths for accessing the files on the remote server after escaping the 
  illegal characters. 

- Windows: Under certain circumstances, reconfiguration of the Connection 
  Broker can take up to 10 seconds. 

- All platforms: It is possible to generate all lengths of RSA/DSA keys in 
  FIPS mode, although the SSH Tectia Client/Server software will only accept 
  keys compliant with FIPS. 

- Windows: If trying to connect from a Windows GUI client to an OpenSSH 
  server with a public key and option command="ls", the client hangs. When 
  performed with the Windows command-line client (sshg3) it works properly. 

- Windows: When using regular expressions in filter rules the dot character 
  '.' does not work as expected. For example, when using a filter rule for 
  tunneling of telnet.exe using regular expression: '.*.ssh.com' the 
  connection will not be tunneled even if the regular expression matched the 
  host address. Workaround: Add a '\' in front of the '.' For example, the 
  previous regular expression should be:  '.*\.ssh\.com' 

- Windows: When the user creates a filter rule for certain applications 
  (e.g firefox.exe), and later decides to filter another application  (e.g. 
  telnet.exe ), both applications will use the same filters unless the first 
  application is restarted. 

- All platforms: If a wrong passphrase is provided several times for a key, 
  the Connection Broker skips it and proceeds to the next key. If it is an 
  OpenSSH key, once it has been skipped because of a decoding failure, the 
  Connection Broker makes no further attempts to use the key on next login 
  attempts. The Connection Broker must be reloaded or restarted in order to 
  use that OpenSSH key for authentication. 

- Windows/Unix: On Windows, the OpenSSH key's GUI prompt cannot be 
  canceled. On OpenSSH, the key passphrase prompting loops if no passphrase 
  is given. Ctrl+C can be used to get rid of the prompt, but that cancels 
  the whole Secure Shell connection. 

- Windows: Secure file transfer speed may be slower against SSH Tectia 
  Server on Windows than against SSH Tectia Server on Linux. 

- Windows: PKCS#12 certificates cannot currently be imported via the GUI. 

- Windows: If multiple concurrent terminal services sessions are opened for 
  the same user, the services sessions share the same Connection Broker 
  session. This can cause that the user banner and dialog boxes may be 
  displayed to the wrong session. Opening several concurrent terminal 
  services sessions for the same user does not provide secure separation of 
  sessions. 

- All platforms: After changing the password on a Secure Shell server, but 
  before logging in with the new password, the Connection Broker must be 
  restarted to close the previous connection, or the user must wait for the 
  connection to time out (by default 5 seconds). If this is not done, login 
  with the new password will not succeed. 
  


5.   Further Information
----------------------

  More information can be found from the man pages and from the SSH Tectia 
  manuals that are also available at http://www.ssh.com/support/.

  Additional licenses can be purchased from our online store at: 
  http://www.ssh.com/buy/online/.