Release Notes for SSH Tectia Client 6.0.2
-----------------------------------------

30 June 2008


(C) 2008 SSH Communications Security Corp.
This software is protected by international copyright laws.
All Rights Reserved.


Table of Contents

1.   About This Release
2.   New Features
3.   Bug Fixes and Minor Features
4.   Known Issues
5.   Further Information



1.   About This Release
----------------------

  The SSH Tectia client/server solution 6.0 is an end-to-end 
  communications security solution for multi-platform environments. 
  It is based on the Secure Shell technology from the original developers. 
  The SSH Tectia client/server solution consists of four base products:
  
  * SSH Tectia Client
  * SSH Tectia ConnectSecure
  * SSH Tectia Server
  * SSH Tectia Server for IBM z/OS

  SSH Tectia Client provides a conventional and powerful secure terminal  
  and secure file transfer client to be used in conjunction with SSH Tectia 
  Server or other Secure Shell servers to enable secure connectivity and 
  file transfers in heterogeneous enterprise environments.

  SSH Tectia ConnectSecure provides additional powerful features to 
  transparently secure FTP file transfers and server connectivity.
  SSH Tectia ConnectSecure is designed especially for server-to-server
  file transfer security and it introduces new features enabling enhanced, 
  high-performance file transfers in conjunction with SSH Tectia Servers,
  third-party or OpenSSH servers in heterogeneous enterprise environments.

  SSH Tectia ConnectSecure replaces the EFT expansion packs for SSH Tectia 
  Client and Server that were available in SSH Tectia version 5.x.

  We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x
  products, before installing SSH Tectia Client 6.0.
 
  SSH Tectia Client 6.0.2 introduces several features from earlier SSH 
  Tectia 4.4.x implementations to the new G3 architecture, easing the 
  migration process to the latest 6.0.x version. It also includes other new 
  minor features and fixes.



2.   New Features
-----------------

  The following list includes the new features implemented in SSH Tectia 
  Client.

New features in 6.0.2:
----------------------

- All platforms: The host-key option 'accept-unknown-host-keys' has been 
  modified to more closely match the behavior of SSH Tectia Client 4.4.x:

    * For a host with no existing key it
         1. Emits an audit log message (if auditing has been enabled)
         2. Prints a message on screen
         3. Saves the key on disk
         4. Proceeds with the connection 

    * For a host with an existing key that is different from the offered 
      key it
         1. Emits an audit log message (if auditing has been enabled)
         2. Prints a visible warning message on screen
         3. Proceeds with the connection 

  This should be equivalent to the behavior of SSH Tectia Client 4.4.x 
  with StrictHostKeyChecking=no. 

- All platforms: New option 'authentication-success-message' exists for 
  configuring whether the success messages are output. 

- All platforms: Usage of user name variables has been enabled in the 
  keystore configurations, such as:
  <key-store type="software" 
  init="key_files(/u/exa/%U/keys/enigma.pub,/u/exa/%U/keys/enigma)" />
  <key-store type="software" init="directory(path(/u/exa/keys/%U))" /> 

- New platform support: Added support for VMware ESX Server 3.5. 

- All platforms: The following new 6.0.x command-line options have been 
  added to scpg3 and sftpg3:
    -C
    +C
    -c, --compression
    -i file
    -K, --identity-key-file=file
    --ciphers=cipher-list
    --exclusive
    --identity=id
    --identity-key-id=id
    --identity-key-hash=id 
    --keep-alive
    --macs=mac-list
    --tcp-connect-timeout 

- Unix: The '-f, --fork-into-background' option of sshg3 now works as in 
  SSH Tectia Client 4.x. 

- All platforms: A client-side keep-alive option has been implemented for 
  automatically sending a keep-alive message to the server at configurable 
  regular intervals. This enables connections in environments where the 
  firewall is set to disconnect the connection after a certain idle timeout 
  period. 
  The feature can be enabled via a configuration option in default 
  settings and profiles:
    <keepalive-interval time="1d" />
  as well as a new command-line option to sshg3, scpg3, and sftpg3:
    --keep-alive=2h 

- All platforms: sftpg3 now reads the 
  <sftpg3-mode compatibility-mode="xxx"/> option from the Connection Broker 
  configuration file. 
  Possible values are:
  tectia:  The default behavior, which copies directories recursively
  ftp:     get/put commands are executed as sget/sput, and 
           mget/mput commands have recursion depth set to 1.
  openssh: get/put/mget/mput are the same, with recursion depth set to 1.

  The mode set via the Connection Broker configuration can be 
  overridden with environment variable 'SSH_SFTP_CMD_GETPUT_MODE'. The 
  recursion depth can be overridden by adding option '--max-depth=yyy' to 
  commands get/put/mget/mput on the command line. 

- All platforms: Warnings about a hostkey being changed or not found are 
  now logged via syslog. 

- All platforms: Agent forwarding compatibility has been implemented 
  between SSH Tectia Client and OpenSSH (where the Connection Broker of SSH 
  Tectia Client serves as the authentication agent for subsequent connections 
  by the OpenSSH client). All SSH Tectia products involved need to be at 
  version 6.0.2 for this to work. 

- All platforms: New option 'tcp-connect-timeout' exists for timing out the 
  TCP connection when the target host is unreachable.
  <tcp-connect-timeout time="xx" /> 


New features in 6.0.0:
----------------------

- New platform support:
  o HP-UX 11i v3 (PA-RISC, IA64) 
  o SUSE Linux Enterprise Server 10 (x86, x86-64)
  o SUSE Linux Enterprise Desktop 10 (x86, x86-64) 
  o Red Hat Enterprise Linux 5.1 (x86, x86-64)

- Windows: NEW Transparent TCP Tunneling functionality. 
  SSH Tectia Client and ConnectSecure on Windows can transparently secure 
  several essential software applications used by administrators for remote 
  administration of business-critical hosts running on Windows, Unix, Linux 
  and IBM mainframe systems. This includes remote desktop software such as 
  VNC and RDP. SSH Tectia Client can also be used to secure any existing 
  Telnet-based terminal connections to enterprise applications, as well as 
  remote access to business email or corporate intranet. This feature is 
  supported on Windows XP and 2000 by SSH Tectia Client and also on Windows 
  Server 2003 by SSH Tectia ConnectSecure.

- Windows: SSH Tectia Client and SSH Tectia ConnectSecure can also 
  be used on a Windows machine to transparently secure essential 
  application connections with automatic secure connection setup. 
  SSH Tectia Client and ConnectSecure can automatically open and 
  secure the connection based on the information provided by the 
  software that needs to be secured, thus eliminating the need to 
  generate complicated configurations for connecting to a large 
  amount of different servers.

- All platforms: Added '-K' option to 'sshg3' to select 
  a specific key for authentication.

- All platforms: Added option '--identity' for SSH Tectia Client and 
  SSH Tectia ConnectSecure so that it is possible to specify a key 
  from the key store to use (identified either by the key ID or public 
  key hash).
  Syntax: 
  sshg3: [OPTION]... PROFILE|[USER@]HOST[#PORT] [COMMAND]
   --identity=<id>   Use private key 'id' as user identification.
      The 'id' can be either key id, key hash or a key file name.
   --identity-key-id=<id>    Use key id as a user identification.
   --identity-key-hash=<id>  Use key hash as a user identification.

- All platforms: The ssh '-c' command-line option in SSH Tectia Client 4.x, 
  where you used to supply the name of the cipher that you were using is 
  now recognized in 6.0. 
  Syntax:
   -c, --ciphers=<ciphers>
      Allow only selected ciphers to be used. 
      Giving value 'help' lists available ciphers.
   -m, --macs=<macs>
      Allow only selected MACs to be used. 
      Giving value 'help' lists available MACs.

- All platforms: Added option '-K' to 'sshg3' to select a specific 
  key for authentication. 
  Syntax:
  sshg3 -K, --identity-key-file=<file>     
     Use key file as a user identification.

- All platforms: In SSH Tectia Client 4.x, the ssh-add2 command has option 
  '-p' that makes the agent read the passphrase from stdin. This 
  functionality is now available in the Connection Broker in SSH Tectia 6.0.

- All platforms: Added time stamps to debug the output of 
  SSH Tectia Client/Server/ConnectSecure 6.0.

- All platforms: Support for shell command ! added into sftpg3.
  Syntax: 
  sftp> help ! 
    ! [<command> [<args>]] 
    Invoke an interactive shell on the local machine. 
    If <command> is given, it is used as the command to be executed. 
    Optional <args> are used as arguments to the command.

- All platforms: Added option '-i' to use selected private keys 
  with the sshg3 command line tool.
  Syntax: 
  sshg3 -i <file> 
    Use private keys defined in the identification file to authenticate 
    with the public-key method.

- All platforms: A new command-line tool 'ssh-broker-ctl' is available
  for managing and monitoring the Connection Broker.   
  The Connection Broker is part of SSH Tectia Client and SSH Tectia 
  ConnectSecure and is responsible for managing all connections 
  (including authentication).
  The ssh-broker-ctl command-line parsing is separated to specific 
  commands, such as status or list-keys. Most command-line options are 
  command-specific although there are generic options which work on all 
  or on multiple commands. 
  Syntax: 
  ssh-broker-ctl <command> [options]
  Examples of available commands:
    status           Print status and statistics for running Broker.
    list-connections List of open connections.
    list-channels    List of open connection channels. 
  (for a full list, enter: ssh-broker-ctl --help)

- Windows: SSH Tectia Client / ConnectSecure Broker GUI improvements: 
   - Fallback and pseudo IP options are disabled for direct and 
     block filter
   - Filter rule editing has been improved in the SSH Tectia 
     Configurator for:
      1. Any ports
      2. Single Port <option>
      3. Port range <port range>-<port range>
   - The FTP-SFTP Conversion and tunneling rules are now applied properly 
     when filtering by port; before the filter rules were not evaluated 
     in the expected order

- Windows: New options are available from SSH Tectia Status Window for:
	- Disconnecting a Connection
        - Terminating a channel for a selected Connection
        - Viewing information for individual user keys
        - Clearing cached PIN
  
- Windows: Adding a new profile with the SSH Tectia Terminal GUI now makes 
  the initial window of the profile to be of the same type as the current 
  GUI client window. That means that now it is possible to save connection 
  profiles that will default to the File Transfer GUI when initiated.



3.   Bug Fixes
--------------

Bug Fixes in 6.0.2: 
--------------------

- Solaris: Implemented compatibility fix for utilizing CAC cards on Solaris 
  via ActivCard middleware. 

- Unix: The ssh-tectia-ftp-conversion packages have been renamed to 
  ssh-tectia-capture.  The old ftp-conversion package must be uninstalled 
  before installing the new capture package. 

- All platforms: Setting the compression level via  
  <compression name="zlib" level="x" /> now works. 

- All platforms: CRL download now works also for certificates in which the 
  CRL Distribution Point URL contains %20 signs. 

- All platforms: The sshg3 command no longer closes the standard input and 
  output file descriptors at exit.  When running sshg3 in the system() call 
  of a perl script, reading from standard input now works also after 
  executing sshg3. 

- Linux: Fixed uninstall script so that all symlinks are now removed. 

- Windows: Fixed the context-sensitive help for some elements in the SSH 
  Tectia Configuration GUI. 

- Unix: ssh-scepclient-g3 is now included in the common packages. 

- Windows: Improved the memory utilization when performing transparent TCP 
  tunneling. 

- SUSE Linux: The stability of ssh-capture (previously ssh-convert-ftp) has 
  been improved. 

- All platforms: Nested X11 tunneling now works. 


Bug Fixes in 6.0.1:
-------------------

- All platforms: The sftpg3 client no longer fails if the server does not 
  support streaming. 

- Windows: Using transparent TCP tunneling with the default settings no 
  longer causes SSH Tectia Client 6.0 and SSH Tectia ConnectSecure to fail. 


Bug Fixes in 6.0.0:
-------------------

- Windows: Modifying the SSH Tectia Client configuration does no longer   
  interrupt the data communications of currently tunneled applications. 

- Windows: SSH Tectia Client on Windows no longer prompts for a passphrase 
  for pkcs12 certificate with null-passphrase private key. 

- All Unix platforms: SSH Tectia Client no longer fails when using   
  certificates with no passphrase for authentication. 

- Windows: SSH Tectia Client does no longer ask to enter the passphrase for 
  all the imported keys and certificates every time the configuration has 
  been modified with the GUI apply button. 

- Unix: sshg3 and scpg3 now return value 1 as expected, if they are used 
  with invalid options. 

- Windows and Solaris: Pressing CTRL-C in 'sshg3' during authentication now 
  works also when using keyboard-interactive authentication. 

- Linux: File transfer does no longer hang on Linux when using more than   
  1024 file descriptors. 

- Windows: X-forwarding to Sun Solaris now works. 

- Unix: It is now possible to use pkcs#11 and static tunnels with 
  passphrase-protected keys on Unix. This fix applies also to software keys. 

- All platforms: Fixed a variety of problems that could result in hangs or 
  disconnections when using FTP Tunneling. 

- All platforms: Using multiple site options with scpg3 now works so that   
  all options are respected and not only the last one (Mainframe specific). 

- Windows: Fixed 'ssh-broker-g3 --console' so that it now allows to see the 
  debug output of SSH Tectia Client and SSH Tectia ConnectSecure directly on 
  the console where it was run or redirect it to a file very easily. 
  Example: Running 'ssh-broker-g3 --console -D 5 -l log' will start GUI 
  broker and log the debug messages to a log file. 

- Windows: It is now possible to create Connection Profile shortcuts to the 
  user's Windows Desktop directly from SSH Tectia Client and SSH Tectia 
  ConnectSecure configuration window. In the SSH Tectia Configuration GUI, 
  select 'Connection Profiles' and press the 'Create Shortcut' button. 

- Windows: It is now possible to import the license file from SSH Tectia 
  Client and SSH Tectia ConnectSecure GUI menu: Help / Import License File. 

- All platforms: The Connection Broker does not forget the passphrase for 
  decoded keys after a new configuration is applied unless key provider 
  configuration was changed. 



4.   Known Issues
-----------------

- Windows: Uploading the public key functionality in the SSH Tectia Broker 
  Configuration GUI fails if a connection to the server does not exist.
  Workaround: First create a connection to the server using password 
  authentication and then use the upload public key functionality in the 
  Configuration GUI. 

- Solaris 8: Use bash version later than 2.0.3 to avoid high CPU usage with 
  SSH Tectia Client on Solaris 8. 

- Windows: If the "Transparent tunneling" component of SSH Tectia Client or 
  SSH Tectia ConnectSecure is installed on a Windows XP computer in a domain 
  where firewall exceptions are managed by a group policy, the exceptions get 
  changed so that the computer becomes inaccessible from the network. 
  Workaround: Edit the exceptions manually so that, for example, the server 
  port becomes accessible. 

- Windows: SFTP GUI might cause the existing local copy of a file to be 
  partially overwritten in ASCII mode, when downloading of the file from the 
  remote server fails due to missing file permissions. 

- All platforms: scpg3 shows the transfer time wrong if 
  "--statistics=simple" is set. 

- All platforms: When trying to connect to an SSH server that is not 
  available (i.e. the server is not running), the error message returned by 
  sshg3 is "Unable to connect to Broker". It should return "Unable to connect 
  to Server". 

- Windows: Reconnecting to the previously used Connection Profile by 
  pressing Enter in the SSH Tectia Terminal or File Transfer GUI may fail in 
  some cases. 
  Workaround: Select the profile from the menu. 

- Windows: Removing a token while it is being read could in some cases 
  result in SSH Tectia Connection Broker failure. 

- Windows: Opening multiple remote tunnels in a profile against OpenSSH 
  servers can cause SSH Tectia Connection Broker to fail. 

- Solaris: Installation packages do not detect the underlying Solaris 
  architecture to prevent installation of the x86-64 packages on x86 
  architecture. The packages can be installed but they will not work. 

- All platforms: Running the SSH Tectia Connection Broker in daemon mode 
  might be unreliable if sshg3/scpg3/sftpg3 is run immediately after 
  ssh-broker-g3 is started. 
  Workaround: After the Connection Broker starts, wait a few seconds before 
  issuing any commands. 

- Windows: SFTP chmod command is not supported against SSH Tectia Server 
  running on Windows. 

- Unix: Scripts that execute sftpg3 in batch mode get stopped when put to 
  background (Stopped (tty output)). 

- Unix: If scpg3 is used to copy a file to itself, the file will be 
  truncated and the scpg3 command hangs. 

- Windows: After the optional Transparent TCP Tunneling feature is 
  installed, it might interfere with third-party Bluetooth and IR network 
  drivers and prevent their usage. 

- Unix: The 'finger' command does not show the idle time correctly when 
  logged in using SFTP. 

- Linux on Cygwin: When using SSh Tectia Client with Cygwin X Windows 
  server, Oracle 'runinstaller' does not open. 

- HP-UX: Starting sshg3, scpg3, and sftpg3 fails if getting the current 
  working directory fails. 

- Windows: When running sftpg3 in batch mode, the Connection Broker may log 
  the Broker_channel_process_exit_failed messages with status "Operation 
  failed". These are system internal events and do not indicate any failure 
  in the file transfer operation. 

- All platforms: Trying to transfer a file to a Sun SSH 1.0.1 server fails 
  and returns a protocol error. Connections against Sun SSH 1.1 servers do 
  not have this problem. 

- Windows: The exit values for scpg3 do not match the values mentioned in 
  the documentation in these error situations: connection lost, interrupting 
  a file transfer using Ctrl+C, trying to copy to a directory, but the 
  destination is not a directory. Nevertheless, in all these cases the return 
  value is non-zero. 

- All platforms: When trying to save a host key to a location without write 
  permissions, the connection fails and a non-informative error message is 
  shown. 

- All platforms: When DSA and RSA host keys are available from an OpenSSH 
  server, SSH Tectia Client and ConnectSecure only allow DSA keys. 

- All platforms: scpg3 does not warn about the existence of directories 
  when shell globbing is used, for example: 
  scpg3 "/tmp/testdir/*" user@server:/tmp 
  However, the correct warning is displayed if the scpg3 command is used 
  without globbing: 
  scpg3 /tmp/testdir/* user@server:/tmp 

- All platforms: Certificate validation path construction from LDAP fails, 
  if the LDAP server requires suffix ';binary' for the PKI binary blob 
  attribute names. 

- Windows: If the Connection Broker is started for another userID using the 
  'runas' command, the user dialogs are shown for the user who started the 
  process. 

- All platforms: Server creates empty files if the user tries to transfer 
  files without correct server-side permissions. The correct error message is 
  displayed. 

- All platforms: API function ssh_secsh_broker_channel_close() might fail 
  in some cases. 

- Windows: Local TCP tunneling using listener port 0 does not work. 

- Windows: When running a remote command against a Windows server, the 
  output from standard out and standard error might overlap. 

- Windows: The Connection Broker might crash on exit after a long-duration 
  file transfer session. 

- Windows: When trying to remotely access Unix files that contain illegal 
  Windows characters (for example: *, ? and ~) those files cannot be 
  transferred or accessed if using relative paths.
  Workaround: Use absolute paths for accessing the files on the remote 
  server after escaping the illegal characters. 

- Windows: Under certain circumstances, reconfiguration of the Connection 
  Broker can take up to 10 seconds. 

- All platforms: It is possible to generate all lengths of RSA/DSA keys in 
  FIPS mode, although the SSH Tectia Client/Server software will only accept 
  keys compliant with FIPS. 

- Windows: If trying to connect from a Windows GUI client to an OpenSSH 
  server with a public key and option command="ls", the client hangs. When 
  performed with the Windows command-line client (sshg3) it works properly. 

- Windows: When using regular expressions in filter rules the dot character 
  '.' does not work as expected. For example, when using a filter rule for 
  tunneling of telnet.exe using regular expression: '.*.ssh.com' the 
  connection will not be tunneled even if the regular expression matched the 
  host address. 
  Workaround: Add a '\' in front of the '.' For example, the previous 
  regular expression should be:  '.*\.ssh\.com' 

- Windows: When the user creates a filter rule for certain applications 
  (e.g firefox.exe), and later decides to filter another application  (e.g. 
  telnet.exe ), both applications will use the same filters unless the first 
  application is restarted. 

- All platforms: If a wrong passphrase is provided several times for a key, 
  the Connection Broker skips it and proceeds to the next key. If it is an 
  OpenSSH key, once it has been skipped because of a decoding failure, the 
  Connection Broker makes no further attempts to use the key on next login 
  attempts. The Connection Broker must be reloaded or restarted in order to 
  use that OpenSSH key for authentication. 

- Windows/Unix: On Windows, the OpenSSH key's GUI prompt cannot be 
  canceled. On OpenSSH, the key passphrase prompting loops if no passphrase 
  is given. Ctrl+C can be used to get rid of the prompt, but that cancels the 
  whole Secure Shell connection. 

- Windows: Secure file transfer speed may be slower against SSH Tectia 
  Server on Windows than against SSH Tectia Server on Linux. 

- Windows: PKCS#12 certificates cannot currently be imported via the GUI. 

- Windows: If multiple concurrent terminal services sessions are opened for 
  the same user, the services sessions share the same Connection Broker 
  session. This can cause that the user banner and dialog boxes may be 
  displayed to the wrong session. Opening several concurrent terminal 
  services sessions for the same user does not provide secure separation of 
  sessions. 

- All platforms: After changing the password on a Secure Shell server, but 
  before logging in with the new password, the Connection Broker must be 
  restarted to close the previous connection, or the user must wait for the 
  connection to time out (by default 5 seconds). If this is not done, login 
  with the new password will not succeed. 
  


5.   Further Information
----------------------

  More information can be found from the man pages and from the SSH Tectia 
  manuals that are also available at http://www.ssh.com/support/.

  Additional licenses can be purchased from our online store at: 
  http://www.ssh.com/buy/online/.