Release Notes for SSH Tectia ConnectSecure 6.0.2
------------------------------------------------

30 June 2008


(C) 2008 SSH Communications Security Corp.
This software is protected by international copyright laws.
All Rights Reserved.


Table of Contents

1.   About This Release
2.   New Features
3.   Bug Fixes and Minor Features
4.   Known Issues
5.   Further Information



1.   About This Release
----------------------

  The SSH Tectia client/server solution 6.0 is an end-to-end 
  communications security solution for multi-platform environments. 
  It is based on the Secure Shell technology from the original developers. 
  The SSH Tectia client/server solution consists of four base products:
  
  * SSH Tectia Client
  * SSH Tectia ConnectSecure
  * SSH Tectia Server
  * SSH Tectia Server for IBM z/OS

  SSH Tectia Client provides a conventional and powerful secure terminal  
  and secure file transfer client to be used in conjunction with SSH Tectia 
  Server or other Secure Shell servers to enable secure connectivity and 
  file transfers in heterogeneous enterprise environments.

  SSH Tectia ConnectSecure provides additional powerful features to 
  transparently secure FTP file transfers and server connectivity.
  SSH Tectia ConnectSecure is designed especially for server-to-server
  file transfer security and it introduces new features enabling enhanced, 
  high-performance file transfers in conjunction with SSH Tectia Servers,
  third-party or OpenSSH servers in heterogeneous enterprise environments.
  
  SSH Tectia ConnectSecure replaces the EFT expansion packs for SSH Tectia 
  Client and Server that were available in SSH Tectia version 5.x.

  We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x
  products, before installing SSH Tectia ConnectSecure 6.0.

  SSH Tectia ConnectSecure 6.0.2 introduces several features from earlier 
  SSH Tectia 4.4.x implementations to the new G3 architecture, easing the 
  migration process to the latest 6.0.x version. It also includes other new 
  minor features and fixes.



2.   New Features
-----------------

  The following list includes the new features implemented in SSH Tectia 
  Client and SSH Tectia ConnectSecure.

New features in 6.0.2:
----------------------

- All platforms: The host-key option 'accept-unknown-host-keys' has been 
  modified to more closely match the behavior of SSH Tectia Client 4.4.x:

    * For a host with no existing key it
         1. Emits an audit log message (if auditing has been enabled)
         2. Prints a message on screen
         3. Saves the key on disk
         4. Proceeds with the connection 

    * For a host with an existing key that is different from the offered 
  key it
         1. Emits an audit log message (if auditing has been enabled)
         2. Prints a visible warning message on screen
         3. Proceeds with the connection 

  This should be equivalent to the behavior of SSH Tectia Client 4.4.x 
  with StrictHostKeyChecking=no. 

- All platforms: New option 'authentication-success-message' exists for 
  configuring whether the success messages are output. 

- All platforms: Usage of user name variables has been enabled in the 
  keystore configurations, such as:
  <key-store type="software" 
  init="key_files(/u/exa/%U/keys/enigma.pub,/u/exa/%U/keys/enigma)" />
  <key-store type="software" init="directory(path(/u/exa/keys/%U))" /> 

- New platform support: Added support for VMware ESX Server 3.5. 

- Unix: SSH Tectia ConnectSecure now supports Transparent TCP Tunneling 
  also on Unix platforms. 

    * The ssh-tectia-ftp-conversion-* installation packages have been 
      renamed ssh-tectia-capture-*. 

    * The ssh-convert-ftp command has been renamed ssh-capture and it is 
      used also for Transparent TCP Tunneling in addition to Transparent 
      FTP Tunneling and FTP-SFTP Conversion. 

- All platforms: The following new 6.0.x command-line options have been 
  added to scpg3 and sftpg3:
    -C
    +C
    -c, --compression
    -i file
    -K, --identity-key-file=file
    --ciphers=cipher-list
    --exclusive
    --identity=id
    --identity-key-id=id
    --identity-key-hash=id 
    --keep-alive
    --macs=mac-list
    --tcp-connect-timeout 

- Unix: The '-f, --fork-into-background' option of sshg3 now works as in 
  SSH Tectia Client 4.x. 

- All platforms: A client-side keep-alive option has been implemented for 
  automatically sending a keep-alive message to the server at configurable 
  regular intervals. This enables connections in environments where the 
  firewall is set to disconnect the connection after a certain idle timeout 
  period. 
  <keepalive-interval time="xx" /> 

- All platforms: sftpg3 now reads the 
  <sftpg3-mode compatibility-mode="xxx"/> option from the Connection Broker 
  configuration file. 
  Possible values are:
  tectia:  The default behavior, which copies directories recursively
  ftp:     get/put commands are executed as sget/sput, and 
           mget/mput commands have recursion depth set to 1.
  openssh: get/put/mget/mput are the same, with recursion depth set to 1.

  The mode set via the Connection Broker configuration can be 
  overridden with environment variable 'SSH_SFTP_CMD_GETPUT_MODE'. The 
  recursion depth can be overridden by adding option '--max-depth=yyy' to 
  commands get/put/mget/mput on the command line. 

- All platforms: Warnings about a hostkey being changed or not found are 
  now logged via syslog. 

- All platforms: Agent forwarding compatibility has been implemented 
  between SSH Tectia Client and OpenSSH (where the Connection Broker of SSH 
  Tectia Client serves as the authentication agent for subsequent connections 
  by the OpenSSH client). All SSH Tectia products involved need to be at 
  version 6.0.2 for this to work. 

- All platforms: New option 'tcp-connect-timeout' exists for timing out the 
  TCP connection when the target host is unreachable.
  <tcp-connect-timeout time="xx" /> 


New features in 6.0.0:
----------------------

- New platform support:
  o HP-UX 11i v3 (PA-RISC, IA64) 
  o SUSE Linux Enterprise Server 10 (x86, x86-64)
  o SUSE Linux Enterprise Desktop 10 (x86, x86-64) 
  o Red Hat Enterprise Linux 5.1 (x86, x86-64)

- Windows: NEW Transparent TCP Tunneling functionality. 
  SSH Tectia Client and ConnectSecure on Windows can transparently secure 
  several essential software applications used by administrators for remote 
  administration of business-critical hosts running on Windows, Unix, Linux 
  and IBM mainframe systems. This includes remote desktop software such as 
  VNC and RDP. SSH Tectia Client can also be used to secure any existing 
  Telnet-based terminal connections to enterprise applications, as well as 
  remote access to business email or corporate intranet. This feature is 
  supported on Windows XP and 2000 by SSH Tectia Client and also on Windows 
  Server 2003 by SSH Tectia ConnectSecure.

- All platforms: Added '-K' option to 'sshg3' to select a specific key 
  for authentication.

- All platforms: Added option '--identity' for SSH Tectia Client and 
  SSH Tectia ConnectSecure so that it is possible to specify a key 
  from the key store to use (identified either by the key ID or public 
  key hash).
  Syntax: 
  sshg3: [OPTION]... PROFILE|[USER@]HOST[#PORT] [COMMAND]
   --identity=<id>   Use private key 'id' as user identification.
      The 'id' can be either key id, key hash or a key file name.
   --identity-key-id=<id>    Use key id as a user identification.
   --identity-key-hash=<id>  Use key hash as a user identification.

- All platforms: The ssh '-c' command-line option in SSH Tectia Client 4.x, 
  where you used to supply the name of the cipher that you were using is 
  now recognized in 6.0.
  Syntax:
   -c, --ciphers=<ciphers>
      Allow only selected ciphers to be used. 
      Giving value 'help' lists available ciphers.
   -m, --macs=<macs>
      Allow only selected MACs to be used. 
      Giving value 'help' lists available MACs.

- All platforms: Added option '-K' to 'sshg3' to select a specific 
  key for authentication.
  Syntax: 
  sshg3 -K, --identity-key-file=<file>     
     Use key file as a user identification.

- All platforms: In SSH Tectia Client 4.x, the ssh-add2 command has option 
  '-p' that makes the agent read the passphrase from stdin. This 
  functionality is now available in the Connection Broker in SSH Tectia 6.0.

- All platforms: Added time stamps to debug the output of 
  SSH Tectia Client/Server/ConnectSecure 6.0.

- All platforms: Support for shell command ! added into sftpg3. 
  Syntax: 
  sftp> help ! 
    ! [<command> [<args>]] 
    Invoke an interactive shell on the local machine. 
    If <command> is given, it is used as the command to be executed. 
    Optional <args> are used as arguments to the command.

- All platforms: Added option '-i' to use selected private keys 
  with the sshg3 command line tool.
  Syntax: 
  sshg3 -i <file> 
    Use private keys defined in the identification file to authenticate 
    with the public-key method.

- All platforms: A new command-line tool 'ssh-broker-ctl' is available
  for managing and monitoring the Connection Broker.   
  The Connection Broker is part of SSH Tectia Client and SSH Tectia 
  ConnectSecure and is responsible for managing all connections 
  (including authentication).
  The ssh-broker-ctl command-line parsing is separated to specific 
  commands, such as status or list-keys. Most command-line options are 
  command-specific although there are generic options which work on all 
  or on multiple commands. 
  Syntax: ssh-broker-ctl <command> [options]
  Examples of available commands:
    status           Print status and statistics for running Broker.
    list-connections List of open connections.
    list-channels    List of open connection channels. 
  (for a full list, enter: ssh-broker-ctl --help)

- Windows: SSH Tectia Client / ConnectSecure Broker GUI improvements: 
   - Fallback and pseudo IP options are disabled for direct and 
     block filter
   - Filter rule editing has been improved in the SSH Tectia 
     Configurator for:
      1. Any ports
      2. Single Port <option>
      3. Port range <port range>-<port range>
   - The FTP-SFTP Conversion and tunneling rules are now applied properly 
     when filtering by port; before the filter rules were not evaluated 
     in the expected order

- Windows: New options are available from SSH Tectia Status Window for:
	- Disconnecting a Connection
  - Terminating a channel for a selected Connection
  - Viewing information for individual user keys
  - Clearing cached PIN
  
- Windows: Adding a new profile with the SSH Tectia Terminal GUI now makes 
  the initial window of the profile to be of the same type as the current 
  GUI client window. That means that now it is possible to save connection 
  profiles that will default to the File Transfer GUI when initiated.

- All platforms: NEW Product SSH Tectia ConnectSecure.
  SSH Tectia ConnectSecure is designed for server-to-server file transfer 
  security. SSH Tectia ConnectSecure is able to automatically convert FTP 
  to SFTP and/or to tunnel FTP transparently. In addition, SSH Tectia 
  ConnectSecure includes Java and C APIs to integrate SFTP to third-party 
  applications. For more information on the ConnectSecure functionality, 
  refer to the SSH Tectia ConnectSecure Administrator Manual.

- Windows: SSH Tectia ConnectSecure can also be used on a Windows
  machine to transparently secure essential application connections with
  automatic secure connection setup. SSH Tectia ConnectSecure can
  automatically open and secure the connection based on the information
  provided by the software that needs to be secured, thus eliminating the
  need to generate complicated configurations for connecting to a large 
  amount of different servers.
  
- Windows: NEW Transparent TCP Tunneling functionality on Windows Server 
  2003 by SSH Tectia ConnectSecure.  SSH Tectia ConnectSecure on Windows 
  can transparently secure several essential software applications used by 
  administrators for remote administration of business-critical hosts
  running on Windows, Unix, Linux and IBM mainframe systems. This includes
  remote desktop software such as VNC and RDP. SSH Tectia ConnectSecure
  can also be used to secure any existing Telnet-based terminal connections 
  to enterprise applications, as well as remote access to business email or 
  corporate intranet.

- FTP-SFTP conversion is now supported also on the following platforms:
  o AIX 5.3
  o HP-UX (IA64)
  o Red Hat and SUSE Linux (x86-64)
  o Microsoft Windows Server 2003 (32-bit)

- Windows: Added a new FTP-SFTP conversion setting: 'Filter @ signs'. 
  The new option can be used with FTP-SFTP conversion when specially 
  formatted FTP scripts are used to open connections directly to the SFTP 
  servers, bypassing any proxies. When enabled, the FTP server name, 
  user name, and password are extracted from the scripts and used for the 
  SFTP connections.



3.   Bug Fixes
--------------

Bug Fixes in 6.0.2: 
--------------------

- Solaris: Implemented compatibility fix for utilizing CAC cards on Solaris 
  via ActivCard middleware. 

- Unix: The ssh-tectia-ftp-conversion packages have been renamed 
  to ssh-tectia-capture.  The old ftp-conversion package must be uninstalled 
  before installing the new capture package. 

- All platforms: Setting the compression level via  
  <compression name="zlib" level="x" /> now works. 

- All platforms: CRL download now works also for certificates in which the 
  CRL Distribution Point URL contains %20 signs. 

- All platforms: The sshg3 command no longer closes the standard input and 
  output file descriptors at exit.  When running sshg3 in the system() call 
  of a perl script, reading from standard input now works also after 
  executing sshg3. 

- Linux: Fixed uninstall script so that all symlinks are now removed. 

- Windows: Fixed the context-sensitive help for some elements in the SSH 
  Tectia Configuration GUI. 

- Unix: ssh-scepclient-g3 is now included in the common packages. 

- Windows: Improved the memory utilization when performing transparent TCP 
  tunneling. 

- SUSE Linux: The stability of ssh-capture (previously ssh-convert-ftp) has 
  been improved. 

- All platforms: Nested X11 tunneling now works. 


Bug Fixes in 6.0.1:
-------------------

- All platforms: The sftpg3 client no longer fails if the server does not 
  support streaming. 

- Windows: Using transparent TCP tunneling with the default settings no 
  longer causes SSH Tectia Client 6.0 and SSH Tectia ConnectSecure to fail. 


Bug Fixes in 6.0.0:
-------------------

- Windows: Modifying the SSH Tectia Connection Broker configuration no 
  longer interrupts the data communications of currently tunneled 
  applications. 

- All Unix: ASCII conversion is now working properly when used in FTP-SFTP 
  conversion. 

- Windows: SSH Tectia ConnectSecure on Windows no longer prompts for a 
  passphrase for pkcs12 certificate with null-passphrase private key. 

- All Unix platforms: SSH Tectia ConnectSecure no longer fails when using   
  certificates with no passphrase for authentication. 

- Windows: SSH Tectia ConnectSecure does no longer ask to enter the 
  passphrase for all the imported keys and certificates every time the 
  configuration has been modified with the GUI apply button. 

- Unix: sshg3 and scpg3 now return value 1 as expected, if they are used 
  with invalid options. 

- Windows and Solaris: Pressing CTRL-C in 'sshg3' during authentication now 
  works also when using keyboard-interactive authentication. 

- Solaris: SSH Tectia Client / Server / ConnectSecure installation packages 
  now detect the underlying Solaris architecture and prevent installation of 
  the x86 packages on the x86-64 architecture. 

- Linux: File transfer does no longer hang on Linux when using more than   
  1024 file descriptors. 
  
- All Unix: An issue was fixed where unclear error messages were shown if 
  trying to upload a file to a folder where the user did not have the 
  correct permission when using FTP-SFTP conversion. 
  
- Windows: X-forwarding to Sun Solaris now works.

- All Unix: Faster file transfers are now possible when using FTP-SFTP 
  conversion by setting streaming via the environment variable 
  SSH_SFTP_STREAMING_MODE. See ConnectSecure documentation for more 
  information. 

- Unix: It is now possible to use pkcs#11 and static tunnels with 
  passphrase-protected keys on Unix. This fix applies also to software keys. 

- All platforms: Fixed a variety of problems that could result in hangs or 
  disconnections when using FTP Tunneling. 

- All platforms: Using multiple site options with scpg3 now works so that   
  all options are respected and not only the last one (Mainframe specific). 

- Windows: Fixed 'ssh-broker-g3 --console' so that it now allows to see the 
  debug output of SSH Tectia Client and SSH Tectia ConnectSecure directly on 
  the console where it was run or redirect it to a file very easily. Example: 
  Running 'ssh-broker-g3 --console -D 5 -l log' will start GUI broker and log 
  the debug messages to a log file. 

- Windows: It is now possible to create Connection Profile shortcuts to the 
  user's Windows Desktop directly from SSH Tectia Client and SSH Tectia 
  ConnectSecure configuration window. In the SSH Tectia Configuration GUI, 
  select 'Connection Profiles' and press the 'Create Shortcut' button. 

- Windows: The FTP-SFTP conversion and transparent tunneling rules are now 
  applied properly when filtering by port.
  
- Windows: It is now possible to import the license file from SSH Tectia 
  Client and SSH Tectia ConnectSecure GUI menu: Help / Import License File. 

- All platforms: The Connection Broker does not forget the passphrase for 
  decoded keys after a new configuration is applied unless key provider 
  configuration was changed. 



4.   Known Issues
-----------------

- Windows: Uploading the public key functionality in the SSH Tectia Broker 
  Configuration GUI fails if a connection to the server does not exist.
  Workaround: First create a connection to the server using password 
  authentication and then use the upload public key functionality in the 
  Configuration GUI. 

- Unix: All installed SSH Tectia products must be upgraded to 6.0.2 at the 
  same time. If some packages are left to 6.0.1 or older version, they will 
  stop working when the 6.0.2 common package is installed. 

- Solaris 8: Use bash version later than 2.0.3 to avoid high CPU usage with 
  SSH Tectia Client on Solaris 8. 

- All platforms: Transparent FTP tunneling is not working in passive mode. 
  FTP tunneling supports only active mode. Alternative is to use FTP 
  conversion which supports both active and passive mode. 

- All platforms: When creating a filter for transparent tunneling or FTP 
  Conversion based on a hostname, applications that connect with an IP 
  address will not be tunneled and vice versa. 

- Linux: mget* cannot be used with the default FTP client included in 
  RedHat Linux releases when there are hidden directories are in the 
  specified tree. 

- Windows: If the "Transparent tunneling" component of SSH Tectia Client or 
  SSH Tectia ConnectSecure is installed on a Windows XP computer in a domain 
  where firewall exceptions are managed by a group policy, the exceptions get 
  changed so that the computer becomes inaccessible from the network. 
  Workaround: Edit the exceptions manually so that, for example, the server 
  port becomes accessible. 

- Windows: SFTP GUI might cause the existing local copy of a file to be 
  partially overwritten in ASCII mode, when downloading the file from the 
  remote server fails due to missing file permissions. 
  
- All platforms: 'scpg3' shows the transfer time wrong if 
  "--statistics=simple" is set. 

- Windows: FTP-SFTP conversion against localhost is currently not supported 
  on Windows. 

- All platforms: When trying to connect to an SSH server that is not 
  available (i.e. the server is not running), the error message returned by 
  'sshg3' is "Unable to connect to Broker". 
  It should return "Unable to connect to Server". 

- Windows, FTP tunneling or FTP-SFTP conversion: Wrong host information is 
  printed to the FTP client if the FTP tunneling or FTP-SFTP conversion 
  filter rule uses a profile which specifies a host name. When FTP tunneling 
  or FTP-SFTP conversion uses a predefined profile, but a different host is 
  specified for ftp.exe on the command line, the connection is done 
  correctly to the host specified in the profile, but the host given to 
  ftp.exe is printed instead of the real host obtained from the profile. 
  
- Windows: Reconnecting to the previously used Connection Profile by 
  pressing Enter in the SSH Tectia Terminal or File Transfer GUI may fail in 
  some cases. 
  Workaround: Select the profile from the menu. 
  
- Windows: The FTP client on Windows may display a "failed to unlink 
  workfile" message when using FTP-SFTP conversion. This message can be 
  safely ignored. Please refer to: 
  http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/ 
  w2000Msgs/3606.mspx?mfr=true 

- Windows: Removing a token while it is being read could in some cases 
  result in SSH Tectia Connection Broker failure. 

- Windows: Opening multiple remote tunnels in a profile against OpenSSH 
  servers can cause SSH Tectia Connection Broker to fail. 

- Solaris: Installation packages do not detect the underlying Solaris 
  architecture to prevent installation of the x86-64 packages on x86 
  architecture. The packages can be installed but they will not work.

- All platforms, SSH Tectia API: Multiple authentications from the same 
  process do not work; e.g. multi-threaded clients in which two or more 
  threads want to connect simultaneously to different servers using different 
  authentication callbacks and relying on the callback data. 
  Workaround: Use serial authentication phase. 

- All platforms: Running the SSH Tectia Connection Broker in daemon mode 
  might be unreliable if sshg3/scpg3/sftpg3 is run immediately after 
  ssh-broker-g3 is started. 
  Workaround: After the Connection Broker starts, wait a few seconds before 
  issuing any commands. 

- Windows: SFTP chmod command against SSH Tectia Server running on Windows 
  is not supported. 

- Unix: Script that executes sftpg3 in batch mode gets stopped when put to 
  background (Stopped (tty output)). 

- Some HP-UX platforms: Transparent FTP tunneling or FTP-SFTP conversion 
  may fail to get the proper FTP client name. Workaround: Change the filter 
  rule to match all applications or have an empty value. 

- Unix: If scpg3 is used to copy a file to itself, the file will be 
  truncated and the scpg3 command hangs. 

- Windows 2003: When using FTP-SFTP conversion on Windows 2003 server, 
  fallback to plain FTP is not working. 

- Windows: After the optional Transparent TCP Tunneling feature is 
  installed, it might interfere with third-party Bluetooth and IR network 
  drivers and prevent their usage. 

- Unix: The 'finger' command does not show the idle time correctly when 
  logged in using SFTP. 

- All platforms: When FTP-SFTP conversion falls back to plain mode, it 
  gives a confusing message: 
  Login successful. 
  *** FALLBACK TO PLAIN FTP: Unable to connect to server *** 

- Windows: In FTP-SFTP conversion, when using a filter based on the host 
  name, the FTP client will fail to connect to the FTP server if using an IP 
  address. Workaround: Use the same host name or IP address in the filter 
  rules that is used on the command line with the FTP client. 

- Windows: When using FTP-SFTP conversion with the "fallback to plain" 
  option enabled, active mode FTP will not work. 

- Windows: When creating FTP-SFTP conversion filter rules, always specify 
  the port unambiguously if fallback mode is set. Filter only the port that 
  your application is listening to. 

- Linux on Cygwin: when using Tectia Client with Cygwin X Windows server, 
  Oracle 'runinstaller' does not open. 

- Solaris 10: SSH Tectia Server and the FTP-SFTP conversion component of 
  SSH Tectia ConnectSecure need to be uninstalled separately from each local 
  zone, if they got installed to all zones by installing into the global 
  zone. 

- HP-UX: Starting sshg3, scpg3, and sftpg3 fails if getting the current 
  working directory fails. 

- Windows: When running sftpg3 in batch mode, the Connection Broker may log 
  the Broker_channel_process_exit_failed messages with status "Operation 
  failed". These are system internal events and do not indicate any failure 
  in the file transfer operation. 

- All platforms: Trying to transfer a file to a Sun SSH 1.0.1 server fails 
  and returns a protocol error. Connections against Sun SSH 1.1 servers do 
  not have this problem. 

- Windows: The exit values for scpg3 do not match the values mentioned in 
  the documentation in these error situations: connection lost, interrupting 
  a file transfer using Ctrl+C, trying to copy to a directory, but the 
  destination is not a directory. Nevertheless, in all these cases the return 
  value is non-zero. 

- All platforms: When trying to save a host key to a location without write 
  permissions, the connection fails and a non-informative error message is 
  shown. 

- All platforms: When DSA and RSA host keys are available from an OpenSSH 
  server, SSH Tectia Client and ConnectSecure only allow DSA keys. 
  
- All platforms: The FTP-SFTP conversion does not show the SSH Tectia 
  Server banner message. 

- All platforms: scpg3 does not warn about the existence of directories 
  when shell globbing is used, for example: 
  scpg3 "/tmp/testdir/*" user@server:/tmp 
  However, the correct warning is displayed if the scpg3 command is used 
  without globbing: 
  scpg3 /tmp/testdir/* user@server:/tmp 

- All platforms: Certificate validation path construction from LDAP fails, 
  if the LDAP server requires suffix ';binary' for the PKI binary blob 
  attribute names. 

- Windows: If the Connection Broker is started for another userID using the 
  'runas' command, the user dialogs are shown for the user who started the 
  process. 

- All platforms: Server creates empty files if the user tries to transfer 
  files without correct server-side permissions. The correct error message is 
  displayed. 

- All platforms: API function ssh_secsh_broker_channel_close() might fail 
  in some cases. 

- Windows: Local TCP tunneling using listener port 0 does not work. 

- Windows: When running a remote command against a Windows server, the 
  output from standard out and standard error might overlap. 

- Windows: SSH Tectia API for Windows currently contains dynamic libraries 
  without any debugging information. 

- Windows: The Connection Broker might crash on exit after a long-duration 
  file transfer session. 

- Windows: When trying to remotely access Unix files that contain illegal 
  Windows characters (for example: *, ? and ~) those files cannot be 
  transferred or accessed if using relative paths.
  Workaround: Use absolute paths for accessing the files on the remote 
  server after escaping the illegal characters. 

- Windows: Under certain circumstances, reconfiguration of the Connection 
  Broker can take up to 10 seconds. 

- All platforms: It is possible to generate all lengths of RSA/DSA keys in 
  FIPS mode, although the SSH Tectia Client/Server software will only accept 
  keys compliant with FIPS. 

- Windows: If trying to connect from a Windows GUI client to an OpenSSH 
  server with a public key and option command="ls", the client hangs. When 
  performed with the Windows command-line client (sshg3) it works properly. 

- Windows: When using regular expressions in filter rules the dot character 
  '.' does not work as expected. For example, when using a filter rule for 
  tunneling of telnet.exe using regular expression: '.*.ssh.com' the 
  connection will not be tunneled even if the regular expression matched the 
  host address. 
  Workaround: Add a '\' in front of the '.' For example, the previous 
  regular expression should be:  '.*\.ssh\.com' 

- Windows: When the user creates a filter rule for certain applications 
  (e.g firefox.exe), and later decides to filter another application  (e.g. 
  telnet.exe ), both applications will use the same filters unless the first 
  application is restarted. 

- All platforms: If a wrong passphrase is provided several times for a key, 
  the Connection Broker skips it and proceeds to the next key. If it is an 
  OpenSSH key, once it has been skipped because of a decoding failure, the 
  Connection Broker makes no further attempts to use the key on next login 
  attempts. The Connection Broker must be reloaded or restarted in order to 
  use that OpenSSH key for authentication. 

- Windows/Unix: On Windows, the OpenSSH key's GUI prompt cannot be 
  canceled. On OpenSSH, the key passphrase prompting loops if no passphrase 
  is given. Ctrl+C can be used to get rid of the prompt, but that cancels the 
  whole Secure Shell connection. 

- Windows: Secure file transfer speed may be slower against SSH Tectia 
  Server on Windows than against SSH Tectia Server on Linux. 

- Windows: PKCS#12 certificates cannot currently be imported via the GUI. 

- Windows: If multiple concurrent terminal services sessions are opened for 
  the same user, the services sessions share the same Connection Broker 
  session. This can cause that the user banner and dialog boxes may be 
  displayed to the wrong session. Opening several concurrent terminal 
  services sessions for the same user does not provide secure separation of 
  sessions. 

- All platforms: After changing the password on a Secure Shell server, but 
  before logging in with the new password, the Connection Broker must be 
  restarted to close the previous connection, or the user must wait for the 
  connection to time out (by default 5 seconds). If this is not done, login 
  with the new password will not succeed. 



5.   Further Information
------------------------

  More information can be found from the man pages and from the SSH Tectia 
  manuals that are also available at http://www.ssh.com/support/.

  Additional licenses can be purchased from our online store at: 
  http://www.ssh.com/buy/online/.