Release Notes for SSH Tectia Server 5.3.8
-----------------------------------------

10 July 2008

(C) 2008 SSH Communications Security Corp.
This software is protected by international copyright laws. All Rights Reserved.

Table of Contents

1. About This Release
2. New Features
3. Bug Fixes and Minor Features
4. Known Issues
5. Further Information


1. About This Release
-----------------------

The SSH Tectia client/server solution 5.3 is an end-to-end communications
security solution for multi-platform environments. It is based on the Secure
Shell technology from the original developers.

The SSH Tectia client/server solution consists of four base products:

  * SSH Tectia Server
  * SSH Tectia Server for IBM z/OS
  * SSH Tectia Client
  * SSH Tectia Connector

The base products are expandable with the following add-on products:

  * EFT Expansion Pack for SSH Tectia Server
  * EFT Expansion Pack for SSH Tectia Client
  * Tunneling Expansion Pack for SSH Tectia Server

SSH Tectia Server 5.3 provides secure terminal, secure file transfer, and
tunneling server functionality for system administrators and other users of
SSH Tectia Client.

SSH Tectia Server 5.3 with EFT Expansion Pack provides a secure file transfer
server to be used in conjunction with SSH Tectia Client with EFT Expansion
Pack, enabling enhanced, high-performance file transfers in heterogeneous
enterprise environments.

SSH Tectia Server 5.3 with Tunneling Expansion Pack provides tunneling server
functionality for users of SSH Tectia Connector, and secure terminal and
secure file transfer functionality for users of SSH Tectia Client.

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products
before installing SSH Tectia Server 5.3.


2. New Features
-----------------

In 5.3.4:
---------

- All platforms: When configuring certificate authentication, the selectors
  can now be set to ignore the prefix and/or suffix of the given pattern.
  This simplifies the configuration of selectors, for example in cases where
  the certificates in use have many different formats for the subject name
  field. Configuration examples can be found in the SSH Tectia Server 5.3.4
  Administrator Manual (page 63).

In 5.3.3:
---------

- All platforms: The Server now includes ssh-scepclient-g3, a command for
  enrolling certificates using the SCEP protocol.

- All platforms: SSH Tectia Server can now fetch CRLs also from a file, in
  addition to LDAP and HTTP.

In 5.3.2:
---------

- SSH Tectia Server does not allow modifying the configuration from the SSH
  Tectia Server configuration GUI if the configuration is under SSH Tectia
  Manager management. The administrator can start and stop SSH Tectia Server
  from the GUI, but cannot press the Apply, OK or Restore Default Settings
  buttons. Those buttons are disabled, and SSH Tectia Server gives a warning
  message when the Server Configuration GUI is opened.

In 5.3.0:
---------

- Support for installing the SSH Tectia software into Sun Solaris 10 zones.

- New supported platforms:
  - Native 64-bit (x86-64) packages for Red Hat Enterprise Linux 3, 4, and 5
  - Sun Solaris 10 64-bit (x86-64)

- Dropped platform support:
  - Sun Solaris 2.6, 7
  - HP-UX 11.0, 11.22
  - AIX 5.1

- Two new user documents:
  - SSH Tectia Client/Server (Unix) Quick Start Guide
  - SSH Tectia Client/Server (Windows) Quick Start Guide


3. Bug Fixes and Minor Features
---------------------------------

In 5.3.8:
---------

- All platforms: Using the crl-prefetch element in the configuration no
  longer causes the server to hang during the initial configuration read.

- Unix: Connections from Tumbleweed SFTP clients are now closed properly.

- Unix: Added support for serializing access to the HP-UX PAM library by
  setting the SSH_PAM_POLICY environment variable prior to starting the
  server.
  The supported values are:
    * None (or not set): behaviour is unchanged from previous 5.3 versions
    * Partial: only one thread at a time can execute code in the PAM library
    * Full: the previous PAM authentication sequence has to finish before
      another one can start

- HP-UX: The SHLIB_PATH environment variable is now passed on to the servant
  processes, if set. This enables the use of alternative dynamically loaded
  libraries on HP-UX.

- HP-UX: Added support for turning on internal mutex error checking in
  libpthread by setting the environment variable
  "SSH_ENABLE_MUTEX_ERRORCHECK=Yes" prior to starting the server. This may
  help in troubleshooting situations.

- Unix/Linux: Corrected an SFTP audit message to state
  "Sft_server_upload_end" instead of "Sft_server_download_end" when a file
  upload ends.

- All platforms: Enabled LDAP idle timeouts so that LDAP connections do not
  stay open forever.

- HP-UX: Improved stability when running for long periods under heavy use.
  SIGBUS, SIGSEGV, SIGPIPE and SIGPOLL are no longer blocked.

- Unix: Improved stability under stress when performing file transfers with
  --streaming=force.

- Solaris: ssh-user-fileio is now run as the user instead of as root. Running
  it as root caused public-key authentication to fail in environments where
  home directories were mounted via NFS and the NFS server was configured not
  to trust the remote root.

- HP-UX 11.11 (PA-RISC): utmp entries from logins to SSH Tectia Server no
  longer occasionally get stuck.

In 5.3.7:
---------

- Unix: SSH Tectia Server reconfiguration now correctly retains the HTTP
  proxy settings for certificate validation.

- Windows: Improved the overall performance and reliability of SSH Tectia
  Server on Windows.

In 5.3.4:
---------

- Unix: Fixed an issue related to PAM authentication that occurred in 5.3.3.

- Windows: It is now possible to define and use SFTP shares via drive
  letters.
- Windows: Removed a false log message related to logging in with OpenSSH
  sftp to SSH Tectia Server running on Windows.

- Windows: Allowed commands containing spaces may now be defined without
  quotes in the SSH Tectia Server configuration GUI.

- Windows: Added a synchronization mechanism that allows only one file to be
  copied to the same destination file at a time. This prevents issues when
  copying files from Unix/Linux to Windows whose names are identical apart
  from case (for example File.txt, File.TXT, FiLE.txt, ...).

- Solaris: Fixed an issue related to LDAP operations.

- Windows: It is now possible to install SSH Tectia Server on non-system
  partition disks.

- HP-UX: Support for streaming has been enabled in SSH Tectia Server for
  HP-UX. It is expected to increase SFT performance on high-latency and
  high-bandwidth networks when transferring files to HP-UX.

In 5.3.3:
---------

- Linux: Optimized virtual memory utilization under heavy load.

- Windows 2003 Server: Shared folders are now accessible when using
  public-key authentication.

- Windows: Browsing of Trusted Domain accounts for selector configuration now
  works.

- HP-UX: Password expiration and changing now also work in trusted mode.

- Solaris: Password expiration now forces a password change also for SFTP
  connections.

- Windows: The Server now uses the correct domain for authenticating Trusted
  Domain users.

- Windows: Fixed a bug that could lead to failing connections under stress
  when using public-key authentication.

- Unix: Fixed a bug causing some shells (e.g. ksh) not to close all user
  processes properly.

- Windows: Using OpenSSH scp clients to download files from the Server with
  wildcards no longer results in an error.

In 5.3.2:
---------

- Unix: Fixed an interoperability issue with public-key authentication when
  using OpenSSH keys.
In 5.3.1:
---------

- Windows: Fixed a race condition in the Server that could lead to failing
  connections under stress when using public-key authentication.

- Windows: The GUI troubleshooting log now includes log entries on sshdap
  authentication.

- All platforms: The Server now always sends times in UTC in file
  attributes, preventing erroneous file access/modify/create times from
  being displayed.

- All platforms: It is now possible to disable sft-server-g3 auditing by
  setting "audit=no" in the subsystem configuration as follows:

- Windows: Fixed an issue causing sshdap.dll installation to fail on some
  hosts.

- Linux: SFTP connections using public-key authentication can now be enabled
  even when shell access is disabled. This is done by specifying the new
  configuration attribute "exec-directly" on the subsystem tag of the SFT
  subsystem as follows:

- Solaris: Fixed a problem where the last login time displayed during login
  was incorrect (one hour behind) on some Solaris hosts during DST.

- Windows: The Server configuration GUI now allows defining the
  authentication methods also when the action is to deny authentication.
  Denying authentication or connection now switches the configuration to
  advanced mode.

In 5.3.0:
---------

- Windows: Reduced the likelihood of an error that causes the Server to deny
  connection attempts with the error message "Account is locked or login
  administratively denied". The error now occurs only rarely under very heavy
  stress, and is due to the Windows Domain Controller's inability to handle
  large numbers of concurrent requests.


4. Known Issues
-----------------

The following issues are currently known to exist in SSH Tectia Server:

- RHEL 5: On Red Hat Enterprise Linux 5 hosts, the correct xauth path needs
  to be set for X11 forwarding to work.

- All platforms: Files larger than 4 GB cannot be transferred to or from SSH
  Tectia Server using the OpenSSH scp command. Workaround: transfer the files
  using scpg3 or sftpg3.
- HP-UX Itanium: FIPS mode is not supported.

- Windows: Globbing characters (*, ?) might not work with selectors when
  setting rules for certificate-based authentication.

- Windows: SSH Tectia Server does not support GW mode for connecting to other
  Secure Shell servers.

- All platforms: When copying a file to a destination already containing a
  file of the same name, the file transfer may fail with exit code
  '8: Undetermined error from sshfilexfer' if the source or destination file
  gets truncated (e.g. by another application) during checksum computation.

- All platforms: When the source or destination file is modified (e.g. by
  another application) during a file transfer, the resulting destination
  file contents depend on the environment and on the parameters of the file
  transfer (e.g. streaming mode, checksum mode, buffer size). A selected
  example: the file 'service.log' grows after the copy starts. The command

    > scpg3 service.log dst-server

  transfers the shorter (original-sized) version of the file, while the
  command

    > scpg3 --streaming=ext service.log dst-server

  transfers the elongated version, provided that both the client and the
  server support streaming. A Knowledge Base article outlining the result
  matrix for these parameters will be published in the SSH Knowledge Base.

- Linux: 64-bit packages cannot be deployed using SSH Tectia Manager 2.4.0 or
  earlier.

- AIX 5.3: A bug in AIX 5.3 may cause a servant process to hang. Upgrade to
  Maintenance Level 6 to resolve this issue.

- Unix: The 'finger' command does not show the idle time correctly when
  logged in using SFTP.

- Solaris 10: SSH Tectia Server and the FTP/SFTP conversion component of SSH
  Tectia Client with EFT Expansion Pack need to be uninstalled separately
  from each local zone if they were installed to all zones by installing
  into the global zone.

- Windows Server 2003: csrss.exe may leak memory when SSH Tectia Server is
  under heavy stress. Upgrade Windows Server 2003 to SP2 to fix this issue.
- All platforms: OpenSSH keys are not accepted as host keys when running the
  Server in FIPS mode.

- AIX: When trying to log in to an AIX server using an account whose password
  has expired, the Client returns the error message "Request exec channel
  error: Disconnected by application." The reason for the disconnection is,
  however, logged correctly in the Server's log.

- Windows: The Server shows an incorrect last login time.

- Unix: Safeword PAM authentication is not supported in this version.

- 64-bit Linux: FIPS mode is not supported with the native x86-64 Linux
  packages.

- Windows: The Server reports a "Wrong password" message to the event log
  even though the correct password was given, if the account has expired.

- Windows: Users without administrator rights cannot use file transfer with
  the default Windows 2003 ACL settings. Enabling file transfer access
  requires ACL changes. See the Server Administrator Manual, Chapter 5.9.1.2
  for more information.

- All platforms: Certificate validation path construction from LDAP fails if
  the LDAP server requires the ";binary" suffix for the PKI binary blob
  attribute names.

- Linux: If a user account has expired, the Server incorrectly asks the user
  to change the password and then denies login.

- Windows: When running a remote command against a Windows server, the
  outputs from standard output and standard error might overlap.

- Windows: If a non-admin user tries to start the Server, the Server reports
  the error message "Failed to access service manager".

- Windows: Well-known security principals ('Everyone' and 'Authenticated
  Users', for instance) are not shown in the Server configuration GUI's
  directory object picker when browsing groups for a selector.

- Solaris 9: A servant might fail when transferring files if the Server host
  is not at the latest patch level. The recommended patch level is the Patch
  Cluster dated Jun/05/06 or newer.
- Unix: Currently it is not possible to allow X11 forwarding when terminal
  connections are denied.

- Solaris: The LOCK_AFTER_RETRIES=YES option in the file
  /etc/security/policy.conf is not supported.

- Windows: Currently, ssh-server-config-tool cannot be run over a remote
  desktop connection.

- Windows: Installing PGP Desktop 9.5.2 and SSH Tectia Server on the same
  Windows machine will cause the one installed earlier to stop working.

- All platforms: Transfers of files larger than 4 KB using Net::SFTP and
  Net::SSH::Perl fail against SSH Tectia Server.

- HP-UX: Shadow passwords are not supported on HP-UX platforms when using the
  password authentication method. Shadow passwords can be used on HP-UX only
  with keyboard-interactive PAM authentication, with the appropriate PAM
  configuration.

- Windows: The Server reports a "Wrong password" message to the event log
  even though the correct password was given, if the account is locked.

- Windows: Currently it is not possible to see and select Active Directory
  universal groups in the User Group Selector dialog of the configuration
  tool GUI. However, universal groups can be used as selectors if they are
  entered manually in the user group selector name field.

- All platforms: It is possible to generate RSA/DSA keys of any length in
  FIPS mode, although the SSH Tectia Client/Server software will only accept
  keys compliant with FIPS.

- AIX: The Server hangs after a few authentication tries when the following
  value is set in the /etc/security/user file:

    SYSTEM='KRB5Files or compat'

  The Server does not hang when the value is set to:

    SYSTEM='compat'

- All platforms: SSH Tectia Server accepts both RSA and DSA host keys even in
  FIPS mode.

- Windows: OpenSSH host keys are not accepted for use by the Server if it is
  in FIPS mode.
  As a workaround you can convert the OpenSSH key to SSH Tectia format using
  the command:

    ssh-keygen-g3 --import-private-key

- Windows: Using rsync with Cygwin OpenSSH against SSH Tectia Server fails
  when using public-key authentication.

- All platforms: If the server configuration has one or more selectors in
  the block listing specific ciphers, and the client does not match the
  selector, the client is still allowed the default ciphers. This is because
  there is no implicit deny rule in the block (the behavior differs from the
  block).

- Unix: On some server hosts, shutting down the server process may leave
  servant processes hanging; they then need to be shut down separately.

- All platforms: The Crypticore cipher and/or MAC remain available in FIPS
  mode.

- Windows: Using a 4.4.0 ssh2 command-line client on Windows, the command
  line gets garbled when connecting to 5.x Servers on Windows. When typing,
  the characters are displayed to the left of the prompt. This does not
  happen when using a 5.x command-line client.

- All platforms: Port forwarding from PuTTY versions 0.58 and earlier to SSH
  Tectia Server 5.x does not work, as PuTTY violates the IETF draft on the
  ssh2 protocol. This has been fixed in PuTTY version 0.59.

- Windows: SSH Tectia Server cannot be installed on file systems that do not
  support permissions (e.g. FAT, FAT32).

- HP-UX 11.11: Attempting GSSAPI authentication can cause the
  auths-gssapi-userproc-krb process to consume CPU and not exit after the
  client disconnects. GSSAPI authentication is enabled if no configuration
  file is found or if it is specifically enabled in the server
  configuration. The HP-UX patch PHSS_35381 fixes this issue. If installing
  the patch is not an option, GSSAPI needs to be disabled in the server
  configuration.

- Unix: Canceling user authentication when the Server has been configured
  with the keyboard-interactive authentication method causes authentication
  to fail with "Server responded 'Unexpected response packet'".
- Unix: The startup script does not report an error upon failure (e.g. no
  license or port already taken). However, an error is entered into the
  syslog.

- All platforms: After changing the password on a Secure Shell server, but
  before logging in with the new password, the Connection Broker must be
  restarted in order to close the previous connection, or the user must wait
  for the connection to time out (by default 5 seconds). If this is not done,
  login with the new password will not succeed.


5. Further Information
----------------------

More information can be found in the man pages and in the SSH Tectia
manuals, which are also available at http://www.ssh.com/support/.

Additional licenses can be purchased from our online store at
http://www.ssh.com/buy/online/.

For additional Expansion Pack licenses, please contact your local SSH office
or a Partner for Enterprise Sales: http://www.ssh.com/buy/contact/.
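The two Known Issues above about files modified during a transfer (the 'service.log' example and the exit code 8 checksum failure) come down to one question: does the copy fix the byte count when it starts, or read to end-of-file? The simulation below is an added example written for these notes; it is not scpg3 or sft-server-g3 code. The in-memory file, the chunk size, the "concurrent writer" callback and the sample log lines are all constructed for the illustration.

```python
import hashlib

# Added simulation, not SSH Tectia code: two copy strategies run against an
# in-memory file that another "application" modifies after the first chunk
# has been read. All data below is constructed for the example.


class GrowingFile:
    """Minimal in-memory file that can be appended to or truncated while a
    copy is in progress (stand-in for the source file on the server)."""

    def __init__(self, data):
        self.data = bytearray(data)

    def size(self):
        return len(self.data)

    def read(self, offset, n):
        return bytes(self.data[offset:offset + n])

    def append(self, more):
        self.data += more

    def truncate(self, length):
        del self.data[length:]


def copy_fixed_size(src, chunk, after_first_chunk):
    """Non-streaming style: the length is fixed when the copy starts and at
    most that many bytes are copied, so bytes appended later are never seen.
    If the source shrinks, the reads come back short and the copy is shorter
    than the announced size."""
    total = src.size()
    out = bytearray()
    offset = 0
    first = True
    while offset < total:
        out += src.read(offset, min(chunk, total - offset))
        offset += chunk
        if first:                 # the concurrent writer acts once, here
            after_first_chunk(src)
            first = False
    return bytes(out)


def copy_streaming(src, chunk, after_first_chunk):
    """Streaming style: read until EOF, so data appended during the copy is
    included and the destination ends up longer than the source was."""
    out = bytearray()
    offset = 0
    first = True
    while True:
        piece = src.read(offset, chunk)
        if not piece:
            break
        out += piece
        offset += len(piece)
        if first:                 # the concurrent writer acts once, here
            after_first_chunk(src)
            first = False
    return bytes(out)


def checksum_matches(expected_digest, data):
    """Post-copy verification as a checksum-mode transfer would do it: the
    digest taken from the source at start must equal the digest of what was
    written. A source truncated mid-copy fails this check."""
    return hashlib.sha256(data).hexdigest() == expected_digest


# Constructed sample log: eight 11-byte lines, 88 bytes in total.
ORIGINAL = b"".join(b"log line %d\n" % i for i in range(8))
EXTRA = b"log line appended during the copy\n"


def demo(chunk=16):
    """Run the three scenarios from the release notes and report the outcome."""
    results = {}
    grown = copy_fixed_size(GrowingFile(ORIGINAL), chunk, lambda f: f.append(EXTRA))
    results["fixed_size_copies_original_only"] = grown == ORIGINAL
    streamed = copy_streaming(GrowingFile(ORIGINAL), chunk, lambda f: f.append(EXTRA))
    results["streaming_copies_elongated_file"] = streamed == ORIGINAL + EXTRA
    expected = hashlib.sha256(ORIGINAL).hexdigest()
    truncated = copy_fixed_size(GrowingFile(ORIGINAL), chunk, lambda f: f.truncate(20))
    results["truncated_source_passes_checksum"] = checksum_matches(expected, truncated)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The practical takeaway is the one the notes hint at: if a file can legitimately be written while it is being fetched, either quiesce the writer (rotate the log first) or pick the streaming mode deliberately and verify the result on the receiving side, rather than relying on whichever copy the defaults happen to produce.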
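The Known Issue above about cipher selectors is a classic fail-open policy: a client that matches no selector is not refused, it silently falls through to the server defaults. The evaluator below is an added example written for these notes, not SSH Tectia's own configuration engine; the selector keys ("ip" as a CIDR network, "user" as an exact match), the cipher names and the default cipher list are assumptions chosen for the illustration. It shows the first-match evaluation with and without an implicit deny, and the usual hardening for the fail-open case: a trailing catch-all selector so that nothing reaches the defaults.

```python
import ipaddress

# Added illustration, not SSH Tectia code: a first-match policy evaluator
# showing why a rule set without an implicit deny fails open. Selector keys,
# cipher names and the default list are assumptions for the example.

ASSUMED_DEFAULT_CIPHERS = ["aes256-cbc", "aes128-cbc", "3des-cbc"]
RESTRICTED_CIPHERS = ["aes256-cbc"]


def selector_matches(selector, client):
    """True if every attribute in the selector matches the client.

    "ip" is compared as an address inside a CIDR network; any other key is
    an exact string match. An empty selector matches every client, which is
    what makes it usable as a catch-all rule below."""
    for key, wanted in selector.items():
        if key == "ip":
            if ipaddress.ip_address(client["ip"]) not in ipaddress.ip_network(wanted):
                return False
        elif client.get(key) != wanted:
            return False
    return True


def evaluate(rules, client, default, implicit_deny):
    """First matching rule wins and yields its cipher list.

    rules: list of (selector_dict, cipher_list) in configuration order.
    With implicit_deny=False a client matching no selector falls through to
    `default` (the fail-open behaviour described in the known issue); with
    implicit_deny=True it gets None, i.e. the connection is refused."""
    for selector, ciphers in rules:
        if selector_matches(selector, client):
            return list(ciphers)
    return None if implicit_deny else list(default)


def with_catch_all(rules, ciphers):
    """Hardening for the fail-open case: append an empty selector so that no
    client reaches the defaults; everything not matched earlier gets `ciphers`."""
    return list(rules) + [({}, list(ciphers))]


# Constructed configuration and clients for the demonstration.
RULES = [({"ip": "10.0.0.0/24"}, RESTRICTED_CIPHERS)]
INSIDE = {"ip": "10.0.0.17", "user": "alice"}
OUTSIDE = {"ip": "192.0.2.44", "user": "mallory"}

if __name__ == "__main__":
    # Matching client: restricted list, as intended.
    print(evaluate(RULES, INSIDE, ASSUMED_DEFAULT_CIPHERS, implicit_deny=False))
    # Non-matching client, no implicit deny: full default list (fail open).
    print(evaluate(RULES, OUTSIDE, ASSUMED_DEFAULT_CIPHERS, implicit_deny=False))
    # Non-matching client, implicit deny: refused (fail closed).
    print(evaluate(RULES, OUTSIDE, ASSUMED_DEFAULT_CIPHERS, implicit_deny=True))
    # Fail-open block hardened with an explicit catch-all rule.
    hardened = with_catch_all(RULES, RESTRICTED_CIPHERS)
    print(evaluate(hardened, OUTSIDE, ASSUMED_DEFAULT_CIPHERS, implicit_deny=False))
```

When auditing a configuration of this shape, the check to make is simply whether the last rule in any block without an implicit deny has an empty (match-all) selector; if it does not, the defaults are the effective policy for every client the earlier selectors did not anticipate.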