Release Notes for SSH Tectia Server 6.0.1
-----------------------------------------
1 April 2008
(C) 2008 SSH Communications Security Corp.
This software is protected by international copyright laws.
All Rights Reserved.
Table of Contents
1. About This Release
2. New Features
3. Bug Fixes and Minor Features
4. Known Issues
5. Further Information
1. About This Release
----------------------
The SSH Tectia client/server solution 6.0 is an end-to-end
communications security solution for multi-platform environments.
It is based on the Secure Shell technology from the original developers.
The SSH Tectia client/server solution consists of four base products:
* SSH Tectia Client
* SSH Tectia ConnectSecure
* SSH Tectia Server
* SSH Tectia Server for IBM z/OS
SSH Tectia Client provides a conventional and powerful secure terminal
and secure file transfer client to be used in conjunction with SSH Tectia
Server or other Secure Shell servers to enable secure connectivity and
file transfers in heterogeneous enterprise environments.
SSH Tectia ConnectSecure provides additional powerful features to
transparently secure FTP file transfers and server connectivity.
SSH Tectia ConnectSecure is designed especially for server-to-server
file transfer security and it introduces new features enabling enhanced,
high-performance file transfers in conjunction with SSH Tectia Servers,
third-party or OpenSSH servers in heterogeneous enterprise environments.
SSH Tectia ConnectSecure replaces the EFT expansion packs for SSH Tectia
Client and Server that were available in SSH Tectia version 5.x.
SSH Tectia Server provides secure terminal, secure file transfer, and
tunneling server functionality for system administrators and other users
of SSH Tectia Client and ConnectSecure.
We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x
products, before installing SSH Tectia Server 6.0.
2. New Features
-----------------
The following list includes the new features implemented in SSH Tectia
Server.
In 6.0.0:
---------
- New platform support:
o HP-UX 11i v3 (PA-RISC, IA64)
o SUSE Linux Enterprise Server 10 (x86, x86-64)
o SUSE Linux Enterprise Desktop 10 (x86, x86-64)
o Red Hat Enterprise Linux 5.1 (x86, x86-64)
- Windows: SSH Tectia Server 6.0 Windows configuration GUI now shows
the server's host-key fingerprints.
- Windows: SSH Tectia Server 6.0 Windows configuration GUI enables
sorting of virtual folders.
3. Bug Fixes and Minor Features
---------------------------------
In 6.0.1:
---------
- All platforms: OpenSSH 'sftp' no longer hangs when transferring files to
SSH Tectia Server 6.0.
In 6.0.0:
---------
- Windows: Fixed a problem where the server would fail to authenticate
users when using a group selector if there were groups in the system that
were not mapped, such as when the SID for the group is still present on
the system but is no longer mapped to a group name.
- Windows: Fixed a problem where the server would fail to authenticate a
domain user and cause a reboot of the system if the user belonged to
groups which have unicode characters in their name.
- All platforms: The servant process no longer leaks, as it did before, when
capture.dll is installed on the machine.
- HP-UX: PAM Kerberos authentication now works. HP-UX requires Kerberos
Client Version D.1.6.2 to use the pam_krb5 PAM module.
- HP-UX: Fixed an issue that prevented updates to /etc/utmp. Now user logon
status is shown correctly.
- All platforms: When connections with compression enabled were received,
ssh-servant-g3 leaked memory. This is now fixed.
- Solaris: SSH Tectia Client / Server / ConnectSecure installation packages
now detect the underlying Solaris architecture and prevent installation
of the x86 packages on the x86-64 architecture.
- Unix/Linux: Audit message fix, "Sft_server_upload_end" will now be logged
when finishing uploading a file if the file had been opened "for read".
"Sft_server_close_file" will be logged when closing the file after having
been transferred.
- All platforms: Some third-party SFTP clients do not properly handle
messages sent to stderr. We believe this is a bug in those clients, as the
latest draft specifies this behavior. As a workaround, such clients can use
our server with debug messages disabled.
- Windows: Now the default SFT folders include all folders and not just
the fixed drives. Virtual folders using mapped drive letters will also
show in the list.
- Windows: When the host is attached to a domain and the domain controller
is not reachable, SSH Tectia Server now reports that the Domain Controller
is not reachable instead of reporting "User Does Not Exist". The
information is also logged correctly into the Event Viewer.
- Windows: The virtual folder now works properly if the parent folder does
not have "List Folder Contents" permissions allowed. For instance, if you
have the following configuration: .
The SFTP transfers now work without list rights to the parent
folder. And with the command line client (sshg3), the user is now able to
cd to the virtual directory.
- Windows: It is now possible to browse trusted domains (users/groups) from
SSH Tectia Server configuration GUI for setting up Selector parameters.
- HP-UX Itanium: FIPS mode is now supported.
- All platforms: Fixed a variety of problems that could result in hangs or
disconnections when using FTP Tunneling.
- AIX: Connections can hang on AIX 5.3 due to an AIX issue. Upgrade to
maintenance level 6 to resolve the problem.
- Windows: The ssh-server-g3 service now starts successfully regardless of
the environment variable settings.
4. Known Issues
-----------------
The following issues are currently known to exist in SSH Tectia Server:
- All platforms: Files larger than 4 GB cannot be transferred to or from SSH
Tectia Server when using the OpenSSH 'scp' command.
Workaround: The files can be transferred using 'scpg3' or 'sftpg3'.
- RHEL 5: On Linux RH5 hosts, correct xauth path needs to be set for X11
forwarding to work.
- Solaris x86-64: RSA SecurID cannot be used with SSH Tectia Server on
Solaris x86-64, because RSA SecurID offers only a 32-bit PAM library.
SSH Tectia Server expects a 64-bit pam_securid.so.
- Windows: SFTP 'chmod' command against SSH Tectia Server running on
Windows is not supported.
- All platforms: The re-key operations fail on SSH Tectia Client, Server
and ConnectSecure.
- Unix: xauth is not working correctly. When users use su to change from
one account to another account, they need to copy over the user's
Xauthority information in order to open an X11 application.
- Solaris 10: SSH Tectia Server and the FTP-SFTP conversion component of
SSH Tectia ConnectSecure need to be uninstalled separately from each
local zone, if they were installed into all zones by installing into the
global zone.
- All platforms: OpenSSH keys are not accepted as host keys, when running
the server in FIPS mode.
- AIX: When trying to log in to an AIX server using an account which has an
expired password, the client returns the following error message: "Request
exec channel error: Disconnected by application." The reason for the
disconnection is, however, logged correctly in the server's log.
- Unix: When using 'sftpg3' against the Server, the server reports a
misleading "Error: No suitable license found". This message can be safely
ignored.
- Windows: The Server shows incorrect last login time.
- Unix: SafeWord PAM authentication is not supported in this version.
- 64-bit Linux: FIPS mode is not supported by the native 64-bit Linux
packages.
- Windows: The Server reports a "Wrong password" message to the event log
when the correct password is given but the account has expired.
- Windows: Users without administrator rights cannot use file transfer with
the default Windows 2003 ACL settings. Enabling file transfer access
requires ACL changes. See Server Administrator Manual, Chapter 5.9.1.2 for
more information.
- All platforms: Certificate validation path construction from LDAP fails,
if the LDAP server requires suffix ';binary' for the PKI binary blob
attribute names.
- Linux: If a user account has expired, the Server incorrectly asks the
user to change the password and then denies login.
- Windows: When running a remote command against a Windows server, the
output from standard out and standard error might overlap.
- Windows: If a non-admin user tries to start the server, the server
reports error message "Failed to access service manager".
- Windows: Well-known security principals ('Everyone' and
'Authenticated Users', for instance) are not shown in the Server
configuration GUI's directory object picker when browsing groups for a
selector.
- Unix: Currently it is not possible to allow X11 forwarding when terminal
connections are denied.
- Solaris: The LOCK_AFTER_RETRIES=YES option in file
/etc/security/policy.conf is supported through the Keyboard-Interactive
PAM submethod.
- Windows: Currently, ssh-server-config-tool cannot be run over Remote
Desktop connection.
- Windows: Installing PGP Desktop 9.5.2 and SSH Tectia Server on the same
Windows machine will cause the one installed earlier not to work.
- All platforms: File transfers of files larger than 4 KB using Net::SFTP and
Net::SSH::Perl fail against SSH Tectia Server.
- HP-UX: Shadow passwords are not supported on HP-UX when using the
password authentication method. Shadow passwords can be used on HP-UX only
with keyboard-interactive PAM authentication, with the appropriate PAM
configuration.
- Windows: The Server reports "Wrong password" message to the event log
even though the correct password is given, if the account is locked.
- Windows: Currently it is not possible to see and select Active Directory
universal groups in the User Group Selector dialog of the configuration
tool GUI. However, universal groups can be used as selectors if those are
entered manually to the user group selector name field.
- All platforms: It is possible to generate all lengths of RSA/DSA keys in
FIPS mode, although the SSH Tectia Client/Server software will only accept
keys compliant with FIPS.
- AIX: The Server hangs after a few authentication tries when the following
value is set in the /etc/security/user file: SYSTEM='KRB5Files or compat'
The Server does not hang when the value is set to: SYSTEM='compat'
- All platforms: SSH Tectia Server accepts both RSA and DSA host keys even
in FIPS mode.
- Windows: OpenSSH host keys are not accepted for use by the Server if it
is in FIPS mode. As a workaround you can convert the OpenSSH key to SSH
Tectia format using command: ssh-keygen-g3 --import-private-key
- Windows: Using rsync with Cygwin OpenSSH against SSH Tectia Server fails
when using public-key authentication.
- All platforms: If the server configuration has one or more selectors in
the block listing specific ciphers, and the client does not
match the selector, it is still allowed to use the default ciphers. This is
because there is no implicit deny rule in the block (the
behavior is different from the block).
- Unix: On some server hosts, shutting down the server process may leave
servant processes hanging, and they need to be shut down separately.
- Windows: Using a 4.4.0 ssh2 command-line client on Windows, the command
line gets garbled when connecting to Windows 5.x servers. When typing, the
characters are displayed to the left from the prompt. This does not happen
when using a 5.x command-line client.
- HP-UX 11.11: Attempting GSSAPI authentication can cause the
auths-gssapi-userproc-krb process to consume CPU and not exit after the
client disconnects. The GSSAPI authentication will be enabled if no
configuration file is found or if specifically enabled in the server
configuration. The HP-UX patch PHSS_35381 fixes this issue. GSSAPI needs
to be disabled in the server configuration, if installing the patch is not
an option.
- Unix: Canceling user authentication when the Server has been configured
with the keyboard-interactive authentication method causes authentication
to fail with "Server responded 'Unexpected response packet'".
- Unix: The startup script does not report an error upon failure (e.g. no
license or port already taken). However, an error is entered into the
syslog.
- All platforms: After changing the password on a Secure Shell server, but
before logging in with the new password, the Connection Broker must be
restarted to close the previous connection, or the user must wait for the
connection to time out (by default 5 seconds). If this is not done, login
with the new password will not succeed.
5. Further Information
----------------------
More information can be found in the man pages and in the SSH Tectia
manuals, which are also available at http://www.ssh.com/support/.
Additional licenses can be purchased from our online store at
http://www.ssh.com/buy/online/.