Release Notes for SSH Tectia Server 6.0.3
-----------------------------------------
11 August 2008
(C) 2008 SSH Communications Security Corp.
This software is protected by international copyright laws.
All Rights Reserved.
Table of Contents
1. About This Release
2. New Features
3. Bug Fixes
4. Known Issues
5. Further Information
1. About This Release
----------------------
The SSH Tectia client/server solution 6.0 is an end-to-end
communications security solution for multi-platform environments.
It is based on the Secure Shell technology from the original developers.
The SSH Tectia client/server solution consists of four base products:
* SSH Tectia Client
* SSH Tectia ConnectSecure
* SSH Tectia Server
* SSH Tectia Server for IBM z/OS
SSH Tectia Client provides a conventional and powerful secure terminal
and secure file transfer client to be used in conjunction with SSH Tectia
Server or other Secure Shell servers to enable secure connectivity and
file transfers in heterogeneous enterprise environments.
SSH Tectia ConnectSecure provides additional powerful features to
transparently secure FTP file transfers and server connectivity.
SSH Tectia ConnectSecure is designed especially for server-to-server
file transfer security and it introduces new features enabling enhanced,
high-performance file transfers in conjunction with SSH Tectia Servers,
third-party or OpenSSH servers in heterogeneous enterprise environments.
SSH Tectia ConnectSecure replaces the EFT expansion packs for SSH Tectia
Client and Server that were available in SSH Tectia version 5.x.
SSH Tectia Server provides secure terminal, secure file transfer, and
tunneling server functionality for system administrators and other users
of SSH Tectia Client and ConnectSecure.
We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x
products, before installing SSH Tectia Server 6.0.
SSH Tectia Client/Server/ConnectSecure 6.0.3 is a Windows-only release.
2. New Features
-----------------
The following list includes the new features implemented in SSH Tectia
Server.
New features in 6.0.2:
----------------------
- Windows: Introduced support for a shorthand syntax for connecting to a
server with local accounts in a Windows domain. The syntax allows you to
specify a local account by prefixing it with a back or forward slash
without the need to specify the machine name before the slash.
For example, connecting to a server named "myserverwithaverylongname"
using: \user@myserverwithaverylongname would be equivalent to:
myserverwithaverylongname\user@myserverwithaverylongname and means that
"user" is a local account on the server.
- New platform support: Added support for VMware ESX Server 3.5.
- All platforms: Introduced support for using configurable globbing
patterns (e.g. [A-Z]) in selectors.
- Windows: Added support for allowing connections for users without the
"Logon locally" access right.
- Unix: Added paths to default locations of PAM libraries on all platforms
supporting PAM.
- Windows: Added a configuration option for handling accounts without
prefixes.
- Unix: Added a configuration option for setting the default path.
- Unix: Optimized NIS+ lookups to minimize lookups in slow environments.
- All platforms: Public-key forced command handling has been enhanced so
that it enables the use of secure file transfer in setups where the
defined public-key forced command effectively allows executing the
sftp-subsystem.
- Unix: Re-introduced the following 4.x configuration options:
AlwaysUsePAMSessionLogging
AlwaysUsePAMAccountManagement
ForcedPAMAccountManagementPasswordChange
- Unix: User login permissions are now rechecked after the
keyboard-interactive PAM authentication phase to comply with
possible changes made by PAM.
- Unix: Added configuration option 'ignore-nisplus-no-permission'. It
specifies whether the server should ignore a failure to obtain the user's
shadow information when using NIS+ and the effective uid root receives
*NP*, indicating no permission to read the password information. If this
option is enabled, means other than *LK* in the passwd field of
NIS+ passwd.org_dir must be used to lock a NIS+ account.
- Unix: NIS+ support added for all Unix platforms.
- All platforms: Added public key authentication log message that has both
user and host information in one entry.
- All platforms: Agent forwarding compatibility has been implemented
between SSH Tectia Client and OpenSSH (where the Connection Broker of SSH
Tectia Client serves as the authentication agent for subsequent
connections by the OpenSSH client). All SSH Tectia products involved need
to be at version 6.0.2 for this to work.
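The local-account shorthand described in the first item above (a leading back or forward slash standing for "this server's own machine name"), as an added illustration that is not SSH Tectia's own code: a small Python parser that expands `\user@host` or `/user@host` into the explicit `host\user@host` form, passes an already qualified `DOMAIN\user@host` through, and leaves a bare `user@host` unqualified. The function names, the AccountSpec type and the sample inputs are constructed for this example.

```python
from typing import NamedTuple, Optional


class AccountSpec(NamedTuple):
    """Parsed form of a user@host specification (type constructed for this example)."""
    domain: str               # machine or domain name owning the account ("" if unqualified)
    user: str                 # account name with any prefix removed
    host: str                 # server named after the '@'
    is_local: Optional[bool]  # True: local to the server; False: domain account;
                              # None: unqualified, so it depends on server configuration


def expand_account_spec(spec: str) -> AccountSpec:
    """Expand the shorthand '\\user@host' or '/user@host' into its explicit form.

    A leading backslash or forward slash with nothing before it marks a local
    account on the server named after the '@', so the machine name is filled
    in from the host part. A specification already carrying 'DOMAIN\\user'
    is returned as given. A bare 'user' is left unqualified, since how the
    server treats accounts without a prefix is a separate configuration option.
    """
    user_part, sep, host = spec.rpartition("@")
    if not sep or not host or not user_part:
        raise ValueError("expected user@host, got %r" % (spec,))

    if user_part[0] in ("\\", "/"):
        user = user_part[1:]
        if not user or "\\" in user or "/" in user:
            raise ValueError("malformed local-account shorthand %r" % (spec,))
        return AccountSpec(domain=host, user=user, host=host, is_local=True)

    if "\\" in user_part:
        domain, user = user_part.split("\\", 1)
        if not domain or not user:
            raise ValueError("malformed qualified account %r" % (spec,))
        # The explicit 'host\user@host' form names a local account as well.
        return AccountSpec(domain=domain, user=user, host=host,
                           is_local=(domain.lower() == host.lower()))

    return AccountSpec(domain="", user=user_part, host=host, is_local=None)


def canonical_form(spec: str) -> str:
    """Return the explicit 'domain\\user@host' string that a specification stands for."""
    acct = expand_account_spec(spec)
    prefix = acct.domain + "\\" if acct.domain else ""
    return prefix + acct.user + "@" + acct.host


if __name__ == "__main__":
    # Constructed sample inputs, including the one from the release note.
    for sample in (r"\user@myserverwithaverylongname",
                   "/user@myserverwithaverylongname",
                   r"CORP\alice@fileserver",
                   "bob@fileserver"):
        print("%-36s -> %s" % (sample, canonical_form(sample)))
        print("    %r" % (expand_account_spec(sample),))
```

When reviewing logs or writing selectors, compare against the expanded form rather than the raw string the client typed: a local account and a domain account can share the same bare name, and only the domain part tells them apart. The unqualified case is deliberately reported as "unknown" here because its meaning is decided by the server-side option for accounts without prefixes.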
New features in 6.0.0:
----------------------
- New platform support:
o HP-UX 11i v3 (PA-RISC, IA64)
o SUSE Linux Enterprise Server 10 (x86, x86-64)
o SUSE Linux Enterprise Desktop 10 (x86, x86-64)
o Red Hat Enterprise Linux 5.1 (x86, x86-64)
- Windows: SSH Tectia Server 6.0 Windows configuration GUI now shows
the server's host-key fingerprints.
- Windows: SSH Tectia Server 6.0 Windows configuration GUI enables
sorting of virtual folders.
3. Bug Fixes
--------------
Bug Fixes in 6.0.3:
--------------------
- Windows: When exiting the shell in an interactive session, the connection
is now closed after the initial shell exits and its output has been sent
upstream.
Bug Fixes in 6.0.2:
--------------------
- Unix: Newlines in the /etc/environment file are now handled properly.
- Linux: Server config setting 'xauth-path' can now take a comma-separated
list of possible xauth binary locations.
- All platforms: Fixed a bug causing stability issues during certificate
validation.
- Solaris: ssh-user-fileio now gets run as the user who logs in instead of
as root.
- All platforms: CRL download now works also for certificates in which the
CRL Distribution Point URL contains %20 signs.
- All platforms: Enabled the LDAP idle timeouts so that LDAP connections do
not stay open forever.
- All platforms: Server no longer generates unnecessary error messages
when an sftpg3 or scpg3 client checks if the server supports extended
streaming.
- Linux: Fixed uninstall script so that all symlinks are now removed.
- All platforms: OpenSSH 'sftp' no longer hangs when transferring files to
SSH Tectia Server 6.0.
- Windows: Fixed an issue that prevented retrieving of nested user groups
in some cases.
- Unix: When using sftpg3 against the server, the server reports a
misleading "Error: No suitable license found". This message can be safely
ignored.
- Windows 2000: Fixed a problem where getting local group information when
using group selectors would fail on Windows 2000 hosts in a Windows 2000
domain controller environment. This would cause the authentication to
fail. Now the group information is obtained correctly.
- Unix: Running remote commands from the user's home directory (for
example, "sshg3 server ./command.sh") now works. SSH Tectia Server
executes user processes in the user's home directory if it is available;
otherwise the process is executed in the root directory.
- Windows: Administrator selector now works also for trusted domain users
in a nested group.
- Unix: The servant no longer exits when using SafeWord with PAM
authentication.
- Solaris: The LOCK_AFTER_RETRIES=YES option in file
/etc/security/policy.conf is only supported through the
Keyboard-Interactive PAM submethod.
Bug Fixes in 6.0.1:
-------------------
- All platforms: OpenSSH 'sftp' no longer hangs when transferring files to
SSH Tectia Server 6.0.
Bug Fixes in 6.0.0:
-------------------
- Windows: Fixed a problem where the server would fail to authenticate
users when using a group selector if there were groups in the system that
were not mapped, such as when the SID for the group is still present on
the system but is no longer mapped to a group name.
- Windows: Fixed a problem where the server would fail to authenticate a
domain user and cause a reboot of the system if the user belonged to
groups which have unicode characters in their name.
- All platforms: The servant process no longer leaks, as it did previously,
when capture.dll is installed on the machine.
- HP-UX: PAM Kerberos authentication now works. HP-UX requires Kerberos
Client Version D.1.6.2 to use the pam_krb5 PAM module.
- HP-UX: Fixed an issue that prevented updates to /etc/utmp. Now user logon
status is shown correctly.
- All platforms: ssh-servant-g3 leaked memory when receiving connections
with compression enabled. This is now fixed.
- Solaris: SSH Tectia Client / Server / ConnectSecure installation packages
now detect the underlying Solaris architecture and prevent installation
of the x86 packages on the x86-64 architecture.
- Unix/Linux: Audit message fix, "Sft_server_upload_end" will now be logged
when finishing uploading a file if the file had been opened "for read".
"Sft_server_close_file" will be logged when closing the file after having
been transferred.
- All platforms: Some third-party SFTP clients do not properly handle
messages sent to stderr. We believe this is a bug on their side, as the
latest draft specifies such messages. As a workaround, they can use our
server without debug messages.
- Windows: Now the default SFT folders include all folders and not just
the fixed drives. Virtual folders using mapped drive letters will also
show in the list.
- Windows: When the host is attached to a domain and the domain controller
is not reachable, SSH Tectia Server now reports that the Domain Controller
is not reachable instead of reporting that the "User Does Not Exist".
The information is also logged correctly into the Event Viewer.
- Windows: The virtual folder now works properly if the parent folder does
not have "List Folder Contents" permissions allowed. For instance, if you
have the following configuration: .
The SFTP transfers now work without list rights to the parent
folder. And with the command line client (sshg3), the user is now able to
cd to the virtual directory.
- Windows: It is now possible to browse trusted domains (users/groups) from
SSH Tectia Server configuration GUI for setting up Selector parameters.
- HP-UX Itanium: FIPS mode is now supported.
- All platforms: Fixed a variety of problems that could result in hangs or
disconnections when using FTP Tunneling.
- AIX: Connections can hang on AIX 5.3 due to an AIX issue. Upgrade to
maintenance level 6 to resolve the problem.
- Windows: ssh-server-g3 service now starts successfully regardless of
the environment variables settings.
4. Known Issues
-----------------
The following issues are currently known to exist in SSH Tectia Server:
- Unix: Connections from Tumbleweed SFTP clients are not closed properly.
- Windows: Disabling the SFTP user home directory is not working properly
when you navigate to another page and come back.
- HP-UX: PAM authentication is not supported in trusted mode.
- Solaris: RBAC privileges do not get set when logging in through SSH
Tectia Server and using PAM authentication.
- RHEL 64-bit: RHEL 3 64-bit is not supported.
- HP-UX Itanium: FIPS mode is not supported.
- Windows: On Windows, SSH Tectia Server does not support GW mode for
connecting to other Secure Shell servers.
- All platforms: Files larger than 4 GB cannot be transferred to or from SSH
Tectia Server when using the OpenSSH scp command. Workaround: the files can
be transferred using scpg3 or sftpg3.
- Solaris x86-64: RSA SecurID cannot be used with SSH Tectia Server on
Solaris x86-64, because RSA SecurID offers only a 32-bit PAM library. SSH
Tectia Server expects a 64-bit pam_securid.so.
- Solaris: Installation packages do not detect the underlying Solaris
architecture to prevent installation of the x86-64 packages on x86
architecture. The packages can be installed but they will not work.
- Windows: SFTP chmod command is not supported against SSH Tectia Server
running on Windows.
- Windows: Mapped drives are not accessible when using SFTP.
- All platforms: The re-key operations fail on SSH Tectia Client, Server
and ConnectSecure.
- Unix: xauth is not working correctly. When users use su to switch from
one account to another in order to open an X11 application, they need to
copy over the user's Xauthority information.
- Solaris 10: SSH Tectia Server and the FTP-SFTP conversion component of
SSH Tectia ConnectSecure need to be uninstalled separately from each local
zone, if they got installed to all zones by installing into the global
zone.
- All platforms: OpenSSH keys are not accepted as host keys, when running
the server in FIPS mode.
- AIX: When trying to log in to an AIX server using an account which has an
expired password, the client returns the following error message:
"Request exec channel error: Disconnected by application." The reason
for the disconnection is, however, logged correctly in the server's log.
- Unix: When using sftpg3 against the server, the server reports a
misleading "Error: No suitable license found". This message can be safely
ignored.
- Windows: SSH Tectia Server displays the previous login time incorrectly
if the time received from the domain controller differs from the server's
time.
- 64-bit Linux: FIPS mode is not supported by the native 64-bit Linux
packages.
- Windows: The Server reports a "Wrong password" message to the event log
even though the correct password is given, but the account has expired.
- Windows: Users without administrator rights cannot use file transfer
with the default Windows 2003 ACL settings.
- All platforms: Certificate validation path construction from LDAP fails,
if the LDAP server requires suffix ';binary' for the PKI binary blob
attribute names.
- Linux: If a user account has expired, the Server incorrectly asks the
user to change the password and then denies login.
- Solaris: Quality checks for password changes (e.g. password length,
characters etc.) enforced by PAM will only be enforced when using PAM
authentication. When changing passwords via forced commands (i.e. when
using authentication methods other than keyboard-interactive PAM), the SSH
Tectia Server will not enforce PAM-related password quality checks.
- Windows: When running a remote command against a Windows server, the
output from standard out and standard error might overlap.
- Windows: If a non-admin user tries to start the server, the server
reports error message "Failed to access service manager".
- Windows: All well-known security identifiers ('Everyone' and
'Authenticated Users', for instance) are not shown in the SSH Tectia
Server Configuration GUI's directory object picker when browsing groups
for a selector.
- Unix: Currently it is not possible to allow X11 forwarding when terminal
connections are denied.
- Windows: Currently, ssh-server-config-tool cannot be run over Remote
Desktop connection.
- Windows: Installing PGP Desktop 9.5.2 and SSH Tectia Server on the same
Windows machine will cause the one installed earlier not to work.
- All platforms: File transfers of files larger than 4 KB using Net::SFTP
and Net::SSH::Perl fail against SSH Tectia Server.
- HP-UX: Shadow passwords are not supported on HP-UX when using the
password authentication method. Shadow passwords can be used on HP-UX only
with keyboard-interactive PAM authentication, with the appropriate PAM
configuration.
- Windows: The Server reports "Wrong password" message to the event log
even though the correct password is given, if the account is locked.
- Windows: Currently it is not possible to see and select Active Directory
universal groups in the User Group Selector dialog of the configuration
tool GUI. However, universal groups can be used as selectors if those are
entered manually to the user group selector name field.
- All platforms: It is possible to generate all lengths of RSA/DSA keys in
FIPS mode, although the SSH Tectia Client/Server software will only accept
keys compliant with FIPS.
- AIX: The Server hangs after a few authentication tries when the following
value is set in the /etc/security/user file:
SYSTEM='KRB5Files or compat'
The Server does not hang when the value is set to: SYSTEM='compat'
- All platforms: SSH Tectia Server accepts both RSA and DSA host keys
even in FIPS mode.
- Windows: OpenSSH host keys are not accepted for use by the Server if it
is in FIPS mode.
Workaround: Convert the OpenSSH key to SSH Tectia format using command:
ssh-keygen-g3 --import-private-key
- Windows: Using rsync with Cygwin OpenSSH against SSH Tectia Server fails
when using public-key authentication.
- All platforms: If the server configuration has one or more selectors in
the block listing specific ciphers, and the client does not
match the selector, it is still allowed to use the default ciphers. This is
because there is no implicit deny rule in the block (the
behavior is different from the block).
- Unix: On some server hosts, shutting down the server process may leave
servant processes hanging, and they need to be shut down separately.
- Windows: Using a 4.4.0 ssh2 command-line client on Windows, the command
line gets garbled when connecting to Windows 5.x servers. When typing, the
characters are displayed to the left from the prompt. This does not happen
when using a 5.x command-line client.
- HP-UX 11.11: Attempting GSSAPI authentication can cause the
auths-gssapi-userproc-krb process to consume CPU and not exit after the
client disconnects. The GSSAPI authentication will be enabled if no
configuration file is found or if specifically enabled in the server
configuration. The HP-UX patch PHSS_35381 fixes this issue. GSSAPI needs to
be disabled in the server configuration, if installing the patch is not an
option.
- Unix: Canceling user authentication when the Server has been configured
with keyboard-interactive authentication method, causes authentication to
fail with "Server responded 'Unexpected response packet'".
- Unix: The startup script does not report an error upon failure (e.g. no
license or port already taken). However, an error is entered into the
syslog.
- All platforms: After changing the password on a Secure Shell server, but
before logging in with the new password, the Connection Broker must be
restarted to close the previous connection, or the user must wait for the
connection to time out (by default 5 seconds). If this is not done, login
with the new password will not succeed.
5. Further Information
----------------------
More information can be found in the man pages and in the SSH
Tectia manuals, which are also available at http://www.ssh.com/support/.
Additional licenses can be purchased from our online store at
http://www.ssh.com/buy/online/.