Release Notes for SSH Tectia Client/Server 4.4.11

24 April 2008

(C) 2008 SSH Communications Security Corp.
This software is protected by international copyright laws.
All Rights Reserved.

Table of Contents

1. About This Release
2. CD Contents
   2.1. SSH Tectia Server (A)
   2.2. SSH Tectia Server (T)
   2.3. SSH Tectia Client
3. Unix Client and Server
   3.1. Bug Fixes and Minor Features
   3.2. Known Issues

1. About This Release

Please note that this maintenance release (4.4.11) is only for the AIX
platform.

The SSH Tectia client/server solution 4.4 is an end-to-end communications
security solution for multi-platform environments. It is based on the
Secure Shell technology from the original developers.

The SSH Tectia client/server solution consists of three product modules:
SSH Tectia Server 4.4, SSH Tectia Client 4.4, and SSH Tectia Connector 4.4.
Furthermore, SSH Tectia Server 4.4 has been divided into two separate
product packages, SSH Tectia Server (A) 4.4 and SSH Tectia Server (T) 4.4.

SSH Tectia Server (A) 4.4 is designed for secure system administration,
enabling system administrators to remotely administer application servers
and other resources using a secure connection. With this system, IT
Security Administrators can manage dispersed resources without the fear
that the system administration infrastructure itself will become
compromised.

SSH Tectia Server (T) 4.4 allows large enterprises to begin securing their
corporate business applications using SSH Tectia with minimum desktop
software investments. SSH Tectia Server (T) combines the SSH Tectia
Server (A) functionality with transparent application tunneling through
SSH Tectia Connector, the client software that is completely transparent
to the user and enables secure application connectivity without any user
intervention.

Additional new features that have been incorporated in this version
include:

* Support for OpenSSH keys in both SSH Tectia Client and SSH Tectia Server.
* Support for OpenSSH scp for connecting to SSH Tectia Server running on
  Unix and Windows.
* Support for configuring custom locations for the authorized key file
  (server), identity key file (client), and user configuration directory
  (client).
* Support for the Sun Solaris 10 platform.
* Support for Windows Server 2003 Enterprise x64 Edition in 32-bit
  compatibility mode.
* Support for redirecting stdin, stdout and stderr of the command line
  client in order to link processes between Windows and Unix.
* System-wide configuration support in the Windows command-line client.

We recommend uninstalling any SSH Secure Shell products before installing
SSH Tectia Client or Server.

Note: SSH Tectia client/server supports SPARC V8 and later. The SPARC V7
CPU architecture is no longer supported since SSH Tectia client/server
release 4.3.4.

2. CD Contents

The XML files on the CD are package descriptions for the SSH Tectia
Manager product (available separately), used for centralized management
of SSH Tectia environments. Use the import tool:

  # ssh-mgmt-package-import /package-info-.xml

for importing all the supported binaries to the Management Server.
Package-specific files can be used for importing individual packages.
Only packages supported for centralized management have the
package-specific description file located in the installation directory.
Please refer to the SSH Tectia Manager Administrator's Guide for details
on importing installation packages to the Management Server.

2.1. SSH Tectia Server (A)

2.1.1. Binaries

The latest binaries are version 4.4.11.

install/aix/
    Installation packages for AIX (4.3 and 5.x). See README.AIX in this
    directory for more details.

2.1.2. Documentation

index.html
    The CD contents front page.
license.html, license.txt
    The license agreement in HTML and text formats.
releasenotes.txt
    This file.
doc/SSHTectiaClientServer_ProductDescription.pdf,
doc/SSHTectiaClientServer_ProductDescription_html/index.html
    Product Description for the SSH Tectia client/server solution in PDF
    and HTML formats.
doc/SSHTectiaServer_Unix_AdminGuide.pdf,
doc/SSHTectiaServer_Unix_AdminGuide_html/index.html
    Administrator's Guide for SSH Tectia Server (Unix) in PDF and HTML
    formats.
doc/SSHTectiaServer_Windows_AdminGuide.pdf,
doc/SSHTectiaServer_Windows_AdminGuide_html/index.html
    Administrator's Guide for SSH Tectia Server (Windows) in PDF and HTML
    formats.

2.2. SSH Tectia Server (T)

2.2.1. Binaries

The latest binaries are version 4.4.11.

install/aix/
    Installation packages for AIX (4.3 and 5.x). See README.AIX in this
    directory for more details.

2.2.2. Documentation

index.html
    The CD contents front page.
license.html, license.txt
    The license agreement in HTML and text formats.
releasenotes.txt
    This file.
doc/SSHTectiaClientServer_ProductDescription.pdf,
doc/SSHTectiaClientServer_ProductDescription_html/index.html
    Product Description for the SSH Tectia client/server solution in PDF
    and HTML formats.
doc/SSHTectiaServer_Unix_AdminGuide.pdf,
doc/SSHTectiaServer_Unix_AdminGuide_html/index.html
    Administrator's Guide for SSH Tectia Server (Unix) in PDF and HTML
    formats.
doc/SSHTectiaServer_Windows_AdminGuide.pdf,
doc/SSHTectiaServer_Windows_AdminGuide_html/index.html
    Administrator's Guide for SSH Tectia Server (Windows) in PDF and HTML
    formats.

2.3. SSH Tectia Client

2.3.1. Binaries

The latest binaries are version 4.4.11.

install/aix/
    Installation packages for AIX (4.3 and 5.x). See README.AIX in this
    directory for more details.

2.3.2. Documentation

index.html
    The CD contents front page.
license.html, license.txt
    The license agreement in HTML and text formats.
releasenotes.txt
    This file.
doc/SSHTectiaClientServer_ProductDescription.pdf,
doc/SSHTectiaClientServer_ProductDescription_html/index.html
    Product Description for the SSH Tectia client/server solution in PDF
    and HTML formats.
doc/SSHTectiaClient_UserManual.pdf,
doc/SSHTectiaClient_UserManual_html/index.html
    User Manual for SSH Tectia Client (Windows) in PDF and HTML formats.
doc/SSHTectiaServer_Unix_AdminGuide.pdf,
doc/SSHTectiaServer_Unix_AdminGuide_html/index.html
    Administrator's Guide for SSH Tectia Server (Unix) in PDF and HTML
    formats.

3. Unix Client and Server

3.1. Bug Fixes and Minor Features

In 4.4.11

o Using an external mapper for certificate authentication no longer
  crashes the ssh-certd process.

In 4.4.10

o Fixed an interoperability issue with public key authentication when
  using OpenSSH keys.

In 4.4.8

o The HP-UX server daemons and scripts now have "/" instead of "//" in
  front of them.
o The init.d/sshd script on HP-UX has been modified so that it executes
  the rc.config script (for example, it reads the /etc/rc.config.d/sshd2
  file, in which the PIDFILE, ARGS and START parameters can be defined
  according to man rc.config.d).
o The TRUNCATE incompatibility issue with some SFTP server implementations
  (e.g. Tumbleweed SFTP server) is now fixed.
o Adjusted Solaris password expiration.
o Improved locked password detection on some Linux variants.
o The inactivity field in /etc/shadow on Linux is now handled correctly.
o The password expiration message on HP-UX is now shown correctly.
o The -K command line option is now documented correctly.
o ssh-certd-listener is now automatically removed during ssh-certd start.
o scp2 now handles directories correctly when the -r option is not given.
o If the programs that use ssh2, scp2 or sftp2 do not have stdin, stdout
  or stderr, any attempt to read or write stdin, stdout or stderr is now
  redirected to /dev/null.
o ssh2 now has the TcpConnectionTimeout option to set the timeout for the
  initiated connection.
o The Server now has a configuration option for finger command
  compatibility.
o The last log information on Solaris, AIX and HP-UX is now displayed
  correctly when daylight saving time settings are in use.
In 4.4.7

o Fixed the RSA Signature Forgery Vulnerability in SSH Tectia Client,
  Connector, Server and Manager products. CERT reference number VU#845620.
o SSH Tectia Server now reports user login to the system also when no tty
  is allocated (e.g. scp/sftp-only users).
o An LDAP connection to port 65535 is no longer attempted if no port has
  been configured in the LDAP URL or CRL distribution point. The default
  port 389 is tried instead.
o ssh-certd no longer occasionally fails if it has several expired CRLs in
  its cert/CRL cache file and the auto-update mechanism is enabled.
o Documentation fixes: corrected information on the ssh2_config location
  for the GUI client and on removing the software on HP-UX.
o The CRL check no longer loops when an HTTP CRL distribution point is
  blocked by a firewall.
o The AIX Server can now be updated even if certd has not been stopped.

In 4.4.6

o Certificate handling no longer occasionally fails with certificates
  containing policy OIDs of certain formats.
o Fixed an issue which caused each public key to inherit all the options
  of the keys preceding it.
o Optimized NIS+ lookups for slow NIS+ environments. NIS+ group
  information is now requested only if one or more of the following
  options have been used in the server configuration:
    Allow/DenyGroups
    Allow/DenyTcpForwardingForGroups
    ChRootUsers
    ForwardACLs
    UserSpecificConfig
o Added support for multiple public key entries in the authorized_keys2
  file for hosts with multiple IP interfaces.
o Added a new optional argument to -f for the client:
    -f[o|p]  Fork into background after authentication. With the new
             optional 'p' argument, prints output from the remote side.
o /usr/sbin has been added to the default PATH set by SSH Tectia Server
  (if no PATH is set by the user).
  The full default PATH is now:
    /bin:/usr/bin:/usr/ucb:/usr/bin/X11:/usr/local/bin:/usr/sbin

In 4.4.4

o The Client can now connect from scheduled batch jobs without having a
  host key when 'StrictHostkeyChecking' is set to 'no'.
o The server host key permission check is now always performed even if
  StrictModes has been disabled.
o Compatibility with the AIX System Resource Controller (SRC) has been
  added.
o Support for ~ in file paths has been added.
o Permissions of /etc/ are now left in their correct state after
  installation on AIX.
o Public-key forced command handling has been changed so that when scp2
  or sftp2 requests the sftp subsystem, the environment variable
  $SSH2_ORIGINAL_COMMAND will receive the sftp-subsystem configured in
  sshd2_config as its value (instead of "sftp"). This enables the use of
  secure file transfer in setups where the defined public-key forced
  command effectively allows executing the sftp-subsystem.

In 4.4.2

o Fixed the sshd2 and ssh-certd startup script error. When the scripts
  are passed the "start" parameter, the logic now checks the return value
  of //usr/local/sbin/sshd2.
o HP-UX 11.x PA-RISC and Itanium packages have been renamed according to
  the supported processor architecture.
o SSH Tectia Server now logs local port forwarding activities.

In 4.4.1

o Improved SFTP logging.

In 4.4.0

o Password expiration notification is now shown on HP-UX and AIX.
o The Unix last command now captures the event when a user logs in to the
  SSH Tectia Server (HP-UX).
o scp2 exit code fixed (on some HP-UX platforms scp2 returned exit code 0
  when the destination host name couldn't be resolved).
o import-ssh1-authorized-keys now supports public key options.
o ssh2 and ssh-keygen2 now create the .ssh2 directory with mask 077
  instead of the user's umask.
o ssh2 no longer fails if .ssh2 does not exist and cannot be created.
o The client warning message "public key does not exist" is now only
  displayed in verbose mode.
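The 4.4.4 forced-command change above means a wrapper that restricts a key to file transfer must compare $SSH2_ORIGINAL_COMMAND against the sftp-subsystem value configured in sshd2_config rather than the literal "sftp". The following sh script is an added example, not SSH Tectia code or a script from these release notes; the subsystem path /usr/local/bin/sftp-server2 is a hypothetical value standing in for whatever sshd2_config defines.

```shell
#!/bin/sh
# Added example (not from the SSH Tectia release notes or product): a
# public-key forced-command wrapper that only lets the key start the SFTP
# subsystem and rejects everything else (interactive shell, scp, arbitrary
# commands). From 4.4.4 on, $SSH2_ORIGINAL_COMMAND carries the configured
# sftp-subsystem value instead of "sftp"; a wrapper matching the old
# literal "sftp" would deny legitimate sftp2 sessions after the upgrade.

# Hypothetical subsystem path; set to the sftp-subsystem in sshd2_config.
SFTP_SUBSYSTEM="${SFTP_SUBSYSTEM:-/usr/local/bin/sftp-server2}"

# sftp_only_command ORIGINAL_COMMAND CONFIGURED_SUBSYSTEM
# Prints the command to exec and returns 0 only when ORIGINAL_COMMAND is
# byte-for-byte the configured subsystem. Anything else, including an empty
# command (interactive login) or a command with extra arguments or shell
# metacharacters appended, prints nothing and returns 1.
sftp_only_command() {
    orig=$1
    allowed=$2
    [ -n "$orig" ] || return 1
    case "$orig" in
        "$allowed") printf '%s\n' "$allowed"; return 0 ;;
        *)          return 1 ;;
    esac
}

# Entry point when sshd2 runs this script as the key's forced command.
# Nothing below runs when the variable is unset (e.g. when sourced).
if [ -n "${SSH2_ORIGINAL_COMMAND:-}" ]; then
    if cmd=$(sftp_only_command "$SSH2_ORIGINAL_COMMAND" "$SFTP_SUBSYSTEM")
    then
        exec "$cmd"
    fi
    # Log the rejected request on stderr so it lands in the session log.
    printf 'forced-command: denied "%s"\n' "$SSH2_ORIGINAL_COMMAND" >&2
    exit 1
fi
```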
3.2. Known Issues

o On some hosts, scp2 returns exit code 0 when the destination hostname
  cannot be resolved.
o sftp2 returns exit value 0 when SIGINT is received in batch mode.
o Upgrading the Server on HP-UX overwrites the user-defined config file
  with the default values.
o SSH Tectia Client/Server packages clash with OpenSSH packages on SUSE
  Linux. Uninstall OpenSSH on SUSE before proceeding with the SSH Tectia
  installation.
o OpenSSH SCP with the option '-r' and the asterisk (*) does not work
  against SSH Tectia Windows Server.
o Packages for Linux on POWER and Linux on z/Series are not included in
  this release.
o Using /etc/init.d/sshd2 stop may fail to stop sshd on Solaris if it is
  running on a port other than 22.
o Uploading files to a Linux Server on IBM iSeries may fail in some
  circumstances.
o If PAM forces a password change on UNIX during keyboard-interactive PAM
  authentication, and the new password does not meet the required quality
  settings (e.g. consists only of lowercase alphabetic characters), the
  PAM message informing the user about this is truncated after the first
  line.
o Host authentication using Entrust certificates does not work on the
  HP-UX 11.11 platform.
o libCstd.so is now required on Sun Solaris 8. libCstd.so is included in
  patch 108434-06, which can be found at http://sunsolve.sun.com/.
o ssh-dummy-shell does not recognize sftp-server with a full path, for
  example, /usr/local/libexec/sftp-server. In a chrooted environment, the
  server executes the sftp-server without the full path so that the setup
  works.
o Relocation support on Solaris creates /etc/ssh2 and /sbin/init.d entries
  under the relocated directory. You will need to create a symlink to the
  actual directory and init scripts if you need this kind of a setup.
o Some data sent to stderr might get lost just before ssh exits when
  executing commands.
  If you rely on that information (you have a script that sends data to
  stderr, which you want to capture), you can add a "sync" command to
  your script.
o Directories created with a very restrictive umask during installation
  are inaccessible for normal users (for example, a umask of 027 will
  cause /usr/local/lib/sshsecsh to be inaccessible). Please install the
  software with a default umask (for example, 022).
o Login with an empty password fails on Linux 2.4 with shadow passwords.
o If LDAP is down, certificate authentication using that LDAP server will
  appear to hang (it will time out after a very long time).
o Uninstalling may leave files behind.
o When changing a password for a user with multiple UIDs (for example, a
  root account), the password will only be changed for the user listed
  first in /etc/passwd.
o There are problems with user authentication on AIX when LDAP is used as
  the user database.
o ssh-keygen2 cannot extract certificates from PKCS#12 files when the FIPS
  crypto library is used. This is because the RC2 cipher is required, and
  it is not FIPS-approved.
o Entrust support: on HP-UX 11, you may need the following (or later)
  patches to get the Entrust libraries working:
    PHSS_16587 (run-time patch)
    PHSS_19866 (dld.sl(5) cumulative patch)
    PHCO_19666 (libpthreads cumulative patch)
    PHCO_20765 (libc cumulative patch)
  The following compiler patches are probably not necessary, as Entrust
  support is only available in the binaries. Nevertheless, they are
  listed as required by Entrust documentation, so they are repeated here:
    PHSS_21223 (ANSI C Compiler cumulative patch)
    PHSS_20975 (HP aC++ (A.03.15))
  The following super-patches to ld and linker tools may also help (these
  patch sets also have fixes to the runtime dynamic linker):
    PHSS_30048 (for HP-UX 11.00)
    PHSS_30049 (for HP-UX 11.11)
o If you have previously installed the ssh-ace-plugins package, you need
  to uninstall it before installing the ssh packages. Otherwise you will
  get conflicts between the two packages.
  See the ssh-ace-plugins package documentation for information about
  uninstalling.
o IPv6 link-local addresses do not work.
o Linux binaries require termcap libraries. These are not installed by
  default on SUSE, so you need to install the 'libtermcap' package to
  satisfy this dependency.