Tectia Client Product Update

1. About This Release

The 6.6 release of Tectia Client is declared Long Term Supported (LTS), and it is supported for 3 years from the release date of 6.6.2. The latest support end dates for Tectia Client/Server are available at: https://www.ssh.com/products/support/end-of-support

The 6.6.3 release is available for AIX (POWER), HP-UX (IA-64 and PA-RISC), Solaris (SPARC and x86-64), Linux (x86-64) and Windows (x86-64) platforms.

PQC algorithms supported only on AIX, Solaris, Linux and Windows.

Special items for 6.6 release are:

• Tectia Quantum Safe Edition with multiple PQC hybrid key exchange algorithms

• Added support for Ubuntu, Debian, Rocky (Linux) platforms

• Improvements to certificate validation

• FIPS module has been updated to OpenSSL 3.0.8 in Solaris, Linux and Windows

• Removed ETM MAC algorithms from the defaults

• Deprecation of DSA algorithms from the defaults

• Deprecation of SHA-1 algorithms from the defaults

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products, and on Windows also SSH Tectia 6.0.x or older, before installing SSH Tectia 6.6 products.

For the installation instructions, refer to the Tectia Client User Manual.

2. Important Changes

Important changes in 6.6.3

(TECT-981) The hmac-sha2-256-etm@openssh.com and hmac-sha2-512-etm@openssh.com MAC algorithms are no longer included in the defaults.

Also the strict KEX mitigation to low impact CVE-2023-48795 has been implemented. Please note that also the Secure Shell server needs to support the strict KEX.

(TECT-740) FIPS module has been updated to OpenSSL 3.0.8 in Solaris, Linux and Windows.

(TECT-968) In FIPS mode diffie-hellman-group-exchange-sha256 (DH-GEX-SHA256) and other Group Exchange (GEX) methods are now disabled in Key Exchange (KEX) to comply with FIPS 140-2 NIST SP 800-56Ar3 requirement of using standard Modular Exponential (MODP) Diffie-Hellman groups such as diffie-hellman-group18-sha512.

Customers using FIPS should verify that their Tectia configurations do not contain Group Exchange (GEX) methods. Tectia Client in FIPS mode fails to connect with "KEX negotiation failed" error after upgrade if Secure Shell Server does not offer other methods or if only the diffie-hellman-group-exchange-* (DH-GEX-*) algorithms are enabled in ssh-broker-config.xml.

(TECT-892) AES-GCM is now preferred over AES-CTR in default configurations.

(TECT-824) Added official support for Rocky Linux (8 and 9), Ubuntu (18.04, 20.04 and 22.04) and Debian GNU/Linux (11 and 12) platforms.

3. New Features

The following new features have been implemented in Tectia Client:

New features in 6.6.3

(TECT-943) - ssh-keygen-g3 tool: Improved passphrase handling. Now if --random-pass option is used when generating a new key, the private key is protected with a BASE64 encoded passphrase and the path to <file>.pass is shown in the output.

(TECT-920) - Command-line clients sshg3, sftpg3 and scpg3 now have --any-alg option that allows all supported algorithms including the insecure ones to be used. Alternatively, all supported algorithms for a specific option can be allowed with --ciphers=any--macs=any --kexs=any --hostkey-algorithms=any or --publickey-algorithms=any. If an algorithm is explicitly specified on command line, it will be used instead of--any-alg.

(TECT-878) - Performance profiling for currently running broker. Intended for better problem diagnostics with the help of SSH support. Obtain performance measurements with  'ssh-broker-ctl performance show' command.

(TECT-865) - Added compatibility for Azure SFTP server due to lack of checksum support in AzureSSH_1.0.0.

(TECT-849) - New MVS filetypes IDC (Idcams), PDS (Partition Dataset), IBC (IEBCOPY) and DSS (ADRDSSU) can now be used in ftadv (file transfer advisory string).

(TECT-805) - Improved reporting of used signature algorithm if publickey authentication is used. Also added --auth-log option to 'ssh-broker-ctl connection-status ID --auth-log'

(TECT-780) - sftpg3 initial remote path can be now provided on the command-line. Also URL syntax is supported, for example sftp://user@host/path

(TECT-512) - Windows: Added support for directory symlinks in SFTP.

4. Bug Fixes

The following fixes have been implemented in Tectia Client:

Bug fixes in 6.6.3

(TECT-971) - Windows GUI: Fixed an issue with terminal emulation where end of lines were not always cleared correctly leaving old characters on screen when updating display.

(TECT-938) - Fixed an issue with broker running in daemon mode where simultaneous connections with authentication agent forwarding enabled might fail with 'Agent connection failed', which could lead to a broker crash.

(TECT-910) - Windows GUI: Fixed an issue using control characters to manipulate character set(s) during a single connection in GUI terminal. Using control characters should now correctly change the character set e.g. between line draw characters and defaults.

(TECT-898) - Windows GUI: Fixed an issue where reconnecting to same host after disconnecting during same the GUI session prevents files from being uploaded.

(TECT-897) - Windows GUI: Fixed issues with file Upload Dialogue.

(TECT-846) - Windows GUI: File transfer filter bar should now work as expected when "Remove view on left, local view on right" is selected.

(TECT-845) - Windows GUI: Add favorite remote folders are now added to the correct profile instead of the default.ssh2 profile.

(TECT-842) - Windows GUI: "Preserve original file time" setting is now honoured.

(TECT-841) - Windows GUI: Fixed an issue where file overwrite protection did not prompt the user when attempting to overwrite a file with the setting enabled.

(TECT-836) - Windows GUI: Fixed issues with how some of the ASCII transfer extensions were handled in GUI.

(TECT-835) - Windows GUI: Fixed set file permissions in GUI file transfer.

(TECT-809) - Fixed an issue with broker where connection would fail if "Signature operation failed", for example if SHA-1 was attempted in FIPS mode that does not allow it. Now Key_store_sign_failed causes just the particular key to fail, and next publickey(s) are tried if authorized on the server-side.

(TECT-729) - Fixed an issue in Configuration GUI where setting severity to debug goes against XML DTD definition resulting in an invalid configuration of the XML file.

(TECT-438) - Windows GUI: Client now cancels the authentication attempt and skips to next  method if empty passphrase or password is provided in the authentication prompt. Previously, GUI prompted for the passphrase repeatedly.

5. Known Issues

The following issues are currently known to exist in Tectia Client:

(FB #38886) - All Platforms: scpg3 and sftpg3 with --append overwrite the destination file when the server is OpenSSH 6.4 or older.

(FB #36224, FB #36221) - Windows: Connections Configuration GUI: Dots do not work correctly in profile names or profile folder names, because they are used internally for the profile folder feature.

(FB #36222) - Windows: Connections Configuration GUI: Empty connection profile folders are not saved in the Broker configuration.

(FB #36835) - All platforms: Remote translation tables only work when the site command X=BIN is used. Local translation tables work as intended.

(FB #19541) - Unix/Linux: When logged to the SSH Tectia Server, an executable will fail to start if any parent of the current working directory is not readable and relative paths are used to refer to the executable.

(FB #13818) - All Platforms: The usage of IPv6 addresses in certificates is not yet supported.

(FB #3882) - z/OS: SFTP fails when attempting to transfer an empty MVS dataset. However, FTP opens the file and proclaims that the transfer is completed without generating an error.

(FB #9840) - Solaris: On some Solaris configurations the ssh-capture tool does not function without configuring the operating system. The runtime linking environment must be adjusted to honor the LD_PRELOAD environment variable. See the manual page of crle(1) for details.

(FB #9367) - Windows: If the installation fails with error message "An error occurred during the installation of assembly component {B708EB72-AA82-3EB7-8BB0-D845BAB35C93D}. HRESULT: 0x80070BC9" use Windows Update to install required operating system updates.

(FB #9106) - AIX: Executables are now compiled in 64 bit. For PAM to work, the operating system should point to the 64-bit versions of PAM libraries instead of the 32-bit versions.

(FB #9530) - All platforms: Extra checks are done when starting the Tectia Server and Connection Broker in the FIPS mode due to the OpenSSL FIPS cryptographic library health check. This will lead to a noticeable delay in the start of the process on slow machines.

(FB #7726) - Windows: --summary-format newline option '\n' does not work on Windows.

(FB #4725) - All platforms: The ssh-keygen will always use the default location of the UserConfigDirectory, if no path is specified.

(RQ #18958) - Windows: Password cannot be specified in a file with --password command-line option.

(RQ #18674) - Windows: Uploading files from "Upload Dialog" of the GUI file transfer tool does not work when "Hide extensions for known file types" of Windows Explorer is set to 'yes'. Workaround: Enable file extensions. This issue will be fixed in an upcoming maintenance release.

(RQ #17537) - Windows: If the "Transparent tunneling" component of Tectia Client or Tectia ConnectSecure is installed on a Windows XP computer in a domain where firewall exceptions are managed by a group policy, the exceptions get changed so that the computer becomes inaccessible from the network. Workaround: Edit the exceptions manually so that, for example, the server port becomes accessible.

(RQ #17535) - Windows: SFTP GUI might cause the existing local copy of a file to be partially overwritten in ASCII mode, when downloading of the file from the remote server fails due to missing file permissions.

(RQ #17528) - All platforms: The scpg3 command shows the transfer time incorrectly if "--statistics=simple" is set.

(RQ #17482) - All platforms: When trying to connect to a server that is not available (i.e. the server is not running), the error message returned by sshg3 is "Unable to connect to Broker". It should return "Unable to connect to Server".

(RQ #17368) - Windows: Reconnecting to the previously used Connection Profile by pressing Enter in the Tectia Terminal or File Transfer GUI may fail in some cases. Workaround: Select the profile from the menu.

(RQ #17343) - Windows: Removing a token while it is being read could in some cases result in a Tectia Connection Broker failure.

(RQ #17215) - Windows: Opening multiple remote tunnels in a profile against OpenSSH servers can cause Tectia Connection Broker to fail.

(RQ #17055) - Solaris: Installation packages do not detect the underlying Solaris architecture to prevent installation of the x86-64 packages on x86 architecture. The packages can be installed but they will not work.

(RQ #16986) - Windows: SFTP 'chmod' command is not supported against Tectia Server running on Windows.

(RQ #16902) - Unix: If scpg3 is used to copy a file to itself, the file will be truncated and the scpg3 command hangs.

(RQ #16573) - Unix: The 'finger' command does not show the idle time correctly when logged in using SFTP.

(RQ #16276) - Windows: When running sftpg3 in batch mode, the Connection Broker may log the Broker_channel_process_exit_failed messages with status "Operation failed". These are system internal events and do not indicate any failure in the file transfer operation.

(RQ #16270) - Windows: The exit values for scpg3 do not match the values mentioned in the documentation in the following error situations: connection lost, interrupting a file transfer using CTRL+C, trying to copy to a directory, but the destination is not a directory. Nevertheless, in all these cases the return value is non-zero.

(RQ #15996) - All platforms: scpg3 does not warn about the existence of directories when shell globbing is used, for example: scpg3 "/tmp/testdir/*" user@server:/tmp However, the correct warning is displayed if the scpg3 command is used without globbing: scpg3 /tmp/testdir/* user@server:/tmp

(RQ #15973) - All platforms: The certificate validation path construction from LDAP fails, if the LDAP server requires suffix ';binary' for the PKI binary blob attribute names.

(RQ #15948) - Windows: If the Connection Broker is started for another userID using the 'runas' command, the user dialogs are shown for the user who started the process.

(RQ #15921) - All platforms: The server creates empty files if a user tries to transfer files without correct server-side permissions. The correct error message is displayed.

(RQ #15846) - Windows: Local TCP tunneling using listener port 0 does not work.

(RQ #15006) - Windows: When accessing a Unix host using scpg3 or sftpg3, files with file names that contain characters that are illegal in Windows file names (for example: *, ? and ~) cannot be transferred or accessed if relative paths are used. Workaround: Use absolute paths for accessing the files on the Unix host and escape the illegal characters with the tilde character '~'. Note also that the files with illegal characters need to be renamed when transferred to Windows. For example, to copy a file "file*name.txt" from user's Unix home directory to Windows: C:\> scpg3.exe user@server:/home/user/file~*name.txt filename.txt

(RQ #14227) - Windows: If trying to connect from a Windows GUI client to an OpenSSH server with a public key and option command="ls", the client hangs. When performed with the Windows command-line client (sshg3) it works properly.

(RQ #14226) - Windows: When using regular expressions in filter rules the dot character '.' does not work as expected. For example, when using a filter rule for tunneling of telnet.exe using regular expression: '.*.ssh.com' the connection will not be tunneled even if the regular expression matched the host address. Workaround: Add a '\' in front of the '.' For example, the previous regular expression should be:  '.*\.ssh\.com'

(RQ #14222) - All platforms: If a wrong passphrase is provided several times for a key, the Connection Broker skips it and proceeds to the next key. If it is an OpenSSH key, once it has been skipped because of a decoding failure, the Connection Broker makes no further attempts to use the key on subsequent login attempts. The Connection Broker must be reloaded or restarted in order to use that OpenSSH key for authentication.

(RQ #14109) - Windows: Secure file transfer speed may be slower against Tectia Server on Windows than against Tectia Server on Linux.

(RQ #13377) - Windows: If multiple concurrent terminal services sessions are opened for the same user, the services sessions share the same Connection Broker session. This can cause the user banner and dialog boxes to be displayed to the wrong session. Opening several concurrent terminal services sessions for the same user does not provide secure separation of sessions.

(RQ #11836) - All platforms: After changing the password on a Secure Shell server, but before logging in with the new password, either the Connection Broker must be restarted to close the previous connection, or the user must wait for the connection to time out (by default 5 seconds). If this is not done, login with the new password will not succeed.

6. Further Information

More information can be found on the Tectia man pages and manuals. Tectia manuals are also available from https://www.ssh.com/manuals/

Additional licenses can be purchased by contacting sales at https://www.ssh.com/ 

1. About This Release

The 6.6 release of Tectia Client is declared Long Term Supported (LTS), and it is supported for 3 years from the release date of 6.6.2.

The latest support end dates for Tectia Client/Server are available here.

The 6.6.2 release is available for AIX (POWER), HP-UX (IA-64 and PA-RISC), Solaris (SPARC and x86-64), Linux (x86-64) and Windows (x86-64) platforms.

PQC algorithms are supported only on AIX, Solaris, Linux, and Windows.

Special items for 6.6 release are:

• Tectia Quantum Safe Edition with multiple PQC hybrid key exchange algorithms
• Improvements to certificate validation
• FIPS module has been updated to OpenSSL 3.0 in Solaris, Linux, and Windows
• Deprecation of DSA algorithms from the defaults
• Deprecation of SHA-1 algorithms from the defaults

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products, and on Windows, also SSH Tectia 6.0.x or older, before installing SSH Tectia 6.6 products.

For the installation instructions, refer to the Tectia Client User Manual.

2. Important Changes

(TECT-718) DSA has been deprecated and is no longer included in default values of host key algorithms nor public-key signature algorithms. We strongly recommend to use any other supported hostkey algorithm and signature algorithm instead for host keys and user keys.

CAUTION: Public key authentication with DSA keys fail on signature failure after upgrade. It is recommended to generate new RSA or Elliptic Curve Key (ECDSA or Edwards Curve) user key(s) and replace the authorized user public key(s) on the server-side.

Connections will fail with "Key exchange failed" and "Host key algorithm negotiation failed" errors after upgrade if Secure Shell Server has a DSA host key as the only identity and the ssh-broker-config.xml does not explicitly allow using deprecated DSA algoritm(s) such as ssh-dss-sha256@ssh.com.

It is recommended to create a server-specific connection profile or a generic legacy profile with deprecated DSA algorithms listed last when connecting to old servers if the DSA host key or authorized user public key cannot be changed on the server-side.

(TECT-566) Using OpenSSL 3.0 FIPS container inside Solaris, Linux, and Windows. RSA, ECDSA, and Ed25519 keys are supported in FIPS mode. New DSA keys cannot be generated with Client Configuration GUI when running in FIPS mode. If needed, 3072- or 2048-bit DSA keys can be generated with ssh-keygen-g3 --fips-mode.

(TECT-655) PQC algorithm support for Solaris as a part of the Tectia Quantum Safe Edition.

(TECT-663) Solaris installation packages are now 64-bit.

(TECT-721) Tectia Client now signs always with a SHA-2 algorithm in host-based authentication, and therefore it does not interoperate with old servers that have host-based authentication enabled as a user authentication method. It is recommended to upgrade both the client-side and server-side to the latest Tectia version if host-based authentication is used in the environment.

3. New Features

(TECT-743) Tectia Quantum Safe Edition: Added a new PQC hybrid KEX algorithm curve448-kyber1024-sha512@ssh.com that is supported when FIPS mode is enabled.

(TECT-591) Command-line clients sshg3, sftpg3 and scpg3 now support --template-profile option that can be used with a generic profile, specifying for example required algorithms, when connecting to servers instead of using default or server-specific profiles in ssh-broker-config.xml.

(TECT-710) Command-line clients sshg3, sftpg3 and scpg3 now support --publickey-algs option that specify signature algorithms in preferred order in user publickey authentication. Alternatively, signature-algorithms can be specified in ssh-broker-config.xml.

(TECT-677) Improved user certificate filtering to make it easier to offer the certificates that are more likely to be accepted by the server in user authentication when there are multiple certificates.

(TECT-793) Compatibility for OpenSSH 7.4 server that reports incorrect server-sig-algs extension so that ed25519 or ecdsa keys can be used.

4. Bug Fixes

(TECT-762) Fixed an issue with proxy ruleset so that IP range is no longer ignored in direct configuration. Previously configured proxy was always used for all client connections. 

(TECT-742) Ed25519 user keys can be now used via an authentication agent.

(TECT-746) Fixed an issue with nested authentication agent forwarding that could in some conditions result in signature failure with External key provider error after waiting for 5 minutes.

(TECT-704) Broker no longer crashes when “interactive-shy” is set as the key-selection policy under certain conditions.

(TECT-675) Currently, valid user certificates are now prioritized newest first by default.

(TECT-646) Broker no longer crashes when using multiple certificates and the user should choose the certificate when the option 'Prompt user to select the public key' has been selected.

(TECT-554) Broker no longer crashes under certain conditions with OpenSSH Agent.

5. Known Issues

The following issues are currently known to exist in Tectia Client:

(TECT-347) In Windows Server virtual folders are incorrectly resolved, if the users home directory is a virtual folder.

Workaround: Specify commands to use the real path to Windows directories instead of the virtual directories when home directory is a virtual folder.

(FB #38886) All Platforms: scpg3 and sftpg3 with --append overwrite the destination file when the server is OpenSSH 6.4 or older. 

(FB# 39847) AIX: Host-based authentication in FIPS mode requires copying or linking the libcrypto.a to /lib or /usr/lib.

(FB #36224, FB #36221) Windows: Connections Configuration GUI: Dots do not work correctly in profile names or profile folder names, because they are used internally for the profile folder feature.

(FB #36222) Windows: Connections Configuration GUI: Empty connection profile folders are not saved in the Broker configuration.

(FB #36835) All platforms: Remote translation tables only work when the site command X=BIN is used. Local translation tables work as intended.

(FB #19541) Unix/Linux: When logged to the SSH Tectia Server, an executable will fail to start if any parent of the current working directory is not readable and relative paths are used to refer to the executable.

(FB #13818) All Platforms: The usage of IPv6 addresses in certificates is not yet supported.

(FB #3882) z/OS: SFTP fails when attempting to transfer an empty MVS dataset. However, FTP opens the file and proclaims that the transfer is completed without generating an error.

(FB #10425) Unix: if OpenSSL 0.9.8 is installed on the host where Tectia Server is installed, it may fail when using PAM with software that uses that OpenSSL library.

Workaround if FIPS is not used: Rename the libcrypto.so.0.9.8 existent under /opt/tectia/sshlib to another name (note that this will make FIPS mode unusable).

(FB #9840) Solaris: On some Solaris configurations the ssh-capture tool does not function without configuring the operating system. The runtime linking environment must be adjusted to honor the LD_PRELOAD environment variable. See the manual page of crle(1) for details.

(FB #9367) Windows: If the installation fails with error message "An error occurred during the installation of assembly component {B708EB72-AA82-3EB7-8BB0-D845BAB35C93D}. HRESULT: 0x80070BC9" use Windows Update to install required operating system updates. 

(FB #9106) AIX: Executables are now compiled in 64 bit. For PAM to work, the operating system should point to the 64-bit versions of PAM libraries instead of the 32-bit versions. 

(FB #9530) All platforms: Extra checks are done when starting the Tectia Server and Connection Broker in the FIPS mode due to the OpenSSL FIPS cryptographic library health check. This will lead to a noticeable delay in the start of the process on slow machines.

(FB #7726) Windows: --summary-format newline option '\n' does not work on Windows.

(FB #4725) All platforms: The ssh-keygen will always use the default location of the UserConfigDirectory, if no path is specified.

(FB #4705) Linux SE: If the common package is installed with SElinux disabled, the following warning message will be given during the installation:

•    /usr/bin/chcon: can't apply partial context to unlabeled file
•    /opt/tectia/lib/shlib/libicudata.so.40
•    /usr/bin/chcon: can't apply partial context to unlabeled file
•    /opt/tectia/lib/shlib/libicuuc.so.40

This can be safely ignored. However, if the SElinux enforcing is enabled after the installation, the following command needs to be executed:

•    /usr/bin/chcon -t textrel_shlib_t /opt/tectia/lib/shlib/*.so

(RQ #18958) Windows: Password cannot be specified in a file with --password command-line option.

(RQ #18674) Windows: Uploading files from "Upload Dialog" of the GUI file transfer tool does not work when "Hide extensions for known file types" of Windows Explorer is set to 'yes'.

Workaround: Enable file extensions. This issue will be fixed in an upcoming maintenance release.

(RQ #17537) Windows: If the "Transparent tunneling" component of Tectia Client or Tectia ConnectSecure is installed on a Windows XP computer in a domain where firewall exceptions are managed by a group policy, the exceptions get changed so that the computer becomes inaccessible from the network.

Workaround: Edit the exceptions manually so that, for example, the server port becomes accessible.

(RQ #17535) Windows: SFTP GUI might cause the existing local copy of a file to be partially overwritten in ASCII mode, when downloading of the file from the remote server fails due to missing file permissions. 

(RQ #17528) All platforms: The scpg3 command shows the transfer time incorrectly if "--statistics=simple" is set.

(RQ #17482) All platforms: When trying to connect to a server that is not available (i.e. the server is not running), the error message returned by sshg3 is "Unable to connect to Broker". It should return "Unable to connect to Server".

(RQ #17368) Windows: Reconnecting to the previously used Connection Profile by pressing Enter in the Tectia Terminal or File Transfer GUI may fail in some cases.

Workaround: Select the profile from the menu.

(RQ #17343) Windows: Removing a token while it is being read could in some cases result in a Tectia Connection Broker failure.

(RQ #17215) Windows: Opening multiple remote tunnels in a profile against OpenSSH servers can cause Tectia Connection Broker to fail.

(RQ #17055) Solaris: Installation packages do not detect the underlying Solaris architecture to prevent installation of the x86-64 packages on x86 architecture. The packages can be installed but they will not work. 

(RQ #16986) Windows: SFTP 'chmod' command is not supported against Tectia Server running on Windows.

(RQ #16902) Unix: If scpg3 is used to copy a file to itself, the file will be truncated and the scpg3 command hangs.

(RQ #16573) Unix: The 'finger' command does not show the idle time correctly when logged in using SFTP.

(RQ #16276) Windows: When running sftpg3 in batch mode, the Connection Broker may log the Broker_channel_process_exit_failed messages with status "Operation failed". These are system internal events and do not indicate any failure in the file transfer operation.

(RQ #16270) Windows: The exit values for scpg3 do not match the values mentioned in the documentation in the following error situations: connection lost, interrupting a file transfer using CTRL+C, trying to copy to a directory, but the destination is not a directory. Nevertheless, in all these cases the return value is non-zero.

(RQ #15996) All platforms: scpg3 does not warn about the existence of directories when shell globbing is used, for example: scpg3 "/tmp/testdir/*" user@server:/tmp However, the correct warning is displayed if the scpg3 command is used without globbing: scpg3 /tmp/testdir/* user@server:/tmp

(RQ #15973) All platforms: The certificate validation path construction from LDAP fails, if the LDAP server requires suffix ';binary' for the PKI binary blob attribute names.

(RQ #15948) Windows: If the Connection Broker is started for another userID using the 'runas' command, the user dialogs are shown for the user who started the process.

(RQ #15921) All platforms: The server creates empty files if a user tries to transfer files without correct server-side permissions. The correct error message is displayed. 

(RQ #15846) Windows: Local TCP tunneling using listener port 0 does not work.

(RQ #15006) Windows: When accessing a Unix host using scpg3 or sftpg3, files with file names that contain characters that are illegal in Windows file names (for example: *, ? and ~) cannot be transferred or accessed if relative paths are used.

Workaround: Use absolute paths for accessing the files on the Unix host and escape the illegal characters with the tilde character '~'. Note also that the files with illegal characters need to be renamed when transferred to Windows. For example, to copy a file "file*name.txt" from user's Unix home directory to Windows: C:\> scpg3.exe user@server:/home/user/file~*name.txt filename.txt

(RQ #14227) Windows: If trying to connect from a Windows GUI client to an OpenSSH server with a public key and option command="ls", the client hangs. When performed with the Windows command-line client (sshg3) it works properly.

(RQ #14226) Windows: When using regular expressions in filter rules the dot character '.' does not work as expected. For example, when using a filter rule for tunneling of telnet.exe using regular expression: '.*.ssh.com' the connection will not be tunneled even if the regular expression matched the host address.

Workaround: Add a '\' in front of the '.' For example, the previous regular expression should be: '.*\.ssh\.com'

(RQ #14222) All platforms: If a wrong passphrase is provided several times for a key, the Connection Broker skips it and proceeds to the next key. If it is an OpenSSH key, once it has been skipped because of a decoding failure, the Connection Broker makes no further attempts to use the key on subsequent login attempts. The Connection Broker must be reloaded or restarted in order to use that OpenSSH key for authentication.

(RQ #14109) Windows: Secure file transfer speed may be slower against Tectia Server on Windows than against Tectia Server on Linux.

(RQ #13377) Windows: If multiple concurrent terminal services sessions are opened for the same user, the services sessions share the same Connection Broker session. This can cause the user banner and dialog boxes to be displayed to the wrong session. Opening several concurrent terminal services sessions for the same user does not provide secure separation of sessions.

(RQ #11836) All platforms: After changing the password on a Secure Shell server, but before logging in with the new password, either the Connection Broker must be restarted to close the previous connection, or the user must wait for the connection to time out (by default 5 seconds). If this is not done, login with the new password will not succeed.

6. Further Information

More information can be found on the Tectia man pages and manuals. Tectia manuals are also available here.

Additional licenses can be purchased by contacting SSH sales.

1. Important Changes

(TECT-619) Increased default RSA and DSA key size from 2048 bits to 3072 bits and ECDSA from 256 bits to 384 bits. These changes reflect the new minimum values recommended by us for these authentication keys.

(TECT-614) NIST has chosen CRYSTALS-Kyber. Following this decision we have decided to remove SABER from the defaults. However, SABER still remains supported and the PQC hybrid KEX ecdh-nistp521-firesaber-sha512@ssh.com can be enabled in configuration.

You can find more information here.

The new PQC hybrid KEX defaults are:

• ecdh-nistp521-kyber1024-sha512@ssh.com
• curve25519-frodokem1344-sha512@ssh.com
• sntrup761x25519-sha512@openssh.com 

2. New Features

(TECT-611) Added Red Hat Enterprise Linux 9 as a supported installation platform.

(TECT-629) Added support for ncurses 6, which removes the previous dependency for libncurses compat libraries.

3. Bug Fixes

(TECT-609) Fixed a bug with Radius authentication in RHEL that prevented the use of said authentication method.

(TECT-606) User-defined password in connection profile is now only tried once. Previously an incorrect password in connection profile would make the client reattempt the connection until all attempts were exhausted.

(TECT-605) Client GUI connections will now honor passphrase-timeout config setting.

(TECT-587) Compatability improvements with OpenSSH Agent.