Release Notes for Tectia Server 6.4.6 &
Tectia Server 6.4.6 for Linux on IBM System z
----------------------------------------------

24 January 2014

(C) 2014 SSH Communications Security Corporation
This software is protected by international copyright laws.
All Rights Reserved.

Table of Contents

  1. About This Release
  2. New Features
  3. Bug Fixes
  4. Known Issues
  5. Further Information


1. About This Release
-----------------------

The 6.4 release for Tectia Server is declared a Feature Release, and it is supported for 2 years from the release date of 6.4.0 (24 January 2013). The final goal of a Feature Release is to become the next Long Term Supported (LTS) release, by adding all required features during multiple maintenance releases. Once this version is considered feature complete, the second digit of its version number will change and it will be declared LTS. Once the version is tagged as LTS, its maintenance releases will only contain fixes to critical bugs, and it will be supported for 3 years, with the possibility to extend that support for 2 more years.

This release is based on Tectia Server 6.4.0. Items addressed in this release are listed under the "6.4.6" sections.

Special items for this release are:

  . Added support for Windows 2012 R2 for Tectia Client and Server

  . Implemented Load Control in Tectia Server: a connection flood DoS
    attack mitigation feature that uses a white list of IP addresses.

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products before installing Tectia 6.4 products. For the installation instructions, refer to the Tectia Server Administrator Manual.


2. New Features
-----------------

The following new features have been implemented in Tectia Server:

New Features in 6.4.6
---------------------

- Windows: Updated the certificate used for signing the Windows packages. Note that the new certificate uses SHA-2 to verify its signature.
  Microsoft Windows XP with Service Pack 2 does not support SHA-2 and therefore cannot guarantee the integrity of the certificate (KB968730). For Microsoft Windows Server 2003 with Service Pack 2, to validate the certificate, apply the hotfix from KB968730.

- All platforms: Implemented "load control", a connection flood DoS attack mitigation feature that uses a white list of IP addresses. The feature attempts to keep Tectia Server up and running in the face of a Denial of Service attack that tries to consume so much of the server's resources that normal service would be disrupted.

- Windows: Local tunneling constraints obtained via an external application can now be configured using the Tectia Server Configuration GUI.

- Windows: Added support for Windows 2012 R2 for Tectia Client and Server.

New Features in 6.4.5
---------------------

- All Platforms: Added the Tectia Mapper Protocol to Tectia Server. This provides the tools for communication between Tectia Server and an external application to match local tunneling constraints with external data.

- All Platforms: In Tectia Server, added the possibility to define local tunneling constraints obtained via an external application that uses the Tectia Mapper Protocol.

- Windows: Tectia Server can now authenticate domain users when there is a one-way trust relationship between the domain of the host and the domain of the user.

- Windows: Added a new option to ssh-server-ctl, "add-pwd-cache-user". This command adds the specified user and the entered password to the server password cache database.

- Windows: Added support for Windows 8 for Tectia Client and Server.

New Features in 6.4.2
---------------------

- AIX: Tectia Server on AIX will always be started using the "startsrc -s ssh-tectia-server" command. That will start two ssh-server-g3 processes: one is a service launcher, which communicates with the AIX System Resource Controller, and the other is the normal ssh-server-g3 process handling connections.
  Stopping Tectia Server while it still has open connections is now transparent to the AIX System Resource Controller: it will consider Tectia Server stopped, while the existing connections remain active.

- Windows: Added support for Windows 2012 for SSH Tectia Client and Server.

- Solaris 11 SPARC: New installation packages are available for Oracle Solaris 11 (SPARC).

- Solaris 11 x86-64: New installation packages are available for Oracle Solaris 11 (x86-64).

- All Platforms: Implemented passphrase support in the init string when Tectia Server communicates via PKCS#11.


3. Bug Fixes
--------------

The following fixes have been implemented in Tectia Server:

Bug Fixes in 6.4.6
------------------

- Windows: Improved error handling related to domain user authentication when there is a one-way trust relationship between the domain of the host and the domain of the user.

- Windows: Fixed the display of certain incorrect error messages.

- All Platforms: Fixed a deadlock that occurred in Tectia Server under stress when using the Tectia Mapper Protocol.

- Documentation: Corrected the location of the Tectia Server registry keys on Windows.

- Windows: RSA SecurID authentication no longer fails when aceclnt.dll is specified in the Tectia Server configuration file but is not in the system's path.

- Windows: GSSAPI authentication no longer fails in certain conditions when the security authentication package is too large.

- Windows: Users are now able to authenticate via GSSAPI when using the host name, the fully qualified domain name or an IP address to define the destination server.

- Windows: Fixed a memory leak that occurred in Tectia Server under certain conditions when authenticating domain users.

- All platforms: Fixed a bug in Tectia Server that was causing the ssh-servant-g3 process to crash under stress.

- Windows: Fixed a bug in Tectia Server that was causing the ssh-servant-g3 process to crash when authenticating domain users.
- Unix: When configuring GSSAPI authentication, the dll-path parameter is no longer ignored.

- All Platforms: Improved Tectia Server's stability under stress.

Bug Fixes in 6.4.5
------------------

- All Platforms: If a version exchange failure occurs, Tectia Server now logs a disconnect message and sends a binary message to the client. This is a change of behavior compared to all previous releases.

Bug Fixes in 6.4.4
------------------

- Windows: The Tectia Server Configuration GUI now allows more than 1000 rules on the Connections and Encryption, Authentication, and Services pages.

- AIX, HPUX: If a connection is disconnected because authentication failed, Tectia Server now reports one failure. This concerns only PAM, LAM and/or public-key authentication. The behavior has not changed when using password or keyboard-interactive with the password sub-method: Tectia Server reports one failure per failed password.

Bug Fixes in 6.4.3
------------------

- Windows: In Tectia SSH Server, fixed a crash that occurred when GSSAPI was used.

Bug Fixes in 6.4.2
------------------

- All Platforms: Fixed a memory leak in ssh-broker-g3 and in ssh-servant-g3. The memory leak occurred in certain cases when GSSAPI authentication was used.

- Windows: Viewing the Troubleshooting Log has been reactivated, with improved performance and reliability.

- AIX: When upgrading a Tectia Server that has active connections, the server will not restart if the fix for APAR IV07310 is installed on the AIX host.

- All Platforms: Improved the documentation and removed inconsistencies in parsing the regular expressions used in the Allow/Deny-from options of the authorization file.

- Windows: Fixed the server's Troubleshooting Log, which was slowing down too much and was missing some trace messages when Tectia Server was under stress.

- All Platforms: The End-user license agreement (EULA) has been updated to reflect the new company name.
- All Platforms: Tectia Client, Server and ConnectSecure executables no longer fail to start when using the relative path ./.

- Unix: Fixed the behavior when an ssh terminal connection has processes in the background and is requested to exit. Previously, whether executed via a remote command without a terminal or with an interactive session, the ssh terminal connection hung. Now, in the case of a remote command, it will kill the background process and exit, and in the case of an interactive session, the ssh terminal connection will exit and leave the background processes running.

- All Platforms: There is no longer a difference in terminal behavior between Tectia Server started with the ssh-server-config-default.xml configuration file and Tectia Server started without any configuration file.

- All Platforms: Reloading the configuration on Tectia Server no longer hangs if a forced command specified in an authorization file has been executed.

- Windows: There is no longer a difference in terminal behavior between Tectia Server started without any configuration file and Tectia Server started with the configuration file generated by the Tectia Server Configuration GUI.

Bug Fixes in 6.4.1
------------------

- All Platforms: In file transfer clients, ASCII and character set conversion related site commands to Tectia SSH Server for IBM z/OS now work against all versions of Tectia SSH Server for IBM z/OS.

Bug Fixes in 6.4.0
------------------

- Windows: The password cache is again configurable using the GUI on displays with a vertical resolution of 768 pixels.

- Windows: When executing remote commands and external programs, the standard error of the command is no longer redirected to standard output.

- Unix: Changed the way the server identifies ptyless sessions when they need to be logged. Previously we used ssh-, but that proved to badly increase the size of the utmp file on AIX, for instance. Now the server emulates the behavior of the pty sessions, and always identifies them with ssh-.
  This causes those identifiers to be reused, limiting the unwanted growth of the utmp file.

- All Platforms: The End-user license agreement (EULA) has been updated to reflect the new company name.

- All Platforms: Tectia Client, Server and ConnectSecure executables no longer fail to start when started by the relative path ./.


4. Known Issues
-----------------

The following issues are currently known to exist in Tectia Server:

- AIX: Upgrading from version 6.2.x or 6.3.x will not restart the server automatically after installing the upgrade packages. Upgrading from versions 6.1.x (or earlier) and versions 6.4.2 (or later) will work normally and restart the server after the upgrade.

- Unix/Linux: When logged in to SSH Tectia Server, an executable will fail to start if any parent of the current working directory is not readable and relative paths are used to refer to the executable.

- All Platforms: The usage of IPv6 addresses in certificates is not yet supported.

- Linux: SSH Tectia Server must be stopped before upgrading from 6.2.0, as the newer ssh-server-ctl will not be able to stop the 6.2.0 server. Upgrades from any version other than 6.2.0 do not experience this issue.

- Windows: When installing Tectia Server on a platform that has more than 30 CPUs running Windows 2003 SP2, make sure that you have the proper Microsoft patches installed to avoid hitting a Microsoft bug which will make your host unusable. For more information, see: http://support.microsoft.com/kb/2539164

- Unix: If OpenSSL 0.9.8 is installed on the host where Tectia Server is installed, Tectia Server may fail when using PAM with software that uses that OpenSSL library. Workaround if FIPS is not used: rename the libcrypto.so.0.9.8 under /opt/tectia/sshlib to another name (note that this will make FIPS mode unusable).

- Windows: If the installation fails with the error message "An error occurred during the installation of assembly component {B708EB72-AA82-3EB7-8BB0-D845BAB35C93D}. HRESULT: 0x80070BC9", use Windows Update to install the required operating system updates.

- AIX: Executables are now compiled in 64 bit. For PAM to work, the operating system should point to the 64-bit versions of the PAM libraries instead of the 32-bit versions.

- AIX: Entrust certificates are no longer supported on AIX platforms.

- All platforms: Extra checks are done when starting Tectia Server and the Connection Broker in FIPS mode due to the OpenSSL FIPS cryptographic library health check. This will lead to a noticeable delay in the start of the process on slow machines.

- Windows: Users authenticated with a public key cannot access network DFS shares that are on a different machine than the one where Tectia Server is running. Workaround: use the password cache.

- AIX: Due to IBM bug IZ02631, a servant may deadlock under heavy stress. IBM has a fix for AIX 5.3 and AIX 6.1.

- Linux SE: If the common package is installed with SELinux disabled, the following warning message will be given during the installation:

    /usr/bin/chcon: can't apply partial context to unlabeled file /opt/tectia/lib/shlib/libicudata.so.40
    /usr/bin/chcon: can't apply partial context to unlabeled file /opt/tectia/lib/shlib/libicuuc.so.40

  This can be safely ignored. However, if SELinux enforcing is enabled after the installation, the following command needs to be executed:

    /usr/bin/chcon -t textrel_shlib_t /opt/tectia/lib/shlib/*.so

- Linux RedHat 3: The pam_krb5 module supplied with Red Hat Linux 3 will not work with Tectia Server when configured with pam-calls-with-commands=yes, as pam_krb5 requires pam_authenticate() to be called before pam_setcred().

- AIX: Authentication may fail for LDAP accounts when verifying login permissions.
  This is caused by an error in the AIX system libraries when trying to retrieve password expiration information for an LDAP user, and is addressed by IBM APAR IZ46727 (registration required): http://www-01.ibm.com/support/docview.wss?uid=isg1IZ46727

- Windows XP: Connections may fail when receiving more than 10 concurrent connections. This is a known limitation in Windows XP. More information is available in the following Microsoft knowledge base article: http://support.microsoft.com/kb/314882. Windows XP is a client operating system not intended for server purposes. For best performance and availability we recommend running Tectia Server on Windows Server editions.

- Linux on IBM System z: A FIPS 140-2 compliant cryptographic library is not included in the installation package. For FIPS compliant AES, 3DES and SHA algorithms, use the cryptographic hardware provided by the System z architecture. Cryptographic acceleration is enabled in Tectia by default.

- Windows: Tectia Server does not support character sets other than ISO Latin 1 in folder names for storing troubleshooting logs.

- Linux on IBM System z: Due to a system problem in older s390 Linux kernels, probing for the cryptographic hardware produces the "Illegal instruction" signal if no cryptographic hardware is present. In that case, the servant or Connection Broker is not able to start. Workaround: remove the cryptographic hardware plug-ins (*cpacf.so) from the plug-in directory.

- All platforms: File transfer with WinSCP 3.6 might fail when the file transfer is resumed.

- All platforms: If the server configuration has one or more selectors in the block listing specific ciphers, and the client does not match the selector, it is still allowed to use the default ciphers. This is because there is no implicit deny-rule in the block (the behavior is different from the block).

- Unix: All installed Tectia products must be upgraded to 6.0.2 at the same time.
  If some packages are left at 6.0.1 or an older version, they will stop working when the 6.0.2 common package is installed.

- Windows: On Windows, Tectia Server does not support GW mode for connecting to other Secure Shell servers.

- All platforms: Files larger than 4GB cannot be transferred to or from Tectia Server when using the OpenSSH 'scp' command. Workaround: the files can be transferred using scpg3 or sftpg3.

- Solaris x86-64: RSA SecurID cannot be used with Tectia Server on Solaris x86-64, because RSA SecurID offers only a 32-bit PAM library. Tectia Server expects a 64-bit pam_securid.so.

- Solaris 10: Tectia Server and the FTP/SFTP conversion component of Tectia Client with EFT Expansion Pack need to be uninstalled separately from each local zone, if they have been installed to all zones by installing into the global zone.

- Solaris: Installation packages do not detect the underlying Solaris architecture to prevent installation of the x86-64 packages on the x86 architecture. The packages can be installed but they will not work.

- Windows: The SFTP 'chmod' command is not supported against Tectia Server running on Windows.

- Solaris 10: Tectia Server and the FTP-SFTP conversion component of Tectia ConnectSecure need to be uninstalled separately from each local zone, if they were installed to all zones by installing into the global zone.

- All platforms: OpenSSH keys are not accepted as host keys when running the server in FIPS mode.

- AIX: When trying to log in to an AIX server using an account which has an expired password, the client returns the following error message: "Request exec channel error: Disconnected by application." The reason for the disconnection is, however, logged correctly in the server's log.

- Windows: The Server reports a "Wrong password" message to the event log even though the correct password is given, if the account has expired.

- Windows: Users without administrator rights cannot use file transfer with the default Windows 2003 ACL settings.
- All platforms: The certificate validation path construction from LDAP fails if the LDAP server requires the suffix ';binary' for the PKI binary blob attribute names.

- Linux: If a user account has expired, the Server incorrectly asks the user to change the password and then denies login.

- Solaris: Quality checks for password changes (e.g. password length, characters etc.) enforced by PAM will only be enforced when using PAM authentication. When changing passwords via forced commands (i.e. when using authentication methods other than keyboard-interactive PAM), Tectia Server will not enforce PAM-related password quality checks.

- Windows: If a non-admin user tries to start the server, the server reports the error message "Failed to access service manager".

- Windows: Well-known security identifiers ('Everyone' and 'Authenticated Users', for instance) are not shown in the Tectia Server Configuration GUI's directory object picker when browsing groups for a selector.

- Unix: Currently it is not possible to allow X11 forwarding when terminal connections are denied.

- Windows: Installing PGP Desktop 9.5.2 and Tectia Server on the same Windows machine will cause the one installed earlier to stop working.

- All platforms: File transfers of files larger than 4kb using Net::SFTP and Net::SSH::Perl fail against Tectia Server. The workaround is documented at http://www.cpanforum.com/threads/2092. It involves lowering the value of COPY_SIZE in the SFTP.pm perl module from 8192 to 4063 or lower.

- HP-UX: Shadow passwords are not supported on HP-UX when using the password authentication method. Shadow passwords can be used on HP-UX only with keyboard-interactive PAM authentication, with the appropriate PAM configuration.

- Windows: The Server reports a "Wrong password" message to the event log even though the correct password is given, if the account is locked.
- Windows: Currently it is not possible to see and select Active Directory universal groups in the User Group Selector dialog of the configuration tool GUI. However, universal groups can be used as selectors if they are entered manually in the user group selector name field.

- All platforms: It is possible to generate all lengths of RSA/DSA keys in FIPS mode, although the Tectia Client/Server software will only accept keys compliant with FIPS.

- AIX: The Server hangs after a few authentication tries when the following value is set in the /etc/security/user file:

    SYSTEM='KRB5Files or compat'

  The Server does not hang when the value is set to:

    SYSTEM='compat'

- Windows: OpenSSH host keys are not accepted for use by the Server if it is in FIPS mode. Workaround: convert the OpenSSH key to Tectia format using the command:

    ssh-keygen-g3 --import-private-key

- Windows: Using rsync with Cygwin OpenSSH against Tectia Server fails when using public-key authentication.

- HP-UX 11.11: Attempting GSSAPI authentication can cause the auths-gssapi-userproc-krb process to consume CPU and not exit after the client disconnects. GSSAPI authentication will be enabled if no configuration file is found or if it is specifically enabled in the server configuration. The HP-UX patch PHSS_35381 fixes this issue. GSSAPI needs to be disabled in the server configuration if installing the patch is not an option.

- Unix: Canceling user authentication when Tectia Server has been configured with the keyboard-interactive authentication method causes authentication to fail with "Server responded 'Unexpected response packet'".

- All platforms: After changing the password on a Secure Shell server, but before logging in with the new password, either the Connection Broker must be restarted to close the previous connection, or the user must wait for the connection to time out (by default 5 seconds). If this is not done, login with the new password will not succeed.


5. Further Information
------------------------

More information can be found on the man pages and in the Tectia manuals, which are also available at http://www.ssh.com/index.php/support-overview/product-documentation.html

Additional licenses can be purchased from our online store at: http://www.ssh.com/.