Release Notes for Tectia Server 6.5.2
-------------------------------------
4 March 2022
Copyright (C) 2022 SSH Communications Security Corporation.
This software is protected by international copyright laws.
All Rights Reserved.
Table of Contents
1. About This Release
2. Important Changes
3. New Features
4. Bug Fixes
5. Known Issues
6. Further Information
1. About This Release
-----------------------
The 6.5 release of Tectia Server is declared a Feature Release, and it is
supported for 2 years from the release date of 6.5.1. The latest support end
dates for Tectia Client/Server are available at:
https://www.ssh.com/products/support/end-of-support
The 6.5.2 release has the same end of support date as 6.5.1.
This release is a minor release that addresses an upgrade issue from 6.4.x to
6.5.1 on SELinux-enabled Linux operating systems. See Bug Fixes under 6.5.2.
There are no new features or other bug fixes in 6.5.2, and it is limited to
Linux operating systems only. New Linux installations on systems where SELinux
is not enabled may install 6.5.1 instead; 6.5.2 is only needed when SELinux is
enabled.
This release is based on Tectia Server 6.4.20. The items addressed in this
release are the same as those listed under the "6.5.1" section.
Special items for this release are:
- Zero Trust Authentication
- Improved Pluggable Authentication Modules (PAM) support on Linux
We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products,
and on Windows also SSH Tectia 6.0.x or older, before installing SSH Tectia
6.5 products.
For the installation instructions, refer to the Tectia Server Administrator
Manual.
2. Important Changes
----------------------
(TECT-458)
Disabled SHA-1 algorithms in the server defaults, following the deprecation warning
issued in earlier releases. These algorithms can still be enabled manually for legacy
reasons. It is important to understand that SHA-1 algorithms are deprecated due to
security issues and should not be enabled without a critical legacy dependency on
them. We do not recommend enabling SHA-1 algorithms.
* ssh-rsa (RSA/SHA1) is no longer included in the default public-key signature
algorithms or host key algorithms. We recommend using SHA2 variants
(e.g. rsa-sha2-256, ssh-rsa-sha256@ssh.com) for existing RSA keys.
* ssh-dss (DSA/SHA1) is no longer included in the default public-key signature
algorithms or host key algorithms. We recommend using SHA2 variants
(e.g. ssh-dss-sha256@ssh.com) for existing DSA keys and creating additional RSA,
ED25519, or ECDSA key(s) for better interoperability with third-party
clients/servers.
* diffie-hellman-group-exchange-sha1 (DH-GEX-SHA1) and diffie-hellman-group14-sha1
are no longer included in the default key exchange algorithms. We recommend using
SHA2 variants (e.g. diffie-hellman-group-exchange-sha256 and
diffie-hellman-group14-sha256).
The @ssh.com SHA2 variants have been supported in Tectia Client/Server since
version 6.2.0, released in 2011, and the standardized SHA2 variants since
version 6.4.18.
HMAC SHA1 algorithms remain in the server defaults. Although NIST has formally
deprecated the use of SHA-1 for digital signatures, SHA-1 is still considered secure
for HMAC, as the security of HMAC does not rely on the underlying hash function
being collision resistant.
CBC mode ciphers are no longer included in the server defaults. Although there are
no known vulnerabilities in current versions, better counter-based modes such as CTR
and GCM are available. CBC mode ciphers can still be enabled manually in the server
configuration. This change was made to alleviate false positives from security
scanners. Our recommendation is to use CTR mode and GCM mode over CBC mode whenever
possible, and to use CBC mode only when neither of the other two modes is usable
with the cipher.
3. New Features
-----------------
The following new features have been implemented in Tectia Server:
New Features in 6.5.2
---------------------
- There are no new features introduced in this release.
New Features in 6.5.1
---------------------
(TECT-325)
- Zero Trust certificate-based user authentication with short-lived X.509v3 or
OpenSSH certificates. Delegate access control to PrivX for Just-In-Time (JIT)
access management. PrivX version 22 and above is supported.
(TECT-462)
- Windows Server 2022 and SUSE Linux Enterprise Server 15 (x86-64) added as
supported installation platforms.
(TECT-484)
- Linux: The installation creates or modifies the /etc/pam.d/ssh-server-g3
Pluggable Authentication Modules (PAM) configuration and preserves the original
file as /etc/pam.d/ssh-server-g3.orig. PAM is now required for successful
password authentication on RHEL.
(TECT-313)
- Added support for x509-certificate-chain for user and host certificates and
the standardized X.509v3 signature algorithms defined in RFC 6187.
The following signature-algorithms and hostkey-algorithm values are supported:
* x509v3-rsa2048-sha256
* x509v3-ecdsa-sha2-nistp256
* x509v3-ecdsa-sha2-nistp384
* x509v3-ecdsa-sha2-nistp521
* x509v3-ssh-dss (DSA/SHA1 not enabled by default on server-side)
* x509v3-ssh-rsa (RSA/SHA1 not enabled by default on server-side)
(TECT-147)
- Added support for OpenSSH user and host certificates.
The following signature-algorithms and hostkey-algorithm values are supported:
* ecdsa-sha2-nistp256-cert-v01@openssh.com
* ecdsa-sha2-nistp384-cert-v01@openssh.com
* ecdsa-sha2-nistp521-cert-v01@openssh.com
* ssh-ed25519-cert-v01@openssh.com
* rsa-sha2-256-cert-v01@openssh.com
* rsa-sha2-512-cert-v01@openssh.com
* ssh-rsa-cert-v01@openssh.com (RSA/SHA1 not enabled by default)
* ssh-dss-cert-v01@openssh.com (DSA/SHA1 not enabled by default)
(TECT-492)
- Added curve25519-sha256@libssh.org to client and server key exchange defaults
for better interoperability with 3rd party implementations that do not support
standardized curve25519-sha256.
(TECT-335)
- Tectia Server Configuration GUI supports extended-key-usage certificate
selector, for example secureShellClient (oid 1.3.6.1.5.5.7.3.21).
(TECT-61)
- The critical Microsoft custom policy OID 1.3.6.1.4.1.311.21.10 is now accepted
if it contains only extended key usage OIDs that are also present in the actual
extended key usage extension of the X.509v3 certificate being validated.
(TECT-359)
- Tectia Server Configuration GUI can be used to configure OCSP trusted mode
(RFC5019, RFC6960) responder issuing CA certificate.
(TECT-367)
- Added a new configuration option, the xauth-shell attribute, which can be used
to specify the shell used to run the xauth binary instead of the user's shell in
X11 forwarding.
(TECT-426)
- Tectia Server logging improvements: Certificate_validation_success and
Certificate_validation_failure now also log the Subject name and the Email and
UPN Subject Alternative Names for X.509v3 certificates, and the Key ID and
principals for OpenSSH certificates.
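Short-lived OpenSSH certificates (TECT-325, TECT-147) carry the Key ID, principals and validity window that the Certificate_validation_* log events (TECT-426) now record. The following added Python example (not Tectia code) decodes an ssh-ed25519-cert-v01@openssh.com blob from an authorized_keys-style line and applies the non-cryptographic checks a server makes before trusting it: certificate type, validity window and principal match. It does not verify the CA signature; build_test_cert constructs an unsigned sample with placeholder key and signature bytes so the parser runs offline. Treating an empty principal list as a rejection is this example's choice for JIT-scoped certificates; OpenSSH itself accepts such a certificate for any user.

```python
"""Decode an OpenSSH ssh-ed25519 user certificate and apply the checks a
short-lived (JIT) certificate needs: type, validity window, principal list.

Added example, not Tectia code. The signature is decoded but NOT verified
here; a real validator must check it against the trusted CA key."""
import base64
import struct
import time

CERT_TYPE_USER = 1
CERT_TYPE_HOST = 2
ED25519_CERT = b"ssh-ed25519-cert-v01@openssh.com"


def _str(buf, off):
    """Read an SSH 'string' (uint32 length prefix) at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _pack_str(b):
    return struct.pack(">I", len(b)) + b


def parse_cert(blob):
    """Parse the certificate blob (the base64 part of an authorized_keys
    line) into its fields, following OpenSSH PROTOCOL.certkeys for ed25519."""
    ctype, off = _str(blob, 0)
    if ctype != ED25519_CERT:
        raise ValueError("unsupported certificate type %r" % ctype)
    _nonce, off = _str(blob, off)
    pubkey, off = _str(blob, off)
    serial, cert_type = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id, off = _str(blob, off)
    principals_raw, off = _str(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    off += 16
    _critical, off = _str(blob, off)
    _extensions, off = _str(blob, off)
    _reserved, off = _str(blob, off)
    signature_key, off = _str(blob, off)
    signature, off = _str(blob, off)
    principals, p = [], 0
    while p < len(principals_raw):          # packed list of strings
        name, p = _str(principals_raw, p)
        principals.append(name.decode())
    return {"type": cert_type, "serial": serial, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after,
            "valid_before": valid_before, "pubkey": pubkey,
            "signature_key": signature_key, "signature": signature}


def parse_authorized_line(line):
    """Split 'ssh-ed25519-cert-v01@openssh.com AAAA... comment' and decode."""
    parts = line.split()
    if len(parts) < 2 or parts[0].encode() != ED25519_CERT:
        raise ValueError("not an ed25519 certificate line")
    return parse_cert(base64.b64decode(parts[1]))


def to_authorized_line(blob, comment=""):
    """Inverse of parse_authorized_line, for building test input."""
    return "%s %s %s" % (ED25519_CERT.decode(),
                         base64.b64encode(blob).decode(), comment)


def check_cert(cert, username, now=None):
    """Return the reasons to reject this certificate for `username`;
    an empty list means the non-cryptographic checks pass."""
    now = int(time.time()) if now is None else now
    reasons = []
    if cert["type"] != CERT_TYPE_USER:
        reasons.append("not a user certificate")
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        reasons.append("outside validity window")
    if not cert["principals"]:
        # OpenSSH treats an empty list as "any principal"; for JIT access we
        # want explicitly scoped certificates, so treat it as a rejection.
        reasons.append("empty principal list")
    elif username not in cert["principals"]:
        reasons.append("principal %r not listed" % username)
    return reasons


def build_test_cert(key_id, principals, valid_after, valid_before,
                    cert_type=CERT_TYPE_USER, serial=1):
    """Constructed, UNSIGNED certificate for offline testing: the key and
    signature fields are placeholder bytes, not real ed25519 values."""
    fake_ca_key = _pack_str(b"ssh-ed25519") + _pack_str(b"\x11" * 32)
    body = (_pack_str(ED25519_CERT) + _pack_str(b"\x00" * 32)   # type, nonce
            + _pack_str(b"\x22" * 32)                            # user pubkey
            + struct.pack(">QI", serial, cert_type)
            + _pack_str(key_id.encode())
            + _pack_str(b"".join(_pack_str(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _pack_str(b"") + _pack_str(b"") + _pack_str(b"")   # crit/ext/rsv
            + _pack_str(fake_ca_key))
    return body + _pack_str(_pack_str(b"ssh-ed25519") + _pack_str(b"\x33" * 64))
```

Feed the certificate line from a real `ssh-keygen -L`-able key file to parse_authorized_line to see the same Key ID and principals the Certificate_validation_* events log; check_cert with an explicit `now` lets you reproduce a logged validation failure for a certificate that has since expired.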
4. Bug Fixes
--------------
The following fixes have been implemented in Tectia Server:
Bug Fixes in 6.5.2
------------------
(TECT-536)
- SELinux-enabled Linux: Fixed an issue with upgrading from 6.4.x to 6.5.1.
In 6.5.1 the upgrade would fail unless /tmp/ssh-server-g3 was removed
manually first.
Bug Fixes in 6.5.1
------------------
(TECT-108)
- Linux: Tectia Server ssh-server-ctl now uses systemd on RHEL 7, RHEL 8, SUSE 12
and SUSE 15 for stopping and starting the service.
The recommended commands are 'systemctl [start|stop|restart|status] ssh-server-g3'.
For a configuration update, 'ssh-server-ctl reload', which validates the
ssh-server-config.xml configuration before applying it, is recommended.
(TECT-347)
- Windows Server: Using relative paths to access virtual folders no longer fails
if the home directory is configured as the virtual root.
(TECT-199)
- Linux: Tectia Server is now confined to sshd SELinux context on RHEL.
(TECT-174)
- Tectia Server Configuration GUI now allows only the service rule command
configurations that the server supports. If a forced command is set, no other
commands can be added to the group. If a group contains multiple allowed
commands, forced commands cannot be added to or edited in the group.
(TECT-423)
- Tectia Server now checks file permissions of CA certificates configured as
trust anchors for user certificate authentication.
(TECT-433)
- Tectia Server Configuration GUI no longer overwrites public key
signature-algorithms in ssh-server-config.xml with default values.
(TECT-127)
- OpenSSL generated passphrase protected PKCS#8 key no longer fails to be decoded.
(TECT-310)
- Tectia Server Configuration GUI now supports name-regexp attribute for
example in authentication selector instead of overwriting manually configured
selectors like .
(TECT-401)
- Customized tunnel (port forwarding) restrictions are now enforced correctly.
* In tunnel-remote, 'listen' is matched only when the listener is being opened.
'src' is not matched when the listener is opened, but only when a tunnel is
opened.
* The new tunnel-remote 'disable-privilege-check' attribute defaults to 'no'. If
it is not set, opening a tunnel listener always performs a privilege check,
forbidding listener open on ports below 1024 unless the user is a privileged
admin/root user.
* New tunnel endpoint attributes 'tunnel-src' and 'tunnel-dst' were added for
tunnel-local and tunnel-remote. These match the SSH client's IP address as seen
by the server, based on the TCP connection. The 'src' in tunnel-local, which
matches the connection source as reported by the client, has not been changed;
because that value is supplied by the client, it cannot be relied on for access
control, whereas 'tunnel-src' is observed by the server itself.
(TECT-333)
- Tectia Server Configuration GUI no longer crashes if host certificate has
critical extension BasicConstraints CA = FALSE.
(TECT-353)
- Tectia Server user login with a certificate no longer fails if the user-group
attribute is defined in the same selector as certificate selectors.
(TECT-361)
- Tectia Server Logging Channel_outbound_statistics and
Channel_inbound_statistics no longer log username as uninitialized.
(TECT-382)
- Windows: ssh-shell in Tectia Server no longer ignores input bytes with the
highest bit set. Multibyte characters are now shown correctly when logged in
with sshg3.
5. Known Issues
-----------------
The following issues are currently known to exist in Tectia SSH Server:
(FB #41772)
- Linux, RHEL6: ssh-servant-g3 processes can show large virtual memory
allocation, in excess of one GB per process. This is due to thread
arena allocation in libc 2.10 and later, included in RHEL 6.0, not
because of memory leaks.
(FB #39681)
- Solaris: With exec-directly="no", csh on Solaris closes auditing file
descriptors for sft-server-g3, effectively disabling logging with
sftp. The recommended solution here is to use exec-directly="yes".
(FB #41617)
- Windows: Upgrade only recognizes versions 6.1 onwards.
(FB #36835)
- All platforms: Remote translation tables only work when the site command
X=BIN is used. Local translation tables work as intended.
(FB #22991)
- AIX: Upgrading from version 6.2.x or 6.3.x will not restart the server
automatically after installing the upgrade packages. Upgrading from
versions 6.1.x (or earlier), and versions 6.4.2 (or later) will work
normally and restart the server after upgrade.
(FB #19541)
- Unix/Linux: When logged in to Tectia Server, an executable will fail to start
if any parent of the current working directory is not readable and a relative
path is used to refer to the executable.
(FB #13818)
- All Platforms: The usage of IPv6 addresses in certificates is not yet
supported.
(FB #14973)
- Linux: SSH Tectia Server must be stopped before upgrading from 6.2.0 as the
newer ssh-server-ctl will not be able to stop the 6.2.0 server. Upgrades from
any other version than 6.2.0 do not experience this issue.
(FB #9145)
- Windows: When installing Tectia Server on a platform that has more than 30
CPUs running Windows 2003 SP2, make sure that you have the proper Microsoft
patches installed to not hit a Microsoft bug which will make your host
unusable.
For more information, see: http://support.microsoft.com/kb/2539164
(FB #10425)
- Unix: If OpenSSL 0.9.8 is installed on the host where Tectia Server is
installed, Tectia Server may fail when using PAM with software that uses that
OpenSSL library.
Workaround if FIPS is not used: rename the libcrypto.so.0.9.8 under
/opt/tectia/sshlib to another name (note that this will make FIPS mode
unusable).
(FB #9367)
- Windows: If the installation fails with error message "An error occurred
during the installation of assembly component {B708EB72-AA82-3EB7-8BB0-
D845BAB35C93D}. HRESULT: 0x80070BC9" use Windows Update to install
required operating system updates.
(FB #9106)
- AIX: Executables are now compiled in 64 bit. For PAM to work, the operating
system should point to the 64-bit versions of PAM libraries instead of the
32-bit versions.
(FB #9530)
- All platforms: Extra checks are done when starting the Tectia Server and
Connection Broker in the FIPS mode due to the OpenSSL FIPS cryptographic
library health check. This will lead to a noticeable delay in the start of
the process on slow machines.
(FB #8826)
- Windows: Users authenticated with a public key cannot access network
DFS shares that are on a different host from the one where Tectia Server is
running.
Workaround: Use the password cache.
(FB #4699)
- AIX: Due to IBM's bug IZ02631, a servant may deadlock under heavy stress.
IBM has a fix for AIX 5.3 and AIX 6.1.
(FB #4705)
- Linux, SELinux: If the common package is installed with SELinux disabled, the
following warning message will be given during the installation:
/usr/bin/chcon: can't apply partial context to unlabeled file
/opt/tectia/lib/shlib/libicudata.so.40
/usr/bin/chcon: can't apply partial context to unlabeled file
/opt/tectia/lib/shlib/libicuuc.so.40
This can be safely ignored. However, if SELinux enforcing is enabled
after the installation, the following command needs to be executed:
/usr/bin/chcon -t textrel_shlib_t /opt/tectia/lib/shlib/*.so
(RQ #19164)
- Linux RedHat 3: The pam_krb5 module supplied with Red Hat Linux 3 will
not work with Tectia Server when configured with
pam-calls-with-commands=yes as pam_krb5 requires pam_authenticate() to be
called before pam_setcred().
(RQ #19080)
- AIX: Authentication may fail for LDAP accounts when verifying login
permissions.
This is caused by an error in AIX system libraries when trying to retrieve
password expiration information for an LDAP user and is addressed by IBM APAR
IZ46727 (registration required):
http://www-01.ibm.com/support/docview.wss?uid=isg1IZ46727
(RQ #18437)
- Windows: Tectia Server supports only ISO Latin 1 character sets in folder
names used for storing troubleshooting logs.
(RQ #18307)
- All platforms: The file transfer with WinSCP 3.6 might fail when the file
transfer is resumed.
(RQ #18211)
- All platforms: If the server configuration has one or more selectors in
the block listing specific ciphers, and the client does not
match the selector, it is still allowed the default ciphers. This is
because there is no implicit deny-rule in the block (the
behavior is different from the block).
(RQ #18084)
- Unix: All installed Tectia products must be upgraded to 6.0.2 at the
same time. If some packages are left to 6.0.1 or older version, they will
stop working when the 6.0.2 common package is installed.
(RQ #17626)
- Windows: On Windows, Tectia Server does not support GW mode for
connecting to other Secure Shell servers.
(RQ #17604)
- All platforms: Files larger than 4 GB cannot be transferred to or from
Tectia Server when using the old OpenSSH 'scp' command.
Workaround: The files can be transferred using scpg3 or sftpg3.
(RQ #17271)
- Solaris x86-64: RSA SecurID cannot be used with Tectia Server on
Solaris x86-64, because RSA SecurID offers only a 32-bit PAM library.
Tectia Server expects a 64-bit pam_securid.so.
(RQ #17170)
- Solaris 10: Tectia Server and the FTP/SFTP conversion component of
Tectia Client with EFT Expansion Pack need to be uninstalled separately
from each local zone, if they have been installed to all zones by
installing into the global zone.
(RQ #17055)
- Solaris: Installation packages do not detect the underlying Solaris
architecture to prevent installation of the x86-64 packages on x86
architecture. The packages can be installed but they will not work.
(RQ #16986)
- Windows: SFTP 'chmod' command is not supported against Tectia Server
running on Windows.
(RQ #16410)
- Solaris 10: Tectia Server and the FTP-SFTP conversion component of
Tectia ConnectSecure need to be uninstalled separately from each local
zone, if they got installed to all zones by installing into the global
zone.
(RQ #16342)
- All platforms: OpenSSH keys are not accepted as host keys, when running
the server in FIPS mode.
(RQ #16285)
- AIX: When trying to log in to an AIX server using an account which has an
expired password, the client returns the following error message:
"Request exec channel error: Disconnected by application." The reason
for the disconnection is, however, logged correctly in the server's log.
(RQ #16080)
- Windows: The Server reports a "Wrong password" message to the event log
when the correct password is given but the account has expired.
(RQ #15976)
- Windows: Users without administrator rights cannot use file transfer with
the default Windows 2003 ACL settings.
(RQ #15973)
- All platforms: The certificate validation path construction from LDAP
fails, if the LDAP server requires suffix ';binary' for the PKI binary blob
attribute names.
(RQ #15874)
- Linux: If a user account has expired, the Server incorrectly asks the
user to change the password and then denies login.
(RQ #15819)
- Solaris: Quality checks for password changes (e.g. password length,
characters etc.) enforced by PAM will only be enforced when using PAM
authentication. When changing passwords via forced commands (i.e. when
using authentication methods other than keyboard-interactive PAM), the
Tectia Server will not enforce PAM-related password quality checks.
(RQ #15807)
- Windows: If a non-admin user tries to start the server, the server
reports error message "Failed to access service manager".
(RQ #15711)
- Windows: Well-known security identifiers ('Everyone' and 'Authenticated
Users', for instance) are not shown in the Tectia Server Configuration GUI's
directory object picker when browsing groups for a selector.
(RQ #15627)
- Unix: Currently it is not possible to allow X11 forwarding when terminal
connections are denied.
(RQ #15393)
- Windows: Installing PGP Desktop 9.5.2 and Tectia Server on the same
Windows machine will cause the one installed earlier not to work.
(RQ #15228)
- All platforms: File transfers of files larger than 4 KB using Net::SFTP and
Net::SSH::Perl fail against Tectia Server.
The workaround is documented at http://www.cpanforum.com/threads/2092.
It involves lowering the value of COPY_SIZE in the SFTP.pm Perl module from
8192 to 4063 or lower.
(RQ #15016)
- HP-UX: Shadow passwords are not supported on HP-UX when using the
password authentication method. Shadow passwords can be used on HP-UX only
with keyboard-interactive PAM authentication, with the appropriate PAM
configuration.
(RQ #14973)
- Windows: The Server reports "Wrong password" message to the event log
even though the correct password is given, if the account is locked.
(RQ #14762)
- Windows: Currently it is not possible to see and select Active Directory
universal groups in the User Group Selector dialog of the configuration
tool GUI. However, universal groups can be used as selectors if those are
entered manually to the user group selector name field.
(RQ #14672)
- All platforms: It is possible to generate all lengths of RSA/DSA keys in
FIPS mode, although the Tectia Client/Server software will only accept
keys compliant with FIPS.
(RQ #14259)
- AIX: The Server hangs after a few authentication tries when the following
value is set in the /etc/security/user file:
SYSTEM='KRB5Files or compat'
The Server does not hang when the value is set to: SYSTEM='compat'
(RQ #14039)
- Windows: Using rsync with Cygwin OpenSSH against Tectia Server fails
when using public-key authentication.
(RQ #12576)
- HP-UX 11.11: Attempting GSSAPI authentication can cause the
auths-gssapi-userproc-krb process to consume CPU and not exit after the
client disconnects. The GSSAPI authentication will be enabled if no
configuration file is found or if specifically enabled in the server
configuration. The HP-UX patch PHSS_35381 fixes this issue. GSSAPI needs to
be disabled in the server configuration, if installing the patch is not an
option.
(RQ #12517)
- Unix: Canceling user authentication when Tectia Server has been
configured with keyboard-interactive authentication method, causes
authentication to fail with "Server responded 'Unexpected response
packet'".
(RQ #11836)
- All platforms: After changing the password on a Secure Shell server, but
before logging in with the new password, either the Connection Broker must be
restarted to close the previous connection, or the user must wait for the
connection to time out (by default 5 seconds). If this is not done, login
with the new password will not succeed.
6. Further Information
------------------------
More information can be found on the Tectia man pages and manuals.
Tectia manuals are also available from https://www.ssh.com/manuals/
Additional licenses can be purchased by contacting sales at
https://www.ssh.com/.