Release Notes for Tectia Client 6.3.10 & Tectia Server 6.3.10
for Linux on IBM System z
---------------------------------------------

28 February 2014

(C) 2014 SSH Communications Security Corporation
This software is protected by international copyright laws.
All Rights Reserved.

Table of Contents

1. About This Release
2. New Features
3. Bug Fixes and Minor Features
4. Known Issues
5. Further Information


1. About This Release
-----------------------

The 6.3 release for Tectia Client is declared feature complete and Long Term Supported (LTS). Therefore, it is supported for 3 years from the release date of 6.3.0 (25 June 2012). It is possible to further extend that support for 2 more years. There will be 6.3 maintenance releases which will fix critical bugs, but no new features will be added to any 6.3 release.

Items addressed in this release are listed under the sections "New Features in 6.3.10" and "Bug Fixes in 6.3.10".

Special items for this release are:

- Added support for Windows 2012 R2 for Tectia Client and Server.
- Fixed critical bugs.

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products before installing Tectia 6.3. For the installation instructions, refer to the Tectia Server Administrator Manual.


2. New Features
-----------------

The following new features have been implemented in Tectia Client:

New Features in 6.3.10
----------------------

- Windows: Added support for Windows 2012 R2 for Tectia Client and Server.

New Features in 6.3.9
---------------------

- Windows: Added support for Windows 8 for Tectia Client and Server.
- Windows: Updated the certificate used for signing the Windows packages. Note that the new certificate uses SHA-2 to verify its signature. Microsoft Windows XP with Service Pack 2 does not support SHA-2 and therefore cannot guarantee the integrity of the certificate (KB968730). For Microsoft Windows Server 2003 with Service Pack 2, to validate the certificate, apply the hotfix from KB968730.

New Features in 6.3.6
---------------------

- Windows: Added support for Windows 2012 for SSH Tectia Client and Server.

New Features in 6.3.5
---------------------

- Solaris 11 SPARC: New installation packages available for Oracle Solaris 11 (SPARC).
- Solaris 11 x86-64: New installation packages available for Oracle Solaris 11 (x86-64).

New Features in 6.3.4
---------------------

- All platforms: ssh-keygen-g3 is now able to export private keys in OpenSSH format.

New Features in 6.3.2
---------------------

- Solaris: SSH Tectia Client, Server and ConnectSecure now support Oracle Solaris 11 (x86-64).

New Features in 6.3.0
---------------------

- All Platforms: Added remote FTP Tunnel IPv6 support.
- All Platforms: SSH Tectia Client and Server now support IPv6 ZoneIDs.


3. Bug Fixes
--------------

The following fixes have been implemented in Tectia Client:

Bug Fixes in 6.3.10
-------------------

- Windows: GSSAPI authentication no longer fails in certain conditions when the security authentication package is too large.
- Windows: Users are now able to authenticate via GSSAPI when using the host name, the fully qualified domain name or an IP address to define the destination server.
- All Platforms: Authentication no longer fails when using CAC cards from a manufacturer whose name contains an "&".
- Windows: The C runtime libraries and MFC libraries in the Tectia Client, Server, ConnectSecure and MFT Events MSI packages have been updated to version 9.00.30729.6161.
- Windows: Fixed a bug in sshg3 which caused occasional hangs when run on Windows 8.

Bug Fixes in 6.3.9
------------------

- Documentation: Documented the sshg3 option "--hostkey-policy".
- Documentation: Documented the sshg3 option "--kip".
- Documentation: Fixed some inconsistencies in the site commands and in the file advice strings.
- All Platforms: Newline conversions in Tectia file transfer clients no longer fail when transferring files to a VShell Server (VanDyke).
- All Platforms: Defining "summary-format" to print the file transfer progress percentage no longer fails when connected to an OpenSSH server.
- All Platforms: File transfers from Tectia Clients no longer crash when transferring files in ASCII mode to a VShell Server (VanDyke).

Bug Fixes in 6.3.8
------------------

- All Platforms: Fixed the ssh-keygen-g3 option -m/--generate-moduli-file.
- All platforms: Fixed a problem that caused Tectia Client applications (e.g. sshg3/sftpg3/scpg3) to fail intermittently when ssh-broker-g3 was used in the run-on-demand mode.
- All Platforms: Fixed a problem in agent forwarding with certificates. When multiple sessions were open to a remote server and connections to other remote server(s) were initiated from within those sessions, agent forwarding would forward certificates for only one of the connections.
- Windows: Fixed Tectia command-line clients to assume the default window size if they cannot obtain a proper value from the system.
- Windows: Fixed Tectia command-line clients to properly show authentication prompts in nested connections. Previously, when a user had a terminal session to Tectia Server on Windows running in terminal mode "Stream" and within that session the user started a new Tectia Client connection (from the host running Tectia Server), the authentication prompts were not shown properly.

Bug Fixes in 6.3.7
------------------

- Windows: Enabled compatibility with third-party, non-standard implementations of GSSAPI authentication.

Bug Fixes in 6.3.5
------------------

- All Platforms: The SSH_SFTP_CMD_GETPUT_MODE environment variable works again.
- All Platforms: The End-user license agreement (EULA) has been updated to reflect the new company name.
- All Platforms: Tectia Client, Server and ConnectSecure executables no longer fail to start when started using the relative path ./.
- All Platforms: The scpg3 option "-a" no longer fails to do ASCII conversion.
- All Platforms: The Broker acting as a SOCKS proxy no longer leaves connections in the CLOSE_WAIT state.

Bug Fixes in 6.3.4
------------------

- All Platforms: Files no longer fail to be transferred to local destinations using UNC paths.
- All Platforms: SSH Tectia Broker no longer crashes when the connection to the SOCKS listener gets disconnected right after establishing the connection.
- All Platforms: SSH Tectia Broker is now able to read OpenSSH keys that use the new AES encryption format.
- Documentation: The company name changed from Tectia Corporation to SSH Communications Security Corporation. The documentation has been updated accordingly.
- Documentation: Specified that when ssh-keygen-g3 generates keys in FIPS mode, the RSA key length should be between 1024 and 16384 bits.
- All platforms: sftpg3 no longer stops executing if reading ssh_sftp_batch_file fails in some situations.
- All platforms: Rewrote the way the real path is found for a given relative path. Previously, if the user did not have permissions to access the current directory, it was not possible to start the Tectia applications.
- All Platforms: Tectia Server no longer busyloops when trying to access a certificate via the PKCS#11 version 2.30 interface.
- All platforms: Fixed the -i option of ssh-keygen-g3. Now, when the key specified by the -i option does not exist, the command reports the error properly.

Bug Fixes in 6.3.2
------------------

- All Platforms: Fixed a deadlock when tunneling multiple requests in transparent FTP tunnels, static tunnels, and when running the Broker as a SOCKS proxy.
- All Platforms: SSH Tectia Broker no longer crashes when it operates in 'socks-proxy' mode and the FTP client disconnects while falling back to plain.
- All Platforms: Broker stability improved in cases where the client disconnects due to connecting to a host whose name does not resolve.

Bug Fixes in 6.3.1
------------------

- Documentation: Instructions for renaming folders in the SSH Tectia Connections Configuration GUI have been updated.
- Documentation: Tectia Client and ConnectSecure troubleshooting instructions have been improved in the User's Manual.
- Documentation: In FIPS mode, the RSA key length is at least 1024 bits.
- All platforms: X11 forwarding no longer fails to work on SSH Tectia Client and ConnectSecure.
- Windows: The Broker no longer busyloops under certain conditions when the TCP connect timeout is reached.
- All platforms: During file transfer, when streaming is supported but fails, the client will now try to do the file transfer using the traditional SFTP protocol.
- All platforms: Tectia file transfer clients will no longer send type and streaming probes if the file transfer server is not from Tectia. That was causing the connection to be dropped on some third-party file transfer servers.
- All platforms: The existing sshg3 option --user=USERNAME has been added to scpg3 and sftpg3 as well.

Bug Fixes in 6.3.0
------------------

- Documentation: SSH Tectia Client does not contain C and Java APIs.
- Windows: Local and transparent TCP tunneling no longer fail to work on hosts with only IPv4 addresses enabled.
- Windows: The Broker will no longer deadlock when trying to connect to an unresponsive server.
- Windows: The SSH GUI Client will no longer crash when closing the window.
- Windows: The SSH GUI Client will no longer deadlock or hang when closing the window.
- Windows: The option "Use Alt as meta key (send Escape)" no longer fails to work.
- Windows: Persistent network resource connections are no longer leaked in some cases when logging in to SSH Tectia Server.


4. Known Issues
-----------------

The following issues are currently known to exist in Tectia Client:

- Solaris 11 x86-64: Dropped support for installing the product on Solaris 11 (x86-64) using Solaris 10 (x86-64) installation packages. Installation packages for Solaris 11 (x86-64) must be used instead.
- Unix/Linux: When logged in to the SSH Tectia Server, an executable will fail to start if any parent of the current working directory is not readable and relative paths are used to refer to the executable.
- All Platforms: The usage of IPv6 addresses in certificates is not yet supported.
- All Platforms: The usage of IPv6 addresses in RADIUS authentication is not yet supported.
- z/OS: SFTP fails when attempting to transfer an empty MVS dataset. However, FTP opens the file and proclaims that the transfer is completed without generating an error.
- Windows: If a client application is accessing protected items from the Microsoft Certificate Store during authentication, ssh-broker-g3 hangs. Workaround: Close the existing ssh-broker-gui-g3 application, start ssh-broker-g3.exe with the parameter '--console', and only after that start any client application, such as Tectia - SSH Terminal.
- Unix: If OpenSSL 0.9.8 is installed on the host where Tectia Server is installed, Tectia Server may fail when using PAM with software that uses that OpenSSL library. Workaround if FIPS mode is not used: rename the libcrypto.so.0.9.8 found under /opt/tectia/sshlib to another name (note that this will make FIPS mode unusable).
- Solaris: On some Solaris configurations the ssh-capture tool does not function without configuring the operating system. The runtime linking environment must be adjusted to honor the LD_PRELOAD environment variable. See the manual page of crle(1) for details.
- Windows: If the installation fails with the error message "An error occurred during the installation of assembly component {B708EB72-AA82-3EB7-8BB0-D845BAB35C93D}. HRESULT: 0x80070BC9", use Windows Update to install the required operating system updates.
- All platforms: The interactive key/certificate chooser will incorrectly prompt the user for the PIN/passphrase of each instance of tokens, smartcards, PKCS#12 blobs and encrypted private keys without a matching public key before displaying the key selection dialog.
- Windows: Upgrade of ConnectSecure or Client with Transparent TCP Tunneling will fail to install the capture component. Workaround: Uninstall the previous version, reboot, install the new version and reboot.
- All platforms: In FIPS mode, the speed in handling the connections is slower than in standard mode, especially on slow hosts.
- AIX: Executables are now compiled as 64-bit. For PAM to work, the operating system should point to the 64-bit versions of the PAM libraries instead of the 32-bit versions.
- All platforms: Extra checks are done when starting the Tectia Server and Connection Broker in FIPS mode due to the OpenSSL FIPS crypto library health check. This will lead to a noticeable delay in the start of the process on slow machines.
- Windows: The --summary-format newline option '\n' does not work on Windows.
- All platforms: The Tectia Configuration Editor and the Terminal GUI on Windows always use the default location of the UserConfigDirectory for loading the .ssh2 files (containing the color and other Windows GUI specific parameters).
- All platforms: ssh-keygen will always use the default location of the UserConfigDirectory if no path is specified.
- Linux (SELinux): If the common package is installed with SELinux disabled, the following warning messages will be given during the installation:

    /usr/bin/chcon: can't apply partial context to unlabeled file /opt/tectia/lib/shlib/libicudata.so.40
    /usr/bin/chcon: can't apply partial context to unlabeled file /opt/tectia/lib/shlib/libicuuc.so.40

  These can be safely ignored. However, if SELinux enforcing mode is enabled after the installation, the following command needs to be executed:

    /usr/bin/chcon -t textrel_shlib_t /opt/tectia/lib/shlib/*.so

- Windows: The password cannot be specified in a file with the --password command-line option.
- Windows: Uploading files from the "Upload Dialog" of the GUI file transfer tool does not work when "Hide extensions for known file types" of Windows Explorer is set to 'yes'.
  Workaround: Enable file extensions. This issue will be fixed in an upcoming maintenance release.
- Linux on IBM System z: The FIPS 140-2 compliant cryptographic library is not included in the installation package. For FIPS-compliant AES, 3DES and SHA algorithms, use the cryptographic hardware provided by the System z architecture. Cryptographic acceleration is enabled in Tectia by default.
- Windows Vista: When using an evaluation version of Tectia Client and trying to import a commercial license on Windows Vista, the operation will fail. Workaround: Manually copy the license file to the licenses directory under "%ProgramFiles%\SSH Communications Security\SSH Tectia\SSH Tectia AUX\licenses".
- All platforms: In scpg3 and sftpg3, the command-line options +C and -C for enabling/disabling compression do not work. Compression must be enabled/disabled globally or on a profile basis. The command-line options work with sshg3.
- Linux on IBM System z: Due to a system problem in older s390 Linux kernels, probing for the cryptographic hardware produces the "Illegal instruction" signal if no crypto hardware is present. In that case, the servant or Connection Broker is not able to start. Workaround: Remove the cryptographic hardware plugins (*cpacf.so) from the plugin directory.
- Windows: When upgrading from a 4.x client, the migrated connection profiles do not show up in the profile dropdown menu of the terminal client. However, after restarting the Connection Broker the migrated profiles will be shown in the client.
- Windows: If the "Transparent tunneling" component of Tectia Client or Tectia ConnectSecure is installed on a Windows XP computer in a domain where firewall exceptions are managed by a group policy, the exceptions get changed so that the computer becomes inaccessible from the network. Workaround: Edit the exceptions manually so that, for example, the server port becomes accessible.
- Windows: The SFTP GUI might cause the existing local copy of a file to be partially overwritten in ASCII mode when downloading the file from the remote server fails due to missing file permissions.
- All platforms: The scpg3 command shows a wrong transfer time if "--statistics=simple" is set.
- All platforms: When trying to connect to a server that is not available (i.e. the server is not running), the error message returned by sshg3 is "Unable to connect to Broker". It should return "Unable to connect to Server".
- Windows: Reconnecting to the previously used Connection Profile by pressing Enter in the Tectia Terminal or File Transfer GUI may fail in some cases. Workaround: Select the profile from the menu.
- Windows: Removing a token while it is being read could in some cases result in a Tectia Connection Broker failure.
- Windows: Opening multiple remote tunnels in a profile against OpenSSH servers can cause the Tectia Connection Broker to fail.
- Solaris: Installation packages do not detect the underlying Solaris architecture to prevent installation of the x86-64 packages on the x86 architecture. The packages can be installed but they will not work.
- Windows: The SFTP chmod command is not supported against Tectia Server running on Windows.
- Unix: Scripts that execute sftpg3 in batch mode get stopped when put into the background (Stopped (tty output)).
- Unix: If scpg3 is used to copy a file to itself, the file will be truncated and the scpg3 command hangs.
- Unix: The 'finger' command does not show the idle time correctly when logged in using SFTP.
- HP-UX: Starting sshg3, scpg3, and sftpg3 fails if getting the current working directory fails.
- Windows: When running sftpg3 in batch mode, the Connection Broker may log Broker_channel_process_exit_failed messages with status "Operation failed". These are system internal events and do not indicate any failure in the file transfer operation.
- Windows: The exit values for scpg3 do not match the values mentioned in the documentation in these error situations: connection lost, interrupting a file transfer using Ctrl+C, and trying to copy to a directory when the destination is not a directory. Nevertheless, in all these cases the return value is non-zero.
- All platforms: scpg3 does not warn about the existence of directories when shell globbing is used, for example:

    scpg3 "/tmp/testdir/*" user@server:/tmp

  However, the correct warning is displayed if the scpg3 command is used without globbing:

    scpg3 /tmp/testdir/* user@server:/tmp

- All platforms: The certificate validation path construction from LDAP fails if the LDAP server requires the suffix ';binary' for the PKI binary blob attribute names.
- Windows: If the Connection Broker is started for another user ID using the 'runas' command, the user dialogs are shown to the user who started the process.
- All platforms: The server creates empty files if a user tries to transfer files without the correct server-side permissions. The correct error message is displayed.
- Windows: Local TCP tunneling using listener port 0 does not work.
- Windows: When accessing a Unix host using scpg3 or sftpg3, files whose names contain characters that are illegal in Windows file names (for example: *, ? and ~) cannot be transferred or accessed if relative paths are used. Workaround: Use absolute paths for accessing the files on the Unix host and escape the illegal characters (with the tilde character ~). Note also that files with illegal characters need to be renamed when transferred to Windows. For example, to copy a file "file*name.txt" from the user's Unix home directory to Windows:

    C:\> scpg3.exe user@server:/home/user/file~*name.txt filename.txt

- Windows: If trying to connect from a Windows GUI client to an OpenSSH server with a public key and the option command="ls", the client hangs. When performed with the Windows command-line client (sshg3) it works properly.
- Windows: When using regular expressions in filter rules, the dot character '.' does not work as expected. For example, when using a filter rule for tunneling of telnet.exe with the regular expression '.*.ssh.com', the connection will not be tunneled even if the regular expression matched the host address. Workaround: Add a '\' in front of each '.'. For example, the previous regular expression should be:

    '.*\.ssh\.com'

- All platforms: If a wrong passphrase is provided several times for a key, the Connection Broker skips it and proceeds to the next key. If it is an OpenSSH key, once it has been skipped because of a decoding failure, the Connection Broker makes no further attempts to use the key on subsequent login attempts. The Connection Broker must be reloaded or restarted in order to use that OpenSSH key for authentication.
- Windows: Secure file transfer speed may be slower against Tectia Server on Windows than against Tectia Server on Linux.
- Windows: If multiple concurrent terminal services sessions are opened for the same user, the sessions share the same Connection Broker session. This can cause the user banner and dialog boxes to be displayed in the wrong session. Opening several concurrent terminal services sessions for the same user does not provide secure separation of sessions.
- All platforms: After changing the password on a Secure Shell server, but before logging in with the new password, the Connection Broker must be restarted to close the previous connection, or the user must wait for the connection to time out (by default 5 seconds). If this is not done, login with the new password will not succeed.


5. Further Information
------------------------

More information can be found on the man pages and in the Tectia manuals, which are also available at
http://www.ssh.com/index.php/support-overview/product-documentation.html

Additional licenses can be purchased from our online store at http://www.ssh.com/.