Release Notes for Tectia Client 6.4.6 & Tectia Server 6.4.6 for Linux on IBM System z
----------------------------------------------

24 January 2014

(C) 2014 SSH Communications Security Corporation
This software is protected by international copyright laws.
All Rights Reserved.

Table of Contents

1. About This Release
2. New Features
3. Bug Fixes
4. Known Issues
5. Further Information

1. About This Release
-----------------------

The 6.4 release for Tectia Client is declared a Feature Release, and it is supported for 2 years from the release date of 6.4.0 (24 January 2013). The final goal of a Feature Release is to become the next Long Term Supported release (LTS) by adding all required features during the multiple maintenance releases. Once this version is considered feature complete, the second digit of its version number will change and it will be declared as LTS. Once the version is tagged as LTS, its maintenance releases will only contain fixes to critical bugs, and it will be supported for 3 years, with the possibility to extend that support for 2 more years.

This release is based on Tectia Client 6.4.0. Items addressed in this release are listed under the "6.4.6" section.

Special items for this release are:

. Added support for Windows 2012 R2 for Tectia Client and Server
. Implemented Load Control in Tectia Server: a connection flood DoS attack mitigation feature that uses a white list of IP addresses.

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products before installing Tectia 6.4 products. For the installation instructions, refer to the Tectia Server Administrator Manual.

2. New Features
-----------------

The following new features have been implemented in Tectia Client:

New Features in 6.4.6
---------------------

- Windows: Updated the certificate used for signing the Windows packages. Note that the new certificate uses SHA-2 to verify its signature.
  Microsoft Windows XP with Service Pack 2 does not support SHA-2 and therefore cannot guarantee the integrity of the certificate (KB968730). For Microsoft Windows Server 2003 with Service Pack 2, to validate the certificate, apply the hotfix for KB968730.
- Windows: Added support for Windows 2012 R2 for Tectia Client and Server.

New Features in 6.4.5
---------------------

- All Platforms: When the standard output of sftpg3/scpg3 is redirected to a file, it will now contain the file transfer progress percentage.
- Windows: Added support for Windows 8 for Tectia Client and Server.

New Features in 6.4.2
---------------------

- All Platforms: Added an "endpoint identity check" option to the server authentication CA certificate settings, together with options to ask, deny or accept a certificate if the host name does not match the certificate's host name.
- Windows: Added support for Windows 2012 for SSH Tectia Client and Server.
- Solaris 11 SPARC: New installation packages available for Oracle Solaris 11 (SPARC).
- Solaris 11 x86-64: New installation packages available for Oracle Solaris 11 (x86-64).

New Features in 6.4.0
---------------------

- All platforms: Added support for agent protocol versions 1 and 2 on the client side (the server side already supported it).
- All Platforms: scpg3, sftpg3 and FTP Conversion now report the JOBID when dealing with SITE Filetype=JES. Please refer to the documentation for how to obtain the JOBID with older Tectia clients or with third-party clients.

3. Bug Fixes
--------------

The following fixes have been implemented in Tectia Client:

Bug Fixes in 6.4.6
------------------

- All Platforms: Newline conversions in Tectia file transfer clients no longer fail when transferring files to a VShell Server (VanDyke).
- All Platforms: File transfers from Tectia Clients no longer crash when transferring files in ASCII mode to a VShell Server (VanDyke).
- Windows: Fixed the display of certain incorrect error messages.
- Windows: GSSAPI authentication no longer fails in certain conditions when the security authentication package is too large.
- Windows: Users are now able to authenticate via GSSAPI when using the host name, the fully qualified domain name or an IP address to define the destination server.
- All platforms: Fixed a potential memory corruption when transferring files recursively and using a configuration file to specify the file transfer advice strings.
- Windows: Fixed a bug in sshg3 which caused occasional hangs when run on Windows 8.
- Windows: It is now possible to set GSSAPI ticket forwarding using the Tectia Connections Configuration GUI.

Bug Fixes in 6.4.5
------------------

- All Platforms: Defining "summary-format" to print the file transfer progress percentage no longer fails when connected to an OpenSSH server.

Bug Fixes in 6.4.4
------------------

- Windows: Fixed Tectia command-line clients to assume a default window size if they cannot obtain a proper value from the system.
- Windows: Fixed Tectia command-line clients to properly show authentication prompts in nested connections. When a user had a terminal session to Tectia Server on Windows running in terminal mode "Stream" and within that session the user started a new Tectia Client connection (from the host running Tectia Server), the authentication prompts were not shown properly.

Bug Fixes in 6.4.3
------------------

- Windows: Enabled compatibility with third-party, non-standard implementations of GSSAPI authentication.

Bug Fixes in 6.4.2
------------------

- All Platforms: In file transfer clients, ASCII and character set conversion related site commands to Tectia SSH Server for IBM z/OS now work against all versions of Tectia SSH Server for IBM z/OS.
- All Platforms: Fixed a memory leak in ssh-broker-g3 and in ssh-servant-g3. The memory leak occurred in certain cases when GSSAPI authentication was used.
- All Platforms: The SSH_SFTP_CMD_GETPUT_MODE environment variable works again.
- All Platforms: The End-User License Agreement (EULA) has been updated to reflect the new company name.
- All Platforms: Tectia Client, Server and ConnectSecure executables no longer fail to start when invoked with the relative path ./.
- All Platforms: The scpg3 option "-a" no longer fails to do ASCII conversion.
- All Platforms: The Broker acting as a SOCKS proxy no longer leaves connections in CLOSE_WAIT state.

Bug Fixes in 6.4.1
------------------

- All Platforms: In file transfer clients, ASCII and character set conversion related site commands to Tectia SSH Server for IBM z/OS now work against all versions of Tectia SSH Server for IBM z/OS.

Bug Fixes in 6.4.0
------------------

- All platforms: Added support for agent protocol versions 1 and 2 on the client side (the server side already supported it).
- All platforms: The Broker no longer crashes when running in SOCKS proxy mode and falling back to plain.
- Windows: Tectia Client on the Windows Command Prompt no longer ignores errors when sending terminal data to the server. Therefore, characters will no longer be lost for this reason.
- Windows: Improved the efficiency of typing commands to Tectia Client on the Windows Command Prompt.
- All Platforms: The SSH_SFTP_CMD_GETPUT_MODE environment variable works again.
- All Platforms: The End-User License Agreement (EULA) has been updated to reflect the new company name.
- All Platforms: Tectia Client, Server and ConnectSecure executables no longer fail to be started by the relative path ./.

4. Known Issues
-----------------

The following issues are currently known to exist in Tectia Client:

- Unix/Linux: When logged in to the SSH Tectia Server, an executable will fail to start if any parent of the current working directory is not readable and relative paths are used to refer to the executable.
- All Platforms: The use of IPv6 addresses in certificates is not yet supported.
- z/OS: SFTP fails when attempting to transfer an empty MVS dataset.
  However, FTP opens the file and proclaims that the transfer is completed without generating an error.
- Unix: If OpenSSL 0.9.8 is installed on the host where Tectia Server is installed, it may fail when using PAM with software that uses that OpenSSL library. Workaround if FIPS is not used: rename the libcrypto.so.0.9.8 existing under /opt/tectia/sshlib to another name (note that this will make FIPS mode unusable).
- Solaris: On some Solaris configurations the ssh-capture tool does not function without configuring the operating system. The runtime linking environment must be adjusted to honor the LD_PRELOAD environment variable. See the manual page of crle(1) for details.
- Windows: If the installation fails with the error message "An error occurred during the installation of assembly component {B708EB72-AA82-3EB7-8BB0-D845BAB35C93D}. HRESULT: 0x80070BC9", use Windows Update to install the required operating system updates.
- AIX: Executables are now compiled in 64 bit. For PAM to work, the operating system should point to the 64-bit versions of the PAM libraries instead of the 32-bit versions.
- All platforms: Extra checks are done when starting Tectia Server and the Connection Broker in FIPS mode due to the OpenSSL FIPS cryptographic library health check. This will lead to a noticeable delay in the start of the process on slow machines.
- Windows: The --summary-format newline option '\n' does not work on Windows.
- All platforms: ssh-keygen will always use the default location of the UserConfigDirectory if no path is specified.
- Linux SE: If the common package is installed with SELinux disabled, the following warning messages will be given during the installation:

    /usr/bin/chcon: can't apply partial context to unlabeled file /opt/tectia/lib/shlib/libicudata.so.40
    /usr/bin/chcon: can't apply partial context to unlabeled file /opt/tectia/lib/shlib/libicuuc.so.40

  These can be safely ignored.
  However, if SELinux enforcing mode is enabled after the installation, the following command needs to be executed:

    /usr/bin/chcon -t textrel_shlib_t /opt/tectia/lib/shlib/*.so

- Windows: The password cannot be specified in a file with the --password command-line option.
- Windows: Uploading files from the "Upload Dialog" of the GUI file transfer tool does not work when "Hide extensions for known file types" of Windows Explorer is set to 'yes'. Workaround: Enable file extensions. This issue will be fixed in an upcoming maintenance release.
- Linux on IBM System z: The FIPS 140-2 compliant cryptographic library is not included in the installation package. For FIPS-compliant AES, 3DES and SHA algorithms, use the cryptographic hardware provided by the System z architecture. Cryptographic acceleration is enabled in Tectia by default.
- Windows Vista: When using an evaluation version of Tectia Client and trying to import a commercial license on Windows Vista, the operation will fail. Workaround: Manually copy the license file to the licenses directory under "%ProgramFiles%\SSH Communications Security\SSH Tectia\SSH Tectia AUX\licenses".
- Linux on IBM System z: Due to a system problem in older s390 Linux kernels, probing for the cryptographic hardware produces the "Illegal instruction" signal if no cryptographic hardware is present. In that case, the servant or Connection Broker is not able to start. Workaround: Remove the cryptographic hardware plug-ins (*cpacf.so) from the plug-in directory.
- Windows: When upgrading from a 4.x client, the connection profiles that were migrated did not show up in the profile drop-down menu of the terminal client. However, after restarting the Connection Broker the migrated profiles will be shown in the client.
- Windows: If the "Transparent tunneling" component of Tectia Client or Tectia ConnectSecure is installed on a Windows XP computer in a domain where firewall exceptions are managed by a group policy, the exceptions get changed so that the computer becomes inaccessible from the network. Workaround: Edit the exceptions manually so that, for example, the server port becomes accessible.
- Windows: The SFTP GUI might cause the existing local copy of a file to be partially overwritten in ASCII mode, when downloading the file from the remote server fails due to missing file permissions.
- All platforms: The scpg3 command shows the transfer time incorrectly if "--statistics=simple" is set.
- All platforms: When trying to connect to a server that is not available (i.e. the server is not running), the error message returned by sshg3 is "Unable to connect to Broker". It should return "Unable to connect to Server".
- Windows: Reconnecting to the previously used Connection Profile by pressing Enter in the Tectia Terminal or File Transfer GUI may fail in some cases. Workaround: Select the profile from the menu.
- Windows: Removing a token while it is being read could in some cases result in a Tectia Connection Broker failure.
- Windows: Opening multiple remote tunnels in a profile against OpenSSH servers can cause Tectia Connection Broker to fail.
- Solaris: Installation packages do not detect the underlying Solaris architecture to prevent installation of the x86-64 packages on the x86 architecture. The packages can be installed but they will not work.
- Windows: The SFTP 'chmod' command is not supported against Tectia Server running on Windows.
- Unix: If scpg3 is used to copy a file to itself, the file will be truncated and the scpg3 command hangs.
- Unix: The 'finger' command does not show the idle time correctly when logged in using SFTP.
- Windows: When running sftpg3 in batch mode, the Connection Broker may log Broker_channel_process_exit_failed messages with status "Operation failed". These are system internal events and do not indicate any failure in the file transfer operation.
- Windows: The exit values for scpg3 do not match the values mentioned in the documentation in the following error situations: connection lost, interrupting a file transfer using CTRL+C, trying to copy to a directory when the destination is not a directory. Nevertheless, in all these cases the return value is non-zero.
- All platforms: scpg3 does not warn about the existence of directories when shell globbing is used, for example:

    scpg3 "/tmp/testdir/*" user@server:/tmp

  However, the correct warning is displayed if the scpg3 command is used without globbing:

    scpg3 /tmp/testdir/* user@server:/tmp

- All platforms: Certificate validation path construction from LDAP fails if the LDAP server requires the suffix ';binary' for the PKI binary blob attribute names.
- Windows: If the Connection Broker is started for another user ID using the 'runas' command, the user dialogs are shown for the user who started the process.
- All platforms: The server creates empty files if a user tries to transfer files without correct server-side permissions. The correct error message is displayed.
- Windows: Local TCP tunneling using listener port 0 does not work.
- Windows: When accessing a Unix host using scpg3 or sftpg3, files with file names that contain characters that are illegal in Windows file names (for example: *, ? and ~) cannot be transferred or accessed if relative paths are used. Workaround: Use absolute paths for accessing the files on the Unix host and escape the illegal characters with the tilde character '~'. Note also that files with illegal characters need to be renamed when transferred to Windows.
  For example, to copy a file "file*name.txt" from the user's Unix home directory to Windows:

    C:\> scpg3.exe user@server:/home/user/file~*name.txt filename.txt

- Windows: When trying to connect from a Windows GUI client to an OpenSSH server with a public key and the option command="ls", the client hangs. When performed with the Windows command-line client (sshg3) it works properly.
- Windows: When using regular expressions in filter rules, the dot character '.' does not work as expected. For example, when using a filter rule for tunneling of telnet.exe with the regular expression '.*.ssh.com', the connection will not be tunneled even if the regular expression matched the host address. Workaround: Add a '\' in front of each '.'. For example, the previous regular expression should be: '.*\.ssh\.com'
- All platforms: If a wrong passphrase is provided several times for a key, the Connection Broker skips it and proceeds to the next key. If it is an OpenSSH key, once it has been skipped because of a decoding failure, the Connection Broker makes no further attempts to use the key on subsequent login attempts. The Connection Broker must be reloaded or restarted in order to use that OpenSSH key for authentication.
- Windows: Secure file transfer speed may be slower against Tectia Server on Windows than against Tectia Server on Linux.
- Windows: If multiple concurrent terminal services sessions are opened for the same user, the sessions share the same Connection Broker session. This can cause the user banner and dialog boxes to be displayed to the wrong session. Opening several concurrent terminal services sessions for the same user does not provide secure separation of sessions.
- All platforms: After changing the password on a Secure Shell server, but before logging in with the new password, either the Connection Broker must be restarted to close the previous connection, or the user must wait for the connection to time out (by default 5 seconds).
  If this is not done, login with the new password will not succeed.

5. Further Information
------------------------

More information can be found on the man pages and in the Tectia manuals that are also available at
http://www.ssh.com/index.php/support-overview/product-documentation.html

Additional licenses can be purchased from our online store at: http://www.ssh.com/.