Release Notes for Tectia Server 6.3.10 &
Tectia Server 6.3.10 for Linux on IBM System z
----------------------------------------------

28 February 2014

(C) 2014 SSH Communications Security Corporation
This software is protected by international copyright laws.
All Rights Reserved.

Table of Contents

1. About This Release
2. New Features
3. Bug Fixes and Minor Features
4. Known Issues
5. Further Information


1. About This Release
-----------------------

The 6.3 release for Tectia Server is declared feature complete and
Long Term Supported (LTS). Therefore, it is supported for 3 years from
the release date of 6.3.0 (25 June 2012). It is possible to further
extend that support for 2 more years.

There will be 6.3 maintenance releases which will fix critical bugs, but
no new features will be added to any 6.3 release.

Items addressed in this release are listed under the sections
"New Features in 6.3.10" and "Bug Fixes in 6.3.10".

Special items for this release are:

- Added support for Windows 2012 R2 for Tectia Client and Server.
- Fixed critical bugs.

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x
products before installing Tectia 6.3. For the installation
instructions, refer to the Tectia Server Administrator Manual.


2. New Features
-----------------

The following new features have been implemented in Tectia Server:

New Features in 6.3.10
---------------------

- Windows: Added support for Windows 2012 R2 for Tectia Client and
  Server.

New Features in 6.3.9
---------------------

- Windows: Added support for Windows 8 for Tectia Client and Server.

- Windows: Updated the certificate used for signing the Windows
  packages. Note that the new certificate uses SHA-2 to verify its
  signature. Microsoft Windows XP with Service Pack 2 does not support
  SHA-2 and therefore cannot guarantee the integrity of the certificate
  (KB968730). For Microsoft Windows Server 2003 with Service Pack 2,
  apply the hotfix for KB968730 to be able to validate the certificate.
New Features in 6.3.6
---------------------

- Windows: Added support for Windows 2012 for SSH Tectia Client and
  Server.

New Features in 6.3.5
---------------------

- Solaris 11 SPARC: New installation packages available for Oracle
  Solaris 11 (SPARC).

- Solaris 11 x86-64: New installation packages available for Oracle
  Solaris 11 (x86-64).

New Features in 6.3.4
---------------------

- All platforms: ssh-keygen-g3 is now able to export private keys in
  OpenSSH format.

New Features in 6.3.2
---------------------

- Solaris: SSH Tectia Client, Server and ConnectSecure now support
  Oracle Solaris 11 (x86-64).

New Features in 6.3.1
---------------------

- Windows: SecurID authentication will now use the Password Cache
  feature if enabled.

- Windows: GSSAPI authentication will now use the Password Cache
  feature if enabled.

- Windows: Host-based authentication will now use the Password Cache
  feature if enabled.

- Windows: Keyboard-interactive authentication will now use the
  Password Cache feature if enabled.

New Features in 6.3.0
---------------------

- Windows: Added a new authorization method in SSH Tectia Server for
  Windows called Password Caching. It is used with non-interactive
  authentication methods only. When enabled, after the non-interactive
  authentication method has successfully granted access to the user,
  the server uses a cached password to obtain the Access Token in
  which the user's session will start. The reason for this is that the
  Access Token provided by Windows when granting access without a
  password has fewer privileges than the Access Token provided by
  Windows with a password.

- All Platforms: SSH Tectia Client and Server now support IPv6
  Zone IDs.

- All Platforms: Added IPv6 support for remote FTP tunnels.


3. Bug Fixes
--------------

The following fixes have been implemented in Tectia Server:

Bug Fixes in 6.3.10
-------------------

- Documentation: Corrected the Tectia Server Registry Keys location on
  Windows.
- Windows: RSA SecurID authentication no longer fails when aceclnt.dll
  is specified in the Tectia Server configuration file but not in the
  system's path.

- Windows: GSSAPI authentication no longer fails in certain conditions
  when the security authentication package is too large.

- Windows: Users are now able to authenticate via GSSAPI when using the
  host name, the fully qualified domain name or an IP address to define
  the destination server.

- Windows: Fixed a memory leak that occurred in Tectia Server under
  certain conditions when authenticating domain users.

- All Platforms: Tectia Server no longer leaves listeners open when
  transparent FTP tunneling in active mode is used.

- Windows: The C runtime libraries and MFC libraries in the Tectia
  Client, Server, ConnectSecure and MFT Events MSI packages have been
  updated to version 9.00.30729.6161.

- All Platforms: Fixed a crash that occurred in Tectia Server under
  stress when using keyboard-interactive with RADIUS authentication.

- Windows: Removed "SEED (Tectia)" from the default ciphers in the
  Tectia Server Configuration GUI, as it is not one of the default
  ciphers. Also rearranged the list of supported ciphers.

- Windows: Tectia Server Configuration GUI no longer crashes if the
  SFTP custom directory is selected but left empty.

- Windows: Tectia Server no longer fails to match Windows local users
  to selector rules under certain conditions.

Bug Fixes in 6.3.9
------------------

- All Platforms: Improved Tectia Server's stability under stress.

Bug Fixes in 6.3.8
------------------

- All Platforms: Fixed the ssh-keygen-g3 option
  -m/--generate-moduli-file.

- All Platforms: In the past, when a version exchange failure occurred,
  Tectia Server only generated the audit message
  '403 Version_exchange_failure'. Now it also generates the audit
  message '402 Disconnect' (if allowed by the server configuration).
  Additionally, a new field 'Session-Id' was added to audit message
  403.
- Windows: Tectia Server Configuration GUI now allows more than 1000
  rules on the pages Connections and Encryption, Authentication, and
  Services.

Bug Fixes in 6.3.7
------------------

- Windows: In Tectia SSH Server, fixed a crash that occurred when
  GSSAPI was used.

- AIX, HP-UX: If a connection is disconnected because the
  authentication failed, Tectia SSH Server will now report one failure.
  This concerns only PAM, LAM and/or public-key authentication. The
  behavior has not changed when using password or keyboard-interactive
  with the password sub-method: Tectia SSH Server reports one failure
  per failed password.

- All Platforms: Improved the performance in accepting a large number
  of simultaneous new connections.

Bug Fixes in 6.3.6
------------------

- AIX: When upgrading a Tectia Server that has active connections, the
  server will not restart if the fix for APAR IV07310 is installed on
  the AIX host.

- All Platforms: Improved documentation and removed inconsistencies in
  parsing the regular expressions used in the Allow/Deny-from options
  of the authorization file.

- Windows: Fixed the Troubleshooting Log from the server, as it was
  slowing down too much and was missing some trace messages when the
  Tectia Server was under stress.

Bug Fixes in 6.3.5
------------------

- All Platforms: The End-User License Agreement (EULA) has been updated
  to reflect the new company name.

- All Platforms: Tectia Client, Server and ConnectSecure executables no
  longer fail to start when using the relative path ./.

- AIX: Upgrading the Tectia Server no longer fails to restart the
  server, but some extra steps are needed when upgrading from a version
  earlier than 6.2.1. Please check those steps in the Tectia Server
  Administration Manual.

- Unix: Fixed the behavior when an ssh terminal connection has
  processes in the background and requests to exit. Previously, whether
  executed via a remote command without a terminal or within an
  interactive session, the ssh terminal connection hung. Now, in the
  case of a remote command, it will kill the background process and
  exit, and in the case of an interactive session, the ssh terminal
  connection will exit and leave the background processes running.

- All Platforms: There is no longer different behavior in terminal
  action when Tectia Server is started with the
  ssh-server-config-default.xml configuration file or without any
  configuration file.

- All Platforms: Reloading the configuration on Tectia Server no longer
  hangs if a forced command specified in an authorization file has been
  executed.

- Windows: There is no longer different behavior in terminal action
  when Tectia Server is started without any configuration file or when
  it is started with the configuration file generated by the Tectia
  Server Configuration GUI.

Bug Fixes in 6.3.4
------------------

- AIX: Reloading the configuration in SSH Tectia Server will no longer
  hang.

- Windows: Rewrote the code in the "old-style" password authentication
  plugin for handling local accounts without a password. SSH Tectia
  Server denies the login of those users, but if the account is forced
  to change its password, SSH Tectia Server will allow the password to
  be changed.

- Solaris 11: Disabled BSM audits in Solaris 11, because the auditing
  API has changed in Solaris 11. BSM audits in Solaris 11 will be
  enabled in a newer maintenance release.

- All Platforms: Server authentication no longer fails when a client is
  configured to use certificates and a plain host key of the same
  server is already stored in the repository.

- Windows: The Windows SSH Tectia Server process "ssh-shell.exe", which
  is used in ssh terminal access, will no longer crash when the SSH
  Tectia Server terminal mode is Stream and that specific terminal
  connection is heavily stressed generating lots of output.
- Windows: When the state of the "Enable password cache" checkbox is
  changed in the first authentication element of the Tectia Server
  Configuration GUI, the other checkboxes of the possible other
  profiles are no longer changed.

- Documentation: Tectia Client/Server Product Description has
  corrections in the sections Tectia Solution Components and Secure
  File Transfer Protocol (SFTP), and in the chapter Authentication.

- Documentation: The company name changed from Tectia Corporation to
  SSH Communications Security Corporation. This has been updated in the
  documentation.

- Documentation: Corrected a release notes entry from Tectia Server
  6.3.1, which stated that the permissions required for the following
  files were "read and write":
    .i18n_icu.dll
    .icudt40.dll
    .icuuc40.dll
  The correct permissions are "read and execute".

- Documentation: Specified that when ssh-keygen-g3 generates keys in
  FIPS mode, the RSA key length should be between 1024 and 16384 bits.

- All platforms: Rewrote the way the real path is found for a given
  relative path. Previously, if the user did not have permissions to
  access the current directory, it was not possible to start the Tectia
  applications.

- Windows: Added IPv6 support for RADIUS authentication.

- All Platforms: Tectia Server no longer busy-loops when trying to
  access a certificate via the PKCS #11 version 2.30 interface.

- Windows: Password cache is again configurable via the GUI on screens
  with a vertical resolution of 768 pixels.

- All platforms: Fixed the -i option of ssh-keygen-g3. Now, when the
  key specified by the -i option does not exist, the command reports
  the error properly.

Bug Fixes in 6.3.3
------------------

- Unix/Linux: Fixed a vulnerability that affected the current
  Unix/Linux versions of Tectia SSH Server "old-style" password
  authentication.
Bug Fixes in 6.3.2
------------------

- All platforms: Corrected the case where, when no ssh-server-config.xml
  file was present, or when no element was present in the
  ssh-server-config.xml file, the default value of
  record-ptyless-sessions=yes was not honored.

Bug Fixes in 6.3.1
------------------

- All platforms: When transferring files to SSH Tectia Server using
  certain third-party file transfer clients, if the file already
  existed, it was always truncated even when it was chosen not to
  overwrite the file.

- All platforms: When SSH Tectia Server fails to reconfigure, it will
  no longer fail to report it.

- Documentation: Removed the remark about Tectia Server for Windows not
  being supported on systems with more than 30 CPUs, as this
  restriction is no longer valid.

- Documentation: Added Windows Server 2003 R2 as an officially
  supported platform.

- Documentation: In FIPS mode, the RSA key length is at least 1024
  bits.

- Windows: The servants of SSH Tectia Server will no longer corrupt
  memory, potentially causing a hang or a crash, under certain
  conditions when under stress.

- Documentation: Specified that in Windows, the following libraries
  must have read and execute permissions for any user that logs in to
  the SSH Server:
    .i18n_icu.dll
    .icudt40.dll
    .icuuc40.dll

- All platforms: When no ssh-server-config.xml file was present, or
  when no element was present in the ssh-server-config.xml file, the
  default value of record-ptyless-sessions=yes was not honored. This
  has been corrected.

Bug Fixes in 6.3.0
------------------

- Windows: The server is now able to connect network drives that
  contain Unicode characters in their resource names.

- Windows: Logon sessions are no longer leaked when connecting to an
  SSH Tectia Server which has virtual folders defined on Windows
  network shares.

- Windows: It is now possible again to use forced commands with the
  option "interactive=yes" and not specify a remote command when
  establishing the connection.
- Windows: Persistent network resource connections are no longer leaked
  in some cases when logging in to SSH Tectia Server.

- Windows: Network drives no longer fail to be mapped on 64-bit Windows
  under certain conditions.


4. Known Issues
-----------------

The following issues are currently known to exist in Tectia Server:

- Solaris 11 x86-64: Dropped support for installing the product on
  Solaris 11 (x86-64) using Solaris 10 (x86-64) installation packages.
  Installation packages for Solaris 11 (x86-64) must be used instead.

- AIX: When upgrading a Tectia Server that has active connections, the
  server will not restart if the fix for APAR IV07310 is installed on
  the AIX host.

- Solaris 11 x86-64: Dropped support for installing the product on
  Solaris 11 (x86-64) using Solaris 10 (x86-64) installation packages.
  New 6.3.5 installation packages for Solaris 11 (x86-64) will be
  released soon.

- AIX: Extra steps are needed when upgrading to Tectia Server on AIX
  from a version earlier than 6.2.1. Please check those steps in the
  Tectia Server Administration Manual.

- Solaris 11: SSH Tectia Server 6.3.2 and 6.3.3 on Solaris 11 x86 do
  not write correct data in BSM audits. BSM auditing has been disabled
  in SSH Tectia Server 6.3.4 and will be re-enabled in a future
  maintenance release once it is fixed.

- Unix/Linux: When logged in to the SSH Tectia Server, an executable
  will fail to start if any parent of the current working directory is
  not readable and relative paths are used to refer to the executable.

- Unix: The utmp file may grow exceptionally because of the way ptyless
  sessions are logged. Ptyless sessions are file transfer sessions and
  remote commands. To disable logging of ptyless sessions, set the
  record-ptyless-sessions="no" parameter in the SSH server
  configuration file.

- All Platforms: The usage of IPv6 addresses in certificates is not yet
  supported.
- All Platforms: The usage of IPv6 addresses in RADIUS authentication
  is not yet supported.

- Linux: SSH Tectia Server must be stopped before upgrading from 6.2.0,
  as the newer ssh-server-ctl will not be able to stop the 6.2.0
  server. Upgrades from any version other than 6.2.0 do not experience
  this issue.

- All Platforms: When modifying the cryptographic mode of operation
  (FIPS or standard mode) without restarting Tectia Server,
  "ssh-server-ctl status" reports the change, but the actual change
  will become effective only after Tectia Server is restarted.

- Windows: When installing Tectia Server on a platform that has more
  than 30 CPUs running Windows 2003 SP2, make sure that you have the
  proper Microsoft patches installed so as not to hit a Microsoft bug
  which will make your host unusable. For more information, see:
  http://support.microsoft.com/kb/2539164

- Unix: If OpenSSL 0.9.8 is installed on the host where Tectia Server
  is installed, Tectia Server may fail when using PAM with software
  that uses that OpenSSL library. Workaround if FIPS is not used:
  rename the libcrypto.so.0.9.8 found under /opt/tectia/sshlib to
  another name (note that this will make FIPS mode unusable).

- Windows: If the installation fails with the error message "An error
  occurred during the installation of assembly component
  {B708EB72-AA82-3EB7-8BB0-D845BAB35C93D}. HRESULT: 0x80070BC9", use
  Windows Update to install the required operating system updates.

- All platforms: In FIPS mode, the speed in handling the connections is
  slower than in standard mode, especially on slow hosts.

- AIX: Executables are now compiled as 64-bit. For PAM to work, the
  operating system should point to the 64-bit versions of the PAM
  libraries instead of the 32-bit versions.

- AIX: Entrust certificates are no longer supported on AIX platforms.

- All platforms: Extra checks are done when starting the Tectia Server
  and Connection Broker in FIPS mode due to the OpenSSL FIPS crypto
  library health check. This will lead to a noticeable delay in the
  start of the process on slow machines.

- Windows: Users authenticated with a public key cannot access network
  DFS shares that are on a different box than where the Tectia Server
  is running.

- AIX: Due to IBM's bug IZ02631, a servant may deadlock under heavy
  stress. IBM has a fix for AIX 5.3 and AIX 6.1.

- Linux SE: If the common package is installed with SELinux disabled,
  the following warning message will be given during the installation:

    /usr/bin/chcon: can't apply partial context to unlabeled file /opt/tectia/lib/shlib/libicudata.so.40
    /usr/bin/chcon: can't apply partial context to unlabeled file /opt/tectia/lib/shlib/libicuuc.so.40

  This can be safely ignored. However, if SELinux enforcing is enabled
  after the installation, the following command needs to be executed:

    /usr/bin/chcon -t textrel_shlib_t /opt/tectia/lib/shlib/*.so

- Linux Red Hat 3: The pam_krb5 module supplied with Red Hat Linux 3
  will not work with Tectia Server when configured with
  pam-calls-with-commands=yes, as pam_krb5 requires pam_authenticate()
  to be called before pam_setcred().

- AIX: Authentication may fail for LDAP accounts when verifying login
  permissions. This is caused by an error in AIX system libraries when
  trying to retrieve password expiration information for an LDAP user
  and is addressed by IBM APAR IZ46727 (registration required):
  http://www-01.ibm.com/support/docview.wss?uid=isg1IZ46727

- Windows XP: Connections may fail when receiving more than 10
  concurrent connections. This is a known limitation in Windows XP.
  More information is available from the following Microsoft Knowledge
  Base article: http://support.microsoft.com/kb/314882. Windows XP is a
  client operating system not intended for server purposes. For best
  performance and availability we recommend running Tectia Server on
  server editions of Windows.

- Linux on IBM System z: A FIPS 140-2 compliant cryptographic library
  is not included in the installation package. For FIPS compliant AES,
  3DES and SHA algorithms, use the cryptographic hardware provided by
  the System z architecture. Cryptographic acceleration is enabled in
  Tectia by default.

- Windows: Tectia Server does not support character sets other than
  ISO Latin 1 in folder names for storing troubleshooting logs.

- Linux on IBM System z: Due to a system problem in older s390 Linux
  kernels, probing for the cryptographic hardware produces the "Illegal
  instruction" signal if no crypto hardware is present. In that case,
  the servant or Connection Broker is not able to start. Workaround:
  Remove the cryptographic hardware plugins (*cpacf.so) from the plugin
  directory.

- All platforms: File transfer with WinSCP 3.6 might fail when the file
  transfer is resumed.

- All platforms: If the server configuration has one or more selectors
  in the block listing specific ciphers, and the client does not match
  the selector, it is still allowed the default ciphers. This is
  because there is no implicit deny rule in the block (the behavior is
  different from the block).

- Unix: All installed Tectia products must be upgraded to 6.0.2 at the
  same time. If some packages are left at 6.0.1 or an older version,
  they will stop working when the 6.0.2 common package is installed.

- Windows: On Windows, Tectia Server does not support GW mode for
  connecting to other Secure Shell servers.

- All platforms: Files larger than 4 GB cannot be transferred to or
  from Tectia Server when using the OpenSSH scp command. Workaround:
  The files can be transferred using scpg3 or sftpg3.

- Solaris x86-64: RSA SecurID cannot be used with Tectia Server on
  Solaris x86-64, because RSA SecurID offers only a 32-bit PAM library.
  Tectia Server expects a 64-bit pam_securid.so.

- Solaris 10: Tectia Server and the FTP/SFTP conversion component of
  Tectia Client with EFT Expansion Pack need to be uninstalled
  separately from each local zone, if they have been installed to all
  zones by installing into the global zone.
- Solaris: Installation packages do not detect the underlying Solaris
  architecture to prevent installation of the x86-64 packages on the
  x86 architecture. The packages can be installed but they will not
  work.

- Windows: The SFTP chmod command is not supported against Tectia
  Server running on Windows.

- Solaris 10: Tectia Server and the FTP-SFTP conversion component of
  Tectia ConnectSecure need to be uninstalled separately from each
  local zone, if they got installed to all zones by installing into the
  global zone.

- All platforms: OpenSSH keys are not accepted as host keys when
  running the server in FIPS mode.

- AIX: When trying to log in to an AIX server using an account which
  has an expired password, the client returns the following error
  message: "Request exec channel error: Disconnected by application."
  The reason for the disconnection is, however, logged correctly in
  the server's log.

- Windows: The server reports a "Wrong password" message to the event
  log even though the correct password is given, if the account has
  expired.

- Windows: Users without administrator rights cannot use file transfer
  with the default Windows 2003 ACL settings.

- All platforms: The certificate validation path construction from LDAP
  fails if the LDAP server requires the suffix ';binary' for the PKI
  binary blob attribute names.

- Linux: If a user account has expired, the server incorrectly asks the
  user to change the password and then denies login.

- Solaris: Quality checks for password changes (e.g. password length,
  characters etc.) enforced by PAM will only be enforced when using PAM
  authentication. When changing passwords via forced commands (i.e.
  when using authentication methods other than keyboard-interactive
  PAM), Tectia Server will not enforce PAM-related password quality
  checks.

- Windows: If a non-admin user tries to start the server, the server
  reports the error message "Failed to access service manager".
- Windows: None of the well-known security identifiers ('Everyone' and
  'Authenticated Users', for instance) are shown in the Tectia Server
  Configuration GUI's directory object picker when browsing groups for
  a selector.

- Unix: Currently it is not possible to allow X11 forwarding when
  terminal connections are denied.

- Windows: Installing PGP Desktop 9.5.2 and Tectia Server on the same
  Windows machine will cause the one installed earlier not to work.

- All platforms: File transfers of files larger than 4 KB using
  Net::SFTP and Net::SSH::Perl fail against Tectia Server. A
  workaround is documented at http://www.cpanforum.com/threads/2092.
  The workaround involves lowering the value of COPY_SIZE in the
  SFTP.pm Perl module from 8192 to 4063 or lower.

- HP-UX: Shadow passwords are not supported on HP-UX when using the
  password authentication method. Shadow passwords can be used on HP-UX
  only with keyboard-interactive PAM authentication, with the
  appropriate PAM configuration.

- Windows: The server reports a "Wrong password" message to the event
  log even though the correct password is given, if the account is
  locked.

- Windows: Currently it is not possible to see and select Active
  Directory universal groups in the User Group Selector dialog of the
  configuration tool GUI. However, universal groups can be used as
  selectors if they are entered manually in the user group selector
  name field.

- All platforms: It is possible to generate all lengths of RSA/DSA keys
  in FIPS mode, although the Tectia Client/Server software will only
  accept keys compliant with FIPS.

- AIX: The server hangs after a few authentication tries when the
  following value is set in the /etc/security/user file:
    SYSTEM='KRB5Files or compat'
  The server does not hang when the value is set to:
    SYSTEM='compat'

- Windows: OpenSSH host keys are not accepted for use by the server if
  it is in FIPS mode. Workaround: Convert the OpenSSH key to Tectia
  format using the command:
    ssh-keygen-g3 --import-private-key

- Windows: Using rsync with Cygwin OpenSSH against Tectia Server fails
  when using public-key authentication.

- HP-UX 11.11: Attempting GSSAPI authentication can cause the
  auths-gssapi-userproc-krb process to consume CPU and not exit after
  the client disconnects. GSSAPI authentication will be enabled if no
  configuration file is found or if specifically enabled in the server
  configuration. The HP-UX patch PHSS_35381 fixes this issue. GSSAPI
  needs to be disabled in the server configuration if installing the
  patch is not an option.

- Unix: Canceling user authentication when Tectia Server has been
  configured with the keyboard-interactive authentication method causes
  authentication to fail with "Server responded 'Unexpected response
  packet'".

- All platforms: After changing the password on a Secure Shell server,
  but before logging in with the new password, the Connection Broker
  must be restarted to close the previous connection, or the user must
  wait for the connection to time out (by default 5 seconds). If this
  is not done, login with the new password will not succeed.


5. Further Information
------------------------

More information can be found on the man pages and in the Tectia
manuals that are also available at
http://www.ssh.com/index.php/support-overview/product-documentation.html

Additional licenses can be purchased from our online store at
http://www.ssh.com/.