Archive-Date: Fri, 10 Sep 2004 11:01:37 -0400
Date: Fri, 10 Sep 2004 11:01:03 -0400
From: bryant@PROCESS.COM
Reply-To: Info-TCPware@process.com
To: TCPware-Announce@PROCESS.COM
Message-ID: <00A37AAD.ED4E1F24.183@triton.process.com>
Subject: TCPware ECO kit available: DRIVERS_V562P051

TCPware ECO kit announcement

The following ECO kit is now available for TCPware:

ECO:          DRIVERS_V562P051
Description:  Assorted fixes for Kerberos V5, Python, and Apache (SWS)
Release date: 10-SEP-2004
Ranking:      3
Max ranking:  0
Versions:     5.6-2

ftp://ftp.process.com/support/56_2/drivers_v562p051.zip

To search the TCPware ECO database, please visit the following URL:

http://vms.process.com/eco.html

For more information, contact Process Software via:

E-mail: support@process.com
Phone:  1-800-394-8700

The ECO kit README contents are below.

-----------------------------------------------------------
DRIVERS patch kit revision 5.1 for TCPware Version 5.6-2    2-Sep-2004

Copyright (c) 2002-2004 Process Software, LLC

Highest ECO Rank 0 (Version 2.0)
Version 5.1 Rank 3 - Corrects a specific problem, install if needed

********************* PLEASE NOTE *******************************
Support for Kerberos 5 requires the HP Kerberos V5 for OpenVMS
Release 2.0 or later. TCPware support for Kerberos 5 is restricted
to the platforms and VMS versions supported by the HP kit.

DRIVERS_V562P030 (or later) must be installed prior to configuring
the HP Kerberos product. Once this ECO has been applied, Kerberos
may be installed and configured.

For more details, see the product information page at:
http://h71000.www7.hp.com/openvms/products/kerberos
*****************************************************************

This patch kit provides new versions of the following drivers for
TCPware Version 5.6-2:

DRIVERS_V562P051 - ECO rank: 3 - Corrects a specific problem
------------------
UCX$IPC_SHR     - Update the entry points for VAX to match TCP/IP
                  Services to support Kerberos V5 kits from HP.
                  (DE 9109)
                  Modification to getnameinfo to allow Python to
                  work (DE 9591)

UCX$ACCESS_SHR  - Provide image to support VAX Kerberos V5 kits from
STARTNET.COM      HP. (DE 9109)
SHUTNET.COM

TCPDRIVER       - Correct status returned on end of file to resolve
                  problems with SWS 2.0 (Apache) and cgi (DE 9645)

This kit also includes the following changes from previous ECO kits:

DRIVERS_V562P040 - ECO rank: 3 - Corrects a specific problem
------------------
BGDRIVER        - Add support for ioctl calls for SIOCGIFINDEX,
INETDRIVER        SIOCGIFNUM, and NSIOCGIFCONF which are required
IPDRIVER          for Java v1.4.0 or later. (D/E 8939)
TCPDRIVER
UDPDRIVER

UCX$IPC_SHR     - Add support for getaddrinfo and getnameinfo
                  routines required by DECwindows. (D/E 9087)

DRIVERS_V562P030 - ECO rank: 3 - Corrects a specific problem
------------------
UCX$IPC_SHR     - Entry points have been added to support Kerberos
                  V5 release 2 on OpenVMS for Alpha V7.2-2 and
                  later. (D/E 8986)

NTDRIVER        - Allows TELNETD_FLAGS to have bit 2 set (OR with 4)
                  causing NT devices to not be marked mounted/foreign.
                  This causes problems for some customer applications,
                  but setting this bit will restore the problem
                  reported in DE 1095 whereby if a user enables the
                  terminal as an operator terminal, but doesn't
                  specify it as temporary, another user may later
                  telnet into the system and be using an operator
                  terminal. (D/E 8745)

DRIVERS_V562P020 - ECO rank: 0 - Mandatory for AXP V7 systems
------------------
BGDRIVER        - A defect was present in an error path that would
                  cause a system crash in 64-bit environments.
                  (D/E 8746)

DRIVERS_V562P010 - ECO rank: 3
------------------
UCX$IPC_SHR     - BSD 4.4 entry points have been added for OpenVMS
                  Alpha V7.1 and later. This allows code compiled
                  for these entry points to run. An example is
                  Mozilla. (D/E 8245)

NOTE: You must reboot your system after installing this patch in
      order to load the new driver(s).

The old versions of the driver(s) will be renamed to *.EXE_OLD.
Once installed, you may undo this patch by renaming the file(s) back to:

TCPWARE_COMMON:[TCPWARE]UCX$IPC_SHR.EXE_OLD to
    TCPWARE_COMMON:[TCPWARE]UCX$IPC_SHR.EXE
TCPWARE_COMMON:[TCPWARE]BGDRIVER.EXE_OLD to
    TCPWARE_COMMON:[TCPWARE]BGDRIVER.EXE
TCPWARE_COMMON:[TCPWARE]INETDRIVER.EXE_OLD to
    TCPWARE_COMMON:[TCPWARE]INETDRIVER.EXE
TCPWARE_COMMON:[TCPWARE]TCPDRIVER.EXE_OLD to
    TCPWARE_COMMON:[TCPWARE]TCPDRIVER.EXE
TCPWARE_COMMON:[TCPWARE]UDPDRIVER.EXE_OLD to
    TCPWARE_COMMON:[TCPWARE]UDPDRIVER.EXE
TCPWARE_COMMON:[TCPWARE]IPDRIVER.EXE_OLD to
    TCPWARE_COMMON:[TCPWARE]IPDRIVER.EXE
TCPWARE_COMMON:[TCPWARE]NTDRIVER.EXE_OLD to
    TCPWARE_COMMON:[TCPWARE]NTDRIVER.EXE
TCPWARE_COMMON:[TCPWARE]STARTNET.COM_OLD to
    TCPWARE_COMMON:[TCPWARE]STARTNET.COM
TCPWARE_COMMON:[TCPWARE]SHUTNET.COM_OLD to
    TCPWARE_COMMON:[TCPWARE]SHUTNET.COM

[End of ECO announcement]

================================================================================
Archive-Date: Fri, 10 Sep 2004 11:03:07 -0400
Date: Fri, 10 Sep 2004 09:48:47 -0500 (EST)
From: bryant@process.com
Reply-To: Info-TCPware@process.com
Subject: TCPware ECO kit available: SSH_V562P040
To: TCPware-Announce@TRITON.PROCESS.COM
Message-ID: <01LEP4Y0UK82003JTL@DELTA.PROCESS.COM>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-Transfer-Encoding: 7BIT

TCPware ECO kit announcement

The following ECO kit is now available for TCPware:

ECO:          SSH_V562P040
Description:  Assorted fixes
Release date: 9-SEP-2004
Ranking:      2
Max ranking:  2
Versions:     5.6-2
Requisites:   DRIVERS_V562P051

ftp://ftp.process.com/support/56_2/ssh_v562p040.zip

To search the TCPware ECO database, please visit the following URL:

http://vms.process.com/eco.html

For more information, contact Process Software via:

E-mail: support@process.com
Phone:  1-800-394-8700

The ECO kit README contents are below.
-----------------------------------------------------------
-----------------------------------------------------------------------
SSH patch kit (revision 4.0) for TCPware 5.6    6-Sep-2004

Copyright (c) 2002-2004 by Process Software

This VMSinstallable saveset provides a new version of the following SSH
components:

- SSH client (SSH2.EXE)
- SSH1 server (SSHD.EXE)
- SSH2 server (SSHD2.EXE)
- SSH master control program (SSHD_MASTER.EXE)
- SSH identity agent program (SSH-AGENT2.EXE)
- SSH key generators (SSH-KEYGEN.EXE and SSH-KEYGEN2.EXE)
- SSH key signer (SSH-SIGNER2.EXE)
- SSH loadable executive image (SSHLEI.EXE, LOAD_SSHLEI.EXE,
  UNLOAD_SSHLEI.EXE)
- SSH agent identity manipulation program (SSH-ADD2.EXE)
- SSH file copy client (SCP2.EXE)
- SSH SFTP client (SFTP2.EXE)
- SSH file copy servers (SFTP-SERVER2.EXE and SCP-SERVER1.EXE)
- A dummy Kerberos 5 shared library (KRB$RTL32.EXE - AXP V7.x)
- SSH certificate enrollment program (SSH-CERTENROLL2.EXE)
- SSH server configuration template file (SSHD2_CONFIG.TEMPLATE)
- SSH configuration procedure (SSH_CONTROL.COM)
- The SSH HELP (either in a standalone library or as part of
  SYS$HELP:HELPLIB.HLB, as determined by the original TCPware install)
- The TCPware command definitions (TCPWARE_COMMANDS.COM and TCPWARE.CLD)

The following new SSH components are provided:

- SSH Public Key Assistant (PUBLICKEY_ASSISTANT.EXE)
- SSH Public Key Server (PUBLICKEY-SERVER.EXE)
- SSH client configuration template (SSH2_CONFIG.TEMPLATE)
- A dummy Kerberos 5 shared library for VAX V7 (KRB$RTL.EXE)

A new version of the following common TCPware utilities are provided:

- NETCU utility (NETCU.EXE)
- TCPware command definitions (TCPWARE_COMMANDS.COM)

This patch is applicable to TCPware SSH on all supported versions of
OpenVMS VAX and OpenVMS Alpha.

NOTE: The TCPware ECO DRIVERS_V562P051 or later is required and must be
      installed in order to run SSH after installing the SSH_V562P040 ECO.
A system reboot is required after installing this ECO, to load the new
software features.

This ECO has a ranking of 2 - Recommended; individual component may fail.

---------------------------------------------------------------------------
New Features

Public Key Client/Server
------------------------
This ECO kit provides a public-key subsystem and assistant that can be
used to add, remove and list public keys stored on a remote server. The
public key assistant and server are based upon a recent IETF draft, so
other implementations of SSH may not yet offer this functionality.

The Publickey assistant can be started with:

    $ SSHPKA [qualifiers] [[user@]host[#port]]

Publickey Assistant Commands

ADD key file_name - Transfers the key file_name to the remote system.
    The file name specified is expected to be in the SSH2_CONFIG
    directory from the user's login directory. e.g.,
    ADD ID_DSA_1024_A.PUB will transfer the public key in
    ID_DSA_1024_A.PUB to the remote system and updates the
    AUTHORIZATION. file on the remote system to include this key name.

CLOSE - Closes the connection to the remote system

DEBUG {no | debug_level} - Sets debug level (like in SFTP2)

DELETE key finger-print - Deletes the key that matches the fingerprint
    specified. It is necessary to do a LIST command before this to get
    a list of the finger prints (and for the program to build its
    internal database mapping fingerprints to keys).

EXIT - Exits the program.

HELP - Displays a summary of the commands available

LIST - Displays the fingerprint and attributes of keys stored on the
    remote system. The attributes that are listed will vary with key.

OPEN [user@]host[#port] - Opens a connection to a remote publickey
    subsystem.

QUIT - Quits the program.

UPLOAD key file name - Synonym for "ADD"

VERSION [protocol version] - Displays or sets the protocol version to
    use. The protocol version can only be set before the OPEN command
    is used. The default version is 1.
* Publickey Assistant Qualifiers

/BATCHFILE - Provides file with publickey assistant commands to be
    executed. Starts SSH2 in batch mode. Authentication must not
    require user interaction.

/CIPHER - Selects encryption algorithm(s).

/COMPRESS - Enables SSH data compression.

/DEBUG - Sets debug level (0-99).

/HELP - Displays a summary of the qualifiers available.

/MAC - Selects MAC algorithm(s). /MAC=(mac-1,...,mac-n)

/PORT - Tells the Public Key Assistant which port sshd2 listens to on
    the remote machine.

/VERBOSE - Enables verbose mode debugging messages. Equal to
    "/debug=2". You can disable verbose mode by using "debug disable."

/VERSION - Displays version number only.

* Other Implementations

VanDyke includes this in their SecureFX and VShell products. VanDyke
also has a patch available for a server for OpenSSH.

New SSHKEYGEN warning
---------------------
A new qualifier has been added to SSHKEYGEN. That qualifier is
/[NO]WARN. This qualifier is used to warn the system administrator if
an SSH2 host key already exists and asks if the file should be
overwritten. Using /NOWARN will not announce the file's existence and
will overwrite the file. The default behavior now is to warn the system
administrator and ask if the existing file should be replaced.
SSHKEYGEN in earlier versions of TCPware would overwrite the existing
SSH2 host key file.

LOGIN/LOGOUT audits
-------------------
Login/logout events are now logged via the VMS audit server. The user
will see a login record created by TCPware, plus login & logout records
for a detached session (the interactive login session).

VAX Kerberos 5 Support
----------------------
Support for using Kerberos5 for user authentication for VMS VAX V7 has
been added.

*** Notes for Kerberos 5 Support ***

Support for Kerberos 5 is based on the HP Kerberos V5 for OpenVMS
Release 2.0 (http://h71000.www7.hp.com/openvms/products/kerberos/).
This kit restricts support for Kerberos to OpenVMS Alpha 7.2-2 and
higher, and to OpenVMS VAX 7.2-2 and higher.

Prior to installing and configuring the HP Kerberos product, the
following TCPware ECO must be installed:

- DRIVERS_V562P030

Once the above ECO has been applied, Kerberos may be installed and
configured. SSH may be configured and used at any time, either with or
without Kerberos; however, Kerberos is required to perform Kerberos
authentication in the SSH server. If Kerberos is installed at some
later time after SSH is started, restarting SSH will allow it to use
Kerberos.

---------------------------------------------------------------------------
This ECO kit provides fixes for the following DE's:

- [DE 9661] If a client system disconnects with a malformed
  SSH_MSG_DISCONNECT protocol message, the server process may enter a
  loop, exiting after several minutes. This scenario can typically
  occur when a PC system is infected with the MYDOOM virus (it attempts
  to break into SSH-enabled systems).

- [DE 9672] The CERT Vulnerability Note VU#333980 is addressed by this
  ECO. This addresses a possible DOS vulnerability when decoding
  digital certificates using BER or DER encoding.

- [DE 9690] Attempting to use SCP1 to copy the contents of a directory
  results in a failure.

- [DE 9216] If the SYSTEM account is disabled, the server will
  incorrectly report the desired user account is disabled.

- [DE 9258] If a user's [.SSH2] directory is in a search path SSH
  lookups in that directory may fail. For example:

    $ sho log sys$manager
       "SYS$MANAGER" ="SYS$SYSROOT:[SYSMGR]" (LNM$SYSTEM_TABLE)
    $ sho log sys$sysroot
       "SYS$SYSROOT" ="RAPTOR$DRA0:[SYS0.]" (LNM$SYSTEM_TABLE)
            = "SYS$COMMON:"
    1  "SYS$COMMON" ="RAPTOR$DRA0:[SYS0.SYSCOMMON.]" (LNM$SYSTEM_TABLE)

- [DE 8796] If a reverse address lookup fails, the server labels the
  client system as UNKNOWN in the TT_ACCPORNAM field, instead of
  loading it with the simple client IP address.
- [DE 9286] AllowGroups/DenyGroups may occasionally fail to work
  properly.

- [DE 9291] If the logical name TCPWARE_SSH_ACCESS_USE_LOCAL is
  defined, the LOCAL field in SYSUAF for the user rather than the
  REMOTE field will be used to determine if a user may log in.

- [DE 9262] Captive accounts are incorrectly allowed to execute remote
  SSH commands.

- [DE 9460] If the argument to BannerMessageFile in the SSHD2_CONFIG
  file contains lowercase characters, it might not be displayed at
  login time.

- [DE 9386] ASCII (text) file creates are now done such that the
  version number is maximized. This will allow a specific version of a
  file to be transferred, and for it to always end up as the most
  recent version of the file.

- [DE 9373] Improved logical name handling to correct some problems
  with translating the logical name on the client rather than the
  server.

- Improved identification methods for regular files/directories to fix
  some problems caused by errors.

- [DE 9289] Put a limit (5) on the number of devices returned for the
  LSROOTS command. This limit can be adjusted via the logical
  TCPWARE_SFTP_MAXIMUM_DEVICES. The number has been limited due to
  startup hangs, and the information that is causing it having limited
  use.

- [DE 9162] Correct a problem with computing the file size that
  prevented files greater than 4GB from being copied.

- [DE 9114] Correct a parsing problem that resulted if a directory
  name started with a period (".").

- [DE 9104] Correct some potential ACCVIOs due to lack of an error
  callback routine where one was expected.

- [DE 9097] A problem with the SFTP client that would cause it to not
  fully close the mailbox that is used to SSH and hence consume process
  resources when there are successive OPEN commands has been fixed.

- Security Express for Windows by ByteFusion no longer has problems
  getting directories with our SFTP server.
---------------------------------------------------------------------------
Post Installation Notes

If you have NOT previously installed a TCPware 5.6 SSH patch kit, or are
not sure if one was previously installed, you must perform the following
procedure:

- Save your old SSH2_DIR:SSHD2_CONFIG. file and create a new one from
  the new SSH2_DIR:SSHD2_CONFIG.TEMPLATE file:

    $ COPY SSH2_DIR:SSHD2_CONFIG. SSH2_DIR:SSHD2_CONFIG.OLD
    $ COPY SSH2_DIR:SSHD2_CONFIG.TEMPLATE SSH2_DIR:SSHD2_CONFIG.

- If you previously customized your SSH2_DIR:SSHD2_CONFIG file (now
  renamed to ".OLD"), you must edit the new SSH2_DIR:SSHD2_CONFIG file
  and add your customizations to it. You MUST use the new file created
  from the new SSH2_DIR:SSHD2_CONFIG.TEMPLATE file for this.

- Note that if you are in a clustered environment with a shared system
  disk, you must copy the SSH2_DIR:SSHD2_CONFIG.TEMPLATE from the node
  where the ECO was initially installed to the SSH2_DIR: directory on
  each of the other nodes in the cluster before making the new
  SSHD2_CONFIG file and making any changes as noted above.
The old version of the replaced SSH components will be renamed to

    TCPWARE_COMMON:[TCPWARE]SSH2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSHD.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSHD2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSHD_MASTER.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH-ADD2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH-AGENT2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SCP2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH-KEYGEN.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH-KEYGEN2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH-SIGNER2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SCP-SERVER1.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SFTP-SERVER2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSHD2_CONFIG.TEMPLATE_OLD
    TCPWARE_COMMON:[TCPWARE]SSHLEI.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]LOAD_SSHLEI.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]UNLOAD_SSHLEI.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]NETCU.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH_CONTROL.COM_OLD
    TCPWARE_COMMON:[TCPWARE]TCPWARE_COMMANDS.COM_OLD

Once installed, you may undo this patch by renaming the files back to
their original names, and restarting the SSH component.

NOTE: You must reboot your system after installing this ECO, to load
      the new software features.

[End of ECO announcement]
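
DE 9661 in the SSH_V562P040 fix list above concerns a server process that loops after a malformed SSH_MSG_DISCONNECT. The C parser below is an added example, not Process Software's code or its fix (the README does not describe the cause): it reads the RFC 4253 message layout with every length checked against the payload and treats any error as terminal. The struct, the function names and the sample payloads are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#define SSH_MSG_DISCONNECT 1   /* message number, RFC 4253 */

struct disconnect_msg {        /* hypothetical type; desc/lang point into the caller's buffer */
    uint32_t reason;
    const uint8_t *desc; uint32_t desc_len;
    const uint8_t *lang; uint32_t lang_len;
};

/* Read a big-endian uint32 at *off; fail if fewer than 4 bytes remain. */
static int get_u32(const uint8_t *p, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4) return -1;
    *out = ((uint32_t)p[*off] << 24) | ((uint32_t)p[*off + 1] << 16) |
           ((uint32_t)p[*off + 2] << 8) | (uint32_t)p[*off + 3];
    *off += 4;
    return 0;
}

/* Read an SSH string: uint32 length, then exactly that many bytes. */
static int get_string(const uint8_t *p, size_t len, size_t *off,
                      const uint8_t **s, uint32_t *slen)
{
    if (get_u32(p, len, off, slen) != 0) return -1;
    if (*slen > len - *off) return -1;   /* declared length exceeds payload */
    *s = p + *off;
    *off += *slen;
    return 0;
}

/* 0 = parsed, -1 = malformed. -1 is terminal: drop the connection, never retry. */
int parse_disconnect(const uint8_t *p, size_t len, struct disconnect_msg *m)
{
    size_t off = 1;
    if (len < 1 || p[0] != SSH_MSG_DISCONNECT) return -1;
    if (get_u32(p, len, &off, &m->reason) != 0) return -1;
    if (get_string(p, len, &off, &m->desc, &m->desc_len) != 0) return -1;
    if (get_string(p, len, &off, &m->lang, &m->lang_len) != 0) return -1;
    return off == len ? 0 : -1;          /* trailing bytes are malformed too */
}

/* Constructed sample payloads, not captured traffic. */
static const uint8_t good_msg[]  = {1, 0,0,0,11, 0,0,0,3,'b','y','e', 0,0,0,0};
static const uint8_t bad_len[]   = {1, 0,0,0,11, 0xff,0xff,0xff,0xff,'b','y','e'};
static const uint8_t truncated[] = {1, 0,0,0,11, 0,0,0,3,'b','y','e'};
int main(void)
{
    struct disconnect_msg m;
    printf("good=%d ", parse_disconnect(good_msg, sizeof good_msg, &m));
    printf("bad_len=%d ", parse_disconnect(bad_len, sizeof bad_len, &m));
    printf("truncated=%d\n", parse_disconnect(truncated, sizeof truncated, &m));
    return 0;
}
```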