----------------------------------------------------------------------------
SSH_V592P041 patch kit (revision 4.1) for TCPware 5.8/5.9
17-May-2012

Copyright (c) 2006, 2007, 2008, 2010, 2011, 2012 by Process Software

This VMSinstallable saveset provides a new version of the following SSH
components:

    - SSH client (SSH2.EXE)
    - SSH1 server (SSHD.EXE)
    - SSH2 server (SSHD2.EXE)
    - SSH master control program (SSHD_MASTER.EXE)
    - SSH identity agent program (SSH-AGENT2.EXE)
    - SSH key generators (SSH-KEYGEN.EXE and SSH-KEYGEN2.EXE)
    - SSH key signer (SSH-SIGNER2.EXE)
    - SSH loadable executive image (SSHLEI.EXE, LOAD_SSHLEI.EXE,
      UNLOAD_SSHLEI.EXE)
    - SSH agent identity manipulation program (SSH-ADD2.EXE)
    - SSH file copy client (SCP2.EXE)
    - SSH SFTP client (SFTP2.EXE)
    - SSH file copy servers (SFTP-SERVER2.EXE and SCP-SERVER1.EXE)
    - SSH server configuration template file (SSHD2_CONFIG.TEMPLATE)
    - SSH certificate enrollment program (SSH-CMPCLIENT.EXE)
    - SSH configuration procedure (SSH_CONTROL.COM)
    - SSH Public Key Assistant (PUBLICKEY_ASSISTANT.EXE)
    - SSH Certificate Viewer (SSH-CERTVIEW.EXE)
    - SSH shared libraries (SSH_ZLIB.EXE, SSH_FSCLM.EXE)
    - SSH Public Key Server (PUBLICKEY-SERVER.EXE)
    - SSH client configuration template (SSH2_CONFIG.TEMPLATE)
    - LDAP authentication plugin using the VMS Authentication Module
      (LDAP-PLUGIN.EXE)
    - SecurID authentication plugin using the VMS Authentication Module
      (SECURID-PLUGIN.EXE)
    - SSH X.509 certificate tool (SSH-CERTTOOL.EXE)
    - SSH shareable image (SSHSHR.EXE)

A new version of the following common TCPware utility is provided for
TCPware V5.8:

    - TCPware command definitions (TCPWARE_COMMANDS.COM and TCPware.CLD)

This ECO is dependent upon the following TCPware ECOs:

    - NET_V592P080 for TCPware V5.9
    - IPS_V592P050 for TCPware V5.9
    - NET_V582P010 for TCPware V5.8

A system reboot is required after installing this ECO, to load the new
software features.

This kit has an ECO ranking of 2.
This kit includes the following corrections:

   o Corrected a problem with SFTP detecting whether or not a logical name
     refers to a disk drive.

   o Corrected a problem in SFTP-SERVER2 with detection of
     TCPWARE_SFTP_NEWLINE_STYLE. [DE 11208]

   o Corrected some problems in SFTP-SERVER2 with TCPWARE_SFTP__ROOT
     [DE 11207]

   o Made TCPWARE_SFTP_STAT_DESTINATION_FILE control whether or not the
     file characteristics are requested for a file after it has been
     transferred as well as before. [DE 11199]

   o Added the following configuration parameters to SSH2_DIR:SSHD2_CONFIG.

        UserCommandDirectory          %D[.SSH_CMD]
        UserSpecificCommandDirectory  username directory_specification

     These parameters allow for control of the directory in which SSHD2
     creates command files in order to execute remote commands or to start
     subsystems (e.g. SFTP-SERVER). UserCommandDirectory allows for
     specification of a globally used directory, with %D representing the
     user's default login directory. UserSpecificCommandDirectory allows an
     alternate directory to be specified for specific usernames. Note that
     username is case sensitive, so it will most likely have to be in all
     uppercase on VMS. For the username DILBERT, for example, the
     specification would be something like:

        UserSpecificCommandDirectory  DILBERT  DISK$USERS:[USERS.DILBERT.SSH_CMD]

     If neither of these parameters is specified, the files will continue
     to be created in the [.SSH2] subdirectory in the user's login
     directory. [DE 11156]

   o Improved compatibility with CerberusFTPServer_5.0: the client now
     recognizes that the key exchange guessing mechanism does not arrive at
     the correct algorithm, so it is no longer necessary to have

        SendKexGuess No

     in the user's SSH2_CONFIG. file. [PSC134918]

   o Added bounds checking when supplying auditing parameters to VMS to
     prevent possible buffer overflows.
---------------------------------------------------------------------------

Post Installation Notes

The old versions of the replaced SSH components will be renamed to

    TCPWARE_COMMON:[TCPWARE]SSH2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSHD.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSHD2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSHD_MASTER.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH-ADD2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH-AGENT2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SCP2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH-KEYGEN.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH-KEYGEN2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH-SIGNER2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH-CERTVIEW.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH-CERTENROLL2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SCP-SERVER1.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SFTP-SERVER2.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSHD2_CONFIG.TEMPLATE_OLD
    TCPWARE_COMMON:[TCPWARE]SSHLEI.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]LOAD_SSHLEI.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]UNLOAD_SSHLEI.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH_FSCLM.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH_ZLIB.EXE_OLD
    TCPWARE_COMMON:[TCPWARE]SSH_CONTROL.COM_OLD
    TCPWARE_COMMON:[TCPWARE]TCPWARE_COMMANDS.COM_OLD

Once installed, you may undo this patch by renaming the files back to their
original names, and restarting the SSH component.

NOTE: You must reboot your system after installing this ECO, to load the
new software features.

---------------------------------------------------------------------------

This ECO also addresses all of the same problems from the previous SSH ECOs:

SSH_V592P030
------------

   o For TCPware V5.9 only, the SSHD MASTER process would not re-register
     with IPS when IPS was restarted. [DE 11169]

   o In prior versions of TCPware, the return status codes from the SSH
     clients listed above were based on UNIX-style status codes, causing
     problems for many VMS users. Beginning with this ECO, a logical name
     may be defined that will cause the SSH clients listed above to use
     VMS-style return codes.
     If the logical name isn't defined, the old-style codes will still be
     used by default. Refer to table 6-1 in the MultiNet for OpenVMS
     Messages, Logicals and DECnet Applications manual for a description of
     the new status codes. To enable the new status codes instead of the
     previous status codes, the logical name TCPWARE_SSH_NEW_STATUS_CODES
     must be defined system-wide.

   o Changed the identification string sent by the client and server to be
     "Process Software SSH". This change will prevent erroneous alerts from
     security scanner software when the scanner previously encountered the
     string "ReflectionForSecureIT" in the identity string.

   o Updated the SSH version from 6.1.4.0 to 6.1.5.0.

   o New configuration parameters have been added for the SSH service, and
     can be set using TCPWARE:CNFNET.

        - ipv4-disable - when set, SSHD MASTER will not listen on an IPV4
          socket.
        - ipv6-disable - when set, SSHD MASTER will not listen on an IPV6
          socket.

     To disable IPV4 and/or IPV6 listeners the following questions have
     been added:

        You may disable listening for server connections on an IPV4 socket
        or on an IPV6 socket. The default is to listen on both IPV4 and
        IPV6 sockets. NOTE: you must have either IPV4 or IPV6 (or both)
        listen sockets enabled.

        Do you want to disable listening on an IPV4 socket [NO]?
        Do you want to disable listening on an IPV6 socket [NO]?

   o RFC 4255, "Using DNS to Securely Publish Secure Shell (SSH) Key
     Fingerprints", has been implemented in the SSH2 client. This provides
     the ability to look up host key fingerprints stored as SSHFP records
     in a DNS RRSET using DNSSEC. This provides additional protection
     against man-in-the-middle host key spoofing attacks.

   o The /DNS_DIGEST option has been added to SSH-KEYGEN2 for RFC 4255
     support. This option causes SSH-KEYGEN2 to calculate and print the
     digest of the local SSH host key in a format that allows it to be
     added to the local TCPware hosts file.
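The SSHFP check described in the RFC 4255 item above, as an added example that is not part of this kit or of TCPware's own code: it builds an ssh-rsa host key blob, derives the SSHFP RDATA (algorithm 1, fingerprint type 1, SHA-1 over the key blob) in the form a tool such as SSH-KEYGEN2 /DNS_DIGEST publishes, and compares the key a server presents against the DNS records. The key material and host name are constructed, and the DNSSEC-validated lookup that returns the records is assumed to have been done by the caller.

```python
import base64
import hashlib
import struct

# RFC 4255 SSHFP RDATA = algorithm number, fingerprint type, fingerprint.
# Algorithm 1 = RSA, 2 = DSA; fingerprint type 1 = SHA-1 over the public key blob.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2}
SSHFP_FPTYPE_SHA1 = 1


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed SSH wire 'string' (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire 'mpint' (two's complement): a leading zero byte is added if the MSB is set."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_rsa_host_key_blob(e: int, n: int) -> bytes:
    """The 'ssh-rsa' public key blob that appears base64-encoded in a host key file."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def sshfp_rdata(key_blob: bytes) -> tuple:
    """Return (algorithm, fp_type, hex SHA-1 fingerprint) for a host key blob."""
    name_len = struct.unpack(">I", key_blob[:4])[0]
    key_type = key_blob[4:4 + name_len].decode("ascii")
    if key_type not in SSHFP_ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for key type {key_type!r}")
    return SSHFP_ALGORITHMS[key_type], SSHFP_FPTYPE_SHA1, hashlib.sha1(key_blob).hexdigest()


def host_key_matches_sshfp(key_blob: bytes, records) -> bool:
    """True if any SSHFP record (algorithm, fp_type, hex fingerprint) matches the presented key.
    Only records from a DNSSEC-validated answer should be passed in (assumption of this
    example); an unsigned answer gives no protection against a spoofed host key."""
    alg, fp_type, fp = sshfp_rdata(key_blob)
    return any((a, t, f.lower()) == (alg, fp_type, fp) for a, t, f in records)


if __name__ == "__main__":
    # Constructed toy key material: not a real RSA modulus, used only to fingerprint.
    blob = build_rsa_host_key_blob(65537, 0xC0FFEE0123456789ABCDEF0123456789ABCDEF)
    alg, fp_type, fp = sshfp_rdata(blob)
    print("host key:", base64.b64encode(blob).decode())
    print(f"host.example.com. IN SSHFP {alg} {fp_type} {fp}")   # record to publish
    print("matches:", host_key_matches_sshfp(blob, [(alg, fp_type, fp)]))
```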
   o The system-wide logical name TCPWARE_SSH_CMD_FILE_DIR may be used to
     determine where the SSH2 server will create the temporary command
     procedures it uses to execute remote commands. If this logical is not
     defined, the default behavior remains to create the command procedures
     in the user's [.SSH2] directory.

   o Corrected SSHD MASTER access violation after many sessions. [DE 11127]

   o Optimized user information lookups on systems with large UAF and
     RIGHTSLIST files. [DE 11122]

   o A scenario wherein [.ssh2] directories in user accounts may be created
     with incorrect protection masks has been corrected. [DE 11156]

   o If the logical MULTINET_SFTP_SET_VMS_PROTECTION is defined to No,
     False or 0 (zero), then VMS transfers will not set the protection of
     files that are copied between two systems running Process Software's
     implementation of SFTP2. This logical can be defined on either the
     client or server and will have effect on both PUT and GET operations.
     [DE 11084]

*** Notes for Kerberos 5 Support ***

Support for Kerberos 5 is based on HP Kerberos V5 for OpenVMS. SSH may be
configured and used at any time, either with or without Kerberos; however,
Kerberos is required to perform Kerberos authentication in the SSH server.
If Kerberos is installed at some later time after SSH is started,
restarting SSH will allow it to use Kerberos.

Some chapters of the TCPware documentation having to do with SSH have been
updated for TCPware V5.8. New PDF files of these are supplied in this ECO
for those versions of TCPware, and are copied to the
TCPWARE_COMMON:[TCPWARE] directory. These are:

    TW_MANAGEMENT_SSH1_SERVER_CH25.PDF
    TW_MANAGEMENT_SSH2_SERVER_CH26.PDF
    TW_USER_GUIDE_SSH_CLIENT_CH16.PDF
    TW_USER_GUIDE_FILE_XFER_CH17.PDF

SSH_V592P020
------------

   o Correct a possible ACCVIO on SFTP [M]PUT commands. [DE 11048/DE 11066]

   o Correct problems with incomplete transfers in SFTP record mode.
     [DE 11044]

   o The SSH_LOG:SSHD.LOG file has an extra character at the end of each
     line, which could make it difficult to parse programmatically. This
     has been changed such that if the system-wide logical name
     TCPWARE_SSH2_SERVER_DEBUG_NOCR is defined (the value doesn't matter),
     the trailing character will not appear on debug log lines. [DE 11103]

   o On Integrity systems only, SSHLEI.EXE has been moved from
     SYS$LOADABLE_IMAGES to the TCPWARE_COMMON:[TCPWARE] directory. This
     fixes problems caused by the incorrect version of SSHLEI.EXE existing
     in SYS$LOADABLE_IMAGES.

   o Correct some file truncation problems. [DE 11079]

   o Change SCP2 and SFTP2 to open destination files for write only instead
     of read/write to provide interoperability with more implementations.

   o Restore the SFTP2 & SCP2 password prompt to include a space after the
     colon as it had in previous versions. [DE 11065]

SSH_V592P010
------------

   o Correct problems with specifying a version number on a source file and
     getting the file appropriately transferred to the remote system.
     [DE 9852/10242]

   o Errors from attempting to close a file that is already closed are now
     ignored. Don't make the call to set file characteristics when there
     are no characteristics to be set. [DE 10829]

   o Improvements to FXP_REALPATH processing. [DE 10832]

   o Remove hashing data structures from buffer management data structures
     to reduce memory utilization. (TCPware SCP2 & SFTP2 do not support
     file hashing to check whether a file is different before transferring
     it.) [DE 10937]

   o An assertion in SSHADT in the SSHD2 server could fail, causing the
     server to abort. [10967]

   o SSH OPCOM session accept and session reject messages would sometimes
     display garbage at the end of the message. [DE 10629]

   o Corrected an ACCVIO when public key authentication fails in batch
     mode. [DE 10675]

   o When using the VMS Authentication Module and LDAP for authentication,
     the LDAP_ALLOW_NULL_PASSSWORD flag isn't honored properly.
   o Problems with DCL passing arguments to SSH on Integrity systems when
     using /PARSE_STYLE=EXTENDED. [DE 11002]

   o When connecting to an Integrity management processor, the key guess is
     incorrect. [DE 10979]

   o The number of connection attempts and the timeout for each attempt for
     the client needs to be configurable. The following configuration
     keywords in SSH2_DIR:SSH2_CONFIG have been added:

        ConnectionTimeout   (default zero seconds)
        ConnectionAttempts  (default 5)

     [DE 9175]

   o DSA host keys can't be generated. [DE 10972]

   o VAX keys can't be generated on some versions of VAX/VMS.

   o The user group in the UAF isn't used when doing group comparisons
     (e.g., AllowGroups or DenyGroups). [DE 10958]