SSHB_V610P013 ECO kit rev 1.3
For TCPware 6.1
22-Apr-2024

Copyright (c) 2010-2022 Process Software LLC

This ECO kit provides a new version of the following files for V6.1 and V6.0-2:

    LDAP-PLUGIN.EXE
    LOAD_SSHLEI.EXE
    PUBLICKEY-SERVER.EXE
    PUBLICKEY_ASSISTANT.EXE
    SCP-SERVER1.EXE
    SCP2.EXE
    SECURID-PLUGIN.EXE
    SFTP-SERVER2.EXE
    SFTP2.EXE
    SSH-ADD2.EXE
    SSH-AGENT2.EXE
    SSH-CERTTOOL.EXE
    SSH-CERTVIEW.EXE
    SSH-CMPCLIENT.EXE
    SSH-KEYGEN.EXE
    SSH-KEYGEN2.EXE
    SSH-SIGNER2.EXE
    SSH2.EXE
    SSHD.EXE
    SSHD2.EXE
    SSHD_MASTER.EXE
    SSHLEI.EXE
    SSH_FSCLM.EXE
    SSH_ZLIB.EXE
    UNLOAD_SSHLEI.EXE
    START_SSH.COM
    SSHSHR.EXE

This patch is applicable to TCPware SSH on V6.1 and V6.0-2 on all supported versions of OpenVMS. Some functionality may not be present on VAX systems.

NOTE: A system reboot is required after installing this kit.

This kit has an ECO ranking of 3.

This update to Process Software's implementation of SSH adds functionality to Alpha AXP and ia64 systems to support SSH Suite B (RFC 6239), which provides new key exchange mechanisms, new encryption methods and new MACs (message authentication codes). Primary testing has been with OpenSSH, with additional testing with PuTTY, Core FTP and other applications that use SSH. Some of those applications had problems in older versions that were resolved by upgrading to a more recent version.

Change details:

- Correct a problem with TCPWARE_SFTP__ROOT.
    SSHB-V610P013 22-Apr-2024

- Correct some ACCVIOs and improve some error messages.
    SSHB_V610P012 2-Apr-2024

- Correct an ACCVIO that can happen with clients that open multiple sessions.
    SSHB_V610P011 25-Mar-2024

- Only offer Curve25519 for key exchange when the server can offer an ed25519 key.
    SSHB_V610P010 19-Mar-2024

- More work disabling ASTs when operating on lists so that lists aren't corrupted.
    SSHB-V610P010 19-Mar-2024

This kit also includes the following changes for TCPware 6.02:

- Disable sending SSH_MSG_IGNORE during the initial key exchange to maintain compatibility with other implementations.
    SSHB-V602_076 12-Feb-2024

- Disable debugging in SSHADT modules.
    SSHB-V602_076 12-Feb-2024

- Add Group Exchange Key Exchange (RFC 4419) for VAX.
    SSHB-V602_075 12-Feb-2024

- Disable ASTs when operating on lists so that lists can't be corrupted.
    SSHB-V602-074 15-Nov-2023

- More work on ADT Priority Heap diagnostics. Recognize pointers in freed memory.
    SSHB-V602-073 3-Nov-2023

- More work on ADT Priority Heap diagnostics.
    SSHB-V602-072 1-Nov-2023

- More work on support for the MAXJOBS and MAXACCTJOBS UAF parameters.
    SSHB-V602-071 5-Sep-2023

- Improve diagnostics in ADT Priority Heap so that we can understand the occasional errors that happen there.
    SSHB-V602-A070 27-Jul-2023

- Add support for the MAXJOBS and MAXACCTJOBS UAF parameters to limit the number of concurrent jobs a user may have.
    SSHB-V602-A070 27-Jul-2023

- Correct a problem with duplicate intrusion logging.
    SSHB-V602-A069 14-Jun-2023

- Correct a problem with password login being allowed when the user is marked as an INTRUDER.
    SSHB-V602_A068 13-Jun-2023

- Correct a problem with random number generation on older VMS systems.
    SSHB-V602P068 13-Jun-2023

- Change the way that public keys are stored in the user's host key directory, and looked for, to include the type of the key in the file extension. This allows multiple key types from one system to be stored and can help when migrating from one key type to another. Existing keys will still be found, because the lookup code falls back to the ".pub" extension if no file with the type-specific ".pub_" extension exists. RSA keys will be .pub_rsa, DSA keys .pub_dsa, ECDSA keys .pub_ecdsa and ed25519 keys .pub_ed25519.
    SSHB-V602P068 13-Jun-2023

- Improve random number generation on very quiet systems.
    SSHB-V0602P067 31-May-2023

- Correct an error handling DSA keys that was introduced in SSHB-V602P063.
    SSHB-V602P066 17-May-2023

- More work on reporting the name used for an attempted login when it isn't a username present on the system.
    SSHB-V602P066 17-May-2023

- Correct some problems with key exchanges in SSHB-V602P063. Note that it is still possible for key exchange or algorithm negotiation to fail because of configuration differences between the two ends; the failures that were due to coding errors have been resolved.
    SSHB-V602P065 11-May-2023

- VAX systems will now display key fingerprints in SHA256 as well as SHA1, as Alpha and ia64 systems have.
    SSHB-V602P064 11-May-2023

- Attempts to log in with non-existent usernames will now show the username tried in the OPCOM messages along with a status of "no such user".
    SSHB-V602P064 3-May-2023

- If user messages are enabled in accounting (SET ACCOUNTING/ENABLE=MESSAGE) the connecting client's identification string will be written to the accounting file. It can be matched with other accounting records and OPCOM messages by using the PID to identify the remote node address. This can help identify what kind of system is attempting to connect.
    SSHB-V602P064 3-May-2023

- Correct an error in the installation scripts which caused the wrong images to be installed on Alpha systems running VMS versions between 7.0 and 7.2.
    SSHB-V602P063 19-Apr-2023

- Add support for diffie-hellman-group14-sha256 for VAX systems. This is the RFC 8268 support that we can offer for VAX systems.
    SSHB-V602P063 19-Apr-2023

- Support for ED25519 public key algorithms (RFC 8709 and RFC 8731) for Alpha and ia64 systems. SSHKEYGEN/keytype will now recognize ED25519, and SSH2 can do key exchange and user authentication with these keys.
    SSHB-V602P063 19-Apr-2023

- More work on the exit handler that deletes the SSH_EXPIRED_PWD logicals. It is now called directly from the end of the main routine.
    SSHB-V602P062 17-Nov-2022

- Have the exit handler that deletes SSH_EXPIRED_PWD_ logical names make sure that it has sufficient privileges to do so.
    SSHB-V602P061 24-Oct-2022

- Change the default version timeout to 10 seconds (instead of 1 minute).
  The value can be controlled by defining the logical TCPWARE_SSH_CONNECT_ID_TIMEOUT in the system table (DEFINE/SYSTEM) to a VMS delta time before starting SSH.
    SSHB-V602P060 14-Oct-2022

- Check SSHD_MASTER_DEBUG at startup rather than at the time of an error, so that the value is already available for error reporting in cases where the cause of the error could also interfere with translating the logical. The SSHD_MASTER process now only checks for the logical SSHD_MASTER_DEBUG when it is started.
    SSHB-V602P059 20-Sep-2022

- Correct an error in an exit handler so that it works as intended.
    SSHB-V602P058 16-Sep-2022

- Change error reporting in SSHD_MASTER to not use STRERROR, which in some circumstances appears to leave the process compute and I/O bound.
    SSHB-V602P057 6-Sep-2022

- Add bounds checking to accesses of the global section.
    SSHB-V602P057 29-Aug-2022

- Correct an error in SELECT parameters in SSHD_MASTER.
    SSHB-V602P057 25-Aug-2022

- Correct an error in DUPLNAM handling in SSHD_MASTER.
    SSHB-V602P056 2-Aug-2022

- More work on the exit handler that deletes SSH_EXPIRED_PWD_ logical names.
    SSHB-V602P055 22-Jul-2022

- Handle ECDSA keys stored in the same format as DSA and RSA keys, as some systems are moving to that format. This maintains compatibility with other implementations. Prior ECDSA key formats continue to be handled.
    SSHB-V602P055 22-Jul-2022

- Correct an error path in SSHD_MASTER that could leave ASTs disabled.
    SSHB-V602P054 21-Jul-2022

- Add an exit handler to make sure that logical names of the form SSH_EXPIRED_PWD_ are deleted when SSHD2 exits.
    SSHB-V602P053 12-Jun-2022

- Have SCP2 and SFTP2 treat "file name syntax error" as "file not found" to avoid warnings about unexpected errors.
    SSHB-V602P052 14-Feb-2022

- Correct an error in /PRESERVE for SCP2. /PRESERVE[=ALL] is the default, even when not specified.
    SSHB-V602P051 9-Feb-2022

- Correct an error in the SSH version number string format. Disable key exchange guesses, which are of questionable value.
    SSHB-V602P050 28-Jan-2022

- Correct a path in SFTP-SERVER2 that would not get the file type properly set.
    SSHB-V602P050 10-Jan-2022

- The qualifier /EXIT_ON_ERROR will cause SFTP to stop processing commands and exit on the first error encountered when in batch mode. The default is to NOT exit on error.
    SSHB-V602P050 BZ 6733 ECO Rank 3 3-Jan-2022

- The qualifier /NOVERIFY will disable the displaying of each command when in batch mode. The default is /VERIFY.
    SSHB-V602P050 BZ 6729 ECO Rank 3 3-Jan-2022

- Add optional values (ALL, DATES, ATTRIBUTES) to the /PRESERVE qualifier. These values can be negated to choose what is preserved. The default is ALL.
    SSHB-V602P050 BZ 6724 ECO Rank 3 3-Jan-2022

- Add the IP address to the message that is logged to OPCOM when there is a timeout or a bad format for the SSH identification string that is exchanged at the beginning of the connection.
    SSHB-0050_A024 BZ 6742 ECO Rank 3 3-Jan-2022

- Correct a problem with "successful" intrusions being logged.
    SSHB-V602P050 ECO Rank 3 12-Oct-2021

- More work on the memory growth problem with SSH-AGENT2.
    SSHB-V602P049 ECO Rank 3 1-Oct-2021

- Correct a memory leak in SSH-AGENT2.
    SSHB-V602P048 ECO Rank 3 17-Aug-2021

- Update SSHD_MASTER.EXE to correct a channel leak problem.
    SSHB-V602P047 ECO Rank 3 30-Jul-2021

- Correct a problem with SSH-SIGNER2 that prevented hostbased authentication from working. Add support to allow Suite B keys for hostbased authentication on Alpha and ia64 systems. An ECDSA nistp521 key will be named HOST_EXAMPLE_COM_ECDSA-SHA2-NISTP521.PUB.
    SSHB-V602P046 ECO Rank 3 14-May-2021

- The updated images correct a problem with SSHKEYGEN/SSH2 on VAX processors.
    SSHB-V602P045 ECO Rank 3 23-Sep-2020

- If the logical TCPWARE_SSH_VMS_ONLY_STATUS is defined then the SSH exit status only reflects the status (success/failure) of the SSH command itself, and does not include any status from the remote system.
    SSHB-V602P045 ECO Rank 3 31-Aug-2020

- Set the symbol SSH_REMOTE_EXIT_STATUS to the value of "exit-status" provided by the remote system, as documented in RFC 4254 section 6.10. Interpretation of this value depends upon the remote system.
    SSHB_V602P045 ECO Rank 3 20-Aug-2020

- Correct an error in handling the use of the TCPWARE_SSH_username_ROOT logical in some cases.
    SSHB_V602P044 ECO Rank 3 17-Jun-2020

- Correct an error in ECDH signing that can cause disconnects during key exchange. (AXP and ia64 only)
    SSHB_V602P044 ECO Rank 3 12-Jun-2020

- Correct a problem with exchanging files with FileZilla.
    SSH_V602P043 ECO Rank 3 21-Apr-2020

- Allow a default file size to be specified with the logical TCPWARE_SFTP_DEFAULT_SIZE for interacting with servers that don't return a file size.
    SSH_V602P042 ECO Rank 3 24-Sep-2019

- Recognize that WS_FTP-12.7 doesn't like IGNORE messages while doing Group Exchange Key Exchange.
    SSH_V602P041 ECO Rank 3 9-Sep-2019

- Correct an error in the input sensing code that could cause delays.
    SSH_V602P040 ECO Rank 3 8-Jul-2019

- If the logical SSH_STEP_THROUGH_RADIUS_ADDRESSES is defined to True/Yes/1 then each attempt to authenticate via the RADIUS server will use a different returned address when the DNS lookup returns multiple addresses, instead of always trying the first address. This provides additional failover capability when the DNS lookup of the RADIUS host always returns the addresses in the same order. If the DNS lookup round-robins the addresses, the traditional behavior already provides failover capability.
    SSHB_V602P040 ECO Rank 3 8-Jul-2019

- Correct an error in Group Exchange Key Exchange for group 18.
    SSHB_V602P040 ECO Rank 3 8-Jul-2019

- Change installation procedures such that the V7 SFTP2 and SCP2 Alpha AXP images are only used for systems running VMS V7.2 and later. There have been some problems using the V7 images on earlier V7 VMS systems.
  The difference between the V6 and V7 images is large file and ODS-5 support, which is only in VMS V7.2 and later.
    SSHB_V602P040 ECO Rank 3 10-May-2019

- Correct a problem in SFTP2 with LCD to a logical name.
    SSHB-039_A024 ECO Rank 3 27-Mar-2019

- Correct a problem that can lead to dangling SFTP_SERVER processes.
    SSHB-038_A055 ECO Rank 3 7-Mar-2019

- Fix some parsing problems in SSH_FXP_REALPATH.
    SSHB_038-A024 ECO Rank 3 17-Jan-2019

- Fix a channel leak in SSHD_MASTER.
    SSHB-038 ECO Rank 3 14-Jan-2019

- Add a connection timeout routine to SSH-AGENT2 to deal with dangling connections that lead to consumption of BYTLM.
    SSHB-V602P037 ECO Rank 3 14-Dec-2018

- Improve CD operations in VMS mode when a logical is used as the target.
    SSHB-V602P027 ECO Rank 3 7-Dec-2018

- Correct some memory leaks in SSH-AGENT2, which could cause problems with heavy usage.
    SSHB-V602P036 ECO Rank 3 21-Nov-2018

- Correct a problem with verifying an RSA host key with ECDH key exchange.
    SSHB-V602P035 ECO Rank 3 31-Oct-2018

- Correct a problem with passwords that are 32 characters long.
    SSHB-V602P034 ECO Rank 3 17-Sep-2018

- Updates to key exchange code to support diffie-hellman-group14-sha256.
    SSHB_V602P033 ECO Rank 3 10-Aug-2018

- Updates to certificate authentication code after testing with RSA2048-SHA256 certificates.
    SSHB_V602P033 ECO Rank 3 29-May-2018

- Added the configuration variable RadiusTimeout to allow site configuration of the RADIUS timeout value. The default value is 3 seconds.
    SSH-029_A055 ECO Rank 3 12-Jul-2018

- Correct a data structure alignment issue in the I/O module to improve performance. This provides new images for SSH2, SSHD2, SFTP2, SCP2 and SFTP-SERVER2.
    SSH-019_A055 ECO Rank 3 25-Apr-2018

- Make SCP2, SFTP2 and SFTP-SERVER2 observe the setting of TCPWARE_SFTP_DEFAULT_FILE_TYPE_REGULAR at all points at which files could be accessed.
    SSH-018_A055 ECO Rank 3 30-Jan-2018

- When the logical TCPWARE_SSH_RADIUS_TRUNCATE_USERNAME is defined in the system logical name table, usernames will be truncated before any underscore (_) present in the name before attempting RADIUS password authentication.
    SSH-017_A055 ECO Rank 3 29-Jan-2018

- Correct attempts to open /dev/random and /dev/urandom that can cause problems on systems that have a logical named DEV defined.
    SSH-017_A055 ECO Rank 3 29-Jan-2018

- Modification to SSHD2 and SSH2 to support SSH Group Exchange Key Exchange (RFC 4419), so that the correct minimum level of security can be maintained for RSA2048-SHA256 certificates.
    SSHB_V602P033 ECO Rank 3 21-Nov-2017

- Modification of SSHD2 to support the LOAD_PWD_POLICY and VMS$PASSWORD_POLICY callouts with PWDMIX on systems that support PWDMIX. Note that the VMS$PASSWORD_POLICY callouts must NOT write to SYS$OUTPUT or attempt to read from SYS$INPUT, as these channels are used for network communication and doing so will cause problems. Writes to SYS$ERROR will appear in the SSH_LOG:SSHD.LOG for the session.
    SSH-016_A055 ECO Rank 3 8-Nov-2017

- Modification of SSHD2 to prevent CAPTIVE or RESTRICTED usernames from creating tunnels.
    SSH-016_A055 ECO Rank 3 8-Nov-2017

- Modification to SSHD2 and SSH2 to support X509v3-rsa2048-sha256 certificates for host key exchange (RFC 6187).
    SSHB_V602P033 ECO Rank 3 31-Oct-2017

- Modification of SSHD_MASTER to allow control of the connection id timeout with the logical TCPWARE_SSH_CONNECT_ID_TIMEOUT. This logical should be defined to a VMS delta time before SSH is started; the modification requires restarting SSH to take effect. If the logical is not defined, or is not a VMS delta time, then the default value of 1 minute (0 00:01:00.0) is used. (SSHB-V602P060, above, later changed this default to 10 seconds.)
    SSH_V602P028 ECO Rank 3

- Modifications to SSHD2 such that it can read unencrypted certificate keys for system authentication with certificates without having to process the keys and certificates with the certificate utilities.
- Elliptic curve Diffie-Hellman (ECDH) key agreement [RFC 5656]. Curves: nistp256, nistp384, nistp521. The curve chosen will be sufficient to support the hash for the host keys involved. This means that if the host key is ECDSA-nistp521, only the nistp521 curve will be available; an ECDSA-nistp384 key will have nistp384 and nistp521 available; and ECDSA-nistp256 will have nistp256, nistp384 and nistp521 available.

- Elliptic curve digital signature algorithm (ECDSA) [RFC 5656]. Public keys are written in a format close to what is used by OpenSSH, and OpenSSH public keys can be read as is. The "Subject" and "Comment" lines in the key may need to be removed to make the keys readable by OpenSSH. The curves supported are nistp256, nistp384 and nistp521.

- Advanced Encryption Standard running in Galois/Counter Mode (AES-GCM) [RFC 5647], as modified by OpenSSH to resolve a potential ambiguity, since encryption and message authentication are both provided by a single algorithm. In this case the ciphers are named aes128-gcm@openssh.com and aes256-gcm@openssh.com.

- New MACs based on SHA-256, SHA-384 and SHA-512. RFC 6668 defines hmac-sha2-256 and hmac-sha2-512; the SHA-384 variant is not in that RFC. These can be used with any ciphers except the GCM ciphers, which provide both encryption and MAC functionality.

- The implementations have been built with OpenSSL LIBCRYPTO 1.0.2j and have been tested with OpenSSH 7.2p2.

The following problems are fixed by this ECO:

o Fix problems in SFTP2 when transferring files from VMS to non-VMS when a transfer mode was not set.
    SSH-014_A055 ECO Rank 3 20-Jul-2017

o The format of the /ASCII qualifier on the SCP2 command line has been expanded to allow for the specification of separate source and destination newline sequences, such as /ASCII=(SOURCE=VMS,DEST=UNIX). The old syntax (/ASCII=UNIX) is the same as /ASCII=(DEST=UNIX). This requires that the new USER.CLD be used to set the commands in the command tables.
  Use the following commands to save these as the system command tables:

    $ set command/table=sys$common:[syslib]dcltables.exe -
        /output=sys$common:[syslib]dcltables.exe tcpware:user.cld
    $ install replace sys$library:dcltables

    SSH-013_A055 ECO Rank 3

o Changes to SFTP2 and SFTP-SERVER2 to fix problems with CD and files named .; in the directory.
    SSH-012_A055 ECO Rank 3

o Changes to debugging output in SCP2 to make it more like earlier patches.
    SSH-011_A055 ECO rank 3

o Map two different status code groups used in SFTP2 into a single one, to resolve problems with SFTP2 sometimes returning an unexpected completion status when operating in batch mode.
    SSH-010_A055 ECO rank 3

o Correct a potential memory leak in SFTP2.
    SSH-010_A055 ECO Rank 3

o Additional checks in SFTP2 to detect a freed data structure and reduce the chance of an ACCVIO.
    SSH-010_A055 ECO Rank 3

o Correct problems with waiting for a connection from OpenSSH to terminate.
    SSH-061_A054 ECO Rank 3

o Add a check to a connection run-down routine to see if a data structure has been freed before using it. This corrects an error that could show up as STKOVF or ACCVIO.
    SSH-060_A054 ECO Rank 3

o Increase the number of sessions on ia64 systems to 5000. The system may encounter tuning or performance limitations before this number is reached.
    SSH-058_A054 ECO Rank 3

o Synchronize status return with process termination when the logical TCPWARE_SSH_COMMAND_OLD_STYLE is defined, so that the status of the executed command is returned. Note that the output will then include the process termination output, as if "LOGOUT/FULL" had been done. Command termination may also be delayed, typically by 1 second.
    SSH-057_A054 ECO Rank 3

o Correct a build problem in SCP2, SFTP2, and SFTP-SERVER2 for AXP systems running OpenVMS V7 and V8 that are accessing large files. Improve end of transfer detection.
    SSH-057_A054 ECO Rank 3

o Correct a potential looping problem in SSHD2.
    SSH-057_A054 ECO Rank 3

o Modify the requirements for a translatable file to include all files with variable and variable-with-fixed-control (VFC) records, rather than only those files that also have carriage-return carriage control.
    SSH-056_A054 ECO Rank 3

o Define the system-wide logical TCPWARE_SSH_NO_LEADING_SPACE_NEWLINE to prevent a space and newline from being written out before the user's command on remote command execution.
    SSH-055_A054 ECO Rank 3

o Correct a communication problem between SSH2 and SCP2/SFTP2.
    SSH-054_A054 ECO Rank 3

o Return the correct success/fail status for SCP commands initiated from systems using OpenSSH and other implementations that do RCP over SSH for an SCP command.
    SSH-054_A054 ECO Rank 3

o Correct a problem with client (SCP/SFTP) processes hanging.
    SSH-053_A054 ECO Rank 3

o Correct a problem with processes hanging in RWMBX state.
    SSH-052_A054 ECO Rank 3

o Improve detection of data in a mailbox.
    SSH-051_A054 ECO Rank 3

o Correct a coding error in SSH-049_A054.
    SSH-050_A054 ECO Rank 3

o Correct a problem when attempting to write to a mailbox that is full.
    SSH-049_A054 ECO Rank 3

o Improve reporting of EOF when translating VMS text files to stream-LF.
    SSH-048_A054 ECO Rank 3

o Don't return EOF for attempts to read zero bytes in SFTP-SERVER2.
    SSH-047_A054 ECO Rank 3

o Modify SCP2 and SFTP2 so that they do not post read requests that start after the end of file.
    SSH-046_A054 ECO Rank 3

o Correct a problem in SFTP2 where the path string is duplicated.
    SSH-046_A054 ECO Rank 3

o Increase the frequency with which SFTP-SERVER2 polls for its parent, so that it recognizes loss of the parent sooner and reduces the amount of time it can consume system resources.
    SSH-045_A054 ECO Rank 3

o Improve communication of shutdown requests from SSHD2 to SFTP-SERVER2.
    SSH-045_a054 ECO Rank 3

o Correct a problem on Alpha/AXP systems with transferring files larger than 2GB. There are no changes for VAX or ia64 systems.
    SSH-044_A054 ECO rank 3

o Correct a potential deadlock condition between SSHD and subsystems.
    SSH-042_A054 ECO rank 2

-----------------------------------------------------------------------------

Post-Installation Instructions

A system reboot is required after applying this ECO.
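The DCL below is an added example, not part of the ECO kit and not Process Software's code. It gathers the site tunables described in the change details (TCPWARE_SSH_CONNECT_ID_TIMEOUT, SSH_STEP_THROUGH_RADIUS_ADDRESSES, TCPWARE_SSH_RADIUS_TRUNCATE_USERNAME, TCPWARE_SSH_VMS_ONLY_STATUS) into one post-installation procedure, since SSHD_MASTER reads them only at startup, and shows how a client-side command procedure separates the SSH session status from the SSH_REMOTE_EXIT_STATUS symbol. Assumptions, to be checked against your TCPware documentation: SSH is started with @TCPWARE:START_SSH, the client verb is SSH host "command", remote.example.com is a placeholder, and the logicals are read from the system table.

```dcl
$! Added example, not part of the ECO kit.  Site SSH tunables from the change
$! details, defined before SSH starts (SSHD_MASTER reads them at startup).
$! Assumed: @TCPWARE:START_SSH starts SSH; adjust for your site.
$ SET NOON
$!
$! Time allowed for the client to send its SSH identification string.  Must
$! be a VMS delta time ("dddd hh:mm:ss.cc"); anything else silently reverts
$! to the default (10 seconds since SSHB-V602P060).  Lower it on an exposed
$! host so idle scanners give up their SSHD_MASTER slot quickly.
$ DEFINE/SYSTEM/EXECUTIVE_MODE TCPWARE_SSH_CONNECT_ID_TIMEOUT "0 00:00:05.00"
$!
$! Prove the value parses as a delta time before relying on it.  F$CVTIME
$! rejects a malformed time with a DCL warning; under SET NOON that warning
$! lands in $STATUS instead of aborting the procedure (assumed behaviour).
$ t = F$TRNLNM("TCPWARE_SSH_CONNECT_ID_TIMEOUT", "LNM$SYSTEM_TABLE")
$ dummy = F$CVTIME(t, "ABSOLUTE")
$ IF .NOT. $STATUS THEN WRITE SYS$OUTPUT "Bad delta time """, t, """ - default will be used"
$!
$! RADIUS: rotate through every address DNS returns for the RADIUS host, and
$! strip the part after an underscore from usernames (SMITH_ADM -> SMITH)
$! before asking RADIUS.  Only define the second logical if that really is
$! how your RADIUS accounts are named: it merges SMITH_ADM and SMITH_OPS.
$ DEFINE/SYSTEM/EXECUTIVE_MODE SSH_STEP_THROUGH_RADIUS_ADDRESSES "TRUE"
$ DEFINE/SYSTEM/EXECUTIVE_MODE TCPWARE_SSH_RADIUS_TRUNCATE_USERNAME "TRUE"
$!
$! Make the SSH client's $STATUS reflect only the SSH session itself; the
$! remote command's result arrives separately in SSH_REMOTE_EXIT_STATUS.
$ DEFINE/SYSTEM/EXECUTIVE_MODE TCPWARE_SSH_VMS_ONLY_STATUS "TRUE"
$!
$ @TCPWARE:START_SSH
$!
$! Client-side use of the two statuses.  With VMS_ONLY_STATUS defined, a
$! non-zero remote exit no longer makes $STATUS look like an SSH failure, so
$! a batch job can tell "could not reach the host" from "command ran and
$! reported a problem".  Command syntax assumed: SSH host "command".
$ SSH remote.example.com "test -e /etc/passwd"
$ ssh_status = $STATUS
$ IF .NOT. ssh_status
$ THEN
$     WRITE SYS$OUTPUT "SSH session failed: ", F$MESSAGE(ssh_status)
$     EXIT ssh_status
$ ENDIF
$ IF F$TYPE(SSH_REMOTE_EXIT_STATUS) .EQS. ""
$ THEN
$     WRITE SYS$OUTPUT "Remote side sent no exit-status (RFC 4254 section 6.10)"
$ ELSE
$     rc = F$INTEGER(SSH_REMOTE_EXIT_STATUS)
$     IF rc .NE. 0 THEN WRITE SYS$OUTPUT "Remote command exited with ", rc
$ ENDIF
$ SET ON
$ EXIT
```

Run the server-side part once after the reboot this kit requires, before SSH is started; SSHD_MASTER does not re-read the logicals on a running system. The client-side part illustrates why TCPWARE_SSH_VMS_ONLY_STATUS exists: without it, a remote command that legitimately exits non-zero is indistinguishable in $STATUS from a failed connection.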