ECO kit SSHB_V602P043

SSHB_V602P043 ECO kit rev 4.03 For TCPware 6.0-2	21-Apr-2020

    Copyright (c) 2010-2020 Process Software LLC

    This ECO kit provides a new version of the following files for
    V6.0-2:

	LDAP-PLUGIN.EXE     LOAD_SSHLEI.EXE     PUBLICKEY-SERVER.EXE
	PUBLICKEY_ASSISTANT.EXE                 SCP-SERVER1.EXE     
	SCP2.EXE            SECURID-PLUGIN.EXE  SFTP-SERVER2.EXE    
	SFTP2.EXE           SSH-ADD2.EXE       	SSH-AGENT2.EXE      
	SSH-CERTTOOL.EXE    SSH-CERTVIEW.EXE    SSH-CMPCLIENT.EXE  
	SSH-KEYGEN.EXE      SSH-KEYGEN2.EXE     SSH-SIGNER2.EXE     
	SSH2.EXE            SSHD.EXE            SSHD2.EXE           
	SSHD_MASTER.EXE     SSHLEI.EXE         	SSH_FSCLM.EXE       
	SSH_ZLIB.EXE        UNLOAD_SSHLEI.EXE   START_SSH.COM
	SSHSHR.EXE	    MULTINET.CLD


    This patch is applicable to TCPware SSH on V6.0 on all supported
    versions of OpenVMS Alpha and OpenVMS I64.

    NOTE: A system reboot is required after installing this kit.

    This kit has an ECO ranking of 3.

    This update to Process Software's implementation of SSH adds functionality
    to Alpha AXP and ia64 systems to support SSH Suite B (RFC 6329), which
    provides new key exchange mechanisms, new encryption methods and new
    hashes (MACs).  Primary testing has been with OpenSSH, with additional
    testing with PuTTY, Core FTP and other applications that use SSH.  Some of
    those applications had problems in older versions that were resolved by
    upgrading to a more recent version.

    Change details:

	- Correct a problem with exchanging files with FileZilla.
	  SSH_V602P043 ECO Rank 3 21-Apr-2020

	- Allow a default file size to be specified with the logical
	  MULTINET_SFTP_DEFAULT_SIZE for interacting with servers that don't
	  return a file size.
	  SSH_V602P042 ECO Rank 3 24-Sep-2019

	- Recognize that WS_FTP-12.7 doesn't like IGNORE messages while doing
	  Group Exchange Key Exchange.
	  SSH_V602P041 ECO Rank 3 9-Sep-2019

	- Correct an error in the input sensing code that could cause delays.
	  SSH_V602P040 ECO Rank 3 8-Jul-2019

	- If the logical SSH_STEP_THROUGH_RADIUS_ADDRESSES is defined to
	  True/Yes/1 then each attempt to do authentication via the RADIUS
	  server will use a different returned address when the DNS lookup
	  returns multiple addresses, instead of always trying the first
	  address. This provides additional failover capability if the DNS
	  lookup of the RADIUS host always returns the addresses in the same
	  order.  If the DNS lookup does a round-robin of the addresses, then
	  the traditional behavior already provides failover capability.
	  SSHB_V602P040 ECO Rank 3 8-Jul-2019

	- Correct an error in Group Exchange Key Exchange for group 18.
	  SSHB_V602P040 ECO Rank 3 8-Jul-2019

	- Change installation procedures such that the V7 SFTP2 and SCP2
	  Alpha AXP images are only used for systems running VMS V7.2 and later.
	  There have been some problems using the V7 images on earlier V7 VMS
	  systems. The difference between the V6 and V7 images is large
	  file and ODS-5 support, which is only in VMS V7.2 and later.
	  SSHB_V602P040 ECO Rank 3 10-May-2019

	- Correct a problem in SFTP2 with LCD to a logical name.
	  SSHB-039_A024 ECO Rank 3 27-Mar-2019

	- Correct a problem that can lead to dangling SFTP_SERVER processes.
	  SSHB-038_A055 ECO Rank 3 7-Mar-2019

	- Fix some parsing problems in SSH_FXP_REALPATH.
	  SSHB_038-A024 ECO Rank 3 17-Jan-2019

	- Fix a channel leak in SSHD_MASTER.
	  SSHB-038 ECO Rank 3 14-Jan-2019

	- Add a connection timeout routine to SSH-AGENT2 to deal with dangling
	  connections that lead to consumption of BYTLM quota.
	  SSHB-V602P037 ECO Rank 3 14-Dec-2018

	- Improve CD operations in VMS mode when a logical is used as the target.
	  SSHB-V602P027 ECO Rank 3 7-Dec-2018

	- Correct some memory leaks in SSH-AGENT2, which could cause problems
	  with heavy usage. SSHB-V602P036 ECO Rank 3 21-Nov-2018

	- Correct a problem with verifying an RSA host key with ECDH
	  key exchange. SSHB-V602P035 ECO Rank 3 31-Oct-2018

	- Correct a problem with passwords that are 32 characters long.
	  SSHB-V602P034 ECO Rank 3 17-Sep-2018

	- Updates to key exchange code to support diffie-hellman-group14-sha256.
	  SSHB_V602P033 ECO Rank 3 10-Aug-2018

	- Updates to certificate authentication code after testing with
	  RSA2048-SHA256 certificates.
	  SSHB_V602P033 ECO Rank 3 29-May-2018

	- Added configuration variable RadiusTimeout to allow site
	  configuration of Radius Timeout value.  The default value is 3
	  seconds. SSH-029_A055 ECO Rank 3 12-Jul-2018

	- Correct a data structure alignment issue in the I/O module to
	  improve performance. This provides new images for SSH2, SSHD2,
	  SFTP2, SCP2 and  SFTP-SERVER2. SSH-019_A055 ECO Rank 3 25-Apr-2018

	- Make SCP2, SFTP2 and SFTP-SERVER2 observe the setting of the
	  MULTINET_SFTP_DEFAULT_FILE_TYPE_REGULAR at all points that files
	  could be accessed. SSH-018_A055 ECO Rank 3 30-Jan-2018

	- When the logical MULTINET_SSH_RADIUS_TRUNCATE_USERNAME is defined in
	  the system logical name table, usernames will be truncated before
	  any underscore (_) present in the name before attempting RADIUS
	  password authentication. SSH-017_A055 ECO Rank 3 29-Jan-2018

	- Correct attempts to open /dev/random and /dev/urandom that can cause
	  problems on systems that have a logical for dev defined.
	  SSH-017_A055 ECO Rank 3 29-Jan-2018

	- Modification to SSHD2 and SSH2 to support SSH Group Exchange Key
	  Exchange (RFC 4419), so that the correct minimum level of security
	  can be maintained for RSA2048-SHA256 certificates.
	  SSHB_V602P033 ECO Rank 3 21-Nov-2017

	- Modification of SSHD2 to support of LOAD_PWD_POLICY and
	  VMS$PASSWORD_POLICY callouts with PWDMIX on systems that support
	  PWDMIX. Note that the VMS$PASSWORD_POLICY callouts must NOT write to
	  SYS$OUTPUT or attempt to read from SYS$INPUT as these channels are
	  used for network communication and doing so will cause problems.
	  Writes to SYS$ERROR will appear in the SSH_LOG:SSHD.LOG for the
	  session. SSH-016_A055 ECO Rank 3 8-Nov-2017

	- Modification of SSHD2 to prevent CAPTIVE or RESTRICTED usernames
	  from creating tunnels. SSH-016_A055 ECO Rank 3 8-Nov-2017

	- Modification to SSHD2 and SSH2 to support X509v3-rsa2048-sha256
	  certificates for host key exchange. (RFC 6187)
	  SSHB_V602P033 ECO Rank 3  31-Oct-2017

	- Modification of SSHD_MASTER to allow for control of the timeout of
	  the connection id with the logical MULTINET_SSH_CONNECT_ID_TIMEOUT.
	  This logical should be defined to a VMS delta time before SSH is
	  started. Modification requires restarting of SSH to take effect.
	  If the logical is not defined, or not a VMS delta time, then the
	  default value of 1 minute (0 00:01:00.0) is used.
	  SSH_V602P028 ECO Rank 3

	- Modifications to SSHD2 such that it can read unencrypted certificate
	  keys for system authentication with certificates without having to
	  process the keys and certificates with the certificate utilities.

	- Elliptic curve Diffie-Hellman (ECDH) key agreement [RFC 5656]
		Curves: nistp256, nistp384, nistp521 

		The curve chosen will be sufficient to support the hash for
		the host keys involved. This means that if the host key is
		ECDSA-nistp521, only the nistp521 curve will be available, an
		ECDSA-nistp384 key will have nistp384 and nistp521 available,
		and ECDSA-nistp256 will have nistp256, nistp384 and nistp521
		available. 

	- Elliptic curve digital signature algorithm (ECDSA) [RFC 5656].
	  Public keys are written in a format close to what is used by OpenSSH
	  and OpenSSH public keys can be read as is. The "Subject" and
	  "Comment" lines in the key may need to be removed to make the keys 
	  readable by OpenSSH. The curves supported are: 
		nistp256, nistp384, nistp521

	- Advanced Encryption Standard running in Galois/Counter Mode
	  (AES-GCM) [RFC 5647], as modified by OpenSSH to resolve a
	  potential ambiguity as the encryption and message authentication are
	  both provided by a single algorithm. In this case the ciphers are
	  named: 
		aes128-gcm@openssh.com, aes256-gcm@openssh.com

	- New MACs: SHA-256, SHA-384 and SHA-512 [RFC 6668]. These can be used
	  with any ciphers, except the gcm ciphers, which provide both
	  encryption and MAC functionality. 

	- The implementations have been built with OpenSSL LIBCRYPTO 1.0.2j
	  and have been tested with OpenSSH 7.2p2.

    The following problems are fixed by this ECO:
     o  Fix problems in SFTP2 when transferring files from VMS to non-VMS when
        a transfer mode was not set.
	SSH-014_A055 ECO Rank 3 20-Jul-2017

     o  The format of the /ASCII qualifier on the SCP2 command line has been
	expanded to allow for the specification of separate source and
	destination newline sequences such as /ASCII=(SOURCE=VMS,DEST=UNIX).
	Old syntax (/ASCII=UNIX) is the same as /ASCII=(DEST=UNIX). This
	requires that the new USER.CLD be used to set the commands in the
	command tables. Use the following command line to save these as the
	system command tables:
		$ set command/table=sys$common:[syslib]dcltables.exe -
		  /output=sys$common:[syslib]dcltables.exe multinet:user.cld
		$ install replace sys$library:dcltables
	SSH-013_A055 ECO Rank 3

     o  Changes to SFTP2 and SFTP-SERVER2 to fix problems with CD and files
        named .; in the directory.  SSH-012_A055 ECO Rank 3

     o  Changes to debugging output in SCP2 to make it more like earlier
	patches. SSH-011_A055 ECO rank 3

     o  Map two different status code groups used in SFTP2 into a single one
	to resolve problems with SFTP2 sometimes returning unexpected
	completion status when operating in batch mode.
	SSH-010_A055 ECO rank 3

     o  Correct a potential memory leak in SFTP2. SSH-010_A055 ECO Rank 3

     o  Additional checks in SFTP2 to detect a freed data structure and reduce
	the chance of an ACCVIO.  SSH-010_A055 ECO Rank 3

     o  Correct problems with waiting for connection to terminate from
	OpenSSH. SSH-061_A054 ECO Rank 3

     o  Add checking to a connection run-down routine to see if a data
	structure has been freed before using it. This corrects an error that
	could show up as STKOVF or ACCVIO. SSH-060_A054 ECO Rank 3

     o  Increase the number of sessions on ia64 systems to 5000. The system
        may encounter tuning or performance limitations before this number is
        reached. SSH-058_A054 ECO Rank 3

     o  Synchronize status returning with process termination when the logical
	MULTINET_SSH_COMMAND_OLD_STYLE is defined so that the status of the
	executed command is returned. Note that as a result the output will
	include the output of process termination, as if "LOGOUT/FULL" had
	been done. Command termination may also be delayed, typically for
	1 second.
	SSH-057_A054 ECO Rank 3

     o  Correct a build problem in SCP2, SFTP2, and SFTP-SERVER2 for AXP
	systems running OpenVMS V7 and V8 that are accessing large files.
	Improve end of transfer detection.
	SSH-057_A054 ECO Rank 3

     o  Correct a potential looping problem in SSHD2.
	SSH-057_A054 ECO Rank 3

     o  Modify the requirements for a translatable file to include all files
	with variable and variable-fixed control records, rather than
	restricting it to only those files that also have carriage-return
	carriage control.
	SSH-056_A054 ECO Rank 3

     o  Define the system wide logical MULTINET_SSH_NO_LEADING_SPACE_NEWLINE
        to prevent a space and newline from being written out before the user's
        command on remote command execution.
	SSH-055_A054 ECO Rank 3

     o  Correct a communication problem between SSH2 and SCP2/SFTP2.
	SSH-054_A054 ECO Rank 3

     o  Return correct success/fail status for SCP commands initiated from
	systems using OpenSSH and other implementations that do RCP over
	SSH for an SCP command.
	SSH-054_A054 ECO Rank 3

     o  Correct a problem with client (SCP/SFTP) processes hanging.
	SSH-053_A054 ECO Rank 3

     o  Correct a problem with processes hanging in RWMBX state.
	SSH-052_A054 ECO Rank 3

     o  Improve detection of data in mailbox.
	SSH-051_A054 ECO Rank 3

     o  Correct a coding error in SSH-049_A054.
	SSH-050_A054 ECO Rank 3

     o  Correct a problem when attempting to write to a mailbox that is full.
	SSH-049_A054 ECO Rank 3

     o  Improve reporting of EOF when translating VMS text files to stream-lf.
	SSH-048_A054 ECO Rank 3

     o  Don't return EOF for attempts to read zero bytes by SFTP-SERVER2.
        SSH-047_A054 ECO Rank 3

     o  Modify SCP2 and SFTP2 so that they do not post read requests that
	start after the end of file.
	SSH-046_A054 ECO Rank 3

     o  Correct a problem in SFTP2 where the path string is duplicated.
        SSH-046_A054 ECO Rank 3

     o  Increase the frequency at which SFTP-SERVER2 polls for its parent so
	that it recognizes loss of the parent sooner, reducing the time during
	which it can consume system resources.
	SSH-045_A054 ECO Rank 3

     o  Improve communication of shutdown request from SSHD2 to SFTP-SERVER2.
	SSH-045_A054 ECO Rank 3

     o  Correct a problem on Alpha/AXP systems with transferring files larger
        than 2GB. There are no changes for VAX or ia64 systems.
	SSH-044_A054 ECO rank 3

     o  Correct a potential deadlock condition between SSHD and subsystems.
        SSH-042_A054 ECO rank 2

    ----------------------------------------------------------------------
    This kit also includes the following changes from previous ECO kits:

     o  Correct a data corruption issue in VMS transfers introduced in
        SSH-032_A054. [SSH-033_A054]

     o  Performance improvements for MULTINET_SSH_ACCESS_AUTHORIZATION
        processing.  [SSH-033_A054]

     o  Provide the logical MULTINET_SFTP_OPEN_AS_BINARY, which can be
	defined to Yes, True or 1 to cause the SFTP server to open files in
	binary mode instead of Stream-LF. [SSH-032_A054]

     o  Correct an ACCVIO in SCP2 and SFTP2 that can be experienced when
	copying very small files to a VMS system. [SSH-031_A054, DE 11324]

     o  Provide more flexibility in how user access authorization is done
	for the various access modes. [SSH-031_A054, DE 11272]

	When the logical MULTINET_SSH_ACCESS_AUTHORIZATION is defined
	/SYSTEM, user authentication checking will take place separately
	from action authorization checking. The value of the logical will
	be used to determine whether or not the desired action is allowed at
	this time. The value of the logical should be a string of the format:

        SHELL=,EXEC=,SUBSYSTEM=

	where each value is one of NETWORK, LOCAL, REMOTE. If one of SHELL,
	EXEC, or SUBSYSTEM is omitted, then that type of access will not be
	allowed at all.
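	The following is an added illustration, not Process Software's code, of
	how a value of MULTINET_SSH_ACCESS_AUTHORIZATION in the format above can
	be parsed and applied. It takes only the SHELL=/EXEC=/SUBSYSTEM= format,
	the three permitted values and the omitted-key-denies rule from this note;
	the reading that the value names the SYSUAF access flag (NETWORK, LOCAL or
	REMOTE) that must be enabled for the account, the function names, and the
	sample account flags are assumptions made for the example.

```python
"""Model of the MULTINET_SSH_ACCESS_AUTHORIZATION decision (illustration only).

Assumption: the mode named for an action is the SYSUAF access flag
(NETWORK/LOCAL/REMOTE) that must be enabled for the account.
"""
ACTIONS = ("SHELL", "EXEC", "SUBSYSTEM")   # action types named in the note
MODES = ("NETWORK", "LOCAL", "REMOTE")     # permitted values from the note


def parse_access_authorization(value):
    """Parse the logical's value into a dict {action: mode}.

    Keys and values are treated case-insensitively and surrounding blanks are
    ignored.  An unknown key or mode raises ValueError so that a typo fails
    closed instead of silently granting access or dropping an entry.
    """
    policy = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, mode = item.partition("=")
        key, mode = key.strip().upper(), mode.strip().upper()
        if not sep or key not in ACTIONS:
            raise ValueError("bad item in MULTINET_SSH_ACCESS_AUTHORIZATION: %r" % item)
        if mode not in MODES:
            raise ValueError("unknown access mode %r for %s" % (mode, key))
        policy[key] = mode
    return policy


def action_allowed(policy, action, uaf_access_flags):
    """Return True if `action` may proceed for an account whose enabled SYSUAF
    access flags (constructed set of mode names) are `uaf_access_flags`.
    An action omitted from the logical is denied, as the note states."""
    mode = policy.get(action.upper())
    if mode is None:
        return False
    return mode in {flag.upper() for flag in uaf_access_flags}


if __name__ == "__main__":
    # Constructed sample: shells are checked against LOCAL, remote commands
    # against NETWORK, and SUBSYSTEM (sftp/scp) is deliberately omitted.
    policy = parse_access_authorization("SHELL=LOCAL,EXEC=NETWORK")
    account = {"NETWORK", "LOCAL"}          # constructed SYSUAF access flags
    print(action_allowed(policy, "SHELL", account))      # True
    print(action_allowed(policy, "SUBSYSTEM", account))  # False (omitted)
```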

     o  Correct a possible crash.
	[DE 11254]

     o  Correct an error in displaying the VMS format of the path in SFTP2.
	Note that this change requires both the client and the server to be
	running this patch for the correction to work. If the server is
	running an older patch a fallback method is used to format the path to
	VMS and it may result in errors.

     o  Correct an error when attempting to do a MKDIR or RMDIR in VMS mode.
	[DE 11249]

     o  Change a lock to be node specific, as the resource that it is
        controlling is node specific. This reduces the chance that one busy
        node in a cluster causes problems on connection startup on other
        members of the cluster. Also modify the process startup loop to
        recognize when it hasn't found an open slot in the active process
        database and return an error instead of endlessly looping.
        [DE 11250]

     o  Make public key authentication work regardless of the case that
        the username is passed in.
	[DE 11252]

     o  Correct a problem with the possibility of a command issued from a Linux
	system causing a hang.
	[DE 11256]



-----------------------------------------------------------------------------

                        Post-Installation Instructions

    A system reboot is required after applying this ECO.

TCPware ECO, Process Software