SSH for OpenVMS V2.0 Release Notes

July 2003

This document contains a list of new features and bug fixes that have been made since SSH for OpenVMS V1.0.

Revision/Update Information: This document supersedes the SSH for OpenVMS V1.0 Release Notes

Software Version: 2.0

Operating System and Version:
  OpenVMS VAX V5.5-2, 6.2, 7.0, 7.1, 7.2, 7.3
  OpenVMS Alpha V6.2, 7.0, 7.1, 7.2, 7.2-1, 7.2-2, 7.3, 7.3-1

UCX Version: V4.0 ECO5 and later

TCP/IP Services Version: V5.0 and later

Copyright (c)2003 Process Software, LLC. Unpublished - all rights reserved under the copyright laws of the United States

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means electronic, mechanical, magnetic, optical, or otherwise without the prior written permission of:

  Process Software, LLC
  959 Concord Street
  Framingham, MA 01701-4682 USA
  Voice: +1 508 879 6994; FAX: +1 508 879 0042
  info@process.com

Process Software, LLC ("Process") makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Process Software reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of Process Software to notify any person of such revision or changes.

Alpha AXP, AXP, MicroVAX, OpenVMS, VAX, VAX Notes, VMScluster, and VMS are registered trademarks of Hewlett-Packard Corporation.

Kerberos. Copyright (c) 1989, DES.C and PCBC_ENCRYPT.C Copyright (c) 1985, 1986, 1987, 1988 by Massachusetts Institute of Technology. Export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

MultiNet is a registered trademark of Process Software.

Secure Shell (SSH). Copyright (c)2000. This License agreement, including the Exhibits (Agreement), effective as of the latter date of execution (Effective Date), is hereby made by and between Data Fellows, Inc., a California corporation, having principal offices at 675 N. First Street, 8th floor, San Jose, CA 95112170 (Data Fellows) and Process Software, LLC, having a place of business at 959 Concord Street, Framingham, MA 01701 (OEM).

TCPware is a registered trademark of Process Software.

UNIX is a trademark of UNIX System Laboratories, Inc.

All other trademarks, service marks, registered trademarks, or registered service marks mentioned in this document are the property of their respective holders.

Copyright (c)1997, 1998, 1999, 2000 Process Software Corporation. All rights reserved. Printed in USA.

Copyright (c)2000, 2001, 2002, 2003 Process Software, LLC. All rights reserved. Printed in USA.

If the examples of URLs, domain names, internet addresses, and web sites we use in this documentation reflect any that actually exist, it is not intentional and should not be considered an endorsement, approval, or recommendation of the actual site, or any products or services located at any such site by Process Software.
Any resemblance or duplication is strictly coincidental.

Contents

CHAPTER 1  INTRODUCTION
  1.1  TYPOGRAPHICAL CONVENTIONS
  1.2  OBTAINING TECHNICAL SUPPORT
    1.2.1  Before Calling Technical Support
    1.2.2  Sending Electronic Mail
    1.2.3  Calling Technical Support
  1.3  INFORMATIONAL NOTE CONCERNING DOCUMENTATION
    1.3.1  HTML Format
    1.3.2  PDF Format
    1.3.3  Documentation Comments
  1.4  GETTING HELP
  1.5  RELEASE NOTES LOCATION
  1.6  OBTAINING ECO KITS

CHAPTER 2  SSH FOR OPENVMS FEATURES, KNOWN PROBLEMS AND FIXED PROBLEMS
  2.1  SSH FOR OPENVMS FEATURES
  2.2  KERBEROS V5 SUPPORT
  2.3  KNOWN PROBLEMS
    2.3.1  Secure Shell (SSH) Known Problems
    2.3.2  SFTP/SCP Known Problems
  2.4  CHANGES IN DEFAULT BEHAVIOR
  2.5  FIXED PROBLEMS

1 Introduction

These Release Notes describe SSH for OpenVMS version 2.0. This set of Release Notes describes conventions used in the SSH for OpenVMS documentation set and the various methods to contact and receive technical support.

1.1 Typographical Conventions

Examples in these Release Notes use the following conventions:

Convention        Example        Meaning
----------        -------        -------
Angle brackets                   Represents a key on your keyboard.

Angle brackets                   Indicates that you hold down the key
with a slash                     labeled Control or Ctrl while
                                 simultaneously pressing another key;
                                 in this example, the "A" key.

Square brackets   [FULL]         Indicates optional choices; you can
                                 enter none of the choices, or as many
                                 as you like. When shown as part of an
                                 example, square brackets are actual
                                 characters you should type.

Underscore or     file_name or   Between words in commands, indicates
hyphen            file-name      the item is a single element.

1.2 Obtaining Technical Support

Process Software provides technical support if you have a current Maintenance Service Agreement. If you obtained SSH for OpenVMS from an authorized distributor or partner, you receive your technical support directly from them.

You can contact Technical Support by:

o Sending electronic mail

o Calling Technical Support

1.2.1 Before Calling Technical Support

Before you call or send e-mail:

1. Verify that your Maintenance Service Agreement is current.

2. Have the following information available:

   Your name
   Your company name
   Your e-mail address
   Your voice and fax telephone numbers
   Your Maintenance Contract Number
   OpenVMS architecture
   OpenVMS version
   TCP/IP Services for OpenVMS version

3. Have complete information about your configuration, error messages that appeared, and problem specifics.

4. Be prepared to let Technical Support connect to your system, either with TELNET or by dialing in using a modem. Be prepared to give Technical Support access to a privileged account to diagnose your problem.

1.2.2 Sending Electronic Mail

For many questions, electronic mail is the preferred communication method. Technical support via electronic mail is available to customers with a current support contract. Send electronic mail to support@process.com.
At the beginning of your mail message, include the information listed in the section "Before Contacting Technical Support." Continue with the description of your situation and problem specifics. Include all relevant information to help Technical Support process and track your electronic support request.

Electronic mail is generally responded to within two hours, during our normal business hours, Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

1.2.3 Calling Technical Support

For regular support issues, call 800-394-8700 or 508-628-5074 for support Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

For our customers in North America with critical problems, an option for support 7 days per week, 24 hours per day is available at an additional charge. Please contact your Account Representative for further details.

Before calling, be sure to have the information available that is described in the section "Before Contacting Technical Support." When you call, you will be directly connected to Technical Support.

Be prepared to discuss problem specifics with Technical Support and to allow that person to connect to your system (if needed).

If our Support Specialists are assisting other customers and you are put on hold, please stay on the line. Most calls are answered in less than five minutes. If you cannot wait for a Specialist to take your call, please take advantage of our automatic call logging feature by sending mail to support@process.com.

1.3 Informational Note Concerning Documentation

The documentation for SSH for OpenVMS version 2.0 includes HTML and PDF files.
1.3.1 HTML Format

The SSH for OpenVMS beta documentation has the following HTML files:

o frontmr.htm
o ssh_pre.htm
o httoc.htm
o ch1.htm
o ch2.htm
o ch3.htm
o ch4.htm
o ch5.htm
o ch6.htm
o ch7.htm
o ch8.htm
o AppA.htm
o htindex.htm
o index
o ssh_rc.htm

Note: httoc.htm is the Table of Contents file and htindex is the Index file.

1.3.2 PDF Format

The SSH for OpenVMS beta documentation has the following PDF file:

o SSH_OPENVMS.PDF - contains the SSH for OpenVMS Administration and User's Guide

1.3.3 Documentation Comments

Your comments about the information in these Release Notes can help us improve the documentation. If you have corrections or suggestions for improvement, please let us know.

Be as specific as possible with your comments: include the exact title of the document, version, date, and page references as appropriate. You can send your comments by e-mail to:

  Process Software
  959 Concord Street
  Framingham, MA 01701-4682
  Attention: Marketing Manager

You can also fax your comments to us at 508-879-0042.

Your comments about our documentation are appreciated.

1.4 Getting Help

Contact your SSH for OpenVMS distributor or Process Software if you need assistance or have questions concerning the installation or configuration of SSH for OpenVMS. Process Software provides technical support if you have a current Maintenance Service Agreement [support@process.com; 800-394-8700 or 508-628-5074]. If you obtained SSH for OpenVMS from an authorized distributor or partner, you receive your technical support directly from them.

Timely notices, pointers to new SSH for OpenVMS images, and other product-related news of interest may also be found at the Process Software web site, www.process.com.
1.5 Release Notes Location

These release notes, in text format, are located on the SSH for OpenVMS V2.0 CD-ROM in the documentation directory tree. They can be obtained from the kit using the command:

  $ @SYS$UPDATE:VMSINSTAL MULTINET044 DEVICE:[DIRECTORY] OPTIONS N

1.6 Obtaining ECO Kits

ECOs may be obtained from the anonymous FTP account on ftp.multinet.process.com; use FTP to connect to the host ftp.multinet.process.com and log in as the user anonymous. Use your e-mail address as the login password. Using ftp.multinet.process.com, move to the ssh020 patches subdirectory:

  ftp> cd patches
  ftp> cd ssh020

2 SSH for OpenVMS Features, Known Problems and Fixed Problems

This chapter includes information pertaining to new features, known problems, and V1.0 reported problems that have been fixed.

2.1 SSH for OpenVMS Features

This section describes the features provided in SSH for OpenVMS V2.0.

o Secure Copy Protocol - A Secure Copy (SCP) client and server are provided. ASCII and BINARY transfers can be performed with the default being BINARY. ASCII transfers require the systems or user to specify the newline sequence to work reliably.

  Process Software has used the defined extensions in the protocol to transfer information about the VMS file header characteristics such that when a file is transferred between two VMS systems running SSH for OpenVMS, TCPware 5.6, or MultiNet 4.4 (or later), the file header information will also be transferred and the file will have the same format on the destination system as it had on the source system.
  Also, when a file is transferred to a non-VMS system, a method has been provided to translate those files that can be translated into a format that will be usable on the remote system. Files that are transferred from non-VMS systems are stored as stream files on the VMS system, which provides compatibility for text files from those systems.

o SCP2 consists of the client program SCP2, which includes an embedded SFTP server for local file access, and SFTP-SERVER2, which runs on the remote system to access the file. SCP2 communicates with SSH2 for authentication and transport (which includes encryption) to remote systems; SFTP-SERVER2 communicates with SSH2 for data transport.

o SFTP server and client that provide secure file transfer with an FTP-like command set, using authentication and encryption.

o Secure Shell (SSH) - A single SSH client is provided that supports both the SSH1 and SSH2 protocols on remote systems. Independent servers to support both the SSH1 and SSH2 protocols are provided.

o Better interoperability with updated SSH and SCP server and client code, including: native support for text file transfers and support for the IETF SSH file transfer protocol V4 draft.

o Single sign-on support allows use of existing PKI certificates and Kerberos infrastructure.

o More extensive reporting provides detailed error information on remote systems.

2.2 Kerberos V5 Support

Single sign-on via Kerberos V5 is now supported with this release. In order to enable this feature, the HP OpenVMS Kerberos V5 T2.0 (or later) kit must be installed (see http://h71000.www7.hp.com/openvms/products/kerberos/). This kit restricts support for Kerberos (and hence, Kerberos V5 support in SSH for OpenVMS) to OpenVMS Alpha 7.2-2 and higher.
As newer field test and/or production versions of HP OpenVMS Kerberos V5 become available, Process Software will ensure SSH for OpenVMS changes as necessary to accommodate the newer Kerberos V5 versions.

Kerberos V5 must be installed, configured and started prior to starting SSH for OpenVMS.

When Kerberos V5 support is enabled, authentication may be done via Kerberos password, Kerberos credentials, forwardable TGT, and passing TGT to remote hosts for single sign-on support.

2.3 Known Problems

This section describes the known problems in SSH for OpenVMS version 2.0.

2.3.1 Secure Shell (SSH) Known Problems

o Under some (as yet unknown) rare circumstances, SSHD2 server processes (SSHD nnnnn) may enter an infinite loop, consuming a lot of CPU resources.

o In some cases, FTP over SSH doesn't work properly. File transfers in FTP passive mode will work. (D/E 8872)

2.3.2 SFTP/SCP Known Problems

o SFTP2 assumes that filenames that do not have a period (.) in them are references to directory files for file operations unless the file attributes state that it is not a directory. This may cause some files to be created as .DIR.

o The VMS recursive directory notation ([...]) is not supported, as it cannot be translated to a UNIX equivalent.

o Security Express for Windows by ByteFusion has problems getting directories with our SFTP server.

o ls -R does not return all occurrences of the specified file if there is more than one.

o If OpenSSH SFTP is being used and the filename is being specified as part of starting SFTP (i.e., sftp user@host:file file), then the source (first) filename must not contain wildcards.
o When using case-sensitive filenames on ODS-5 disks (without SRI encoding) there are different results from OpenSSH SCP (which uses the RCP protocol) and SCP that uses the SSH File Transfer Protocol for binary and ASCII transfers. A workaround for this problem is:

  $ DEFINE/SYSTEM DECC$EFS_CASE_PRESERVE ENABLE

  so that the C RTL preserves the case of the filename as specified.

o Successive [l]open statements in SFTP2 may cause a hang due to a resource consumption problem. This can be avoided by exiting and restarting SFTP2 instead of closing the current connection and opening another.

o SFTP2 may ACCVIO if a LS -R is done when set default to a logical name that is a search list.

o Files copied (with either SFTP2 or SCP2) in VMS mode to an ODS-5 disk from an ODS-2 disk will be created in lowercase. This is due to the SRI encoding being used on ODS-2 and not (by default) being used on ODS-5 and the default case for SRI encoding being lowercase.

o Attempts to rename directories with SFTP2 may fail due to protection problems.

o An error in opening a connection from SFTP2 will result in exiting to DCL.

o ASCII transfers of small files may sometimes display 0 Bytes transferred when done, even though the file has been successfully transferred.

o When using SFTP2 in VMS mode with the default of FALSE for the MULTINET_SFTP_VMS_ALL_VERSIONS logical, using a wildcard for version numbers does not work, but specifying specific version numbers does work.

o Using "rm" (remove) from SFTP2 on a directory may give a misleading error message.

o Directory names that start with "." (or $5N when viewed from VMS) cannot be accessed.

2.4 Changes in Default Behavior

o The default value for MULTINET_SFTP_TRANSLATE_VMS_FILE_TYPES has changed from 0 to 7.
  This will cause transfer of text files that are initiated from non-VMS systems to be automatically translated into stream-LF format.

o The MULTINET_SFTP_USE_SRI_ENCODING_ON_ODS5 has a default value of FALSE. This can cause files copied to ODS5 disks to have slight differences in the name from previous versions.

o When an account in the SYSUAF has an expired password AND the system sylogin.com or user's login.com has a SET TERM command, a warning message will be displayed prior to prompting to change the password as follows:

  Your password has expired; you must set a new password to log in
  %SET-W-NOTSET, error modifying DKA0:
  -SET-E-INVDEV, device is invalid for requested operation
  Old password:

  The way to suppress these warning messages would be to check for the appropriate login flag and skip around any SET TERM commands:

  $! Clear the low bit of LOGIN_FLAGS, then skip the SET TERM commands when the result is 4
  $ flags = f$getjpi("", "LOGIN_FLAGS")
  $ new_flags = (flags/2)*2
  $ if new_flags .eq. 4 then goto skip_the_inquiry

o The following SSHKEYGEN switches have been changed as follows:

  From /CONVERT_PKCS to /PKCS_CONVERT
  From /CONVERT_SSH1 to /SSH1_CONVERT
  From /CONVERT_X509 to /X509_CONVERT

o For SCP2 and SFTP2 transfers, if the user only desires to match a particular case of file on ODS-5 disks, and they are using OpenVMS 7.3-1 or later, then the following command must be executed in the user's login.com:

  $ SET PROCESS/CASE_LOOKUP=SENSITIVE

2.5 Fixed Problems

o Fixed a problem with the UserConfigDirectory keyword being ignored by SSH-KEYGEN2. (D/E 8147)

o Fixed SCP to work with files larger than 2GB. (D/E 8177)

o Fixed a problem with $ MU SSHKEYGEN commands in SSH_CONTROL conflicting with MUMPS commands. (D/E 8262)

o Fixed a problem with the SSH server locking up.
  It now times out when waiting for an identify string. (D/E 8305)

o Fixed a problem with TryEmptyPassword causing the SSH2 client to exit. (D/E 8312)

o Fixed a problem with a DCL procedure distinguishing SSH sessions from non-SSH sessions. (D/E 8315)

o Fixed a problem that caused a "Restarting protocol" error to occur when a file copy was initiated from an OpenSSH system. (D/E 8316)

o Fixed a problem with the MULTINET_SSH_SCP_SERVER_DEBUG logical not causing the debug log file to be written. (D/E 8317)

o Fixed an SSH problem that occurred when using the QUIT command with SFTP. (D/E 8333)

o Fixed a problem with SCP2 and translating large files. (D/E 8411)

o Fixed a problem using an SSH 3.2.0 SCP client with SSH for OpenVMS. (D/E 8422)

o Fixed a problem turning off VERIFY when executing the remote command. (D/E 8423)

o Fixed a problem with the SSH server hanging if the child process terminates prematurely. (D/E 8431)

o Password authentication of the user system no longer fails. (D/E 8435)

o Fixed a problem that occurred when forwarding a local privileged port to another system. (D/E 8443)

o Fixed a problem using SCP2 with VanDyke's SecureFX. (D/E 8521)

o Fixed a problem with captive accounts not being prompted to change their password. (D/E 8526)

o Fixed a problem with SCP2 hanging when the destination host did not exist. (D/E 8642)

o Fixed a problem using an OpenSSH client to SCP a VMS file that had $ in its name. (D/E 8649)

o Fixed potential security leaks that could occur with SSH implementations. (CERT Advisory CA-2002-36) (D/E 8680)

o SSH is now included in accounting information. (D/E 8683)

o Fixed problems that occurred when logging on to the system when the user is limited to a single log in. (D/E 8694)

o Fixed a problem with an OpenVMS access violation that occurred when using the /TRANSLATE qualifier with SCP. (D/E 8805)

o Fixed a problem with SSH client compression.
  (D/E 8738)

o Fixed an SSH2 problem with public key authentication. (D/E 8748)

o Fixed a problem with the SSH2 server not notifying the client if logins are disabled. (D/E 8779)
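
Command procedures written for V1.0 may still use the old SSHKEYGEN qualifier names listed in section 2.4. The following Python script is an added example, not part of the original release notes or Process Software code: it scans the text of a DCL command procedure for the old qualifiers, joining continuation lines and ignoring comments, and reports the V2.0 replacement. The sample procedure, its file names, and the rule that a relevant command line contains "KEYGEN" are constructed assumptions.

```python
import re

# Old suffix -> new qualifier, from the "Changes in Default Behavior" list.
RENAMED = {
    "PKCS": "/PKCS_CONVERT",
    "SSH1": "/SSH1_CONVERT",
    "X509": "/X509_CONVERT",
}
OLD_QUALIFIER = re.compile(r"/CONVERT_([A-Z0-9]*)", re.IGNORECASE)


def logical_lines(text):
    """Yield (first_line_number, command), joining DCL '-' continuations."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = number
        if line.endswith("-"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:  # file ended on a continuation line
        yield start, buf


def strip_comment(command):
    """Cut a DCL comment: the first '!' that is outside a quoted string."""
    in_quotes = False
    for i, ch in enumerate(command):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "!" and not in_quotes:
            return command[:i]
    return command


def audit(text):
    """Return (line, old_qualifier, replacement) for each old qualifier found.

    replacement is None when the name after /CONVERT_ is not one of the three
    listed renames (for example an abbreviation); review those by hand.
    """
    findings = []
    for number, command in logical_lines(text):
        code = strip_comment(command)
        # Heuristic (assumption): the command line names the key generator.
        if "KEYGEN" not in code.upper():
            continue
        for match in OLD_QUALIFIER.finditer(code):
            old = match.group(0).upper()
            findings.append((number, old, RENAMED.get(match.group(1).upper())))
    return findings


# Constructed sample procedure; commands and file names are illustrative only.
SAMPLE = '''$! Key conversion job (constructed sample)
$ MU SSHKEYGEN /convert_ssh1 OLDKEY.DAT
$ MU SSHKEYGEN -
      /CONVERT_X5 CERT.DAT
$ WRITE SYS$OUTPUT "schedule /CONVERT_PKCS run"
$ MU SSHKEYGEN /PKCS_CONVERT KEY.DAT   ! formerly /CONVERT_PKCS
'''

if __name__ == "__main__":
    for line, old, new in audit(SAMPLE):
        print(f"line {line}: {old} -> {new or 'unrecognised, review by hand'}")
```

An entry whose replacement is None, such as the abbreviated /CONVERT_X5 in the sample, is not one of the three listed names and needs a manual check.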