ECO kit SSH_V592P041
----------------------------------------------------------------------------
SSH_V592P041 patch kit (revision 4.1) for TCPware 5.8/5.9 17-May-2012
Copyright (c) 2006, 2007, 2008, 2010, 2011, 2012 by Process Software
This VMSINSTAL saveset provides new versions of the
following SSH components:
- SSH client (SSH2.EXE)
- SSH1 server (SSHD.EXE)
- SSH2 server (SSHD2.EXE)
- SSH master control program (SSHD_MASTER.EXE)
- SSH identity agent program (SSH-AGENT2.EXE)
- SSH key generators (SSH-KEYGEN.EXE and SSH-KEYGEN2.EXE)
- SSH key signer (SSH-SIGNER2.EXE)
- SSH loadable executive image (SSHLEI.EXE, LOAD_SSHLEI.EXE,
UNLOAD_SSHLEI.EXE)
- SSH agent identity manipulation program (SSH-ADD2.EXE)
- SSH file copy client (SCP2.EXE)
- SSH SFTP client (SFTP2.EXE)
- SSH file copy servers (SFTP-SERVER2.EXE and SCP-SERVER1.EXE)
- SSH server configuration template file (SSHD2_CONFIG.TEMPLATE)
- SSH certificate enrollment program (SSH-CMPCLIENT.EXE)
- SSH configuration procedure (SSH_CONTROL.COM)
- SSH Public Key Assistant (PUBLICKEY_ASSISTANT.EXE)
- SSH Certificate Viewer (SSH-CERTVIEW.EXE)
- SSH shared libraries (SSH_ZLIB.EXE, SSH_FSCLM.EXE)
- SSH Public Key Server (PUBLICKEY-SERVER.EXE)
- SSH client configuration template (SSH2_CONFIG.TEMPLATE)
- LDAP authentication plugin using the VMS Authentication Module
(LDAP-PLUGIN.EXE)
- SecurID authentication plugin using the VMS Authentication Module
(SECURID-PLUGIN.EXE)
- SSH X.509 certificate tool (SSH-CERTTOOL.EXE)
- SSH shareable image (SSHSHR.EXE)
New versions of the following common TCPware utilities are
provided for TCPware V5.8:
- TCPware command definitions (TCPWARE_COMMANDS.COM and
TCPware.CLD)
This ECO is dependent upon the following TCPware ECOs:
- NET_V592P080 for TCPware V5.9
- IPS_V592P050 for TCPware V5.9
- NET_V582P010 for TCPware V5.8
A system reboot is required after installing this ECO, to load
the new software features.
This kit has an ECO ranking of 2.
This kit includes the following corrections:
o Corrected a problem with SFTP detecting whether or not a logical name
refers to a disk drive.
o Corrected a problem in SFTP-SERVER2 with detection of
TCPWARE_SFTP_NEWLINE_STYLE. [DE 11208]
o Corrected some problems in SFTP-SERVER2 with
TCPWARE_SFTP__ROOT [DE 11207]
o Made TCPWARE_SFTP_STAT_DESTINATION_FILE control whether or not the file
characteristics are requested for a file after it has been transferred
as well as before. [DE 11199]
o Added the following configuration parameters to SSH2_DIR:SSHD2_CONFIG.
UserCommandDirectory %D[.SSH_CMD]
UserSpecificCommandDirectory username directory_specification
These parameters allow for control of the directory in which SSHD2
creates command files in order to execute remote commands or to start
subsystems (e.g. SFTP-SERVER).
UserCommandDirectory specifies a globally used directory, with %D
representing the user's default login directory.
UserSpecificCommandDirectory specifies an alternate directory for a
particular username. Note that username is case sensitive, so it will
most likely have to be in all uppercase on VMS. For example, for the
username DILBERT the specification would be:
UserSpecificCommandDirectory DILBERT DISK$USERS:[USERS.DILBERT.SSH_CMD]
If neither of these parameters is specified, the files continue to be
created in the [.SSH2] subdirectory of the user's login directory.
Because SSHD2 executes the command files it writes to this directory,
the directory should not be writable by other users. [DE 11156]
o Improved compatibility with Cerberus FTP Server 5.0: the client now
recognizes when the key exchange guessing mechanism does not arrive
at the correct algorithm, so it is no longer necessary to have:
SendKexGuess No
in the user's SSH2_CONFIG. file. [PSC134918]
o Added bounds checking when supplying auditing parameters to VMS, to
prevent possible buffer overflows.
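The "key exchange guess" referred to in the Cerberus FTP Server item above (and in the SSH_V592P010 note below about an incorrect key guess against an Integrity management processor) is the first_kex_packet_follows mechanism of RFC 4253 section 7.1: the client sends its KEXINIT and, without waiting, a KEXDH packet for the algorithm it guesses the server will pick; if the guess is wrong the server must silently discard that packet. The following Python is an added example, not Process Software or TCPware code. It applies the RFC's algorithm selection rule to two constructed KEXINIT messages and shows the three outcomes a practitioner cares about: guess sent and discarded, guess suppressed (what "SendKexGuess No" does), and no agreement at all. Only the algorithm names are real SSH identifiers; the name-lists themselves are constructed, and the cipher, MAC and compression lists that also take part in a real negotiation are omitted.

```python
"""Added example (not Process Software or TCPware code): the RFC 4253 7.1
key-exchange negotiation rule, including what a peer must do with the
"guessed" packet that follows a KEXINIT carrying first_kex_packet_follows.
The KEXINIT contents below are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class KexInit:
    """Fields of SSH_MSG_KEXINIT that decide the guess (others omitted)."""
    kex_algorithms: List[str]
    server_host_key_algorithms: List[str]
    first_kex_packet_follows: bool = False


@dataclass
class KexResult:
    kex_algorithm: Optional[str]
    host_key_algorithm: Optional[str]
    discard_guessed_packet: bool

    @property
    def agreed(self) -> bool:
        return self.kex_algorithm is not None and self.host_key_algorithm is not None


def first_common(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: the chosen algorithm is the first name on the client's
    list that also appears on the server's list (client preference wins)."""
    supported = set(server)
    return next((name for name in client if name in supported), None)


def negotiate(client: KexInit, server: KexInit) -> KexResult:
    """Run the negotiation as the server does after receiving the client's KEXINIT."""
    kex = first_common(client.kex_algorithms, server.kex_algorithms)
    host_key = first_common(client.server_host_key_algorithms,
                            server.server_host_key_algorithms)
    # A guess is right only when both sides list the same *preferred* (first)
    # kex and host key algorithm.  RFC 4253 also counts a failure to agree on
    # cipher/MAC/compression as a wrong guess; those lists are omitted here.
    guess_right = (client.kex_algorithms[:1] == server.kex_algorithms[:1] and
                   client.server_host_key_algorithms[:1]
                   == server.server_host_key_algorithms[:1])
    # If the client sent a guessed KEXDH packet and the guess was wrong, that
    # packet MUST be silently ignored.  Acting on it, or failing the whole
    # exchange, is the interoperability problem that "SendKexGuess No" avoids.
    discard = client.first_kex_packet_follows and not guess_right
    return KexResult(kex, host_key, discard)


# Constructed KEXINITs: the client guesses group-exchange; the server prefers
# group14 but supports group-exchange further down its list.
CLIENT = KexInit(
    kex_algorithms=["diffie-hellman-group-exchange-sha256",
                    "diffie-hellman-group14-sha1"],
    server_host_key_algorithms=["ssh-rsa", "ssh-dss"],
    first_kex_packet_follows=True,
)
SERVER = KexInit(
    kex_algorithms=["diffie-hellman-group14-sha1",
                    "diffie-hellman-group-exchange-sha256"],
    server_host_key_algorithms=["ssh-rsa"],
)


def guess_sent() -> KexResult:
    """Client guessed: agreement is reached, but the guessed packet is discarded."""
    return negotiate(CLIENT, SERVER)


def guess_suppressed() -> KexResult:
    """Equivalent of 'SendKexGuess No': same algorithms, nothing to discard."""
    return negotiate(replace(CLIENT, first_kex_packet_follows=False), SERVER)


def no_agreement() -> KexResult:
    """Server offering only a kex algorithm the client lacks: negotiation fails."""
    return negotiate(CLIENT, replace(SERVER, kex_algorithms=["curve25519-sha256"]))


if __name__ == "__main__":
    for name, result in (("guess sent", guess_sent()),
                         ("guess suppressed", guess_suppressed()),
                         ("no agreement", no_agreement())):
        print(f"{name}: {result}")
```

Note that the guessed packet is discarded even though both sides do end up agreeing on diffie-hellman-group-exchange-sha256: the guess is judged against each side's first-listed algorithm, not against the final choice. A server that does not implement the discard rule correctly will misbehave exactly in that case, which is why disabling the guess on the client side works around it.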
---------------------------------------------------------------------------
Post Installation Notes
The old version of the replaced SSH components will be renamed to
TCPWARE_COMMON:[TCPWARE]SSH2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSHD.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSHD2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSHD_MASTER.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-ADD2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-AGENT2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SCP2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-KEYGEN.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-KEYGEN2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-SIGNER2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-CERTVIEW.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-CERTENROLL2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SCP-SERVER1.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SFTP-SERVER2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSHD2_CONFIG.TEMPLATE_OLD
TCPWARE_COMMON:[TCPWARE]SSHLEI.EXE_OLD
TCPWARE_COMMON:[TCPWARE]LOAD_SSHLEI.EXE_OLD
TCPWARE_COMMON:[TCPWARE]UNLOAD_SSHLEI.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH_FSCLM.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH_ZLIB.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH_CONTROL.COM_OLD
TCPWARE_COMMON:[TCPWARE]TCPWARE_COMMANDS.COM_OLD
Once installed, you may undo this patch by renaming the files
back to their original names, and restarting the SSH component.
NOTE: You must reboot your system after installing this ECO,
to load the new software features.
---------------------------------------------------------------------------
This ECO also includes all of the corrections from the
previous SSH ECOs:
SSH_V592P030
------------
o For TCPware V5.9 only, the SSHD MASTER process would
not re-register with IPS when IPS was restarted.
[DE 11169]
o In prior versions of TCPware, the return status
codes from the SSH clients listed above were
UNIX-style status codes, causing problems for
many VMS users. Beginning with this ECO, a logical
name may be defined that causes the SSH clients
listed above to return VMS-style status codes.
If the logical name isn't defined, the old-style
codes are still used by default. Refer to table
6-1 in the MultiNet for OpenVMS Messages, Logicals
and DECnet Applications manual for a description of
the new status codes.
To enable the new status codes instead of the
previous ones, the logical name
TCPWARE_SSH_NEW_STATUS_CODES must be defined systemwide.
o Changed the identification string sent by the client
and server to be "Process Software SSH". This change
will prevent erroneous alerts from security scanner
software when the scanner previously encountered
the string "ReflectionForSecureIT" in the identity
string.
o Updated the SSH version from 6.1.4.0 to 6.1.5.0.
o New configuration parameters have been added for the SSH service,
and can be set using TCPWARE:CNFNET.
- ipv4-disable - when set, SSHD MASTER will not
listen on an IPV4 socket.
- ipv6-disable - when set, SSHD MASTER will not
listen on an IPV6 socket.
To disable IPV4 and/or IPV6 listeners the following questions
have been added:
You may disable listening for server connections on an IPV4 socket or
on an IPV6 socket. The default is to listen on both IPV4 and IPV6
sockets.
NOTE: you must have either IPV4 or IPV6 (or both) listen sockets
enabled.
Do you want to disable listening on an IPV4 socket [NO]?
Do you want to disable listening on an IPV6 socket [NO]?
o RFC 4255, "Using DNS to Securely Publish Secure
Shell (SSH) Key Fingerprints", has been implemented
in the SSH2 client. This provides the ability
to look up host key fingerprints stored as SSHFP
records in a DNS RRSET using DNSSEC. This provides
additional protection against man-in-the-middle host
key spoofing attacks.
o The /DNS_DIGEST option has been added to SSH-KEYGEN2
for RFC 4255 support. This option causes SSH-KEYGEN2
to calculate and print the digest of the local SSH
host key in a format that allows it to be added to
the local TCPware hosts file.
o The system-wide logical name TCPWARE_SSH_CMD_FILE_DIR
may be used to specify where the SSH2 server
creates the temporary command procedures it uses
to execute remote commands. If this logical
is not defined, the default behavior remains to
create the command procedures in the user's [.SSH2]
directory.
o Corrected SSHD MASTER access violation after many
sessions. [DE 11127]
o Optimized user information lookups on systems with
large UAF and RIGHTSLIST files. [DE 11122]
o A scenario in which [.ssh2] directories in user
accounts could be created with incorrect protection
masks has been corrected. [DE 11156]
o If the logical MULTINET_SFTP_SET_VMS_PROTECTION is defined
to No, False or 0 (zero), then VMS transfers will not set
the protection of files that are copied between two systems
running Process Software's implementation of SFTP2. This
logical can be defined on either the client or server
and will have effect on both PUT and GET operations.
[DE 11084]
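The RFC 4255 items above (SSHFP lookup in the SSH2 client and the /DNS_DIGEST option of SSH-KEYGEN2) both rest on one computation: the SSHFP fingerprint is the SHA-1 digest of the raw public key blob, the same bytes that appear base64-encoded in a known-hosts line, with an algorithm number (1 for ssh-rsa, 2 for ssh-dss in RFC 4255) and fingerprint type (1 for SHA-1). The Python below is an added example, not Process Software or TCPware code. It encodes a constructed (not usable) ssh-rsa key blob, produces the zone-file record for it, and checks a presented host key against a set of SSHFP records. The owner name is hypothetical, and the dnssec_secure flag stands in for the resolver's validation result, which a real client obtains from its DNSSEC-aware resolver; an SSHFP answer that was not validated gives no protection against a spoofed host key and is therefore rejected here.

```python
"""Added example (not Process Software or TCPware code): building and checking
RFC 4255 SSHFP records for an SSH host key.  The key blob is constructed for
illustration and is not a real key; the host name is hypothetical."""
import base64
import hashlib
import struct
from typing import List, Tuple

# RFC 4255 code points: algorithm numbers for the two key types it defines,
# and fingerprint type 1 = SHA-1.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2}
SSHFP_FPTYPE_SHA1 = 1


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 if sign bit set)."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def read_ssh_string(blob: bytes, offset: int = 0) -> Tuple[bytes, int]:
    """Parse one RFC 4251 string; refuse blobs whose length field overruns."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated ssh string")
    return blob[start:start + length], start + length


def key_type(blob: bytes) -> str:
    """The key type is the first string in every SSH public key blob."""
    return read_ssh_string(blob)[0].decode("ascii")


def sshfp_rdata(blob: bytes) -> Tuple[int, int, str]:
    """(algorithm, fptype, hex fingerprint): SHA-1 over the raw key blob."""
    return SSHFP_ALGORITHM[key_type(blob)], SSHFP_FPTYPE_SHA1, hashlib.sha1(blob).hexdigest()


def sshfp_record(owner: str, blob: bytes) -> str:
    """Zone-file presentation format, e.g. 'host.example. IN SSHFP 1 1 <hex>'."""
    alg, fptype, fp = sshfp_rdata(blob)
    return f"{owner} IN SSHFP {alg} {fptype} {fp}"


def host_key_matches(blob: bytes, records: List[Tuple[int, int, str]],
                     dnssec_secure: bool) -> bool:
    """Accept the presented host key only if an SSHFP record matches AND the
    DNS answer was validated with DNSSEC.  An unvalidated answer could have
    been supplied by the same attacker who is spoofing the host key."""
    if not dnssec_secure:
        return False
    alg, fptype, fp = sshfp_rdata(blob)
    return any(r_alg == alg and r_type == fptype and r_fp.lower() == fp
               for r_alg, r_type, r_fp in records)


def blob_from_known_hosts_line(line: str) -> bytes:
    """Take the base64 field of a 'host keytype base64 [comment]' line.
    Every SSH key blob begins with a 4-byte length, so the field starts 'AAAA'."""
    b64 = next(f for f in line.split() if f.startswith("AAAA"))
    return base64.b64decode(b64)


# Constructed sample: a syntactically valid ssh-rsa blob (e, n) with a toy
# modulus.  NOT a real key; it only exercises the encoding and hashing.
HOST_KEY_BLOB = (ssh_string(b"ssh-rsa") + ssh_mpint(65537)
                 + ssh_mpint(0xC0FFEE_DEADBEEF_F00D_BAAD_F00D_1234_5678))
HOST_KEY_LINE = "example.host ssh-rsa " + base64.b64encode(HOST_KEY_BLOB).decode()

if __name__ == "__main__":
    print(sshfp_record("example.host.", HOST_KEY_BLOB))
    published = [sshfp_rdata(HOST_KEY_BLOB)]
    print("validated answer:", host_key_matches(HOST_KEY_BLOB, published, True))
    print("unsigned answer: ", host_key_matches(HOST_KEY_BLOB, published, False))
```

The record printed by sshfp_record is the digest that a /DNS_DIGEST-style tool computes for a host key; publishing it is only half the job, since the client-side check in host_key_matches is what turns the record into protection against a man-in-the-middle host key, and only when the zone is signed and the resolver validates it.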
*** Notes for Kerberos 5 Support ***
Support for Kerberos 5 is based on HP Kerberos V5 for OpenVMS.
SSH may be configured and used at any time, either with or
without Kerberos; however, Kerberos is required to perform Kerberos
authentication in the SSH server. If Kerberos is installed at some
later time after SSH is started, restarting SSH will allow it to
use Kerberos.
Some chapters of the TCPware documentation dealing with SSH
have been updated for TCPware V5.8. New PDF files of these
chapters are supplied in this ECO and are copied to the
TCPWARE_COMMON:[TCPWARE] directory.
These are:
TW_MANAGEMENT_SSH1_SERVER_CH25.PDF
TW_MANAGEMENT_SSH2_SERVER_CH26.PDF
TW_USER_GUIDE_SSH_CLIENT_CH16.PDF
TW_USER_GUIDE_FILE_XFER_CH17.PDF
SSH_V592P020
------------
o Correct a possible ACCVIO on SFTP [M]PUT commands.
[DE 11048/DE 11066]
o Correct problems with incomplete transfers in SFTP record mode.
[DE 11044]
o The SSH_LOG:SSHD.LOG file had an extra character at the
end of each line, which could make it difficult to parse
programmatically. Now, if the system-wide logical name
TCPWARE_SSH2_SERVER_DEBUG_NOCR is defined (the value
doesn't matter), the trailing carriage return no longer
appears on debug log lines. [DE 11103]
o On Integrity systems only, SSHLEI.EXE has been moved from
SYS$LOADABLE_IMAGES to the TCPWARE_COMMON:[TCPWARE]
directory. This fixes problems caused by an incorrect
version of SSHLEI.EXE existing in SYS$LOADABLE_IMAGES.
o Correct some file truncation problems. [DE 11079]
o Change SCP2 and SFTP2 to open destination files for write only
instead of read/write to provide interoperability with more
implementations.
o Restore SFTP2 & SCP2 password prompt to include a space after the
colon as it had in previous versions. [DE 11065]
SSH_V592P010
------------
o Correct problems with specifying a version number on a
source file and getting the file appropriately transferred
to the remote system. [DE 9852/10242]
o Errors from attempting to close a file that is already
closed are now ignored. The call to set file characteristics
is no longer made when there are no characteristics to set.
[DE 10829]
o Improvements to FXP_REALPATH processing. [DE 10832]
o Remove hashing data structures from buffer management data
structures to reduce memory utilization. (TCPware SCP2 &
SFTP2 do not support file hashing to check to see if a file
is different before transferring.) [DE 10937]
o An assertion in SSHADT in the SSHD2 server could
fail, causing the server to abort. [10967]
o SSH OPCOM session accept and session reject messages
would sometimes display garbage at the end of the
message. [DE 10629]
o Corrected an ACCVIO when public key authentication
fails in batch mode. [DE 10675]
o When using the VMS Authentication Module and LDAP
for authentication, the LDAP_ALLOW_NULL_PASSSWORD
flag isn't honored properly.
o Problems with DCL passing arguments to SSH on Integrity
systems when using /PARSE_STYLE=EXTENDED. [DE 11002]
o When connecting to an Integrity management processor, the
key guess is incorrect. [DE 10979]
o The number of connection attempts and the timeout for each
attempt are now configurable for the client. The following
configuration keywords in SSH2_DIR:SSH2_CONFIG have been
added:
ConnectionTimeout (default zero seconds)
ConnectionAttempts (default 5)
[DE 9175]
o DSA host keys can't be generated. [DE 10972]
o VAX keys can't be generated on some versions of VAX/VMS.
o The user group in the UAF isn't used when doing group
comparisons (e.g., AllowGroups or DenyGroups). [DE 10958]
TCPware ECO,
Process Software