Release Notes for SSH Tectia Client 6.1.4
&
SSH Tectia Server 6.1.4 for Linux on IBM System z
-------------------------------------------------

27 November 2009


(C) 2009 SSH Communications Security Corp.
This software is protected by international copyright laws.
All Rights Reserved.


Table of Contents

1.   About This Release
2.   New Features
3.   Bug Fixes and Minor Features
4.   Known Issues
5.   Further Information


1.   About This Release
-----------------------

  The previous SSH Tectia Client release was 6.1.3. 

  This release implements some new features and fixes a number of 
  bugs.

  Special items for this release are:  

  - Added Windows 7 as a supported platform.
  - A new configuration option for file access control on Unix.
  - Package renaming on Solaris Sparc platforms.
  - On Unix, the binaries have been renamed back to the names used 
    before 6.1.3 (the ".bin" suffix has been removed).
  - New troubleshooting tool included.
      
  This release also contains SSH Tectia MFT Events due to product 
  dependencies, but no new features have been added to that 
  product.
  
  SSH Tectia Server for Linux on IBM System z provides the SSH Tectia Client
  and Server functionality on Linux on IBM System z, and what is said here 
  about SSH Tectia Client applies also to SSH Tectia Server for Linux on IBM 
  System z.
  
  We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x
  products before installing SSH Tectia 6.1.
  
  For the installation instructions, refer to the SSH Tectia Client Manual.


2.   New Features
-----------------

  The following new features have been implemented in SSH Tectia Client:


New Features in 6.1.4:
----------------------

- Unix: File access control option introduced, for checking access rights on
  keys and configuration files.

- All platforms: Added a new utility, ssh-keyfetch, for fetching host keys from
  remote hosts.

- All platforms: Added a new host key policy, 'advisory'. In this mode every 
  host key is accepted: the connection is allowed even when a new key is 
  received for a host that already has a known key, but the event is logged 
  and is auditable. Because a changed key is accepted, this mode gives no 
  protection against host impersonation; the logged key change is the only 
  signal of a possible man-in-the-middle, so use a strict policy wherever 
  that matters.

- All platforms: In sftpg3, the 'site' command parameters can now be abbreviated 
  to the shortest unique value.

- All platforms: In sftpg3, the command 'set exit-value' can now be used to 
  set the return value of sftpg3 in case an error occurs in batch mode.

- Windows 7: Added Windows 7 as a supported platform.

- All platforms: Compression can be turned on and off with command 
  "set compressions".

- All platforms: In file transfer, translation tables can now be used on 
  all platforms.

- All platforms: In sftpg3 it is now possible to split batch file lines with
  '+' character at the end of the line.

- All platforms: A new tool has been added for collecting diagnostic 
  information to be sent to SSH Technical Support. More information is 
  provided in the documentation.


New Features in 6.1.3:
----------------------

- All platforms: Added a new utility, ssh-keyfetch, on Unix and Windows for
  fetching host keys from remote hosts.

- Linux: New supported platform, Red Hat Enterprise Linux 5.3 (x86, x86-64).

- All platforms: Introduced a new option for specifying the location of the
  Connection Broker configuration directory.


New Features in 6.1.2:
----------------------

- All platforms: The sftpg3 commands are now case-insensitive.

- z/OS: Added support for Large, Extended, and Compressed Format datasets.

- z/OS: Added support for reading and writing MVS tape and virtual tape 
  files.


New Features in 6.1.0:
----------------------

- Unix: Added graphical user interface for SSH Tectia Configuration.

- All platforms: New and improved public key authentication wizard, now
  supports key upload from tokens and to OpenSSH servers.

- All platforms: Added support for storing password in a profile.

- All platforms: Support for key exchange method diffie-hellman-group14-sha1.

- All platforms: Implemented a better file transfer and file operation logging
  system for improved auditing of all actions performed with files.


3.   Bug Fixes and Minor Features
---------------------------------

  The following fixes have been implemented in SSH Tectia Client:

Bug Fixes in 6.1.4:
-------------------

- All platforms: Connections that are disconnected remotely are now 
  processed immediately.

- All platforms: Timed out authentication will no longer cause other
  connections to hang.

- All platforms: When using the key/certificate chooser, a message is now 
  displayed if the chosen key fails to authenticate.

- All platforms: Fixed incorrect X.509 certificate validation.

- All platforms: The sftpg3 commands 'digest' and 'ldigest' no longer return
  wrong data.

- Solaris Sparc: Package names have changed to:
  ssh-tectia-<component>-<version>-solaris-9-10-sparc.pkg.Z

- Unix: Removed the ".bin" extension added to the binary names in the last 
  release. With this fix, the names of the Tectia processes will be the same 
  as in the previous versions.

- All platforms: Configuration options for server authentication are now 
  written out only if they have been specifically configured. This affects 
  the options 'strict-host-key-checking', 'host-key-always-ask' and 
  'accept-unknown-host-keys'.

- All platforms: In the Connection Broker configuration file, the 
  USER_CONFIG_DIRECTORY variable now points by default to:
   - On Windows: "%D\Application Data\SSH"
   - On Unix:    "%D/.ssh2"
  where "%D" is the user's home directory.

- All platforms: "Tectia Connections Configurator" allows the modification of 
  the server-authentication when there is a global configuration file set.

- Windows: While using the Windows Terminal GUI, and when the 'accept unknown 
  host keys' option is enabled, no pop-up will be used when an unknown host
  key is accepted. Instead, a message will appear in the Terminal.

- All platforms: File transfer actions will no longer fail with key-exchange
  when accept-unknown-hostkeys is set to yes.

- All platforms: Command line option "+C" did not work in sftpg3. 
  This is now fixed.

- Windows: Improved error reporting when accessing the Event log.


Bug Fixes in 6.1.3:
-------------------

- All platforms: Fixed printing checksums in batch mode in sftpg3.

- Unix: Reduced the size of 6.1 Product Packages, so that they have sizes 
  similar to 6.0.x releases. In order to decrease the size of the 
  installation packages, binaries were linked against shared ICU libraries. 
  To assure that the binaries use the correct library, a wrapper script has 
  been introduced to setup the environment prior to calling the actual 
  binary. For example '/opt/tectia/bin/sshg3' is now a script and the actual 
  executable is '/opt/tectia/libexec/sshg3.bin'.

- Windows: Fixed the command line tool ssh-keygen-g3 so that it no longer 
  fails to create keys.

- All platforms: An active passphrase or password prompt no longer blocks 
  subsequent connections to different hosts. A connection to the same host 
  with the same user name is still blocked, and the user is warned 
  accordingly.  

- All platforms: Added two new attributes ('file' and 'directory') to the 
  'known-hosts' option in the Connection Broker configuration file. 
  The new attributes specify whether 'known-hosts' points to a file or to a 
  directory.
  In case of a directory, any previously non-existing directory will be 
  created. The behavior of the existing 'known-hosts' attribute 
  'filename-format' has been extended, as well.
  
- Windows: The Connection Broker GUI is now able to import also PKCS#12 
  certificates.  

- All platforms: When writing to GDG(+1), the file transfer clients returned 
  an error even though the file was successfully transferred. This is now 
  fixed.


Bug Fixes in 6.1.2:
-------------------

- All platforms: The sftpg3 and scpg3 clients did not send extended file 
  attributes in the STAT message to a z/OS server. This caused some tape 
  operations to fail. This is now fixed.

- z/OS: Some common XML files were missing in installation package. 
  This is now fixed.

- z/OS: Reading and writing multivolume datasets failed. 
  This is now fixed.

- All platforms: In certain situations sftpg3 failed to upload file to z/OS 
  server dataset without "L=size" parameter. This is now fixed.

- z/OS: SOCKS proxy failed to connect to an unknown host, even though 
  "accept-unknown-hosts" is enabled in ssh-socks-proxy-config.xml. 
  This is now fixed.

- Unix platforms, z/OS: The sftpg3 printed extra ^M characters in batch mode 
  output. This is now fixed.

- All platforms: When writing to GDG(+1), file transfer clients returned 
  error even though file was successfully transferred. This is now fixed.

- Windows: PKCS#12 key could not be converted to SSH2 key using
  ssh-keygen-g3. This is now fixed.

- Unix platforms: If user's home directory was "/", host keys could not be 
  saved. This is now fixed.


Bug Fixes in 6.1.1:
-------------------

- Clients occasionally failed to start Broker into run-on-demand mode. This 
  is now fixed. 
  
- An error occurred in file transfer client while performing HFS tagging on 
  a network drive. This is now fixed. 
  
- Tectia for z/OS failed to read datasets that were larger than 65535 
  tracks. This is now fixed.     


Bug Fixes in 6.1.0:
-------------------
- All platforms: scp2 sometimes exited with code 0 even though the file 
  transfer failed, for example when ssh2 failed to connect to the server. 
  This is now fixed.

- UNIX: SSH Tectia executables no longer hang when the process that started
  them ignores the SIGUSR2 signal.

- All platforms: Files larger than 4 GB can now be transferred to or from
  SSH Tectia Server using the OpenSSH-like scp command.

- All platforms: Transparent FTP tunneling now works in passive mode.

- All platforms: If prefix was used and file transfer was aborted, the resumed
  file transfer always started from the beginning. Now file transfer resumes
  from the point where it left.

- Unix: If the server host has RSA and DSS hostkeys, ssh-keydist now prefers
  DSS when fetching the server hostkey. The change was made to ensure
  compatibility with other Tectia components that prefer DSS keys.


4.   Known Issues
-----------------

The following issues are currently known to exist in SSH Tectia Client:

- All platforms: The Tectia Configuration Editor and the Terminal GUI on 
  Windows always use the default location of the UserConfigDirectory for 
  loading the .ssh2 files (containing the color and other Windows GUI 
  specific parameters).

- All platforms: The ssh-keygen will always use the default location of the
  UserConfigDirectory, if no path is specified.

- Linux (SELinux): If the common package is installed while SELinux is 
  disabled, the following warnings are given during the installation:
    /usr/bin/chcon: can't apply partial context to unlabeled file 
    /opt/tectia/lib/shlib/libicudata.so.40
    /usr/bin/chcon: can't apply partial context to unlabeled file 
    /opt/tectia/lib/shlib/libicuuc.so.40
  These can be safely ignored. However, if SELinux enforcing mode is enabled 
  after the installation, the following command needs to be executed:
    /usr/bin/chcon -t textrel_shlib_t /opt/tectia/lib/shlib/*.so
  Note that the shell pattern *.so does not match the versioned file names 
  shown in the warnings (for example libicudata.so.40); extend the pattern 
  or label those files explicitly as well.
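
  The following post-install check is an added example and is not part of 
  these release notes or of the SSH Tectia product. It reads the SELinux 
  type on each Tectia shared library and applies the chcon command from the 
  known issue only to the files that lack textrel_shlib_t, skipping the 
  relabel entirely while SELinux is disabled. It assumes that 'getenforce' 
  and 'stat -c %C' are available, that the libraries live in 
  /opt/tectia/lib/shlib, and that versioned names such as libicudata.so.40 
  need the same label as the plain *.so files.

```shell
#!/bin/sh
# Added example, not part of the release notes: post-install SELinux label
# check for the Tectia shared libraries. Assumptions: getenforce and
# 'stat -c %C' exist (libselinux / coreutils); the library directory is
# /opt/tectia/lib/shlib; versioned *.so.N files need the same type.

TECTIA_SHLIB_DIR=${TECTIA_SHLIB_DIR:-/opt/tectia/lib/shlib}
WANTED_TYPE=textrel_shlib_t

# Third colon-separated field of a user:role:type:level context string.
# A string without colons (for example "unlabeled") is returned unchanged.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# True (exit 0) when the context does not carry the wanted type, i.e. chcon
# is still needed on that file.
needs_relabel() {
    [ "$(selinux_type "$1")" != "$WANTED_TYPE" ]
}

# True when the getenforce output means labels are applied at all.
# "Disabled" is the install-time situation that produced the warnings.
selinux_active() {
    case "$1" in
        Enforcing|Permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# Relabel every shared library under DIR that lacks the wanted type.
# Returns 1 if any chcon fails, 0 otherwise (also when nothing was needed).
relabel_tectia_shlibs() {
    dir=${1:-$TECTIA_SHLIB_DIR}
    mode=$(getenforce 2>/dev/null || echo Disabled)
    if ! selinux_active "$mode"; then
        echo "SELinux is $mode; nothing to relabel now, re-run after enabling it" >&2
        return 0
    fi
    for lib in "$dir"/*.so "$dir"/*.so.*; do
        [ -e "$lib" ] || continue          # glob matched nothing
        ctx=$(stat -c %C "$lib" 2>/dev/null) || ctx=unlabeled
        if needs_relabel "$ctx"; then
            echo "relabelling $lib (was: $ctx)"
            /usr/bin/chcon -t "$WANTED_TYPE" "$lib" || return 1
        fi
    done
    return 0
}

# Run the check only when explicitly asked, so the functions can be sourced.
if [ "${TECTIA_RELABEL_RUN:-0}" = 1 ]; then
    relabel_tectia_shlibs
fi
```

  Run it as root with TECTIA_RELABEL_RUN=1 after switching SELinux to 
  enforcing; with SELinux disabled it only reports that nothing can be 
  labelled yet.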

- All platforms: If more than 25 connections are timed out at the 
  authentication phase (for example leaving the connection at the 
  password prompt and exceeding the login grace period) this will 
  cause other connection attempts with the same Connection Broker 
  to fail until that connection is cancelled. 
  
- Windows: Password cannot be specified in a file with --password 
  command-line option. 

- Windows: Uploading files from "Upload Dialog" of the GUI file transfer 
  tool does not work when "Hide extensions for known file types" of Windows 
  Explorer is set to 'yes'. 
  Workaround: Enable file extensions. This issue will be fixed in an 
  upcoming maintenance release. 

- Linux on IBM System z: A FIPS 140-2 compliant cryptographic library is not 
  included in the installation package. For FIPS compliant AES and 3DES 
  ciphers and SHA hashes, use the cryptographic hardware provided by the 
  System z architecture. Cryptographic acceleration is enabled in SSH Tectia 
  by default. 

- Windows Vista: When using an evaluation version of SSH Tectia Client and 
  trying to import a commercial license on Windows Vista, the operation will 
  fail. 
  Workaround: Manually copy the license file to the licenses directory 
  under "%ProgramFiles%\SSH Communications Security\SSH Tectia\SSH Tectia 
  AUX\licenses" 

- All platforms: In scpg3 and sftpg3, the command line options +C and -C 
  for enabling/disabling compression do not work. Compression must be 
  enabled/disabled globally or on a profile basis. The command line options 
  work with sshg3. 

- Linux on IBM System z: Due to a problem in older s390 Linux kernels, 
  probing for the cryptographic hardware raises an "Illegal instruction" 
  signal if no crypto hardware is present. In that case the servant or the 
  Connection Broker is not able to start. 
  Workaround: Remove the cryptographic HW plugins (*cpacf.so) from the 
  plugin directory. 

- Windows: When upgrading from a 4.x client, the connection profiles that 
  were migrated did not show up in the profile's dropdown menu on the 
  terminal client.  However, after restarting the Connection Broker the 
  migrated profiles will be shown on the client. 

- Unix: All installed SSH Tectia products must be upgraded to 6.0.2 at the 
  same time.  If some packages are left to 6.0.1 or older version, they will 
  stop working when the 6.0.2 common package is installed. 

- All platforms: The sftpg3 client fails if the server does not support 
  streaming. By default, streaming is disabled on the client, so by default 
  the problem does not occur. 

- Solaris 8: Use bash version later than 2.0.3 to avoid high CPU usage with 
  SSH Tectia Client on Solaris 8. 

- Windows: If the "Transparent tunneling" component of SSH Tectia Client or 
  SSH Tectia ConnectSecure is installed on a Windows XP computer in a domain 
  where firewall exceptions are managed by a group policy, the exceptions get 
  changed so that the computer becomes inaccessible from the network. 

  Workaround: Edit the exceptions manually so that, for example, the server 
  port becomes accessible. 

- Windows: SFTP GUI might cause the existing local copy of a file to be 
  partially overwritten in ASCII mode, when downloading of the file from the 
  remote server fails due to missing file permissions. 

- All platforms: The scpg3 command shows the transfer time wrong if 
  "--statistics=simple" is set. 

- All platforms: When trying to connect to an SSH server that is not 
  available (i.e. the server is not running), the error message returned by 
  sshg3 is "Unable to connect to Broker". It should return "Unable to connect 
  to Server". 

- Windows: Reconnecting to the previously used Connection Profile by 
  pressing Enter in the SSH Tectia Terminal or File Transfer GUI may fail in 
  some cases. 
  Workaround: Select the profile from the menu. 

- Windows: Removing a token while it is being read could in some cases 
  result in SSH Tectia Connection Broker failure. 

- Windows: Opening multiple remote tunnels in a profile against OpenSSH 
  servers can cause SSH Tectia Connection Broker to fail. 

- Solaris: Installation packages do not detect the underlying Solaris 
  architecture to prevent installation of the x86-64 packages on x86 
  architecture. The packages can be installed but they will not work. 

- All platforms: Running the SSH Tectia Connection Broker in daemon mode 
  might be unreliable if sshg3/scpg3/sftpg3 is run immediately after starting 
  ssh-broker-g3. 
  Workaround: After the Connection Broker starts, wait a few seconds before 
  issuing any commands. 

- Windows: SFTP chmod command is not supported against SSH Tectia Server 
  running on Windows. 

- Unix: Scripts that execute sftpg3 in batch mode get stopped when put into 
  background (Stopped (tty output)). 

- Unix: If scpg3 is used to copy a file to itself, the file will be 
  truncated and the scpg3 command hangs. 

- Unix: The 'finger' command does not show the idle time correctly when 
  logged in using SFTP. 

- HP-UX: Starting sshg3, scpg3, and sftpg3 fails if getting the current 
  working directory fails. 

- Windows: When running sftpg3 in batch mode, the Connection Broker may log 
  the Broker_channel_process_exit_failed messages with status "Operation 
  failed". These are system internal events and do not indicate any failure 
  in the file transfer operation. 

- Windows: The exit values for scpg3 do not match the values mentioned in 
  the documentation in these error situations: connection lost, interrupting 
  a file transfer using Ctrl+C, trying to copy to a directory, but the 
  destination is not a directory. Nevertheless, in all these cases the return 
  value is non-zero. 

- All platforms: scpg3 does not warn about the existence of directories 
  when the pattern is quoted and scpg3 expands the glob itself, for example: 
  scpg3 "/tmp/testdir/*" user@server:/tmp 
  However, the correct warning is displayed when the pattern is left 
  unquoted and the shell expands the glob: 
  scpg3 /tmp/testdir/* user@server:/tmp 
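
  The following pre-flight wrapper is an added example, not code from these 
  release notes or from the SSH Tectia product. Whichever side would expand 
  the pattern, it expands the glob locally first, reports directories and 
  other non-regular entries on stderr and drops them, treats a pattern that 
  matches nothing as an error instead of sending a literal "*" to the 
  server, and only then hands the remaining regular files to scpg3. The only 
  thing assumed about scpg3 is the invocation form shown above, 
  'scpg3 <files...> user@server:/path'; no scpg3 options are assumed.

```shell
#!/bin/sh
# Added example, not part of the release notes: expand a glob locally and
# pass only regular files to scpg3. Assumes the invocation form
# 'scpg3 <files...> user@server:/path' from the known issue, nothing more.

# Print the regular files a glob matches, one per line.
regular_files_from_glob() {
    pattern=$1
    set -- $pattern          # the shell expands the (unquoted) pattern here
    # sh leaves an unmatched pattern as-is; catch that before a literal "*"
    # is copied to the server.
    if [ "$1" = "$pattern" ] && [ ! -e "$1" ]; then
        echo "warning: '$pattern' matched nothing" >&2
        return 1
    fi
    for entry in "$@"; do
        if [ -d "$entry" ]; then
            echo "warning: skipping directory $entry" >&2
        elif [ -f "$entry" ]; then
            printf '%s\n' "$entry"
        else
            echo "warning: skipping non-regular entry $entry" >&2
        fi
    done
    return 0
}

# Number of directories hidden in a glob; a quick check before a batch copy.
count_dirs_in_glob() {
    n=0
    set -- $1
    for entry in "$@"; do
        if [ -d "$entry" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Copy only the regular files the glob matches to the remote target.
scpg3_files_only() {
    pattern=$1; target=$2
    files=$(regular_files_from_glob "$pattern") || return 1
    [ -n "$files" ] || { echo "no regular files to copy" >&2; return 1; }
    # Re-split on newlines only, with pathname expansion off, so file names
    # containing spaces or wildcard characters survive intact.
    old_ifs=$IFS; IFS='
'
    set -f; set -- $files; set +f; IFS=$old_ifs
    scpg3 "$@" "$target"
}
```

  Usage: scpg3_files_only "/tmp/testdir/*" user@server:/tmp. The pattern is 
  passed quoted so that the function, not the interactive shell, expands it 
  and can inspect the result.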

- All platforms: The certificate validation path construction from LDAP 
  fails, if the LDAP server requires suffix ';binary' for the PKI binary blob 
  attribute names. 

- Windows: If the Connection Broker is started for another userID using the 
  'runas' command, the user dialogs are shown for the user who started the 
  process. 

- All platforms: The server creates empty files if a user tries to transfer 
  files without correct server-side permissions. The correct error message is 
  displayed. 

- All platforms: API function ssh_secsh_broker_channel_close() might fail 
  in some cases. 

- Windows: Local TCP tunneling using listener port 0 does not work. 

- Windows: When running a remote command against a Windows server, the 
  output from standard out and standard error might overlap. 

- Windows: When trying to remotely access Unix files that contain illegal 
  Windows characters (for example: *, ? and ~) those files cannot be 
  transferred or accessed if using relative paths.
  Workaround: Use absolute paths for accessing the files on the remote 
  server after escaping the illegal characters. 

- All platforms: It is possible to generate RSA/DSA keys of any length in 
  FIPS mode, although the SSH Tectia Client/Server software will only accept 
  keys with FIPS compliant lengths. 

- Windows: If trying to connect from a Windows GUI client to an OpenSSH 
  server with a public key and option command="ls", the client hangs. When 
  performed with the Windows command-line client (sshg3) it works properly. 

- Windows: When using regular expressions in filter rules the dot character 
  '.' does not work as expected. For example, when using a filter rule for 
  tunneling of telnet.exe using regular expression: '.*.ssh.com' the 
  connection will not be tunneled even if the regular expression matched the 
  host address. 
  Workaround: Add a '\' in front of the '.'. For example, the previous 
  regular expression should be:  '.*\.ssh\.com' 
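
  The script below is an added example, not code from these release notes 
  or from the SSH Tectia product. It shows what the loose and the escaped 
  pattern from the workaround actually accept in a standard extended regular 
  expression engine (grep -E, POSIX ERE), and adds an anchored variant that 
  also rejects hosts which merely contain "ssh.com" somewhere in their name. 
  It assumes the Tectia filter-rule engine treats '.' and '\.' the same way 
  as ERE does, which is what the workaround implies; the Windows-specific 
  matching failure described above is not reproduced by grep.

```shell
#!/bin/sh
# Added example, not part of the release notes: compare the filter-rule
# patterns from the known issue with grep -E (POSIX ERE). Assumes the Tectia
# filter engine escapes '.' the same way; the Windows matching bug itself is
# not reproduced here.

# Exit 0 when HOST matches PATTERN as an (unanchored) extended regex.
host_matches() {
    pattern=$1; host=$2
    printf '%s\n' "$host" | grep -Eq -- "$pattern"
}

# Loose form from the known issue: an unescaped '.' matches ANY character,
# so look-alikes such as "www-sshXcom.example" are accepted too.
LOOSE='.*.ssh.com'
# Corrected form from the workaround: the dots are literal.
ESCAPED='.*\.ssh\.com'
# Stricter still: anchor the suffix so "www.ssh.com.attacker.example",
# which contains ".ssh.com" in the middle, is rejected as well.
ANCHORED='\.ssh\.com$'

# Print one verdict line per pattern for a host, for manual inspection.
show_verdicts() {
    host=$1
    for name in LOOSE ESCAPED ANCHORED; do
        eval "pattern=\$$name"
        if host_matches "$pattern" "$host"; then
            printf '%-8s %-16s matches   %s\n' "$name" "$pattern" "$host"
        else
            printf '%-8s %-16s no match  %s\n' "$name" "$pattern" "$host"
        fi
    done
}

show_verdicts www.ssh.com
show_verdicts www-sshXcom.example
show_verdicts www.ssh.com.attacker.example
```

  Only the anchored form accepts www.ssh.com while rejecting both 
  look-alike hosts; the loose form accepts all three, which is the 
  over-broad rule a tunneling filter should not have.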

- Windows: When the user creates a transparent tunneling rule for certain 
  applications (e.g firefox.exe), and later decides to filter another 
  application  (e.g. telnet.exe ), both applications will use the same 
  filters unless the first application is restarted. 

- All platforms: If a wrong passphrase is provided several times for a key, 
  the Connection Broker skips it and proceeds to the next key. If it is an 
  OpenSSH key, once it has been skipped because of a decoding failure, the 
  Connection Broker makes no further attempts to use the key on next login 
  attempts. The Connection Broker must be reloaded or restarted in order to 
  use that OpenSSH key for authentication. 

- Windows/Unix: On Windows, the GUI passphrase prompt for an OpenSSH key 
  cannot be cancelled. On Unix, the OpenSSH key passphrase prompt loops if 
  no passphrase is given; Ctrl+C dismisses the prompt, but that cancels the 
  whole Secure Shell connection. 

- Windows: Secure file transfer speed may be slower against SSH Tectia 
  Server on Windows than against SSH Tectia Server on Linux. 

- Windows: PKCS#12 certificates cannot currently be imported via the GUI. 

- Windows: If multiple concurrent terminal services sessions are opened for 
  the same user, the services sessions share the same Connection Broker 
  session. This can cause that the user banner and dialog boxes may be 
  displayed to the wrong session. Opening several concurrent terminal 
  services sessions for the same user does not provide secure separation of 
  sessions. 

- All platforms: After changing the password on a Secure Shell server, but 
  before logging in with the new password, the Connection Broker must be 
  restarted to close the previous connection, or the user must wait for the 
  connection to time out (by default 5 seconds). If this is not done, login 
  with the new password will not succeed. 


5.   Further Information
------------------------

  In 6.1.0 and subsequent releases, the following platforms are no longer 
  supported:

  o IBM AIX 5.2 
  o Red Hat Enterprise Linux 3 
  o Sun Solaris 8 
  o Microsoft Windows 2000

  More information can be found in the man pages and in the SSH Tectia 
  manuals, which are also available at http://www.ssh.com/support/.

  Additional licenses can be purchased from our online store at: 
  http://www.ssh.com/buy/online/.

