MultiNet V5.0 Release Notes

June 2004

This document contains a list of new features and bug fixes that have been made since MultiNet V4.4.

Revision/Update Information: This document supersedes the MultiNet V4.4-A Release Notes

Operating System and Version: VAX VMS V5-5.2 or later; (OpenVMS Alpha or VAX V6.1 or later)

__________

Copyright ©2004 Process Software, LLC. Unpublished - all rights reserved under the copyright laws of the United States

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means electronic, mechanical, magnetic, optical, or otherwise without the prior written permission of:

Process Software, LLC
959 Concord Street
Framingham, MA 01701-4682 USA
Voice: +1 508 879 6994; FAX: +1 508 879 0042
info@process.com

Process Software, LLC ("Process") makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Process Software reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of Process Software to notify any person of such revision or changes.

Alpha AXP, AXP, MicroVAX, OpenVMS, VAX, VAX Notes, VMScluster, and VMS are registered trademarks of Hewlett-Packard Corporation.

Kerberos. Copyright © 1989, DES.C and PCBC_ENCRYPT.C Copyright © 1985, 1986, 1987, 1988 by Massachusetts Institute of Technology. Export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

MultiNet is a registered trademark of Process Software.

Secure Shell (SSH). Copyright © 2000. This License agreement, including the Exhibits (Agreement), effective as of the latter date of execution (Effective Date), is hereby made by and between Data Fellows, Inc., a California corporation, having principal offices at 675 N. First Street, 8th floor, San Jose, CA 95112170 (Data Fellows) and Process Software, LLC, having a place of business at 959 Concord Street, Framingham, MA 01701 (OEM).

TCPware is a registered trademark of Process Software.

UNIX is a trademark of UNIX System Laboratories, Inc.

All other trademarks, service marks, registered trademarks, or registered service marks mentioned in this document are the property of their respective holders.

Copyright ©1997, 1998, 1999, 2000 Process Software Corporation. All rights reserved. Printed in USA.

Copyright ©2000, 2001, 2002, 2004 Process Software, LLC. All rights reserved. Printed in USA.

If the examples of URLs, domain names, internet addresses, and web sites we use in this documentation reflect any that actually exist, it is not intentional and should not be considered an endorsement, approval, or recommendation of the actual site, or any products or services located at any such site by Process Software.
Any resemblance or duplication is strictly coincidental.

_______________________________________________________
Contents

CHAPTER 1  INTRODUCTION
    1.1  TYPOGRAPHICAL CONVENTIONS
    1.2  OBTAINING TECHNICAL SUPPORT
        1.2.1  Before Contacting Technical Support
        1.2.2  Sending Electronic Mail
        1.2.3  Calling Technical Support
        1.2.4  Contacting Technical Support by Fax
    1.3  OBTAINING ONLINE HELP
    1.4  MULTINET FREQUENTLY ASKED QUESTIONS (FAQS) LIST
    1.5  ACCESSING THE MULTINET PUBLIC MAILING LIST
    1.6  PROCESS SOFTWARE WORLD WIDE WEB SERVER
    1.7  OBTAINING SOFTWARE PATCHES OVER THE INTERNET
    1.8  DOCUMENTATION COMMENTS
    1.9  CD-ROM CONTENTS
        1.9.1  Online Documentation
            1.9.1.1  PDF Format
            1.9.1.2  Using Acrobat Reader
            1.9.1.3  Using XPDF

CHAPTER 2  CHANGES AND ENHANCEMENTS
    2.1  MULTINET V5.0 INSTALLATION NOTE
    2.2  NOTE CONCERNING KERBEROS V5
    2.3  NOTE CONCERNING MULTIWARE
    2.4  NOTE CONCERNING SSH
    2.5  XNTP/NTP CHANGES
    2.6  DISABLED SERVICES
    2.7  CONVERTED SERVICES
    2.8  NOTE CONCERNING FTP CHANGES
    2.9  NOTE CONCERNING STREAM SYMBIONT CHANGES
    2.10  SSH CHANGES
    2.11  ENHANCEMENTS
    2.12  FIXED PROBLEMS
    2.13  PING BEHAVIOR CHANGE
    2.14  MULTINET SET/ROUTE/FLUSH BEHAVIOR CHANGE
    2.15  KNOWN PROBLEMS

CHAPTER 3  DOCUMENTATION UPDATES
    3.1  MULTINET V5.0
    3.2  CORRECTIONS TO THE MULTINET V5.0 DOCUMENTATION

TABLES
    1-1  Typographical Conventions
    1-2  System Information

_______________________________________________________
1 Introduction

These Release Notes describe the changes and enhancements made to the MultiNet product in version
5.0. This chapter describes conventions used in the MultiNet documentation set and the various methods to contact and receive technical support.

o For information about product changes and enhancements in the MultiNet V5.0 MultiNet Consolidated Distribution, refer to Chapter 2 of these Release Notes.

o For information about changes to the documentation set, refer to Chapter 3 of these Release Notes.

__________________________________________________________________
1.1 Typographical Conventions

Examples in these Release Notes use the following conventions:

Table 1-1 Typographical Conventions

Convention                   Example                 Meaning
---------------------------  ----------------------  ----------------------------------------
Angle brackets                                       Represents a key on your keyboard.

Angle brackets with a slash                          Indicates that you hold down the key
                                                     labeled or while simultaneously pressing
                                                     another key; in this example, the A key.

Square brackets              [FULL]                  Indicates optional choices; you can enter
                                                     none of the choices, or as many as you
                                                     like. When shown as part of an example,
                                                     square brackets are actual characters you
                                                     should type.

Underscore or hyphen         file_name or file-name  Between words in commands, indicates the
                                                     item is a single element.

__________________________________________________________________
1.2 Obtaining Technical Support

Process Software provides technical support if you have a current Maintenance Service Agreement. If you obtained MultiNet from an authorized distributor or partner, you receive your technical support directly from them.
You can contact Technical Support by:

o Sending electronic mail (Section 1.2.2)
o Calling Technical Support (Section 1.2.3)
o Faxing a description of your problem to the Technical Support Group (Section 1.2.4)

___________________________
1.2.1 Before Contacting Technical Support

Before you call, or send email or a fax:

1. Verify that your Maintenance Service Agreement is current.

2. Read the online Release Notes completely.

3. Have the following information available:

   o Your name
   o Your company name
   o Your email address
   o Your voice and fax telephone numbers
   o Your Maintenance Contract Number
   o OpenVMS architecture
   o OpenVMS version
   o MultiNet layered products and versions

4. Have complete information about your configuration, error messages that appeared, and problem specifics.

5. Be prepared to let a development engineer connect to your system, either with TELNET or by dialing in using a modem. Be prepared to give the engineer access to a privileged account to diagnose your problem.

You can obtain information about your OpenVMS architecture, OpenVMS version, MultiNet version, and layered products with the MULTINET SHOW /LICENSE command. Execute the following command on a fully loaded system and email the output to support@process.com:

    $ MULTINET SHOW /LICENSE
    Process Software MultiNet V5.0 Rev A, VAXstation 4000-90, OpenVMS VAX V7.1

In this example:

    The machine or system architecture is VAX.
    The OpenVMS version is V7.1.
    The MultiNet version is V5.0.
Use the following table as a template to record the relevant information about your system:

Table 1-2 System Information

Required Information                   Your System Information
-------------------------------------  -----------------------
Your name
Company name
Your email address
Your voice and fax telephone numbers
System architecture                    VAX or Alpha
OpenVMS version
MultiNet version

Please provide information about installed MultiNet applications and patch kits by sending a copy of the MULTINET:MULTINET_VERSION.; file.

___________________________
1.2.2 Sending Electronic Mail

For many questions, electronic mail is the preferred communication method. Technical Support via electronic mail is available to customers with a current support contract. Send electronic mail to support@process.com.

At the beginning of your mail message, include the information listed in Section 1.2.1. Continue with the description of your situation and problem specifics. Include all relevant information to help your Technical Support Specialist process and track your electronic support request.

Electronic mail is answered within the desired goal of two hours, during our normal business hours, Monday through Friday from 8:30 a.m. to 5:00 p.m., United States Eastern Time.

___________________________
1.2.3 Calling Technical Support

For regular support issues, call 800-394-8700 or 508-628-5074 for support Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

For our customers in North America with critical problems, an option for support 7 days per week, 24 hours per day is available at an additional charge. Please contact your Account Representative for further details.

Before calling, have available the information described in Section 1.2.1.
When you call, you will be connected to a Technical Support Specialist.

Be prepared to discuss problem specifics with your Technical Support Specialist and to let that person connect to your system.

If our Support Specialists are assisting other customers and you are put on hold, please stay on the line. Most calls are answered in less than five minutes. If you cannot wait for a Specialist to take your call, please take advantage of our automatic call logging feature by sending email to support@process.com (see the Section on Sending Electronic Mail).

___________________________
1.2.4 Contacting Technical Support by Fax

You can send transmissions directly to Technical Support at 508-879-0042.

Before faxing comments or questions, complete the steps in Section 1.2.1 and include all your system information at the beginning of your fax message. Continue with the description of your situation and problem specifics. Include all relevant information to help your Technical Support Specialist process and track your fax support request.

Faxed questions are answered Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

__________________________________________________________________
1.3 Obtaining Online Help

Extensive information about MultiNet is provided in the MultiNet help library. For more information, enter the following command:

    $ HELP MULTINET

__________________________________________________________________
1.4 MultiNet Frequently Asked Questions (FAQs) List

You can obtain an updated list of frequently asked questions (FAQs) and answers about Process Software products from the Process Software home page located at http://www.process.com. Choose the Support link to access useful information on FAQs and patch ECOs.
__________________________________________________________________
1.5 Accessing the MultiNet Public Mailing List

Process Software maintains two public mailing lists for MultiNet customers:

o Info-MultiNet@process.com
o MultiNet-Announce@process.com

The Info-MultiNet@process.com mailing list is a forum for discussion among MultiNet system managers and programmers. Questions and problems regarding MultiNet can be posted for a response by any of the subscribers. To subscribe to Info-MultiNet, send a mail message with the word SUBSCRIBE in the body to Info-MultiNet-request@process.com. The information exchanged over Info-MultiNet is also available via the USENET newsgroup vmsnet.networks.tcp-ip.multinet.

You can retrieve the Info-MultiNet archives by anonymous FTP to ftp.multinet.process.com. The archives are located in the directory [MAIL_ARCHIVES.INFO-MULTINET].

You can also find the Info-MultiNet archives on the MultiNet consolidated CD-ROM in the directory:

    [INFO-MULTINET]

The MultiNet-Announce@process.com mailing list is a one-way communication (from Process Software to you) used to post announcements relating to MultiNet (patch releases, product releases, etc.). To subscribe to MultiNet-Announce, send a mail message with the word SUBSCRIBE in the body to MultiNet-Announce-request@process.com.

__________________________________________________________________
1.6 Process Software World Wide Web Server

Electronic support is provided through the Process Software web site which you can access with any World Wide Web browser; the URL is http://www.process.com (select Support).

__________________________________________________________________
1.7 Obtaining Software Patches over the Internet

Process Software provides software patches in save set and ZIP format on its anonymous FTP server, ftp.multinet.process.com.
For the location of software patches, read the .WELCOME file in the top-level anonymous directory. This file refers you to the directories containing software patches.

To retrieve a software patch, enter the following commands:

    $ MULTINET FTP/USERNAME=ANONYMOUS/PASSWORD="emailaddress" -
    _$ FTP.MULTINET.PROCESS.COM

A message welcoming you to the Process Software FTP directory appears next followed by the FTP prompt. Enter the following at the FTP prompt:

    FTP.MULTINET.PROCESS.COM>CD [.PATCHES.MULTINETxxx]
    FTP.MULTINET.PROCESS.COM>GET update_filename

In these commands:

    emailaddress     is your email address in the standard user@host format
    xxx              is the version of MultiNet you want to transfer
    update_filename  is the name of the file you want to transfer

To transfer files from Process Software directly to an OpenVMS system, you can use the GET command without any other FTP commands. However, if you need to transfer a software patch through an intermediate non-OpenVMS system, use BINARY mode to transfer the files to and from that system.

In addition, if you are retrieving the software patch in save set format, make sure the save set record size is 2048 bytes when you transfer the file from the intermediate system to your OpenVMS system.

o If you use the GET command to download the file size from the intermediate system, use the FTP RECORD-SIZE 2048 command before transferring the file.

o If you use the PUT command to upload the file to your OpenVMS system, log into the intermediate system and use the FTP quote site rms recsize 2048 command before transferring the file.

Process Software also supplies UNZIP utilities for OpenVMS VAX and Alpha for decompressing ZIP archives in the [PATCHES] directory. To use ZIP format kits, you need a copy of the UNZIP utility.
The following example shows how to use the UNZIP utility, assuming you have copied the appropriate version of UNZIP.EXE to your current default directory:

    $ UNZIP := $SYS$DISK:[]UNZIP.EXE
    $ UNZIP filename.ZIP

Use VMSINSTAL to upgrade your MultiNet system with the software patch.

__________________________________________________________________
1.8 Documentation Comments

Your comments about the information in these Release Notes can help us improve the documentation. If you have corrections or suggestions for improvement, please let us know.

Be as specific as possible about your comments: include the exact title of the document, version, date, and page references as appropriate. You can send your comments by email to techpubs@process.com or mail them to:

Process Software
959 Concord Street
Framingham, MA 01701-4682
Attention: Marketing Director

You can also fax your comments to us at 508-879-0042.

Your comments about our documentation are appreciated.

__________________________________________________________________
1.9 CD-ROM Contents

The directory structure on the CD is as follows:

    [MULTINET050]        MultiNet Kit
    [Documentation]      PDF format (.pdf)
                         HTML format (.htm)
                         Release Notes
    [INFO-MULTINET]
    [RFCs]
    [BIND-DOC]
    [XPDF]
        [XPDF.AXP]       for Alpha images
        [XPDF.VAX]       for VAX images
    [LYNX]
        [LYNX.AXP]       for Alpha images
        [LYNX.VAX]       for VAX images
    [VAX55-DECC-RTL]

___________________________
1.9.1 Online Documentation

The MultiNet documentation set is available on the product CD in PDF format. The Release Notes are available on the product CD in text format.
_____________________
1.9.1.1 PDF Format

The MultiNet documentation set has the following PDF files:

o MULTINET_ADMIN_GUIDE.PDF (Installation and Administrator's Guide)
o MULTINET_ADMIN_REFERENCE.PDF (Administrator's Reference Guide)
o MULTINET_MESSAGES.PDF (Messages, Logicals, & DECnet Apps)
o MULTINET_PROGRAMMERS_REFERENCE.PDF (Programmer's Reference)
o MULTINET_USER_GUIDE.PDF (User's Guide)

The PDF format is readable from a PC, a VAX, or an Alpha system. There is a PDF reader on the CD for each platform.

o Use Adobe Acrobat to read the PDF files from a PC. Your PC must have 386 architecture or later to use Adobe Acrobat Reader. You can get Acrobat Reader free from Adobe Systems' Website: www.adobe.com.

o Use the XPDF Reader (found in the [XPDF] directory) to read the PDF files from a VAX or Alpha system. The [XPDF.AXP] directory contains the Alpha architecture reader XPDF_AXP.EXE. The [XPDF.VAX] directory contains the VAX architecture reader XPDF_VAX.EXE.

Note: The XPDF Reader does not work on a PC.

PCs running the Windows or NT operating system cannot read Process Software's CD. You cannot load files from the MultiNet CD directly to a PC. Load them to your VAX or Alpha machine, then transfer them to your PC. We suggest using FTP to transfer these files. The following is an example using MS-DOS:

    C:> ftp node
    ftp> binary
    ftp> mget cd:*.pdf

In addition, Process Software has included LYNX, the character-cell Web browser for VMS. It is in the [LYNX] directory.

_____________________
1.9.1.2 Using Acrobat Reader

To read the PDF files using Acrobat Reader:

1. Double click Acrobat Exchange.

2. Choose Open from the File menu.

3. Select the .pdf file you want to open.

4. Use the menu bar at the top of the screen to navigate the document, or click a Table of Contents entry (on the left) to go directly to that information.

Note: The binocular icon opens search functions.
The magnifying glass icon enlarges the text and illustrations.

_____________________
1.9.1.3 Using XPDF

Thanks to Derek B. Noonburg for letting us download his XPDF application.

Note: You need a three-button mouse to use XPDF.

At the DCL prompt from the directory in which XPDF_VAX.EXE or XPDF_AXP.EXE is stored, do the following:

1. Type RUN XPDF_VAX.EXE or RUN XPDF_AXP.EXE. The XPDF screen appears.

2. Position the arrow on any of the icons (except the ? icon) on the bottom of the screen.

3. Press the right mouse button to display choices.

4. Select OPEN to display the list of PDF files.

5. Select the PDF file you want, and click OPEN to read the file.

6. Use the icons on the bottom of the screen to search for the information you want.

To view the online help for XPDF:

1. Position the cursor on the question mark (?) icon.

2. Press the left mouse button to open the online help.

_______________________________________________________
2 Changes and Enhancements

This chapter describes the changes and enhancements made for MultiNet V5.0.

__________________________________________________________________
2.1 MultiNet V5.0 Installation Note

MultiNet V5.0 installations may only be performed from a random-access device (e.g., disk or CD-ROM). If the MultiNet V5.0 installation is attempted from a sequential-access device (e.g., magtape or TKxx cartridge), the installation will fail. If the distribution savesets have been copied to a sequential-access device (for transporting them, for example), they must be copied to a disk for installation.

__________________________________________________________________
2.2 Note Concerning Kerberos V5

MultiNet now supports Kerberos V5 for SSH and Telnet (Alpha only). Kerberos V5 requires Kerberos for HP OpenVMS (version 2.0), which is available on the HP website. The Kerberos V5 applications can also run with any Kerberos V5 compliant Key Distribution Center (KDC) software.
Kerberos V5 applies to OpenVMS VAX V7.3 or higher, and VMS Alpha V7.2-2 or higher.

__________________________________________________________________
2.3 Note Concerning MultiWare

If you want to continue to use MultiWare with MultiNet, do not install MultiNet V5.0 on your system. MultiWare and all MultiWare-related applications, including management/configuration functionality, have been removed. MultiWare was desupported by TGV prior to 1997.

__________________________________________________________________
2.4 Note Concerning SSH

You must install the DEC C 6.0 backport library on all OpenVMS VAX v5.5-2 and v6.0 systems prior to using SSH. This is the AACRT060.A file. You can find the ECO on the MultiNet CD in the following directory: VAX55_DECC_RTL.DIR.

__________________________________________________________________
2.5 XNTP/NTP Changes

o NTP V2 has been removed from MultiNet V5.0. CONVNTP.COM, which converted NTP V2 service parameters to NTP.CONF and NTP.KEYS entries for XNTP, has also been removed. You should either convert prior to upgrading to MultiNet V5.0 or set up the NTP.CONF file manually.

o NTP v4 has been added to enhance NTP functionality. XNTP is still being distributed to ease transition to NTP v4. Process Software recommends using NTP v4.

o Some of the XNTP utility commands have been renamed to avoid conflicts with the new NTP (v4) commands. The names are now XNTPDATE, XNTPDC, XNTPQ and XNTPTRACE for XNTP, and NTPDATE, NTPDC, NTPQ and NTPTRACE for NTP (v4). All are accessed through the MULTINET command, or through foreign commands created by the new NTP_DEFINE.COM procedure. The definitions previously made by USER.CLD are no longer supported.

o The VMS time logical name SYS$TIMEZONE_DIFFERENTIAL can now be, optionally, maintained by NTPD at DST changes. See the "set_vms_logicals" option for NTP.CONF in the MultiNet Installation & Administrator's Guide.
o The NTP.CONF file can now be placed anywhere through the use of the MULTINET_NTP_CONFIGFILE logical name. The default location is now "MULTINET:NTP.CONF".

o A new capability to have a command procedure called at NTPD startup and at DST transition times has been added. This is to allow other housekeeping operations to be performed as needed at such times, such as altering other time-related logicals, calling other procedures, or sending out notifications. See the NTP chapter of the Installation & Administrator's Guide for details on using this capability.

__________________________________________________________________
2.6 Disabled Services

GATED

Due to the significant changes in the GateD configuration file, the GateD service will be disabled upon installation. Sites that use GateD should read the documentation and make the necessary changes before enabling GateD.

RDISC

The Router Discovery service is handled by the new GateD service, and will be removed from the list of configured servers after installation. Sites that wish to use Router Discovery should read the new documentation on GateD.

IP AddressWorks

Process Software no longer supports IP AddressWorks. There are no IP AddressWorks components in this kit and IP AddressWorks has not been tested with this version of MultiNet.

RSA

RSA ACE/Agent for OpenVMS is no longer supported by RSA Security. Therefore, Process Software can no longer assist with RSA ACE/Agent for OpenVMS-related problems. Process Software recommends using SSH instead.

__________________________________________________________________
2.7 Converted Services

NTP

Prior to MultiNet V5.0, the NTP service represented NTP V2. In MultiNet V5.0, NTP v2 has been desupported and removed from the software distribution kit. The NTP service is converted during the installation to be used with NTP v4.
__________________________________________________________________
2.8 Note Concerning FTP Changes

There have been a number of changes in the FTP client and server to preserve the case of filenames when ODS-5 disks are being used. This has resulted in some changes in the default operation. In particular:

o When not operating in UNIX mode, the FTP server no longer makes the filenames returned in an NLST command all lowercase. This can affect MGET operations. To get the old behavior, define the logical MULTINET_FTP_LOWERCASE_NLST to be TRUE. When operating in UNIX mode, the SRI encoding is still used.

o The FTP client no longer changes the case of filenames to lowercase. This can affect MPUT operations. To return to the old behavior, define the logical MULTINET_FTP_LOWERCASE_MPUT to be TRUE.

o The FTP client will now use SRI encoding for filenames. This can affect GET operations. The effect can be minimized by defining the logical MULTINET_FTP_UNIX_STYLE_CASE_INSENSITIVE to be TRUE.

o When a UNIX style ASCII file on a non-UNIX machine is transferred to MultiNet V5.0, a new line is created in the file upon receipt of either a carriage return/line feed sequence or a line feed. To return to the old behavior, define the logical MULTINET_FTP_ONLY_BREAK_ON_CRLF to be TRUE.

o There are new FTP logicals added to MultiNet V5.0. Please check the "Messages, Logicals, & DECnet Apps" manual for more details.

    MULTINET_FTP_ONLY_BREAK_ON_CRLF
    MULTINET_FTP_SEMANTICS_VARIABLE_IGNORE_CC
    MULTINET_FTP_SEMANTICS_FIXED_IGNORE_CC
    MULTINET_FTP_STOU_OLDNAME
    MULTINET_FTP_MAX_PRE_ALLOCATION

__________________________________________________________________
2.9 Note Concerning Stream symbiont Changes

The following is new diagnostic information for debugging Stream symbiont operation problems.

o Added some aids to problem investigation for stream symbiont.
  While not needed for normal processing, some changes have been made to aid Process support when investigating issues in the MULTINET_STREAM_SYMBIONT. These include additional information in debug log message, and optional announcement of the symbiont process PID and associated queue name. When enabled, the process PID and queue name are announced in OPCOM, the debug log file and in a system logical name of the form "MUTLINET_STREAM_SYMBIONT__PID", with a value of the process PID in hexadecimal. This feature is enabled by defining the system logical "MULTINET_STREAM_SYMBIONT_ANNOUNCE_PID" before starting a queue. The symbiont will check for this logical whenever a queue is started. [DE 8473]

__________________________________________________________________
2.10 SSH Changes

o If a remote MultiNet system offers both SSH1 and SSH2 protocols, the client will always use the SSH2 protocol. The only time the SSH1 protocol will be used is if the remote system offers only the SSH1 protocol. There is no way to force the client to use the SSH1 protocol if the SSH2 protocol is available.

o The default configuration for the SSH client is now SSH2_CONFIG. The SSH_CONFIG file is no longer used.

o The SSH1 and SSH2 clients have been combined into a single client. When a connection to a system is made, the client senses the protocol version used and uses the correct protocol.

o SSHKEYGEN default behavior change: In MultiNet V5.0 a new qualifier has been added to SSHKEYGEN. That qualifier is /[NO]WARN. This qualifier is used to warn the system administrator if a SSH2 host key already exists and asks if the file should be overwritten. Using /NOWARN will not announce the file's existence and will overwrite the file. The default behavior in MultiNet V5.0 is to warn the system administrator and ask if the existing file should be replaced.
  SSHKEYGEN in pre-V5 MultiNet would overwrite the existing SSH2 host key file.

o The following SSHKEYGEN switches have been changed as follows:

    /CONVERT_PKCS is now /PKCS_CONVERT
    /CONVERT_SSH1 is now /SSH1_CONVERT
    /CONVERT_X509 is now /X509_CONVERT

o The SSH1-specific utilities SSH-ADD and SSH-AGENT have been replaced with SSH-ADD2 and SSH-AGENT2, which work with both SSH1 and SSH2 keys.

o The client no longer uses the user's [.SSH] directory. All user-specific files are assumed to be in the [.SSH2] directory.

o The SCP server uses SRI encoding to preserve the case of filenames. The $ character is the escape character that signifies that there is a change in how the following character(s) should be interpreted. If the following character is an alphabetic character, then the case changes. (The initial case is lower, so the first $ changes it to upper, then next to lower, etc.) If the following character is a $, then the result is a $ (with no change in case). International characters in the range of octal 200 to 377 are translated to $ followed by the three-digit octal value for the character. The dot "." character is treated as a special case. The first occurrence in a file name is interpreted explicitly as a dot; later occurrences are translated to the sequence "$5N". $4 followed by a letter is equivalent to the control value for that letter (hex values 1 through 1A for $4A to $4Z). $5 followed by a letter yields hex values 21 to 3A ($5A to $5Z). $7A is space.

o SCP2 treats a filename without a "." (dot) in it as a directory file name. Due to the way the C RTL works, some of the file operations expect it to be a directory file, and some file operations fail, resulting in a loop in the processing of a copy operation. To prevent this problem, always make sure that the destination file has a "."
(dot) in the name, unless the /directory qualifier is included on the command line.

__________________________________________________________________
2.11 Enhancements

o Kernel Upgrade from BSD 4.3 to BSD 4.4. The new kernel has additional mechanisms to prevent denial-of-service (DoS) attacks through TCP SYN flooding, which improves security. Also, performance gains are achieved with improvements made to the kernel routing table.

o IP Security (IPSEC): As part of the kernel upgrade, IPSEC has been added to MultiNet. This standards-based technology provides a secure tunnel for transmitting data through an unsecured network such as the Internet. IPSEC's authentication header (RFC 2402) and IPSEC Encapsulation Security Payload (RFC 2406) are supported in transport mode, which secures packets between any compliant hosts.

o Classless Inter-Domain Router (CIDR): As part of the kernel upgrade, CIDR has been added to MultiNet. CIDR assures large organizations of connectivity to their entire network by allowing expansion of the available IP addresses. This can be critical given today's complex topologies, high traffic loads, and the explosive growth of the Internet. New scaling problems at an unprecedented rate have occurred, including exhaustion of Class B network addresses, backbone routing overload, and exhaustion of IP network numbers. This feature implements CIDR RFC 1517, 1518, and 1519. Use of variable-length subnet masks with CIDR solves these problems by allowing for supernetting and aggregating address assignments.

o MULTINET SET/ROUTE/[ADD]|[DELETE] new keyword NETMASK: As part of the kernel upgrade to support CIDR, the NETMASK keyword has been added to both the ADD and DELETE route command to allow specification of classless route entries. See the MultiNet Administrator's Reference Guide for further details.
o Gateway Routing Daemon (GATED): A new version of GATED, based upon Gated Release 3.5 from Cornell University, has been provided with this version of MultiNet. The new version of GATED adds support for CIDR and OSPF. GATED provides dynamic routing information in order to determine the best path to use between a source and destination host. It is more efficient than static routing because the system administrator does not have to update a host's or gateway's routing table manually. GATED determines the best route for a packet to travel by gathering and using various standard routing protocol information from OSPF (Open Shortest Path First), RIP2 (Routing Information Protocol), route discovery, and others. GATED is no longer controlled by MULTINET NETCONTROL; there are new MULTINET GATED commands to interact with it.

o ODS-5 for NFS Server: This feature allows for long file names and a mixed-case naming convention.

o NTP v4.1.1: NTP is a protocol designed to keep the system clock set accurately by comparing it to one or more time servers elsewhere on the network and adjusting as necessary. NTP v4.1.1 improves time synchronization performance for large networks and better handles rogue time servers. This new implementation of NTP (4.1.1) has enhanced support for Daylight Savings Time (DST) adjustments; particularly in terms of time to make the change when set to slewalways mode, or when not set to slewalways mode and there are no time servers available.

o Kerberos v5 Telnet Server and Client: Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity. MultiNet supports Kerberos v5 server and client for Telnet.
It requires Kerberos for HP OpenVMS which is available on the HP website and it can also run with any Kerberos v5 compliant Key Distribution Center (KDC) software. VMS V7 only.

o FTP Enhancement - The logical MULTINET_FTP_MAX_PRE_ALLOCATION can be used to limit the size of pre-allocated disk space for a file when the file size information is available at transfer time. This can be important when transferring very large files as it can take a long time to pre-allocate the file at the start of the transfer when timeout routines in FTP and/or firewalls may cause connections to be dropped. This logical does not have any effect for STRU OVMS transfers of Indexed, Contiguous, or Contiguous Best Try files; these files need to have accurate allocation size information at the start of the transfer. [DE 7805]

o FTP Enhancement - The logical MULTINET_FTP_LIMITED_FILE_SHARING when defined to True, Yes, or 1, causes files to be opened with the SHRGET option. This disables the ability to get a file that another program has open for write. [DE 8461]

o FTP Enhancement - The FTP client now recognizes the status code 202 as "Not implemented" (as defined in RFC 959), and it will no longer assume that STRU VMS negotiation has completed successfully when it receives this code. [DE 7863]

o SMTP Enhancement - A new logical "MULTINET_SMTP_INCOMING_MSGSIZE_LIMIT" has been added which can be used to reject an oversized incoming message. It can be defined as:

    S "Small" = 1 MB
    M "Medium" = 10 MB
    L "Large" = 100 MB
    X "eXtra large" = 1000 MB

The default for this logical is not defined, which means that no size limit checking is performed. If the logical is defined, when the message size is detected to be over the defined limit, the message will be rejected.
In the following example, any mail over 10 MB will be rejected:

    $ DEFINE/SYS/EXE MULTINET_SMTP_INCOMING_MSGSIZE_LIMIT "M"

Please note: The size that the SMTP server checks is the size of the data received in the data channel. It may be different from the actual message size. This is especially true when the message has an attachment. In such cases, the attachment will be encoded and the data size will be the message size plus the encoded attachment data size. [DE 3373]

o SMTP Enhancement - The System Administrator can use "MultiNet configure/mail" to set a value for "SMTP-HOST-NAME", replacing the real host name in the "Received:" lines of the mail header. [DE 7791]

o The new kernel accommodates the IPV6 specifications. Further development will support IPV6 in a native mode.

o /PASSIVE qualifier has been added for the FTP client. [DE 7890]

o UCX emulation allows KEEPINIT, KEEPCNT and NODELACK options. [DE 7004]

o NTY print symbiont enhancement - Changes have been made to ignore "UNREACHABLE" errors when they are caused by printing a zero-length file. Also, a logical has been added which can be used to restore the old behavior. The logical is:

    MULTINET_NTYSMB__ZEROUNREACHERR

where is the queue name, or a "*" wildcard character which means it applies to all queues. The old behavior will not be changed if the logical is defined to Yes, True or 1. The usage example of the logical: [DE 9364]

    $ define/sys MULTINET_NTYSMB_q0_ZEROUNREACHERR "Yes"

o MultiNet Master Server Enhancement - The initial FTP connection procedure has been modified to use SYS$GETUAI instead of reading the system authorization file. This was done to reduce access contention problems. This change corrects a potential problem where a SYSUAF file was being blocked by other processes.
[DE 9446]

SSH Enhancements

o SSH2 server configuration files now support "subconfigurations" based on the client's hostname or desired username on the server.

o SCP2 now supports ASCII-mode file transfers.

o Support for performing authentication via certificates.

o The CERTENROLL client has been included to enroll certificates with a Certification Authority (CA) via the CMPv2 protocol.

o Support for using Kerberos5 for user authentication. (VMS V7 only.) Requires Kerberos for HP OpenVMS.

o The VMS accounting record for SSH sessions will have the REMOTE NODE field loaded with the value "SSH", "SCP" or "SFTP" as appropriate, and the REMOTE ID field will be loaded with the client's IP address and port number in hex as "xxxxxxx:xxxx". This will allow system managers to display all SSH sessions for a given timeframe, by using the /NODE= qualifier on the ACCOUNTING command line. [DE 7048]

o SCP has two new qualifiers. These two qualifiers, plus a relaxation in the synchronization of reads and writes between the source and destination, are aimed at providing improved performance over slow links.

    /BUFFER_SIZE=integer
        Number of bytes of data to transfer in a buffer. Default=7500, min=512.

    /CONCURRENT_REQUEST=integer
        Number of concurrent read requests to post to the source file. Default = 4.

The following logical names are new:

o MULTINET_SSH_SFTP_SERVER_DEBUG n - sets the debug level for the SFTP server debug. This logical may be set at any point in the user's default logical search list to set the amount of debugging information to include in SYS$LOGIN:SFTP-SERVER.LOG (this file is only written when the logical is defined).

o MULTINET_SSH_SCP_SERVER_DEBUG n - similar to the logical MULTINET_SSH_SFTP_SERVER_DEBUG, but for the SCP1 server; the file is written in SYS$LOGIN:SCP-SERVER.LOG.

o SSH Port forwarding can now be used to forward FTP.
The SSH software contains a filter for the FTP commands PASV and PORT and their replies, and will dynamically create an encrypted data connection for the FTP session and substitute the information in the PASV and PORT commands and the replies. To do this, create a forwarded port:

    $ SSH /LOCAL_FORWARD= - ("""FTP/:localhost:21""")

The "localhost" is key, as it sets the outgoing IP address from the forwarded session and it needs to be set to "localhost" for the data port substitution to work. The 3 sets of quote characters (") are due to DCL parsing.

To use this port from MultiNet FTP:

    FTP>PORT
    FTP>OPEN localhost

To allow a single system to act as a gateway between two networks, add /ALLOW_REMOTE_CONNECT to the SSH command that initiates the connection. This command will establish an encrypted FTP session with the remote host that the SSH connection is sent to.

o For OpenVMS AXP 7.2 and higher systems, enable support to allow transfers of files greater than 2GB in size. All OpenVMS AXP V7.1.x and lower, and all OpenVMS VAX systems, will still be restricted to a maximum file size of 2GB.

o A public key server and assistant have been added to make it easier to manage keys for SSH public key authentication.

o SFTP Server and Client: SFTP allows for secure file transfers. This feature was released in a patch for MultiNet V4.4. SFTP is now included in the MultiNet V5.0 release.

Stream symbiont

o The Stream symbiont was enhanced to reduce or eliminate aborted jobs when there are problems with the symbiont itself, or the environment it is running in. Jobs are now requeued, or the queue stopped, rather than the jobs being aborted. [DE 8474]

o DNS translation is now retried until successful. Prior versions of the symbiont would give up if a DNS translation failed, resulting in aborted jobs when DNS or the queue were misconfigured.
The new version of the symbiont will continue retrying the DNS translation until it is successful. The translation retries are done after a delay, which starts at 30 seconds and is doubled with each attempt until a maximum delay is reached (default is 1 hour). The initial retry delay, and the maximum value it will rise to, are settable with the "MULTINET_STREAM_SYMBIONT_TIMES" logical, which now has two additional values:

    $ DEFINE/SYSTEM/EXEC MULTINET_STREAM_SYMBIONT_TIMERS - [ [ []]]

[DE 7714]

__________________________________________________________________
2.12 Fixed Problems

Configuration

o IP-Cluster-Alias routes now get removed correctly. [DE 8008]

o ACCVIO no longer occurs when using the MultiNet Configuration Menu for either modify or show parameters. [DE 8417]

DHCP

o A problem where the DHCP server crashes when a DDNS update is attempted has been corrected. [DE 7872]

o Corrected a problem where the DHCP server crashes under certain circumstances. [DE 8791]

Drivers

o A system crash on SMP based systems relating to the closing of a BG socket when there are pending accepts has been corrected. [DE 8997]

FTP

o Fixed a problem with MultiNet FTP server denial of service. [DE 9204]

o Corrected a problem with the FTP Server that would cause it to keep files open after MDTM operations and consume resources. This will generally only be noticed in sessions that involve a large number of MDTM operations. [DE 9248]

o FTP client Control-A counters no longer overflow. [DE 8537]

o Fixed a problem with filenames longer than 39 characters written to ODS-2 disks on Alpha VMS 7.2-1 and later. [DE 8823]

o Corrected a problem in the FTP client where the "Seconds Remaining" text was incorrect under certain circumstances, such as the case of getting a big text file from a Unix machine.
[DE 8804]

o Fixed a problem where using a file for the "ftp_230_reply" message could potentially generate an ACCVIO if there is no carriage-return in the file. [DE 9228]

o Corrected a problem with the FTP Server 226 reply which gave inaccurate bytes transferred with very large files. [DE 8463]

o Fixed a problem with the DIR command returning the incorrect value on file size with very large files. [DE 8280]

o Mandatory security update in FTP client.

o Corrected a problem where control-A displays an incorrect calculation of bytes transferred when using the GET command. [DE 7925]

o Fixed an error in displaying the modification time for some files in response to the MDTM command. [DE 7802]

o Allows the CD command to specify a logical name without requiring a terminating colon. [DE 8232]

o Eliminated an ACCVIO that can occur when renaming a large group of files. [DE 8110]

o Fixed an ACCVIO that can occur when files with multiple dots in the filename are retrieved from a Unix system. [DE 8108]

o Corrected a problem with the way that FDL files are written with PUT/FDL and prevents an error in parsing them with GET/FDL by removing the OWNER statement from the FDL information. [DE 7635]

IMAP

o Macintosh IMAP clients no longer see several versions of the same email message. [DE 8771]

o Fixed a problem with IMAP showing messages with header part of body when using smtp% to send mail. [DE 9194]

o Fixed a problem with the IMAP option "set case-insensitive-folders true" which could cause some IMAP clients to wait forever when trying to initially subscribe to a non-existent folder on the server. [DE 8543]

o Fixed a problem with the IMAP option "set case-insensitive-folders true" which could cause some IMAP clients to timeout when attempting to delete a folder on a VAX.
[DE 8563]

o Corrected a problem with the IMAP server which could set an incorrect timezone offset on messages when a timezone name configured on MultiNet is used by multiple timezones, such as the pair of timezones US-EST and AUSTRALIA-EST, which both use "EST" as the name of their own time zone. [DE 8765]

o Corrected a problem where the IMAP server responded incorrectly to requests for the message INTERNALDATE attribute. [DE 8766, DE 8771]

o A new logical "MULTINET_IMAPD_GREETING_MESSAGE" has been added that can be used to stop displaying version information for the IMAP service or to define a user-specific message, which is limited to 128 bytes. [DE 7702]

Installation

o Examples for SNMP_SUBAGENT.H and SNMP_SUBAGENT.C have been provided in MULTINET_COMMON_ROOT:[MULTINET.EXAMPLES] for those who desire to create SNMP subagents using the SNMP Extensible Agent API Routines. [DE 8494]

IPP

o The IPP symbiont was changed to fix several communication problems and to add the [NO]ABORT_ON_ERROR queue configuration option/print command parameter. If ABORT_ON_ERROR is specified for a queue or a job and there is a communication error after print data has been sent, the job will abort. If NOABORT_ON_ERROR (the default) is specified, the job will backstep to a prior point in processing where the server doesn't have prior knowledge of the state of the job, and will resume from that point. [DE 8889]

o Fixed a problem with configuration processing that resulted in errors when /LOG_FILE was specified, particularly when it wasn't the last option. [DE 7962]

o The IPP symbiont problem with the MS-IIS server sending "100 continue" messages has been corrected. [DE 7888]

Load Balancing

o The load balancing rating has been corrected for the case where the number of interactive users equalled but didn't exceed the limit.
[DE 8743]

Master Server

o Fixed problems with displaying the FTP greeting when the logical name MULTINET_FTP_ANNOUNCE points to a file. Approximately 1800 bytes will be displayed. Any text beyond that is now replaced with the string ".....". This also resolves a problem that caused the master server process to crash. Please note the following change in behavior: When MULTINET_FTP_ANNOUNCE is defined, the default FTP connection banner or the user-defined banner (the MULTINET_FTP_CONNECT_BANNER logical name) will not be displayed. The continuous lines of the ANNOUNCE message are now prefixed with "220-". [DE 9447], [DE 8887]

o Corrected a problem where the master server could prevent some services (such as FTP, NFS, R_SERVICES) from accepting incoming connections after being probed by port scan software. [DE 7896]

o Fixed problems with displaying the FTP "421 reply" message when the logical name MULTINET_FTP_421_REPLY points to a file. Approximately 1800 bytes will be displayed. Any text beyond that is now replaced with the string ".....". Please note the following change in behavior: The continuous lines of a "421 reply" message are now prefixed with "421-". [DE 8887]

o Corrected a problem where the master server process could crash when MULTINET_FTP_421_REPLY specified a file as the message. [DE 9442]

MultiCast Receiving

o Problems with more than one multicast receiver listening on the same port have been corrected. [DE 6718]

MultiNet SHOW Command

o Timestamps have been added to many of the displays produced by MULTINET SHOW. [DE 8164]

MultiNet Startup

o The MultiNet Configure/Servers program has been modified so that the DNS service (DOMAINNAME) is written out first to MULTINET:SERVICES.MASTER_SERVER. This causes DNS to be started before other services.
If you would like to have DNS started first, then perform the following sequence of commands after upgrading to MultiNet V5.0 so that a new MULTINET:SERVICES.MASTER_SERVER file is written: [DE 9096]

    $ MULTINET CONFIGURE/SERVER
    WRITE
    EXIT

NFS V2 Client

o Server shares with large amounts of free space (over 2^16 512-byte blocks) would be reported as having zero free blocks. Attempts to create new files would fail with an "Insufficient space" status. This has been corrected. Now, amounts of free space up to 2^32 blocks are directly represented in the Volume Control Block. Larger amounts are represented as 0xFFFFFFFF. Please note that $ SHOW DEVICE reports these larger amounts as "********". This display limitation lies within OpenVMS, not MultiNet.

o Some NFS servers can erroneously return more data bytes than requested by a READ operation. Previous versions of the MultiNet NFS client ACP could abort when a remote server did so. The NFS client has been modified to handle this NFS server violation of the NFS V2 protocol. The extra data bytes are now discarded.

Programming

o getsockopt now returns the correct value for TCP_NODELAY. [DE 8973]

RCP

o Corrected a problem where an RCP remote to local copy was using an incorrect destination filename when local path was using a logical name. This problem was introduced in MultiNet v4.4. [DE 9120]

o Corrected an issue where RCP would cause an access violation when run in a detached process. [DE 8126]

o Added code to stop passing the "SYSTEM-F-EXITFORCED" error message to the Rshell client. This change fixes a problem where this error message is displayed when the Rshell server is on a VMS 7.3-1 or later system and the system parameter DELPRC_EXIT is set by default on the system. [DE 8582]

o Corrected a problem where an RCP remote to local copy was using an incorrect destination filename. This problem was introduced in MultiNet v4.4.
[DE 8697]

o Corrected a problem where the RCP remote to local copy confirmation message displayed an incorrect source filename. [DE 8709]

o Corrected a problem where the RCP command-completed message sometimes showed the wrong source file name.

RSH

o Corrected a problem where the output data stream of the RSHELL session can occasionally be truncated by an EOF character. A new logical "MULTINET_RSHELL_ENABLE_EOF" has been added to make the old behavior available. The logical usage is as follows:

    $ define/sys/exe MULTINET_RSHELL_ENABLE_EOF "anything"

The logical is not defined by default. [DE 9376]

SMTP

o Fixed an SMTP channel leak that occurred when the banner was not received. [DE 8554]

o Corrected a problem where the SMTP queue stopped with the OPCOM error message "$SNDJBC abort control function failed on...". [DE 7846]

SNMP

o Access violations (ACCVIO) could occur when attempting to set thresholds with the Insight Management Agents. [DE 8816] [DE 8764] [DE 8684]

o AgentX octet strings that contain a 0 (zero) byte are now properly returned. [DE 8656]

o The SNMP agent can now return information on more routes by defining the logical MULTINET_SNMP_MAX_ROUTES. The default value is 256 and the maximum value is 3276. The maximum number of connections can be controlled with the logical MULTINET_SNMP_MAX_CONNECTIONS. The default value is 256 and the maximum value is 2978. These logicals can be maintained with MultiNet Configure/Network. [DE 8590]

o The SNMP agent now correctly reports the value for ipFragFails (fragmentation failures). [DE 8458]

o The set of OID names that the MultiNet/Show/SNMP/MIB program knows about has been increased to include the Host Resources MIB. [DE 8366]

SSH

o Using the logical name MULTINET_SSH2_HOSTKEY_DIR now works. [DE 9166]

o Fixed a problem with the SHOSTS.EQUIV file for SSH v2 Host-based Authentication.
[DE 9173]

o SSH on VAX/VMS V5.5-2 accounts with expiration date now work. [DE 9256]

o The PWDLIFETIME field in the UAF record was not being used correctly when handling expired passwords. [DE 9215]

o Captive accounts are no longer allowed to execute remote commands. [DE 9260]

o When a directory contained a search list (e.g., for SYS$MANAGER), the directories weren't processed correctly. [DE 9284]

o If a client presented multiple host keys when doing hostkey authentication, only the first key was being used by the server. [DE 9137]

o If the SYSTEM account was disabled, users could log in, but an intrusion record for SYSTEM may be created. [DE 9229]

o AllowGroups processing was incorrect. [DE 9286]

o The SSH1 server would continually do I/O when it should be idle during a session. [DE 6955]

o The user keys were required to be in STREAM-LF format. They may now exist in VAR format as well. [DE 7897]

o The directory information used by the keyword UserConfigDirectory in the SSH2_DIR:SSH2_CONFIG. configuration file was ignored by SSHKEYGEN. [DE 8145]

o The following command would cause the client to terminate with an error of "%SYSTEM-F-FILNOTACC, file not accessed on channel": [DE 8219]

    $ ssh foo.bar ssh foo.bar

o If the SSHAGENT is terminated by a CTRL-C, the following message may be output and the agent might hang: [DE 8454]

    SSH-AGENT exiting...
    ssh_io_unregister_fd: file description 1179010630 was not found

o After applying ECO SSH-030-A044 and later, SSH1 sessions will have their terminal geometry arbitrarily set to 24x80.
[DE 8512]

o When performing an SCP command and the target account has an expired password, the session will terminate and the SSH_LOG:SSHD.LOG file will contain the following lines: [DE 8517]

    Command: "set password"
    Attempting to find command "set"
    WARNING: SSHD2: Subsystem set password not defined"

o When a new user account is created and the first login to it is from an SSH2 session, the SSH2 server may ACCVIO. [DE 8629]

o The process login flags are not being updated correctly to reflect, for example, new mail. They are now updated to correctly reflect new mail, an expired password, or a password about to expire. These flags are accessed via, for example: [DE 8715]

    F$GETJPI(0, "LOGIN_FLAGS")

o When an expired password is being changed and the new password is in the history list, the session was immediately disconnected. This is inconsistent with the way telnet or a normal login works. [DE 8721]

o An interactive session could sometimes have a mode of "OTHER" rather than "INTERACTIVE". [DE 8730]

o The SSH client /COMPRESS switch is ignored. [DE 8737]

o When performing an SCP2 copy using the /TRANSLATE switch, an ACCVIO could be encountered. [DE 8740]

o When logging in to an SSH2 session and logins are disabled or the maximum number of interactive logins is exceeded, the server would not notify the client of the reason (e.g., "Logins are currently disabled - try again later"). [DE 8778]

o A cipher specified by /OPTION=(CIPHER=ciphername) was case-sensitive when it shouldn't be. [DE 8842]

o The image that handles SCP transfers from OpenSSH had some errors in its handling of the SRI encoding on ODS5 logicals that could result in the wrong files being transferred. This has been corrected.
Note that if the user only desires to match a particular case of file, and they are on VMS 7.3-1 or later, then the following command must be executed in the user's LOGIN.COM: [DE 9018, 9021]

    $ SET PROCESS/CASE_LOOKUP=SENSITIVE

o CERT advisory CA-2002-36, "Multiple Vulnerabilities in SSH Implementations", has been addressed. Note that the F-Secure security advisory "Setsid() Vulnerability in F-Secure SSH" does not affect this software. [DE 8681]

o If an account is marked CAPTIVE or RESTRICTED in its UAF record and an expired password is encountered, the LGICMD command procedure could enter an infinite loop and the password could not be changed. [DE 8676]

o By default, the BannerMessageFile keyword is set to display the contents of SYS$ANNOUNCE. If the default for BannerMessageFile isn't changed and the SYS$ANNOUNCE logical is deleted from the system, the text "sys$announce" will display during the login session. The proper behavior is to display nothing. [DE 8586]

o The SSHD server process would retain its identity as belonging to the SSH user. It should take the identity under which SSHD_MASTER runs. [DE 8691]

o The SSH2 server process will occasionally exit prematurely when attempting to copy a file via SCP or SFTP to the server system, so the copy attempt would fail. [DE 8699]

o Incorrect SCP syntax could result in a process ACCVIO. [DE 8666]

o When using SecureFX V2.1 from VanDyke Technologies, the transfer would fail with "Invalid SFTP request ID in server response. Closed SFTP channel." [DE 8520]

o Corrected a problem with SCP commands issued from a system using OpenSSH that did not preserve uppercase letters in filenames. [DE 8585]

o The SSH server could hang if the child process it creates terminates within a few seconds of instantiation.
[DE 8433]

o When a remote command was executed and DCL VERIFY was enabled after the SYLOGIN.COM and LOGIN.COM files were executed, "$ SET NOON" would appear in the command output. [DE 8395]

o When transferring a file via SCP, some line feeds could be missing from the data, destroying the formatting. [DE 8387]

o When transferring a file from a UNIX system running SSH.COM SSH 3.2.0, the following error could be encountered: [DE 8422]

    "FATAL: filexfer_client: bad STATUS (ver 3)"

o When translating a VMS text file to STREAM-LF format during a file copy operation to a UNIX system, the following error could be encountered: [DE 8413]

    "Restarting protocol, eSNMP error: A negative response."

o When a "quit" command was executed from OpenSSH SFTP after transferring a file, the session would appear to hang for up to five minutes. [DE 8412]

o Insufficient GBLPAGES causes the server to ACCVIO during startup.

o The UAF DISFORCE_PWD_CHANGE flag was not being handled correctly.

o Users with NETWORK access but not REMOTE access could log in. This has been changed to use the REMOTE field in the UAF. To restore the previous behavior, define the following logical system-wide: [DE 8252]

    MULTINET_SSH_ACCESS_CHECK_OLD_STYLE

o Under some circumstances, when executing a remote command it is possible to encounter a debug message of the format: [DE 8216]

    write stdout: iosb status = 1, len 400 400

after the output from the foreign command.

o The wrong privilege mask was being used and therefore users with OPER privilege were not allowed to log into systems where logins were disabled. [DE 8073]

o When a remote command is specified in an SSH command, and a parameter is enclosed by double-quotes:

    $ ssh foo.bar.com @mydcl "param1" param2 "param3"

the parameter is lowercased instead of having its case preserved.
[DE 8158]

o A problem with data corruption when a file is translated to STREAM-LF by SCP2, SFTP-SERVER2 or SCP-SERVER1 has been corrected. [DE 8117]

o Extraneous linefeeds could sometimes appear in SSH1 client output when SYS$OUTPUT was not a terminal device, including using intermediate hops during remote command execution (SSH node SSH node command). [DE 7215]

o An SSH2 remote command execution could abort with the message "Bugcheck: failed to find record for descriptor n". [DE 8102]

o A new warning status (and message) has been added to SCP2 for those cases where an existing file on the target system cannot be deleted before being written. When not operating in VMS mode SCP2 deletes the destination file if it exists before copying the new data to it to prevent creating a file with corrupt data if it is not able to truncate the file to the size of the source file. If the file cannot be deleted SCP2 overwrites the existing file. The message is displayed whenever an existing file is overwritten, whether or not truncation happens. [DE 8183]

o Secure file copies could fail with the message: [DE 8155]

    SCP2: warning: child process [SSH2] exited with code -1

o When transferring files via the Windows F-Secure SFTP client to the VMS system, only the first file will transfer. All subsequent file transfers attempted to the VMS system during that same session will fail. [DE 7672]

o OpenSSH SCP2 commands to a MultiNet 4.4 system fail. [DE 7740]

o If an SSH1 or SSH2 client command contains a vertical bar character:

    $ SSH2 FOO "PIPE SHOW SYS | SEARCH SYS$INPUT: SSH

the command will usually terminate with an error. [DE 7836]

o SCP2 doesn't handle "<>" in file specifications and default directories correctly. [DE 7852]

o The identification string output by SSHD_MASTER indicates that both SSH1 and SSH2 sessions are supported, even if both protocols are not configured in CONFIGURE/SERVER.
This causes connection attempts for unsupported protocol versions to hang or return an incorrect error rather than returning the correct error. [DE 7866]

o Port scanning tools may cause SSHD_MASTER to ACCVIO. [DE 7871]

o SCP2 may return the following error when attempting to transfer a file: [DE 7875]

    SCP2: warning: received error 38018 trying to create ssh subprocess

o Attempting to use remote system host keys stored in MULTINET_SSH2_HOSTKEY_DIR would fail. [DE 9166]

o Fixed a problem with the SHOSTS.EQUIV file for SSH v2 Host-based Authentication. [DE 9173]

o SSH would not start correctly on any version of VMS where the version didn't start with "V" (for example, VMS E7.3-2). [DE 9199]

o Accounts with expiration dates may not be processed correctly. [DE 9256]

o The TT_ACCPORNAM string set for an SSH session has been modified so that it's prefaced with "ssh/" in order to allow a user command procedure or program to determine that it's running as an SSH session. For example, the TT_ACCPORNAM string will now look like: [DE 8678]

    $ write sys$output f$getjpi("", "TT_ACCPORNAM")
    ssh/foo.bar.com:10333

Stream Symbiont

o The debug log flushing problem has been addressed. In prior releases of the stream symbiont the debug log was not flushed to disk explicitly, and in some cases this could result in a loss of the debug information when the process was stopped suddenly. There is now a new system logical name, "MULTINET_PRINTER_FLUSH_LOGFILE", to address this issue. If flushing of the log data to disk is desired, define the logical with any value and each write to the log file will be flushed to disk immediately. By default this is not done. The logical is checked only at symbiont process startup, so processes will need to be stopped and restarted to activate or deactivate this behavior once the logical is created or deleted.
Use of this logical is likely to slow the execution of the stream symbionts, so it should only be used when deemed necessary. When the debug logging is not active, the logical has no effect. [DE 9177]

o Job requeue handling fixed. When a transmission error, such as 8100 (EPIPE), occurred, the symbiont incorrectly handled the procedure to requeue the job. This left the job in an "aborting" state and the queue stalled. Stopping the queue with STOP/QUEUE/RESET worked, but even if this was the only queue using the stream symbiont image, the symbiont process would not exit. STOP/ID= was needed to kill the symbiont process. This problem has been corrected. [DE 9176]

o Fixed several problems with communication link handling. [DE 8409]

o BLANK PAGE PROBLEM fixed. When the SUPPRESS-EOJ-FF setting in MULTINET CONFIGURE/PRINTER was enabled, or the MULTINET_PRINTER__SUPPRESS_FF logical was manually defined in the MULTINER_PRINTERS logical name table, there would be a blank page generated before each job except the first one through the queue after queue startup. This was generated by the OpenVMS symbiont library code when a CRFF wasn't generated by the EOF code of the prior job. Changes have been made to suppress CRFF at the start of each job. This should return the symbiont to the behavior of the MultiNet V4.3 symbiont so far as initial CRFF suppression is concerned. The SUPPRESS-EOJ-FF setting and associated logical name may still be used to allow or suppress the generation of CRFF at the end of jobs. The default is to still generate these. [DE 8600]

o CONNECTION OPEN NOW WAITS FOR PRIOR CONNECTION TO CLOSE. Prior versions of the symbiont would attempt to start the next job, opening a TCP/IP connection to the printer, while the link from the prior job was still closing when there were several jobs in the queue. Some printers behave very badly when this is done, which resulted in aborted jobs.
Even when printers don't misbehave, most can't handle reception of a job until the prior one is cleared from the buffer, so they reject the connect attempt. This results in unnecessary traffic on the network. Code was added to delay connect attempts until prior connections are completely closed. [DE 8409]

o CHANGED THE DEFAULT RESPONSE TO A WRITE ERROR. Older symbionts just closed the link that received the error, opened a new one and continued sending data. In some cases this behavior can result in data loss without any indication that there has been a problem. The new behavior is to requeue the job by default, and to allow the Dead Link logical to specify the action to take if the default is not what is desired. Basically, the symbiont will behave the same way now when it gets a socket write error as it does when it gets a Dead Link timeout, with a default of "requeue job" if Dead Link detection isn't enabled.

  To return to the old behavior, set up the MULTINET_STREAM_DEAD_LINK_TIMEOUT logical (or the queue-specific equivalent), as described below and in the MultiNet documentation (starting with rev 4.4), with an option of "CONTINUE". Note that "timeout_secs" should not be set to too small a value to allow for printers that delay response while they process buffered data. It should be at least several minutes in most cases. Setting the timeout too short will result in slow printers being treated as printers with dead links. The value is a signed integer. [DE 8050]

o A problem that resulted in the symbiont accumulating INET devices until it ran out of I/O channel resource has been fixed. The symbiont should now properly close down sockets once a job has completed. [DE 7862]

UCX Emulation

o An error in setting the h_length field of the hostent structure returned by gethostbyaddr has been corrected.
[DE 8141]

o A problem has been fixed where multicast packets may not be received if pseudo-devices are configured on the system. [DE 7987]

UCXDRIVER

o If the SO_SNDBUF or SO_RCVBUF socket option was specified with a value greater than 57856, the UCXDRIVER would return success status, but would actually use a value of 57856. This limitation has been removed and larger values may be specified, with the maximum controlled by the kernel variable sb_max. An application specifying a larger value than 57856 may receive an ENOBUFS error unless sb_max is increased. [DE 7900]

XDM Server

o Fixed a problem where the XDM Server would sometimes report the error "Cannot convert Internet address". [DE 8379]

o Fixed a problem starting the Font server. [DE 8384]

o Fixed a problem where the XDM server would become the XDM_ZOMIBE process due to improper synchronization of the work queues. [DE 9498]

__________________________________________________________________

2.13 PING behavior change

Previously, when PINGing a system that was non-responsive no message was displayed until PING was interrupted by control-C. With MultiNet V5.0, there are two possible behavior sequences.

1. If the target system doesn't respond to the ARP request then the following error status will be displayed for each packet sent: "MULTINET-F-EHOSTDOWN".

2. If the target system does respond to the ARP request, but doesn't respond to the ICMP (ping) request, then no message will be displayed until control-C is pressed (same behavior as MultiNet V4.4).

__________________________________________________________________

2.14 MULTINET SET/ROUTE/FLUSH behavior change

This command will flush the interface route that was established with the MULTINET SET/INTERFACE. In MultiNet V4.4 this route would have been retained.
__________________________________________________________________

2.15 Known Problems

DECnet over IP

o The copy process comes to a standstill somewhere between 1 minute and 10 minutes. The originating process remains in LEF state. [DE 7128]

DNS

o BIND / DNS secondary server leaves copies of BIND_MOVEFILE.xxxx hanging around. [DE 9140]

o DNS Server may not answer queries. This problem is encountered when the DNS Server process doesn't have sufficient page file quota. Increasing the page file quota will fix this problem. [DE 8136]

o DNS_CONVERSION_TOOL on VAX produces an incorrect DNS configuration file. [DE 8576]

FTP

o COPY/FTP to sys$output: writes a file. [DE 7906]

o FTP does not propagate source filespec defaults to target. [DE 7886]

o When QUITing out of an FTP session, an access violation error could occur if the MULTINET_FTP_221_REPLY logical is defined to point to a text file. [DE 9450]

NAMED

o NAMED server runs out of channels when a slave NAMED server is set up to handle several zones. [DE 7411]

o Large Zone transfers cause NAMED's demise. [DE 9243]

o NAMED log files all have the same CREATE time. [DE 8645]

NFS

o Process goes away when a newly allocated channel is linked to open_channels. The master server must be restarted in order for the process to come back. [DE 8991]

o NFS Server process can become compute bound handling a large file. [DE 9058]

o Server problems occur if the file block size is greater than 17408.

o A very busy NFS client can result in orphaned NFS devices and possibly cause a system to crash. [DE 6918]

o System crash in the NFSDRIVER because the calling process passed an invalid descriptor in the P2 argument. [DE 8259]

o MultiNet system crash in NFSDISMOUNT with the NFS client. [DE 7731]

o NFS file atime and mtime set with a SETATTR is lost.
[DE 7199]

o CMS RESERVE and CMS REPLACE commands fail with errors concerning file protection. [DE 7419]

o Cannot add a new user to NFS when the number of users approaches 5,000 uid's. [DE 8260]

o The following NFS-related error message occurs with MultiNet version 4.4A: "-SYSTEM-W-BADIRECTORY, bad directory file format." [DE 8541]

o NFS binary file corruption occurs in a VAX cluster running VAX/VMS 5.5-2 and MultiNet 4.4A-X. [DE 8898]

o There appears to be something wrong with the filename mapping. [DE 9226]

PCNFSD

o Memory leak occurs via LPD queues when the pc clients are set up to spool to the server versus spool the file locally. [DE 5452]

POP3

o POP3 incorrectly assumes that the first command after the AUTH command is USER. [DE 6769]

Programming

o UCX$C_FULLDUPLEX_CLOSE and UCX$C_USELOOPBACK are not supported. [DE 6347, 7005]

RLOGIN

o MultiNet v4.4A-X: rlogin does not forward correct X display. [DE 8035]

SCP

o SCP2 copies to a MultiNet system on which the destination file already exists will inherit the file characteristics of the existing file. [DE 7999]

SSH

o SCP2, SFTP2, and the SFTP Server depend upon the definition of the logical SYS$LOCALTIME to adjust the timestamps on files to UTC. This logical is defined during system startup on VMS V7 systems and the system manager can add the definitions and appropriate files on earlier versions of VMS.

o The VMS recursive directory notation in SFTP ([...]) is not supported, as it cannot be translated into a UNIX equivalent.

o SFTP2 assumes that filenames that do not have a "." (period) in them are references to directory files for file operations unless the file attributes state that it is not a directory.

Stream

o Delete stopped working with sys$sndjcb after patch streamsymb-010_a044. [DE 8012]

SYSLOG

o Problems occurred when configuring SYSLOG.
[DE 7274]

TCPDUMP

o MultiNet tcpdump leaking bytelm in promiscuous mode. [DE 8731]

TN3270

o Mapping file does not work correctly with DPC. [DE 8449]

o DPC terminal window sizing problem. [DE 8451]

_______________________________________________________

3 Documentation Updates

This chapter contains a summary of changes to the documentation for MultiNet V5.0.

__________________________________________________________________

3.1 MultiNet V5.0

o Changed the MultiNet version number to read V5.0.

o Deleted references to MultiWare.

o Added a chapter about IP Security and setkey to the MultiNet Installation & Administrator's Guide (Chapter 31).

o New GATED commands are listed in the MultiNet Administrator's Reference Guide.

o Chapter 13 of the MultiNet Administrator's Guide has been updated to reflect the syntax changes in the GateD configuration file.

o Chapter 14 of the MultiNet Installation & Administrator's Guide has been replaced by the NTP (v4) documentation. The XNTP documentation has been moved to Appendix B.

o Information about SSH2 was added to the MultiNet Installation and Administrator's Guide and the MultiNet User's Guide.

o A chapter on secure file transfers, covering SCP and SFTP, has been added to the MultiNet User's Guide.

o Information about the SSH Public Key assistant, CERTENROLL, and the Certificate enrollment utility has been added to the MultiNet User's Guide.

__________________________________________________________________

3.2 Corrections to the MultiNet V5.0 documentation

o In the MultiNet Message book (MULTINET_MESSAGE.PDF) the description for the MultiNet logical MULTINET_FTP_MAXREC should be replaced with:

  MULTINET_FTP_MAXREC

  The FTP client and FTP server normally check the record size of an ASCII transfer and disallow transfers that exceed maximum record size.

  Note: The maximum record size supported by OpenVMS is 65535.
o The MultiNet V5.0 Installation and Administrator's Guide states that the documentation set including the release notes are available in Postscript format. That is incorrect. Only HTML and PDF format are available as part of the kit.