SSH for OpenVMS V2.1 Release Notes

July 2004

This document contains a list of new features and bug fixes that have been made since SSH for OpenVMS V2.0.

Revision/Update Information: This document supersedes the SSH for OpenVMS V2.0 Release Notes

Software Version: 2.1

Operating System and Version: OpenVMS VAX V6.2, 7.0, 7.1, 7.2, 7.3; OpenVMS Alpha V6.2, 7.0, 7.1, 7.2, 7.2-1, 7.2-2, 7.3, 7.3-1, 7.3-2

__________

Copyright (c)2004 Process Software, LLC. Unpublished - all rights reserved under the copyright laws of the United States

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means electronic, mechanical, magnetic, optical, or otherwise without the prior written permission of:

    Process Software, LLC
    959 Concord Street
    Framingham, MA 01701-4682 USA
    Voice: +1 508 879 6994; FAX: +1 508 879 0042
    info@process.com

Process Software, LLC ("Process") makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Process Software reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of Process Software to notify any person of such revision or changes.

Alpha AXP, AXP, MicroVAX, OpenVMS, VAX, VAX Notes, VMScluster, and VMS are registered trademarks of Hewlett-Packard Corporation.

Kerberos. Copyright (c) 1989, DES.C and PCBC_ENCRYPT.C Copyright (c) 1985, 1986, 1987, 1988 by Massachusetts Institute of Technology. Export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

MultiNet is a registered trademark of Process Software.

Secure Shell (SSH). Copyright (c) 2000. This License agreement, including the Exhibits (Agreement), effective as of the latter date of execution (Effective Date), is hereby made by and between Data Fellows, Inc., a California corporation, having principal offices at 675 N. First Street, 8th floor, San Jose, CA 95112170 (Data Fellows) and Process Software, LLC, having a place of business at 959 Concord Street, Framingham, MA 01701 (OEM).

TCPware is a registered trademark of Process Software.

UNIX is a trademark of UNIX System Laboratories, Inc.

All other trademarks, service marks, registered trademarks, or registered service marks mentioned in this document are the property of their respective holders.

Copyright (c)1997, 1998, 1999, 2000 Process Software Corporation. All rights reserved. Printed in USA.

Copyright (c)2000, 2001, 2002, 2003, 2004 Process Software, LLC. All rights reserved. Printed in USA.

If the examples of URLs, domain names, internet addresses, and web sites we use in this documentation reflect any that actually exist, it is not intentional and should not be considered an endorsement, approval, or recommendation of the actual site, or any products or services located at any such site by Process Software.
Any resemblance or duplication is strictly coincidental.

_______________________________________________________
Contents

CHAPTER 1  INTRODUCTION
    1.1  TYPOGRAPHICAL CONVENTIONS
    1.2  OBTAINING TECHNICAL SUPPORT
        1.2.1  Before Calling Technical Support
        1.2.2  Sending Electronic Mail
        1.2.3  Calling Technical Support
        1.2.4  Documentation in HTML Format
        1.2.5  Documentation in PDF Format
        1.2.6  Documentation Comments
    1.3  GETTING HELP
    1.4  RELEASE NOTES LOCATION
    1.5  OBTAINING ECO KITS

CHAPTER 2  SSH FOR OPENVMS FEATURES, KNOWN PROBLEMS AND FIXED PROBLEMS
    2.1  SSH FOR OPENVMS FEATURES
    2.2  KERBEROS V5 SUPPORT
    2.3  KNOWN PROBLEMS
        2.3.1  Secure Shell (SSH) Known Problems
        2.3.2  SFTP/SCP Known Problems
    2.4  CHANGES IN DEFAULT BEHAVIOR
    2.5  FIXED PROBLEMS

_______________________________________________________
1 Introduction

These Release Notes describe SSH for OpenVMS version 2.1.

This set of Release Notes describes conventions used in the SSH for OpenVMS documentation set and the various methods to contact and receive technical support.

__________________________________________________________________
1.1 Typographical Conventions

Examples in these Release Notes use the following conventions:

_______________________________________________________________
Convention          Example        Meaning
_______________________________________________________________
Angle brackets                     Represents a key on your
                                   keyboard.

Angle brackets                     Indicates that you hold down
with a slash                       the key labeled Control or
                                   Ctrl while simultaneously
                                   pressing another key; in this
                                   example, the "A" key.

Square brackets     [FULL]         Indicates optional choices;
                                   you can enter none of the
                                   choices, or as many as you
                                   like. When shown as part of
                                   an example, square brackets
                                   are actual characters you
                                   should type.

Underscore          file_name or   Between words in commands,
or hyphen           file-name      indicates the item is a
                                   single element.
_______________________________________________________________

__________________________________________________________________
1.2 Obtaining Technical Support

Process Software provides technical support if you have a current Maintenance Service Agreement. If you obtained SSH for OpenVMS from an authorized distributor or partner, you receive your technical support directly from them.

You can contact Technical Support by:

o Sending electronic mail

o Calling Technical Support

___________________________
1.2.1 Before Calling Technical Support

Before you call or send e-mail:

1. Verify that your Maintenance Service Agreement is current.

2. Have the following information available:

       Your name
       Your company name
       Your e-mail address
       Your voice and fax telephone numbers
       Your Maintenance Contract Number
       OpenVMS architecture
       OpenVMS version
       TCP/IP Services for OpenVMS version

3. Have complete information about your configuration, error messages that appeared, and problem specifics.

4. Be prepared to let Technical Support connect to your system, either with TELNET or by dialing in using a modem. Be prepared to give Technical Support access to a privileged account to diagnose your problem.

___________________________
1.2.2 Sending Electronic Mail

For many questions, electronic mail is the preferred communication method. Technical support via electronic mail is available to customers with a current support contract. Send electronic mail to support@process.com.

At the beginning of your mail message, include the information listed in the section "Before Contacting Technical Support." Continue with the description of your situation and problem specifics. Include all relevant information to help Technical Support process and track your electronic support request.

Electronic mail is generally responded to within two hours, during our normal business hours, Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

___________________________
1.2.3 Calling Technical Support

For regular support issues, call 800-394-8700 or 508-628-5074 for support Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

For our customers in North America with critical problems, an option for support 7 days per week, 24 hours per day is available at an additional charge. Please contact your Account Representative for further details.

Before calling, be sure to have the information available that is described in the section "Before Contacting Technical Support." When you call, you will be directly connected to Technical Support.

Be prepared to discuss problem specifics with Technical Support and to allow that person to connect to your system (if needed).

If our Support Specialists are assisting other customers and you are put on hold, please stay on the line. Most calls are answered in less than five minutes. If you cannot wait for a Specialist to take your call, please take advantage of our automatic call logging feature by sending mail to support@process.com.

___________________________
1.2.4 Documentation in HTML Format

The SSH for OpenVMS documentation has the following HTML files:

o frontmr.htm
o ssh_pre.htm
o httoc.htm
o ch1.htm
o ch2.htm
o ch3.htm
o ch4.htm
o ch5.htm
o ch6.htm
o ch7.htm
o ch8.htm
o AppA.htm
o htindex.htm
o ssh_rc.htm

Note: httoc.htm is the Table of Contents file and htindex is the Index file.

___________________________
1.2.5 Documentation in PDF Format

The SSH for OpenVMS documentation has the following PDF file:

o SSH_OPENVMS.PDF - Contains the SSH for OpenVMS Administration and User's Guide

___________________________
1.2.6 Documentation Comments

Your comments about the information in these Release Notes can help us improve the documentation. If you have corrections or suggestions for improvement, please let us know.

Be as specific as possible with your comments: include the exact title of the document, version, date, and page references as appropriate. You can send your comments by e-mail to:

    Process Software
    959 Concord Street
    Framingham, MA 01701-4682
    Attention: Marketing Manager

You can also fax your comments to us at 508-879-0042.

Your comments about our documentation are appreciated.

__________________________________________________________________
1.3 Getting Help

Contact your SSH for OpenVMS distributor or Process Software if you need assistance or have questions concerning the installation or configuration of SSH for OpenVMS. Process Software provides technical support if you have a current Maintenance Service Agreement [support@process.com; 800-394-8700 or 508-628-5074]. If you obtained SSH for OpenVMS from an authorized distributor or partner, you receive your technical support directly from them.

Timely notices, pointers to new SSH for OpenVMS images, and other product-related news of interest may also be found at the Process Software web site, www.process.com.

__________________________________________________________________
1.4 Release Notes Location

These release notes, in text format, are located on the SSH for OpenVMS V2.1 CD-ROM in the documentation directory tree. They can be obtained from the kit using the command:

    $ @SYS$UPDATE:VMSINSTAL MULTINET050 DEVICE:[DIRECTORY] OPTIONS N

__________________________________________________________________
1.5 Obtaining ECO Kits

ECOs may be obtained from the anonymous FTP account on ftp.multinet.process.com; use FTP to connect to the host ftp.multinet.process.com and log in as the user anonymous. Use your e-mail address as the login password. Using ftp.multinet.process.com, move to the ssh021 patches subdirectory:

    ftp> cd patches
    ftp> cd ssh021

_______________________________________________________
2 SSH for OpenVMS Features, Known Problems and Fixed Problems

This chapter includes information pertaining to new features, known problems, and V2.0 reported problems that have been fixed.

__________________________________________________________________
2.1 SSH for OpenVMS Features

This section describes the features provided in SSH for OpenVMS V2.1.

o SSHKEYGEN default behavior change: In SSH for OpenVMS V2.1 a new qualifier has been added to SSHKEYGEN. That qualifier is /[NO]WARN. This qualifier is used to warn the system administrator if an SSH2 host key already exists and asks if the file should be overwritten. Using /NOWARN will not announce the file's existence and will overwrite the file. The default behavior in SSH for OpenVMS V2.1 is to warn the system administrator and ask if the existing file should be replaced. SSHKEYGEN in earlier versions of SSH for OpenVMS would overwrite the existing SSH2 host key file.

o A public key server and assistant have been added to make it easier to manage keys for SSH public key authentication.
  In order to use the Public Key Assistant, the following lines need to be added at the end of the SSHD2_CONFIG file:

      subsystem-publickey@vandyke.com "publickey_server"
      subsystem-publickey "publickey_server"

o Login/logout events are now logged via the VMS audit server. The user will see a login record created by the SSH server, plus login and logout records for a detached session (the interactive login session).

__________________________________________________________________
2.2 Kerberos V5 Support

Single sign-on support via Kerberos V5 for both VAX and AXP is now supported with this release. In order to enable this feature, the HP OpenVMS Kerberos V5 kit must be installed. Kerberos V5 must be installed, configured, and started prior to starting SSH for OpenVMS.

When Kerberos V5 support is enabled, authentication may be done via Kerberos password, Kerberos credentials, forwardable TGT, and passing TGT to remote hosts for single sign-on support.

__________________________________________________________________
2.3 Known Problems

This section describes the known problems in SSH for OpenVMS version 2.1.

___________________________
2.3.1 Secure Shell (SSH) Known Problems

o Under some (very rare and as yet unknown) circumstances, SSHD2 server processes (SSHD nnnnn) may enter an infinite loop, consuming a lot of CPU resources.

o In some cases, FTP over SSH doesn't work properly. File transfers in FTP passive mode will work.

___________________________
2.3.2 SFTP/SCP Known Problems

o If OpenSSH SFTP is being used and the filename is being specified as part of starting SFTP (i.e., sftp user@host:file file), then the source (first) filename must not contain wildcards.

o When using case-sensitive filenames on ODS-5 disks (without SRI encoding) there are different results from OpenSSH SCP (which uses the RCP protocol) and SCP that uses the SSH File Transfer Protocol for binary and ASCII transfers. A workaround for this problem is:

      $ DEFINE/SYSTEM DECC$EFS_CASE_PRESERVE ENABLE

  so that the C RTL preserves the case of the filename as specified.

o SFTP2 may ACCVIO if a LS -R is done when set default to a logical name that is a search list.

o Files copied (with either SFTP2 or SCP2) in VMS mode to an ODS-5 disk from an ODS-2 disk will be created in lowercase. This is due to the SRI encoding being used on ODS-2 and not (by default) being used on ODS-5 and the default case for SRI encoding being lowercase.

o Attempts to rename directories with SFTP2 may fail due to protection problems.

o An error in opening a connection from SFTP2 will result in exiting to DCL.

o ASCII transfers of small files may sometimes display 0 Bytes transferred when done, even though the file has been successfully transferred.

o Using "rm" (remove) from SFTP2 on a directory may give a misleading error message.

o SFTP2 assumes that filenames that do not have a . (period) in them are references to directory files for file operations unless the file may cause some files to be created as .DIR.

o The VMS recursive directory notation ([...]) is not supported, as it cannot be translated to a UNIX equivalent.

o In some cases, FTP over SSH doesn't work properly.

o ls -R does not return all occurrences of the specified file if there is more than one.

o Using a wildcard for the version number does not match any files unless the logical MULTINET_SFTP_F_ALL_VERSIONS is defined to be "TRUE".

o ASCII mode does not always report transferred file sizes correctly with the PUT command.

__________________________________________________________________
2.4 Changes in Default Behavior

o The default value for MULTINET_SFTP_TRANSLATE_VMS_FILE_TYPES has changed from 0 to 7. This will cause transfer of text files that are initiated from non-VMS systems to be automatically translated into stream-LF format.

o The MULTINET_SFTP_USE_SRI_ENCODING_ON_ODS5 has a default value of FALSE. This can cause files copied to ODS5 disks to have slight differences in the name from previous versions.

o SSHKEYGEN default behavior change: In SSH for OpenVMS V2.1, a new qualifier has been added to SSHKEYGEN. That qualifier is /[NO]WARN. This qualifier is used to warn the system administrator if an SSH2 host key already exists and asks if the file should be overwritten. Using /NOWARN will not announce the file's existence and will overwrite the file. The default behavior in SSH for OpenVMS V2.1 is to warn the system administrator and ask if the existing file should be replaced. SSHKEYGEN in earlier versions of SSH for OpenVMS would overwrite the existing SSH2 host key file.

__________________________________________________________________
2.5 Fixed Problems

o If the argument to BannerMessageFile in the SSHD2_CONFIG file contains lowercase characters, it might not be displayed at login time. (DE 9458)

o If the SYSTEM account is disabled, the server will incorrectly report the desired user account is disabled. (DE 9239)

o If a user's [.SSH2] directory is in a search path, SSH lookups in that directory may fail. For example:

      $ sho log sys$manager
      "SYS$MANAGER" ="SYS$SYSROOT:[SYSMGR]" (LNM$SYSTEM_TABLE)
      $ sho log sys$sysroot
      "SYS$SYSROOT" ="RAPTOR$DRA0:[SYS0.]" (LNM$SYSTEM_TABLE)
      = "SYS$COMMON:"
      1 "SYS$COMMON" ="RAPTOR$DRA0:[SYS0.SYSCOMMON.]" (LNM$SYSTEM_TABLE)
      $ create/dir [.ssh2]

  (DE 9258)

o Captive accounts are incorrectly allowed to execute remote SSH commands.
  (DE 9260)

o ASCII (text) file creates are now done such that the version number is maximized. This will allow a specific version of a file to be transferred, and for it to always end up as the most recent version of the file. (DE 9386)

o Improved logical name handling to correct some problems with translating the logical name on the client rather than the server. (DE 9373)

o Improved identification methods for regular files/directories to fix some problems caused by errors.

o Put a limit (5) on the number of devices returned for the LSROOTS command. This limit can be adjusted via the logical MULTINET_SFTP_MAXIMUM_DEVICES. The number has been limited because of startup hangs, and because the information that causes them is of limited use. (DE 9289, DE 9335)

o Correct a problem with computing the file size that prevented files greater than 4GB from being copied. (DE 9162)

o Correct a parsing problem that resulted if a directory name started with a period ("."). (DE 9114)

o Correct some potential ACCVIOs due to lack of an error callback routine where one was expected. (DE 9104)

o A problem with the SFTP client that would cause it to not fully close the mailbox that is used to SSH and hence consume process resources when there are successive OPEN commands has been fixed. (DE 9097)

o Security Express for Windows by ByteFusion no longer has problems getting directories with our SFTP server.