SSH for OpenVMS V2.2 Release Notes

July 2005

This document contains a list of new features and bug fixes that have been made since SSH for OpenVMS V2.1.

Revision/Update Information:    This document supersedes the SSH for OpenVMS V2.0 Release Notes

Software Version:               2.2

Operating System and Version:   VAX VMS V5.5-2 and higher
                                OpenVMS VAX V6.2 and higher
                                OpenVMS Alpha V6.2 and higher
                                OpenVMS I64 V8.2

__________

Copyright (c)2005 Process Software, LLC. Unpublished - all rights reserved under the copyright laws of the United States

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means electronic, mechanical, magnetic, optical, or otherwise without the prior written permission of:

    Process Software, LLC
    959 Concord Street
    Framingham, MA 01701-4682 USA
    Voice: +1 508 879 6994; FAX: +1 508 879 0042
    info@process.com

Process Software, LLC ("Process") makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Process Software reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of Process Software to notify any person of such revision or changes.

Alpha AXP, AXP, MicroVAX, OpenVMS, VAX, VAX Notes, VMScluster, and VMS are registered trademarks of Hewlett-Packard Corporation.

Kerberos. Copyright (c) 1989, DES.C and PCBC_ENCRYPT.C Copyright (c) 1985, 1986, 1987, 1988 by Massachusetts Institute of Technology. Export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

MultiNet is a registered trademark of Process Software.

Secure Shell (SSH). Copyright (c) 2000. This License agreement, including the Exhibits (Agreement), effective as of the latter date of execution (Effective Date), is hereby made by and between Data Fellows, Inc., a California corporation, having principal offices at 675 N. First Street, 8th floor, San Jose, CA 95112170 (Data Fellows) and Process Software, LLC, having a place of business at 959 Concord Street, Framingham, MA 01701 (OEM).

TCPware is a registered trademark of Process Software.

UNIX is a trademark of UNIX System Laboratories, Inc.

All other trademarks, service marks, registered trademarks, or registered service marks mentioned in this document are the property of their respective holders.

Copyright (c)1997, 1998, 1999, 2000 Process Software Corporation. All rights reserved. Printed in USA.

Copyright (c)2000, 2001, 2002, 2003, 2004 Process Software, LLC. All rights reserved. Printed in USA.

If the examples of URLs, domain names, internet addresses, and web sites we use in this documentation reflect any that actually exist, it is not intentional and should not be considered an endorsement, approval, or recommendation of the actual site, or any products or services located at any such site by Process Software.
Any resemblance or duplication is strictly coincidental.

_______________________________________________________
Contents

_______________________________________________________
CHAPTER 1   INTRODUCTION

    1.1     TYPOGRAPHICAL CONVENTIONS
    1.2     OBTAINING TECHNICAL SUPPORT
    1.2.1     Before Calling Technical Support
    1.2.2     Sending Electronic Mail
    1.2.3     Calling Technical Support
    1.2.4     Documentation in HTML Format
    1.2.5     Documentation in PDF Format
    1.2.6     Documentation Comments
    1.3     GETTING HELP
    1.4     RELEASE NOTES LOCATION
    1.5     OBTAINING ECO KITS
    1.6     SSH for OpenVMS Installation Notes

_______________________________________________________
CHAPTER 2   SSH FOR OpenVMS FEATURES, KNOWN PROBLEMS AND FIXED PROBLEMS

    2.1     SSH for OpenVMS V2.2 New Features
    2.2     KERBEROS V5 SUPPORT
    2.3     Enhancements
    2.4     FIXED PROBLEMS

_______________________________________________________
1 Introduction

These Release Notes describe SSH for OpenVMS version 2.2.

This set of Release Notes describes conventions used in the SSH for OpenVMS documentation set and the various methods to contact and receive technical support.

__________________________________________________________________
1.1 Typographical Conventions

Examples in these Release Notes use the following conventions:

_______________________________________________________________________
Convention         Example        Meaning
_______________________________________________________________________
Angle brackets                    Represents a key on your keyboard.

Angle brackets                    Indicates that you hold down the key
with a slash                      labeled Control or Ctrl while
                                  simultaneously pressing another key;
                                  in this example, the "A" key.

Square brackets    [FULL]         Indicates optional choices; you can
                                  enter none of the choices, or as many
                                  as you like. When shown as part of an
                                  example, square brackets are actual
                                  characters you should type.

Underscore or      file_name or   Between words in commands, indicates
hyphen             file-name      the item is a single element.
_______________________________________________________________________

__________________________________________________________________
1.2 Obtaining Technical Support

Process Software provides technical support if you have a current Maintenance Service Agreement. If you obtained SSH for OpenVMS from an authorized distributor or partner, you receive your technical support directly from them.

You can contact Technical Support by:

o Sending electronic mail
o Calling Technical Support

___________________________
1.2.1 Before Calling Technical Support

Before you call or send e-mail:

1. Verify that your Maintenance Service Agreement is current.

2. Have the following information available:

      Your name
      Your company name
      Your e-mail address
      Your voice and fax telephone numbers
      Your Maintenance Contract Number
      OpenVMS architecture
      OpenVMS version
      TCP/IP Services for OpenVMS version

3. Have complete information about your configuration, error messages that appeared, and problem specifics.

4. Be prepared to let Technical Support connect to your system, either with TELNET or by dialing in using a modem. Be prepared to give Technical Support access to a privileged account to diagnose your problem.

___________________________
1.2.2 Sending Electronic Mail

For many questions, electronic mail is the preferred communication method. Technical support via electronic mail is available to customers with a current support contract. Send electronic mail to support@process.com.

At the beginning of your mail message, include the information listed in the section "Before Contacting Technical Support." Continue with the description of your situation and problem specifics.
Include all relevant information to help Technical Support process and track your electronic support request.

Electronic mail is generally responded to within two hours, during our normal business hours, Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

___________________________
1.2.3 Calling Technical Support

For regular support issues, call 800-394-8700 or 508-628-5074 for support Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

For our customers in North America with critical problems, an option for support 7 days per week, 24 hours per day is available at an additional charge. Please contact your Account Representative for further details.

Before calling, be sure to have the information available that is described in the section "Before Contacting Technical Support." When you call, you will be directly connected to Technical Support.

Be prepared to discuss problem specifics with Technical Support and to allow that person to connect to your system (if needed).

If our Support Specialists are assisting other customers and you are put on hold, please stay on the line. Most calls are answered in less than five minutes. If you cannot wait for a Specialist to take your call, please take advantage of our automatic call logging feature by sending mail to support@process.com.

___________________________
1.2.4 Documentation in HTML Format

The SSH for OpenVMS documentation has the following HTML files:

o pref.htm
o httoc.htm
o ch01.htm
o ch02.htm
o ch03.htm
o ch04.htm
o ch05.htm
o ch06.htm
o ch07.htm
o ch08.htm
o AppA.htm
o htindex.htm

Note: httoc.htm is the Table of Contents file and htindex is the Index file.

___________________________
1.2.5 Documentation in PDF Format

The SSH for OpenVMS documentation has the following PDF file:

o SSH_OPENVMS.PDF - Contains the SSH for OpenVMS Administration and User's Guide

___________________________
1.2.6 Documentation Comments

Your comments about the information in these Release Notes can help us improve the documentation. If you have corrections or suggestions for improvement, please let us know.

Be as specific as possible with your comments: include the exact title of the document, version, date, and page references as appropriate. You can send your comments by e-mail to:

    Process Software
    959 Concord Street
    Framingham, MA 01701-4682
    Attention: Marketing Manager

You can also fax your comments to us at 508-879-0042.

Your comments about our documentation are appreciated.

__________________________________________________________________
1.3 Getting Help

Contact your SSH for OpenVMS distributor or Process Software if you need assistance or have questions concerning the installation or configuration of SSH for OpenVMS. Process Software provides technical support if you have a current Maintenance Service Agreement [support@process.com; 800-394-8700 or 508-628-5074]. If you obtained SSH for OpenVMS from an authorized distributor or partner, you receive your technical support directly from them.

Timely notices, pointers to new SSH for OpenVMS images, and other product-related news of interest may also be found at the Process Software web site, www.process.com.

__________________________________________________________________
1.4 Release Notes Location

These release notes, in text format, are located on the SSH for OpenVMS V2.2 CD-ROM in the documentation directory tree.
They can be obtained from the kit using the command:

    $ @SYS$UPDATE:VMSINSTAL MULTINET051 DEVICE:[DIRECTORY] OPTIONS N

__________________________________________________________________
1.5 Obtaining ECO Kits

ECOs may be obtained from the anonymous FTP account on ftp.multinet.process.com; use FTP to connect to the host ftp.multinet.process.com and login as the user anonymous. Use your e-mail address as the login password.

Using ftp.multinet.process.com, move to the ssh022 patches subdirectory:

    ftp> cd patches
    ftp> cd ssh022

__________________________________________________________________
1.6 SSH for OpenVMS Installation Notes

SSH for OpenVMS is provided on two CDs, one that contains the installation savesets for VAX and AXP, and one that contains the installation savesets for I64. The appropriate CD must be used when performing the installation. The savesets for all platforms are found in the [MULTINET051] directory on their respective CDs. The savesets are:

    [MULTINET051]MULTINET051.*       for VAX and AXP
    [MULTINET051]MULTINET_I64051.*   for I64

_______________________________________________________
2 SSH for OpenVMS Features and Fixed Problems

This chapter includes information pertaining to new features, known problems, and V2.0 reported problems that have been fixed.

__________________________________________________________________
2.1 SSH for OpenVMS V2.2 New Features

o SSH has been upgraded to code level 3.2.9.
o The cryptographic library used is compiled from unaltered source code from F-Secure which is FIPS 140-2 level 2 compliant, as determined by the Computer Security Division of the National Institute of Science and Technology (NIST).
o The CERTVIEW utility has been provided, to allow viewing and validation of certificate contents.
o OpenSSH-format keys may now be converted to SSH2 format using SSHKEYGEN.
o SFTP2 now has the CHMOD and LCHMOD commands for changing the protection of files.
o The SSH2 server now supports the UAI$M_PWDMIX flag. [DE 10020]

__________________________________________________________________
2.2 Kerberos V5 Support

Single sign-on support via Kerberos V5 for VAX, AXP and I64 is supported with this release.

In order to enable this feature, the HP OpenVMS Kerberos V2 kit must be installed. Kerberos V5 must be installed, configured, and started prior to starting SSH for OpenVMS.

When Kerberos V5 support is enabled, authentication may be done via Kerberos password, Kerberos credentials, forwardable TGT, and passing TGT to remote hosts for single sign-on support.

__________________________________________________________________
2.3 Enhancements

SSH Server

o The SSHD_MASTER.LOG file now includes a date stamp as well as a time stamp for messages. [DE 9953]
o The location of the SSH server log files may now be set by defining the logical MULTINET_SSH_LOG_FILE to the default filespec desired. Any part of the filespec may be defined (e.g., the complete filespec, the device/directory only, the filename, the file type). [DE 9884]

File Transfer

o The logical MULTINET_SFTP_FILE_ESTIMATE_THRESHOLD can be used to set the minimum size (in blocks) for a text file to report an estimated size. When a file is smaller than the specified value the file will be read to determine the exact size that would result in a transfer. Files larger than the specified value will continue to get an estimated size. [DE 9889]
o GET and PUT (and MGET and MPUT) now support -p or --preserve-attributes as an option as the first parameter for the command. This option will cause SFTP to attempt to preserve timestamps and access rights when transferring a file. [DE 9888]
o Setting the logical MULTINET_SFTP_VMS_ALL_VERSIONS to TRUE will now return all versions of files whether or not the SFTP server is communicating with our SFTP client. [DE 9830]
o The logical MULTINET_SFTP_ODS2_SRI_ENCODING can be defined to FALSE, NO or 0 (zero) to disable SRI encoding of files with uppercase letters and special characters on ODS 2 disks. [DE 9829]

__________________________________________________________________
2.4 Fixed Problems

SSH Server

o Corrected a problem where an account marked /NOPASSWORD would be treated as if it had a password. [DE 10042]
o After a MYDOOM attack, the SSH server process could become compute-bound. [DE 9607]
o If Kerberos 5 is installed but not configured on a system, the SSH1 and SSH2 server processes will ACCVIO. [DE 9519, DE 9872]
o For the SSH server, the JPI$M_PWDEXPIRED flag isn't set for expired passwords if the user is authenticated by some method other than PASSWORD. [DE 9991]
o The SSHD MASTER process may not terminate with "FATAL - No TCP/IP stack running, exiting" [DE 9778]
o The CERTKEY keyword in the identification file is not handled properly. [DE 9807]

SSH Utilities

o Mixed-case passphrases aren't allowed in SSHKEYGEN. [DE 983]

File Transfer

o Corrected a problem with recursive copies and filenames that are SRI encoded. [DE 9969]
o Corrected problems with SCP from Unix to VMS with wildcards. [DE 9579]
o Corrected problems using SCP to copy a directory after installing SSH-062_A044. [DE 9690]
o SCP2 now saves the file attributes when doing

    $ SCP2 /VMS /DIRECTORY node::device:[dir]*.LIS_* -
      device:[dir]

  [DE 9596]
o Corrected issues with SFTP ASCII transfers. [DE 9978]
o Corrected issues with some clients adding extra "./" in directory specifications. [DE 9933]
o Corrected problems where the SFTP client ACCVIOs if a file version is specified and that version already exists. [DE 9386]
o The logical MULTINET_SFTP_VMS_ALL_VERSIONS is no longer restricted to VMS mode. [DE 9830]
o The logical MULTINET_SFTP_DEFAULT_TYPE_REGULAR can be defined to TRUE, YES or 1 to cause file operations to use a default type of REGULAR instead of UNKNOWN. This can prevent problems with .DIR getting put on files that do not have a dot in the name. [DE 10012]