SSH for OpenVMS V2.3 Release Notes

April 2007

This document contains a list of new features and bug fixes that have been made since SSH for OpenVMS V2.2.

Revision/Update Information: This document supersedes the SSH for OpenVMS V2.2 Release Notes

Unpublished - all rights reserved under the copyright laws of the United States

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means electronic, mechanical, magnetic, optical, or otherwise without the prior written permission of:

   Process Software, LLC
   959 Concord Street
   Framingham, MA 01701-4682 USA
   Voice: +1 508 879 6994; FAX: +1 508 879 0042
   info@process.com

Process Software, LLC ("Process") makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Process Software reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of Process Software to notify any person of such revision or changes.

o  Alpha AXP, AXP, MicroVAX, OpenVMS, VAX, VAX Notes, VMScluster, and VMS are registered trademarks of Hewlett-Packard Corporation.

o  Kerberos. Copyright © 1989, DES.C and PCBC_ENCRYPT.C Copyright © 1985, 1986, 1987, 1988 by Massachusetts Institute of Technology.

   Export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

   WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

o  MultiNet is a registered trademark of Process Software.

o  Secure Shell (SSH). Copyright © 2000. This License agreement, including the Exhibits (Agreement), effective as of the latter date of execution (Effective Date), is hereby made by and between Data Fellows, Inc., a California corporation, having principal offices at 675 N. First Street, 8th floor, San Jose, CA 95112170 (Data Fellows) and Process Software, LLC, having a place of business at 959 Concord Street, Framingham, MA 01701 (OEM).

o  TCPware is a registered trademark of Process Software.

o  UNIX is a trademark of UNIX System Laboratories, Inc.

o  All other trademarks, service marks, registered trademarks, or registered service marks mentioned in this document are the property of their respective holders.

o  Copyright ©1997, 1998, 1999, 2000 Process Software Corporation. All rights reserved. Printed in USA.

o  Copyright ©2000, 2001, 2002, 2004, 2007 Process Software, LLC. All rights reserved. Printed in USA.

o  If the examples of URLs, domain names, internet addresses, and web sites we use in this documentation reflect any that actually exist, it is not intentional and should not be considered an endorsement, approval, or recommendation of the actual site, or any products or services located at any such site by Process Software. Any resemblance or duplication is strictly coincidental.

Contents

CHAPTER 1  INTRODUCTION
   1.1   TYPOGRAPHICAL CONVENTIONS
   1.2   OBTAINING TECHNICAL SUPPORT
         1.2.1   Before Contacting Technical Support
         1.2.2   Sending Electronic Mail
         1.2.3   Calling Technical Support
         1.2.4   Contacting Technical Support by Fax
   1.3   OBTAINING ONLINE HELP
   1.4   ACCESSING THE SSH FOR OPENVMS PUBLIC MAILING LIST
   1.5   PROCESS SOFTWARE WORLD WIDE WEB SERVER
   1.6   OBTAINING SOFTWARE PATCHES OVER THE INTERNET
   1.7   DOCUMENTATION COMMENTS
   1.8   CD-ROM CONTENTS
         1.8.1   Online Documentation
                 1.8.1.1   PDF Format
                 1.8.1.2   Using Acrobat Reader
   1.9   NOTE CONCERNING KERBEROS V5
   1.10  NOTE CONCERNING VAX V5.5-2
   1.11  NOTE: CONCERNING SSH SESSIONS

CHAPTER 2  CHANGES AND ENHANCEMENTS
   2.1   SSH FOR OPENVMS V2.3 INSTALLATION NOTE
   2.2   SSH UPDATES
   2.3   FIXED PROBLEMS
         2.3.1   SFTP/SCP2
         2.3.2   SSH

CHAPTER 3  DOCUMENTATION UPDATES
   3.1   SSH FOR OPENVMS V2.3
   3.2   CORRECTIONS TO THE SSH FOR OPENVMS V2.3 DOCUMENTATION

CHAPTER 4  KNOWN BUGS/ISSUES

TABLES
   1-1   Typographical Conventions
   1-2   System Information


1  Introduction

These Release Notes describe the changes and enhancements made to the SSH for OpenVMS product in version 2.3. This chapter describes conventions used in the SSH for OpenVMS documentation set and the various methods to contact and receive technical support.

o  For information about product changes and enhancements in the SSH for OpenVMS V2.3 Consolidated Distribution, refer to Chapter 2 of these Release Notes.

o  For information about changes to the documentation set, refer to Chapter 3 of these Release Notes.

1.1  Typographical Conventions

Examples in these Release Notes use the following conventions:

Table 1-1  Typographical Conventions

Convention          Example        Meaning
_________________   ____________   __________________________________________
Angle brackets                     Represents a key on your keyboard.

Angle brackets                     Indicates that you hold down the key
with a slash                       labeled or while simultaneously pressing
                                   another key; in this example, the A key.

Square brackets     [FULL]         Indicates optional choices; you can enter
                                   none of the choices, or as many as you
                                   like. When shown as part of an example,
                                   square brackets are actual characters you
                                   should type.

Underscore or       file_name or   Between words in commands, indicates the
hyphen              file-name      item is a single element.

1.2  Obtaining Technical Support

Process Software provides technical support if you have a current Maintenance Service Agreement. If you obtained SSH for OpenVMS from an authorized distributor or partner, you receive your technical support directly from them.

You can contact Technical Support by:

o  Sending electronic mail (Section 1.2.2)

o  Calling Technical Support (Section 1.2.3)

o  Faxing a description of your problem to the Technical Support Group (Section 1.2.4)

1.2.1  Before Contacting Technical Support

Before you call, or send email or a fax:

1  Verify that your Maintenance Service Agreement is current.

2  Read the online Release Notes completely.

3  Have the following information available:

   o  Your name
   o  Your company name
   o  Your email address
   o  Your voice and fax telephone numbers
   o  Your Maintenance Contract Number
   o  OpenVMS architecture
   o  OpenVMS version
   o  SSH for OpenVMS layered products and versions

4  Have complete information about your configuration, error messages that appeared, and problem specifics.

5  Be prepared to let a development engineer connect to your system, either with TELNET or by dialing in using a modem. Be prepared to give the engineer access to a privileged account to diagnose your problem.

You can obtain information about your OpenVMS architecture, OpenVMS version, SSH for OpenVMS version, and layered products with the SSH for OpenVMS SSHCTRL VERSION command and some VMS DCL commands.
Execute the following commands on a fully loaded system and email the output to support@process.com:

   $ sshctrl version
   SSHCTRL-S-SSHCTRLVERS, This is SSHCTRL V2.3
   $ show system/noprocess
   OpenVMS V7.3 on node BEANS 16-APR-2007 13:49:19.16 Uptime 0 03:08:21
   $ write sys$output f$getsyi("arch_name")
   VAX
   $

In this example:

o  The machine or system architecture is VAX.

o  The OpenVMS version is V7.3.

o  The SSH for OpenVMS version is V2.3.

Use the following table as a template to record the relevant information about your system:

Table 1-2  System Information

Required Information                    Your System Information
_____________________________________   _______________________
Your name
Company name
Your email address
Your voice and fax telephone numbers
System architecture                     VAX or Alpha
OpenVMS version
SSH for OpenVMS version

Please provide information about installed SSH for OpenVMS applications and patch kits, by sending a copy of MULTINET:SSH_VERSION.; file.

1.2.2  Sending Electronic Mail

For many questions, electronic mail is the preferred communication method. Technical Support via electronic mail is available to customers with a current support contract. Send electronic mail to support@process.com.

At the beginning of your mail message, include the information listed in Section 1.2.1. Continue with the description of your situation and problem specifics. Include all relevant information to help your Technical Support Specialist process and track your electronic support request.

Electronic mail is answered within the desired goal of two hours, during our normal business hours, Monday through Friday from 8:30 a.m. to 5:00 p.m., United States Eastern Time.

1.2.3  Calling Technical Support

For regular support issues, call 800-394-8700 or 508-628-5074 for support Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

For our customers in North America with critical problems, an option for support 7 days per week, 24 hours per day is available at an additional charge. Please contact your Account Representative for further details.

Before calling, have available the information described in Section 1.2.1. When you call, you will be connected to a Technical Support Specialist.

Be prepared to discuss problem specifics with your Technical Support Specialist and to let that person connect to your system.

If our Support Specialists are assisting other customers and you are put on hold, please stay on the line. Most calls are answered in less than five minutes. If you cannot wait for a Specialist to take your call, please take advantage of our automatic call logging feature by sending email to support@process.com (see the Section on Sending Electronic Mail).

1.2.4  Contacting Technical Support by Fax

You can send transmissions directly to Technical Support at 508-879-0042.

Before faxing comments or questions, complete the steps in Section 1.2.1 and include all your system information at the beginning of your fax message. Continue with the description of your situation and problem specifics. Include all relevant information to help your Technical Support Specialist process and track your fax support request.

Faxed questions are answered Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

1.3  Obtaining Online Help

Extensive information about SSH for OpenVMS is provided in the SSH for OpenVMS help library.
For more information, enter the following command:

   $ HELP SSH

1.4  Accessing the SSH for OpenVMS Public Mailing List

Process Software maintains two public mailing lists for SSH for OpenVMS customers:

o  Info-SSH@process.com

o  SSH-Announce@process.com

The Info-SSH@process.com mailing list is a forum for discussion among SSH for OpenVMS system managers and programmers. Questions and problems regarding SSH for OpenVMS can be posted for a response by any of the subscribers. To subscribe to Info-SSH, send a mail message with the word SUBSCRIBE in the body to Info-SSH-request@process.com.

You can retrieve the Info-SSH archives by anonymous FTP to ftp.multinet.process.com. The archives are located in the directory [MAIL_ARCHIVES.INFO-SSH].

The SSH-Announce@process.com mailing list is a one-way communication (from Process Software to you) used to post announcements relating to SSH for OpenVMS (patch releases, product releases, etc.). To subscribe to SSH-Announce, send a mail message with the word SUBSCRIBE in the body to SSH-Announce-request@process.com.

1.5  Process Software World Wide Web Server

Electronic support is provided through the Process Software web site which you can access with any World Wide Web browser; the URL is http://www.process.com (select SSH for OpenVMS) or use the URL http://www.process.com/techsupport/ssh.html

1.6  Obtaining Software Patches over the Internet

Process Software provides software patches in save set and ZIP format on its anonymous FTP server, ftp.multinet.process.com. For the location of software patches, read the .WELCOME file in the top-level anonymous directory. This file refers you to the directories containing software patches.
Enter the following at the FTP prompt:

   FTP.MULTINET.PROCESS.COM>CD [.PATCHES.SSHxxx]
   FTP.MULTINET.PROCESS.COM>GET update_filename

In these commands:

o  emailaddress is your email address in the standard user@host format

o  xxx is the version of SSH for OpenVMS you want to transfer

o  update_filename is the name of the file you want to transfer

To transfer files from Process Software directly to an OpenVMS system, you can use the GET command without any other FTP commands. However, if you need to transfer a software patch through an intermediate non-OpenVMS system, use BINARY mode to transfer the files to and from that system.

In addition, if you are retrieving the software patch in save set format, make sure the save set record size is 2048 bytes when you transfer the file from the intermediate system to your OpenVMS system.

o  If you use the GET command to download the file size from the intermediate system, use the FTP RECORD-SIZE 2048 command before transferring the file.

o  If you use the PUT command to upload the file to your OpenVMS system, log into the intermediate system and use the FTP quote site rms recsize 2048 command before transferring the file.

Process Software also supplies UNZIP utilities for OpenVMS VAX and Alpha for decompressing ZIP archives in the [PATCHES] directory. To use ZIP format kits, you need a copy of the UNZIP utility.

The following example shows how to use the UNZIP utility, assuming you have copied the appropriate version of UNZIP.EXE to your current default directory:

   $ UNZIP := $SYS$DISK:[]UNZIP.EXE
   $ UNZIP filename.ZIP

Use VMSINSTAL to upgrade your SSH for OpenVMS system with the software patch.

1.7  Documentation Comments

Your comments about the information in these Release Notes can help us improve the documentation. If you have corrections or suggestions for improvement, please let us know.
Be as specific as possible about your comments: include the exact title of the document, version, date, and page references as appropriate. You can send your comments by email to techpubs@process.com or mail them to:

   Process Software
   959 Concord Street
   Framingham, MA 01701-4682
   Attention: Marketing Director

You can also fax your comments to us at 508-879-0042.

Your comments about our documentation are appreciated.

1.8  CD-ROM Contents

The directory structure on the CD is as follows:

   [MULTINET052]       SSH for OpenVMS for VAX and Alpha systems
   [MULTINET_I64052]   SSH for OpenVMS Kit for Integrity Systems
   [Documentation]     PDF format (.pdf) Release Notes
   [BIND9-DOC]
   [VAX55-DECC-RTL]

1.8.1  Online Documentation

The SSH for OpenVMS documentation set is available on the product CD in PDF format. The Release Notes are available on the product CD in text format.

1.8.1.1  PDF Format

The SSH for OpenVMS documentation consists of the following PDF file:

o  SSH_OPENVMS.PDF (Administration and User's Guide)

The PDF format is readable from a PC, a VAX, or an Alpha system.

o  Use Adobe Acrobat to read the PDF files from a PC. Your PC must have 386 architecture or later to use Adobe Acrobat Reader. You can get Acrobat Reader free from Adobe Systems' Website: www.adobe.com.

PCs running the Windows or NT operating system cannot read Process Software's CD. You cannot load files from the SSH for OpenVMS CD directly to a PC. Load them to your VAX or Alpha machine, then transfer them to your PC. We suggest using FTP to transfer these files. The following is an example using MS-DOS:

   C:> ftp node
   ftp> binary
   ftp> mget cd:*.pdf

1.8.1.2  Using Acrobat Reader

To read the PDF files using Acrobat Reader:

1  Double click Acrobat Exchange.

2  Choose Open from the File menu.
3  Select the .pdf file you want to open.

4  Use the menu bar at the top of the screen to navigate the document, or click a Table of Contents entry (on the left) to go directly to that information.

Note: The binocular icon opens search functions. The magnifying glass icon enlarges the text and illustrations.

1.9  Note Concerning Kerberos V5

SSH for OpenVMS supports Kerberos V5. Kerberos V5 requires Kerberos for HP OpenVMS. VMS V8 systems are distributed with Kerberos V5, and pre-V8 systems (OpenVMS VAX V7.3 and OpenVMS AXP v7.2-3, 7.3-*) can download Kerberos V5 from the HP website. The Kerberos V5 applications can also run with any Kerberos V5 compliant Key Distribution Center (KDC) software.

1.10  Note Concerning VAX V5.5-2

You must install the DEC C 6.0 backport library on all OpenVMS VAX v5.5-2 systems prior to using SSH. This is the AACRT060.A file. You can find the ECO on the SSH for OpenVMS CD in the following directory: VAX55_DECC_RTL.DIR.

1.11  Note: Concerning SSH Sessions

For each active SSH session two (2) channels are used. Please adjust the CHANNELCNT parameter to account for this usage.


2  Changes and Enhancements

This chapter describes the changes and enhancements made for SSH for OpenVMS V2.3.

2.1  SSH for OpenVMS V2.3 Installation Note

SSH for OpenVMS V2.3 installations may only be performed from a random-access device (e.g., disk or CD-ROM). If the SSH for OpenVMS V2.3 installation is attempted from a sequential-access device (e.g., magtape or TKxx cartridge), the installation will fail.
If the distribution savesets have been copied to a sequential-access device (for transporting them, for example), they must be copied to a disk for installation.

2.2  SSH Updates

SSH has been updated to the latest release from WRQ. This update includes:

o  A new tool, SSH-CERTTOOL, can be used to generate PKCS#10 and PKCS#12 requests, and to view PKCS#10 and PKCS#12 packages.

o  The SSH-CERTENROLL2 tool has been renamed to SSH-CMPCLIENT.

o  The address (IPv4 or IPv6) on which to listen may now be specified as an SSH parameter in CONFIGURE/SERVER.

o  The SSH client may now specify using either IPv4 or IPv6 to make connections.

2.3  Fixed Problems

2.3.1  SFTP/SCP2

o  Problems with the SFTP CD command have been corrected. [10381]

o  SFTP errors in opening text files for write have been corrected. [10365]

o  Corrected an error with SCP2 not using the specified target file name. [10358]

o  /NOPROGRESS no longer removes the file transfer completion status line. The progress line is not displayed during the transfer, but a status line is displayed upon completion of the transfer. [DE 10354]

o  If the logical MULTINET_SFTP_STAT_DESTINATION_FILE is defined to be FALSE, NO or 0 (zero) then the SFTP client will not attempt to do a STAT operation to check for the presence of the destination file before opening the destination file for write. The assumption is that the destination file does not exist. If the logical MULTINET_SFTP_STAT_DESTINATION_DIRECTORY is defined to be FALSE, NO or 0 (zero) then the SFTP client will not attempt to do a STAT operation on the destination directory before opening the destination file for write. The assumption is that the destination directory exists. These two logicals should be defined to FALSE in order to have the SFTP client work with Sterling Commerce's Connect:Enterprise product. [10276]

o  Restored /ASCII=VMS to SCP2, omitted for V5.1. [10259]

o  Fixed an ACCVIO that can occur when exiting SFTP2 from a command file. [10251]

o  Modified the SFTP server to allow MULTINET_SFTP_VMS_ALL_VERSIONS to be used no matter what the remote (client) side is. Note that when a file is copied from the VMS system to the client, the filename will contain the version number. [10238]

o  Corrected an ACCVIO when processing errors from SFTP protocol version 2. [10234]

o  If the logical MULTINET_SFTP_DIRECTORY_WITH_CREATION_DATE is defined to True, Yes or 1, then the creation date is displayed in the output for DIRECTORY when operating in VMS mode instead of the modification date. Note that the times are still adjusted by the local offset from UTC. [10179]

o  FTRUNCATE is no longer done on files that SFTP has opened in text transfer mode. [10172]

o  Corrected errors in parsing filenames for the SFTP rename and lrename commands. [10147]

o  Corrected errors in the SRI decoding algorithm in SFTP. [10133]

o  Improved SFTP file size estimation routines to include newline length. [10106]

o  Added support of FTRUNCATE operation to the SFTP code. [10102]

o  Corrected an error that would lead to SFTP access violations in batch mode. [10092]

o  Fixed a problem which would cause some files to be truncated when transferred with SFTP. [10090]

o  Corrected problems with using SCP/SFTP to transfer files > 5GB. [9866]

o  Access controls and operation logging have been added to the SFTP server. The logical MULTINET_SFTP_{username}_CONTROL can be defined /SYSTEM to any combination of NOLIST, NOREAD, NOWRITE, NODELETE, NORENAME, NOMKDIR, NORMDIR, to restrict operations. NOWRITE will disable PUT, DELETE, RENAME, MKDIR, RMDIR; NOREAD will disable GET and LIST. The restriction keywords must be spelt out in full, but punctuation does not matter. The logical MULTINET_SFTP_{username}_ROOT can be defined /SYSTEM to restrict the user to the directory path specified. (Subdirectories below the specified directory are allowed.) The logical SSH_SFTP_LOG_SEVERITY can be defined /SYSTEM to 20000 to log file transfers or 30000 to log all SFTP operations. The logical SSH2_SFTP_LOG_FACILITY must also be defined /SYSTEM to specify the logging class that is used with OPCOM. Values below 5 will use the network class; 5 will use OPER1, 6 will use OPER2, etc. The maximum value that can be specified is 12, which will use OPER8. [9988]

2.3.2  SSH

o  Corrected some problems with SSH handling pre-expired passwords. [10330]

o  The logicals sys$rem_node and sys$rem_node_fullname are now properly defined. [10327]

o  Increased the length of DNS names that SSH can handle. [10262]

o  Addresses an ACCVIO which occurred in those cases where the password being verified was not initialized properly. [10182]

o  When the HP Kerberos V2.1-72 kit is installed on AXP systems, SSH and ktelnet stopped working, and the various Kerberos components (e.g., kadmin) would encounter SYSTEM-F-SHRIDMISMAT errors regarding the TCPIP$IPC_SHR (UCX$IPC_SHR) image. [10099]

o  SSHKEYGEN/nowarn improperly returned an error message. This has been fixed. [10073]

o  The CLD causing conflicting SSH utility qualifiers messages has been fixed. [10071]

o  SSH now creates intrusion records on login failures. [9972]

o  Failed SSH login attempts now record auditing data. [9842]

o  A problem where SSH could consume large quantities of CPU time has been fixed. [9020]

o  SSHKEYGEN can now convert keys from OpenSSH format to the RFC format that we use. [8479]

o  A problem interacting with the SSH2 server on Cisco routers has been corrected.
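
The SFTP server access-control and logging logicals introduced under item [9988] in Section 2.3.1 could be set as shown below. This is an added example, not taken from the Process Software documentation; the account name PARTNER1, the directory DKA100:[SFTP.PARTNER1] and the comma-separated quoting of the keyword list are assumptions.

```dcl
$! Added example (not from the product documentation).
$! Assumptions: account PARTNER1 and directory DKA100:[SFTP.PARTNER1] are
$! hypothetical; the keyword list is written comma-separated because the
$! release note states that punctuation does not matter.
$!
$! DEFINE/SYSTEM requires the SYSNAM privilege.
$!
$! 1. Read-only partner account: may list and download, nothing else.
$!    Per the release note, NOWRITE alone disables PUT, DELETE, RENAME,
$!    MKDIR and RMDIR; the other keywords are spelt out in full so the
$!    intent is visible in SHOW LOGICAL output.
$ DEFINE/SYSTEM MULTINET_SFTP_PARTNER1_CONTROL -
        "NOWRITE,NODELETE,NORENAME,NOMKDIR,NORMDIR"
$!
$! 2. Confine the account to one directory tree (subdirectories below it
$!    remain reachable).
$ DEFINE/SYSTEM MULTINET_SFTP_PARTNER1_ROOT "DKA100:[SFTP.PARTNER1]"
$!
$! 3. Log all SFTP operations (30000); 20000 would log file transfers only.
$ DEFINE/SYSTEM SSH_SFTP_LOG_SEVERITY 30000
$!
$! 4. Send the log messages to OPCOM class OPER1 (value 5).
$ DEFINE/SYSTEM SSH2_SFTP_LOG_FACILITY 5
$!
$! 5. Confirm the definitions, then enable OPER1 messages on this terminal
$!    (REPLY/ENABLE requires the OPER privilege).
$ SHOW LOGICAL/SYSTEM MULTINET_SFTP_PARTNER1_*
$ SHOW LOGICAL/SYSTEM SSH*_SFTP_LOG_*
$ REPLY/ENABLE=OPER1
```

Logical names created with DEFINE/SYSTEM do not survive a reboot, so a site would normally place these definitions in its system startup procedure.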


3  Documentation Updates

This chapter contains a summary of changes to the documentation for SSH for OpenVMS V2.3.

3.1  SSH for OpenVMS V2.3

o  Changed the SSH for OpenVMS version number to read V2.3.

3.2  Corrections to the SSH for OpenVMS V2.3 documentation


4  Known Bugs/Issues

The following are known bugs and issues with SSH for OpenVMS V2.3.

o  The SFTP2 and SCP2 client programs do not properly operate when SFTP protocol version 2 is in use. Very few implementations are still using protocol version 2; most are using version 3 or version 4.