
Tectia Client/Server/ConnectSecure 6.4.12 were released on October 14, 2015. What's new in these releases?

asked Oct 14 '15 at 19:16


SSH doc ♦♦


NOTE: With the release of Client/Server/ConnectSecure 6.4.12, the 6.4 releases are now declared feature complete and Long Term Supported (LTS). Therefore, the products are supported for 3 years from the release date of 6.4.12, until October 14, 2018. It is possible to further extend that support for 2 more years (until October 2020). There will be 6.4 maintenance releases which will fix critical bugs, but no new features will be added to any future 6.4 releases.

The 6.4.12 releases contain the following special items:

All platforms:

  • The key-exchange method diffie-hellman-group1-sha1 was removed from the factory default Broker and Server configurations. The diffie-hellman-group1-sha1 KEX method uses the 1024-bit Oakley group1, which is small by current standards, as shown by the LogJam paper.

Windows:

  • The Tectia Server installation package now also contains the client components.
  • Tectia Server's logon performance has been improved.
  • Separate 32- and 64-bit installation packages were introduced. Please make sure you install the correct architecture version.
  • Tectia Server upgrade is only supported from 6.1 upwards. If you have an older version, we recommend that you first upgrade to 6.3 (the LTS before this release). Alternatively, you can uninstall your previous version before installing this version.

Linux:

  • SUSE Linux Enterprise Server 12 (SLES 12) and SUSE Linux Enterprise Desktop 12 are now officially supported platforms.

All released products also include other features and bug fixes. The following includes a summary of the release notes for each product.

Tectia Client/ConnectSecure

New Features:

  • All Platforms: The key-exchange method diffie-hellman-group1-sha1 was removed from the Connection Broker's factory default configuration. The diffie-hellman-group1-sha1 KEX method uses the 1024-bit Oakley group1, which is small by current standards, as shown by the LogJam paper. The ssh-keyfetch utility now uses diffie-hellman-group14-sha1 instead of group1.

  • All Platforms: When 'end-point-identity-check="yes"', user logon with a short hostname is allowed in addition to FQDN in server authentication with host certificate. With a short hostname, a warning indicating the matched certificate is issued.

  • All Platforms: The Connection Broker configuration (XML) file now has options for certificate validation similar to the Server: cache-size, max-crl-size, external-search-timeout, max-ldap-response-length, and ldap-idle-timeout. This allows configuring the Broker to accept very large CRLs, for example. No GUI support as of yet.

  • Linux: SLES 12 and SLED 12 are now officially supported platforms.

  • Windows: Tectia Connections Configuration GUI now allows creation of keys larger than 3072 bits (up to 8192 bits).

  • Windows: The Tectia Server package now also includes Tectia Client components. If you already have Tectia Client installed, the Server installation will fold that installation in, resulting in a Server installation. It is possible to install the package without the client components. Installing Tectia ConnectSecure and Server is supported only if the two packages are of the same version.

  • Windows: Upgraded Qt to 4.8.3 and ICU to 51.2. The software is now built with Visual Studio 2013. The created MSI packages will require a Microsoft update to install on Windows 2003 and XP.

  • Windows: Upgraded the OpenSSL cryptographic library used in FIPS mode to version 1.0.2a.

  • Windows: Due to architectural changes in Windows 8 and later, the Capture component of ConnectSecure does not function. The installer will now refuse to install the component on these platforms, as the installation could cause adverse effects for the system.

Bug Fixes:

  • All Platforms: Fixed an issue which caused automatic FTP tunnels to intermittently fail to start.

  • All Platforms: Fixed an issue that caused some file transfers to fail silently, creating an empty file in the server.

  • All Platforms: "ssh-broker-ctl reload" with no Broker configuration file no longer crashes.

  • All Platforms: In FIPS mode, cryptographic operations with too small keys (<1024 bits) will now be refused.

  • All Platforms: Old or invalid licenses no longer cause warnings at program startup if a valid license is found.

  • Unix: Host-based authentication should work with FIPS mode enabled. AIX requires a work-around, see Known issues.

  • Unix: OpenSSH agent forwarding for ECDSA keys now works.

  • Windows: Command-line clients no longer print a newline character to standard output during authentication prompts. The newline is printed to the Windows console like the rest of the prompt, to avoid breaking tunneled applications (e.g., git) over sshg3.

  • Windows: Fixed an issue in the Connections Configuration GUI which caused copied profiles to occasionally get corrupted. This also addresses a related issue where saving layouts caused the profiles to get corrupted.

  • Windows: Connections Configuration GUI: Copying profiles with dots in their names no longer fails.

  • Windows: Connections Configuration GUI: Copying profiles will no longer overwrite profiles if they happen to have a conflicting name.

  • Windows: Setting debug level to 8 or higher no longer breaks GUI client functionality.

  • Tectia ConnectSecure on Unix: Added missing Makefile.common to the package.

  • Tectia ConnectSecure on Unix: Fixed examples to compile.

Known Issues:

  • All Platforms: scpg3 and sftpg3 with --append overwrite the destination file when the server is OpenSSH 6.4 or older.

  • All platforms: Remote translation tables only work when the site command X=BIN is used. Local translation tables work as intended.

  • Windows: Connections Configuration GUI: Dots do not work correctly in profile names or profile folder names, because they are used internally for the profile folder feature.

  • Windows: Connections Configuration GUI: Empty connection profile folders are not saved in the Broker configuration.

  • AIX: Host-based authentication in FIPS mode requires copying or linking the libcrypto.a to /lib or /usr/lib.

Tectia Server

New Features:

  • All Platforms: The key-exchange method diffie-hellman-group1-sha1 was removed from the factory default Server configuration. The diffie-hellman-group1-sha1 KEX method uses the 1024-bit Oakley group1, which is small by current standards, as shown by the LogJam paper. The ssh-keyfetch utility now uses diffie-hellman-group14-sha1 instead of group1.

  • Linux: SLES 12 and SLED 12 are now officially supported platforms.

  • Unix: Configuration element passwd-change-rules introduced in 6.4.10 caused regressions with configurations already containing the rule for "passwd-change". The feature was modified to always add a "passwd-change" rule unless the group is defined in the configuration. This supersedes the change introduced in 6.4.10. If you wish to disable the forced password change, you can do this by adding two groups to the services block: A catch-all group and a passwd-change group which will never match due to the catch-all.

  • Windows: The Tectia Server package now also includes Tectia Client components. If you already have Tectia Client installed, the Server installation will fold that installation in, resulting in a Server installation. It is possible to install the package without the client components. Installing Tectia ConnectSecure and Server is supported only if the two packages are of the same version.

  • Windows: It is now possible to install Tectia Server and try it out without rebooting the machine. The caveat here is that public-key authentication will not work, due to the necessity of restarting the Server to register the SSH domain authentication package. Restarting the Server will enable full functionality.

  • Windows: User impersonation for file access no longer uses an extra binary, which should make file access faster for, e.g., public-key authentication.

  • Windows: Primary access tokens are created consistently across password authentication, S4U, and DAP.

  • Windows: Upgraded Qt to 4.8.3 and ICU to 51.2. The software is now built with Visual Studio 2013. The created MSI packages will require a Microsoft update to install on Windows 2003 and XP.

  • Windows: Upgraded the OpenSSL cryptographic library used in FIPS mode to version 1.0.2a.

Bug Fixes:

  • All Platforms: Tectia Server will only read regular files as users' public keys for authorization.

  • All Platforms: Authentication will no longer hang if an authorization file is truncated during parsing.

  • All Platforms: In FIPS mode, cryptographic operations with too small keys (<1024 bits) will now be refused.

  • All Platforms: Old or invalid licenses no longer cause warnings at program startup if a valid license is found.

  • All Platforms: Sample files for Tectia Mapper Protocol are again included in the distribution.

  • Unix: OpenSSH agent forwarding for ECDSA keys now works.

  • Windows: Improved error handling on authentication queries. This allows the system to respond to error situations faster.

  • Windows: Multiple logins to a Windows server can now happen in parallel, speeding up login times on servers with moderate to high traffic.

  • Windows: S4U authentication is not attempted for local users, as it cannot succeed.

  • Windows: S4U authentication is not attempted on machines not attached to a domain, as it cannot succeed.

Known issues:

  • All platforms: Remote translation tables only work when the site command X=BIN is used. Local translation tables work as intended.

  • Linux, RHEL6: ssh-servant-g3 processes can show large virtual memory allocation, in excess of one GB per process. This is due to thread arena allocation in libc 2.10 and later, included in RHEL 6.0, not because of memory leaks.

  • Solaris: With exec-directly="no", csh on Solaris closes auditing file descriptors for sft-server-g3, effectively disabling logging with sftp. The recommended solution here is to use exec-directly="yes".

  • Windows: Upgrade only recognizes versions 6.1 onwards.

  • Windows: On XP and Windows Server 2003, restarting the machine is required to be able to start Tectia Server.

For further information about the products and changes between the different versions, and instructions on how to update the product, see the customer documentation and release notes at the SSH product documentation site.


answered Oct 14 '15 at 19:25


SSH doc ♦♦

edited Oct 14 '15 at 19:26
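The KEX change above (dropping the 1024-bit diffie-hellman-group1-sha1 from the defaults) is the kind of thing a defender wants to verify against what a peer actually advertises, not just against a configuration file. The following is an added example, not code from the release notes or from SSH Communications Security: it parses the SSH_MSG_KEXINIT payload laid out in RFC 4253 section 7.1 and flags any fixed-group Diffie-Hellman method whose modulus is below a chosen floor (2048 bits by default). The group sizes come from RFC 4253 and RFC 8268; the KEXINIT packets are constructed inside the script for the demonstration and were not captured from a Tectia system. The 2048-bit floor and the helper names are this example's own choices.

```python
"""Audit the key-exchange list an SSH peer advertises in SSH_MSG_KEXINIT.

Added example (not Tectia code): decodes the RFC 4253 KEXINIT wire format and
reports fixed finite-field DH methods whose modulus is below a policy floor.
"""
import struct

SSH_MSG_KEXINIT = 20

# Modulus sizes (bits) of the fixed finite-field groups in RFC 4253 / RFC 8268.
# diffie-hellman-group1-sha1 is the 1024-bit method removed from the 6.4.12
# defaults; group-exchange methods negotiate a size at run time and are not rated.
FFDHE_MODP_BITS = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha1": 2048,
    "diffie-hellman-group14-sha256": 2048,
    "diffie-hellman-group15-sha512": 3072,
    "diffie-hellman-group16-sha512": 4096,
    "diffie-hellman-group17-sha512": 6144,
    "diffie-hellman-group18-sha512": 8192,
}

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)


def _read_name_list(buf, off):
    """Decode one SSH name-list: uint32 length, then comma-separated ASCII names."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list body")
    names = raw.decode("ascii").split(",") if raw else []
    return names, off + n


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload into a dict of name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id, then the 16-byte random cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        lists[field], off = _read_name_list(payload, off)
    # Trailer: boolean first_kex_packet_follows and a uint32 reserved (0) field.
    if off + 5 > len(payload):
        raise ValueError("truncated KEXINIT trailer")
    lists["first_kex_packet_follows"] = payload[off] != 0
    return lists


def build_kexinit(kex_algorithms, cookie=bytes(16)):
    """Encode a KEXINIT payload; non-KEX lists are fixed to a minimal set."""
    lists = {
        "kex_algorithms": kex_algorithms,
        "server_host_key_algorithms": ["ssh-rsa"],
        "encryption_client_to_server": ["aes128-ctr"],
        "encryption_server_to_client": ["aes128-ctr"],
        "mac_client_to_server": ["hmac-sha2-256"],
        "mac_server_to_client": ["hmac-sha2-256"],
        "compression_client_to_server": ["none"],
        "compression_server_to_client": ["none"],
        "languages_client_to_server": [],
        "languages_server_to_client": [],
    }
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        raw = ",".join(lists[field]).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)


def weak_kex_methods(kex_algorithms, min_modp_bits=2048):
    """Return (name, bits) for every fixed-group DH method below the floor."""
    return [(n, FFDHE_MODP_BITS[n]) for n in kex_algorithms
            if n in FFDHE_MODP_BITS and FFDHE_MODP_BITS[n] < min_modp_bits]


def audit_kexinit(payload, min_modp_bits=2048):
    """Parse a KEXINIT payload and report the weak fixed-group KEX methods in it."""
    return weak_kex_methods(parse_kexinit(payload)["kex_algorithms"], min_modp_bits)


# Constructed samples: a legacy peer still offering group1, and a hardened one.
LEGACY_KEXINIT = build_kexinit([
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1", "ecdh-sha2-nistp256",
])
HARDENED_KEXINIT = build_kexinit([
    "diffie-hellman-group14-sha1", "ecdh-sha2-nistp256",
])

if __name__ == "__main__":
    for label, pkt in (("legacy", LEGACY_KEXINIT), ("hardened", HARDENED_KEXINIT)):
        print(label, audit_kexinit(pkt) or "no weak fixed-group KEX offered")
```

Feed `audit_kexinit` the decrypted payload of the first packet a peer sends after the version exchange (KEXINIT is sent in the clear, so it can be taken from a capture) and a non-empty result means the peer still offers a group below the floor; the parser deliberately rejects truncated input rather than reading past the buffer.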
