NOTE: With the release of Client/Server/ConnectSecure 6.4.12, the 6.4 releases are now declared feature complete and Long Term Supported (LTS). Therefore, the products are supported for 3 years from the release date of 6.4.12, until October 14, 2018. It is possible to further extend that support for 2 more years (until October 2020). There will be 6.4 maintenance releases which will fix critical bugs, but no new features will be added to any future 6.4 releases.

The 6.4.12 releases contain the following special items:
All platforms:
- The key-exchange method diffie-hellman-group1-sha1 was removed from the factory default Broker and Server configurations. The diffie-hellman-group1-sha1 KEX method uses the 1024-bit Oakley group1, which is small by current standards, as shown by the LogJam paper.

Windows:
- The Tectia Server installation package now also contains the client components.
- Tectia Server's logon performance has been improved.
- Separate 32- and 64-bit installation packages were introduced. Please make sure you install the correct architecture version.
- Tectia Server upgrade is only supported from 6.1 upwards. If you have an older version, we recommend that you first upgrade to 6.3 (the LTS before this release). Alternatively, you can uninstall your previous version before installing this version.

Linux:
- SUSE Linux Enterprise Server 12 (SLES 12) and SUSE Linux Enterprise Desktop 12 are now officially supported platforms.
All released products also include other features and bug fixes. The following is a summary of the release notes for each product.

Tectia Client/ConnectSecure

New Features:
- All Platforms: The key-exchange method diffie-hellman-group1-sha1 was removed from the Connection Broker's factory default configuration. The diffie-hellman-group1-sha1 KEX method uses the 1024-bit Oakley group1, which is small by current standards, as shown by the LogJam paper. The ssh-keyfetch utility now uses diffie-hellman-group14-sha1 instead of group1.
- All Platforms: When 'end-point-identity-check="yes"', user logon with a short hostname is allowed in addition to FQDN in server authentication with host certificate. With a short hostname, a warning indicating the matched certificate is issued.
- All Platforms: The Connection Broker configuration (XML) file now has options for certificate validation similar to the Server: cache-size, max-crl-size, external-search-timeout, max-ldap-response-length, and ldap-idle-timeout. This allows configuring the Broker to accept very large CRLs, for example. No GUI support as of yet.
- Linux: SLES 12 and SLED 12 are now officially supported platforms.
- Windows: Tectia Connections Configuration GUI now allows creation of keys larger than 3072 bits (up to 8192 bits).
- Windows: The Tectia Server package now also includes Tectia Client components. If you previously had Tectia Client installed, the Server installation will fold that installation in, resulting in a Server installation. It is possible to install the package without the client components. Installing Tectia ConnectSecure and Server is supported only if the two packages are of the same version.
- Windows: Upgraded Qt to 4.8.3 and ICU to 51.2. The software is now built with Visual Studio 2013. The created MSI packages will require a Microsoft update to install on Windows 2003 and XP.
- Windows: Upgraded the OpenSSL cryptographic library used in FIPS mode to version 1.0.2a.
- Windows: Due to architectural changes in Windows 8 and later, the Capture component of ConnectSecure does not function. The installer will now refuse to install the component on these platforms, as the installation could cause adverse effects for the system.

Bug Fixes:
- All Platforms: Fixed an issue which caused automatic FTP tunnels to intermittently fail to start.
- All Platforms: Fixed an issue that caused some file transfers to fail silently, creating an empty file on the server.
- All Platforms: "ssh-broker-ctl reload" with no Broker configuration file no longer crashes.
- All Platforms: In FIPS mode, cryptographic operations with too small keys (<1024 bits) will now be refused.
- All Platforms: Old or invalid licenses no longer cause warnings at program startup if a valid license is found.
- Unix: Host-based authentication should work with FIPS mode enabled. AIX requires a work-around, see Known Issues.
- Unix: OpenSSH agent forwarding for ECDSA keys now works.
- Windows: Command-line clients no longer print a newline character to standard output during authentication prompts. It is printed to the Windows console like the rest of the prompt, to avoid breaking tunneled applications (e.g., git) over sshg3.
- Windows: Fixed an issue in the Connections Configuration GUI which caused copied profiles to occasionally get corrupted. This also addresses a related issue where saving layouts caused the profiles to get corrupted.
- Windows: Connections Configuration GUI: Copying profiles with dots in their names no longer fails.
- Windows: Connections Configuration GUI: Copying profiles will no longer overwrite profiles if they happen to have a conflicting name.
- Windows: Setting debug level to 8 or higher no longer breaks GUI client functionality.
- Tectia ConnectSecure on Unix: Added missing Makefile.common to the package.
- Tectia ConnectSecure on Unix: Fixed examples to compile.

Known Issues:
- All Platforms: scpg3 and sftpg3 with --append overwrite the destination file when the server is OpenSSH 6.4 or older.
- All Platforms: Remote translation tables only work when the site command X=BIN is used. Local translation tables work as intended.
- Windows: Connections Configuration GUI: Dots do not work correctly in profile names or profile folder names, because they are used internally for the profile folder feature.
- Windows: Connections Configuration GUI: Empty connection profile folders are not saved in the Broker configuration.
- AIX: Host-based authentication in FIPS mode requires copying or linking libcrypto.a to /lib or /usr/lib.

Tectia Server

New Features:
- All Platforms: The key-exchange method diffie-hellman-group1-sha1 was removed from the factory default Server configuration. The diffie-hellman-group1-sha1 KEX method uses the 1024-bit Oakley group1, which is small by current standards, as shown by the LogJam paper. The ssh-keyfetch utility now uses diffie-hellman-group14-sha1 instead of group1.
- Linux: SLES 12 and SLED 12 are now officially supported platforms.
- Unix: The configuration element passwd-change-rules introduced in 6.4.10 caused regressions with configurations already containing the rule for "passwd-change". The feature was modified to always add a "passwd-change" rule unless the group is defined in the configuration. This supersedes the change introduced in 6.4.10. If you wish to disable the forced password change, you can do this by adding two groups to the services block: a catch-all group and a passwd-change group which will never match due to the catch-all.
- Windows: The Tectia Server package now also includes Tectia Client components. If you previously had Tectia Client installed, the Server installation will fold that installation in, resulting in a Server installation. It is possible to install the package without the client components. Installing Tectia ConnectSecure and Server is supported only if the two packages are of the same version.
- Windows: It is now possible to install Tectia Server and try it out without rebooting the machine. The caveat here is that public-key authentication will not work, due to the necessity of restarting the Server to register the SSH domain authentication package. Restarting the Server will enable full functionality.
- Windows: User impersonation for file access no longer uses an extra binary, which should make file access faster for, e.g., public-key authentication.
- Windows: Primary access tokens are created consistently across password authentication, S4U, and DAP.
- Windows: Upgraded Qt to 4.8.3 and ICU to 51.2. The software is now built with Visual Studio 2013. The created MSI packages will require a Microsoft update to install on Windows 2003 and XP.
- Windows: Upgraded the OpenSSL cryptographic library used in FIPS mode to version 1.0.2a.

Bug Fixes:
- All Platforms: Tectia Server will only read regular files as users' public keys for authorization information.
- All Platforms: Authentication will no longer hang if an authorization file is truncated during parsing.
- All Platforms: In FIPS mode, cryptographic operations with too small keys (<1024 bits) will now be refused.
- All Platforms: Old or invalid licenses no longer cause warnings at program startup if a valid license is found.
- All Platforms: Sample files for Tectia Mapper Protocol are again included in the distribution.
- Unix: OpenSSH agent forwarding for ECDSA keys now works.
- Windows: Improved error handling on authentication queries. This allows the system to respond to error situations faster.
- Windows: Multiple logins to a Windows server can now happen in parallel, speeding up login times on servers with moderate to high traffic.
- Windows: S4U authentication is not attempted for local users, as it cannot succeed.
- Windows: S4U authentication is not attempted on machines not attached to a domain, as it cannot succeed.

Known Issues:
- All Platforms: Remote translation tables only work when the site command X=BIN is used. Local translation tables work as intended.
- Linux, RHEL6: ssh-servant-g3 processes can show large virtual memory allocation, in excess of one GB per process. This is due to thread arena allocation in libc 2.10 and later, included in RHEL 6.0, not because of memory leaks.
- Solaris: With exec-directly="no", csh on Solaris closes auditing file descriptors for sft-server-g3, effectively disabling logging with sftp. The recommended solution here is to use exec-directly="yes".
- Windows: Upgrade only recognizes versions 6.1 onwards.
- Windows: On XP and Windows Server 2003, restarting the machine is required to be able to start Tectia Server.

For further information about the products and changes between the different versions, and instructions on how to update the product, see the customer documentation and release notes at the SSH product documentation site.
answered Oct 14 '15 at 19:25 by SSH doc
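A defender-side check for the diffie-hellman-group1-sha1 removal described in the answer above (an added example, not code from SSH Communications Security or the Tectia product): it encodes and decodes an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1 and reports which weak KEX methods a peer still advertises. The payloads are constructed inline so it runs offline; `WEAK_KEX` is an assumed, editable set.

```python
import os
import struct

SSH_MSG_KEXINIT = 20
# KEX methods dropped from the 6.4.12 factory defaults (1024-bit Oakley group1). Assumed set; extend as needed.
WEAK_KEX = {"diffie-hellman-group1-sha1"}
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
FIELDS = ("kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c")


def _name_list(names):
    data = ",".join(names).encode("ascii")          # SSH name-list: uint32 length + comma-separated names
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists):
    """Encode a KEXINIT payload from {field: [names]}; fields not given become empty name-lists."""
    body = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)  # message id + 16-byte random cookie
    for field in FIELDS:
        body += _name_list(lists.get(field, []))
    return body + b"\x00" + struct.pack(">I", 0)      # first_kex_packet_follows = FALSE, reserved = 0


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [names]}; raise ValueError on a malformed or truncated message."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}                               # skip message id and cookie
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length for %s" % field)
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated name-list for %s" % field)
        raw = payload[off:off + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []  # an empty name-list is an empty string on the wire
        off += n
    return lists


def weak_kex_offered(payload):
    """Return the weak KEX methods a peer advertises, in the peer's own preference order."""
    return [k for k in parse_kexinit(payload)["kex_algorithms"] if k in WEAK_KEX]


# Constructed samples: a legacy peer that still offers group1, and a 6.4.12-style default that does not.
LEGACY_KEXINIT = build_kexinit({"kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
                                "server_host_key_algorithms": ["ssh-rsa"]})
HARDENED_KEXINIT = build_kexinit({"kex_algorithms": ["diffie-hellman-group14-sha1", "ecdh-sha2-nistp256"],
                                  "server_host_key_algorithms": ["ssh-rsa"]})
```

To audit a live peer, feed the decrypted KEXINIT payload captured from the first packet after the version exchange to `weak_kex_offered`; any non-empty result means the peer can still be negotiated down to the 1024-bit group.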