Reflection for Secure IT Windows Client 6.1 Service Pack 3 (SP3) is available to maintained users who already have 6.1. This technical note provides a link to Reflection for Secure IT 6.1 SP3, a list of fixes included in the service pack, as well as those originally included in SP1 and SP2.
The Reflection for Secure IT 6.1 Service Pack 3, rsitcliwin-6.1.3-prod-w32.exe, is available from the Download Library and applies to Reflection for Secure IT 6.1.
For information about applying or uninstalling a service pack, see the following technical notes:
| How to apply a service pack to a workstation installation of Reflection | 1615 |
| How to apply a service pack to an administrative installation of Reflection | 1616 |
| Uninstalling a Reflection Service Pack | 1871 |
The following new features and fixes are included in the Reflection for Secure IT 6.1 Service Pack 3. To view features and fixes relevant to the Reflection product you are using or evaluating, scroll to the relevant section below or use these quick reference links.
New feature in Reflection Secure Shell SP3:
When NoShell is set to "Yes", the client creates a tunnel without opening a terminal session. This option can be used in combination with ConnectionReuse to create a tunnel that can be reused by other ssh connections. You can configure this option in the Secure Shell configuration file, or using the -o command-line option.
Issues resolved in Reflection Secure Shell SP3:
This patch includes changes that support faster SFTP and SCP file transfers.
This patch reduces the time it takes to display directory listings in SFTP sessions.
Prior to this patch, server certificate validation failed if the certificate contained unknown extended key usage OIDs. These extensions are now checked during intermediate certificate validation only if they are marked as "Critical" or if you are running Reflection in DOD mode.
Error messages for the ssh command-line utility are now sent to stderr.
The sftp and sftp2 command line usage help now displays the following additional syntax for uploading files to the server: sftp [options] sourcefile [user@]host[#port]:[destination file]. This information is displayed when you use the -h command-line option.
Reflection no longer displays a blank "Reflection Secure Shell Client" dialog box when you are configured to use keyboard-interactive authentication. This dialog box was introduced by changes made to the SP2 patch.
This patch fixes a problem that caused a halt in data display when large chunks of data are being received. Prior to the fix it was sometimes necessary to use the Enter key to view the entire display.
This patch fixes a problem that caused Reflection to show multiple entries for the same user key when both a user-specific config file and a global ssh_config file were present on the same computer.
New features in Reflection SFTP SP3:
A new setting, Use IPV6, has been added to the Connection tab in the Site Properties dialog box. Options are Always, Never, When Available. The default is When Available. Previously IPV6 support was configurable using the command window, and this technique is also still available.
The FTP Open method now supports sending passwords for Secure Shell sessions. The following sample configures a Secure Shell connection, connects to the specified host, and sends the specified user name and password.
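Sub SFTP_Password_Auth()
    Dim FTP As New ReflectionFTP3
    With FTP
        ' Use Secure Shell and the SFTP protocol for this connection
        .UseSSH = True
        .UseSFTP = True
        ' Arguments: host, user name, password
        .Open "myhost", "myusername", "mypassword"
    End With
End Sub
Issues resolved in Reflection SFTP SP3: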
In the Directories tab of the FTP Client Site Properties dialog box, modifying the Cache directory listing setting now correctly enables the Apply button on this tab.
This patch reduces the time it takes to display directory listings in the local pane.
This patch reduces the time it takes to display directory listings in the server pane.
The Preserve server file date option (available on the Transfer tab of the site properties dialog box) now works as expected for SFTP transfers.
For information about platform support in Reflection for Secure IT, see Technical Note 1944.
The following new features and fixes are included in the Reflection for Secure IT 6.1 Service Pack 2 (SP2). To view features and fixes relevant to the Reflection product you are using or evaluating, scroll to the appropriate product name below or use these quick reference links.
Reflection for Secure IT Windows Client 6.1 SP2 is now supported on the Windows Vista platform and meets the requirements of the "Works with Windows Vista" logo specification. For more information about Attachmate products and Windows Vista, see Technical Note 2152.
New feature in Reflection Secure Shell SP2:
You can now specify which hash algorithm the client uses in the process of proving possession of the private key during public key user authentication. To configure this, open the Reflection Secure Shell Settings dialog box. On the Encryption tab, under Signature types, select the hash you want to use for RSA and DSA keys.
Issues resolved in Reflection Secure Shell SP2:
This service pack fixes a problem that would sometimes cause very large (gigabyte) data transfers to hang when Reflection was configured to use the Secure Shell protocol. This problem was seen with transfers using the Reflection user interface and also using Reflection command line utilities.
This error message was displayed incorrectly when the Reflection scp command line utility was used with the -r switch. This problem has been resolved.
Sftp file transfers that use wildcard GET commands now work as expected.
In Reflection applications running with Service Pack 1 applied, the sftp and scp clients could not simultaneously access the same local file for uploading. This problem has been resolved.
This service pack corrects a problem in the Secure Shell protocol that could cause this error message to be displayed for slow or bad network connections.
For information about platform support in Reflection for Secure IT, see Technical Note 1944.
The following new features and fixes are included in the Reflection for Secure IT 6.1 Service Pack 1 (SP1). To view features and fixes relevant to the Reflection product you are using or evaluating, scroll to the appropriate product name below or use these quick reference links.
A Public Key Infrastructure (PKI) is a system that helps facilitate secure communications through the use of digital certificates. Reflection supports the use of a PKI for host and user authentication during Secure Shell and SSL/TLS sessions.
The following new features are available in all Reflection for Secure IT Windows Client 6.1 SP1 applications. For additional information about these features, see "PKI" in the Reflection application Help index after you've installed this service pack.
You can now configure Reflection Secure Shell and SSL/TLS connections to use one or more OCSP responders to check if certificates are still valid.
URL:portnumber
For example:
http://ocspmachine.host.com:20080
By default, Reflection applications allow some configurations that do not meet DOD PKI requirements. Administrators can now use Reflection Group Policies to configure all Reflection sessions to meet DOD PKI requirements. To do this, you must first install the latest version of the Reflection Administrator's Toolkit.
For additional information, see "DOD PKI information" in the Reflection application Help index after you've installed this service pack.
Administrators can now use the Reflection Customization Manager to create custom Reflection installations that include PKI settings. For additional information, see "PKI, deploying PKI settings in a customized install" in the Reflection application Help index after you've installed this service pack.
New feature in Reflection Secure Shell 6.1 SP1:
You can now choose to export the private key of a public/private key pair. To do this, open the User Keys tab of the Secure Shell Settings dialog box, click Export, then select Export Private Key.
The Reflection Windows client now uses the SECSH file format by default for exported keys. This matches the format used by other Reflection for Secure IT applications. To configure Reflection to export keys in OpenSSH format (the previous default), open the User Keys tab of the Secure Shell Settings dialog box, click Export, then select Save in OpenSSH format.
Issues resolved in Reflection Secure Shell 6.1 SP1:
Fixed security vulnerability, US-CERT VU#845620, http://www.kb.cert.org/vuls/id/845620 -- Multiple RSA implementations fail to properly handle signatures. For more details see the General Security Alerts and Advisories section of Technical Note 1708.
The sftp and sftp2 command line utilities now accept syntax to copy host files to the local root directory or to the root directory of another local drive. Commands such as the following are now supported:
sftp myname@myhost:myfile d:\
sftp myname@myhost:myfile \
The Reflection session now remains connected if you attempt to change to an empty directory. Previously either of the following commands disconnected the session:
On the FTP command line: cd (with no directory specified)
Using the Reflection FTP Client API: .SetCurrentDirectory " "
Reflection no longer closes unexpectedly when the network connection goes down or the server terminates while the SFTP client is transferring a file.
The scp and scp2 command line utilities now correctly support the -i identity file switch. Commands like the following are now handled correctly. Previously this resulted in an invalid option error.
scp2 -i keyfile <localfile> user@host:<destination file>
Reflection now correctly creates the .pki folder when a user's My Documents folder is specified using a UNC path.
This patch provides improved SFTP support for traversing directories on OpenVMS systems.
The Host Key Authenticity dialog box now displays the host key fingerprint in both bubble-babble and hex format. The bubble-babble format uses a SHA-1 hash for the fingerprint and the hex format uses an MD5 hash.
A fix was made for SSH1 connections that were failing intermittently.
The sftp and sftp2 command line utilities now display the day of the month. Previously this part of the date was not included in the date fields.
A fix was added that prevents a Secure Shell or SFTP connection from hanging when downloading a large amount of data.
Reflection now reads private keys created with F-Secure that have a passphrase with more than 23 characters.
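The two host key fingerprint formats named above for the Host Key Authenticity dialog box (bubble-babble over a SHA-1 hash, hex over an MD5 hash) can be recomputed independently to check a fingerprint received out of band. The following is an added example, not Reflection code; it assumes the hash is taken over the decoded public key blob, as is conventional for SSH fingerprints, and the function names and sample key are constructed for illustration.

```python
import base64
import hashlib

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"

def bubble_babble(data: bytes) -> str:
    """Encode bytes with the Bubble Babble scheme (pronounceable, checksummed)."""
    seed, out = 1, ["x"]
    rounds = len(data) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2:
            b1 = data[2 * i]
            out.append(VOWELS[((b1 >> 6) + seed) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[b2 >> 4] + "-" + CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:  # even-length input: the final group carries only the checksum seed
            out.append(VOWELS[seed % 6] + "x" + VOWELS[seed // 6])
    return "".join(out) + "x"

def key_blob(pubkey_line: str) -> bytes:
    """Decode the key blob from an OpenSSH-style 'type base64 [comment]' line."""
    return base64.b64decode(pubkey_line.split()[1], validate=True)

def fingerprints(blob: bytes) -> dict:
    """Return both fingerprint forms for a public key blob."""
    md5 = hashlib.md5(blob, usedforsecurity=False).digest()
    sha1 = hashlib.sha1(blob, usedforsecurity=False).digest()
    return {
        "hex-md5": ":".join(f"{b:02x}" for b in md5),
        "bubble-babble-sha1": bubble_babble(sha1),
    }

def matches(expected: str, blob: bytes) -> bool:
    """True if a fingerprint obtained out of band equals either computed form."""
    return expected.strip().lower() in fingerprints(blob).values()

# Constructed sample: SSH-style blob with placeholder key material (not a real key).
SAMPLE_BLOB = b"\x00\x00\x00\x07ssh-rsa" + bytes(range(64))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"

if __name__ == "__main__":
    for name, fp in fingerprints(key_blob(SAMPLE_LINE)).items():
        print(f"{name}: {fp}")
```

Compare the full string, not just the first or last group: the bubble-babble form carries a running checksum, so a single mistyped character usually produces an invalid encoding rather than a near match.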
New features in Reflection SFTP 6.1 SP1:
Two new settings have been added to the Transfer tab of the Site Properties dialog box:
By default, Reflection computes and preallocates the number of tracks on an MVS system based on the local file size. Clear this setting to disable this feature. This setting applies to uploads to MVS hosts only.
Use this setting to specify a SITE command to be executed before a file is uploaded. This is supported for uploads to any host.
Issues resolved in Reflection SFTP 6.1 SP1:
This patch fixes a number of problems that were seen when handling files whose size is larger than 2 gigabytes. Problems included files that could not be displayed, files that failed to transfer, and file transfers that failed to resume properly. Note that some FTP or SFTP servers still may not be able to display or transfer files greater than 4 gigabytes, in which case the Reflection client may also experience problems.
The error message above displays if you attempt to install only the FTP client on a system on which F-Secure is installed. This patch fixes this problem; the Reflection F-Secure Migration wizard will not launch when an installation doesn't include Reflection for HP, Reflection for Unix and OpenVMS, or Reflection for ReGIS Graphics.
The FTP Client now launches successfully if your Desktop or My Documents folder is not in your roaming profile.
The SSH Config Scheme value is now written properly when you export your settings from the FTP Client. Previously the SSH Config Scheme name was written out incorrectly in the exported XML and consequently the value was not set when the XML was reimported into the FTP Client.
If the Reflection FTP client is installed and launched for the first time on a system that already contains a file called "settings.rfw", any existing settings in the registry are migrated to a file called "settings0.rfw" and Reflection FTP loads the existing "settings.rfw" file. Settings are now migrated only if a previous version of Reflection FTP was installed on the system.
When the Directory Definition Wizard is used to create custom rules for parsing directory listings, a manually added "Include Suffix" value is now honored.
Issue resolved in Kerberos 6.1 SP1:
The last character of the default principal, default realm, and KDC host name is no longer dropped when you have selected Use Windows logon value in the Reflection Kerberos Initial Configuration dialog box.
Issue resolved in Reflection for Secure IT 6.1 SP1:
Wide characters (such as Japanese or Chinese) now display correctly when the Reflection host character set is set to UTF8.