
Technical Notes

Reflection for Secure IT Windows Server 6.1 Service Pack 4 (SP4): Fixes and Features
Technical Note 2182
Last Reviewed 11-Apr-2008
Applies To
Reflection for Secure IT Windows Server version 6.1
Summary

Reflection for Secure IT Windows Server 6.1 Service Pack 4 (SP4) is available for maintained customers. This technical note provides information about how to obtain your service pack, a list of features included in SP4, as well as a list of features and fixes originally included in SP2 and SP3. (There was no SP1 for Reflection for Secure IT Windows Server 6.1.)

Before you apply the service pack, note the following:

  • This document references a Reflection service pack. Service packs are available to licensed Attachmate customers with current maintenance plans for these products. For information about logins and accessing the Download Library, see Technical Note 0200.
  • The service pack for Windows server version 6.1 SP4 is a full product installation and does not require 6.1 to be installed.

This note is organized into the following sections:

Obtaining Your Service Pack

Maintained customers are eligible to download the latest product releases from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/. For more information about logging into and using the Download Library, see Technical Note 0200.

Installing Your Service Pack

Once you have downloaded your service pack, back up the SSH Server folder (which includes config files and host keys), uninstall your current version, and then install the service pack.

New Features and Fixes in Reflection for Secure IT 6.1 SP4

The following new features are available in version 6.1 SP4:

  • Support for defining multiple OCSP Responders. You can configure this from the Server Configuration Tool or using the server configuration keyword OcspResponder. Use a comma-separated list to configure multiple responders.
  • The local certificate store (Local PKI) configuration is now available in the Server Configuration Tool. The [...] button allows you to select certificate files or CRL files. You can also specify individual intermediate CA certificates or CRL files in a comma-separated list in the text edit box, or using the LocalPKI keyword.
  • Support for configuring an OCSP responder certificate independently for each Trusted CA certificate. This enables you to specify the same or different revocation CA certificates for multiple trusted anchor points. Note: If you specify an OCSP responder that uses a self-signed certificate or certificates, you must now specify an OCSP responder certificate for each Trusted CA certificate that uses that OCSP responder. (You can also configure OCSP responder certificates in the configuration file using the RevocationCA keyword. Each PKI stanza can have one or more RevocationCA keywords. The certificates specified using RevocationCA in any given stanza apply only to that stanza and do not carry over to any other stanza.)

The following issue was fixed in version 6.1 SP4:

  • The double-byte file transfer issue is resolved for both SCP and SFTP.

New Features and Fixes in Reflection for Secure IT 6.1 SP3

The following new features are available in version 6.1 SP3:

  • The server now provides more informative messages to clients when AuthFailureErrorMessages=yes and the server closes a connection due to host, group or user restrictions, disabled Windows accounts and nonexistent Windows accounts. To configure this, open the Advanced pane of the configuration tool and use the AuthFailureErrorMessages keyword. Warning: Using the keyword increases your security risk by providing more informative messages to potential attackers.
  • The default key size and type generated by ssh-keygen2 is now RSA 2048-bit.
  • The server now logs to the Event Viewer and the debug log when you import certificates from the Microsoft Certificate Store.
  • The Windows server now automatically converts legacy SSH.COM formatted private host keys to the SecSH format used by current releases. This update provides forward compatibility with future Reflection releases. This change should have no effect on the server or client users, as the key pair is not modified; the only change is to the format in which the key is stored. This change affects all keys created prior to version 5.3, and keys generated during installation prior to 6.1 SP3.
  • Support is now available for immediately disconnecting an invalid user, or any user found in the User or Group Deny list. To configure this, open the Advanced pane of the configuration tool and use the AuthImmediateDisconnect keyword. Warning: Using this keyword increases your security risk by providing clients with information about valid account names.

The following issues were fixed in version 6.1 SP3:

  • Individual file sizes are now correctly written to the Windows Event Viewer when doing multiple puts.
  • The server no longer adds an extra blank line in the registry key for HKLM\System\CurrentControlSet\Control\Lsa, which interfered with Tivoli Framework.

Note: Client Incompatibility—Certificate Authentication Fails

The Reflection for Secure IT 6.1 SP2 (or higher) servers now assume SHA1 hashed signatures for certificates containing RSA keys. The Reflection for Secure IT Windows Client 6.1 SP2 (or higher), Reflection for UNIX and OpenVMS 14.0 SP2 (or higher), and Reflection for Secure IT UNIX Client 6.1 SP2 (or higher) behavior has also been modified to use SHA1 hashes with RSA keys.

Earlier versions will experience a certificate authentication failure unless the server defaults are changed. To enable servers to accept MD5 hashed signatures from older clients, add the following line into the server's sshd2_config file:

Compat.RSA.HashScheme yes

Note: This fix applies to Reflection for Secure IT 6.1 SP3 or higher.

New Features and Fixes in Reflection for Secure IT 6.1 SP2

The following new features are available in version 6.1 SP2:

  • Support for certificate authentication using the Universal Principal Name field (UPN) in the Subject Alternative Name (SAN) certificate extension. To configure this you need to update the user map file. Two new keywords are supported for this purpose: UPN and UPNregex. To add or modify the map file, open the configuration tool and go to Certificates > Add > Certificate user authentication > Edit. The UPN keywords are described in comments in the default map. (Note: The UPN description is written only when the map file is first created; an existing map file is not updated with it.) Here are two examples:

To map all users, add this line to the map file:

%subst% UPNregex ([a-z]+)@<domain>.com

To map individuals, use this syntax:

<user> UPN <user>@<domain>.com

  • The ability to read both certificates and CRLs from a specified file or files. To configure this, edit the Advanced pane of the Server Configuration Tool. To read either a certificate or a CRL file, use the LocalPKI keyword (which replaces CRLFile).
  • The ssh-certview utility can now view CRLs and display the certificate UPN.
  • Support for specifying an Online Certificate Status Protocol (OCSP) responder. OCSP can be used as an alternative to CRL checking to confirm whether a certificate is valid. Using OCSP removes the need to retrieve and sort through large CRLs. To configure this, use the Certificates pane in the configuration tool (User Authentication > Public Key > Certificates).
  • Support for configuring an OCSP responder that has a self-signed certificate. To configure this, use the "OCSP responder certificate" setting in the Add PKI dialog box (User Authentication > Public Key > Certificates > Add).
  • Support for using certificates found in the Microsoft Certificate Store for host authentication. To configure this, use the "Import" button by "Import System Certificate" in the Identity pane. Note: The private key and certificate selected for host authentication must be present in (or imported to) the Local Computer | Personal store and must have the export private key capability enabled.
  • Support for using certificates found in the Microsoft Certificate Store as Trusted Certificate Authorities. To configure this, use "Select System CA Certificate" in the Add (or Edit) PKI dialog box (User Authentication > Public Key > Certificates > Add/Edit). Note the following:
    • Only CA certificates residing in the Local Computer > Trusted Root Certification Authorities store are available for selection to use as trust anchors for user certificate validation. By default, Windows automatically makes any certificates residing in this store available to all users of the computer.
    • The Certification user authorization file (map file) still must be defined when using Windows system root CAs. Any of the other controls may also be configured, if desired.
    • For further details about this feature, see Technical Note 2379.
  • Windows Server debug output now displays date and time stamps at the beginning of each debug message. The time stamp uses the system's local time.
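As an added illustration of the UPN and UPNregex map file lines shown above (this is not the product's own code, and the matching semantics it assumes are stated in the comments): a small parser that maps a certificate's SAN UPN to a Windows account, anchoring the UPNregex pattern so that a UPN such as bob@example.com.attacker.net does not match the example.com rule.

```python
import re

# Constructed sample map file using the two documented line forms.
# Assumed semantics (not confirmed by the note): rules are tried in order,
# "<account> UPN <upn>" is an exact, case-insensitive match, and
# "%subst% UPNregex <regex>" names the account by the first capture group.
MAP_FILE = """\
# <account> UPN <upn>        or        %subst% UPNregex <regex>
alice       UPN      alice@example.com
svc-backup  UPN      backup@example.com
%subst%     UPNregex ([a-z]+)@example.com
"""


def parse_map(text):
    """Parse map file text into a list of (kind, account, matcher) rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] not in ("UPN", "UPNregex"):
            raise ValueError(f"line {lineno}: expected '<account> UPN <upn>' "
                             f"or '%subst% UPNregex <regex>'")
        account, kind, value = parts
        if kind == "UPNregex":
            if account != "%subst%":
                raise ValueError(f"line {lineno}: UPNregex requires %subst%")
            # Anchor the pattern: an unanchored "([a-z]+)@example.com" would
            # also match "bob@example.com.attacker.net" via re.search.
            value = re.compile(r"\A(?:" + value + r")\Z", re.IGNORECASE)
        rules.append((kind, account, value))
    return rules


def map_upn(rules, upn):
    """Return the Windows account for a SAN UPN, or None if no rule matches."""
    for kind, account, value in rules:
        if kind == "UPN":
            if upn.lower() == value.lower():
                return account
        else:
            match = value.match(upn)
            if match:
                return match.group(1)  # %subst%: first capture group is the account
    return None
```
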

What's Fixed in 6.1 SP2

The following issues were fixed in Service Pack 2:

  • The correct user ID is now displayed in the Windows Event Viewer when spawned SFTP processes are started.
  • Password caching now supports lower case, upper case, and mixed case domain and user names.
  • Users who belong to over 100 groups are now able to authenticate successfully.
  • Server uptime and open connection information is available when running the Reflection for Secure IT Configuration tool in an RDP session.
  • Text is no longer truncated when the Reflection for Secure IT Configuration tool is launched on a computer running the Japanese Windows operating system.

Supported Platforms in Version 6.1

For information about platform support in Reflection for Secure IT, see Technical Note 1944.

Security Updates

Note the following security updates:

  • Reflection for Secure IT Windows Server version 6.1 SP2 and higher contains a fix to a flaw in the signature verification of RSA public keys or certificates that could cause Reflection servers to accept forged signatures from a client resulting in successful man-in-the-middle attacks. The vulnerability is described in US-CERT Vulnerability Note VU #845620. For more information, see Technical Note 2137.
  • Reflection for Secure IT Windows Server version 6.1 and higher includes a fix that prevents the possibility of executing specially-crafted and potentially malicious binary files in place of subsystem binaries, such as the sftp subsystem.

Related Technical Notes

0200 Using the Attachmate Download Library (FAQ)
1898 Readme: Features Introduced in Reflection for Secure IT Windows Server 6.1
1944 Supported Platforms in Reflection for Secure IT Client and Server
2137 Reflection Security Updates for US-CERT Vulnerability #845620: RSA Public Exponent 3
2379 Configuring Reflection for Secure IT to Use a Certificate in the Microsoft Personal Certificate Store
