Reflection for Secure IT UNIX Client and Server 7.0 Service Pack 1 (SP1): Fixes and Features
Technical Note 2374
Last Reviewed 22-Oct-2008
Applies To
Reflection for Secure IT UNIX Client version 7.0
Reflection for Secure IT UNIX Server version 7.0
Summary
Reflection for Secure IT UNIX Client and Server 7.0 Service Pack 1 (SP1) is available for maintained customers. This technical note provides information about how to obtain your service pack and a list of features included in SP1.
Note: This content is also available in Japanese at http://docs.attachmate.com/reflection/rsit-ssh/7.0SP1/unix/ja/RSITUNIX7_0_SP1_jpn.pdf.
Before you apply the service pack, note the following:
- This document references a Reflection service pack. Service packs are available to licensed Attachmate customers with current maintenance plans for these products.
- The service pack for UNIX client and server version 7.0 SP1 is a full product installation and does not require 7.0 to be installed.
- For information about logins and accessing the Download Library, see Technical Note 0200.
- For a list of fixes originally included in Reflection for Secure IT UNIX Client and Server 7.0, see Technical Note 2274.
This note is organized into the following sections:
- Obtaining Your Service Pack
- Installing Your Service Pack
- New Features and Fixes in Reflection for Secure IT 7.0 SP1
- Supported Platforms in 7.0 SP1
- Copyright and Notices Addendum
- Related Technical Notes
Obtaining Your Service Pack
Maintained customers are eligible to download the latest product releases from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/. For more information about logging into and using the Download Library, see Technical Note 0200.
Note: If you download a Sun Solaris, HP-UX, or IBM AIX package using Internet Explorer, the uppercase (.Z) extension is changed to lowercase (.z). You will need to rename the file to use an uppercase .Z extension before you can uncompress it.
Installing Your Service Pack
Once you have downloaded your service pack, back up the /etc/ssh2 directory (which includes config files and host keys), uninstall your current version, and then install the service pack.
For more information about replacing an existing Secure Shell program (including using backup files to merge your non-default settings to the new configuration file), see Technical Note 2282 or the Help topic "Replace an Existing Secure Shell Program" in the User Guide, which is available from http://support.attachmate.com/manuals/rsit_unix.html.
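The two pre-install steps described above (restoring the uppercase .Z extension that Internet Explorer lowercases, and backing up /etc/ssh2 before uninstalling the old version) as POSIX shell helpers. This is an added example, not a script shipped with Reflection for Secure IT; the function names, the /var/backups/rsit default location and the use of GNU sha256sum for the change manifest are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Attachmate's own tooling): helpers for the pre-install
# steps in this note. Paths are parameters so the functions can be exercised
# against a scratch directory before being pointed at /etc/ssh2.

# fix_z_extension FILE
# If FILE ends in lowercase ".z", rename it to ".Z" so uncompress(1) accepts it.
# Prints the resulting path; refuses to clobber an existing .Z file.
fix_z_extension() {
    f="$1"
    case "$f" in
        *.z)
            target="${f%.z}.Z"
            if [ -e "$target" ]; then
                echo "refusing to overwrite existing $target" >&2
                return 1
            fi
            mv -- "$f" "$target" || return 1
            printf '%s\n' "$target"
            ;;
        *)
            # Already has some other extension: nothing to do.
            printf '%s\n' "$f"
            ;;
    esac
}

# backup_ssh2_dir SRC DEST_DIR
# Archive SRC (normally /etc/ssh2: config files and host keys) into DEST_DIR
# as a timestamped tarball readable only by the owner, and write a SHA-256
# manifest of the original files so non-default settings can be compared
# against the new configuration after the SP1 install. Prints the archive path.
backup_ssh2_dir() {
    src="$1"
    dest="$2"
    [ -d "$src" ] || { echo "$src is not a directory" >&2; return 1; }
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    archive="$dest/ssh2-backup-$stamp.tar"
    manifest="$dest/ssh2-backup-$stamp.sha256"
    # umask in a subshell: the archive holds private host keys, so it must
    # never exist world-readable, not even briefly.
    ( umask 077
      tar -cf "$archive" -C "$(dirname "$src")" "$(basename "$src")" &&
      ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$manifest"
    ) || return 1
    chmod 600 "$archive" "$manifest" || return 1
    printf '%s\n' "$archive"
}

# changed_since_backup MANIFEST DIR
# Exit 0 when every file in MANIFEST is present and unchanged under DIR,
# non-zero (listing the differing or missing files) otherwise. Run this
# against the new /etc/ssh2 after installing SP1 to see which files your
# saved settings still need to be merged into.
changed_since_backup() {
    manifest="$1"
    dir="$2"
    ( cd "$dir" && sha256sum -c --quiet "$manifest" ) 2>/dev/null
}

# Usage: sh rsit-preinstall.sh DOWNLOADED_PACKAGE [SRC_DIR] [BACKUP_DIR]
if [ $# -ge 1 ]; then
    pkg=$(fix_z_extension "$1") || exit 1
    archive=$(backup_ssh2_dir "${2:-/etc/ssh2}" "${3:-/var/backups/rsit}") || exit 1
    echo "package ready: $pkg"
    echo "backup written: $archive"
fi
```

Run it as root with the downloaded package as the first argument before uninstalling 7.0; the archive is mode 600 because it contains the private host keys, and the manifest is what lets you tell, after the new configuration file is in place, which of your non-default settings have not yet been merged.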
New Features and Fixes in Reflection for Secure IT 7.0 SP1
The following new features, security updates, and resolved issues are included in the Reflection for Secure IT UNIX Server and/or Client version 7.0 Service Pack 1.
New Features in the Server and Client 7.0 SP1
- New platform support:
  - HP-UX 11i v3 Itanium
  - HP-UX 11i v2 PARISC
  - Solaris 10 x86
  For additional information about platform support in Reflection for Secure IT, see Technical Note 1944.
- Client and server now use a FIPS 140-2 approved cryptographic module: Attachmate Crypto Module v2.0.40.
- Enforce the use of FIPS 140-2 approved ciphers and MACs. Use the FipsMode keyword, which is supported on both the client and server. For information about configuring for FIPS 140-2 validated operation, see Technical Note 2389.
- Key generation tool (ssh-keygen) now encodes the localhost name in the name of the key pair files. This provides unique names for public key pairs created on different machines.
- Client and server now support Advanced Encryption Standard (AES) Counter Mode (CTR) ciphers, which provide strong confidentiality and hardware and software efficiency.
- Specify which key exchange algorithms the client and server support. Use the KEXs keyword, which is supported on both the client and server.
New Features in the Server 7.0 SP1
- Configure dynamic support for TCP Wrappers, eliminating the need to compile from source. Use the LibWrap keyword.
- Record successful and failed audit events through the System Administration Manager (SAM) Auditing and Security tool. This assists administrators in managing and configuring a standard HP-UX Trusted System.
- Configure immediate disconnection of blocked accounts. Use the AuthImmediateDisconnect keyword.
- Display information about authentication failures to the client. Use the AuthFailureErrorMessages keyword.
- Configure the ability to ignore the 'rlogin' attribute on AIX systems. Use the IgnoreRlogin keyword.
- Specify whether public key fingerprints used for authentication are logged to the system log. Use the LogPublicKeyFingerprint keyword.
- Use RSA SecurID authentication via Pluggable Authentication Modules (PAM).
Note: This functionality is not currently supported on Solaris 10 x64 or HP-UX 11 v2 ia64. Reflection for Secure IT requires 64-bit libraries, and RSA does not currently provide 64-bit libraries with its SecurID PAM Agent.
- Customize the SSH protocol version string the server presents to the client during the initial connection protocol. Use the ProtocolVersionString keyword.
- Specify whether or not to run the PAM Session Management modules even when using a non-PAM authentication method. Running the PAM Session Management modules handles tasks when a session is created or closed, such as controlling process resources using pam_limits or creating a user's home directory using pam_mkhomedir. Use the UsePAMSessions keyword.
New Features in the Client 7.0 SP1
- Delegate GSSAPI credentials to the server, enabling the client to make connections to multiple servers without requiring multiple authentications. Use the GSSAPIDelegateCredentials keyword.
- Specify an alias instead of the actual host name when storing host key files. Use the HostKeyAlias keyword.
- Disable host authentication for localhost. This option is useful when sharing home directories across multiple machines. Use the NoHostAuthenticationForLocalHost keyword.
- Specify which signals the client should relay to the server. Use the RelaySignals keyword.
- Cancel local forwarded ports created using escape sequences in a client terminal session. Use ~C.
- Send a BREAK to the remote system using the ssh ~B escape sequence.
- Copy directories recursively with sftp.
- View the list of supported sftp interactive commands using ?.
- Use scp for remote to remote transfer.
- Connect to hosts running Sun Solaris Projects. Client users will be presented with the correct default or assigned projects.
Security Updates in 7.0 SP1
- Fix for security vulnerability CVE-2006-2937: Denial of service via malformed ASN.1 structures.
- Fix for security vulnerability CVE-2006-2940: Denial of service via parasitic public keys.
- Fix for security vulnerability CVE-2007-3108: Side-channel attack due to not properly performing the Montgomery multiplication.
- Fix for security vulnerability CVE-2008-1657: Disable execution of ~/.ssh2/rc when a forced command has been defined.
- Fix for security vulnerability CVE-2008-1483: Avoid hijacking of X11 forwarded connections.
- Fixes for security vulnerabilities found by third-party analysis.
For more information about security updates and Reflection for Secure IT, see Technical Note 2288.
Resolved Issues in 7.0 SP1
- You can now execute remote commands that require access to /usr/local/bin. (Note: For this solution to work on AIX 5.2 and 5.3 and on Solaris 9, the path /usr/local/bin/ needs to be included in the system configuration file. For AIX 5.2 and AIX 5.3, the file is /etc/environment. For Solaris 9, the file is /etc/default/login.)
- Connections from a ws_ftp client no longer fail with the following error: "Packet integrity error (6 bytes remaining) at packet.c:1341".
- Using the cd command in sftp sessions no longer generates the following error in some situations where the client user has appropriate permission: "Can't change directory: permission denied".
- Service dependencies on fs-autofs and fs-local for installs on Solaris 10 have been removed.
- The server now logs at most one failed authentication attempt for public key authentication. Users are no longer locked out if the number of keys in the identification file is greater than the operating system limit set for logon attempts.
- Running ssh is now allowed only when the user ID and the effective user ID match.
- The key generation tool (ssh-keygen) now ignores a SIGPIPE signal and no longer displays a "Broken Pipe" error.
- The scp command used in ascii mode now handles end-of-line characters in the same manner as earlier versions.
Supported Platforms in 7.0 SP1
For information about platform support in Reflection for Secure IT, see Technical Note 1944.
Copyright and Notices Addendum
The following information supplements the Copyrights and Notices content of the notices.pdf file for Reflection for Secure IT UNIX Client and Server 7.0 SP1.
This Service Pack includes third-party "TCP wrapper header" software under the following terms:
- Copyright 1995 by Wietse Venema. All rights reserved. Some individual files may be covered by other copyrights.
- This material was originally written and compiled by Wietse Venema at Eindhoven University of Technology, The Netherlands, in 1990, 1991, 1992, 1993, 1994 and 1995.
- Redistribution and use in source and binary forms are permitted provided that this entire copyright notice is duplicated in all such copies.
- This software is provided "as is" and without any expressed or implied warranties, including, without limitation, the implied warranties of merchantability and fitness for any particular purpose.
Related Technical Notes
| Technical Note | Title |
| --- | --- |
| 0200 | Using the Attachmate Download Library (FAQ) |
| 1944 | Supported Platforms in Reflection for Secure IT Client and Server |
| 2274 | New Features in Reflection for Secure IT UNIX Client and Server 7.0 and Release Notes |
| 2282 | Replace an Existing Secure Shell Program with Reflection for Secure IT UNIX Client or Server 7.0 |
| 2288 | Security Updates and Reflection for Secure IT 7.0 or Higher |
| 2389 | Configuring Reflection for Secure IT UNIX Client and Server for FIPS 140-2 Validated Operation |