TCPware ECO kit announcement

The following ECO kit is now available for TCPware:

ECO: SSH_V562P080
Description: Assorted fixes including security fix
Release date: 26-JAN-2006
Ranking: 0
Max ranking: 0
Versions: 5.6-2
Requisites: DRIVERS_V562P052

ftp://ftp.process.com/support/56_2/ssh_v562p080.zip

To search the TCPware ECO database, please visit the following URL:

http://vms.process.com/eco.html

For more information, contact Process Software via:

E-mail: support@process.com
Phone: 1-800-394-8700

The ECO kit README contents are below.

-----------------------------------------------------------

----------------------------------------------------------------------------
SSH patch kit (revision 8.0) for TCPware 5.6 16-Jan-2006

Copyright (c) 2002-2006 by Process Software

This VMSinstallable saveset provides a new version of the
following SSH components:

- SSH client (SSH2.EXE)
- SSH1 server (SSHD.EXE)
- SSH2 server (SSHD2.EXE)
- SSH master control program (SSHD_MASTER.EXE)
- SSH identity agent program (SSH-AGENT2.EXE)
- SSH key generators (SSH-KEYGEN.EXE and SSH-KEYGEN2.EXE)
- SSH key signer (SSH-SIGNER2.EXE)
- SSH loadable executive image (SSHLEI.EXE, LOAD_SSHLEI.EXE,
UNLOAD_SSHLEI.EXE)
- SSH agent identity manipulation program (SSH-ADD2.EXE)
- SSH file copy client (SCP2.EXE)
- SSH SFTP client (SFTP2.EXE)
- SSH file copy servers (SFTP-SERVER2.EXE and SCP-SERVER1.EXE)
- SSH certificate enrollment program (SSH-CERTENROLL2.EXE)
- SSH server configuration template file (SSHD2_CONFIG.TEMPLATE)
- SSH configuration procedure (SSH_CONTROL.COM)
- The SSH HELP (either in a standalone library or as part of
SYS$HELP:HELPLIB.HLB, as determined by the original TCPware install)
- SSH Public Key Assistant (PUBLICKEY_ASSISTANT.EXE)
- SSH Certificate Viewer (SSH-CERTVIEW.EXE)
- SSH shared libraries (SSH_ZLIB.EXE, SSH_FSCLM.EXE, SSH_ACCPORNAM.EXE)
- SSH Public Key Server (PUBLICKEY-SERVER.EXE)
- SSH Certificate Viewer (SSH-CERTVIEW.EXE)
- SSH client configuration template (SSH2_CONFIG.TEMPLATE)

A new version of the following common TCPware utilities are
provided:

- NETCU utility (NETCU.EXE)
- TCPware command definitions (TCPWARE_COMMANDS.COM and
TCPware.CLD)

This patch is applicable to TCPware SSH on all supported
versions of OpenVMS VAX and OpenVMS Alpha.

NOTE: The TCPware ECO DRIVERS_V562P052 or later is required
and must be installed in order to run SSH after installing
the SSH_V562P070 ECO.

A system reboot is requred after installing this ECO, to load
the new software features.

This kit has an ECO ranking of 0 - Mandatory update: Process Software
recommends that all customers install this ECO kit.

*** Notes for Kerberos 5 Support ***

Support for Kerberos 5 is based on HP Kerberos V5 for OpenVMS.
Prior to installing and configuring the HP Kerberos product, the
following TCPware ECO must be installed:

- DRIVERS_V562P052 or later

Once the above ECO has been applied, Kerberos may be installed
and configured.

SSH may be configured and used at any time, either with or
without Kerberos; however, Kerberos is required to perform Kerberos
authentication in the SSH server. If Kerberos is installed at some
later time after SSH is started, restarting SSH will allow it to
use Kerberos.

Some chapters of the TCPware documentation having to do with SSH
have been updated. New PDF files of these are supplied in this
ECO, and are copied to the TCPWARE_COMMON:[TCPWARE] directory.
These are:

TW_MANAGEMENT_SSH1_SERVER_CH25.PDF
TW_MANAGEMENT_SSH2_SERVER_CH26.PDF
TW_USER_GUIDE_SSH_CLIENT_CH16.PDF
TW_USER_GUIDE_FILE_XFER_CH17.PDF

This ECO kit provides fixes for the following DE's:

- Correct a security vulnerability. [DE 10218]

- Users may be restricted from interactive, remote commands or
subsystems (SCP or SFTP) sessions by implementing the following
keywords that were documented but which were missing support in
the server code:

Terminal.AllowGroups
Terminal.DenyGroups
Terminal.AllowUsers
Terminal.DenyUsers

[DE 7845]

- A user could spawn multiple authentication agents (SSH-AGENT) causing
unpredictable results when trying to authenticate via the agent.
[DE 9932]

- Improved estimates of transferred file sizes to resolve problems with
transferring files in ASCII mode. [DE 10106]

- Corrected errors in the SCP/SFTP SRI decoding algorithm. [DE 10133]

- KRB5 passwords stopped working after a recent ECO. [DE 10163]

- Corrected some problems with using an absolute path name for the
file in a CHMOD request for SCP/SFTP. [DE 10169]

- Corrected a potential ACCVIO when downloading text files via SCP and
SFTP. [DE 10172]

- If the logical MULTINET_SFTP_DIRECTORY_WITH_CREATION_DATE is defined
to True, Yes or 1, then the creation date is displayed in the output
for DIRECTORY when operating in VMS mode instead of the modification
date. Note that the times are still adjusted by the local offset
from UTC. [DE 10179]

- If SSH is being executed in a VMS batch job, and it attempts to do a
remote command (e.g., "$ ssh lima.beans.com dir *.txt"), no output
would be displayed. [DE 10193]

---------------------------------------------------------------------------
Post Installation Notes

If you have NOT previously installed a TCPware 5.6 SSH patch kit, or
are not sure if one was previously installed, you must perform the
following procedure:

- Save your old SSH2_DIR:SSHD2_CONFIG. file and create a new one from
the new TCPWARE:SSHD2_CONFIG.TEMPLATE file:

$ COPY SSH2_DIR:SSHD2_CONFIG. SSH2_DIR:SSHD2_CONFIG.OLD
$ COPY TCPWARE:SSHD2_CONFIG.TEMPLATE SSH2_DIR:SSHD2_CONFIG.

- If you previously customized your SSH2_DIR:SSHD2_CONFIG file (now
renamed to ".OLD"), you must edit the new SSH2_DIR:SSHD2_CONFIG
file and add your customizations to it. You MUST use the new
file created from the new TCPWARE:SSHD2_CONFIG.TEMPLATE file for
this.

- Note that if you are in a clustered environment with a shared
system disk, you must copy the TCPWARE:SSHD2_CONFIG.TEMPLATE from
the node where the ECO was initially installed to the SSH2_DIR:
directory on each of the other nodes in the cluster before making
the new SSHD2_CONFIG file and making any changes as noted above.

The old version of the replaced SSH components will be renamed to

TCPWARE_COMMON:[TCPWARE]SSH2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSHD.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSHD2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSHD_MASTER.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-ADD2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-AGENT2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SCP2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-KEYGEN.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-KEYGEN2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-SIGNER2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SCP-SERVER1.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SFTP-SERVER2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSHD2_CONFIG.TEMPLATE_OLD
TCPWARE_COMMON:[TCPWARE]SSHLEI.EXE_OLD
TCPWARE_COMMON:[TCPWARE]LOAD_SSHLEI.EXE_OLD
TCPWARE_COMMON:[TCPWARE]UNLOAD_SSHLEI.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH_FSCLM.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH_ACCPORNAM.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH_ZLIB.EXE_OLD
TCPWARE_COMMON:[TCPWARE]NETCU.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH_CONTROL.COM_OLD
TCPWARE_COMMON:[TCPWARE]TCPWARE_COMMANDS.COM_OLD

Once installed, you may undo this patch by renaming the files
back to their original names, and restarting the SSH component.

NOTE: You must reboot your system after installing this ECO,
to load the new software features.

[End of ECO announcement]