TCPware ECO kit announcement

The following ECO kit is now available for TCPware:

ECO: SSH_V562P090
Description: Assorted fixes
Release date: 2-JUN-2006
Ranking: 2
Max ranking: 0
Versions: 5.6-2
Requisites: DRIVERS_V562P052

ftp://ftp.process.com/support/56_2/ssh_v562p090.zip

To search the TCPware ECO database, please visit the following URL:

http://vms.process.com/eco.html

For more information, contact Process Software via:

E-mail: support@process.com
Phone: 1-800-394-8700

The ECO kit README contents are below.

----------------------------------------------------------------------------
SSH patch kit (revision 9.0) for TCPware 5.6 31-May-2006

Copyright (c) 2002-2006 by Process Software

This VMSinstallable saveset provides a new version of the
following SSH components:

- SSH client (SSH2.EXE)
- SSH1 server (SSHD.EXE)
- SSH2 server (SSHD2.EXE)
- SSH master control program (SSHD_MASTER.EXE)
- SSH identity agent program (SSH-AGENT2.EXE)
- SSH key generators (SSH-KEYGEN.EXE and SSH-KEYGEN2.EXE)
- SSH key signer (SSH-SIGNER2.EXE)
- SSH loadable executive image (SSHLEI.EXE, LOAD_SSHLEI.EXE,
UNLOAD_SSHLEI.EXE)
- SSH agent identity manipulation program (SSH-ADD2.EXE)
- SSH file copy client (SCP2.EXE)
- SSH SFTP client (SFTP2.EXE)
- SSH file copy servers (SFTP-SERVER2.EXE and SCP-SERVER1.EXE)
- SSH certificate enrollment program (SSH-CERTENROLL2.EXE)
- SSH server configuration template file (SSHD2_CONFIG.TEMPLATE)
- SSH configuration procedure (SSH_CONTROL.COM)
- The SSH HELP (either in a standalone library or as part of
SYS$HELP:HELPLIB.HLB, as determined by the original TCPware install)
- SSH Public Key Assistant (PUBLICKEY_ASSISTANT.EXE)
- SSH Certificate Viewer (SSH-CERTVIEW.EXE)
- SSH shared libraries (SSH_ZLIB.EXE, SSH_FSCLM.EXE, SSH_ACCPORNAM.EXE)
- SSH Public Key Server (PUBLICKEY-SERVER.EXE)
- SSH Certificate Viewer (SSH-CERTVIEW.EXE)
- SSH client configuration template (SSH2_CONFIG.TEMPLATE)

A new version of the following common TCPware utilities are
provided:

- NETCU utility (NETCU.EXE)
- TCPware command definitions (TCPWARE_COMMANDS.COM and
TCPware.CLD)

This patch is applicable to TCPware SSH on all supported
versions of OpenVMS VAX and OpenVMS Alpha.

NOTE: The TCPware ECO DRIVERS_V562P052 or later is required
and must be installed in order to run SSH after installing
the SSH_V562P070 ECO.

A system reboot is requred after installing this ECO, to load
the new software features.

This kit has an ECO ranking of 2, with an overall ranking of 0.

*** Notes for Kerberos 5 Support ***

Support for Kerberos 5 is based on HP Kerberos V5 for OpenVMS.
Prior to installing and configuring the HP Kerberos product, the
following TCPware ECO must be installed:

- DRIVERS_V562P052 or later

Once the above ECO has been applied, Kerberos may be installed
and configured.

SSH may be configured and used at any time, either with or
without Kerberos; however, Kerberos is required to perform Kerberos
authentication in the SSH server. If Kerberos is installed at some
later time after SSH is started, restarting SSH will allow it to
use Kerberos.

Some chapters of the TCPware documentation having to do with SSH
have been updated. New PDF files of these are supplied in this
ECO, and are copied to the TCPWARE_COMMON:[TCPWARE] directory.
These are:

TW_MANAGEMENT_SSH1_SERVER_CH25.PDF
TW_MANAGEMENT_SSH2_SERVER_CH26.PDF
TW_USER_GUIDE_SSH_CLIENT_CH16.PDF
TW_USER_GUIDE_FILE_XFER_CH17.PDF

This ECO kit provides fixes for the following DE's:

- Failed logins are not sent to the VMS audit log. [DE 9842]

- For those clients that can support it (this includes the client
used by all Process Software SSH products), expired password handling
by the server has been modified to prompt for the new password,
then the session will continue rather than being logged out. For
those clients that don't support this, the old method of expired
password handling is still used.

There are some clients that may not support this method (an expired
password causes an abrupt disconnect from the server system), but
the server may not be able to identify them correctly. To handle
those, if the logical name

TCPWARE_SSH_USE_OLD_EXPIRED_PASSWORD_SCHEME

is defined system-wide, the server will revert to its previous
method of handling expired passwords. [DE 10260]

- Corrected an error that causes our SFTP2/SCP2 client to ACCVIO when
dealing with an SFTP server that speaks SFTP protocol version 2.
[DE 10234]

- Modified the SFTP server such that TCPWARE_SFTP_VMS_ALL_VERSIONS
will cause all file versions to be displayed no matter what the
remote (client) side is. Note that when a file is copied from the
VMS system to the client, the filename will contain the version
number. [DE 10238]

- Allowed version numbers to be used for the local source specified on
SCP2 command line, even when /VMS is not used. [DE 10242]

- Fixed a ACCVIO that can occur when exiting from a command file.
[DE 10251]

- Put the /ASCII=VMS option back in. [DE 10259]

- If the logical TCPWARE_SFTP_STAT_DESTINATION_FILE is defined to be
FALSE, NO or 0 (zero) then the SFTP client will not attempt to do a
STAT operation to check for the presence of the destination file
before opening the destination file for write. The assumption is
that the destination file does not exist.

If the logical TCPWARE_SFTP_STAT_DESTINATION_DIRECTORY is defined
to be FALSE, NO or 0 (zero) then the SFTP client will not attempt
to do a STAT operation on the destination directory before opening
the destination file for write. The assumption is that the
destination directory exists.

These two logicals should be defined to FALSE in order to have the
SFTP client work with Sterling Commerce's Connect:Enterprise
product. [DE 10276]

- If the logical TCPWARE_SFTP_DONT_TRUNCATE is defined to Yes, True
or 1 then the SFTP server will not perform truncate operations as
part of FSETSTAT and SETSTAT operations. Some systems end up with
unexpected file attributes when the truncate operation is performed
and this provides a method of disabling it. [DE 10305]

---------------------------------------------------------------------------
Post Installation Notes

If you have NOT previously installed a TCPware 5.6 SSH patch kit, or
are not sure if one was previously installed, you must perform the
following procedure:

- Save your old SSH2_DIR:SSHD2_CONFIG. file and create a new one from
the new TCPWARE:SSHD2_CONFIG.TEMPLATE file:

$ COPY SSH2_DIR:SSHD2_CONFIG. SSH2_DIR:SSHD2_CONFIG.OLD
$ COPY TCPWARE:SSHD2_CONFIG.TEMPLATE SSH2_DIR:SSHD2_CONFIG.

- If you previously customized your SSH2_DIR:SSHD2_CONFIG file (now
renamed to ".OLD"), you must edit the new SSH2_DIR:SSHD2_CONFIG
file and add your customizations to it. You MUST use the new
file created from the new TCPWARE:SSHD2_CONFIG.TEMPLATE file for
this.

- Note that if you are in a clustered environment with a shared
system disk, you must copy the TCPWARE:SSHD2_CONFIG.TEMPLATE from
the node where the ECO was initially installed to the SSH2_DIR:
directory on each of the other nodes in the cluster before making
the new SSHD2_CONFIG file and making any changes as noted above.

The old version of the replaced SSH components will be renamed to

TCPWARE_COMMON:[TCPWARE]SSH2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSHD.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSHD2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSHD_MASTER.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-ADD2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-AGENT2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SCP2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-KEYGEN.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-KEYGEN2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH-SIGNER2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SCP-SERVER1.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SFTP-SERVER2.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSHD2_CONFIG.TEMPLATE_OLD
TCPWARE_COMMON:[TCPWARE]SSHLEI.EXE_OLD
TCPWARE_COMMON:[TCPWARE]LOAD_SSHLEI.EXE_OLD
TCPWARE_COMMON:[TCPWARE]UNLOAD_SSHLEI.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH_FSCLM.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH_ACCPORNAM.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH_ZLIB.EXE_OLD
TCPWARE_COMMON:[TCPWARE]NETCU.EXE_OLD
TCPWARE_COMMON:[TCPWARE]SSH_CONTROL.COM_OLD
TCPWARE_COMMON:[TCPWARE]TCPWARE_COMMANDS.COM_OLD

Once installed, you may undo this patch by renaming the files
back to their original names, and restarting the SSH component.

NOTE: You must reboot your system after installing this ECO,
to load the new software features.

[End of ECO announcement]