Reflection for Secure IT UNIX Client and Server 7.2 Service Pack 1 Update 1 - Features and Release Notes
Technical Note 2565
Last Reviewed 24-May-2012
Reflection for Secure IT UNIX Client version 7.2 SP1 or higher
Reflection for Secure IT UNIX Server version 7.2 SP1 or higher
Reflection for Secure IT UNIX Client and Server 7.2 Service Pack 1 (SP1) Update 1 is available for maintained customers. This technical note lists the features and fixes included in Update 1 and in SP1, and provides information about how to obtain your updated service pack.
Note: For information about Reflection for Secure IT 8.0 Client and Server for UNIX new features and release notes, see Technical Note 2641.
Before you apply the service pack, note the following:
- This document references a Reflection service pack. Service packs are available to licensed Attachmate customers with current maintenance plans for these products.
- Reflection for Secure IT UNIX Client and Server version 7.2 SP1 Update 1 is a full product installation and does not require 7.2 to be installed.
- For information about logins and accessing the Download Library, see Technical Note 0200.
- For a list of features originally included in Reflection for Secure IT UNIX Client and Server 7.2, see Technical Note 2519.
- For information about Reflection PKI Services Manager 1.2, see Technical Note 2564.
This note is organized into the following sections:
- Fixes in 7.2 SP1 Update 1
- New Features in 7.2 SP1
- Resolved Issues in 7.2 SP1
- Obtaining the Service Pack
- Installing the Service Pack
Fixes in 7.2 SP1 Update 1
- Fix for the security vulnerability described in CVE-2012-2110 (the OpenSSL asn1_d2i_read_bio flaw): the server and the certificate utilities (ssh-certview and ssh-certtool) now correctly interpret length and integer data read from a crafted DER-encoded X.509 certificate, preventing the buffer overflow that could be used to cause a denial of service. For more information, see Technical Note 2288.
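The class of bug behind CVE-2012-2110 is a DER reader that trusts the length octets in a certificate and reads or copies past the end of the data it actually holds. The following reader is an added example, not code from Reflection for Secure IT or from OpenSSL; it shows the checks a DER tag/length/value parser needs (bounds check before every read, minimal-length encoding only, no indefinite lengths) and exercises them on a constructed certificate-like SEQUENCE whose outer length has been forged.

```python
"""Strict DER tag/length/value reader (added example, not product code).

Shows the length checks a DER reader needs so that a crafted certificate
cannot drive a read or copy past the end of its buffer, the class of bug
behind CVE-2012-2110.
"""


class DerError(ValueError):
    """Raised for any malformed or unsafe encoding."""


def read_tlv(buf: bytes, offset: int = 0):
    """Parse one TLV at buf[offset:]. Returns (tag, value, next_offset).

    Every step is bounds-checked against len(buf) before the bytes are
    used, and the length must be in minimal (DER) form, so a hostile
    length field can never yield a value slice larger than the data present.
    """
    n = len(buf)
    if offset >= n:
        raise DerError("no tag byte")
    tag = buf[offset]
    if tag & 0x1F == 0x1F:
        raise DerError("multi-byte tags not supported")
    pos = offset + 1
    if pos >= n:
        raise DerError("no length byte")
    first = buf[pos]
    pos += 1
    if first == 0x80:
        raise DerError("indefinite length is not DER")
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes > 4:
            # Refuse rather than let a huge length wrap a 32-bit size later.
            raise DerError("length field too long")
        if pos + nbytes > n:
            raise DerError("truncated length field")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        if nbytes == 1 and length < 0x80:
            raise DerError("non-minimal length encoding")
        if nbytes > 1 and length < (1 << (8 * (nbytes - 1))):
            raise DerError("non-minimal length encoding")
    if length > n - pos:  # the check a vulnerable reader omits
        raise DerError(f"declared length {length} exceeds {n - pos} bytes available")
    return tag, buf[pos:pos + length], pos + length


def read_sequence(buf: bytes):
    """Return the list of (tag, value) elements of a top-level SEQUENCE."""
    tag, body, end = read_tlv(buf)
    if tag != 0x30:
        raise DerError("expected SEQUENCE")
    if end != len(buf):
        raise DerError("trailing bytes after SEQUENCE")
    elems, off = [], 0
    while off < len(body):
        t, v, off = read_tlv(body, off)
        elems.append((t, v))
    return elems


def is_well_formed(buf: bytes) -> bool:
    """True if buf is one complete, strictly encoded SEQUENCE."""
    try:
        read_sequence(buf)
        return True
    except DerError:
        return False


# Constructed sample input: SEQUENCE { INTEGER 5, OCTET STRING "hi" }
GOOD = bytes([0x30, 0x07, 0x02, 0x01, 0x05, 0x04, 0x02]) + b"hi"
# Same body with the outer length forged to 0x7FFFFFFF (4-byte long form).
FORGED = bytes([0x30, 0x84, 0x7F, 0xFF, 0xFF, 0xFF]) + GOOD[2:]

if __name__ == "__main__":
    print(read_sequence(GOOD))
    print("forged accepted:", is_well_formed(FORGED))
```

A reader written this way fails closed on the forged length instead of allocating or copying 2 GiB; the same bounds discipline applies to every nested TLV, which is why `read_tlv` is reused for the inner elements rather than special-cased.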
Client Resolved Issues
- Oracle’s Real Application Cluster (RAC) installation no longer fails when using the scp client.
- The sftp client now displays the time and date instead of just the year when performing a long file listing of a file with a future timestamp.
Server Resolved Issues
- Other allowed authentication methods are now attempted if GSSAPI authentication fails on SLES platforms.
- The maxlogins counter is properly reset when a user session is disconnected.
- Files downloaded by SFTP version 4 clients no longer grow indefinitely.
- Axway and Bitvise sftp clients can connect and transfer files with chroot users.
- Sftp sessions are no longer terminated when the server is started in debug mode and the ForceSftpFilePermissions and SftpSyslogFacility keywords are configured.
Client and Server Resolved Issues
- The “Last failed login” message is now displayed at logon when the PAM module pam_lastlog.so is configured to display failed login attempts.
New Features in 7.2 SP1
The following features in version 7.2 SP1 are available in both the UNIX Client and Server:
- Starting with this service pack, the Linux installers support the rpm [-U|--upgrade] option for installing future versions. Note: This change affects future upgrades only; you cannot use rpm -U to install this service pack.
- The server and client now support SFTP version 4. This change provides UTF-8 file name support.
- A new client keyword, SFTPVersion, is available to configure which version is used. Valid values are 3 and 4. When this setting is 4 (the default), the connection uses SFTP version 4 if the server supports it, and drops to version 3 if the server doesn’t support version 4. If this setting is 3, the client always uses SFTP version 3.
- The server defaults to SFTP version 4 and drops to version 3 if the client doesn’t support version 4.
- The ssh-certtool utility now supports specifying the UPN and IP values of the SubjectAltName extension.
- The ssh-certtool utility now creates a PKCS#10 certificate signing request with default values for the key length (2048) and algorithm (RSA) when these values aren't specified on the command line.
- The ssh-certtool and ssh-keygen utilities now support a FIPS mode option (-f). This option forces all keys generated to meet FIPS standards. For ssh-certtool this option also ensures that any PKCS#10 requests include keys that meet FIPS standards.
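The SFTP version behaviour described above (client offers the configured SFTPVersion, server answers with the highest version both sides support) is the standard SSH_FXP_INIT / SSH_FXP_VERSION exchange. The following is an added example, not code from the Reflection client or server: it encodes both packets, applies the min-of-both-versions rule, and models the SFTPVersion keyword as the version the client offers and the server's own ceiling as a parameter. Packet types and the packet layout (uint32 length, byte type, payload) are from the SFTP drafts; the function names are this example's own.

```python
"""SFTP version negotiation (added example, not product code).

Encodes the SSH_FXP_INIT and SSH_FXP_VERSION packets that open an SFTP
session and applies the rule the release notes describe: each side offers
its highest supported version and the session runs at the lower of the two.
"""
import struct

SSH_FXP_INIT = 1
SSH_FXP_VERSION = 2


def encode_packet(ptype: int, payload: bytes) -> bytes:
    """uint32 length, byte type, payload; the length covers type + payload."""
    return struct.pack(">IB", 1 + len(payload), ptype) + payload


def decode_packet(data: bytes):
    """Return (type, payload), rejecting a length that overruns the buffer."""
    if len(data) < 5:
        raise ValueError("short packet")
    length, ptype = struct.unpack(">IB", data[:5])
    if length < 1 or 4 + length > len(data):
        raise ValueError("bad packet length")
    return ptype, data[5:4 + length]


def client_init(sftp_version_keyword: int) -> bytes:
    """Client side: SSH_FXP_INIT carrying the configured SFTPVersion (3 or 4)."""
    if sftp_version_keyword not in (3, 4):
        raise ValueError("SFTPVersion must be 3 or 4")
    return encode_packet(SSH_FXP_INIT, struct.pack(">I", sftp_version_keyword))


def server_reply(init_packet: bytes, server_max: int = 4) -> bytes:
    """Server side: answer SSH_FXP_INIT with SSH_FXP_VERSION = min(client, server)."""
    ptype, payload = decode_packet(init_packet)
    if ptype != SSH_FXP_INIT or len(payload) < 4:
        raise ValueError("expected SSH_FXP_INIT")
    (client_ver,) = struct.unpack(">I", payload[:4])
    if client_ver < 3:
        raise ValueError("client version too old")
    chosen = min(client_ver, server_max)
    return encode_packet(SSH_FXP_VERSION, struct.pack(">I", chosen))


def negotiate(client_keyword: int, server_max: int = 4) -> int:
    """Run both halves of the exchange and return the version the session uses."""
    reply = server_reply(client_init(client_keyword), server_max)
    ptype, payload = decode_packet(reply)
    if ptype != SSH_FXP_VERSION:
        raise ValueError("expected SSH_FXP_VERSION")
    (version,) = struct.unpack(">I", payload[:4])
    return version


if __name__ == "__main__":
    # SFTPVersion 4 against a v4 server, SFTPVersion 3 pinned, and a v3-only server.
    for client, server in ((4, 4), (3, 4), (4, 3)):
        print(f"client offers {client}, server max {server} -> v{negotiate(client, server)}")
```

Pinning SFTPVersion to 3 is therefore just the client offering 3, which any v4 server must honour; there is no way for the client to force version 4 on a server that only speaks 3.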
Reflection for Secure IT UNIX Server New Feature
- Permissions on files uploaded to the server using sftp or scp can now be configured using the ForceSftpFilePermissions server keyword. This keyword sets the specified permissions on every file uploaded to the server and overrides all other permission-setting actions. Use a three-digit octal permission mode. For example, if you set ForceSftpFilePermissions to 600, all uploaded files are set to 600 (-rw-------). In addition, if a user attempts to change the permissions on an existing file, that file is also set to 600, regardless of the mode requested by the client. This setting does not affect directory permissions.
Resolved Issues in 7.2 SP1
The following issues were resolved in 7.2 SP1.
Client Resolved Issues
- Transferring files to legacy Reflection for Secure IT UNIX servers using scp no longer fails with "(2) Protocol error: packet too long: 35044" error message.
- SSH connections using the local port forwarding command no longer log “ssh2: shutdown() failed” errors in the syslog on HP-UX 11.31.
- Unrecognized output is no longer logged when using the Tivoli Storage Manager "dsmc" remote command.
- The sftp long listing (ls -l) command properly displays file timestamps when connected to a Reflection for Secure IT Windows Server.
- A “PAM failure” message is no longer displayed when changing passwords during the authentication process.
- Additional documentation has been added that specifies under what network conditions High Performance Networking (HPN) will improve performance.
- The legacy host key naming format <key_port_hostname>.pub is now accepted.
- Users with less restrictive NFS home directories can authenticate successfully when the StrictModes keyword is set to “no”.
- Boot and shutdown scripts on HP-UX have been corrected.
- Added support for scp commands containing glob syntax expressions.
Server Resolved Issues
- Non-default values for all keywords in the server configuration file are applied when a HostSpecificConfig is used.
- Users no longer see "who: memory exhausted" messages while changing an expired password.
- References to "wixbld" in log files have been removed.
- Users are able to paste data from the clipboard into a session.
- SFTP chrooted users are able to log in to HP-UX 11.31 systems.
- Generic messages for HostSpecificConfig errors have been replaced with keyword-specific references.
- A failed login entry is written to /etc/security/failedlogin only when public key authentication fails as a whole, not for each individual public key that is tried and rejected.
- Set values for the SyslogFacility server keyword are properly used when TCP Wrappers is also configured.
- Upgrading the server on Linux no longer causes an sftp-server symbolic link error message.
- Added support for Pluggable Authentication Module (PAM) LDAP to an SSL enabled LDAP server.
- Fix for the security vulnerability described in CVE-2009-2408: generating certificate signing requests (PKCS#10) with the ssh-certtool utility now sanitizes the CN= and SubjectAltName input strings to prevent the null-prefix attacks presented as part of the "PKI Layer Cake" research.
For current information about security alerts and advisories that may affect Reflection for Secure IT, see Technical Note 2288.
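The CVE-2009-2408 fix above is about what goes into a CSR: a NUL byte is legal inside a DER string, but a C-string consumer stops at it, so a name submitted as "www.example.com\0.evil.test" can be issued for one domain and matched against another. The following sanitiser and the two matchers are an added example, not the ssh-certtool code; the input names are constructed, and the DNS label rules and matcher names are this example's own.

```python
"""Subject-name sanitising for CSR generation (added example, not product code).

Rejects NUL and other control characters in a CN or subjectAltName dNSName
before the value reaches the CSR, and contrasts a strlen()-style matcher
(which truncates at NUL) with a strict one over the full value.
"""
import re

# One DNS label: 1-63 alphanumerics/hyphens, no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def sanitize_dns_name(name: str) -> str:
    """Return name if it is a clean DNS name; raise ValueError otherwise."""
    if "\x00" in name:
        raise ValueError("embedded NUL in name")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise ValueError("control character in name")
    if not name or len(name) > 253:
        raise ValueError("bad length")
    for label in name.split("."):
        if not LABEL.match(label):
            raise ValueError(f"bad label {label!r}")
    return name


def is_clean(name: str) -> bool:
    try:
        sanitize_dns_name(name)
        return True
    except ValueError:
        return False


def naive_c_match(cert_name: str, host: str) -> bool:
    """What a strlen()-based comparison sees: everything after NUL vanishes."""
    return cert_name.split("\x00", 1)[0] == host


def strict_match(cert_name: str, host: str) -> bool:
    """Compare the full sanitised value; a malformed name never matches."""
    try:
        return sanitize_dns_name(cert_name) == sanitize_dns_name(host)
    except ValueError:
        return False


# Constructed inputs: the name an attacker who controls evil.test would request.
ATTACK = "www.example.com\x00.evil.test"
HONEST = "www.example.com"

if __name__ == "__main__":
    print("CSR accepts attack name:", is_clean(ATTACK))
    print("naive matcher fooled:", naive_c_match(ATTACK, HONEST))
    print("strict matcher fooled:", strict_match(ATTACK, HONEST))
```

The defence belongs at both ends: the CSR tool must refuse to emit the name, and anything that later compares names must operate on the full DER string length rather than on a NUL-terminated copy.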
Obtaining the Service Pack
Maintained customers are eligible to download the latest product releases from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/. For more information about logging into and using the Download Library, see Technical Note 0200.
Note: If you download a Sun Solaris, HP-UX, or IBM AIX package using Internet Explorer, the uppercase (.Z) extension is changed to lowercase (.z). You will need to rename the file name to use an uppercase Z before you can uncompress your files.
Installing the Service Pack
Once you have downloaded your service pack, back up the /etc/ssh2 directory (which includes config files and host keys), uninstall your current version, and then install the service pack. Procedures for installing and uninstalling are available in the User Guide, which is available from http://support.attachmate.com/manuals/rsit_unix.html.
For more information about replacing an existing Secure Shell program (including using backup files to merge your non-default settings to the new configuration file), see Technical Note 2282 or the Help topic "Replace an Existing Secure Shell Program" in the User Guide, which is available from http://support.attachmate.com/manuals/rsit_unix.html.
Support for the HP-UX 11i v1 (11.11) PARISC platform has been added back to the product. For more information about supported platforms, see Technical Note 1944.