ECO kit SSHB-045_A056
SSHB-045_A056 ECO kit rev 4.5 For MultiNet V5.6 Rev A 2-Apr-2024
Copyright (c) 2010-2023 Process Software LLC
This ECO kit provides a new version of the following files for
MultiNet V5.6 and V5.5 Rev A:
LDAP-PLUGIN.EXE LOAD_SSHLEI.EXE PUBLICKEY-SERVER.EXE
PUBLICKEY_ASSISTANT.EXE SCP-SERVER1.EXE
SCP2.EXE SECURID-PLUGIN.EXE SFTP-SERVER2.EXE
SFTP2.EXE SSH-ADD2.EXE SSH-AGENT2.EXE
SSH-CERTTOOL.EXE SSH-CERTVIEW.EXE SSH-CMPCLIENT.EXE
SSH-KEYGEN.EXE SSH-KEYGEN2.EXE SSH-SIGNER2.EXE
SSH2.EXE SSHD.EXE SSHD2.EXE
SSHD_MASTER.EXE SSHLEI.EXE SSH_FSCLM.EXE
SSH_ZLIB.EXE UNLOAD_SSHLEI.EXE START_SSH.COM
SSHSHR.EXE MULTINET.CLD
NOTE: A system reboot is required after installing this kit.
This kit has an ECO ranking of 3.
This update to Process Software's implementation of SSH adds functionality
to Alpha AXP and ia64 systems to support SSH Suite B (RFC 6329), which
provides new key exchange mechanisms, new encryption methods and new
hashes (MACS). Primary testing has been with OpenSSH, with additional
testing with PuTTY, Core FTP and other applications that use SSH. Some of
the applications had problems with older versions that were resolved when
upgrading to a more recent version.
Change details:
- Correct some ACCVIOs and improve some error messages.
SSHB-045_A056 2-Apr-2024
- Correct an ACCVIO that can happen with clients that open multiple
sessions. SSHB-044_A056 25-Mar-2024
- Only offer Curve25519 for key exchange when the server can offer an
ed25519 key. SSHB-043_A056 19-Mar-2024
- More work disabling ASTs when operating on lists so that lists
aren't corrupted. SSHB-043_A056 19-Mar-2024
- Disable sending SSH_MSG_IGNORE during the initial key exchange to
maintain compatibility with other implementations.
SSHB-042_A056 12-Feb-2024
- Disable debugging in SSHADT modules.
SSHB-042_A056 12-Feb-2024
- Add Group Exchange Key Exchange (RFC 4419) for VAX.
SSHB-042_A056 12-Feb-2024
- Disable ASTs when operating on lists so that lists can't be corrupted.
SSHB-041_A056 15-Nov-2023
- More work on ADT Priority Heap diagnostics. Recognize pointers in
freed memory. SSHB-040_A056 3-Nov-2023
- More work on ADT Priority Heap diagnostics. SSHB-039_A056 1-Nov-2023
- More work on support for MAXJOBS and MAXACCTJOBS uaf parameters.
SSHB-038_A056 5-Sep-2023
- Improve diagnostics in ADT Priority Heap so that we can understand
the occasional errors that happen there. SSHB-037_A056 27-Jul-2023
- Add support for maxjobs and maxacctjobs uaf parameters to limit the
number of concurrent jobs a user may have.
SSHB-037_A056 21-Jul-2023
- Correct a problem with duplicate intrusion logging.
SSHB-036_A056 14-Jun-2023
- Correct a problem with password login being allowed when the user is
marked as an INTRUDER. SSHB-035_A056 13-Jun-2023
- Correct a problem with random number generation on older VMS
systems. SSHB-035_A056 13-Jun-2023
- Change the way that public keys are stored in the user's host key
directory and looked for to include the type of the key in the file
extension. This allows multiple key types from a system to be stored
and can help when migrating from one key type to another. Existing
keys will be found as the lookup code falls back to the ".pub"
extension if the ".pub_" extension. RSA keys will be
.pub_rsa, DSA keys will be .pub_dsa, ECDSA keys will be .pub_ecdsa,
ed25519 keys will be .pub_ed25519. SSHB-035_A056 13-Jun-2023
- Improve random number generation on very quiet systems.
SSHB-034_A056 31-May-2023
- Correct an error handling DSA keys that was introduced in
SSHB-030_A056. SSHB-033_A056 17-May-2023
- More work on reporting name for attempted login when it isn't a
username present on the system. SSHB-033_A056 17-May-2023
- Correct some problems with key exchanges in SSHB-030_A056. Note that
it is possible for key exchange or algorithm negotion to fail due to
configuration differences. The failures that were due to coding
errors have been resolved. SSHB-032_A056 11-May-2023
- VAX systems will now display key fingerprints in SHA256 as well as
SHA1, as Alpha and ia64 systems have. SSHB-032_A056 11-May-2023
- Attempts to login with non-existent usernames will now show the
username tried in the OPCOM messages along with a status of
"no such user". SSHB-031_A056 3-May-2023
- If user messages are enabled in accounting
(SET ACCOUNTING/ENABLE=MESSAGE)
the connecting client identification string will be written to the
accounting file. This can be matched with other accounting records
and OPCOM messages by using the PID to identify the remote node
address. This can help identify what kind of system is attempting to
connect. SSHB-031_A056 3-May-2023
- Correct an error in installation scripts which were causing the
wrong images to be installed on Alpha systems running VMS versions
between 7.0 and 7.2 SSHB-030_A056 13-Mar-2023
- Add support for diffie-hellman-group14-sha256 for VAX systems. This
provides the RFC 8268 support that we can offer for VAX systems.
SSHB-030_A056 13-Mar-2023
- Support for ED25519 public key algorithms (RFC 8709 and 8731) for
Alpha and ia64 systems. SSHKEYGEN/keytype will now recognize ED25519
and SSH2 can do key exchange and user authentication with these
keys. SSHB-030_A056 13-Mar-2023
- More work on the exit handler that deletes the SSH_EXPIRED_PWD
logicals. It is now called directly from the end of the main
routine.
SSHB-028_A056 17-Nov-2022
- Have the exit handler that deletes SSH_EXPIRED_PWD_ logical names
make sure that it has sufficient privileges to do so.
SSHB-027_A056 24-Oct-2022
- Change default version timeout to be 10 seconds (instead of 1 minute).
The value can be controlled by define/system the logical
MULTINET_SSH_CONNECT_ID_TIMEOUT to a VMS differential time before
starting SSH.
SSHB-027_A056 14-Oct-2022
- Change when SSHD_MASTER_DEBUG is check to be at startup so that the
value is available for error reporting when the cause of the error
could also have a negative impact on the ability to check the logical.
The SSHD_Master process now only checks for the logical
SSHD_MASTER_DEBUG when it is started.
SSHB-025_A024 20-Sep-2022
- Correct an error in an exit handler so that it can work as desired.
SSHB-024_A056 16-Sep-2022
- Change error reporting in SSHD_MASTER to not use STRERROR, which
appears to be causing compute and I/O bound in some circumstances.
SSHB-024_A056 6-Sep-2022
- Add bounds checking to accesses of the global section.
SSHB-024_A056 29-Aug-2022
- Correct an error in SELECT parameters in SSHD_MASTER.
SSHB-024_A056 25-Aug-2022
- Correct an error in DUPLNAM handling in SSHD_MASTER.
SSHB-023_A056 2-Aug-2022
- More work on exit handler to delete SSH_EXPIRED_PWD_ logical names.
SSHB-022_A056 22-Jul-2022
- Work to handle ECDSA keys stored in the same format as DSA and RSA
keys as some systems are changing towards that format. This
maintains compatibility with other implementations. Prior ECDSA key
formats continue to be handled. SSHB-022_A056 22-Jul-2022
- Correct an error path in SSHD_MASTER that could leave ASTs disabled.
SSHB-021_A056 21-Jul-2022
- Add an exit handler to make sure that logical names of the format
SSH_EXPIRED_PWD_ are deleted when SSHD2 exits.
SSHB-020_A056 12-Jun-2022
- Have SCP2 and SFTP2 treat "file name syntax error" as "file not
found" to avoid warnings about unexpected errors.
SSHB-019_A056 14-Feb-2022
- Correct an error in /PRESERVE for SCP2. /PRESERVE[=all] is the
default, even when not specified.
SSHB-018_A056 9-Feb-2022
- Correct an error in SSH version number string format. Disable key
exchange guesses, which are of questionable value.
SSHB-017_A056 28-Jan-2022
- Correct a path in SFTP-SERVER2 that would not get the file type
properly set. SSHB-016_A056 10-Jan-2022
- The qualifier /exit_on_error will cause SFTP to stop processing
commands and exit on the first error encountered when in batch mode.
The default is to NOT exit on error.
SSHB-015_A056 BZ 6733 ECO Rank 3 3-Jan-2022
- The qualifier /noverify will disable the displaying of each command
when in batch mode. The default is /verify.
SSHB-015_A056 BZ 6729 ECO Rank 3 3-Jan-2022
- Add optional values (ALL, DATES, ATTRIBUTES) to the /PRESERVE
qualifier. These values can be negated to choose what is preserved.
The default is ALL.
SSHB-015_A056 BZ 6724 ECO Rank 3 3-Jan-2022
- Add ip address to message that is logged to opcom when there is a
timeout or bad format for the SSH id message that is exchanged at
the beginning. BZ 6742 ECO Rank 3 3-Jan-2022
- Correct a problem with "successful" intrusions being logged.
SSHB-014_A056 ECO Rank 3 12-Oct-2021
- More work on memory growth problem with SSH-AGENT2.
SSHB-013_A056 ECO Rank 3 1-Oct-2021
- Correct a memory leak in SSH-AGENT2.
SSHB-012_A056 ECO Rank 3 17-Aug-2021
- Update SSHD_MASTER.EXE to correct a channel leak problem
SSHB-011_A056 ECO Rank 3 30-Jul-2021
- Correct a problem with SSH-SIGNER2 that prevented hostbased
authentication from working. Add support to allow Suite B keys for
host based authentication on Alpha and ia64 systems.
An ECDSA521 key will be named HOST_EXAMPLE_COM_ECDSA-SHA2-NISTP21.PUB
SSHB-010_A056 ECO Rank 3 14-May-2021
----------------------------------------------------------------------
This kit also includes the following changes from previous ECO kits:
- The updated images correct a problem with SSHKEYGEN/SSH2 on VAX
processors.
SSHB-046_A055 ECO Rank 3 23-Sep-2020
- Update images with those from the MultiNet 5.6 EAK. This was done
primarily to get line numbers in debugging messages to be accurate,
and also makes sure that the kits have the current images.
SSHB-045_A055 ECO Rank 3 16-Sep-2020
- If the logical MULTINET_SSH_VMS_ONLY_STATUS is defined then the SSH
exit status only reflects the status (success/failure) of the SSH
command, and does not include any status from the remote system.
SSHB-045_A055 ECO Rank 3 31-Aug-2020
- Set the symbol SSH_REMOTE_EXIT_STATUS to the value of "exit-status"
provided by the remote system documented in RFC 4254 section 6.10.
Interpretation of this value depends upon the remote system.
SSHB-045_A055 ECO Rank 3 20-Aug-2020
- Correct an error in handling the use of MULTINET_SSH_username_ROOT
logical in some cases. SSHB-044_A055 ECO Rank 3 17-Jun-2020
- Correct an error in ECDH signing that can cause disconnects during
key exchange. (AXP and ia64 only) SSHB-044_A055 ECO Rank 3 12-Jun-2020
- Correct a problem with exchanging files with FileZilla.
SSHB-043_A055 ECO Rank 3 21-Apr-2020
- Allow a default file size to be specified with the logical
MULTINET_SFTP_DEFAULT_SIZE for interacting with servers that don't
return a file size.
SSHB-042_A055 ECO Rank 3 24-Sep-2019
- Recognize that WS_FTP-12.7 doesn't like IGNORE messages while doing
Group Exchange Key Exchange.
SSHB-041_A055 ECO Rank 3 9-Sep-2019
- Correct an error in the input sensing code that could cause delays.
SSHB-040_A055 ECO Rank 3 10-Jul-2019
- If the logical SSH_STEP_THROUGH_RADIUS_ADDRESSES is defined to
True/Yes/1 then each attempt to do authenication via the radius
server will use a different returned address when the DNS lookup
returns multiple addresses, instead of just trying the first
address. This provides additional failover capability if the DNS
lookup of the radius host always returns the addresses in the same
order. If the DNS lookup does a round-robin of the addresses, then
the traditional behavior will provide failover capability.
SSHB-040_A024 ECO Rank 3 8-Jul-2019
- Correct an error in Group Exchange Key Exchange for group 18.
SSHB-040_A055 ECO Rank 3 8-Jul-2019
- Change installation procedures such that the V7 SFTP2 and SCP2
Alpha AXP images are only used for system running VMS V7.2 and later.
There have been some problems using the V7 images on earlier V7 VMS
systems. The difference between the V6 and V7 images is large
file and ODS-5 support, which is only in VMS V7.2 and later.
SSHB-040_A055 ECO Rank 3 8-Jul-2019
- Correct a problem in SFTP2 with LCD to a logical name.
SSHB-039_A055 ECO Rank 3 27-Mar-2019
- Correct a problem that can lead to dangling SFTP_SERVER processes.
SSHB-038_A055 ECO Rank 3 7-Mar-2019
- Fix some parsing problems in SSH_FXP_REALPATH
SSHB_038-A024 ECO Rank 3 17-Jan-2019
- Fix a channel leak in SSHD_MASTER.
SSHB-038 ECO Rank 3 14-Jan-2019
- Add connection timeout routine to SSH-AGENT2 to deal with dangling
connections that lead to consumption of bytlm.
SSHB-037_A024 ECO Rank 3 14-Dec-2018
- Improve CD operations in VMS mode when a logical is used as the target.
7-Dec-2018
- Correct some memory leaks in SSH-AGENT2, which could cause problems
with heavy usage. SSHB-036_A024 ECO Rank 3 21-Nov-2018
- Correct a problem with verifying an RSA host key with ECDH
key exchange. SSHB-035_A055 ECO Rank 3 31-Oct-2018
- Correct a problem with passwords that are 32 characters long.
SSHB-034_A055 ECO Rank 3 17-Sep-2018
- Updates to key exchange code to support diffie-hellman-group14-sha256
SSHB-033_A055 ECO Rank 3 10-Aug-2018
- Added configuration variable RadiusTimeout to allow site
configuration of Radius Timeout value. The default value is 3
seconds. SSH-029_A055 ECO Rank 3 12-Jul-2018
- Updates to certificate authentication code after testing with
RSA2048-SHA256 certificates.
SSHB-032_A055 ECO Rank 3 29-May-2018
- Correct a data structure alignment issue in the I/O module to
improve performance. This provides new images for SSH2, SSHD2,
SFTP2, SCP2 and SFTP-SERVER2. SSH-019_A055 ECO Rank 3 25-Apr-2018
- Make SCP2, SFTP2 and SFTP-SERVER2 observe the setting of the
MULTINET_SFTP_DEFAULT_FILE_TYPE_REGULAR at all points that files
could be accessed. SSH-018_A055 ECO Rank 3 30-Jan-2018
- When the logical MULTINET_SSH_RADIUS_TRUNCATE_USERNAME is defined in
the system logical name table, usernames will be truncated before
any underscore (_) present in the name before attempting RADIUS
password authentication. SSH-017_A055 ECO Rank 3 29-Jan-2018
- Correct attempts to open /dev/random and /dev/urandom that can cause
problems on systems that have a logical for dev defined.
SSH-017_A055 ECO Rank 3 29-Jan-2018
- Modification to SSHD2 and SSH2 to support SSH Group Exchange Key
Exchange (RFC 4419), so the the correct minimum level of security
can be maintained for RSA2048-SHA256 certificates.
SSHB-031_A055 ECO Rank 3 21-Nov-2017
- Modification of SSHD2 to support of LOAD_PWD_POLICY and
VMS$PASSWORD_POLICY callouts with PWDMIX on systems that support
PWDMIX. Note that the VMS$PASSWORD_POLICY callouts must NOT write to
SYS$OUTPUT or attempt to read from SYS$INPUT as these channels are
used for network communication and doing so will cause problems.
Writes to SYS$ERROR will appear in the SSH_LOG:SSHD.LOG for the
session. SSH-016_A055 ECO Rank 3 8-Nov-2017
- Modification of SSHD2 to prevent CAPTIVE or RESTRICTED usernames
from creating tunnels. SSH-016_A055 ECO Rank 3 8-Nov-2017
- Modification to SSHD2 and SSH2 to support X509v3-rsa2048-sha256
certificates for host key exchange. (RFC 6187)
SSHB-022_a055 ECO Rank 3 31-Oct-2017
- Modification of SSHD_MASTER to allow for control of the timeout of
the connection id with the logical MULTINET_SSH_CONNECT_ID_TIMEOUT.
This logical should be defined to a VMS delta time before SSH is
started. Modification requires restarting of SSH to take effect.
If the logical is not defined, or not a VMS delta time, then the
default value of 1 minute (0 00:01:00.0) is used.
SSHB-021_A055 ECO Rank 3
- Modifications to SSHD2 such that it can read unencrypted certificate
keys for system autentication with certificates without having to
process the keys & certificates with the certificate utilities.
- Elliptic curve Diffie-Hellman (ECDH) key agreement [RFC 5656]
Curves: nistp256, nistp384, nistp521
The curve chosen will be sufficient to support the hash for
the host keys involved. This means that if the host key is
ECDSA-nistp521, only the nistp521 curve will be available, an
ECDSA-nistp384 key will have nistp384 and nistp521 available,
and ECDSA-nistp256 will have nistp256, nistp384 and nistp521
available.
- Elliptic curve digital signature algorithm (ECDSA) [RFC 5656].
Public keys are written in a format close to what is used by OpenSSH
and OpenSSH public keys can be read as is. The "Subject" and
"Comment" lines in the key may need to be removed to make the keys
readable by OpenSSH. The curves supported are:
nistp256, nistp384, nistp521
- Advanced Encryption Standard running in Galois/Counter Mode
(AES-GCM) [RFC 5647], as modified by OpenSSH to resolve a
potential ambiguity as the encryption and message authentication are
both provided by a single algorithm. In this case the ciphers are
named:
aes128-gcm@openssh.com, aes256-gcm@openssh.com
- New MACs: SHA-256, SHA-384 and SHA-512 [RFC 6668]. These can be used
with any ciphers, except the gcm ciphers, which provide both
encryption and MAC functionality.
- The implementations have been built with OpenSSL LIBCRYPTO 1.0.2j
and have been tested with OpenSSH 7.2p2.
The following problems are fixed by this ECO:
o Fix problems in SFTP2 when transfering files from VMS to non-VMS when
a transfer mode was not set.
SSH-014_A055 ECO Rank 3 20-Jul-2017
o The format of the /ASCII qualifier on the SCP2 command line has been
expanded to allow for the specification of separate source and
destination newline sequences such as /ASCII=(SOURCE=VMS,DEST=UNIX).
Old syntax (/ASCII=UNIX) is the same as /ASCII=(DEST=UNIX). This
requires that the new USER.CLD be used to set the commands in the
command tables. Use the following command line to save these as the
system command tables:
$ set command/table=sys$common:[syslib]dcltables.exe -
/output=sys$common:[syslib]dcltables.exe multinet:user.cld
$ install replace sys$library:dcltables
SSH-013_A055 ECO Rank 3
o Changes to SFTP2 and SFTP-SERVER2 to fix problems with CD and files
named .; in the directory. SSH-012_A055 ECO Rank 3
o Changes to debugging output in SCP2 to make it more like earlier
patches. SSH-011_A055 ECO rank 3
o Map two different status code groups used in SFTP2 into a single one
to resolve problems with SFTP2 sometime returning unexpected
completion status when operating in batch mode.
SSH-010_A055 ECO rank 3
o Correct a potential memory leak in SFTP2. SSH-010_A055 ECO Rank 3
o Additional checks in SFTP2 to detect a freed data structure and reduce
the chance of an ACCVIO. SSH-010_A055 ECO Rank 3
-----------------------------------------------------------------------------
Post-Installation Instructions
A system reboot is required after applying this ECO.