Request demo

Tectia Client Product Update

Read about the latest features and updates of Tectia Client.

 

1. About This Release

The 6.6 release of Tectia Client is declared Long Term Supported (LTS), and it is supported for 3 years from the release date of 6.6.2. The latest support end dates for Tectia Client/Server are available at:  https://www.ssh.com/products/support/end-of-support

The 6.6.4 release is available for AIX (POWER), HP-UX (IA-64 and PA-RISC), Solaris (SPARC and x86-64), Linux (x86-64) and Windows (x86-64) platforms.

The 6.6.4 release is a maintenance release, and doesn't add any new features  PQC algorithms supported only on AIX, Solaris, Linux and Windows.

Special items for 6.6 release are:

  • Tectia Quantum Safe Edition with multiple PQC hybrid key exchange algorithms

  • Added support for Ubuntu, Debian, Rocky (Linux) platforms

  • Improvements to Secure File Transfer on Windows

  • Improvements to certificate validation

  • FIPS module has been updated to OpenSSL 3.0.8 in Solaris, Linux and Windows

  • Removed ETM MAC algorithms from the defaults

  • Deprecation of DSA algorithms from the defaults

  • Deprecation of SHA-1 algorithms from the defaults

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products, and on Windows also SSH Tectia 6.0.x or older, before installing SSH Tectia 6.6 products.  For the installation instructions, refer to the Tectia Client User Manual.


 

2. Important Changes

Important changes in 6.6.3

(TECT-981) The hmac-sha2-256-etm@openssh.com and hmac-sha2-512-etm@openssh.com MAC algorithmsare no longer included in the defaults. Also the strict KEX mitigation to low impact CVE-2023-48795 has been implemented.Please note that also the Secure Shell server needs to support the strict KEX.

(TECT-740) FIPS module has been updated to OpenSSL 3.0.8 in Solaris, Linux and Windows.

(TECT-968) In FIPS mode diffie-hellman-group-exchange-sha256 (DH-GEX-SHA256) and other GroupExchange (GEX) methods are now disabled in Key Exchange (KEX) to comply with FIPS140-2 NIST SP 800-56Ar3 requirement of using standard Modular Exponential (MODP)Diffie-Hellman groups such as diffie-hellman-group18-sha512. Customers using FIPS should verify that their Tectia configurations do not containGroup Exchange (GEX) methods.

Tectia Client in FIPS mode fails to connect with"KEX negotiation failed" error after upgrade if Secure Shell Server does not offerother methods or if only the diffie-hellman-group-exchange-* (DH-GEX-*) algorithmsare enabled in ssh-broker-config.xml.

(TECT-892) AES-GCM is now preferred over AES-CTR in default configurations.

(TECT-824) Added official support for Rocky Linux (8 and 9), Ubuntu (18.04, 20.04 and 22.04)and Debian GNU/Linux (11 and 12) platforms.

 

Important changes in 6.6.2

(TECT-718) DSA has been deprecated and is no longer included in default values of host key algorithms nor public-key signature algorithms. We strongly recommend to use any other supported host key algorithm and signature algorithm instead for host keys and user keys.

CAUTION: Public key authentication with DSA keys fail on signature failure after upgrade.

It is recommended to generate new RSA or Elliptic Curve Key (ECDSAor Edwards Curve) user key(s) and replace the authorized user public key(s) on the server-side. Connections will fail with "Key exchange failed" and "Host key algorithm negotiation failed" errors after upgrade if Secure Shell Server has a DSA host key as the only identity and the ssh-broker-config.xml does not explicitly allow using deprecatedDSA algorithm(s) such as ssh-dss-sha256@ssh.com.

It is recommended to create a server-specific connection profile or a generic legacy profile with deprecated DSA algorithms listed last when connecting to old servers if the DSA host key or authorized user public key cannot be changed on the server-side.

(TECT-566) Using OpenSSL 3.0 FIPS container inside Solaris, Linux and Windows. RSA, ECDSAand Ed25519 keys are supported in FIPS mode. New DSA keys cannot be generated with Client Configuration GUI when running in FIPS mode. If needed, 3072 or 2048 bit DSA keys can be generated with ssh-keygen-g3 --fips-mode.

(TECT-655) PQC algorithm support for Solaris as a part of the Tectia Quantum Safe Edition.

(TECT-663) Solaris installation packages are now 64-bit.

(TECT-721) Tectia Client now signs always with a SHA-2 algorithm in host based authentication, and therefore it does not interoperate with old servers that have host based authentication enabled as a user authentication method. It is recommended to upgrade both the client-side and server-side to the latest Tectia version if host based authentication is used in the environment.

 

Important changes in 6.6.1

(TECT-619) Increased default RSA and DSA key size from 2048 bits to 3072 bits and ECDSA from 256 bits to 384 bits. These changes reflect the new minimum values recommended by us for these authentication keys.

(TECT-614) NIST has chosen CRYSTALS-Kyber. Following this decision we have decided to remove SABER from the defaults. However, SABER still remains supported and the PQC hybrid KEX ecdh-nistp521-firesaber-sha512@ssh.com can be enabled in configuration. For more information:https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022

The new PQC hybrid KEX defaults are:

* ecdh-nistp521-kyber1024-sha512@ssh.com

* curve25519-frodokem1344-sha512@ssh.com

* sntrup761x25519-sha512@openssh.com

 

Important changes in 6.6.0

(TECT-193) Tectia Quantum Safe Edition license file enables Post Quantum Cryptography (PQC)algorithms SABER, CRYSTALS-Kyber, FrodoKEM and Streamlined NTRU Prime that are used in a Hybrid Key Exchange together with a classical ECDH algorithm.

Both the PQC and ECDH algorithm contribute to the key material resulting in a sessionkey that is at least as hard to break as the strongest composite. The hybrid approach mitigates the risk of future attacks on recorded secure shell sessions if weaknesses are discovered in either algorithm.

Note that the server-side, Tectia Server version 6.6 and above, Tectia SSH Server for z/OS version 6.6.12 or above, or OpenSSH version 9.0 or above, needs to also support and allow at least one of the PQC hybrid KEX algorithms or connections will use classical KEX algorithms by default. Note when upgrading from 6.5.1 with changed configurations or from 6.4.x, the Post Quantum Cryptography (PQC) algorithms require Tectia Quantum Safe Edition license and are not enabled unless explicitly configured. Please see the TectiaClient example file ssh-broker-config-example.xml

(TECT-541) Due to vulnerabilities discovered in the SHA-1 hashing algorithm, SHA1 algorithms for signatures and key exchange have been removed from client defaults. These algorithms can still be enabled for legacy reasons for example in profile settings when connecting to a particular legacy server. For fallback configuration please see the Tectia Client example file ssh-broker-config-example.xml in the system-wideconfiguration directory.

It is important to understand that SHA-1 algorithms are deprecated due to security issues and should not be enabled without a critical legacy dependency for them. Enabling SHA-1 algorithms is not recommended by us.

* ssh-rsa (RSA/SHA1) is no longer included in public-key signature algorithms nor host key algorithms default values. We recommended using SHA2 variants (e.g. rsa-sha2-256, ssh-rsa-sha256@ssh.com) for existing RSA keys.

* ssh-dss (DSA/SHA1) is no longer included in public-key signature algorithms nor host key algorithms. We recommend using SHA2 variants (e.g. ssh-dss-sha256@ssh.com) for existing DSA keys and creating additional RSA, ED25519, or ECDSA key(s) for better interoperability with third-party clients/servers.

* diffie-hellman-group-exchange-sha1 (DH-GEX-SHA1) and diffie-hellman-group14-sha1 are no longer included in key exchange default values. We recommend using SHA2 variants (e.g. diffie-hellman-group-exchange-sha256 and diffie-hellman-group14-sha256).

SHA2 variants @ssh.com algorithms have been supported in Tectia Client/Server since version 6.2.0 released in 2011. Standardized SHA2 variants since version 6.4.18. HMAC SHA1 algorithms still remain in client defaults. Although NIST has formally deprecated use of SHA-1 for digital signatures, SHA-1 is still considered secure for HMAC as the security of HMAC does not rely on the underlying hash function being resistant to collisions. CBC mode ciphers are no longer included in client defaults.

Although there are no known vulnerabilities for current versions, there are better counter modes available such as GCM. CBC mode ciphers can still be manually enabled in the client configuration. This change was made to alleviate false positives in security audits.

Our recommendation is to use CTR mode and GCM mode over CBC mode whenever possible and use CBC mode only when it is not possible to use the other two counter modes with ciphers.

 

3. New Features

The following new features have been implemented in Tectia Client:

New features in 6.6.4

See the bug fixes.

 

New features in 6.6.3

(TECT-943) ssh-keygen-g3 tool: Improved passphrase handling. Now if --random-pass option is used when generating a new key, the private key is protected with a BASE64 encoded passphrase and the path to <file>.pass is shown in the output.

(TECT-920) Command-line clients sshg3, sftpg3 and scpg3 now have --any-alg option that allows all supported algorithms including the insecure ones to be used.

Alternatively, all supported algorithms for a specific option can be allowed with --ciphers=any --macs=any --kexs=any --hostkey-algorithms=any or --publickey-algorithms=any. If an algorithm is explicitly specified on command line, it will be used instead of --any-alg. (TECT-878)- Performance profiling for currently running broker. Intended for better problem diagnostics with the help of SSH support. Obtain performance measurements with  'ssh-broker-ctl performance show' command.

(TECT-865) Added compatibility for Azure SFTP server due to lack of checksum support in AzureSSH_1.0.0.

(TECT-849) New MVS filetypes IDC (Idcams), PDS (Partition Dataset), IBC (IEBCOPY) and DSS (ADRDSSU) can now be used in ftadv (file transfer advisory string).

(TECT-805) Improved reporting of used signature algorithm if public key authentication is used. Also added --auth-log option to 'ssh-broker-ctl connection-status ID --auth-log'

(TECT-780) sftpg3 initial remote path can be now provided on the command-line. Also URL syntax is supported, for example sftp://user@host/path

(TECT-512) Windows: Added support for directory symlinks in SFTP.

 

New features in 6.6.2

(TECT-743) Tectia Quantum Safe Edition: Added a new PQC hybrid KEX algorithm curve448-kyber1024-sha512@ssh.com that is supported when FIPS mode is enabled. 

(TECT-591) Command-line clients sshg3, sftpg3 and scpg3 now support --template-profile option that can be used with a generic profile, specifying for example required algorithms, when connecting to servers instead of using default or server-specific profiles in ssh-broker-config.xml.

(TECT-710) Command-line clients sshg3, sftpg3 and scpg3 now support --publickey-algorithms option that specify signature algorithms in preferred order in user publickey authentication. Alternatively, signature-algorithms can be specified in ssh-broker-config.xml. 

(TECT-677) Improved user certificate filtering to make it easier to offer the certificates  that are more likely to be accepted by the server in user authentication when there  are multiple certificates. 

(TECT-793) Compatibility for OpenSSH 7.4 server that reports incorrect server-sig-algs extension so that ed25519 or ecdsa keys can be used.

 

New features in 6.6.1

(TECT-611) Added Red Hat Enterprise Linux 9 as a supported installation platform. 

(TECT-629) Added support for ncurses 6, which removes the previous dependency for libncurses compat libraries.

 

New features in 6.6.0

(TECT-193) Added support for Post Quantum Cryptography (PQC) hybrid key exchange algorithms.  Following PQC hybrid KEX algorithms are supported and enabled by default when Tectia Quantum Safe Edition license is installed:

* ecdh-nistp521-firesaber-sha512@ssh.com

* ecdh-nistp521-kyber1024-sha512@ssh.com

* curve25519-frodokem1344-sha512@ssh.com

* sntrup761x25519-sha512@openssh.com 

Tectia Client prefers the PQC hybrid KEX algorithms over classical KEX algorithms in the above order by default.  

(TECT-571) Added support for IBM AIX 7.3

(TECT-557) sftpg3 command-line client: also sha256 and sha512 can now be used with digest command with servers that support the hashes.

 

New features in 6.5.2

There are no new features introduced in this release.

 

New features in 6.5.1

(TECT-194) Windows: Japanese localization for Tectia Client. Feature can be enabled with a separate license. 

(TECT-95) Windows: Japanese character set Shift-JIS supported on Tectia Client File Transfer GUI and Terminal GUI. 

(TECT-94) Windows: Tectia Client File Transfer GUI and Terminal GUI support UTF-8. 

(TECT-462) Windows 11, Windows Server 2022, SUSE Linux Desktop 15 and SUSE Linux Enterprise Server 15 (x86-64) added as supported installation platforms. 

(TECT-313) Added support for x509-certificate-chain for user and host certificates and standardized X.509v3 signature algorithms defined in RFC6187.  Following signature-algorithms and hostkey-algorithm are supported: 

* x509v3-rsa2048-sha256

* x509v3-ecdsa-sha2-nistp256

* x509v3-ecdsa-sha2-nistp384

* x509v3-ecdsa-sha2-nistp521

* x509v3-ssh-dss (DSA/SHA1 not enabled by default on server-side)

* x509v3-ssh-rsa (RSA/SHA1 not enabled by default on server-side) 

(TECT-147) Added support for OpenSSH user and host certificates.  Following signature-algorithms and hostkey-algorithm are supported: 

* ecdsa-sha2-nistp256-cert-v01@openssh.com

* ecdsa-sha2-nistp384-cert-v01@openssh.com

* ecdsa-sha2-nistp521-cert-v01@openssh.com

* ssh-ed25519-cert-v01@openssh.com

* rsa-sha2-256-cert-v01@openssh.com

* rsa-sha2-512-cert-v01@openssh.com

* ssh-rsa-cert-v01@openssh.com (RSA/SHA1 not enabled by default)

* ssh-dss-cert-v01@openssh.com (DSA/SHA1 not enabled by default) 

(TECT-492) Added curve25519-sha256@libssh.org to client and server key exchange defaults for better interoperability with 3rd party implementations that do not support standardized curve25519-sha256. 

(TECT-365) Windows: OpenSSH-style system-wide C:\ProgramData\SSH\ssh_known_hosts is now checked after C:\ProgramData\SSH\HostKeys\ folder for existing saved public hostkeys. 

(TECT-349) External program command-line now supports '%U' (username) and '%H' (hostname) substitutions. The custom program is expected to return with exit value 0 for success within 70 seconds.  Example external-program commands with username and hostname substitution:   

sshg3 --password="extprog://getpass.sh %U"  

sshg3 --password="extprog://%U/pass.sh"  

sshg3 --password="extprog://%U_%H.sh" 

(TECT-228) Tectia Client Configuration GUI now stores saved password in base64 encoded format using string-base64 attribute for non-interactive connections. Also passwords with special character " can be used. Public-key authentication or external password program is recommended instead of saved passwords. 

(TECT-290) ssh-keygen-g3 --append=no option now correctly truncates saved public hostkey file so that shorter keys can be used to replace longer keys, for example an ECDSA key to replace a RSA key. Now subsequent alternate identities can be appended correctly. 

(TECT-160) Windows: Tectia Client File Transfer GUI has now 'Filter bar' toolbar for local and remote file list to filter folders and files using a glob pattern, e.g. '*.txt' in current folder. 

(TECT-219) RFC8308 server-sig-algs extension is now supported also on client-side. User public-key authentication is less likely to fail for example against OpenSSH server due to too many failed attempts when only signature algorithms that the server supports are attempted.

 

4. Bug Fixes

The following fixes have been implemented in Tectia Client:

Bug fixes in 6.6.4

(TECT-1030) Fixed issues with how Windows symlinks are handled. 

(TECT-1026) Added support for 'console-utf8' windows terminal mode, default is still 'console'. The 'console-utf8' helps resolve issues code page issues in windows where conflicts between client and server code pages result with displaying incorrectly some non-ASCII characters.

(TECT-1009 & TECT-1034) Windows GUI: Fixed issues in file transfer GUI with right-click to upload and with file transfer dialogues, including in queue tab. 

(TECT-1003) Fixed an issue with sftpg3 open command for example 'open user@host' now connects correctly to remote host. In 6.6.3 version the command opened sftp to local file system. Also URL syntax with path is now supported for open command, for example 'open sftp://user@host/path'

 

Bug fixes in 6.6.3

(TECT-971) Windows GUI: Fixed an issue with terminal emulation where end of lines were not always cleared correctly leaving old characters on screen when updating display. 

(TECT-938) Fixed an issue with broker running in daemon mode where simultaneous connections with authentication agent forwarding enabled might fail with 'Agent connection failed', which could lead to a broker crash. 

(TECT-910) Windows GUI: Fixed an issue using control characters to manipulate character set(s) during a single connection in GUI terminal. Using control characters should now correctly change the character set e.g. between line draw characters and defaults. 

(TECT-898) Windows GUI: Fixed an issue where reconnecting to same host after disconnecting during same the GUI session prevents files from being uploaded. 

(TECT-897) Windows GUI: Fixed issues with file Upload Dialogue. 

(TECT-846) Windows GUI: File transfer filter bar should now work as expected when "Remove view on left, local view on right" is selected. 

(TECT-845) Windows GUI: Add favorite remote folders are now added to the correct profile instead of the default.ssh2 profile. 

(TECT-842) Windows GUI: "Preserve original file time" setting is now honoured. 

(TECT-841) Windows GUI: Fixed an issue where file overwrite protection did not prompt the user when attempting to overwrite a file with the setting enabled. 

(TECT-836) Windows GUI: Fixed issues with how some of the ASCII transfer extensions were handled in GUI. 

(TECT-835) Windows GUI: Fixed set file permissions in GUI file transfer. 

(TECT-809) Fixed an issue with broker where connection would fail if "Signature operation  failed", for example if SHA-1 was attempted in FIPS mode that does not allow it. Now Key_store_sign_failed causes just the particular key to fail, and next publickey(s) are tried if authorized on the server-side.

(TECT-729) Fixed an issue in Configuration GUI where setting severity to debug goes against XML DTD definition resulting in an invalid configuration of the XML file. 

(TECT-438) Windows GUI: Client now cancels the authentication attempt and skips to next  method if empty passphrase or password is provided in the authentication prompt. Previously, GUI prompted for the passphrase repeatedly.

 

Bug fixes in 6.6.2

(TECT-762) Fixed an issue with proxy ruleset so that IP range is no longer ignored in direct configuration. Previously configured proxy was always used for all client connections.

(TECT-742) Ed25519 user keys can be now used via authentication agent. 

(TECT-746) Fixed an issue with nested authentication agent forwarding that could in some conditions result in signature failure with Externalkey provider error after waiting for 5 minutes. 

(TECT-704) Broker no longer crashes when “interactive-shy” is set as the key-selection policy under certain conditions. 

(TECT-675) Currently valid user certificates are now prioritized newest first by default. 

(TECT-646) Broker no longer crashes when using multiple certificates and user should choose the certificate, when the option 'Prompt user to select the public key' has been selected. 

(TECT-554) Broker no longer crashes under certain conditions with OpenSSH Agent.

 

Bug fixes in 6.6.1

(TECT-609) Fixed a bug with Radius authentication in RHEL that prevented the use of said authentication method. 

(TECT-606) User defined password in connection profile is now only tried once. Previously an incorrect password in connection profile would make the client reattempt the connection until all attempts were exhausted. 

(TECT-605) Client GUI connections will now honor passphrase-timeout config setting. 

(TECT-587) Compatability improvements with OpenSSH Agent.

 

Bug fixes in 6.6.0

(TECT-544) Tectia Client Configuration GUI now correctly disables "use proxy rule" for profiles when the option is toggled. 

(TECT-559) Tectia Client Configuration GUI can be used again to add multiple local tunnel configurations. 

(TECT-564) Fixed an issue with OCSP certificate validation that may have resulted in Certificate_validation_failure with error time-interval-was-invalid even if valid CRL was available when check against OCSP responder failed.

 

Bug fixes in 6.5.2

There are no Tectia Client bug fixes introduced in this release.

 

Bug fixes in 6.5.1

(TECT-308) sshg3 -f, --fork-into-background option no longer prevents executing the remote command. 

(TECT-190) Current terminal size is now requested also in the initial window size request that previously used always Terminal height: 24 rows. This improves interoperabilit with 3rd party servers like Cisco routers that do not implement window-change message defined in RFC4254. 

(TECT-201) sftpg3 and scpg3 no longer send file size in attributes during file open as some 3rd party server implementations incorrectly rely on it as final size resulting in 0 byte file. 

(TECT-136) Race condition in buffer, data structure and program memory release are fixed in sftpg3. 

(TECT-142) Fixed a race condition that sometimes could lead to a crash of scpg3 client when new hostkey was not saved by user or declined by-design in batch mode. 

(TECT-176) Fixed a race condition that sometimes could lead to a crash of ssh-broker-g3 when connection was attempted. 

(TECT-306) Windows: Tectia Client GUI command-line options now overwrite the values in connection profile.    'ssh-client-g3 [-h host] [-u user] [-p port] [profile]' 

(TECT-336) When user key renewal is disabled, the client no longer reports "Client key rotation failed: Key id N not found." upon successful publickey authentication when -K --identity-key-file or --identity option is used. Note that user key renewal should not be enabled if explicit key is defined in scripts as next login will fail after user key has been renewed. 

(TECT-464) Client now uploads the new key correctly to found location(s) during user key renewal.

Previously, if Tectia Server was configured to use exclusively openssh-authorized-keys-file="%D/.ssh/authorized_keys" or authorization-file="%D/.ssh2/authorization", the new key was uploaded to %D/.ssh2/authorized_keys directory only.

Note that the client is able to check if the old key is found from the default locations. 

(TECT-311) Windows: When a non-responsive SOCKS proxy is used for a connection, non-matching TCP connect attempts no longer block until proxied connection times out after 60 seconds. 

(TECT-210) SHA2 signature algorithm can be now used with RSA keys with OpenSSH agent forwarding that implements agent forwarding protocol version 1. 

(TECT-246) Passphrase protected key that is locked can now be used through agent forwarding if broker GUI is able to prompt the user for passphrase. 

(TECT-127) OpenSSL generated passphrase protected PKCS#8 key no longer fails to be decoded.

 

5. Known Issues

The following issues are currently known to exist in Tectia Client:

(FB #38886) All Platforms: scpg3 and sftpg3 with --append overwrite the destination file when the server is OpenSSH 6.4 or older. 

(FB #36224, FB #36221) Windows: Connections Configuration GUI: Dots do not work correctly in profile names or profile folder names, because they are used internally for the profile folder feature. 

(FB #36222) Windows: Connections Configuration GUI: Empty connection profile folders are not saved in the Broker configuration. 

(FB #36835) All platforms: Remote translation tables only work when the site command X=BIN is used. Local translation tables work as intended. 

(FB #19541) Unix/Linux: When logged to the SSH Tectia Server, an executable will fail to start if any parent of the current working directory is not readable and relative paths are used to refer to the executable. 

(FB #13818) All Platforms: The usage of IPv6 addresses in certificates is not yet supported. 

(FB #3882) z/OS: SFTP fails when attempting to transfer an empty MVS dataset. However, FTP opens the file and proclaims that the transfer is completed without generating an error. 

(FB #9840) Solaris: On some Solaris configurations the ssh-capture tool does not function without configuring the operating system. The runtime linking environment must be adjusted to honor the LD_PRELOAD environment variable. See the manual page of crle(1) for details. 

(FB #9367) Windows: If the installation fails with error message "An error occurred during the installation of assembly component {B708EB72-AA82-3EB7-8BB0- D845BAB35C93D}. HRESULT: 0x80070BC9" use Windows Update to install required operating system updates. 

(FB #9106) AIX: Executables are now compiled in 64 bit. For PAM to work, the operating system should point to the 64-bit versions of PAM libraries instead of the 32-bit versions. 

(FB #9530) All platforms: Extra checks are done when starting the Tectia Server and Connection Broker in the FIPS mode due to the OpenSSL FIPS cryptographic library health check. This will lead to a noticeable delay in the start of the process on slow machines. 

(FB #7726) Windows: --summary-format newline option '\n' does not work on Windows. 

(FB #4725) All platforms: The ssh-keygen will always use the default location of the UserConfigDirectory, if no path is specified. 

(RQ #18958) Windows: Password cannot be specified in a file with --password command-line option. 

(RQ #18674) Windows: Uploading files from "Upload Dialog" of the GUI file transfer tool does not work when "Hide extensions for known file types" of Windows Explorer is set to 'yes'. Workaround: Enable file extensions. This issue will be fixed in an upcoming maintenance release. 

(RQ #17537) Windows: If the "Transparent tunneling" component of Tectia Client or Tectia ConnectSecure is installed on a Windows XP computer in a domain where firewall exceptions are managed by a group policy, the exceptions get changed so that the computer becomes inaccessible from the network.

Workaround: Edit the exceptions manually so that, for example, the server port becomes accessible. 

(RQ #17535) Windows: SFTP GUI might cause the existing local copy of a file to be partially overwritten in ASCII mode, when downloading of the file from the remote server fails due to missing file permissions.

(RQ #17528) All platforms: The scpg3 command shows the transfer time incorrectly if "--statistics=simple" is set. 

(RQ #17482) All platforms: When trying to connect to a server that is not available (i.e. the server is not running), the error message returned by sshg3 is "Unable to connect to Broker". It should return "Unable to connect to Server". 

(RQ #17368) Windows: Reconnecting to the previously used Connection Profile by pressing Enter in the Tectia Terminal or File Transfer GUI may fail in some cases. Workaround: Select the profile from the menu.

(RQ #17343) Windows: Removing a token while it is being read could in some cases result in a Tectia Connection Broker failure. 

(RQ #17215) Windows: Opening multiple remote tunnels in a profile against OpenSSH servers can cause Tectia Connection Broker to fail. 

(RQ #17055) Solaris: Installation packages do not detect the underlying Solaris architecture to prevent installation of the x86-64 packages on x86 architecture. The packages can be installed but they will not work. 

(RQ #16986) Windows: SFTP 'chmod' command is not supported against Tectia Server running on Windows. 

(RQ #16902) Unix: If scpg3 is used to copy a file to itself, the file will be truncated and the scpg3 command hangs. 

(RQ #16573) Unix: The 'finger' command does not show the idle time correctly when logged in using SFTP. 

(RQ #16276) Windows: When running sftpg3 in batch mode, the Connection Broker may log the Broker_channel_process_exit_failed messages with status "Operation failed". These are system internal events and do not indicate any failure in the file transfer operation. 

(RQ #16270) Windows: The exit values for scpg3 do not match the values mentioned in the documentation in the following error situations: connection lost, interrupting a file transfer using CTRL+C, trying to copy to a directory, but the destination is not a directory. Nevertheless, in all these cases the return value is non-zero. 

(RQ #15996) All platforms: scpg3 does not warn about the existence of directories when shell globbing is used, for example: scpg3 "/tmp/testdir/*" user@server:/tmp However, the correct warning is displayed if the scpg3 command is used without globbing: scpg3 /tmp/testdir/* user@server:/tmp 

(RQ #15973) All platforms: The certificate validation path construction from LDAP fails, if the LDAP server requires suffix ';binary' for the PKI binary blob attribute names. 

(RQ #15948) Windows: If the Connection Broker is started for another userID using the 'runas' command, the user dialogs are shown for the user who started the process. 

(RQ #15921) All platforms: The server creates empty files if a user tries to transfer files without correct server-side permissions. The correct error message is displayed. 

(RQ #15846) Windows: Local TCP tunneling using listener port 0 does not work. 

(RQ #15006) Windows: When accessing a Unix host using scpg3 or sftpg3, files with file names that contain characters that are illegal in Windows file names (for example: *, ? and ~) cannot be transferred or accessed if relative paths are used.

Workaround: Use absolute paths for accessing the files on the Unix host and escape the illegal characters with the tilde character '~'. Note also that the files with illegal characters need to be renamed when transferred to Windows. For example, to copy a file "file*name.txt" from user's Unix home directory to Windows: C:\> scpg3.exe user@server:/home/user/file~*name.txt filename.txt 

(RQ #14227) Windows: If trying to connect from a Windows GUI client to an OpenSSH server with a public key and option command="ls", the client hangs. When performed with the Windows command-line client (sshg3) it works properly.

(RQ #14226) Windows: When using regular expressions in filter rules the dot character '.' does not work as expected. For example, when using a filter rule for tunneling of telnet.exe using regular expression: '.*.ssh.com' the connection will not be tunneled even if the regular expression matched the host address.

Workaround: Add a '\' in front of the '.' For example, the previous regular expression should be: '.*\.ssh\.com'

(RQ #14222) All platforms: If a wrong passphrase is provided several times for a key, the Connection Broker skips it and proceeds to the next key. If it is an OpenSSH key, once it has been skipped because of a decoding failure, the Connection Broker makes no further attempts to use the key on subsequent login attempts. The Connection Broker must be reloaded or restarted in order to use that OpenSSH key for authentication.

(RQ #14109) Windows: Secure file transfer speed may be slower against Tectia Server on Windows than against Tectia Server on Linux.

(RQ #13377) Windows: If multiple concurrent terminal services sessions are opened for the same user, the services sessions share the same Connection Broker session. This can cause the user banner and dialog boxes to be displayed to the wrong session. Opening several concurrent terminal services sessions for the same user does not provide secure separation of sessions.

(RQ #11836) All platforms: After changing the password on a Secure Shell server, but before logging in with the new password, either the Connection Broker must be restarted to close the previous connection, or the user must wait for the connection to time out (by default 5 seconds). If this is not done, login with the new password will not succeed.

 

 

6. Further Information

More information can be found on the Tectia man pages and manuals. Tectia manuals are also available from https://www.ssh.com/manuals/

Additional licenses can be purchased by contacting sales at https://www.ssh.com/ 

1. About This Release

The 6.6 release of Tectia Client is declared Long Term Supported (LTS), and it is supported for 3 years from the release date of 6.6.2. The latest support end dates for Tectia Client/Server are available at: https://www.ssh.com/products/support/end-of-support

The 6.6.3 release is available for AIX (POWER), HP-UX (IA-64 and PA-RISC), Solaris (SPARC and x86-64), Linux (x86-64) and Windows (x86-64) platforms.

PQC algorithms supported only on AIX, Solaris, Linux and Windows.

Special items for 6.6 release are:

  • Tectia Quantum Safe Edition with multiple PQC hybrid key exchange algorithms

  • Added support for Ubuntu, Debian, Rocky (Linux) platforms

  • Improvements to certificate validation

  • FIPS module has been updated to OpenSSL 3.0.8 in Solaris, Linux and Windows

  • Removed ETM MAC algorithms from the defaults

  • Deprecation of DSA algorithms from the defaults

  • Deprecation of SHA-1 algorithms from the defaults

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products, and on Windows also SSH Tectia 6.0.x or older, before installing SSH Tectia 6.6 products.

For the installation instructions, refer to the Tectia Client User Manual.

2. Important Changes

Important changes in 6.6.3

(TECT-981) The hmac-sha2-256-etm@openssh.com and hmac-sha2-512-etm@openssh.com MAC algorithms are no longer included in the defaults.

Also the strict KEX mitigation to low impact CVE-2023-48795 has been implemented. Please note that also the Secure Shell server needs to support the strict KEX.

(TECT-740) FIPS module has been updated to OpenSSL 3.0.8 in Solaris, Linux and Windows.

(TECT-968) In FIPS mode diffie-hellman-group-exchange-sha256 (DH-GEX-SHA256) and other Group Exchange (GEX) methods are now disabled in Key Exchange (KEX) to comply with FIPS 140-2 NIST SP 800-56Ar3 requirement of using standard Modular Exponential (MODP) Diffie-Hellman groups such as diffie-hellman-group18-sha512.

Customers using FIPS should verify that their Tectia configurations do not contain Group Exchange (GEX) methods. Tectia Client in FIPS mode fails to connect with "KEX negotiation failed" error after upgrade if Secure Shell Server does not offer other methods or if only the diffie-hellman-group-exchange-* (DH-GEX-*) algorithms are enabled in ssh-broker-config.xml.

(TECT-892) AES-GCM is now preferred over AES-CTR in default configurations.

(TECT-824) Added official support for Rocky Linux (8 and 9), Ubuntu (18.04, 20.04 and 22.04) and Debian GNU/Linux (11 and 12) platforms.

3. New Features

The following new features have been implemented in Tectia Client:

New features in 6.6.3

(TECT-943) - ssh-keygen-g3 tool: Improved passphrase handling. Now if --random-pass option is used when generating a new key, the private key is protected with a BASE64 encoded passphrase and the path to <file>.pass is shown in the output.

(TECT-920) - Command-line clients sshg3, sftpg3 and scpg3 now have --any-alg option that allows all supported algorithms including the insecure ones to be used. Alternatively, all supported algorithms for a specific option can be allowed with --ciphers=any--macs=any --kexs=any --hostkey-algorithms=any or --publickey-algorithms=any. If an algorithm is explicitly specified on command line, it will be used instead of--any-alg.

(TECT-878) - Performance profiling for currently running broker. Intended for better problem diagnostics with the help of SSH support. Obtain performance measurements with  'ssh-broker-ctl performance show' command.

(TECT-865) - Added compatibility for Azure SFTP server due to lack of checksum support in AzureSSH_1.0.0.

(TECT-849) - New MVS filetypes IDC (Idcams), PDS (Partition Dataset), IBC (IEBCOPY) and DSS (ADRDSSU) can now be used in ftadv (file transfer advisory string).

(TECT-805) - Improved reporting of used signature algorithm if publickey authentication is used. Also added --auth-log option to 'ssh-broker-ctl connection-status ID --auth-log'

(TECT-780) - sftpg3 initial remote path can be now provided on the command-line. Also URL syntax is supported, for example sftp://user@host/path

(TECT-512) - Windows: Added support for directory symlinks in SFTP.

4. Bug Fixes

The following fixes have been implemented in Tectia Client:

Bug fixes in 6.6.3

(TECT-971) - Windows GUI: Fixed an issue with terminal emulation where end of lines were not always cleared correctly leaving old characters on screen when updating display.

(TECT-938) - Fixed an issue with broker running in daemon mode where simultaneous connections with authentication agent forwarding enabled might fail with 'Agent connection failed', which could lead to a broker crash.

(TECT-910) - Windows GUI: Fixed an issue using control characters to manipulate character set(s) during a single connection in GUI terminal. Using control characters should now correctly change the character set e.g. between line draw characters and defaults.

(TECT-898) - Windows GUI: Fixed an issue where reconnecting to same host after disconnecting during same the GUI session prevents files from being uploaded.

(TECT-897) - Windows GUI: Fixed issues with file Upload Dialogue.

(TECT-846) - Windows GUI: File transfer filter bar should now work as expected when "Remove view on left, local view on right" is selected.

(TECT-845) - Windows GUI: Add favorite remote folders are now added to the correct profile instead of the default.ssh2 profile.

(TECT-842) - Windows GUI: "Preserve original file time" setting is now honoured.

(TECT-841) - Windows GUI: Fixed an issue where file overwrite protection did not prompt the user when attempting to overwrite a file with the setting enabled.

(TECT-836) - Windows GUI: Fixed issues with how some of the ASCII transfer extensions were handled in GUI.

(TECT-835) - Windows GUI: Fixed set file permissions in GUI file transfer.

(TECT-809) - Fixed an issue with broker where connection would fail if "Signature operation failed", for example if SHA-1 was attempted in FIPS mode that does not allow it. Now Key_store_sign_failed causes just the particular key to fail, and next publickey(s) are tried if authorized on the server-side.

(TECT-729) - Fixed an issue in Configuration GUI where setting severity to debug goes against XML DTD definition resulting in an invalid configuration of the XML file.

(TECT-438) - Windows GUI: Client now cancels the authentication attempt and skips to next  method if empty passphrase or password is provided in the authentication prompt. Previously, GUI prompted for the passphrase repeatedly.

5. Known Issues

The following issues are currently known to exist in Tectia Client:

(FB #38886) - All Platforms: scpg3 and sftpg3 with --append overwrite the destination file when the server is OpenSSH 6.4 or older.

(FB #36224, FB #36221) - Windows: Connections Configuration GUI: Dots do not work correctly in profile names or profile folder names, because they are used internally for the profile folder feature.

(FB #36222) - Windows: Connections Configuration GUI: Empty connection profile folders are not saved in the Broker configuration.

(FB #36835) - All platforms: Remote translation tables only work when the site command X=BIN is used. Local translation tables work as intended.

(FB #19541) - Unix/Linux: When logged to the SSH Tectia Server, an executable will fail to start if any parent of the current working directory is not readable and relative paths are used to refer to the executable.

(FB #13818) - All Platforms: The usage of IPv6 addresses in certificates is not yet supported.

(FB #3882) - z/OS: SFTP fails when attempting to transfer an empty MVS dataset. However, FTP opens the file and proclaims that the transfer is completed without generating an error.

(FB #9840) - Solaris: On some Solaris configurations the ssh-capture tool does not function without configuring the operating system. The runtime linking environment must be adjusted to honor the LD_PRELOAD environment variable. See the manual page of crle(1) for details.

(FB #9367) - Windows: If the installation fails with error message "An error occurred during the installation of assembly component {B708EB72-AA82-3EB7-8BB0-D845BAB35C93D}. HRESULT: 0x80070BC9" use Windows Update to install required operating system updates.

(FB #9106) - AIX: Executables are now compiled in 64 bit. For PAM to work, the operating system should point to the 64-bit versions of PAM libraries instead of the 32-bit versions.

(FB #9530) - All platforms: Extra checks are done when starting the Tectia Server and Connection Broker in the FIPS mode due to the OpenSSL FIPS cryptographic library health check. This will lead to a noticeable delay in the start of the process on slow machines.

(FB #7726) - Windows: --summary-format newline option '\n' does not work on Windows.

(FB #4725) - All platforms: The ssh-keygen will always use the default location of the UserConfigDirectory, if no path is specified.

(RQ #18958) - Windows: Password cannot be specified in a file with --password command-line option.

(RQ #18674) - Windows: Uploading files from "Upload Dialog" of the GUI file transfer tool does not work when "Hide extensions for known file types" of Windows Explorer is set to 'yes'. Workaround: Enable file extensions. This issue will be fixed in an upcoming maintenance release.

(RQ #17537) - Windows: If the "Transparent tunneling" component of Tectia Client or Tectia ConnectSecure is installed on a Windows XP computer in a domain where firewall exceptions are managed by a group policy, the exceptions get changed so that the computer becomes inaccessible from the network. Workaround: Edit the exceptions manually so that, for example, the server port becomes accessible.

(RQ #17535) - Windows: SFTP GUI might cause the existing local copy of a file to be partially overwritten in ASCII mode, when downloading of the file from the remote server fails due to missing file permissions.

(RQ #17528) - All platforms: The scpg3 command shows the transfer time incorrectly if "--statistics=simple" is set.

(RQ #17482) - All platforms: When trying to connect to a server that is not available (i.e. the server is not running), the error message returned by sshg3 is "Unable to connect to Broker". It should return "Unable to connect to Server".

(RQ #17368) - Windows: Reconnecting to the previously used Connection Profile by pressing Enter in the Tectia Terminal or File Transfer GUI may fail in some cases. Workaround: Select the profile from the menu.

(RQ #17343) - Windows: Removing a token while it is being read could in some cases result in a Tectia Connection Broker failure.

(RQ #17215) - Windows: Opening multiple remote tunnels in a profile against OpenSSH servers can cause Tectia Connection Broker to fail.

(RQ #17055) - Solaris: Installation packages do not detect the underlying Solaris architecture to prevent installation of the x86-64 packages on x86 architecture. The packages can be installed but they will not work.

(RQ #16986) - Windows: SFTP 'chmod' command is not supported against Tectia Server running on Windows.

(RQ #16902) - Unix: If scpg3 is used to copy a file to itself, the file will be truncated and the scpg3 command hangs.

(RQ #16573) - Unix: The 'finger' command does not show the idle time correctly when logged in using SFTP.

(RQ #16276) - Windows: When running sftpg3 in batch mode, the Connection Broker may log the Broker_channel_process_exit_failed messages with status "Operation failed". These are system internal events and do not indicate any failure in the file transfer operation.

(RQ #16270) - Windows: The exit values for scpg3 do not match the values mentioned in the documentation in the following error situations: connection lost, interrupting a file transfer using CTRL+C, trying to copy to a directory, but the destination is not a directory. Nevertheless, in all these cases the return value is non-zero.

(RQ #15996) - All platforms: scpg3 does not warn about the existence of directories when shell globbing is used, for example: scpg3 "/tmp/testdir/*" user@server:/tmp However, the correct warning is displayed if the scpg3 command is used without globbing: scpg3 /tmp/testdir/* user@server:/tmp

(RQ #15973) - All platforms: The certificate validation path construction from LDAP fails, if the LDAP server requires suffix ';binary' for the PKI binary blob attribute names.

(RQ #15948) - Windows: If the Connection Broker is started for another userID using the 'runas' command, the user dialogs are shown for the user who started the process.

(RQ #15921) - All platforms: The server creates empty files if a user tries to transfer files without correct server-side permissions. The correct error message is displayed.

(RQ #15846) - Windows: Local TCP tunneling using listener port 0 does not work.

(RQ #15006) - Windows: When accessing a Unix host using scpg3 or sftpg3, files with file names that contain characters that are illegal in Windows file names (for example: *, ? and ~) cannot be transferred or accessed if relative paths are used. Workaround: Use absolute paths for accessing the files on the Unix host and escape the illegal characters with the tilde character '~'. Note also that the files with illegal characters need to be renamed when transferred to Windows. For example, to copy a file "file*name.txt" from user's Unix home directory to Windows: C:\> scpg3.exe user@server:/home/user/file~*name.txt filename.txt

(RQ #14227) - Windows: If trying to connect from a Windows GUI client to an OpenSSH server with a public key and option command="ls", the client hangs. When performed with the Windows command-line client (sshg3) it works properly.

(RQ #14226) - Windows: When using regular expressions in filter rules the dot character '.' does not work as expected. For example, when using a filter rule for tunneling of telnet.exe using regular expression: '.*.ssh.com' the connection will not be tunneled even if the regular expression matched the host address. Workaround: Add a '\' in front of the '.' For example, the previous regular expression should be:  '.*\.ssh\.com'

(RQ #14222) - All platforms: If a wrong passphrase is provided several times for a key, the Connection Broker skips it and proceeds to the next key. If it is an OpenSSH key, once it has been skipped because of a decoding failure, the Connection Broker makes no further attempts to use the key on subsequent login attempts. The Connection Broker must be reloaded or restarted in order to use that OpenSSH key for authentication.

(RQ #14109) - Windows: Secure file transfer speed may be slower against Tectia Server on Windows than against Tectia Server on Linux.

(RQ #13377) - Windows: If multiple concurrent terminal services sessions are opened for the same user, the services sessions share the same Connection Broker session. This can cause the user banner and dialog boxes to be displayed to the wrong session. Opening several concurrent terminal services sessions for the same user does not provide secure separation of sessions.

(RQ #11836) - All platforms: After changing the password on a Secure Shell server, but before logging in with the new password, either the Connection Broker must be restarted to close the previous connection, or the user must wait for the connection to time out (by default 5 seconds). If this is not done, login with the new password will not succeed.

 

6. Further Information

More information can be found on the Tectia man pages and manuals. Tectia manuals are also available from https://www.ssh.com/manuals/

Additional licenses can be purchased by contacting sales at https://www.ssh.com/ 

1. About This Release

The 6.6 release of Tectia Client is declared Long Term Supported (LTS), and it is supported for 3 years from the release date of 6.6.2.

The latest support end dates for Tectia Client/Server are available here.

The 6.6.2 release is available for AIX (POWER), HP-UX (IA-64 and PA-RISC), Solaris (SPARC and x86-64), Linux (x86-64) and Windows (x86-64) platforms.

PQC algorithms are supported only on AIX, Solaris, Linux, and Windows.

Special items for 6.6 release are:

  • Tectia Quantum Safe Edition with multiple PQC hybrid key exchange algorithms
  • Improvements to certificate validation
  • FIPS module has been updated to OpenSSL 3.0 in Solaris, Linux, and Windows
  • Deprecation of DSA algorithms from the defaults
  • Deprecation of SHA-1 algorithms from the defaults

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products, and on Windows, also SSH Tectia 6.0.x or older, before installing SSH Tectia 6.6 products.

For the installation instructions, refer to the Tectia Client User Manual.

2. Important Changes

(TECT-718) DSA has been deprecated and is no longer included in default values of host key algorithms nor public-key signature algorithms. We strongly recommend to use any other supported hostkey algorithm and signature algorithm instead for host keys and user keys.

CAUTION: Public key authentication with DSA keys fail on signature failure after upgrade. It is recommended to generate new RSA or Elliptic Curve Key (ECDSA or Edwards Curve) user key(s) and replace the authorized user public key(s) on the server-side.

Connections will fail with "Key exchange failed" and "Host key algorithm negotiation failed" errors after upgrade if Secure Shell Server has a DSA host key as the only identity and the ssh-broker-config.xml does not explicitly allow using deprecated DSA algoritm(s) such as ssh-dss-sha256@ssh.com.

It is recommended to create a server-specific connection profile or a generic legacy profile with deprecated DSA algorithms listed last when connecting to old servers if the DSA host key or authorized user public key cannot be changed on the server-side.

(TECT-566) Using OpenSSL 3.0 FIPS container inside Solaris, Linux, and Windows. RSA, ECDSA, and Ed25519 keys are supported in FIPS mode. New DSA keys cannot be generated with Client Configuration GUI when running in FIPS mode. If needed, 3072- or 2048-bit DSA keys can be generated with ssh-keygen-g3 --fips-mode.

(TECT-655) PQC algorithm support for Solaris as a part of the Tectia Quantum Safe Edition.

(TECT-663) Solaris installation packages are now 64-bit.

(TECT-721) Tectia Client now signs always with a SHA-2 algorithm in host-based authentication, and therefore it does not interoperate with old servers that have host-based authentication enabled as a user authentication method. It is recommended to upgrade both the client-side and server-side to the latest Tectia version if host-based authentication is used in the environment.

3. New Features

(TECT-743) Tectia Quantum Safe Edition: Added a new PQC hybrid KEX algorithm curve448-kyber1024-sha512@ssh.com that is supported when FIPS mode is enabled.

(TECT-591) Command-line clients sshg3, sftpg3 and scpg3 now support --template-profile option that can be used with a generic profile, specifying for example required algorithms, when connecting to servers instead of using default or server-specific profiles in ssh-broker-config.xml.

(TECT-710) Command-line clients sshg3, sftpg3 and scpg3 now support --publickey-algs option that specify signature algorithms in preferred order in user publickey authentication. Alternatively, signature-algorithms can be specified in ssh-broker-config.xml.

(TECT-677) Improved user certificate filtering to make it easier to offer the certificates that are more likely to be accepted by the server in user authentication when there are multiple certificates.

(TECT-793) Compatibility for OpenSSH 7.4 server that reports incorrect server-sig-algs extension so that ed25519 or ecdsa keys can be used.

4. Bug Fixes

(TECT-762) Fixed an issue with proxy ruleset so that IP range is no longer ignored in direct configuration. Previously configured proxy was always used for all client connections. 

(TECT-742) Ed25519 user keys can be now used via an authentication agent.

(TECT-746) Fixed an issue with nested authentication agent forwarding that could in some conditions result in signature failure with External key provider error after waiting for 5 minutes.

(TECT-704) Broker no longer crashes when “interactive-shy” is set as the key-selection policy under certain conditions.

(TECT-675) Currently, valid user certificates are now prioritized newest first by default.

(TECT-646) Broker no longer crashes when using multiple certificates and the user should choose the certificate when the option 'Prompt user to select the public key' has been selected.

(TECT-554) Broker no longer crashes under certain conditions with OpenSSH Agent.

5. Known Issues

The following issues are currently known to exist in Tectia Client:

(TECT-347) In Windows Server virtual folders are incorrectly resolved, if the users home directory is a virtual folder.

Workaround: Specify commands to use the real path to Windows directories instead of the virtual directories when home directory is a virtual folder.

(FB #38886) All Platforms: scpg3 and sftpg3 with --append overwrite the destination file when the server is OpenSSH 6.4 or older. 

(FB# 39847) AIX: Host-based authentication in FIPS mode requires copying or linking the libcrypto.a to /lib or /usr/lib.

(FB #36224, FB #36221) Windows: Connections Configuration GUI: Dots do not work correctly in profile names or profile folder names, because they are used internally for the profile folder feature.

(FB #36222) Windows: Connections Configuration GUI: Empty connection profile folders are not saved in the Broker configuration.

(FB #36835) All platforms: Remote translation tables only work when the site command X=BIN is used. Local translation tables work as intended.

(FB #19541) Unix/Linux: When logged to the SSH Tectia Server, an executable will fail to start if any parent of the current working directory is not readable and relative paths are used to refer to the executable.

(FB #13818) All Platforms: The usage of IPv6 addresses in certificates is not yet supported.

(FB #3882) z/OS: SFTP fails when attempting to transfer an empty MVS dataset. However, FTP opens the file and proclaims that the transfer is completed without generating an error.

(FB #10425) Unix: if OpenSSL 0.9.8 is installed on the host where Tectia Server is installed, it may fail when using PAM with software that uses that OpenSSL library.

Workaround if FIPS is not used: Rename the libcrypto.so.0.9.8 existent under /opt/tectia/sshlib to another name (note that this will make FIPS mode unusable).

(FB #9840) Solaris: On some Solaris configurations the ssh-capture tool does not function without configuring the operating system. The runtime linking environment must be adjusted to honor the LD_PRELOAD environment variable. See the manual page of crle(1) for details.

(FB #9367) Windows: If the installation fails with error message "An error occurred during the installation of assembly component {B708EB72-AA82-3EB7-8BB0-D845BAB35C93D}. HRESULT: 0x80070BC9" use Windows Update to install required operating system updates. 

(FB #9106) AIX: Executables are now compiled in 64 bit. For PAM to work, the operating system should point to the 64-bit versions of PAM libraries instead of the 32-bit versions. 

(FB #9530) All platforms: Extra checks are done when starting the Tectia Server and Connection Broker in the FIPS mode due to the OpenSSL FIPS cryptographic library health check. This will lead to a noticeable delay in the start of the process on slow machines.

(FB #7726) Windows: --summary-format newline option '\n' does not work on Windows.

(FB #4725) All platforms: The ssh-keygen will always use the default location of the UserConfigDirectory, if no path is specified.

(FB #4705) Linux SE: If the common package is installed with SElinux disabled, the following warning message will be given during the installation:

  •    /usr/bin/chcon: can't apply partial context to unlabeled file
  •    /opt/tectia/lib/shlib/libicudata.so.40
  •    /usr/bin/chcon: can't apply partial context to unlabeled file
  •    /opt/tectia/lib/shlib/libicuuc.so.40

This can be safely ignored. However, if the SElinux enforcing is enabled after the installation, the following command needs to be executed:

  •    /usr/bin/chcon -t textrel_shlib_t /opt/tectia/lib/shlib/*.so

(RQ #18958) Windows: Password cannot be specified in a file with --password command-line option.

(RQ #18674) Windows: Uploading files from "Upload Dialog" of the GUI file transfer tool does not work when "Hide extensions for known file types" of Windows Explorer is set to 'yes'.

Workaround: Enable file extensions. This issue will be fixed in an upcoming maintenance release.

(RQ #17537) Windows: If the "Transparent tunneling" component of Tectia Client or Tectia ConnectSecure is installed on a Windows XP computer in a domain where firewall exceptions are managed by a group policy, the exceptions get changed so that the computer becomes inaccessible from the network.

Workaround: Edit the exceptions manually so that, for example, the server port becomes accessible.

(RQ #17535) Windows: SFTP GUI might cause the existing local copy of a file to be partially overwritten in ASCII mode, when downloading of the file from the remote server fails due to missing file permissions. 

(RQ #17528) All platforms: The scpg3 command shows the transfer time incorrectly if "--statistics=simple" is set.

(RQ #17482) All platforms: When trying to connect to a server that is not available (i.e. the server is not running), the error message returned by sshg3 is "Unable to connect to Broker". It should return "Unable to connect to Server".

(RQ #17368) Windows: Reconnecting to the previously used Connection Profile by pressing Enter in the Tectia Terminal or File Transfer GUI may fail in some cases.

Workaround: Select the profile from the menu.

(RQ #17343) Windows: Removing a token while it is being read could in some cases result in a Tectia Connection Broker failure.

(RQ #17215) Windows: Opening multiple remote tunnels in a profile against OpenSSH servers can cause Tectia Connection Broker to fail.

(RQ #17055) Solaris: Installation packages do not detect the underlying Solaris architecture to prevent installation of the x86-64 packages on x86 architecture. The packages can be installed but they will not work. 

(RQ #16986) Windows: SFTP 'chmod' command is not supported against Tectia Server running on Windows.

(RQ #16902) Unix: If scpg3 is used to copy a file to itself, the file will be truncated and the scpg3 command hangs.

(RQ #16573) Unix: The 'finger' command does not show the idle time correctly when logged in using SFTP.

(RQ #16276) Windows: When running sftpg3 in batch mode, the Connection Broker may log the Broker_channel_process_exit_failed messages with status "Operation failed". These are system internal events and do not indicate any failure in the file transfer operation.

(RQ #16270) Windows: The exit values for scpg3 do not match the values mentioned in the documentation in the following error situations: connection lost, interrupting a file transfer using CTRL+C, trying to copy to a directory, but the destination is not a directory. Nevertheless, in all these cases the return value is non-zero.

(RQ #15996) All platforms: scpg3 does not warn about the existence of directories when shell globbing is used, for example: scpg3 "/tmp/testdir/*" user@server:/tmp However, the correct warning is displayed if the scpg3 command is used without globbing: scpg3 /tmp/testdir/* user@server:/tmp

(RQ #15973) All platforms: The certificate validation path construction from LDAP fails, if the LDAP server requires suffix ';binary' for the PKI binary blob attribute names.

(RQ #15948) Windows: If the Connection Broker is started for another userID using the 'runas' command, the user dialogs are shown for the user who started the process.

(RQ #15921) All platforms: The server creates empty files if a user tries to transfer files without correct server-side permissions. The correct error message is displayed. 

(RQ #15846) Windows: Local TCP tunneling using listener port 0 does not work.

(RQ #15006) Windows: When accessing a Unix host using scpg3 or sftpg3, files with file names that contain characters that are illegal in Windows file names (for example: *, ? and ~) cannot be transferred or accessed if relative paths are used.

Workaround: Use absolute paths for accessing the files on the Unix host and escape the illegal characters with the tilde character '~'. Note also that the files with illegal characters need to be renamed when transferred to Windows. For example, to copy a file "file*name.txt" from user's Unix home directory to Windows: C:\> scpg3.exe user@server:/home/user/file~*name.txt filename.txt

(RQ #14227) Windows: If trying to connect from a Windows GUI client to an OpenSSH server with a public key and option command="ls", the client hangs. When performed with the Windows command-line client (sshg3) it works properly.

(RQ #14226) Windows: When using regular expressions in filter rules the dot character '.' does not work as expected. For example, when using a filter rule for tunneling of telnet.exe using regular expression: '.*.ssh.com' the connection will not be tunneled even if the regular expression matched the host address.

Workaround: Add a '\' in front of the '.' For example, the previous regular expression should be: '.*\.ssh\.com'

(RQ #14222) All platforms: If a wrong passphrase is provided several times for a key, the Connection Broker skips it and proceeds to the next key. If it is an OpenSSH key, once it has been skipped because of a decoding failure, the Connection Broker makes no further attempts to use the key on subsequent login attempts. The Connection Broker must be reloaded or restarted in order to use that OpenSSH key for authentication.

(RQ #14109) Windows: Secure file transfer speed may be slower against Tectia Server on Windows than against Tectia Server on Linux.

(RQ #13377) Windows: If multiple concurrent terminal services sessions are opened for the same user, the services sessions share the same Connection Broker session. This can cause the user banner and dialog boxes to be displayed to the wrong session. Opening several concurrent terminal services sessions for the same user does not provide secure separation of sessions.

(RQ #11836) All platforms: After changing the password on a Secure Shell server, but before logging in with the new password, either the Connection Broker must be restarted to close the previous connection, or the user must wait for the connection to time out (by default 5 seconds). If this is not done, login with the new password will not succeed.

6. Further Information

More information can be found on the Tectia man pages and manuals. Tectia manuals are also available here.

Additional licenses can be purchased by contacting SSH sales.

Tectia Client 6.6.1: Release Notes

Table of Contents

1. Important Changes
2. New Features
3. Bug Fixes

 

1. Important Changes

(TECT-619) Increased default RSA and DSA key size from 2048 bits to 3072 bits and ECDSA from 256 bits to 384 bits. These changes reflect the new minimum values recommended by us for these authentication keys.

(TECT-614) NIST has chosen CRYSTALS-Kyber. Following this decision we have decided to remove SABER from the defaults. However, SABER still remains supported and the PQC hybrid KEX ecdh-nistp521-firesaber-sha512@ssh.com can be enabled in configuration.

You can find more information here.

The new PQC hybrid KEX defaults are:

  • ecdh-nistp521-kyber1024-sha512@ssh.com
  • curve25519-frodokem1344-sha512@ssh.com
  • sntrup761x25519-sha512@openssh.com 

2. New Features

(TECT-611) Added Red Hat Enterprise Linux 9 as a supported installation platform.

(TECT-629) Added support for ncurses 6, which removes the previous dependency for libncurses compat libraries.

3. Bug Fixes

(TECT-609) Fixed a bug with Radius authentication in RHEL that prevented the use of said authentication method.

(TECT-606) User-defined password in connection profile is now only tried once. Previously an incorrect password in connection profile would make the client reattempt the connection until all attempts were exhausted.

(TECT-605) Client GUI connections will now honor passphrase-timeout config setting.

(TECT-587) Compatability improvements with OpenSSH Agent.

 

1. About This Release

The 6.6 release of Tectia Client is declared a Feature Release, and it is supported for 3 years from the release date of 6.6.0. The latest support end dates for Tectia Client/Server are available at: https://www.ssh.com/products/support/end-of-support

This release is based on Tectia Server 6.5.2. Items addressed in this release are listed under the "6.6.0" section.

The 6.6.0 release is available for Linux, AIX, and Windows on x86-64 platforms.

Special items for this release are:

  • Tectia Quantum-Safe Edition with multiple PQC hybrid key exchange algorithms
  • Improvements to certificate validation

We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products, and on Windows also SSH Tectia 6.0.x or older, before installing SSH Tectia  6.6 products.

For the installation instructions, refer to the Tectia Client User Manual.

 

2. Important Changes

Important changes in 6.6.0

(TECT-193) Tectia Quantum-Safe Edition license file enables Post Quantum Cryptography (PQC) algorithms SABER, CHRYSTALS/Kyber, FrodoKEM, and Streamlined NTRU Prime that are used in a Hybrid Key Exchange together with a classical ECDH algorithm. Both the PQC and ECDH algorithms contribute to the key material resulting in a session key that is at least as hard to break as the strongest composite. The hybrid approach mitigates the risk of future attacks on recorded secure shell sessions if weaknesses are discovered in either algorithm.

Note that the server-side, Tectia Server version 6.6 and above, Tectia SSH Server for z/OS version 6.6.12 or above, or OpenSSH version 9.0 or above, needs to also support and allow at least one of the PQC hybrid KEX algorithms or connections will use classical KEX algorithms by default.

Note when upgrading from 6.5.1 with changed configurations or from 6.4.x, the Post-Quantum Cryptography (PQC) algorithms require a Tectia Quantum-Safe Edition license and are not enabled unless explicitly configured.

Please see the Tectia Client example file ssh-broker-config-example.xml

(TECT-541) Due to vulnerabilities discovered in the SHA-1 hashing algorithm, SHA1 algorithms for signatures and key exchange have been removed from client defaults. These algorithms can still be enabled for legacy reasons for example in profile settings when connecting to a particular legacy server. For fallback configuration please see the Tectia Client example file ssh-broker-config-example.xml in the system-wide configuration directory. It is important to understand that SHA-1 algorithms are deprecated due to security issues and should not be enabled without a critical legacy dependency for them.

Enabling SHA-1 algorithms is not recommended by us.

  • ssh-rsa (RSA/SHA1) is no longer included in public-key signature algorithms nor host key algorithms default values. We recommended using SHA2 variants  (e.g. rsa-sha2-256, ssh-rsa-sha256@ssh.com) for existing RSA keys.
  • ssh-dss (DSA/SHA1) is no longer included in public-key signature algorithms nor host key algorithms. We recommend using SHA2 variants (e.g. ssh-dss-sha256@ssh.com) for existing DSA keys and creating additional RSA, ED25519, or ECDSA key(s)  for better interoperability with third-party clients/servers.
  • diffie-hellman-group-exchange-sha1 (DH-GEX-SHA1) and diffie-hellman-group14-sha1 are no longer included in key exchange default values. We recommend using SHA2 variants (e.g. diffie-hellman-group-exchange-sha256 and diffie-hellman-group14-sha256).

SHA2 variants @ssh.com algorithms have been supported in Tectia Client/Server since version 6.2.0 released in 2011. Standardized SHA2 variants since version 6.4.18.

HMAC SHA1 algorithms still remain in client defaults. Although NIST has formally deprecated the use of SHA-1 for digital signatures, SHA-1 is still considered secure forHMAC as the security of HMAC does not rely on the underlying hash function being resistant to collisions.

CBC mode ciphers are no longer included in client defaults. Although there are no known vulnerabilities for current versions, there are better counter modes available such as GMC. CBC mode ciphers can still be manually enabled in the client configuration. This change was made to alleviate false positives in security audits. Our recommendation is to use CTR mode and GCM mode over CBC mode whenever possible and use CBC mode only when it is not possible to use the other two counter modes with ciphers.

3. New Features

The following new features have been implemented in Tectia Client:

New Features in 6.6.0

(TECT-193) Added support for Post Quantum Cryptography (PQC) hybrid key exchange algorithms.

Following PQC hybrid KEX algorithms are supported and enabled by default when a Tectia Quantum-Safe Edition license is installed:

  • ecdh-nistp521-firesaber-sha512@ssh.com
  • ecdh-nistp521-kyber1024-sha512@ssh.com
  • curve25519-frodokem1344-sha512@ssh.com
  • sntrup761x25519-sha512@openssh.com

Tectia Client prefers the PQC hybrid KEX algorithms over classical KEX  algorithms in the above order by default.

(TECT-571) Added support for IBM AIX 7.3

(TECT-557) sftpg3 command-line client: also sha256 and sha512 can now be used with digest command with servers that support the hashes.

New Features in 6.5.2

There are no new features introduced in this release.

New Features in 6.5.1

(TECT-194) Windows: Japanese localization for Tectia Client. The feature can be enabled with a separate license.

(TECT-95) Windows: Japanese character set Shift-JIS supported on Tectia Client File Transfer GUI and Terminal GUI.

(TECT-94) Windows: Tectia Client File Transfer GUI and Terminal GUI support UTF-8.

(TECT-462) Windows 11, Windows Server 2022, SUSE Linux Desktop 15, and SUSE Linux Enterprise Server 15 (x86-64) were added as supported installation platforms.

(TECT-313) Added support for x509-certificate-chain for user and host certificates and standardized X.509v3 signature algorithms defined in RFC6187.

Following signature-algorithms and host key-algorithm are supported:

  • x509v3-rsa2048-sha256
  • x509v3-ecdsa-sha2-nistp256
  • x509v3-ecdsa-sha2-nistp384
  • x509v3-ecdsa-sha2-nistp521
  • x509v3-ssh-dss (DSA/SHA1 not enabled by default on server-side)
  • x509v3-ssh-rsa (RSA/SHA1 not enabled by default on server-side)

(TECT-147) Added support for OpenSSH user and host certificates.

Following signature-algorithms and host key-algorithm are supported:

  • ecdsa-sha2-nistp256-cert-v01@openssh.com
  • ecdsa-sha2-nistp384-cert-v01@openssh.com
  • ecdsa-sha2-nistp521-cert-v01@openssh.com
  • ssh-ed25519-cert-v01@openssh.com
  • rsa-sha2-256-cert-v01@openssh.com
  • rsa-sha2-512-cert-v01@openssh.com
  • ssh-rsa-cert-v01@openssh.com (RSA/SHA1 not enabled by default)
  • ssh-dss-cert-v01@openssh.com (DSA/SHA1 not enabled by default)

(TECT-492) Added curve25519-sha256@libssh.org to client and server key exchange defaults for better interoperability with 3rd party implementations that do not support standardized curve25519-sha256.

(TECT-365) Windows: OpenSSH-style system-wide C:\ProgramData\SSH\ssh_known_hosts is now  checked after C:\ProgramData\SSH\HostKeys\ folder for existing saved public  host keys.

(TECT-349) External program command-line now supports '%U' (username) and '%H' (hostname) substitutions. The custom program is expected to return with exit value 0 for success within 70 seconds.

Example external-program commands with username and hostname substitution:

  • sshg3 --password="extprog://getpass.sh %U"
  • sshg3 --password="extprog://%U/pass.sh"
  • sshg3 --password="extprog://%U_%H.sh"

(TECT-228) Tectia Client Configuration GUI now stores saved passwords in base64 encoded format using string-base64 attribute for non-interactive connections. Also, passwords with special characters can be used. Public-key authentication or external password program is recommended instead of saved passwords.

(TECT-290) ssh-keygen-g3 --append=no option now correctly truncates saved public host key file so that shorter keys can be used to replace longer keys, for example, an ECDSA key to replace an RSA key. Now subsequent alternate identities can be appended correctly.

(TECT-160) Windows: Tectia Client File Transfer GUI has now 'Filter bar' toolbar for local and remote file list to filter folders and files using a glob pattern, e.g. '*.txt' in current folder.

(TECT-219) RFC8308 server-sig-algs extension is now supported also on client-side. User public-key authentication is less likely to fail for example against OpenSSH server due to too many failed attempts when only signature algorithms that the server supports are attempted.

 

4. Bug Fixes

The following fixes have been implemented in Tectia Client:

Bug Fixes in 6.6.0

(TECT-544) Tectia Client Configuration GUI now correctly disables "use proxy rule" for profiles when the option is toggled.

(TECT-559) Tectia Client Configuration GUI can be used again to add multiple local tunnel configurations.

(TECT-564) Fixed an issue with OCSP certificate validation that may have resulted in  Certificate_validation_failure with error time-interval-was-invalid even if valid CRL was available when check against OCSP responder failed.

Bug Fixes in 6.5.2

There are no Tectia Client bug fixes introduced in this release.

Bug Fixes in 6.5.1

(TECT-308) sshg3 -f, --fork-into-background option no longer prevents executing the remote command.

(TECT-190) Current terminal size is now requested also in the initial window size request that previously used always Terminal height: 24 rows. This improves interoperability with 3rd party servers like Cisco routers that do not implement the window-change message defined in RFC4254.

(TECT-201) sftpg3 and scpg3 no longer send file size in attributes during file open as some 3rd party server implementations incorrectly rely on it as final size resulting in 0 byte file.

(TECT-136) Race condition in buffer, data structure and program memory release are fixed in sftpg3.

(TECT-142) Fixed a race condition that sometimes could lead to a crash of scpg3 client when new hostkey was not saved by user or declined by-design in batch mode.

(TECT-176) Fixed a race condition that sometimes could lead to a crash of ssh-broker-g3  when connection was attempted.

(TECT-306) Windows: Tectia Client GUI command-line options now overwrite the values in connection profile.

'ssh-client-g3 [-h host] [-u user] [-p port] [profile]'

(TECT-336) When user key renewal is disabled, the client no longer reports "Client key rotation failed: Key id N not found." upon successful public key authentication when -K --identity-key-file or --identity option is used.

Note that user key renewal should not be enabled if explicit key is defined in scripts as next login will fail after user key has been renewed.

(TECT-464) Client now uploads the new key correctly to found location(s) during user key renewal. Previously, if Tectia Server was configured to use exclusively openssh-authorized-keys-file="%D/.ssh/authorized_keys" or  authorization-file="%D/.ssh2/authorization", the new key was uploaded to %D/.ssh2/authorized_keys directory only.

Note that the client is able to check if the old key is found from the default locations. (TECT-311)- Windows: When a non-responsive SOCKS proxy is used for a connection,  non-matching TCP connect attempts no longer block until proxied connection times out after 60 seconds.

(TECT-210) SHA2 signature algorithm can be now used with RSA keys with OpenSSH agent forwarding that implements agent forwarding protocol version 1.

(TECT-246) Passphrase protected key that is locked can now be used through agent  forwarding if broker GUI is able to prompt the user for passphrase.

(TECT-127) OpenSSL generated passphrase protected PKCS#8 key no longer fails to be decoded.

 

5. Known Issues

The following issues are currently known to exist in Tectia Client:

(FB #38886) All Platforms: scpg3 and sftpg3 with --append overwrite the destination file when the server is OpenSSH 6.4 or older.

(FB# 39847) AIX: Host-based authentication in FIPS mode requires copying or linking the libcrypto.a to /lib or /usr/lib.

(FB #36224, FB #36221) Windows: Connections Configuration GUI: Dots do not work correctly in profile names or profile folder names, because they are used internally for the profile folder feature.

(FB #36222) Windows: Connections Configuration GUI: Empty connection profile folders are not saved in the Broker configuration.

(FB #36835) All platforms: Remote translation tables only work when the site command X=BIN is used. Local translation tables work as intended.

(FB #19541) Unix/Linux: When logged to the SSH Tectia Server, an executable will fail to start if any parent of the current working directory is not readable and relative paths are used to refer to the executable.

(FB #13818) All Platforms: The usage of IPv6 addresses in certificates is not yet supported.

(FB #3882) z/OS: SFTP fails when attempting to transfer an empty MVS dataset. However, FTP opens the file and proclaims that the transfer is completed without generating an error.

(FB #10425) Unix: if OpenSSL 0.9.8 is installed on the host where Tectia Server is installed, it may fail when using PAM with software that uses that OpenSSL library. Workaround if FIPS is not used: Rename the libcrypto.so.0.9.8 existent under /opt/tectia/sshlib to another name (note that this will make FIPS mode unusable).

(FB #9840) Solaris: On some Solaris configurations the ssh-capture tool does not function without configuring the operating system. The runtime linking environment must be adjusted to honor the LD_PRELOAD environment variable. See the manual page of crle(1) for details.

(FB #9367) Windows: If the installation fails with error message "An error occurred during the installation of assembly component {B708EB72-AA82-3EB7-8BB0- D845BAB35C93D}. HRESULT: 0x80070BC9" use Windows Update to install required operating system updates.

(FB #9106) AIX: Executables are now compiled in 64 bit. For PAM to work, the operating system should point to the 64-bit versions of PAM libraries instead of the 32-bit versions.

(FB #9530) All platforms: Extra checks are done when starting the Tectia Server and Connection Broker in the FIPS mode due to the OpenSSL FIPS cryptographic library health check. This will lead to a noticeable delay in the start of the process on slow machines.

(FB #7726) Windows: --summary-format newline option '\n' does not work on Windows.

(FB #4725) All platforms: The ssh-keygen will always use the default location of the UserConfigDirectory, if no path is specified.

(FB #4705) Linux SE: If the common package is installed with SElinux disabled, the following warning message will be given during the installation:

  • /usr/bin/chcon: can't apply partial context to unlabeled file
  • /opt/tectia/lib/shlib/libicudata.so.40
  • /usr/bin/chcon: can't apply partial context to unlabeled file
  • /opt/tectia/lib/shlib/libicuuc.so.40

This can be safely ignored. However, if the SElinux enforcing is enabled after the installation, the following command needs to be executed: /usr/bin/chcon -t textrel_shlib_t /opt/tectia/lib/shlib/*.so

(RQ #18958) Windows: Password cannot be specified in a file with --password command-line option.

(RQ #18674) Windows: Uploading files from "Upload Dialog" of the GUI file transfer tool does not work when "Hide extensions for known file types" of Windows Explorer is set to 'yes'. Workaround: Enable file extensions. This issue will be fixed in an upcoming maintenance release.

(RQ #17537) Windows: If the "Transparent tunneling" component of Tectia Client or Tectia ConnectSecure is installed on a Windows XP computer in a domain where firewall exceptions are managed by a group policy, the exceptions get changed so that the computer becomes inaccessible from the network. Workaround: Edit the exceptions manually so that, for example, the server port becomes accessible.

(RQ #17535) Windows: SFTP GUI might cause the existing local copy of a file to be partially overwritten in ASCII mode, when downloading of the file from the remote server fails due to missing file permissions.

(RQ #17528) All platforms: The scpg3 command shows the transfer time incorrectly if "--statistics=simple" is set.

(RQ #17482) All platforms: When trying to connect to a server that is not available (i.e. the server is not running), the error message returned by sshg3 is "Unable to connect to Broker". It should return "Unable to connect to Server".

(RQ #17368) Windows: Reconnecting to the previously used Connection Profile by pressing Enter in the Tectia Terminal or File Transfer GUI may fail in some cases. Workaround: Select the profile from the menu.

(RQ #17343) Windows: Removing a token while it is being read could in some cases result in a Tectia Connection Broker failure.

(RQ #17215) Windows: Opening multiple remote tunnels in a profile against OpenSSH servers can cause Tectia Connection Broker to fail.

(RQ #17055) Solaris: Installation packages do not detect the underlying Solaris architecture to prevent installation of the x86-64 packages on x86 architecture. The packages can be installed but they will not work.

(RQ #16986) Windows: SFTP 'chmod' command is not supported against Tectia Server running on Windows.

(RQ #16902) Unix: If scpg3 is used to copy a file to itself, the file will be truncated and the scpg3 command hangs.

(RQ #16573) Unix: The 'finger' command does not show the idle time correctly when logged in using SFTP.

(RQ #16276) Windows: When running sftpg3 in batch mode, the Connection Broker may log the Broker_channel_process_exit_failed messages with status "Operation failed". These are system internal events and do not indicate any failure in the file transfer operation.

(RQ #16270) Windows: The exit values for scpg3 do not match the values mentioned in the documentation in the following error situations: connection lost, interrupting a file transfer using CTRL+C, trying to copy to a directory, but the destination is not a directory. Nevertheless, in all these cases the return value is non-zero.

(RQ #15996) All platforms: scpg3 does not warn about the existence of directories when shell globbing is used, for example: scpg3 "/tmp/testdir/*" user@server:/tmp However, the correct warning is displayed if the scpg3 command is used without globbing: scpg3 /tmp/testdir/* user@server:/tmp

(RQ #15973) All platforms: The certificate validation path construction from LDAP fails, if the LDAP server requires suffix ';binary' for the PKI binary blob attribute names.

(RQ #15948) Windows: If the Connection Broker is started for another userID using the 'runas' command, the user dialogs are shown for the user who started the process.

(RQ #15921) All platforms: The server creates empty files if a user tries to transfer files without correct server-side permissions. The correct error message is displayed.

(RQ #15846) Windows: Local TCP tunneling using listener port 0 does not work.

(RQ #15006) Windows: When accessing a Unix host using scpg3 or sftpg3, files with file names that contain characters that are illegal in Windows file names (for example: *, ? and ~) cannot be transferred or accessed if relative paths are used. Workaround: Use absolute paths for accessing the files on the Unix host and escape the illegal characters with the tilde character '~'.

Note also that the files with illegal characters need to be renamed when transferred to Windows. For example, to copy a file "file*name.txt" from user's Unix home directory to Windows: C:\> scpg3.exe user@server:/home/user/file~*name.txt filename.txt

(RQ #14227) Windows: If trying to connect from a Windows GUI client to an OpenSSH server with a public key and option command="ls", the client hangs. When performed with the Windows command-line client (sshg3) it works properly.

(RQ #14226) Windows: When using regular expressions in filter rules the dot character '.' does not work as expected. For example, when using a filter rule for tunneling of telnet.exe using regular expression: '.*.ssh.com' the connection will not be tunneled even if the regular expression matched the host address. Workaround: Add a '\' in front of the '.' For example, the previous regular expression should be: '.*\.ssh\.com'

(RQ #14222) All platforms: If a wrong passphrase is provided several times for a key, the Connection Broker skips it and proceeds to the next key. If it is an OpenSSH key, once it has been skipped because of a decoding failure, the Connection Broker makes no further attempts to use the key on subsequent login attempts. The Connection Broker must be reloaded or restarted in order to use that OpenSSH key for authentication.

(RQ #14109) Windows: Secure file transfer speed may be slower against Tectia Server on Windows than against Tectia Server on Linux.

(RQ #13377) Windows: If multiple concurrent terminal services sessions are opened for the same user, the services sessions share the same Connection Broker session. This can cause the user banner and dialog boxes to be displayed to the wrong session. Opening several concurrent terminal services sessions for the same user does not provide secure separation of sessions.

(RQ #11836) All platforms: After changing the password on a Secure Shell server, but before logging in with the new password, either the Connection Broker must be restarted to close the previous connection, or the user must wait for the connection to time out (by default 5 seconds). If this is not done, login with the new password will not succeed.

 

6. Further Information

More information can be found on the Tectia man pages and manuals. Tectia manuals are also available from https://www.ssh.com/manuals/  

Additional licenses can be purchased by contacting sales at https://www.ssh.com/.

1. About This Release

-----------------------

The 6.5 release of Tectia Client is declared Feature Release, and it is supported for 2 years from the release date of 6.5.1. The latest support end
dates for Tectia Client/Server are available at:

https://www.ssh.com/products/support/end-of-support

This release is based on Tectia Client 6.4.20. Items addressed in this release are listed under the "6.5.1" section.

Special items for this release are:

  • Japanese localization for Tectia Client GUI on Windows

  • UTF-8 and Japanese font Shift-JIS support for Tectia Client GUI on Windows

  • Standardized X.509v3 and OpenSSH certificate support


We recommend uninstalling any SSH Secure Shell and SSH Tectia 4.x products, and on Windows also SSH Tectia 6.0.x or older, before installing SSH Tectia  6.5 products.

For the installation instructions, refer to the Tectia Client User Manual.

2. Important Changes

----------------------
(TECT-511)
CTR mode ciphers aes128-ctr, aes192-ctr and aes256-ctr are preferred over CBC mode ciphers in client default values. Also 3des-cbc has been remove from defaults.

Due to vulnerabilities discovered in the SHA-1 hashing algorithm, SHA1 algorithms for signatures and key exchange shall be deprecated and removed from client defaults in future releases. SHA2 has already been preferred over SHA1 in client defaults since version 6.4.18.

In future releases:

  • ssh-rsa (RSA/SHA1) will no longer be included in public-key signature algorithms nor host key algorithms default values. It is recommended to start using SHA2 variants (e.g. rsa-sha2-256, ssh-rsa-sha256@ssh.com) for existing RSA keys.

  • ssh-dss (DSA/SHA1) will no longer be included in public-key signature algorithms nor host key algorithms default values. It is recommended to start using SHA2 variants (e.g. ssh-dss-sha256@ssh.com) for existing DSA keys and create additional RSA, ED25519, or ECDSA key(s) for better interoperability with third-party clients/servers.

  • diffie-hellman-group-exchange-sha1 (DH-GEX-SHA1) and diffie-hellman-group14-sha1 will no longer be included in key exchange default values. It is recommended to start using SHA2 variants (e.g. diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha256 and diffie-hellman-group14-sha256@ssh.com).

  • SHA2 variants @ssh.com algoritms have been supported in Tectia Client/Server since version 6.2.0 released in 2011. Standardized SHA2 variants since version 6.4.18.

 

3. New Features

The following new features have been implemented in Tectia Client:

(TECT-194)
- Windows: Japanese localization for Tectia Client. Feature can be enabled with a separate license.

(TECT-95)
- Windows: Japanese character set Shift-JIS supported on Tectia Client File
Transfer GUI and Terminal GUI.

(TECT-94)
- Windows: Tectia Client File Transfer GUI and Terminal GUI support UTF-8.

(TECT-462)
- Windows 11, Windows Server 2022, SUSE Linux Desktop 15 and SUSE Linux
Enterprise Server 15 (x86-64) added as supported installation platforms.

(TECT-313)
- Added support for x509-certificate-chain for user and host certificates and standardized X.509v3 signature algorithms defined in RFC6187.

Following signature-algorithms and hostkey-algorithm are supported:

  • x509v3-rsa2048-sha256

  • x509v3-ecdsa-sha2-nistp256

  • x509v3-ecdsa-sha2-nistp384

  • x509v3-ecdsa-sha2-nistp521

  • x509v3-ssh-dss (DSA/SHA1 not enabled by default on server-side)

  • x509v3-ssh-rsa (RSA/SHA1 not enabled by default on server-side)


(TECT-147)
- Added support for OpenSSH user and host certificates.

Following signature-algorithms and hostkey-algorithm are supported:

  • ecdsa-sha2-nistp256-cert-v01@openssh.com

  • ecdsa-sha2-nistp384-cert-v01@openssh.com

  • ecdsa-sha2-nistp521-cert-v01@openssh.com

  • ssh-ed25519-cert-v01@openssh.com

  • rsa-sha2-256-cert-v01@openssh.com

  • rsa-sha2-512-cert-v01@openssh.com

  • ssh-rsa-cert-v01@openssh.com (RSA/SHA1 not enabled by default)

  • ssh-dss-cert-v01@openssh.com (DSA/SHA1 not enabled by default)


(TECT-492)
- Added curve25519-sha256@libssh.org to client and server key exchange defaults for better interoperability with 3rd party implementations that do not support standardized curve25519-sha256.

(TECT-365)
- Windows: OpenSSH-style system-wide C:\ProgramData\SSH\ssh_known_hosts is now checked after C:\ProgramData\SSH\HostKeys\ folder for existing saved public hostkeys.

(TECT-349)
- External program command-line now supports '%U' (username) and '%H' (hostname) substitutions. The custom program is expected to return with exit value 0 for success within 70 seconds.

Example external-program commands with username and hostname substitution:

  • sshg3 --password="extprog://getpass.sh %U"

  • sshg3 --password="extprog://%U/pass.sh"

  • sshg3 --password="extprog://%U_%H.sh"


(TECT-228)
- Tectia Client Configuration GUI now stores saved password in base64 encoded format using string-base64 attribute for non-interactive connections. Also passwords with special character " can be used. Public-key authentication or external password program is recommended instead of saved passwords.

(TECT-290)
- ssh-keygen-g3 --append=no option now correctly truncates saved public hostkey file so that shorter keys can be used to replace longer keys, for example an ECDSA key to replace a RSA key. Now subsequent alternate identities can be appended correctly.

(TECT-160)
- Windows: Tectia Client File Transfer GUI has now 'Filter bar' toolbar for local and remote file list to filter folders and files using a glob pattern, e.g. '*.txt' in current folder.

(TECT-219)
- RFC8308 server-sig-algs extension is now supported also on client-side. User public-key authentication is less likely to fail for example against OpenSSH server due to too many failed attempts when only signature algorithms that the server supports are attempted.

 

4. Bug Fixes

--------------

The following fixes have been implemented in Tectia Client:

Bug Fixes in 6.5.1
------------------

(TECT-308)
- sshg3 -f, --fork-into-background option no longer prevents executing the remote command.

(TECT-190)
- Current terminal size is now requested also in the initial window size request that previously used always Terminal height: 24 rows. This improves interoperabilit with 3rd party servers like Cisco routers that do not implement window-change message defined in RFC4254.

(TECT-201)
- sftpg3 and scpg3 no longer send file size in attributes during file open as some 3rd party server implementations incorrectly rely on it as final size resulting in 0 byte file.

(TECT-136)
- Race condition in buffer, data structure and program memory release are fixed in sftpg3.

(TECT-142)
- Fixed a race condition that sometimes could lead to a crash of scpg3 client when new hostkey was not saved by user or declined by-design in batch mode.

(TECT-176)
- Fixed a race condition that sometimes could lead to a crash of ssh-broker-g3 when connection was attempted.

(TECT-306)
- Windows: Tectia Client GUI command-line options now overwrite the values in connection profile.

'ssh-client-g3 [-h host] [-u user] [-p port] [profile]'

(TECT-336)
- When user key renewal is disabled, the client no longer reports "Client key rotation failed: Key id N not found." upon successful publickey authentication when -K --identity-key-file or --identity option is used. Note that user key renewal should not be enabled if explicit key is defined in scripts as next login will fail after user key has been renewed.

(TECT-464)
- Client now uploads the new key correctly to found location(s) during user key renewal. Previously, if Tectia Server was configured to use exclusively openssh-authorized-keys-file="%D/.ssh/authorized_keys" or authorization-file="%D/.ssh2/authorization", the new key was uploaded to %D/.ssh2/authorized_keys directory only. Note that the client is able to check if the old key is found from the default locations.

(TECT-311)
- Windows: When a non-responsive SOCKS proxy is used for a connection, non-matching TCP connect attempts no longer block until proxied connection times out after 60 seconds.

(TECT-210)
- SHA2 signature algoritm can be now used with RSA keys with OpenSSH agent forwarding that implements agent forwarding protocol version 1.

(TECT-246)
- Passphrase protected key that is locked can now be used through agent forwarding if broker GUI is able to prompt the user for passphrase.

(TECT-127)
- OpenSSL generated passphrase protected PKCS#8 key no longer fails to be decoded.

 

5. Known Issues

-----------------
The following issues are currently known to exist in Tectia Client:

(FB #38886)
- All Platforms: scpg3 and sftpg3 with --append overwrite the destination file when the server is OpenSSH 6.4 or older.

(FB# 39847)
- AIX: Host-based authentication in FIPS mode requires copying or linking the libcrypto.a to /lib or /usr/lib.

(FB #36224, FB #36221)
- Windows: Connections Configuration GUI: Dots do not work correctly in profile names or profile folder names, because they are used internally for the profile folder feature.

(FB #36222)
- Windows: Connections Configuration GUI: Empty connection profile folders are not saved in the Broker configuration.

(FB #36835)
- All platforms: Remote translation tables only work when the site command X=BIN is used. Local translation tables work as intended.

(FB #19541)
- Unix/Linux: When logged to the SSH Tectia Server, an executable will fail to start if any parent of the current working directory is not readable and relative paths are used to refer to the executable.

(FB #13818)
- All Platforms: The usage of IPv6 addresses in certificates is not yet supported.

(FB #3882)
- z/OS: SFTP fails when attempting to transfer an empty MVS dataset. However, FTP opens the file and proclaims that the transfer is completed without generating an error.

(FB #10425)
- Unix: if OpenSSL 0.9.8 is installed on the host where Tectia Server is installed, it may fail when using PAM with software that uses that OpenSSL library. Workaround if FIPS is not used: Rename the libcrypto.so.0.9.8 existent under /opt/tectia/sshlib to another name (note that this will make FIPS mode unusable).

(FB #9840)
- Solaris: On some Solaris configurations the ssh-capture tool does not function without configuring the operating system. The runtime linking environment must be adjusted to honor the LD_PRELOAD environment variable. See the manual page of crle(1) for details.

(FB #9367)
- Windows: If the installation fails with error message "An error occurred during the installation of assembly component {B708EB72-AA82-3EB7-8BB0-D845BAB35C93D}. HRESULT: 0x80070BC9" use Windows Update to install required operating system updates.

(FB #9106)
- AIX: Executables are now compiled in 64 bit. For PAM to work, the operating system should point to the 64-bit versions of PAM libraries instead of the 32-bit versions.

(FB #9530)
- All platforms: Extra checks are done when starting the Tectia Server and Connection Broker in the FIPS mode due to the OpenSSL FIPS cryptographic library health check. This will lead to a noticeable delay in the start of the process on slow machines.

(FB #7726)
- Windows: --summary-format newline option '\n' does not work on Windows.

(FB #4725)
- All platforms: The ssh-keygen will always use the default location of the UserConfigDirectory, if no path is specified.

(FB #4705)
- Linux SE: If the common package is installed with SElinux disabled, the following warning message will be given during the installation:
/usr/bin/chcon: can't apply partial context to unlabeled file
/opt/tectia/lib/shlib/libicudata.so.40
/usr/bin/chcon: can't apply partial context to unlabeled file
/opt/tectia/lib/shlib/libicuuc.so.40
This can be safely ignored. However, if the SElinux enforcing is enabled
after the installation, the following command needs to be executed:
/usr/bin/chcon -t textrel_shlib_t /opt/tectia/lib/shlib/*.so

(RQ #18958)
- Windows: Password cannot be specified in a file with --password command-line option.

(RQ #18674)
- Windows: Uploading files from "Upload Dialog" of the GUI file transfer tool does not work when "Hide extensions for known file types" of Windows Explorer is set to 'yes'. Workaround: Enable file extensions. This issue will be fixed in an upcoming maintenance release.

(RQ #17537)
- Windows: If the "Transparent tunneling" component of Tectia Client or Tectia ConnectSecure is installed on a Windows XP computer in a domain where firewall exceptions are managed by a group policy, the exceptions get changed so that the computer becomes inaccessible from the network. Workaround: Edit the exceptions manually so that, for example, the server port becomes accessible.

(RQ #17535)
- Windows: SFTP GUI might cause the existing local copy of a file to be partially overwritten in ASCII mode, when downloading of the file from the remote server fails due to missing file permissions.

(RQ #17528)
- All platforms: The scpg3 command shows the transfer time incorrectly if "--statistics=simple" is set.

(RQ #17482)
- All platforms: When trying to connect to a server that is not available (i.e. the server is not running), the error message returned by
sshg3 is "Unable to connect to Broker". It should return "Unable to connect to Server".

(RQ #17368)
- Windows: Reconnecting to the previously used Connection Profile by pressing Enter in the Tectia Terminal or File Transfer GUI may fail in
some cases. Workaround: Select the profile from the menu.

(RQ #17343)
- Windows: Removing a token while it is being read could in some cases result in a Tectia Connection Broker failure.

(RQ #17215)
- Windows: Opening multiple remote tunnels in a profile against OpenSSH servers can cause Tectia Connection Broker to fail.

(RQ #17055)
- Solaris: Installation packages do not detect the underlying Solaris architecture to prevent installation of the x86-64 packages on x86
architecture. The packages can be installed but they will not work.

(RQ #16986)
- Windows: SFTP 'chmod' command is not supported against Tectia Server running on Windows.

(RQ #16902)
- Unix: If scpg3 is used to copy a file to itself, the file will be truncated and the scpg3 command hangs.

(RQ #16573)
- Unix: The 'finger' command does not show the idle time correctly when logged in using SFTP.

(RQ #16276)
- Windows: When running sftpg3 in batch mode, the Connection Broker may log the Broker_channel_process_exit_failed messages with status "Operation failed". These are system internal events and do not indicate any failure in the file transfer operation.

(RQ #16270)
- Windows: The exit values for scpg3 do not match the values mentioned in the documentation in the following error situations: connection lost, interrupting a file transfer using CTRL+C, trying to copy to a directory, but the destination is not a directory. Nevertheless, in all these cases the return value is non-zero.

(RQ #15996)
- All platforms: scpg3 does not warn about the existence of directories when shell globbing is used, for example:
scpg3 "/tmp/testdir/*" user@server:/tmp

However, the correct warning is displayed if the scpg3 command is used without globbing:
scpg3 /tmp/testdir/* user@server:/tmp

(RQ #15973)
- All platforms: The certificate validation path construction from LDAP fails, if the LDAP server requires suffix ';binary' for the PKI binary blob
attribute names.

(RQ #15948)
- Windows: If the Connection Broker is started for another userID using the 'runas' command, the user dialogs are shown for the user who started the process.

(RQ #15921)
- All platforms: The server creates empty files if a user tries to transfer files without correct server-side permissions. The correct error message is displayed.

(RQ #15846)
- Windows: Local TCP tunneling using listener port 0 does not work.

(RQ #15006)
- Windows: When accessing a Unix host using scpg3 or sftpg3, files with file names that contain characters that are illegal in Windows file names (for example: *, ? and ~) cannot be transferred or accessed if relative paths are used.

Workaround: Use absolute paths for accessing the files on the Unix host and escape the illegal characters with the tilde character '~'. Note also that the files with illegal characters need to be renamed when transferred to Windows. For example, to copy a file "file*name.txt" from user's Unix home directory to Windows:
C:\> scpg3.exe user@server:/home/user/file~*name.txt filename.txt

(RQ #14227)
- Windows: If trying to connect from a Windows GUI client to an OpenSSH server with a public key and option command="ls", the client hangs. When performed with the Windows command-line client (sshg3) it works properly.

(RQ #14226)
- Windows: When using regular expressions in filter rules the dot character '.' does not work as expected. For example, when using a filter rule for tunneling of telnet.exe using regular expression: '.*.ssh.com' the connection will not be tunneled even if the regular expression matched the
host address. Workaround: Add a '\' in front of the '.' For example, the previous regular expression should be: '.*\.ssh\.com'

(RQ #14222)
- All platforms: If a wrong passphrase is provided several times for a key, the Connection Broker skips it and proceeds to the next key. If it is an OpenSSH key, once it has been skipped because of a decoding failure, the Connection Broker makes no further attempts to use the key on subsequent login attempts. The Connection Broker must be reloaded or restarted in order to use that OpenSSH key for authentication.

(RQ #14109)
- Windows: Secure file transfer speed may be slower against Tectia Server on Windows than against Tectia Server on Linux.

(RQ #13377)
- Windows: If multiple concurrent terminal services sessions are opened for the same user, the services sessions share the same Connection Broker session. This can cause the user banner and dialog boxes to be displayed to the wrong session. Opening several concurrent terminal services sessions for the same user does not provide secure separation of sessions.

(RQ #11836)
- All platforms: After changing the password on a Secure Shell server, but before logging in with the new password, either the Connection Broker must be restarted to close the previous connection, or the user must wait for the connection to time out (by default 5 seconds). If this is not done, login with the new password will not succeed.

 

6. Further Information

------------------------

More information can be found on the Tectia man pages and manuals. Tectia manuals are also available from https://www.ssh.com/manuals/

Additional licenses can be purchased by contacting sales at
https://www.ssh.com/.