VShell(TM) Server for UNIX 2.2.6 (Official) -- April 22, 2004 Copyright © 1995-2004 VanDyke Software, Inc. All rights reserved. This file contains a VShell product history. It includes lists of new features, changes, and bug fixes sorted by release. For a product description, installation notes, registration, and contact information, please refer to readme.txt (downloaded with this package). Changes in VShell 2.2.6 Official -- April 22, 2004 -------------------------------------------------- Bug fixes: - All VanDyke Software products sent invalid sftp v3 attribute packets. This only affected SSH Communications clients connecting to VShell for UNIX servers. If the client was affected by this, they might disconnect. Changes in VShell 2.2.5 Official -- February 24, 2004 ----------------------------------------------------- New features: - vshelld_config option "SendDisconnectErrorsToClient". Allows those that want it to give the client more information about why they have been disconnected (e.g., VShell Connection Limits Exceeded). Changes: - Filtered out the following log message: "Reached the end of the file". - Invalid options in the vshelld_config caused warnings about invalid data when vshelld was run, yet starting VShell with the -t (test configuration) option, would indicate that the configuration file was valid. It now states that no fatal errors were found, but warnings may exist. Bug fixes: - vsh, vcp and vsftp were looking for the incorrect license file and therefore stopped working after 90 days even when a registered license file existed. - vsh/vcp: The -auth flag was not working for vsh and vcp if more than one authentication method was specified. - VShell could crash if a disconnect was sent at the same time a key exchange happened. - If the ident string was read after VShell started to disconnect, the client could get an "invalid packet header" error. - Upload triggers did not fire if the file was opened "read/write" vs. "write" as is the case with some clients. Upload triggers now fire if the file is opened read/write or write only. Changes in VShell 2.2.4 Official -- January 8, 2004 --------------------------------------------------- Changes: - The installer was modified to include the vshell_pid.txt file so the command-line utilities will use the VShell license information. - Modified the VShell RPM init script to no longer create an /etc/software/init.d folder. It now puts the init script in /etc/init.d. Bug fixes: - The epm-generated RPM file was causing spurious messages such as "vshelld not running" after an upgrade when in fact it was. Changes in VShell 2.2.3 Official -- November 11, 2003 ----------------------------------------------------- New features: - Configuration option "EnableSharingForSftpOpen" in vshelld_config (defaults to false). When this option is true, the SftpFileHandle will open files for shared read, write, and delete. This allows a file that is held open exclusively (such as the log files) to be transferred. - Configuration option "DefaultUmask" in vshelld_config. This defaults to 077. - vsh: Support for the user@host syntax as well as the -l user syntax. - vsh: Option "-nopty" which does not request a pty upon connection. Changes: - vsh/vcp: Can now use the "-kex" option to specify key exchange methods to be used. - VShell's UNIX GSSAPI-related startup errors sounded worse than they were. Now warnings are given instead of errors when a GSSAPI or Kerberos library is not found when vshelld is loading. - Added the file permissions to the long file display sent to some SFTP clients when ls was issued (e.g., OpenSSH). Bug fixes: - VShell could crash when authenticating with gssapi-with-mic or when using gssapi-keyex. - Because of a missing lock, VShell could crash if a disconnect happened at the right moment during key exchange or key re-exchange. - VShell could crash with repeated port scanning or incomplete connections (e.g., using something like nmap) on vshelld. - VShell could fail to read host keys or public keys if another process was also reading the key. - The time string passed in VShell's trigger function was garbage. The string is now a correct time string. - Handling of SIGINT in vshelld caused ugly results on some systems. VShell now performs a "normal" SIGINT exit. - VShell would erroneously report an invalid state change in its log. - VShell could leak small amounts of memory when using public-key authentication. - VShell would erroneously report "invalid cross-device errors" to SFTP clients at the end of directory listings. - VShell would incorrectly log that it executed a file upload trigger before it logged the file that was uploaded. The events are correctly logged in order now. - vshelld failed to show the usage message when an invalid parameter was specified. - vsh: A hang occurred when remotely executing a non-existent command on a Windows VShell server. - vsh: A core dump would occur on FreeBSD and Mac OS X machines when redirecting output to /dev/null. - vsh/vcp: Didn't report an error when an invalid authentication method was specified on the command line (-auth). - vkeygen erroneously displayed an extra blank line when run. Vulnerabilities: - The VShell password authenticator failed to set the sensitive data flag on the password. This may have caused the password to have been left in memory longer than was strictly necessary. An admin with the ability to read VShell's memory space might have been able to find the password. Or, if VShell crashed after password authentication, the password might have been written to the core. Changes in VShell 2.2.2 Official -- September 18, 2003 ------------------------------------------------------ Bug fixes: - Upload triggers were incorrectly logged before the log message that happened when the uploaded file was closed. - The time string passed to the trigger function was garbage. - vsh/vcp: Experienced a memory leak whenever public key authentication was used. Changes in VShell 2.2.1 Official -- September 12, 2003 ------------------------------------------------------ New features: - vsh/vcp: added the option -key KEX, which allows you to specify which key exchange algorithm to use. Valid algorithms are diffie-hellman, diffie-hellman-group, Kerberos, and any OID (in dotted number format) supported by the GSSAPI provider Changes: - vsh/vcp: Will now only allow three failed passphrase attempts. Bug fixes: - VShell only enforced requirements for password and public key authentication methods even if gssapi was a required mechanism. If AuthenticationsAllowed in the vshelld_config was empty, or set to include non-required authentication methods, and the AuthenticationsRequired list included gssapi, then vshell would not enforce the requirement for gssapi. - Fixed a problem freeing an uninitialized pointer when using GSSAPI to authenticate to VShell. VShell would report: vsh in free(): warning: junk pointer, too high to make sense. - Fixed a problem that would occasionally cause the VShell Server to crash while transferring files to the VShell server. Vulnerabilities: - When using Kerberos host and user authentication via GSSAPI, the connection could be vulnerable to a man-in-the-middle attack. The GSSAPI introduction of GSSAPI with MIC has been introduced to eliminate this risk and the GSSAPI method has been deprecated. - Added the option EnableDeprecatedGSSAPI in the vshelld_config file to enable the deprecated GSSAPI methods in cases where GSSAPI with MIC is not available. This option is set to 0 be default. Changes in VShell 2.2 Official -- August 12, 2003 ------------------------------------------------- New features: - Support for GSSAPI authentication and key exchange in Solaris. Changes: - When RemoteExecution was added to the Access Control List, VShell defaulted to denying all users this access. The default has now been changed to allowing all users. Bug fixes: - VShell, vcp, and vsh could potentially crash if trying to get a GSSAPI error message from the Kerberos library. - Under some conditions, VShell could crash if GSSAPI got a mechanism other than Kerberos for key exchange. - Kerberos authentication could fail in situations where non- essential exports were not found in Kerberos libraries. - VShell, vcp, and vsh could potentially have a non-exploitable buffer overflow if GSSAPI got more than four mechanisms when querying how many mechanisms were supported by the local GSSAPI provider. - Socks 5 firewall connections did not work When using vcp or vsh on Solaris. Changes in VShell 2.2 (Public) Beta 9 -- July 31, 2003 ------------------------------------------------------ New features: - Support for GSSAPI secured key exchange. Currently, Kerberos v5 is supported. - Authentication banners are now read from a text file when specified in the configuration option AuthenticationBannerPath. - RemoteExecution as an AccessControl configuration option. Users and groups can now be allowed or denied remote execution abilities. - Kerberos tickets are now cached so that network credentials can be forwarded to subsequent connections. - vsh and vcp now support Socks 4 and 5 firewalls. Changes: - vsh and vcp now use /dev/tty when prompting for information such as the user's password. This change was needed for tools like cvs that use stdin/stdout for data. - When VShell fails to listen on an address, it now reports the port as well as the address. Bug fixes: - When using RestrictSFTPtoHome on FreeBSD, it would fail due to links in the system to home directories. Changes in VShell 2.2 (Public) Beta 8 -- July 17, 2003 ------------------------------------------------------ New features: - Added a FreeBSD 4.8 distribution. - Added a Mac OS X distribution. Changes: - Changed default configuration to not timeout idle connections. - UNIX man pages now substitute the correct paths for various platforms as needed. - SFTP file and directory deletes are now logged. Bug fixes: - vcp/vsh: If the -nopromt command-line option is used, vsh and vcp should never prompt for input. - Setting IdleTimeout to 0 did not disable idle timeouts. - UPN calls were not being logged for Kerberos authentications via GSSAPI. Changes in VShell 2.2 (Public) Beta 7 -- July 3, 2003 ----------------------------------------------------- Changes: - VShell logs that it cannot find or load the libgssapi.so when it is not found. - Added logging of UPN during gss-ms-kerberos authentication. - Added additional output to the Solaris 8 installation package. - The Red Hat RPM now starts vshelld when it is done installing. Bug fixes: - GSSAPI authentication could stall if an error occurred while authenticating. - VShell logging for GSSAPI delegation was incorrect, causing false output when VShell traced for delegation. - Uploading a file using FTP over SSH2 with VShell 2.2 truncated the file. - Improved SFTP download performance by using the true local window size. - vsh: Piping input to vsh from a file resulted in the following error: "The handle is invalid." - vcp was putting ^M (\r) characters in output on UNIX. - vcp/vsh: If -noprompt was enabled, vsh/vcp would try an incorrect password or passphrase multiple times if -pw or -i was specified on the command line. - vsh: Piping or redirecting files into vsh did not work. - vcp/vsh: vcp and vsh exited with 0 (success) when given a bad password. - vsh crashed when agent was not available. Changes in VShell 2.2 (Public) Beta 6 -- June 17, 2003 ------------------------------------------------------ New features: - Agent support to UNIX command-line utility vsh. Changes: - Changed VShell's "Disallow Blank Passwords" option to default to true. Bug fixes: - When copying files in the current working directory, vcp used back slashes (\) instead of forward slashes (/). - In vsh, CTRL+C did not work at the password prompt. - SFTP used stat instead of lstat under UNIX. - The Solaris uninstaller package failed if vshelld was stopped manually first. Vulnerabilities: - There were some formatting string problems that could be used to cause arbitrary program data to be overwritten. Changes in VShell 2.2 Beta 5 -- May 29, 2003 -------------------------------------------- New features: - "Jail shell" feature. Two configuration options, ChrootGroups and ChrootUsers, combine to restrict users and members of groups to their home directory with any shell or subsystem operation. - Agent support for SecureCRT and OpenSSH clients that support Agent and Agent Forwarding, and for the OpenSSH agent server. Changes: - VShell now logs all failed file operations when SFTP logging is enabled. - Improved examples in port-forward and connection filtering man pages. - Reduced the error information given to users on certain authentication failures. - vkeygen: added a prompt so that vkeygen no longer overwrites existing keys without approval. - When F-Secure / SSH-Communications clients connected, they did not understand VShell's remote forwarding requests. VShell now has a compatibility mode so that remote forwarding requests are understood by these clients. - Removed quotation marks around strings from the vshelld_config file for the default path in the PublicKeyFolder parameter. Bug fixes: - vcp: Would not copy a file starting with a / in its path. - vshelld filled /tmp up with directories related to the agent if "exit" was not typed to exit the shell. - vshelld on Solaris did not clean up user's tty on session exit. - Agent forwarding from a VShell server would cause the original SecureCRT client to disconnect. - Changed post install script to prevent VShell from trying to copy vshelld_config_config instead of vshelld_config_default. - Fixed several segfaults when exiting vshelld due to VShell not removing its signal handlers before cleaning up a pointer. - If the VShell GSSAPI authenticator received a request for a mech oid that the gssapi.so supported and it could not perform username mapping for, vshelld would crash. Vulnerabilities: - It may have been possible to exploit a buffer overrun in the transport class. - Several file descriptors were left open after a remote execution. - VShell didn't drop privilege to check .hushlogin for Message Of The Day. - VShell now explicitly checks that the padding length of transport buffers is valid and shuts down the connection when it is not. - Improved the random generation pool for each child of vshelld. - Improved the execution mechanism and variable expansion, field splitting and quoting for FileAuthCommand and SFTPUploadCommand. - There was a condition in which UNIX users with proper shells who were allowed access to SFTP but not to command execution could still execute shell commands. - The parse realpath handler for the REALPATH SFTP request did not properly honor the RestrictSFTPtoHome configuration option. Changes in VShell 2.2 Beta 4 -- May 13, 2003 -------------------------------------------- New features: - Allow or deny users access to your server and its features including shell, SFTP, and tunneling on a user or group basis. - Added a cleanup script for Solaris vshelld package uninstall. - After running vsh and failing to authenticate, the echo was gone. Changes: - Documented "AuthenticationAllowed" and "AuthenticationRequired" configuration settings. - Documented the "EncodeAuthDataAsUTF8" vshelld option. Bug fixes: - vsh on Solaris could crash after failed public-key authentication. - Idle timeout did not work when the default setting was used. - vshelld didn't restrict remote-forward requests for ports < 1024. Changes in VShell 2.2 Beta 3 -- April 29, 2003 ---------------------------------------------- New features: - RestrictSFTPToHome configuration option -- Restricts SFTP access to user's home folder. - Triggers -- When a file is uploaded via SFTP or the maximum authentications are exceeded, this can trigger a user configured event. - DenyRoot logon configuration option. - AuthenticationsAllowed and AuthenticationsRequired configuration options. - vkeygen now prompts for passphrases. - A Red Hat 7 RPM was created so that there are no conflicts with shared libraries. - X11 support added to vsh. - Now distributing .tar.gz files in addition to packages (these will not create symbolic links for initd startup and shutdown scripts). - EncodeAuthDataAsUTF8 configuration option (default value true). This flag should be set to false in environments where the clients do not encode passwords as per the IETF draft. Changes: - The post install script on Solaris hard links to /etc/initd/.vshell Bug fixes: - Message of the day was incorrectly being displayed if no PTY was being requested and also if .hushlogin existed. - vsh was not catching SIGWINCH. If you were running vsh in an xterm or SecureCRT and you resized the window, vsh would not forward this information to the (2nd) remote host. - Passing an invalid hostname to vsh (and vcp) caused it to print the incorrect error: "No such file or directory" - Occasionally, vshelld sessions would consume a lot of CPU time. - VShell could misinterpret some logon output as a umask. Changes in VShell 2.2 Beta 2 -- April 3, 2003 --------------------------------------------- New features: - GSSAPI (Kerberos) authentication method. - Options -t and -test_config that will test the configuration file and display any errors, warnings, or if the configuration is valid. - VShell now determines the user's umask when transferring files. - On a multihomed machines, control which NIC VShell listens on to better lock down access to the server sing the new "ListenV4Addresses" configuration option. - Displays the message of the day if "MOTD" is specified in the configuration file. Changes: - Removed -? from acceptable vshelld UNIX command-line parameters. - Moved Solaris install to /opt/vshell. Everything that once installed to /usr/local/[bin, sbin, man, and etc, share/doc] (except for /etc/init.d script), now installs under similar directories in /opt/vshell. Note: MANPATH needs to be updated to include "/opt/vshell/man". - vsh and vcp now look for public keys in ~/.vshell/publickey. - Added -R to the vshelld, vsh, vcp, and vkeygen link line so that shared libraries are correctly found. - Changed "VShell" to "vshelld" in syslog (VShell for UNIX) Bug fixes: - Diffie-Hellman group exchange method was offered to clients if a primes file did not exist. VShell now issues a warning (instead of a debug message) if gex is on but no primes file is found during startup. - vsh displayed an extra blank line after being executed. - vsh was not sending the screen size. - Passing an invalid hostname to vsh (and vcp) caused it to print the error: "No such file or directory". - vsh did not catch SIGWINCH so, if you were running vsh in xterm or SecureCRT and you resized the window rows and columns were not changed. - vsh displayed port-forwarding messages even with no -v. - vkeygen did not prompt for a passphrase - The public-key subsystem created public key files with the user's (maybe too permissive) umask. Changes in VShell 2.2 Beta 1 -- March 5, 2003 --------------------------------------------- Features: - Secure Shell Access - Secure File Transfer (SFTP) support - Port forwarding support - Remote command execution - X11 Forwarding - Public key and password authentication - Public Key Assistant makes it easier for users to upload their own public keys with VanDyke Software clients