VShell(R) Server 3.0.4 Official -- March 20, 2008

Copyright (C) 1995-2008 VanDyke Software, Inc.
All rights reserved.

This file contains a VShell product history. It includes lists of new
features, changes, and bug fixes sorted by release. For a product
description, installation notes, registration, and contact information,
please refer to readme.txt (downloaded with this package).


Changes in VShell 3.0.4 (Official) -- March 20, 2008
----------------------------------------------------

Bug fixes:

  - Windows: The "Add" button on the VShell Control Panel SFTP page
    was disabled unless an existing SFTP root was selected.
  - Windows: SCP file transfer uploads may have become corrupted if
    an existing file was being overwritten by a file that was smaller
    in size.
  - Windows: VShell Control Panel could crash on startup if the
    Access Control registry key became corrupted.
  - Windows: VShell Control Panel was slow to start in some
    environments.


Changes in VShell 3.0.3 (Official) -- December 6, 2007
------------------------------------------------------

Changes:

  - Added the ability to enter VShell Features that are specified in
    the license letter into the VShell License wizard.

Bug fixes:

  - Windows: When port forwarding SFTP traffic through VShell,
    transfer speeds were very slow.
  - Windows: VShell would leak memory if a client attempted to
    authenticate using the GSSAPI (with mic) authentication method.
  - VShell would report a 0 concurrent connection limit if the
    license used contained a "Maintenance Expiration" feature.


Changes in VShell 3.0.2 (Official) -- November 1, 2007
------------------------------------------------------

Changes:

  - Windows: The "Use Kerberos Protocol Transition" option is now off
    by default.

Bug fixes:

  - Public-key authentication could fail if the user had not been
    granted the "Log on locally" user right.
  - vsh: Redirecting input from NUL, an LPT port, or a serial port
    would result in an invalid handle error.


Changes in VShell 3.0.1 (Official) -- August 15, 2007
-----------------------------------------------------

New features:

  - Added new trigger parameter that allows passing the current date
    to a trigger script.

Bug fixes:

  - Windows: VShell Control Panel would crash on startup if the
    access control list was empty.
  - Windows: The VShell Control Panel Cipher page would show that all
    ciphers were enabled even if they had previously been deselected.
  - VShell would not accept connections from SFTP clients that sent a
    SFTP version packet with a value of zero.


Changes in VShell 3.0 (Official) -- June 26, 2007
-------------------------------------------------

Changes:

  - Updated VShell Help documents with new features and changes.


Changes in VShell 3.0 (Beta 3) -- June 12, 2007
-----------------------------------------------

Changes:

  - Windows: Increased the size of the tree view area in the VShell
    Control Panel to prevent scroll bars from appearing when all
    categories are expanded.
  - Windows: The "Use Kerberos Protocol Transition" option is now on
    by default.
  - Windows: Starting the VShell Control Panel could have caused the
    Windows SideBySide component to log system event warnings related
    to not finding the Mfcloc.dll. To prevent these warnings,
    redistribute the Microsoft Mfcloc.dll as part of the VShell
    installation.

Bug fixes:

  - Windows: A "Deny Host" file handle error could have been logged
    after changing VShell configuration options.
  - Windows: The installer was not adding the VShell installation
    directory or the VShell "bin" directory to the system path.
  - UNIX: File listing of a symbolically linked directory was not
    displayed for some SFTP clients.


Changes in VShell 3.0 (Beta 2) -- May 9, 2007
---------------------------------------------

Changes:

  - Windows: VShellConfig now logs an error when the Microsoft XML
    Parser (MSXML) could not be loaded. MSXML version 3.0 or later is
    required for VShellConfig export/import functionality.

Bug fixes:

  - Windows: SFTP operations could fail if the SFTP root path
    specified in the VShell Control Panel ended with a trailing
    backslash (\).
  - Windows: VShellConfig failed to run when connected to VShell
    remotely on a Windows Vista system with User Access Control
    enabled.
  - Windows: SFTP operations could have failed when VShell was
    running on a Windows Vista system with User Access Control
    enabled.
  - VShell could crash during simultaneous loading of a malformed or
    missing subconfiguration file.


Changes in VShell 3.0 (Beta 1) -- April 10, 2007
------------------------------------------------

New features:

  - New triggers for Login, Logout, File Rename, File Delete, Folder
    Create, Folder Rename, and Folder Delete events to increase
    monitoring and automation capability.
  - SCP file transfers using clients operating as a secure RCP
    replacement that forwards a remote execution request to SCP over
    SSH2 (not SFTP). Honors settings for logging, ACLs, and SFTP
    roots.
  - Windows: Import and export configuration using VShellConfig to
    save time when backing up or moving VShell. Make backups of
    existing configurations and move configurations between machines.
  - Windows: Native 64-bit (x64) version for Microsoft Windows.
    Enables public-key-only authentication on a 64-bit platform.
  - Support for multiple host keys. One host key per algorithm type
    is now supported.
  - New page for the VShell Control Panel to edit a list of addresses
    and ports that VShell will listen on.
  - Adding the maximum connections per user to the Control Panel
    makes it easier to limit the number of concurrent times a user
    can log on to VShell.
  - Windows: Automatic purging of log files after specified number of
    days.
  - Support for specifying authentications required and allowed on a
    per-user, per-group, or per-network basis.
  - Support for specifying port-forward filters on a per-user or
    per-group basis.
  - Windows: Support for specifying a different command shell on a
    per-user, per-group, or per-network basis.
  - Windows: Generation of a host key from the VShell Control Panel
    Host Keys page.
  - Windows: VShellConfig now supports the /f command-line option for
    specifying a command file.
  - Windows: Added "Fire File Triggers on Error" option to the
    Triggers configuration page. If this option is disabled, file
    related triggers will not fire if the file operation failed.
  - Windows: Added "Use single virtual SFTP root" option to the SFTP
    configuration page. This option allows SFTP clients that do not
    support multiple SFTP roots to list all available roots.
  - New VShell configuration option called "Use Kerberos Protocol
    Transition". This option can be used to gain access to domain
    resources when logging in using public-key-only authentication.
    For this to work, the machines must be running Windows 2003 or
    newer and be in an active directory domain.
  - UNIX: Added vshelld_config options EnableUmaskDiscovery. When set
    to true (default), vshelld will launch a non-interactive shell to
    determine the default umask for SFTP connections. VShell always
    used a non-interactive shell to get the user's umask in previous
    versions.
  - UNIX: Support for FreeBSD 6.1.
  - UNIX: Support for Solaris 10 on SPARC architecture.
  - vsftp: A "type" command that reports the current transfer mode
    (ASCII or binary) when used without an argument. The type command
    also takes an argument of either "ascii" or "binary" to change
    the current transfer mode.
  - vcp: Added a "--ascii" flag that enables files to be transferred
    in ASCII mode.

Changes:

  - Windows: The VShell installation package is now created using
    InstallShield.
  - VShell now logs the actual port that was bound, when a client
    specifies a port of 0 with a remote port forward request.
  - VShell now logs unrecognized channel open requests.
  - VShell now logs password change requests initiated by clients or
    by the server.
  - VShell now logs when a file is renamed via a SFTP operation.
  - As per draft, VShell allows an empty user name during GSSAPI
    authentication.
  - Command-line clients: When connecting to a server that requires
    public-key and password authentication and the public key is
    given on the command line, it is no longer necessary to override
    the "-auth" command-line option to be prompted for the password.
  - VShellConfig command-line options are no longer case sensitive.
  - Windows: VShell now logs whether Kerberos Protocol Transition or
    the LSA module was used during public-key authentication.
  - Windows: VShell no longer overwrites the permissions on the
    HKEY_LOCAL_MACHINE\SOFTWARE\VanDyke\VShell\Server registry key if
    an administrator has specified them. This will allow the
    administrator to customize the registry security according to
    their specific needs.
  - Windows: In the user/group picker, VShell now displays "Entire
    Directory" as the top level entry, and also shows domain local
    security groups. This makes the VShell user/group picker behave
    more like the user/group picker when modifying Windows file
    permissions.
  - Windows: LSA logging can now be turned on and off in the VShell
    Control Panel Logging Page.
  - Windows: The LSA module logging now goes to the same file that
    VShell logs to. Previously, the LSA module logged to a separate
    file that could only be specified through the registry.
  - Windows: Certificate map files now require a fully qualified user
    name to be specified.
  - Windows: The 32-bit version of VShell can no longer be installed
    on 64-bit systems. This is due to the native 64-bit support added
    to VShell.
  - vsftp: Added an alias for "mv" called "rename" to command set.
  - vsftp: File permissions are now preserved during an SFTP get
    operation.

Bug fixes:

  - VShell did not log public-key fingerprints from the agent when in
    FIPS mode.
  - WinSCP could not create directories during a copy operation to
    VShell.
  - VShell no longer appends a slash (/) to the home directory path
    in the VShell log.
  - Windows: Certain public keys uploaded to VShell running in FIPS
    mode could have had the key basename truncated to nothing,
    resulting in a public-key filename of ".pub".
  - Windows: VShell could erroneously retrieve a user's "My
    Documents" directory if "Load Users Environment" was turned off
    after VShell was already running.
  - Windows: VShell no longer listens on a UDP socket if it is not
    configured to use keyboard interaction (RADIUS).
  - Windows: The "Disconnect idle sessions after " setting did not
    always work. VShell now logs an error if the idle timer fails to
    start.
  - Windows: With complex Windows networks, there could have been a
    long delay during public-key authentication while VShell was
    resolving user names.
  - Windows: The VShell License wizard would fail to parse license
    data from the clipboard if the license letter had been quoted in
    an e-mail reply.
  - Windows: It was possible to start more than one instance of the
    VShell Control Panel.
  - UNIX: VShell did not honor file system quotas during SFTP file
    uploads.
  - UNIX: VShell incorrectly displayed symbolically linked files as
    regular files.
  - UNIX: VShell did not display symbolic link targets when doing a
    long file listing.
  - UNIX: VShell incorrectly established credentials when
    authenticating via AFS Kerberos v4.
  - vsftp: Explicitly listing a symbolic link file (ex: ls -l
    link_name) would show the filename and information about the
    target of the link instead of listing the link.
  - vsftp: chgrp/chown commands were reporting an error even when the
    command succeeded.
  - vsftp: chmod failed if the owner of the file had no permissions
    set.
  - vsftp: Immediately downloading a file that was just uploaded
    could fail due to a handle error.
  - vsh: vsh was not flushing buffers when it received a channel EOF.
    This could have caused problems with SVN and CVS not receiving
    the last bits of data when the remote side finished.
  - vpka: vpka crashed when trying to upload a key that did not
    exist.
  - Windows vsh: VSH could hang when redirecting commands from a file
    (for example, vsh hostname < commands.txt)

Vulnerabilities:

  - According to US-CERT Vulnerability Note VU#845620, it is
    theoretically possible for an attacker to forge RSA signatures
    when the RSA key has a public exponent of three. To address this,
    the registry-only option "Reject RSA Public Keys With Exponent 3"
    was added to VShell. This option enables VShell to reject client
    authentication if the public key used is vulnerable. VShell will
    also log a warning when the host key used has a public exponent
    of three.
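
Added example (not part of the VanDyke release notes and not VShell code): an administrator-side audit that finds the keys the "Reject RSA Public Keys With Exponent 3" option would refuse, by reading the public exponent out of each key blob. It assumes keys stored in OpenSSH one-line "ssh-rsa <base64> [comment]" format; the function names and the sample keys, which are built in the code with a dummy modulus, are constructed for illustration.

```python
import base64
import struct

def _read_string(blob, off):
    """Read one length-prefixed SSH string (RFC 4251); return (bytes, new_offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack(">I", blob[off:off + 4])[0]
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:end], end

def rsa_public_exponent(key_line):
    """Return e for an 'ssh-rsa <base64> [comment]' line, or None for other lines."""
    parts = key_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        return None  # blank lines, comments and non-RSA key types
    blob = base64.b64decode(parts[1], validate=True)
    alg, off = _read_string(blob, 0)
    if alg != b"ssh-rsa":
        raise ValueError("algorithm name inside blob does not match")
    e_bytes, off = _read_string(blob, off)
    _read_string(blob, off)  # modulus n: read only to confirm the blob is complete
    return int.from_bytes(e_bytes, "big")

def keys_with_exponent_3(lines):
    """Return the last field (comment) of every RSA key whose public exponent is 3."""
    return [line.split()[-1] for line in lines if rsa_public_exponent(line) == 3]

def _mpint(v):
    """Encode a positive integer as an SSH mpint (leading zero if the high bit is set)."""
    raw = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def make_sample_key(e, comment):
    """Build a CONSTRUCTED ssh-rsa line; the modulus is a dummy value, not a real key."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint((1 << 2047) | 0x1D)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

# Constructed sample input; the ssh-dss entry is a stub that is never decoded.
SAMPLE_KEYS = [
    make_sample_key(3, "legacy-batch@example"),
    make_sample_key(65537, "admin@example"),
    "ssh-dss AAAAB3NzaC1kc3M= dsa-user@example",
]

if __name__ == "__main__":
    print(keys_with_exponent_3(SAMPLE_KEYS))
```

A malformed or truncated blob raises ValueError rather than being silently skipped, so a damaged key file is noticed during the audit.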