Environment
Reflection for Secure IT UNIX Server version 7.1
Situation
This technical note outlines the new features available in the Reflection for Secure IT UNIX Client and Server 7.1 release, as well as product release notes.
Note: Reflection for Secure IT version 8.0 is available beginning in November 2012. For a list of new features in 8.0, see KB 7022091.
Resolution
Reflection for Secure IT UNIX Client and Server 7.1 New Features
The following list of features is available in both the UNIX Client and UNIX Server 7.1 release:
- Centralized Public Key Infrastructure (PKI) support enables you to centrally administer PKI functions, such as root certificate trust anchors, certificate stores, certificate revocation checking, certificate mapping, and audit logging for multiple servers.
Note: Reflection PKI Services Manager is included as a component of Reflection for Secure IT, at no additional cost. It is a separate download and installation. See KB 7021870 for more information.
- Customizable installation locations in Solaris and Linux support your organizational conventions for where applications are installed.
- Migration support leverages server, client, host, and user configuration files from prior versions of Reflection for Secure IT.
- Granular control over IP address family manages whether connections are supported with an IPv6 address family, an IPv4 address family, or both.
- Enhanced X.509 certificate utility (ssh-certview) obtains useful information from X.509 certificates, PKCS#7, and PKCS#12 files.
- AIX 6.1 on POWER support enables you to run Reflection for Secure IT on newer versions of AIX.
- Red Hat Enterprise Linux 5 on Itanium support enables you to run Reflection for Secure IT on newer versions of RHEL on the Itanium architecture.
- Arcfour128 and arcfour256 support leverages newer and stronger encryption algorithms.
Client New Feature
- Support for PKCS#11 smart cards in Solaris 10 SPARC uses smart cards for public key authentication.
Server New Features
- Granular file transfer permissions enable you to decide at a global, host, group, and user level, whether users will be able to upload, download, browse, delete, or rename files and directories.
- Enhanced file transfer logging improves troubleshooting and server monitoring with granular logging for events including login/logout, directory listings, uploads, downloads, and modifications.
- Configurable pre-authenticated session limits reduce exposure to brute force dictionary attacks by limiting the number of concurrent sessions that can be in an unauthenticated state.
- User shell inheritance control leverages centrally-administered directory services to deliver a shell environment to interactive user sessions.
- Sun Solaris Least Privilege Model support allows more fine-grained control of privileges in Sun Solaris without giving out the root user account.
Reflection for Secure IT UNIX Client and Server 7.1 Additional Features
In addition to the new features introduced in this release, 7.1 also includes many features that 6.x users are familiar with:
- File transfer resume restarts interrupted scp and sftp file transfers.
- SFTP and SCP2 Smart Copy saves time and bandwidth by eliminating the redundant transfer of identical files.
- FTP auto-forwarding enables you to securely use FTP-based scripts over a secure SSH tunnel without having to manually manage forwarding ports.
- RADIUS authentication authenticates users through a RADIUS server.
- Certificate-based client and server authentication (PKI support) integrates Reflection for Secure IT servers into your Public Key Infrastructure (PKI).
- Ssh-certtool utility enables you to create a PKCS#10 certificate request or to create a PKCS#12 package containing a private key and one or more certificates.
- MD5 signature rejection improves encryption strength by eliminating the use of MD5 hashed signatures.
- HMAC-sha256/sha512 MAC Algorithms use a strong, non-MD5 MAC algorithm.
- zLinux support with Red Hat Enterprise Linux 4 on System z 64-bit supports zLinux running 64-bit RHEL 4.
- zLinux support with SUSE Linux Enterprise Server 9 on System z 32-bit supports zLinux running 32-bit SLES 9.
Client Additional Features
- Command-line option for scp batch mode enables you to run unattended scp scripts.
- Automatic ASCII mode configuration associates specific file extension types to ASCII transfer mode, eliminating the need to explicitly specify ASCII mode in the transfer.
- Background forwarding ports with "one-shot" mode support uses scripts over a secure SSH tunnel.
- Sessionless secure channel support establishes listening ports for forwarding without the overhead of an associated shell environment.
- HostCertNameCheck keyword supports specifying whether the hostname should match the common name (CN) or Subject Alternative Name (SAN) field in the host certificate.
- Allow-from and deny-from forced commands can be specified in the authorization file.
- Authentication Agent supports the ability to add certificates.
Server Additional Features
- Default file permissions for SFTP transfers avoid the manual step of setting file permissions following a transfer.
- LogCertificateSubject keyword supports specifying whether the Serial Number and Subject of certificates used for authentication are logged to the system log.
- Message of the Day control defines whether or not the server displays the Message of the Day.
- Automatic home directory generation enables you to leverage LDAP user directories to support first-time logins to the server.
Release Notes
The following known issues have been found in the Reflection for Secure IT UNIX Client and Server 7.1.
Default XAuthPath Must Be Edited in Config Files Before Using X11
Symptom
When attempting to run an X application or session over an ssh connection, the connection fails with a "Can't open display" error message.
Solution
- Locate the xauth program, which is usually found in the user's path.
- Update your global configuration files (/etc/ssh2/ssh2_config and /etc/ssh2/sshd2_config, if present) with the absolute path to the xauth program, for example:
XAuthPath=/usr/bin/xauthReflection PKI Services Manager Does Not Automatically Shut Down or Start Up
After installing and starting Reflection PKI Services Manager, if the host system is restarted or rebooted, the PKI Manager does not automatically shut down or automatically restart when the system comes back up. See KB 7021869 for information about configuring your system's environment to start and stop the PKI Manager.
Obtaining Your Product Upgrade
Maintained customers are eligible to download the latest product releases from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/.
You will be prompted to login and accept the Software License Agreement before you can select and download a file. For more information on using the Download Library web site, see KB 7021965.
For information about purchasing Reflection for Secure IT, please e-mail us: SalesRecept@attachmate.com.
Replacing Your Current SSH Product
For information about replacing your current SSH product with Reflection for Secure IT UNIX Client or Server version 7.1, see KB 7021941.
Supported Platforms
For information about Reflection for Secure IT supported platforms, see KB 7022010.
Installing Reflection for Secure IT UNIX Client and Server 7.1
For information about installing Reflection, see the Installation topic in the User Guide, which is available from the documentation page, https://support.microfocus.com/manuals/rsit_unix.html.