Environment
Reflection for Secure IT UNIX Server version 8.0
Situation
Reflection for Secure IT 8.0 Client and Server for UNIX is available for new and maintained customers. This technical note lists the new features and fixes included in version 8.0.
Note the following:
- For information about logins and accessing the Download Library, see KB 7021965.
- For information about Reflection PKI Services Manager 1.2 Service Pack 1, see KB 7021877.
Resolution
New Features in 8.0
The following features in version 8.0 are available in both the Client and Server for UNIX:
- SHA256 is supported for digital signature when X.509 certificates are used for authentication.
- SHA256 is supported for key authentication using RSA 2048 bit public keys.
- The hmac-sha256 and hmac-sha512 MACs have been added to the default MAC list, AnyStdMac, with hmac-sha256 placed at the beginning of the list.
Client New Feature
- The date and time are displayed when performing an sftp long directory listing on files with future dates.
Server New Features
- The Server now supports file transfer auditing. When enabled, audit events will be created for file transfer uploads and downloads, including attempts that are denied by the operating system.
- XAuth messages are now suppressed if X11 Forwarding is disabled.
- A new server keyword, PrintLastLog, is available which specifies whether the date and time of the last user login should be printed when a user logs in interactively.
- A new value, “aix”, has been added to the AccountManagement server keyword that ignores password accounting restrictions such as password expiry when using public key authentication.
- A new server keyword, SftpVersion, is available which specifies the maximum SFTP protocol version supported by the server.
Resolved Issues in 8.0
The following issues were resolved in 8.0.
Client Resolved Issues
- The Oracle Real Application Cluster (RAC) installation no longer fails to complete when using the Reflection for Secure IT scp client.
- The scp -urp command now recursively removes the source files and directories.
- Updating Subversion (SVN) repositories with a svn+ssh command no longer produces a “Killed by signal 15” message.
- The server keywords CheckpointResume=No and SmartFileCopy=No are now applied when a host stanza is used in the client configuration file (ssh2_config) and a file is transferred via the SCP utility.
Server Resolved Issues
- The server protocol version string is no longer displayed on an AIX console every time an SSH connection is made.
- The “evaluation has expired” message no longer appears when installing an evaluation of Reflection for Secure IT Server for UNIX and an OpenSSH hostkey is found.
- When the ForceSftpFilePermissions and SftpSyslogFacility server keywords are configured and the server is run in debug mode, sftp connections are no longer terminated.
- Comma separated values are now accepted for the server keyword ListenAddress.
- Axway and Bitvise sftp clients are able to connect when the ChrootSftpGroups or ChrootSftpUsers server keywords are enabled.
- The server no longer prevents users from changing expired passwords when the Pluggable Authentication Module (PAM) use_first_pass option is enabled.
- The maxlogins counter is now properly reset when a session is disconnected.
- Failed login attempts are now displayed when the Solaris security policy (/etc/security/policy.conf) contains LOCK_AFTER_RETRIES=yes.
- The “Last failed login” message is now displayed when the Pluggable Authentication Module (PAM) module “pam_lastlog.so showfailed” option is enabled.
- User home directories are now created at logon when the AIX mkhomeatlogin keyword is enabled in the /etc/security/login.cfg file.
- Other allowed authentication methods are attempted if GSSAPI authentication fails on SLES 10 and 11 platforms.
- A missing GSSAPI keytab file no longer causes a segmentation fault and the next allowed authentication method is presented.
- Refreshing the Solaris service using the command, svcadm refresh, no longer puts the server into a maintenance state.
Security Updates
- Fix for security vulnerability described in CVE-2011-5000: When gssapi-with-mic authentication is enabled, remote authenticated users can cause a denial of service (memory consumption) via a large value in a certain length field.
- Fix for security vulnerability described in CVE-2012-2110: An ASN.1 input function does not properly interpret integer data, which allows remote attackers (on the Server for Windows, Server or Client for UNIX) or local attackers (on the Client for Windows) to conduct buffer overflow attacks, and cause a denial of service (memory corruption), via crafted DER data, as demonstrated by an X.509 certificate.
For current information about security alerts and advisories that may affect Reflection for Secure IT, see https://support.microfocus.com/security/.
Obtaining the Product
Maintained customers are eligible to download the latest product releases from the Attachmate Download Library web site: https://download.attachmate.com/Upgrades/. For more information about logging into and using the Download Library, see KB 7021965.
Note: If you download a Sun Solaris, HP-UX, or IBM AIX package using Internet Explorer, the uppercase (.Z) extension is changed to lowercase (.z). You will need to rename the file name to use an uppercase Z before you can uncompress your files.
For information about purchasing Reflection for Secure IT, please e-mail us: SalesRecept@attachmate.com.
Supported Platforms
Support for AIX 7.1 and Red Hat Enterprise Linux 6 has been added. For more information about supported platforms, see KB 7022010.
Installing or Upgrading to Reflection for Secure IT 8.0
Once you have downloaded the product, back up the /etc/ssh2 directory (which includes config files and host keys), uninstall your current version, and then install the latest product version. Procedures for installing and uninstalling are available in the User Guide, which is available from https://support.microfocus.com/manuals/rsit_unix.html.
For more information about replacing an existing Secure Shell program (including using backup files to merge your non-default settings to the new configuration file), see KB 7021941 or the Help topic "Replace an Existing Secure Shell Program" in the User Guide, which is available from https://support.microfocus.com/manuals/rsit_unix.html.
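The backup step above is the one that protects your host keys and non-default settings across the uninstall. The following POSIX shell functions are an added example, not part of this technical note or of the Reflection for Secure IT product: they archive a configuration directory with file modes preserved, restrict the archive to the owner, read it back to confirm it is intact, and let you confirm that specific members (for example a host key file) made it into the archive before you remove the old version. The source and destination directories are parameters; the /etc/ssh2 path and the file names used in the comments are assumptions based on the note's description of that directory.

```shell
#!/bin/sh
# Added example (not from the release note or the product): snapshot a
# Reflection for Secure IT configuration directory before uninstalling the
# old version, and verify the archive before going any further.

# backup_ssh2_dir SRC_DIR DEST_DIR
#   Creates DEST_DIR/ssh2-backup-<timestamp>.tar from SRC_DIR (assumed to be
#   /etc/ssh2 in a real upgrade), makes it owner-readable only, reads it back,
#   and prints the archive path. Returns non-zero on any failure.
backup_ssh2_dir() {
    src="$1"
    dest="$2"
    [ -d "$src" ] || { echo "backup: $src is not a directory" >&2; return 1; }
    mkdir -p "$dest" || return 1
    # Resolve DEST_DIR to an absolute path so the cd below does not break it.
    dest_abs=$(cd "$dest" && pwd) || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    archive="$dest_abs/ssh2-backup-$stamp.tar"
    # -p preserves modes, so a private host key restored later stays 0600.
    ( cd "$src" && tar -cpf "$archive" . ) || return 1
    # The archive contains private keys: do not leave it world-readable.
    chmod 600 "$archive" || return 1
    # Read-back check: a truncated or unreadable tar fails here, before the
    # old installation is removed.
    tar -tf "$archive" >/dev/null 2>&1 \
        || { echo "backup: $archive is not a readable archive" >&2; return 1; }
    echo "$archive"
}

# archive_has NAME ARCHIVE
#   Returns 0 if NAME (relative to the backed-up directory) is a member of
#   ARCHIVE. Members are stored as ./NAME because the archive was built from
#   inside SRC_DIR. Use this to confirm the host key and config file are present.
archive_has() {
    tar -tf "$2" | grep -qxF "./$1"
}

# archive_file_count ARCHIVE
#   Prints the number of non-directory members, a quick sanity figure to
#   compare against the live directory before uninstalling.
archive_file_count() {
    tar -tf "$1" | grep -vc '/$'
}

# Typical use before the upgrade (assumed paths; file names are examples):
#   archive=$(backup_ssh2_dir /etc/ssh2 /var/backups) || exit 1
#   archive_has hostkey "$archive" || { echo "host key missing from backup"; exit 1; }
#   echo "backed up $(archive_file_count "$archive") files to $archive"
```

Once the archive passes these checks, proceed with the uninstall and install; the preserved modes mean a later `tar -xpf` of the archive restores host keys with their original permissions.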