HP TCP/IP Services for OpenVMS
Release Notes


Previous Contents

4.21.19 SSH access to an account with an expired password and a PWDLIFETIME of 0

Problem:

SSH access to an account with an expired password and a PWDLIFETIME of 0 still requires a password change, unlike TELNET or SET HOST.

Solution:

This problem is corrected in this release.

4.21.20 put *.*;* may not work

Problem:

The SFTP command, put *.*;* fails with an ACCVIO error.

Solution:

This problem is corrected in this release.

4.21.21 Ability to navigate to subdirectories has regressed

Problem:

From a PC SFTP client, specifically the one from SSH Inc., the ability to navigate to subdirectories has regressed from a previous fix.

Solution:

This problem is corrected in this release.

4.21.22 ls -r fails with an error

Problem:

In SFTP, an ls -r command fails with an error and does not display any files in the subdirectories.

Solution:

This problem is corrected in this release.

4.21.23 Transferring larger files

Problem:

Using SCP or SFTP to transfer a file larger than 2 GB results in a corrupt file.

Solution:

This problem is corrected in this release.

4.21.24 ls command fails to list ODS-5 extended filenames

Problem:

In SFTP, output from an ls command fails to list ODS-5 extended filenames.

Solution:

This problem is corrected in this release.

4.21.25 Error returned by the stat() function during a "get" operation

Problem:

Although, the files are in a subdirectory of the current source with recursion disabled, SFTP complains about an error returned by the stat() function during a get operation.

Solution:

This problem is corrected in this release.

4.21.26 SSH server enforces an idle session timeout value

Problem:

The SSH server enforces an idle session timeout value because of the following issues:

Solution:

A new logical name, TCPIP$SSH_SHIFT_IDLE_TIMEOUT, when defined with anything other than "0" causes a shifting of the window of actual enforced timeout values. Rather than allowing an idle user a grace period of up to 10% of the configured IdleTimeOut, the timeout will actually be enforced at some time between 95% and 105% of that value.

4.21.27 ACCVIO error during password validation

Problem:

An ACCVIO error occurs in SSH during password validation.

Solution:

This problem is corrected in this release.

4.21.28 Issues related to the password change

Problem:

Following are the issues related to the password change feature in SSH:

Solution:

On the SSH server, if the value for pwdlifetime for a user account in the SYSUAF is 0 (none), the user at the client is not prompted to update his password even if it has expired. This is an OpenVMS feature, not specific to SSH.

For the password update feature to work, the appropriate value in SSHD2_CONFIG. must be set to "yes" (without the quotation marks).


    Client is VMS: 
    AllowVmsLoginWithExpiredPw (default is yes) 
           Client is not VMS: 
           AllowNonvmsLoginWithExpiredPw (default is no) 

For some clients, if the value of AllowedAuthentications in SSHD2_CONFIG. is set to password only, the following situation may occur for the user at the client:

This behavior does not occur with the OpenVMS client.

There is a new logical name: To enable prompting for old password in the OpenVMS SSH client when updating an expired password, use the following command:


    $ DEFINE /SYSTEM TCPIP$SSH_NUM_OLD_PASSWORD_CHECKS n 

Where; "n" is the number of guesses that the client is to be allowed for the old password. You should make this value less than or equal to the value of the variable PasswordGuesses in the server configuration file SSHD2_CONFIG. A separate mechanism is required to define the value for the client since it does not have access to SSHD2_CONFIG., but only to SSH2_CONFIG.
To make this value permanent across reboots, include the command in the system startup procedure.
Note that if n = 0 or "0", or if the logical is not defined, the SSH client will not prompt for the old password.

4.21.29 Error message appears at the conclusion of a copy operation

Problem:

When using SCP to copy a file to a remote non-OpenVMS server, the error message, got EOF reading file sometimes appears at the conclusion of copy operation, which is otherwise a successful operation.

Solution:

This problem is corrected in this release.

4.21.30 -r command does not work as expected

Problem:

The scp -r command does not work as expected.

Solution:

The -r option is intended to be used when the source path specifies a directory, not including filename(s). Copy of files where filename is specified does not require use of the -r option.

Note, however, that when a filename is specified, even if it is in a subdirectory of the current default, the file is copied to the target default. When a directory name is used as the source and -r is specified, the directory tree is reproduced on the target system.

The fix for this case enables the OpenVMS SCP client to handle directory levels more than one deep when the -r option is used. As before, recursive copy is not supported for the SFTP client.

Also, recursive copy with filenames not specified preserves the version number of the source file. This behavior means that when the target of a put command is also an OpenVMS system, the file will not be copied if that version already exists. An error message, similar to the following is displayed:


         tcpip$ssh_scp2.exe: 
  warning: open: ./testroot/AFILE.TXT;1 (dst): 
  unspecified failure (server msg: 'syserr: bad file 
  number, file: ./testroot/AFILE.TXT;1') 

4.21.31 Directory logical names gets translated on the client

Problem:

In SFTP and SCP, directory logical names gets translated on the client system instead of being passed to the server.

Solution:

Logical names entered through the SCP and SFTP clients should be translated on the server system. For example, if the client and server systems have a different translation for the same system-wide logical name, the one on the server should be used. Note that because the SFTP server does not execute the SYS$SYLOGIN command procedure, some logical names available in interactive sessions are not available, e.g., SYS$LOGIN.

If a user does not have access to the directory referenced by a logical name (e.g., TCPIP$SSH_HOME for a non-privileged account), a cd in SFTP will fail, as expected.

Also note that from a non-OpenVMS client, no attempt is made to translate a string as a logical name; behavior depends on the client. For example, from a Red Hat Linux system:


 sftp> cd name 
 (no leading slash before "name") results in an attempt to move 
 to the [.name] subdirectory of the current default location. 
 sftp> cd /name 
 results in an attempt to go to a device "name", with no 
 directory specified, which fails. 
 
 Current default: dev1:[user1]; dev1:[user2] does not exist: 
 
 sftp> cd dirname 
 sftp> pwd 
 Remote working directory: /DEV1/user1/dirname 
 
 sftp> cd /dev1 
 Couldn't canonicalise: No such file or directory 
 
 sftp> cd /dev1/user1 
 sftp> pwd 
 Remote working directory: /dev1/000000/user1 
 
 sftp> cd /dev1/user2 
 Couldn't stat remote file: No such file or directory 

4.21.32 Miscellaneous Problems

Problem:

Solution:

The following are some differences from DCL or FTP behavior and messages:

When an "ls" encounters a file for which attributes are not accessible to the user on the SFTP server, the following text is included in any message displayed: no privilege for attempted operation . For example:


  fcr_readdir_lstat: G-R.TXT;1 (src): no such file 
  (server msg: 'platform cannot stat() filename: file 
  does not exist or no privilege for attempted 
  operation.') 

Like FTP and DCL, SFTP does not allow a general ls (with no filename specified) for a directory on the server to which the user has E (Execute) access only. However, unlike FTP or DCL, SFTP does not work for an ls followed by a specific filename in an E access directory.

For certain files, mainly those that do not exist on the server, the following new client-based message is displayed instead of the standard message sent by the server:


  no such file (client msg: no such file or directory, 
  or no privilege for attempted operation) 

4.21.33 SSH server may not complete authentication

Problem:

If the TCPIP$SOCKET_TRACE logical name is defined, the SSH server may not complete authentication and all logins fail.

Solution:

This problem is corrected in this release.

4.21.34 SSH client uses an existing SSH connection for a new SFTP session

Problem:

The SSH server may fail to generate an ACCVIO error when the SSH client uses an existing SSH connection for a new SFTP session.

Solution:

This problem is corrected in this release.

4.21.35 Messages displaying the last interactive and last non-interactive login times are not displayed

Problem:

When logging into OpenVMS with SSH, messages displaying the last interactive and last non-interactive login times are not displayed. Neither a message flags the number of login failures since the last successful login.

Solution:

This problem is corrected in this release.

4.21.36 X application fails authentication

Problem:

X11 chaining with a TCP/IP Services host in the middle of the chain causes the X application to fail authentication. For example, if host1 through host3 are OpenVMS systems:


 
 host1> SSH "+X" host2 
 ...snip... 
 host2> SSH "+X" host3 
 ...snip... 
 host3> RUN SYS$SYSTEM:DECW$CLOCK 
 warning: X11 auth data does not match fake data. 
 XIO: fatal IO error 65535 (network partner disconnected logical 
 link) on X server "_WSA12:" 

Solution:

Some clients may attempt keyboard interactive client authentication, which may send a null username string. The new code should handle this situation; in case of errors, the workaround is to change or add the following line in the TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG. file:


        PreserveUserKeyCase no 

4.21.37 PUT command to Sterling or Tumbleweed software failed with errors

Problem:

SFTP put to servers running Sterling or Tumbleweed software failed with errors such as Operation unsupported or The requested operation cannot be performed because there is a file transfer in progress .

Solution:

This problem is corrected in this release.

4.21.38 Fails to set the last non-interactive login time

Problem:

SFTP sessions does not set the last non-interactive login time in the user's UAF record, which is inconsistent with FTP.

Neither SFTP sessions nor single command mode SSH logins get an SSH-generated USER type accounting record, as do other interactive terminal logins.

Solution:

This problem is corrected in this release.

4.21.39 SSH server could be sent into a tight loop

Problem:

When the Tectia SSH client is used and multiple file transfer windows are open, the SSH server could be sent into a tight loop.

When using a client that multiplexed SFTP sessions over existing SSH connections, each time an SFTP session ended, the SSH server parent process (the process running TCPIP$SSH_SSHD2.EXE) is left with a link to a BG device that no longer exists, a waste of resources for the server process.

Solution:

This problem is corrected in this release.

4.21.40 ListenAddress SSH server configuration field is not supported

Problem:

The ListenAddress SSH server configuration field is not supported on TCP/IP Services for OpenVMS. Instead, the same effect can be achieved by using the command TCPIP SET SERVICE /ADDRESS . However, this difference is not obvious to users.

Solution:

A warning message, generated by the SSH server, is added to point the user to that command.

4.21.41 Protections on key files created by SSH_KEYGEN

Problem:

Protections on key files created by the SSH_KEYGEN utility are UNIX-style, not OpenVMS-style. Specifically, they allowed only READ and not EXECUTE access. For example:


  KEYFILE.;   -- (RWD,RWD,,) 
  KEYFILE.PUB -- (RWD,RWD,R,R) 

Solution:

This problem is corrected in this release.

4.21.42 "-e" switch on SSH_KEYGEN does not work

Problem:

The -e switch on the SSH_KEYGEN utility does not work.

Solution:

This problem is corrected in this release.

4.21.43 Password expiry

Problem:

When a password expires and the UAF DisForce_Pwd_Change flag is set, the SSH server does not set the PWD_EXPIRED or PWD2_EXPIRED UAF flag to prevent subsequent user logins not to change their password with SET PASSWORD. This allows circumvention of password expiration as users with expired passwords may not continue to log in.

When logging in with the PWD_EXPIRED or PWD2_EXPIRED UAF flag set, the SSH server does not issue a text warning to the client as they expected from using TELNET and other login methods:


 
     Your password has expired; contact your system manager 

Instead, the SSH server cues three times for password, even if the password is entered correctly, and then disconnects.

Solution:

If a user's account has the DisForce_Pwd_Change UAF flag set, and the user does not change their expired password during password-based login, any subsequent login (including SSH public key) will be rejected until the user's PWD_EXPIRED (or PWD2_EXPIRED) flag is reset by the system administrator.

When logging in with the PWD_EXPIRED or PWD2_EXPIRED UAF flag set, the SSH server now correctly returns the text:


 
     Your password has expired; contact your system manager 

However, some clients do not display the message.

4.21.44 SSH access to Integrity ILO console

Problem:

SSH access to Integrity ILO console results in the following error:


     warning: Authentication failed. 
     Disconnected; key exchange or algorithm negotiation 
     failed (Key exchange failed.) 

Solution:

This problem is corrected in this release.

4.21.45 Explanatory message back to the client during an attempted password change

Problem:

The SSH server fails to send an explanatory message back to the client during an attempted password change if the chosen password is too short.

Solution:

After a password is entered, a message about the password being too short or in the history list is returned, or if the new password is good, the user is logged in. The value of PasswordGuesses in sshd2_config is not checked for new password entry guesses.

4.21.46 Connecting to AIX OpenSSH server results in an error

Problem:

Connecting from an OpenVMS SSH client to AIX OpenSSH server results in the following error message:


Did not receive identification string from n.n.n.n 

Solution:

The SSH client's modified behavior (sending an SSH protocol version string of "SSH-2.0" rather than "SSH-1.99") applies only when the new TCPIP$SSH_AIX_PATCH logical is defined in the SYSTEM table with a non-zero value.

4.21.47 Log into a non-existent account via SSH may fail

Problem:

An attempt to log into a non-existent account via SSH with password authentication may cause an SSH server ACCVIO.

Solution:

This problem is corrected in this release.

4.21.48 UserLoginLimit is ignored

Problem:

The SSH server configuration parameter UserLoginLimit is ignored.

Solution:

This problem is corrected in this release.

4.21.49 Using X11 forwarding frequently fails

Problem:

When using SSH in single command mode with the TCP/IP Services for OpenVMS SSH server, where the command being issued used X11 forwarding (such as CREATE/TERMINAL/DETACH), the command frequently fails with an error such as X Toolkit Error: Can't Open display . A call to WAIT in TCPIP$SSH_RCMD.COM worked around the problem but introduces additional delay.

When interactively logging into the TCP/IP Services for OpenVMS SSH server, every login incurred an unnecessary one second delay.

Solution:

This problem is corrected in this release.

4.21.50 RIGHTSLIST identifier missing displays an ACCVIO error

Problem:

If SSH_KEYGEN is used from an account whose RIGHTSLIST identifier is missing, an ACCVIO is displayed rather than a more graceful error message.

Solution:

This problem is corrected in this release.

4.21.51 Opening multiple interactive login sessions over one SSH TCP connection

Problem:

When an SSH client tries to open multiple interactive login sessions over one SSH TCP connection, the TCP/IP Services for OpenVMS SSH server loops or exits with an error, rather than gracefully rejecting the additional sessions.

Solution:

This problem is corrected in this release.

4.21.52 Rename command for a file with an OpenVMS version number returns an error

Problem:

When an SFTP client user issues a rename command for a file with an OpenVMS version number, an error is returned. The file is not renamed.

Solution:

This problem is corrected in this release.

4.21.53 "password aging" message is not displayed

Problem:

The SSH server does not provide a password aging message when the user logs into the system with a nearly expired password.

Solution:

This problem is corrected in this release.

4.21.54 Re-entering the old password as the new password

Problem:

During a forced password change, if the user tries to re-enter the old password as the new one, the SSH server may simply close the connection rather than displaying an error message and allows the user to choose a different password.

Solution:

This problem is corrected in this release.

4.21.55 ACCVIO when the batch mode is used

Problem:

An ACCVIO occurs in the SCP or SFTP client when the batch mode option, -b is used from a DCL procedure in a subprocess where SYS$OUTPUT or SYS$INPUT has been re-defined to point to a file.

Solution:

This problem is corrected in this release.


Previous Next Contents