Pragma Fortress SSH Server Version 5.0 Release Notes
The following is installed with the Pragma Fortress SSH Server and
the information on this page is also available in the "readme.txt"
file. These are notes on the fixes and enhancements that have been
added to Pragma Fortress SSH Server 5.0 since its initial release.
Some of these enhancements may not be documented in the Help files or in the manual. Report problems and
your feedback via email to support@pragmasys.com or by visiting our
web site for support.
You can obtain the latest product or evaluation copies by contacting us via any of the following means:
Postal Address:
Pragma Systems, Inc. 13809 Research Blvd, Suite 675 Austin, TX 78750, USA. (512) 219-7270 (TEL) (512) 219-7110 (FAX)
Email:
Highlights on what's new in this release:
----------------------- Build 9 Start -----------------------------
Release Date: 04/18/2012
Revision #: 1715
Enhancements:
- telmc column formatting improved to work in both 80 column and larger 132 column consoles.
Shows connected state in a column labeled "S" meaning state with one character: C means connected. R means awaiting reconnect.
- scp now supports giving * pattern in source file names. E.g. scp mydir/t*.txt targetmachine:.
- scp will accept drive letters in file path or directory; in paths both forward and back slashes are accepted
- Support for 1.5.x versions of cygwin bash.
- Beeping is eliminated in the server side. Rather Control-G character is captured and sent to the client side for the client to beep.
System beep call was already handled properly in previous release to beep in the client and not the server, so continues to work properly.
- Non-interactive command execution shell and shell parameters can now be specified. It is useful for running cygwin shells like bash
- Powershell parameters can be specified allowing Powershell XML objects to be generated in place of flat text outputs.
- View Session now uses advanced Gen2 architecture and allows viewing ssh sessions. Before one could only view telnet protocol sessions, but not ssh.
- Install adds Windows firewall enabling entries so that Pragma Inetd and Cmdserver can open needed TCP ports for connections. Before this,
one had to manually add the entries in the Windows Firewall after install. For Non Windows firewall, one still has to do it manually.
Fixes:
- Directory Locations of where certificate authorization public files are stored for a user can be specified.
E.g. Typically it is "%APPDATA%\PragmaSSH" but it can be changed to C:\certs\.ssh2\%USERDOMAIN%\%USERNAME%
- Session count is reduced properly before a session goes to waiting reconnect state. This allows a new session to come in
and reconnect. Limiting session to 1 also would work for reconnect which was failing before this fix.
- Fix for non-interactive command execution with command plus parameters greater than 512
- Fix for non-interactive command specifications supporting arguments.
- Fix for command server trap under advanced console when logging 3 or higher is enabled and large data is written to the console.
- scp use like "scp file.txt localhost:." trapping is now fixed.
- HOME environment variable was incorrectly set to user's APPDATA directory which affected cygwin commands like pwd as cygwin sets HOME to
a user's home directory. HOME environment variable is no longer touched or modified by Pragma sshd server.
- HOMEPATH was incorrectly set to the user's APPDATA directory in place of the user's home directory. Now Pragma sshd server does not modify
HOMEPATH and HOMEDRIVE environment variable as Windows sets them properly when a user profile is loaded in Pragma sshd server.
- Servers with Pragma Fortress SSH server installed were sometimes rebooting spontaneously as CmdServer.exe process terminated the csrss.exe
process during shell process cleanup.
Release Date: 01/18/2012
Revision #: 1584
Enhancements:
- SSHD server works in the new pre-release Windows 8 operating system
- Works and certified for IBM Cloud and Intel Cloud
- Add config option for specifying kex algorithms. This setting uses the following syntax in the sshd_config file:
kexalgorithms=xxx,xxx
- Add CTR mode ciphers to default client set
- Add AES CTR mode support to server
- Forward slash allowed in client config file
Fixes:
- Command execution was not blocked when shell access was disallowed
- Our ssh.exe command line client wasn't requesting confirmation of the channel request to execute a command
and therefore wasn't handling the error of command execution failure properly
- SCP access was blocked when shell access was blocked. Now it functions based on whether scp is allowed or not.
- Race condition during reconnection. Clients would get no session (old or new) when this reconnection race
condition occurred for the reconnection timer expiring.
- Stream mode was terminating when user typed a character
Release Date 08/19/2011
Revision #: 1370
Enhancements:
- Added directory check for scp copies if target ends with trailing slash
- Recursive mget added to console sftp client, syntax: mget -R directory
- Clients can set the kex algorithm
- improved logging
- Improved processing with latest version of cygwin
- Modified how scp root is defined
- Ability to run .NET applications compiled with AnyCPU in Advanced Console
- Ability for sftp client to use escape characters
- Improved path handling from Sun sftp clients
Fixes:
- Fixed SSH1 connections failing issue
- Removed erroneous possible resource issue warning
- Fixed SSH1 protocol negotiation issue
- Fixed memory leak in key verification
- Fixed the failure with ssh_rsa_verify with some keys
Release Date 04/20/2011
Revision #: 1225
Enhancements:
- Added PTY output processing
- Added new session variable PRAGMASYS_REMOTE_CLIENT to provide the client's version string to the session
- Improved speed on group membership checking.
- Added / Enhanced UNC path utilization in setting user home directory on a mapped drive
- Modified how scp root is defined
\ - refers to start path from root
. - refers to start path from home directory
Fixes:
- Application error on large path variables
- file size in sftp displayed incorrectly on files larger than 4GB
- Fix for clients with very large sftp buffer sizes
- Fix for channel closing session when only channel should be closed
- Fixed intermittent application error when session closes
- Fixed intermittent CPU spike
- Fixed %APPDATA% setting
- Fixed user drive mapping issue
Release Date 11/29/2010
Revision #: 1055
Enhancements:
- US DOD CAC PKI, Microsoft Windows PKI and Smart card support added
- x509 Certificate use is now supported throughout the Fortress product - server, clients, gui clients
and management programs. x509 Certificates can be in Windows Certificate Store/LDAP/smart cards
or exported files. x509 Certificate can be used as host keys and in user authentication.
Certificate Chain is verified & Certificate revocation list is checked for certificate validity.
- Full support of x509 and Smart card in FortressCL
- PragmaAP (Pragma Authentication Process) subsystem added to enhance certificate/keys authentication. Windows AD domain account can now be authenticated with x509 certificates or keys.
- PAD is enhanced with PAD2. Credential storage is secured with stronger cryptography
- Keyboard interactive mode is added and used to inquire users for auto-enrollment/store of certificates/keys.
Fixes:
- Fixed CuteFTP sftp and WinSCP sftp upload problem to Pragma sftp server.
Release Date 06/28/2010
Revision #: 827
Enhancements:
- Added options to turn on/off the different modes of certificate authentication
- Added Admin and MapRoot modes for scp.
- Added scp home directory option.
- Added configurable home directory for sftp administrator client mode
- Improved subsystem (scp, sftp, shell) performance
- "Put" transfer speed into SFTP server has been increased substantially
- SFTP server and client speeds increased with data path performance optimization
- SFTP and SCP server configurations can now be separately set via enhanced gui management
- Use FIPS 140-2 PragmaCrypto.dll in all parts of the product (servers, clients, management)
- Improved Enterprise Push options, including pull from remote server, and multi select of servers for pushing
- added option to map user drives based on type of subsystem
- New Administrative group added at installation to increase security on configuration settings. Only group members
allowed to alter server settings
- Conversion option added to sshkeygen to convert from competitors key syntax
- Added option to limit server operation log file size.
To use add string value, "DebugFileSize", to registry HKLM\SOFTWARE\PragmaSystems\SSHD. Value is in KBs.
Fixes:
- PragmaMgrC.exe invokes registry editor correctly (regedtc.exe in place of re.exe)
- fixed scp/sftp Cisco connectivity issues
- fixed scp parsing issues.
- fixed FortressCL connection issue with Cisco routers.
- fixed upload problem to Cisco routers with scp.
- fixed session limit on a per user basis
- fixed domain user Windows scripts failing to run
- fixed environment variable overwrite
- fixed group access verification requiring computer name and not domain name
Release Date 12/02/09
Revision #: 507
Enhancements:
- "Certified for Windows Server 2008 R2" logo status achieved.
- "Compatible with Windows 7" logo status achieved.
- FIPSMode introduced to choose product features to conform to FIPS 140-2 certification.
- Built with FIPS certified OpenSSL-fips1.2 library and headers to achieve FIPS 140-2 certifications for the few calls we still make to OPENSSL
- FortressCL now uses Pragma SSH library instead of its own crypto code. Pragma SSH library used MS Crypto calls and some OPENSSL, both of which are FIPS 140-2 certified.
- IPv6 is now supported in all parts of the product (sshd, ssh, sftp, scp, gui, management programs)
- scp now has -A option like in our ssh and sftp so that password can be passed for automated file transfers
- diffie-hellman-group-exchange-sha256 support added in ssh key exchange
- CmdServer passes its shell/applic return code so that sshd can pass it to the client side.
- Returned call to TerminateJobObject to our TerminateCommandShell so that MonitorChildProcesses is checked, graceful termination is available, and Recording of terminated events occurs.
- Return call to NetworkCleanup and changed OS version check to run on anything since Win2000 instead of Win2000 only
- Returned code to clean up mapped drives
- Modified logging for server process to create unique file name based off PID and time and pass as argument to CmdServer
- Multiple sessions within one remote channel are logged correctly now.
- Changed how log files are opened so that now they can be read during live session; ssh session input is logged to files
- Added check box for mapping network drives in separate thread, exposing existing registry value via PragmaMgr.exe gui.
- SCP: removed check for / and \\ in search for colon() to determine if parameter is remote machine. This allows domain accounts
to be used for scp file transfer.
- Sha-1 algorithm is used in place of md5 for fingerprint to ease support of FIPS
- FortressCL updated with numerous fixes to support both FIPS or non-FIPS modes.
- PragmaCrypto.dll introduced which contains all crypto code used to comply with FIPS 140-2 guidelines/tests.
Fixes:
- SSH server Reconnect was turned off. Now it works.
- Running it in Win 2000 server does not need turning on "Replace a Process Level Token" user rights change
- FortressCL will not get getaddrinfo() not available error in Windows Server 2000.
- ssh.exe cmd line client's -R option stopped working. The problem was limited to our ssh command line client,
other vendor's ssh client's -R option worked fine.
- scp -o option used to crash scp and has now been fixed.
- Use SHA1 hash for fingerprint instead of MD5 in sshkeygen
- SSH2 standard's diffie-hellman oakley group14 support added
- default value for ThreadDriveMap changed to off, so that drives can be available for non-interactive sessions
- Default value for CustomAppSupport now set to yes.
- Fix for garbage characters showing up on screen in Advanced Console
- PragmaMgrC.exe invokes registry editor correctly (regedtc.exe in place of re.exe)
Release Date 07/23/09
Revision # 342
Enhancements:
- New Pragma Gen2 architecture for higher speed, reliability and enterprise
deployment readiness.
- Multiple sessions within a single sshd are now supported. Up to 64
shell, sftp, scp or port forwarding sessions within one sshd can be started.
- Advanced Console and Shell support greatly improved by reducing APIs needed to be redirected
- Reconnection of dropped sessions is now supported by sshd. Useful for Handhelds
An industry first for an sshd server
- Server to client heartbeat feature added to sshd. SSH_MSG_IGNORE packet is sent to
the client by sshd to know that the ssh client is alive
- Handheld configuration settings consolidated in a separate page on Local Server Configuration
program for ease of setting up Handheld connectivity options
- Server has added smart logic to distinguish between explicit disconnect issued by user versus disconnect
due to network connection drop. The former will not cause "Reconnect" mode to be entered but the latter will
Handhelds reconnection support needs this smart disconnection difference detection for real life use.
- SSH1 protocol support added for legacy support of old devices
SSH1 can be disabled with a config entry change for sites that do not need it
- Improved Group Membership algorithm for group based access restriction control
- Customer Application has clean documented way to send custom code for beep or special functions
sshd and Pragma telnetd can work from the same custom code
- User drive letter mapping improvements to get logon prompts quickly by launching an extra
thread that maps user drives in the background; this thread exits when done. ThreadDriveMap
can be set to "no" to avoid this asynchronous drive mapping for scripts that may need drive letters
at the launch
- Windows PowerShell is now fully supported and can be set as the default shell
- Supports new Windows Server 2008 R2 and Windows 7
- All languages supported by Windows are now supported by sshd server and clients.
UTF-8 (65001) is a good page to choose. Users can choose any CodePage and Fonts that support their national language.
Fixes:
- Group access not detected correctly
- Ports not forwarded correctly on some occasions
- scp not showing all filenames in recursive transfer
- scp not showing file transfer status for all files
- Client disconnects at any time will not tie up sshd/sftp/scp servers
- sshd, sftp, scp start or later failures reported better to clients
- Auto load of Certificate login fixed to work for new users who had not logged in before.
Auto load of certificates now works correctly for Windows 2000 and all later Windows operating systems
- If "PATH" in user level was set, it would override "PATH" in system level. Now User level PATH is appended after system's PATH.
Clients/Tools:
- telnetc supports TelnetSSL protocol. telnetc /s option is used to invoke SSL
FortressCL
- control-c and control-break is now passed to server enabling application termination/exit
- TelnetSSL protocol is now supported
Known Issues:
- NONE.
----------------------- Build 9 End -------------------------------
----------------------- Build 8 Start -------------------------------
Release Date 03/18/09
Revision # 183
Enhancements:
- Support for Microsoft's new PowerShell. Many fixes done (listed below) to
have PowerShell run well with Pragma SSH server.
- Tested to run with new Windows server 2008 R2 and Windows 7.
- SSH1 protocol support added and can be easily disabled if desired
Fixes:
- Line editing insert key toggle is handled correctly by SSH server
- Server turns on AutoWrap at start as PC screens assume/expect it
- Server handles tab command completions by command shells
- Works with any screen sizes. Sizes like 120x50 were a problem before.
- 16bit programs, like edit.com, do not have 43 lines limitations any more
- Server sets the screen margins
- Server properly clears the screen buffer and maintains attributes
- Screen attributes/color maintained during erase, clearing, region drawing.
- Screen flicker reduced in large screen drawing/updates
- PowerShell can execute commands passed. Advanced Console/Console mode and not
Stream mode is needed by Powershell for its run or running passed commands
- Telmc /c continues update now restores screen after exiting
- ssh.exe and telnetc.exe now restores text attributes after ending a session
- SSH.exe client used to get stuck with Tectia server. Now it works.
- ssh, telnetc support for VT Application mode. Needed for programs like vi.exe
- ssh, telnetc does erase processing with the correct attribute/color
Known Issues:
- NONE.
----------------------- Build 8 End -------------------------------
----------------------- Build 7 Start -------------------------------
Release Date 01/12/09
Revision # 108
*** This build is Certified for Windows Server 2008 and has passed Microsoft Hyper-V virtualization test ***
Enhancements:
- New NamedPipe for ssh aware applications to write to clients
- New trouble shooting logging option to log server operation to debug window or file
Fixes:
- Removed limit on number of virtual SFTP directories
- TMP and TEMP variables converted to short path names
- large number of channels can be used without error
{ returned realloc call to channel_new if number of channels used
lowered initial channel count and increment value
changed refs to channel pointer to use index to array of channels, this allows the channel array to be reallocated}
- sftp file size fixed for 32-bit package
- fix for Pragma Manager program running on Windows 2000
Known Issues:
- NONE.
----------------------- Build 7 End -------------------------------
----------------------- Build 6 Start -------------------------------
Release Date 09/23/08
Revision # 149
Enhancements:
- New technology used (Detours) to make AdvancedConsole mode more robust
- Native Itanium 64 bit support now available with Detours use for
AdvancedConsole and wrap.
- New graphic set definition added for use with Stay-Linked console client
add registry value "DECCharSet" under configured users with a value
of 6, plus true vt220 character map
Fixes:
- Characters outside ASCII character set allowed in password and username
- PRB: User defined in 3rd or greater Active Directory group in Pragma Manager
Group page cannot gain access
- AdvancedConsole mode enhanced to give these features and robustness:
a) Backspace now works when tabbed command completion text is edited
b) Backspace processing will not erase passed command prompts
c) Backspace processing technique redone to use Windows console
for more accurate backspace processing in all cases
d) F7 popped command history works robustly
e) F2, F3, F4 cmd shell processing works correctly
f) In editors like vi.exe, ": " command now erases texts where command is typed.
ESC-K clear line server was sending was not getting out properly to client
- PRB: environment variables defined for user appending s to variable in session
- Multiple groups added from single dialog selection list all groups
- Configuration values for groups near end of long list work
- Pragma Manager stops Remote Registry service
- forwarded ports not closing when client disconnects
- forwarded ports closing unexpectedly
Known Issues:
- NONE.
----------------------- Build 6 End -------------------------------
----------------------- Build 5 Start -------------------------------
NOTE: There is no Build 5 for FortressSSH.
----------------------- Build 5 End -------------------------------
----------------------- Build 4 Start -------------------------------
Release Date 12/07/07
Revision # 289 (pragmareg displays this revision number as # 33)
Enhancements:
- Client size not limited by server side maximum window size
- New Configuration Push in Pragma Manager
- improved search for user profiles for key authentication
Fixes:
- FIX: PCI Compliance issue which reports a buffer-overflow. Our
testing did not result in a buffer overflow, so there is no security
risk of execution of arbitrary code. The complaint would cause the
server to appear to freeze.
- Updated child process termination
- Advanced Console redraw when using special input keys
- sftp bad address error on directory change
Known Issues:
- NONE.
----------------------- Build 4 End -------------------------------
----------------------- Build 3 Start -------------------------------
Release Date 01/24/07
Enhancements:
- Groups configurable by domain name and not domain controller
machine name.
Fixes:
- In Vista 64-bit, 64-bit programs failed to show output
- Improved key generation for writing to user shell
- Report of invalid character map value in environment variable
- sftp.exe command line client hung in file uploads to BITVISE WinSSHD
- fix for ssh client script processing
- ssh client display fixes
- PROB: crash for some group access
- backspace fix in Advanced Console
- InetD handle leak if maximum number of connections reached
- support for Windows 2003 Active Directory domain functional level
added
- PROB: SSHD process hangs if user shell cannot be launched
- sftp file transfer hanging
Known Issues:
- NONE.
----------------------- Build 3 End -------------------------------
----------------------- Build 2 Start -------------------------------
Release Date 12/08/06
Enhancements:
- Network shares referenced by UNC name allowed as virtual
directories
Fixes:
- FIX 09272006: FortressFX SSH/sftp Port number not passed to lower
layer.
This would disallow connection to server port other than standard
22.
- FIX: ESC key can be pressed once to send ESC to server
- FIX: port forwarding
- FIX: SFTP from some clients does not close
- FIX: screens clear completely
- FIX: Server and client exit status reported
- FIX: SCP access does not need Shell Access as well
- FIX: Term environment variable assigned correctly
Known Issues:
- NONE.
----------------------- Build 2 End -------------------------------
----------------------- Build 1 Start -------------------------------
Release Date 09/26/06
Enhancements:
- Full 64 bit x64 version support for Intel EM64T and AMD64
processors
- Two separate packages available. One for 32-bit and another for
64-bit.
- Support for Windows Vista (both 32 and 64 bit) and Windows Longhorn
server
- Session Monitoring configurable by Pragma Manager
- More troubleshooting features added
- More sessions possible with smaller desktop count
- Optimized for both 64bit and 32bit with the newest compiler
technologies
- 64 bit version allows for reaching new scalability heights in
terms
of session support and larger file transfer size
- environment variable can be used in Home Directory designation
- Import/Export of Configuration Settings
- Easier Configuration of Idle Session Timeout
- Reverse Video configuration
- Bigger and faster File transfer speeds
- Escape sequences can be sent in multiple packets allowing improved
emulation
- SSH1 code taken out to improve product security. Only SSH2 is
supported
Fixes:
- New Release. N/A
Known Issues:
- NONE.
----------------------- Build 1 End -------------------------------