NEWS YOU CAN USE FROM VANDYKE SOFTWARE®
A Monthly Newsletter - September 2003
Is SSH2 a standard? In this month's issues, we give a summary of the IETF's standards track process and an update on the status of the SSH2 protocol.
If you need to upload files to the same folder on a remote machine, we'll show you how to set up a drag and drop SFTP transfer using the SecureCRT® VCP utility, VBScript, and a desktop shortcut.
New initial beta releases for SecureCRT 4.1 and SecureFX® 2.2 provide
support for Kerberos v5 authentication in a mixed-platform environment.
Maintenance releases are also available for VShell™ 2.2.2, SecureFX
2.1.7, and Entunnel™ 1.0.7.
SPECIAL
OFFER FROM USENIX
VanDyke Software is pleased to be a sponsor for the USENIX LISA '03 conference in San Diego, California. LISA is the conference for Large Installation System Administrators.
USENIX is offering a $100 discount to VanDyke newsletter subscribers who wish to attend the conference. The event will be held from October 26 through 31, 2003.
To learn more about the conference and to register, visit: http://www.usenix.org/events/lisa03/
Use this discount code to save $100: VAND10203
SAVE $100
-------------
Contents
-------------
1. Feature - Is SSH2 a Standard?
2. Tips - Setting Up a Drag and Drop SFTP using VCP
3. Recommended Reading - Kerberos: The Definitive Guide
4. New Releases
5. Current Releases
SECURECRT AND SECUREFX
VanDyke Software is pleased to announce the initial beta releases of SecureCRT 4.1 and SecureFX 2.2. When used with VShell 2.2 for Windows and UNIX, SecureCRT 4.1 and SecureFX 2.2 provide support for Kerberos v5 authentication in a mixed-platform server environment.
SecureCRT and SecureFX now share the host-key database and private-key agent cache to simplify integration and eliminate the need to reenter passphrases.
To find out more about these new beta releases, visit: http://www.vandyke.com/download/latestreleases.html
NEW BETA RELEASES
-------------------------------------------
1. Feature – Is SSH2 a Standard?
-------------------------------------------
The Secure Shell (SSH) protocol has become a popular solution for securing TCP/IP traffic over the Internet. SSH implementations are included with most UNIX, Linux, and BSD distributions, and there are a number of commercial and free SSH client and server products available.
The SSH protocol has been in use since 1995. The initial draft protocol, SSH version 1.0 (SSH1), was rewritten as SSH version 2 (SSH2). The documents that make up the SSH2 protocol are being developed within the IETF (Internet Engineering Task Force) secsh Working Group and are at various stages in the IETF standardization process.
But is SSH2 a standard? In order to answer this question, you need to understand the IETF standardization process.
The IETF is a made up of volunteers who work on the development of protocols and their usage for the Internet. Most of this work is done in the IETF Working Groups. The Working Group responsible for the Secure Shell protocol is the secsh Working Group.
Working Groups recommend the standardization of protocols to the IESG (Internet Engineering Steering Group), which oversees the activities of the IETF and the Internet standards process.
IETF Internet standards are published as RFCs (Requests for Comments), though not all RFCs are standards. Of six different types of RFCs, three are considered standards within the IETF: proposed standards, draft standards, and full standards.
The IESG reviews and ratifies output from the IETF Working Groups, makes sure that drafts that are about to become RFCs are correct, and decides whether a draft will move forward in the standardization process.
Here's a basic outline of the process for specifications that follow the standards track:
- Internet-Draft. All IETF standards begin as Internet-Drafts. An Internet-Draft is a temporary working document that automatically expires after six months. Before an Internet-Draft can be published as an RFC, there must be a consensus that it would be a useful standard. After consensus is reached and there has been a Working Group last call, an Internet-Draft may be submitted to the IESG for consideration to become an RFC, or Proposed Standard. After a review, the IESG performs an IETF-wide last call, which often results in changes to the draft. If the IESG approves the Internet-Draft to become an Internet Standard, it is published as an RFC and it becomes a Proposed Standard. Not all Internet-Drafts progress on the standards track.
- Proposed Standard. Most widely-used Internet standards are Proposed Standards that never move on to the next level in the standardization process. However, after 6 months, the author of the RFC or Proposed Standard, or the Working Group chair, can request that it become a Draft Standard.
- Draft Standard. In order for a Proposed Standard to become a Draft Standard, there must be at least two independent, interoperable implementations of each part of the standard. At this stage, specifications often need to be reworded or reworked.
- Internet Standard (or Full Standard). Very few Draft Standards ever become Internet Standards. This level is typically reserved for protocols that are "absolutely required for the Internet to function." The IESG thoroughly reviews every aspect of a Draft Standard before making it a full Internet Standard.
So where is SSH2 now? The documents that make up the SSH2 protocol are at the Internet-Draft stage. SSH2 consists of five core Internet-Drafts: SSH Protocol Architecture, SSH Transport Layer Protocol, SSH Authentication Protocol, SSH Connection Protocol, and SSH Protocol Assigned Numbers. All of these core drafts have been through an IETF-wide last call and are currently being reviewed by the IESG to become RFCs or Proposed Standards.
There are also a number of extension drafts at the Internet-Draft stage. Some are in Working Group last call, while others are ready, or close to being ready, to be submitted to the IESG for consideration as Proposed Standards.
It appears likely that the five core SSH2 Internet-Drafts will be published as RFCs and become Proposed Standards. At that stage, specifications are typically quite stable and have undergone significant comment and scrutiny.
Once SSH2 becomes a Proposed Standard, it is likely that SSH2 will be implemented on a wider basis. Many vendors have been waiting for SSH2 to move further in the IETF standardization process before switching from SSH1 to the SSH2 protocol.
A stable specification will also help to ensure interoperability between SSH2 implementations that follow the IETF RFCs. VanDyke, for example, has been committed to tracking the Internet-Drafts and has been actively involved in the secsh Working Group process in order ensure interoperability.
If you'd like to learn more about the IETF and the Internet standardization process, a great resource is "The Tao of IEFT: A Novice's Guide to the Internet Engineering Task Force" which can be found at: http://www.ietf.org/tao.html
To see the current SSH2 Internet-Drafts, go to: http://www.vandyke.com/go.php?id=nl0930b
Or, you can read the original drafts and the most recent changes at: http://www.ietf.org/html.charters/secsh-charter.html
VULNERABILITY
NOTICE
The latest releases of VShell 2.2.2 (official) for Windows and UNIX, SecureCRT 4.1 (beta 1), and SecureFX 2.2 (beta 1) address a vulnerability found in the GSSAPI authentication method.
When using Kerberos host and user authentication via GSSAPI, the connection could be vulnerable to a man-in-the-middle attack. The introduction of GSSAPI with MIC eliminates this risk and the GSSAPI method has been deprecated.
If you use Kerberos via GSSAPI for authentication, it is recommended that you update to the latest versions as soon as possible.
KERBEROS VIA GSSAPI
----------------------------------------------------------------------
2. Tips - Setting Up a Drag and Drop SFTP
using VCP
----------------------------------------------------------------------
This month's tip was submitted by one of our software developers who has set up a way to drag and drop SFTP transfers to a folder on a remote machine using VCP, VBScript, and a desktop shortcut.
If you're like me, you need to upload files to the same folder on the
remote machine many times throughout the day. If you're a SecureCRT user
taking advantage of the VCP command-line sftp utility for secure file
transfers, it's often inconvenient to bring up a command prompt and type
in the command and the full path to the folder or files you wish to transfer
each time you need to upload.
Ever wish you had the ability to securely upload a file to a remote sever by simply dragging and dropping right from Windows Explorer? This tip shows you how.
http://www.vandyke.com/support/tips/vcpdragdrop.html
For SecureFX users, we also show you how this can be done with SFXCL.exe.
Do you have a product tip you'd like to share? Send us your tip at
If we use your tip, we'll send you a VanDyke T-shirt and an Amazon.com gift certificate
--------------------------------------------------------------------------------
3. Recommended Reading – Kerberos: The
Definitive Guide
--------------------------------------------------------------------------------
In our July newsletter, we featured an article on simplifying authentication with the use of Kerberos via GSSAPI. O'Reilly recently published a guide which you might find useful if you are implementing a Kerberos solution.
This month, we recommend "Kerberos: The Definitive Guide", by Jason Garman (O'Reilly, 2003, ISBN 0-596-00403-6).
Here's the summary from the O'Reilly web site:
"Single sign-on is the holy grail of network administration, and Kerberos is the only game in town. Microsoft, by integrating Kerberos into Active Directory in Windows 2000 and 2003, has extended the reach of Kerberos to all networks large or small. 'Kerberos: The Definitive Guide' shows you how to implement Kerberos on Windows and UNIX systems for secure authentication. In addition to covering the basic principles behind cryptographic authentication, it covers everything from basic installation to advanced topics like cross-realm authentication, defending against attacks on Kerberos, and troubleshooting."
Read a sample chapter or order the guide at the O'Reilly web site:
http://www.oreilly.com/catalog/kerberos/
-----------------------
4. New Releases
-----------------------
New initial beta releases are available for SecureCRT 4.1, CRT™ 4.1, SecureFX 2.2, and AbsoluteFTP® 2.2.
The beta 1 releases of SecureCRT 4.1 and SecureFX 2.2, when used with VShell 2.2, provide support for Kerberos v5 authentication.
New maintenance releases are also available for VShell 2.2.2, SecureFX 2.1.7, and Entunnel 1.0.7.
You can download new releases at:
For quick access to previous official releases, go to:
---------------------------
5. Current Releases
---------------------------
Here are our latest official product releases:
VShell 2.2.2 Servers for Windows and UNIX
SecureCRT 4.0.8
SecureFX® 2.1.7
Entunnel™ 1.0.7
CRT 4.0.8
AbsoluteFTP® 2.0.5
To download any of our current releases, go to http://www.vandyke.com/download/latestreleases.html
To download OpenSSH 3.5p1, an extended version of OpenSSH that supports
the public-key subsystem, visit https://secure.vandyke.com/cgi-bin/public_keys.php
All VanDyke Software products may be downloaded and evaluated at no cost
for 30 days. Licenses include one year of free upgrades and unlimited
access to our expert technical support.
Pass it along! If you find this monthly newsletter helpful and informative,
forward it to co-workers or friends, or tell them where to sign up.
--------------------------
What do you think?
--------------------------
Let us know what you think about this issue. Was the tip useful? Did you like the feature? Is there a topic you'd like to see us write about? Send us an e-mail at:
----------------------------------
Subscription Information
----------------------------------
VanDyke Company News is an opt-in mailing list. If you prefer not to receive e-mail like this from us, or need to change your e-mail address, go to:
http://www.vandyke.com/support/newsletter.html
---
VanDyke Software, AbsoluteFTP, CRT, Entunnel, SecureCRT, SecureFX, and VShell are trademarks or registered trademarks of VanDyke Software, Inc.
All other products and services mentioned are trademarks or registered
trademarks of their respective companies.