NEWS YOU CAN USE FROM VANDYKE SOFTWARE®
Is SSH2 a standard? In this month's issue, we give a summary of the IETF's standards track process and an update on the status of the SSH2 protocol.
If you need to upload files to the same folder on a remote machine, we'll show you how to set up a drag and drop SFTP transfer using the SecureCRT® VCP utility, VBScript, and a desktop shortcut.
New initial beta releases for SecureCRT 4.1 and SecureFX® 2.2 provide
support for Kerberos v5 authentication in a mixed-platform environment.
Maintenance releases are also available for VShell™ 2.2.2, SecureFX
2.1.7, and Entunnel™ 1.0.7.
SPECIAL OFFER FROM USENIX
VanDyke Software is pleased to be a sponsor for the USENIX LISA '03 conference in San Diego, California. LISA is the conference for Large Installation System Administrators.
USENIX is offering a $100 discount to VanDyke newsletter subscribers who wish to attend the conference. The event will be held from October 26 through 31, 2003.
To learn more about the conference and to register, visit: http://www.usenix.org/events/lisa03/
Use this discount code to save $100: VAND10203
NEW BETA RELEASES
VanDyke Software is pleased to announce the initial beta releases of SecureCRT 4.1 and SecureFX 2.2. When used with VShell 2.2 for Windows and UNIX, SecureCRT 4.1 and SecureFX 2.2 provide support for Kerberos v5 authentication in a mixed-platform server environment.
SecureCRT and SecureFX now share the host-key database and private-key agent cache to simplify integration and eliminate the need to reenter passphrases.
To find out more about these new beta releases, visit: http://www.vandyke.com/download/latestreleases.html
1. Feature - Is SSH2 a Standard?
The Secure Shell (SSH) protocol has become a popular solution for securing TCP/IP traffic over the Internet. SSH implementations are included with most UNIX, Linux, and BSD distributions, and there are a number of commercial and free SSH client and server products available.
The SSH protocol has been in use since 1995. The initial draft protocol, SSH version 1.0 (SSH1), was rewritten as SSH version 2 (SSH2). The documents that make up the SSH2 protocol are being developed within the IETF (Internet Engineering Task Force) secsh Working Group and are at various stages in the IETF standardization process.
But is SSH2 a standard? In order to answer this question, you need to understand the IETF standardization process.
The IETF is made up of volunteers who work on the development of protocols and their usage for the Internet. Most of this work is done in the IETF Working Groups. The Working Group responsible for the Secure Shell protocol is the secsh Working Group.
Working Groups recommend the standardization of protocols to the IESG (Internet Engineering Steering Group), which oversees the activities of the IETF and the Internet standards process.
IETF Internet standards are published as RFCs (Requests for Comments), though not all RFCs are standards. Of six different types of RFCs, three are considered standards within the IETF: proposed standards, draft standards, and full standards.
The IESG reviews and ratifies output from the IETF Working Groups, makes sure that drafts that are about to become RFCs are correct, and decides whether a draft will move forward in the standardization process.
Here's a basic outline of the process for specifications that follow the standards track:
So where is SSH2 now? The documents that make up the SSH2 protocol are at the Internet-Draft stage. SSH2 consists of five core Internet-Drafts: SSH Protocol Architecture, SSH Transport Layer Protocol, SSH Authentication Protocol, SSH Connection Protocol, and SSH Protocol Assigned Numbers. All of these core drafts have been through an IETF-wide last call and are currently being reviewed by the IESG to become RFCs or Proposed Standards.
There are also a number of extension drafts at the Internet-Draft stage. Some are in Working Group last call, while others are ready, or close to being ready, to be submitted to the IESG for consideration as Proposed Standards.
It appears likely that the five core SSH2 Internet-Drafts will be published as RFCs and become Proposed Standards. At that stage, specifications are typically quite stable and have undergone significant comment and scrutiny.
Once SSH2 becomes a Proposed Standard, it is likely that SSH2 will be implemented on a wider basis. Many vendors have been waiting for SSH2 to move further in the IETF standardization process before switching from SSH1 to the SSH2 protocol.
A stable specification will also help to ensure interoperability between SSH2 implementations that follow the IETF RFCs. VanDyke, for example, has been committed to tracking the Internet-Drafts and has been actively involved in the secsh Working Group process in order to ensure interoperability.
If you'd like to learn more about the IETF and the Internet standardization process, a great resource is "The Tao of IETF: A Novice's Guide to the Internet Engineering Task Force", which can be found at: http://www.ietf.org/tao.html
To see the current SSH2 Internet-Drafts, go to: http://www.vandyke.com/go.php?id=nl0930b
Or, you can read the original drafts and the most recent changes at: http://www.ietf.org/html.charters/secsh-charter.html
KERBEROS VIA GSSAPI
The latest releases of VShell 2.2.2 (official) for Windows and UNIX, SecureCRT 4.1 (beta 1), and SecureFX 2.2 (beta 1) address a vulnerability found in the GSSAPI authentication method.
When using Kerberos host and user authentication via GSSAPI, the connection could be vulnerable to a man-in-the-middle attack. The introduction of GSSAPI with MIC eliminates this risk and the GSSAPI method has been deprecated.
If you use Kerberos via GSSAPI for authentication, it is recommended that you update to the latest versions as soon as possible.
This month's tip was submitted by one of our software developers who has set up a way to drag and drop SFTP transfers to a folder on a remote machine using VCP, VBScript, and a desktop shortcut.
If you're like me, you need to upload files to the same folder on the
remote machine many times throughout the day. If you're a SecureCRT user
taking advantage of the VCP command-line sftp utility for secure file
transfers, it's often inconvenient to bring up a command prompt and type
Ever wish you had the ability to securely upload a file to a remote server by simply dragging and dropping right from Windows Explorer? This tip shows you how.
For SecureFX users, we also show you how this can be done with SFXCL.exe.
Do you have a product tip you'd like to share? Send us your tip at
If we use your tip, we'll send you a VanDyke T-shirt and an Amazon.com gift certificate.
In our July newsletter, we featured an article on simplifying authentication with the use of Kerberos via GSSAPI. O'Reilly recently published a guide which you might find useful if you are implementing a Kerberos solution.
This month, we recommend "Kerberos: The Definitive Guide", by Jason Garman (O'Reilly, 2003, ISBN 0-596-00403-6).
Here's the summary from the O'Reilly web site:
"Single sign-on is the holy grail of network administration, and Kerberos is the only game in town. Microsoft, by integrating Kerberos into Active Directory in Windows 2000 and 2003, has extended the reach of Kerberos to all networks large or small. 'Kerberos: The Definitive Guide' shows you how to implement Kerberos on Windows and UNIX systems for secure authentication. In addition to covering the basic principles behind cryptographic authentication, it covers everything from basic installation to advanced topics like cross-realm authentication, defending against attacks on Kerberos, and troubleshooting."
Read a sample chapter or order the guide at the O'Reilly web site:
New initial beta releases are available for SecureCRT 4.1, CRT™ 4.1, SecureFX 2.2, and AbsoluteFTP® 2.2.
The beta 1 releases of SecureCRT 4.1 and SecureFX 2.2, when used with VShell 2.2, provide support for Kerberos v5 authentication.
New maintenance releases are also available for VShell 2.2.2, SecureFX 2.1.7, and Entunnel 1.0.7.
You can download new releases at:
For quick access to previous official releases, go to:
Here are our latest official product releases:
VShell 2.2.2 Servers for Windows and UNIX
To download any of our current releases, go to http://www.vandyke.com/download/latestreleases.html
Let us know what you think about this issue. Was the tip useful? Did you like the feature? Is there a topic you'd like to see us write about? Send us an e-mail at:
VanDyke Company News is an opt-in mailing list. If you prefer not to receive e-mail like this from us, or need to change your e-mail address, go to:
VanDyke Software, AbsoluteFTP, CRT, Entunnel, SecureCRT, SecureFX, and VShell are trademarks or registered trademarks of VanDyke Software, Inc.
All other products and services mentioned are trademarks or registered
trademarks of their respective companies.