VShell(R) Server for Windows 2.3.7 Official -- October 13, 2005

Copyright (C) 1995-2005 VanDyke Software, Inc.
All rights reserved.

This file contains a VShell product history. It includes lists of new
features, changes, and bug fixes sorted by release. For a product
description, installation notes, registration, and contact information,
please refer to Readme.txt (downloaded with this installation).


Changes in VShell 2.3.7 Official -- October 13, 2005
----------------------------------------------------

New features:

  - Logging to the LSA Authentication Module when user impersonation
    succeeds or fails.

Changes:

  - VShell now logs invalid connection and port-forward filters when
    reading the configuration and the VShell Control Panel will no
    longer display or allow the entry of invalid connection or
    port-forward filters. Previously invalid filters would be
    displayed in the VShell Control Panel, but would cause an
    incorrect filter to be selected in the filter list.
  - Changed the VShell installer to wait for the VShell service to
    stop. Previously, VShell installations could fail because the
    service or clients were still running.

Bug fixes:

  - VShell crashed when the connection or port forward filters were
    incorrectly formatted due to a missing ":". This could occur if
    editing the filters manually or moving from VShell 2.5 back to
    2.3.
  - A potential crash when setting an ACL with an invalid user or
    group name.
  - VSH: Typo in SSH1 failed authentication error was fixed.


Changes in VShell 2.3.6 Official -- August 11, 2005
---------------------------------------------------

New features:

  - VSH: Option "-e none" which turns off all escape sequence
    handling. This is best used with VSH when transferring large
    binary files.
  - VSH: Support for SSH1.
  - VSH: An option (-remote) allowing reverse port forwarding.

Changes:

  - The VShell installer no longer creates desktop shortcuts by
    default.
  - During installation, if Taskkill.exe was not available and the
    VShell Control Panel was running, the installer would fail. Now
    the VShell installer prompts to manually stop the VShell Control
    Panel if taskkill.exe is unavailable.
  - The License Wizard dialog and VShell Control Panel About page no
    longer display extraneous information entered in the license
    serial number field.
  - VShell Control Panel access control check boxes were disabled
    inconsistently. Now if logon is disabled, the other access
    control fields are disabled, otherwise the fields are enabled.
  - Port-forwarded data was buffered instead of sent immediately.
    Corrections were made to the use of TCP_NODELAY to resolve the
    problem.
  - Changed "can not" to "cannot" in error messages.
  - Added the connection ID to the "Transport closed cleanly..." log
    message.
  - VSH/VCP/VSFTP: Clients added support for the authentication type
    "gssapi-deprecated".
  - Improved error reporting on host name resolution errors.

Bug fixes:

  - VShell was susceptible to host key vulnerability CERT - VU#973635
    and granted more privileges to the host key than it should. The
    extra privileges were caused by inherited rights of the user
    installing VShell. Power Users and normal users could have
    inherited more privileges than is recommended. VShell now only
    grants privileges to the host key for the System and
    Administrator groups and does not use the inherited rights of the
    user installing VShell.
  - When any SFTP client connected with SFTP, %HOME% substitution in
    VShell SFTP roots was not substituted.
  - When SSH clients connected for shell logon, %HOMEDRIVE% and
    %HOMEPATH% were not set properly. These values are now set to the
    proper DOS shell values.
  - In the VShell Control Panel, manually entering a port over 999
    was reported as an error because "," was considered an invalid
    character. Now manually entered ports over 999 do not have a ","
    added.
  - When entering licenses in the License wizard, an "&" in company
    or user names was incorrectly displayed by underscoring the next
    letter.
  - Changing VShell host key under a heavy load of multiple users
    using shell or SFTP transfers caused VShell to crash.
  - When using the automatic license key entry and selecting multiple
    keys, the VShell server had difficulty parsing the clipboard
    information.
  - VShell did not close connections properly and reached connection
    limit prematurely when using WinSCP clients.
  - Cipher AES was not thread safe and caused trouble when using
    different key sizes concurrently under a heavy load.
  - VSH/VCP/VSFTP: When clients connected using an IP address and
    other key exchange algorithms were allowed, gssapi was not the
    preferred item in the key exchange list.
  - VCP: Application did not check if wildcard download destination
    directories were valid. Downloads to invalid directories would
    fail but no error code was returned. Now an error exit code is
    returned.
  - VSH: Application could have hung when using Subversion or CVS.
  - VSH: Application modified large binary CVS transfers. Added
    "-e none" option to turn off all escape sequence handling.


Changes in VShell 2.3.5 Official -- May 12, 2005
------------------------------------------------

Bug fixes:

  - VShell's SFTP fstat was not returning ACL group and owner
    information when requested.
  - VShell would occasionally crash during port forwarding when the
    channel was being closed.


Changes in VShell 2.3.4 Official -- March 17, 2005
--------------------------------------------------

Bug fixes:

  - Incorrect formatting and spelling error in log message, "User
    does not have privilege to logon on locally; falling back to
    network logon".
  - VShell was not internally consistent in using the client SFTP
    version to determine correct behavior.
  - VShell's SFTP fstat failed to give owner group information when
    requested.
  - VShell could erroneously log an error saying "operation success"
    instead of bytes transferred.

Changes:

  - Due to changes to the keyboard-interactive draft, VShell now
    sends an empty language tag.


Changes in VShell 2.3.3 Official -- December 9, 2004
----------------------------------------------------

Bug fixes:

  - VCP was performing case-sensitive file matching for
    case-insensitive file systems.
  - VShell had problems related to selecting users in a parent Active
    Directory domain from the Access Control Panel.
  - VShell could leak a small amount of memory on a failed SFTP open
    command.
  - VShell failed to open files correctly when the
    SFTP_OPENFLAG_TRUNC was set.


Changes in VShell 2.3.2 Official -- September 9, 2004
-----------------------------------------------------

Changes:

  - Changed VCP's progress indicator to be like VSFTP.
  - VCP is no longer case sensitive when matching local filenames.
  - Added support for IDN hostnames.
  - When matching algorithm names on the command line, the match is
    now case insensitive.
  - Improved VSFTP error messages.
  - Added an option called "Suppress Not Supported Errors" to force
    VShell to return *success* when calling SetStat...() to set only
    file permissions (where it used to return a *not supported* error
    in this case).

Bug fixes:

  - VSH, VCP, and VSFTP could crash if processing a key exchange
    algorithm that was not supported.
  - Updated VSFTP usage message to reflect correct syntax for put and
    get.
  - VSFTP would display the incorrect file size for large (~5GB)
    files.


Changes in VShell 2.3.1 Official -- June 8, 2004
------------------------------------------------

Changes:

  - The default order for host key algorithms is now ssh-rsa then
    ssh-dsa.
  - Because multiple non-VanDyke SFTP clients fail to handle newline
    extensions when using SFTP v3, VShell now only sends newline
    extensions when using SFTP v4.

Bug fixes:

  - When matching DC attributes in an X.509 certificate, VShell could
    have reported a non-match when a match had occurred.
  - VShell would crash when file attributes were requested via SFTP
    on a file residing on a FAT32 file system.
  - There was a potential for a buffer overflow when processing an
    SSH2 packet.


Changes in VShell 2.3 Official -- May 6, 2004
---------------------------------------------

No changes


Changes in VShell 2.3 (Beta 5) -- April 29, 2004
------------------------------------------------

Changes:

  - Previous versions of VShell only checked to ensure the existence
    of a user's SFTP home directory before placing the user in that
    directory. VShell now checks to see if the user has read
    permission on that directory before allowing access.
  - VShell now attempts to place a user requesting SFTP in their
    "My Documents" folder before trying to place them in the root of
    the system drive.


Changes in VShell 2.3 (Beta 4) -- April 20, 2004
------------------------------------------------

New features:

  - VCP: Now shows a transfer progress indicator for each file being
    transferred. The format is "34% 208KB 38.8KB/s 00:10 ETA".
  - VSH, VCP, and VSFTP now look (read only) at a common location for
    host keys before looking in the user's private location. If the
    host is in the common database but the key doesn't match, the
    user can accept once. Under Windows, this location is
    "C:\Documents and Settings\All Users\Application Data\VanDyke\Known Hosts".

Changes:

  - The path to the VShell program directory is now added to the
    system path.

Bug fixes:

  - VSH: Under certain circumstances password and other prompts were
    not visible when VSH was used with applications like CVS.
  - VSH: Calling "cvs update" caused VSH to hang when there were
    several files to change.
  - The setting "Maximum Authentication Retries" was off by one in
    VShell 2.3 for both UNIX and Windows. For example, this would
    cause a user authentication failure after four unsuccessful
    attempts when the limit was set to five.
  - VShell was removing file type information from the POSIX modes
    field in SFTP v3 attribute packets. This caused various failures
    when interoperating with SFTP v3 clients such as OpenSSH, CuteFTP
    Pro 6, etc.
  - It was possible to get a random RSA BSafe error when attempting
    public-key authentication with a PuTTY RSA public key.


Changes in VShell 2.3 (Beta 3) -- April 8, 2004
-----------------------------------------------

New features:

  - VCP, VSH, and VSFTP.exe now accept the argument "-accepthostkeys"
    to avoid being prompted for host keys when connecting to a host
    for the first time. NOTE: this should be used with caution,
    since, if a host key has changed, it will invalidate the ability
    to detect a man-in-the-middle attack.

Changes:

  - VSFTP: the "mv" command allows moving multiple files using
    wildcards only when the destination is a directory. Previously,
    it was moving multiple files to a single file if a file was
    specified as the destination.

Bug fixes:

  - Password authentication with Itanium 64-bit Windows 2003 was
    failing with the message:
        Failed to lookup authentication package
        MICROSOFT_AUTHENTICATION_PACKAGE_V1_0: The parameter is
        incorrect.
  - Ticket caching with the latest MIT Kerberos was not supported.
    This was fixed with the addition of new ticket cache-related
    function calls.
  - SFTP attrib extensions were not being processed because of a
    logic error.
  - In some cases, SFTP v4 was not sending the correct error messages
    due to changes from v3. VShell now sends the correct error
    messages for the version of SFTP in use.
  - VSFTP: When using the -q option, output to the screen was still
    verbose.
  - An error is returned when attempting to chmod a file using SFTP
    on a Windows server. Previously, this failed silently.


Changes in VShell 2.3 (Beta 2) -- March 16, 2004
------------------------------------------------

New features:

  - VSH: Added the following escape sequences: ~~ (escape), ~? (list
    escape sequences), ~R (initiate re-key), ~# (list forwarded
    ports), and ~. (disconnect).
  - VSFTP: Support for multiple files (wildcards) in the following
    commands: cd, ls, lls, rm, lrm, rmdir, lrmdir, mkdir, lmkdir,
    chown, chgrp, chmod, and mv.
  - VSFTP: Support for using wildcard specifications to move multiple
    files to a directory.

Changes:

  - VSFTP: VSFTP now overwrites a file if it exists. Prior to this
    release, VSFTP skipped a file if it existed.
  - VSFTP: By default, VSFTP no longer reports @domainname after each
    user and group name when an "ls -l" command is used. To display
    the domain, you can use the "-domain" option.
  - VSFTP: Output is given when files are removed. Prior to this
    release, removing files gave no output.
  - VSFTP: Output from an "ls" command is now sorted.
  - VSFTP: "ls" and "lls" commands without the "-l" flag now list
    files in a tabular format, if the display is a tty.
  - VSFTP: "ls" and "lls" commands now enter directories that are the
    result of wildcard expansion.
  - VSFTP: The verbosity of output when putting and getting files was
    reduced. If a "-v" flag has been specified, VShell displays an
    additional line for each file logging the throughput of the file.
  - VSFTP: A more useful error is now returned when a directory
    cannot be removed.
  - VSFTP: Added the command "mv" (was previously "move").
  - VSFTP: Added the command "chgrp" (was previously "chgroup").

Bug fixes:

  - VShell required a mutual authentication when using the
    gssapi-with-mic method. If a client did not also request mutual
    authentication, VShell incorrectly failed the authentication.
  - The OpenSSH ssh-agent program unexpectedly aborted when used by
    VanDyke clients. VanDyke clients use agent when performing
    public-key authentications.
  - All VanDyke Software products sent invalid SFTP v3 attribute
    packets. This only affected SSH Communications clients connecting
    to VShell for UNIX servers. If the client was affected by this,
    they might disconnect.
  - VShell for Windows now returns an error when chmod from VSFTP is
    attempted on a Windows machine.
  - VSFTP: Remove with a directory and a wildcard did not remove any
    files.
  - VSFTP: No filename was given in "put" errors if the file did not
    exist.
  - VSFTP: The "mv" command did not work correctly if the target was
    a directory (including . and ..).
  - VSFTP: The "vsftp>" prompt was interspersed in intermediate
    messages in some cases.
  - VSFTP: Wildcards with a local listing did not correctly resolve
    filenames. For example, "lls *.txt" might return an error such as
    "No such file or directory".
  - VSH: Verbose output began to stair step after port forwarding was
    accepted.


Changes in VShell 2.3 (Beta 1) -- February 24, 2004
---------------------------------------------------

New features:

  - The VShell Control Panel applet now has the ability to allow,
    disallow, and require authentication methods. Previously, one
    could only require public-key and password authentication methods
    and could not disallow a specific authentication method.
  - VShell can now execute triggers (to call a program or batch file)
    after a download file operation has completed.
  - VCP/VSFTP: Multiple wildcard and globbing support in VSFTP.exe
    and VCP.exe.

Changes:

  - VShell now supports the most recent version of the Public Key
    Assistant protocol, as specified in the IETF draft document,
    draft-ietf-secsh-publickey-subsystem-00.txt.
  - VShell now performs a reverse DNS lookup and a forward lookup to
    detect DNS spoofing when evaluating connection filters based on
    hostname or domain name.
  - If there is an empty "Authentications Allow" list present in the
    registry, VShell now allows no authentications to succeed. It
    used to allow all methods to succeed in this case.
  - Text was added to the SFTP Root page to clarify that variables
    like %MYDOCUMENTS% can be used for aliases.
  - The VShell installer no longer prompts to reboot if the same
    version of the LSA module has already been installed.

Bug fixes:

  - When run for the first time, VShell failed to set the ACL on the
    HKLM\Software\VanDyke\VShell registry key. The ACL is now set to
    SYSTEM & Administrators, full control; Everyone - Read Only.
    Administrators can override this using the registry editor.
  - VShell could crash if a disconnect was sent at the same time a
    key exchange happened.
  - VSH/VCP: The -auth flag was not working for VSH.exe and VCP.exe
    if more than one authentication method was specified.
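
The 2.3 (Beta 1) change listed above has VShell perform a reverse DNS
lookup and a forward lookup before applying hostname or domain
connection filters. The following is an added example, not VanDyke
code, of that forward-confirmed reverse DNS check; the resolver hooks,
the zone data, the function names and the suffix-match filter
semantics are assumptions made for illustration.

```python
import ipaddress

# Constructed sample zone data (documentation address ranges, not real hosts).
PTR = {"192.0.2.10": "build.corp.example.",
       "203.0.113.7": "build.corp.example.",   # PTR is set by the IP's owner
       "198.51.100.4": "host.evilcorp.example."}
A = {"build.corp.example": ["192.0.2.10"],
     "host.evilcorp.example": ["198.51.100.4"]}

def reverse_lookup(ip):      # hypothetical resolver hook; KeyError = no PTR
    return PTR[ip]

def forward_lookup(name):    # hypothetical resolver hook; KeyError = NXDOMAIN
    return A[name]

def confirmed_hostname(client_ip, reverse=reverse_lookup, forward=forward_lookup):
    """Return the PTR name only if its forward lookup maps back to client_ip."""
    ip = ipaddress.ip_address(client_ip)
    try:
        name = reverse(client_ip).rstrip(".").lower()
        addrs = forward(name)
    except (LookupError, OSError):
        return None          # unresolvable in either direction: unverified
    for addr in addrs:
        try:
            if ipaddress.ip_address(addr) == ip:
                return name
        except ValueError:
            continue         # skip malformed address records
    return None

def domain_filter_matches(client_ip, domain):
    """Assumed filter semantics: the exact name or any sub-domain of `domain`."""
    name = confirmed_hostname(client_ip)
    if name is None:
        return False         # never match on a name the forward zone disowns
    domain = domain.strip(".").lower()
    # Compare on a label boundary so "evilcorp.example" != "corp.example".
    return name == domain or name.endswith("." + domain)

if __name__ == "__main__":
    for ip in PTR:
        print(ip, confirmed_hostname(ip), domain_filter_matches(ip, "corp.example"))
```

The reverse zone belongs to whoever controls the address block, so a
PTR name on its own says nothing about who is connecting; only a name
whose forward records include the connecting address is trusted here.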