The main purpose of Tectia Client/Server/ConnectSecure 6.2 release is to add support for SHA-2 family of cryptographic algorithms.
The key new features in release 6.2 are:
These features are described in more detail below.
Support for SHA-2 has been added to the Secure Shell protocol. This affects key-exchange algorithms (KEX), MACs, and digital signatures used in public-key authentication, including host keys and X.509 certificates. SHA-2 refers to the family of hash functions (SHA-224, SHA-256, SHA-384, SHA-512) as defined in FIPS PUB 180-3.
As a result, the following new configuration options have been added in ssh-broker-config.xml:
<kexs /> <hostkey-algorithms /> <auth-publickey signature-algorithms="" />
The following new configuration options have been added in ssh-server-config.xml:
<settings signature-algorithms="" /> <kex name=""/> <hostkey-algorithm name=""/>
In addition, related to the introduction of SHA-2, the following algorithms have been dropped from the default ciphers and MACs:
email@example.com hmac-md5 hmac-md5-96
OpenSSL Crypto Library
When run in FIPS 140-2 mode, Tectia Client and Server use the OpenSSL FIPS-certified crypto library for ciphers, MACs and key-exchange algorithms instead of the Tectia proprietary crypto library. Tectia crypto library is used when Tectia Client and Server are run in standard (non-FIPS) mode.
The OpenSSL FIPS-certified library is not used on IBM z/OS or IBM Linux on IBM System z. For more information about the use of OpenSSL FIPS crypto library, see Tectia Client/Server Product Description.
The stability of Tectia Client and Server have been improved through various code changes, most of them "under the hood". The most visible of these changes are:
Improvements in Client and ConnectSecure
Added functionality to ssh-broker-ctl that helps in troubleshooting and controlling of Tectia Client.
The Connection Broker startup procedure was simplified and unified resulting in improved stability.
Graphical status monitoring tool (ssh-broker-gui) was separated from the main Connection Broker process, resulting in improved stability.
For more information, see Tectia Client User Manual.
Improvements in Server
ssh-server-ctl replaces ssh-server-config-tool.
ssh-server-config-tool binary still exists, but it is a direct copy from ssh-server-ctl (the tool modifies its behavior slightly when executed with the different name).
New troubleshooting commands in ssh-server-ctl:
For more information, see Tectia Server Administration Manual.
On Unix, a new configuration option <servant-lifetime total-connections="NUM" /> allows limiting the number of connections each servant process will handle.
For more information, see Tectia Server Administrator Manual.
Changes in OS Support and Third-Party Component Support
Added support for:
Dropped support for:
Tectia no longer distributes the package ssh-tectia-client-ft-only.
Tectia Name Change
SSH Communications Security Corp. changed its name to Tectia Corporation in April 2010. Starting from release 6.2.0, also the product names have been changed from "SSH Tectia" to "Tectia". The change should not affect any functionality. Binary names have not changed, but the installed product name and the version string have changed.---------
answered Jun 20 '11 at 14:28
SSH KB ♦