MultiNet V5.6 Release Notes

August 2020

This document contains a list of new features and bug fixes that have been made since MultiNet V5.5.

Revision/Update Information: This document supersedes the MultiNet V5.5-A Release Notes

Unpublished - all rights reserved under the copyright laws of the United States

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means electronic, mechanical, magnetic, optical, or otherwise without the prior written permission of:

    Process Software, LLC
    959 Concord Street
    Framingham, MA 01701-4682 USA
    Voice: +1 508 879 6994; FAX: +1 508 879 0042
    info@process.com

Process Software, LLC ("Process") makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Process Software reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of Process Software to notify any person of such revision or changes.

o Alpha AXP, AXP, MicroVAX, OpenVMS, VAX, VAX Notes, VMScluster, and VMS are registered trademarks of Hewlett-Packard Corporation.

o Kerberos. Copyright © 1989, DES.C and PCBC_ENCRYPT.C Copyright © 1985, 1986, 1987, 1988 by Massachusetts Institute of Technology. Export of this software from the United States of America is assumed to require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.
  WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

o MultiNet is a registered trademark of Process Software.

o This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)

o Secure Shell (SSH). Copyright © 2000. This License agreement, including the Exhibits (Agreement), effective as of the latter date of execution (Effective Date), is hereby made by and between Data Fellows, Inc., a California corporation, having principal offices at 675 N. First Street, 8th floor, San Jose, CA 95112170 (Data Fellows) and Process Software, LLC, having a place of business at 959 Concord Street, Framingham, MA 01701 (OEM).

o TCPware is a registered trademark of Process Software.

o UNIX is a trademark of UNIX System Laboratories, Inc.

o All other trademarks, service marks, registered trademarks, or registered service marks mentioned in this document are the property of their respective holders.

o Copyright ©1997, 1998, 1999, 2000 Process Software Corporation. All rights reserved. Printed in USA.

o Copyright ©2000, 2001, 2002, 2004 Process Software, LLC. All rights reserved. Printed in USA.
o If the examples of URLs, domain names, internet addresses, and web sites we use in this documentation reflect any that actually exist, it is not intentional and should not be considered an endorsement, approval, or recommendation of the actual site, or any products or services located at any such site by Process Software. Any resemblance or duplication is strictly coincidental.

________________________________________________________________
Contents

CHAPTER 1  INTRODUCTION
    1.1   TYPOGRAPHICAL CONVENTIONS
    1.2   OBTAINING TECHNICAL SUPPORT
          1.2.1  Before Contacting Technical Support
          1.2.2  Sending Electronic Mail
          1.2.3  Calling Technical Support
          1.2.4  Contacting Technical Support by Fax
    1.3   OBTAINING ONLINE HELP
    1.4   MULTINET FREQUENTLY ASKED QUESTIONS (FAQS) LIST
    1.5   ACCESSING THE MULTINET PUBLIC MAILING LIST
    1.6   PROCESS SOFTWARE WORLD WIDE WEB SERVER
    1.7   OBTAINING SOFTWARE PATCHES OVER THE INTERNET
    1.8   DOCUMENTATION COMMENTS
    1.9   CD-ROM CONTENTS
          1.9.1  Online Documentation
    1.10  NOTE CONCERNING KERBEROS V5
    1.11  NOTE CONCERNING SSH
    1.12  NOTE: CONCERNING SSH SESSIONS

CHAPTER 2  CHANGES, FIXES, AND ENHANCEMENTS
    2.1   MULTINET V5.6 INSTALLATION NOTE
    2.2   USING MULTINET FOR AN OPENVMS CLUSTER INTERCONNECT
          2.2.1  Troubleshooting
    2.3   PTPV2
    2.4   OPENSSL
    2.5   SSH2
          2.5.1  SSH2 Enhancements
          2.5.2  SSH2 bug fixes
    2.6   KERNEL
          2.6.1  Enhancements
          2.6.2  Bug fixes
    2.7   NTP
          2.7.1  Enhancements
          2.7.2  Bug fixes
    2.8   NAMED
          2.8.1  Enhancements
          2.8.2  Bug fixes
    2.9   TFTP
          2.9.1  Enhancements
    2.10  FTP
          2.10.1 Enhancements
          2.10.2 Bug fixes
    2.11  SFTP
          2.11.1 Bug fixes
    2.12  NFSV3
    2.13  R_SERVICES
    2.14  MASTER SERVER
          2.14.1 Bug fixes
    2.15  MULTINET_SET_INTERFACE
          2.15.1 Bug fixes
    2.16  TCPDUMP
          2.16.1 Bug fixes
    2.17  UCXDRIVER
          2.17.1 Bug fixes
    2.18  UCX_LIBRARY_EMULATION
          2.18.1 Bug fixes

CHAPTER 3  DOCUMENTATION UPDATES

CHAPTER 4  KNOWN BUGS/ISSUES
    4.1   NFSV3
    4.2   DNSSEC
    4.3   R_SERVICES

TABLES
    1-1   Typographical Conventions
    1-2   System Information

_______________________________________________________
1 Introduction

These Release Notes describe the changes and enhancements made to the MultiNet product in version 5.6. This chapter describes conventions used in the MultiNet documentation set and the various methods to contact and receive technical support.

o For information about product changes and enhancements in the MultiNet V5.6 MultiNet Consolidated Distribution, refer to Chapter 2 of these Release Notes.

o For information about changes to the documentation set, refer to Chapter 3 of these Release Notes.

__________________________________________________________
1.1 Typographical Conventions

Examples in these Release Notes use the following conventions:

Table 1-1 Typographical Conventions
________________________________________________________________
Convention        Example        Meaning
________________________________________________________________
Angle brackets                   Represents a key on your
                                 keyboard.

Angle brackets                   Indicates that you hold down
with a slash                     the key labeled or while
                                 simultaneously pressing another
                                 key; in this example, the A key.

Square brackets   [FULL]         Indicates optional choices; you
                                 can enter none of the choices,
                                 or as many as you like. When
                                 shown as part of an example,
                                 square brackets are actual
                                 characters you should type.

Underscore or     file_name or   Between words in commands,
hyphen            file-name      indicates the item is a single
                                 element.
________________________________________________________________

__________________________________________________________
1.2 Obtaining Technical Support

Process Software provides technical support if you have a current Maintenance Service Agreement. If you obtained MultiNet from an authorized distributor or partner, you receive your technical support directly from them.

You can contact Technical Support by:

o Sending electronic mail (Section 1.2.2)
o Calling Technical Support (Section 1.2.3)
o Faxing a description of your problem to the Technical Support Group (Section 1.2.4)

_____________________________
1.2.1 Before Contacting Technical Support

Before you call, or send email or a fax:

1 Verify that your Maintenance Service Agreement is current.

2 Read the online Release Notes completely.

3 Have the following information available:
  o Your name
  o Your company name
  o Your email address
  o Your voice and fax telephone numbers
  o Your Maintenance Contract Number
  o OpenVMS architecture
  o OpenVMS version
  o MultiNet layered products and versions

4 Have complete information about your configuration, error messages that appeared, and problem specifics.

5 Be prepared to let a development engineer connect to your system, either with TELNET or by dialing in using a modem. Be prepared to give the engineer access to a privileged account to diagnose your problem.

You can obtain information about your OpenVMS architecture, OpenVMS version, MultiNet version, and layered products with the MULTINET SHOW /LICENSE command. Execute the following command on a fully loaded system and email the output to support@process.com:

    $ MULTINET SHOW /LICENSE
    PSC MultiNet 5.6 Rev A, AlphaServer DS20E 67/667, OpenVMS AXP V8.4-2L1

In this example:

    The machine or system architecture is AXP.
    The OpenVMS version is V8.4-2L1.
    The MultiNet version is V5.6.

Use the following table as a template to record the relevant information about your system:

Table 1-2 System Information
________________________________________________________________
Required Information                    Your System Information
________________________________________________________________
Your name
Company name
Your email address
Your voice and fax telephone numbers
System architecture VAX or Alpha
OpenVMS version
MultiNet version
________________________________________________________________

Please provide information about installed MultiNet applications and patch kits, by sending a copy of MULTINET:MULTINET_VERSION.; file.

_____________________________
1.2.2 Sending Electronic Mail

For many questions, electronic mail is the preferred communication method. Technical Support via electronic mail is available to customers with a current support contract. Send electronic mail to support@process.com.

At the beginning of your mail message, include the information listed in Section 1.2.1. Continue with the description of your situation and problem specifics. Include all relevant information to help your Technical Support Specialist process and track your electronic support request.

Electronic mail is answered within the desired goal of two hours, during our normal business hours, Monday through Friday from 8:30 a.m. to 5:00 p.m., United States Eastern Time.

_____________________________
1.2.3 Calling Technical Support

For regular support issues, call 800-394-8700 or 508-628-5074 for support Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

For our customers in North America with critical problems, an option for support 7 days per week, 24 hours per day is available at an additional charge. Please contact your Account Representative for further details.

Before calling, have available the information described in Section 1.2.1. When you call, you will be connected to a Technical Support Specialist.

Be prepared to discuss problem specifics with your Technical Support Specialist and to let that person connect to your system.

If our Support Specialists are assisting other customers and you are put on hold, please stay on the line. Most calls are answered in less than five minutes. If you cannot wait for a Specialist to take your call, please take advantage of our automatic call logging feature by sending email to support@process.com (see the Section on Sending Electronic Mail).

_____________________________
1.2.4 Contacting Technical Support by Fax

You can send transmissions directly to Technical Support at 508-879-0042.

Before faxing comments or questions, complete the steps in Section 1.2.1 and include all your system information at the beginning of your fax message. Continue with the description of your situation and problem specifics. Include all relevant information to help your Technical Support Specialist process and track your fax support request.

Faxed questions are answered Monday through Friday from 8:30 a.m. to 7:00 p.m., United States Eastern Time.

__________________________________________________________
1.3 Obtaining Online Help

Extensive information about MultiNet is provided in the MultiNet help library.
For more information, enter the following command:

    $ HELP MULTINET

__________________________________________________________
1.4 MultiNet Frequently Asked Questions (FAQs) List

You can obtain an updated list of frequently asked questions (FAQs) and answers about MultiNet from the Process Software MultiNet home page located at http://www.process.com/techsupport/multinet_faqs.html.

__________________________________________________________
1.5 Accessing the MultiNet Public Mailing List

Process Software maintains two public mailing lists for MultiNet customers:

o Info-MultiNet@process.com
o MultiNet-Announce@process.com

The Info-MultiNet@process.com mailing list is a forum for discussion among MultiNet system managers and programmers. Questions and problems regarding MultiNet can be posted for a response by any of the subscribers. To subscribe to Info-MultiNet, send a mail message with the word SUBSCRIBE in the body to Info-MultiNet-request@process.com.

The information exchanged over Info-MultiNet is also available via the USENET newsgroup vmsnet.networks.tcp-ip.multinet.

You can retrieve the Info-MultiNet archives by anonymous FTP to ftp.multinet.process.com. The archives are located in the directory [MAIL_ARCHIVES.INFO-MULTINET].

The MultiNet-Announce@process.com mailing list is a one-way communication (from Process Software to you) used to post announcements relating to MultiNet (patch releases, product releases, etc.). To subscribe to MultiNet-Announce, send a mail message with the word SUBSCRIBE in the body to MultiNet-Announce-request@process.com.

__________________________________________________________
1.6 Process Software World Wide Web Server

Electronic support is provided through the Process Software web site which you can access with any World Wide Web browser; the URL is http://www.process.com (select MultiNet) or use the URL http://www.process.com/techsupport/multinet.html

__________________________________________________________
1.7 Obtaining Software Patches over the Internet

Process Software provides software patches in save set and ZIP format on its anonymous FTP server, ftp.multinet.process.com. For the location of software patches, read the .WELCOME file in the top-level anonymous directory. This file refers you to the directories containing software patches.

To retrieve a software patch, enter the following commands:

    $ MULTINET FTP/USERNAME=ANONYMOUS/PASSWORD="emailaddress" -
    _$ FTP.MULTINET.PROCESS.COM

A message welcoming you to the Process Software FTP directory appears next followed by the FTP prompt. Enter the following at the FTP prompt:

    FTP.MULTINET.PROCESS.COM>CD [.PATCHES.MULTINETxxx]
    FTP.MULTINET.PROCESS.COM>GET update_filename

In these commands:

    emailaddress      is your email address in the standard user@host format
    xxx               is the version of MultiNet you want to transfer
    update_filename   is the name of the file you want to transfer

To transfer files from Process Software directly to an OpenVMS system, you can use the GET command without any other FTP commands. However, if you need to transfer a software patch through an intermediate non-OpenVMS system, use BINARY mode to transfer the files to and from that system.

In addition, if you are retrieving the software patch in save set format, make sure the save set record size is 2048 bytes when you transfer the file from the intermediate system to your OpenVMS system.

o If you use the GET command to download the file size from the intermediate system, use the FTP RECORD-SIZE 2048 command before transferring the file.

o If you use the PUT command to upload the file to your OpenVMS system, log into the intermediate system and use the FTP quote site rms recsize 2048 command before transferring the file.

Process Software also supplies UNZIP utilities for OpenVMS VAX, Alpha, and IA64 for decompressing ZIP archives in the [PATCHES] directory. To use ZIP format kits, you need a copy of the UNZIP utility.

The following example shows how to use the UNZIP utility, assuming you have copied the appropriate version of UNZIP.EXE to your current default directory:

    $ UNZIP := $SYS$DISK:[]UNZIP.EXE
    $ UNZIP filename.ZIP

Use VMSINSTAL to upgrade your MultiNet system with the software patch.

__________________________________________________________
1.8 Documentation Comments

Your comments about the information in these Release Notes can help us improve the documentation. If you have corrections or suggestions for improvement, please let us know.

Be as specific as possible about your comments: include the exact title of the document, version, date, and page references as appropriate. You can send your comments by email to techpubs@process.com or mail them to:

    Process Software
    959 Concord Street
    Framingham, MA 01701-4682
    Attention: Marketing Director

You can also fax your comments to us at 508-879-0042.

Your comments about our documentation are appreciated.

__________________________________________________________
1.9 CD-ROM Contents

The directory structure on the CD is as follows:

    [MULTINET054]       MultiNet Kit for VAX and Alpha systems
    [MULTINET_I64054]   MultiNet Kit for Integrity Systems
    [Documentation]     PDF format (.pdf) Release Notes
    [BIND9-DOC]
    [VAX55-DECC-RTL]

_____________________________
1.9.1 Online Documentation

The MultiNet documentation is no longer supplied as part of the VMSINSTAL kit, nor is it included on the product CD. To view the online MultiNet documentation, visit:

    http://www.process.com/products/multinet/

The Release Notes are available on the product CD in text format.

__________________________________________________________
1.10 Note Concerning Kerberos V5

MultiNet now supports Kerberos V5 for SSH and Telnet (Alpha and Integrity only). Kerberos V5 requires Kerberos for HP OpenVMS. VMS V8 systems are distributed with Kerberos V5, and pre-V8 systems (OpenVMS VAX V7.3 and OpenVMS AXP v7.2-3, 7.3-*) can download Kerberos V5 from the HP website. The Kerberos V5 applications can also run with any Kerberos V5 compliant Key Distribution Center (KDC) software.

__________________________________________________________
1.11 Note Concerning SSH

You must install the DEC C 6.0 backport library on all OpenVMS VAX v5.5-2 and v6.0 systems prior to using SSH. This is the AACRT060.A file. You can find the ECO on the MultiNet CD in the following directory: VAX55_DECC_RTL.DIR.

__________________________________________________________
1.12 Note: Concerning SSH Sessions

For each active SSH session, two (2) channels are used. Please adjust the CHANNELCNT parameter to account for this usage.

_______________________________________________________
2 Changes, Fixes, and Enhancements

This chapter describes the changes and enhancements made for MultiNet V5.6.

__________________________________________________________
2.1 MultiNet V5.6 Installation Note

MultiNet V5.6 installations may only be performed from a random-access device (e.g., disk or CD-ROM). If the MultiNet V5.6 installation is attempted from a sequential-access device (e.g., magtape or TKxx cartridge), the installation will fail. If the distribution savesets have been copied to a sequential-access device (for transporting them, for example), they must be copied to a disk for installation.

On VMS V8.4, the following logical definition will prevent VMSINSTAL from attempting to validate the kit and prompting as to whether or not installation should proceed even though the kit is not signed:

    $ define/job VMI$VALIDATE_KIT NO

__________________________________________________________
2.2 Using MultiNet for an OpenVMS Cluster Interconnect

MultiNet V5.6 can be used to provide transport services for an OpenVMS IP cluster on Integrity systems running VMS V8.4. Users of this feature should first familiarize themselves with the section on Cluster over IP in the OpenVMS Guidelines for Cluster Configurations manual. Complete directions can be found in Chapter 34 of the MultiNet Installation & Administrator's Guide.

To set up MultiNet to be used with the IP cluster, follow the steps below:

1 Configure TCP/IP Services with the same set of interfaces and default routes as MultiNet will use. Though this is an inconvenience, the OpenVMS cluster configuration command procedure that HP provides requires TCP/IP Services for configuration.
  o SYS$SYSROOT:[SYSEXE]TCPIP$CLUSTER.DAT
  o SYS$SYSTEM:PE$IP_CONFIG.DAT

2 Execute MULTINET:SET_MULTINET_IP_CLUSTER.COM with the parameter INITIAL to enter the MultiNet files in the correct directories for VMS to find at boot time.

3 Use SYSGEN to set the system parameter NISCS_USE_UDP to 1.

4 Reboot the system so that MultiNet will be used for IP Cluster communication. After the reboot is complete, use the standard MultiNet startup procedure to finish starting MultiNet.

_____________________________
2.2.1 Troubleshooting

The following set of commands will verify that the MultiNet configuration and the IP cluster configuration agree. Any differences encountered will be displayed.

    $ MultiNet Configure/Network
    MultiNet Network Configuration Utility T5.6(109)
    [Reading in configuration from MULTINET:NETWORK_DEVICES.CONFIGURATION]
    NET-CONFIG>check

If the MultiNet "KRNNOTFOUND failed to locate MultiNet kernel" message is displayed while attempting to start MultiNet and the BG device exists, then the most likely problem is that TCP/IP Services is being used instead of MultiNet. Use the MULTINET:SET_MULTINET_IP_CLUSTER.COM procedure to make sure that the MultiNet files are in the correct places.

__________________________________________________________
2.3 PTPv2

o PTPv2 is available on Alpha (V7 and V8) and ia64 systems. PTP works with time sources on a local network to synchronize when the clock ticks. MultiNet timestamps received packets so that transit time inside MultiNet can be measured. The PTP implementation does NOT manage daylight saving time on the system. If your system uses daylight saving time, then you need to continue to use NTP. PTP and NTP can be used on a system concurrently. PTP also will be notified when the system changes the time zone if AUTO_DLIGHT_SAV is used on VMS V8.

__________________________________________________________
2.4 OpenSSL

o OpenSSL 1.0.2T on Alpha and IA64 is now used with FTP, NTP, NAMED and for SSH2 Suite B support.

__________________________________________________________
2.5 SSH2

_____________________________
2.5.1 SSH2 Enhancements

o Suite B support on Alpha and ia64 (RFC 6329, 5656, 5647, 6668), Group Exchange Key Exchange (RFC 4419), Support for X509v3-rsa2048-sha256 certificates for host key exchange (RFC 6187), key exchange update to support diffie-hellman-group14-sha256 (RFC 8268). Suite B includes:

  o Elliptic curve Diffie-Hellman (ECDH) key agreement [RFC 5656]

  o Curves: nistp256, nistp384, nistp521

    The curve chosen will be sufficient to support the hash for the host keys involved. This means that if the host key is ECDSA-nistp521, only the nistp521 curve will be available, an ECDSA-nistp384 key will have nistp384 and nistp521 available, and ECDSA-nistp256 will have nistp256, nistp384 and nistp521 available.

  o Elliptic curve digital signature algorithm (ECDSA) [RFC 5656]. Public keys are written in a format close to what is used by OpenSSH and OpenSSH public keys can be read as is. The "Subject" and "Comment" lines in the key may need to be removed to make the keys readable by OpenSSH. The curves supported are: nistp256, nistp384, nistp521

  o Advanced Encryption Standard running in Galois/Counter Mode (AES-GCM) [RFC 5647], as modified by OpenSSH to resolve a potential ambiguity as the encryption and message authentication are both provided by a single algorithm. In this case the ciphers are named: aes128-gcm@openssh.com, aes256-gcm@openssh.com

  o New MACs: SHA-256, SHA-384 and SHA-512 [RFC 6668]. These can be used with any ciphers, except the gcm ciphers, which provide both encryption and MAC functionality.
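
The curve rule and the GCM/MAC rule above, worked through a simplified SSH algorithm negotiation (the first name on the client's list that the server also offers). This is an added example, not MultiNet code: the function names, the client and server lists, and the assumption that non-ECDH key exchanges are unaffected by the curve rule are all assumptions made for illustration.

```python
# Added illustration; names and lists here are assumptions, not MultiNet code.
CURVES = ["nistp256", "nistp384", "nistp521"]   # weakest to strongest
GCM_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}


class NoCommonAlgorithm(Exception):
    """Raised when the client and server lists share no algorithm."""


def curves_for_host_key(host_key_alg):
    """Curves left available for an ECDSA host key, per the rule above:
    the host key's own curve and every stronger one."""
    curve = host_key_alg.rsplit("-", 1)[-1]      # ecdsa-sha2-nistp384 -> nistp384
    if not host_key_alg.startswith("ecdsa-sha2-") or curve not in CURVES:
        raise ValueError(f"not an ECDSA host key algorithm: {host_key_alg}")
    return CURVES[CURVES.index(curve):]


def server_kex_list(host_key_alg, other_kex):
    """ECDH methods allowed by the host key, followed by non-ECDH methods.
    Assumption: non-ECDH key exchanges are not restricted by the curve rule."""
    ecdh = [f"ecdh-sha2-{c}" for c in curves_for_host_key(host_key_alg)]
    return ecdh + list(other_kex)


def first_match(kind, client_list, server_list):
    """Simplified RFC 4253 selection: first client name the server also has."""
    for name in client_list:
        if name in server_list:
            return name
    raise NoCommonAlgorithm(
        f"no common {kind}: client {client_list}, server {server_list}")


def negotiate(client, server):
    """Pick kex, cipher and MAC for one direction of a session."""
    kex = first_match("kex", client["kex"],
                      server_kex_list(server["host_key"], server["other_kex"]))
    cipher = first_match("cipher", client["ciphers"], server["ciphers"])
    # The GCM ciphers authenticate as well as encrypt, so no MAC is selected.
    mac = None if cipher in GCM_CIPHERS else first_match(
        "mac", client["macs"], server["macs"])
    return {"kex": kex, "cipher": cipher, "mac": mac}


# Constructed server and client proposals (not taken from any real system).
SERVER_P384 = {
    "host_key": "ecdsa-sha2-nistp384",
    "other_kex": ["diffie-hellman-group-exchange-sha256",
                  "diffie-hellman-group14-sha256"],
    "ciphers": ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr"],
    "macs": ["hmac-sha2-512", "hmac-sha2-256"],
}
CLIENT_MODERN = {
    "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
            "diffie-hellman-group14-sha256"],
    "ciphers": ["aes128-gcm@openssh.com", "aes256-ctr"],
    "macs": ["hmac-sha2-256", "hmac-sha2-512"],
}
CLIENT_CTR = {
    "kex": ["diffie-hellman-group14-sha256"],
    "ciphers": ["aes256-ctr"],
    "macs": ["hmac-sha2-256", "hmac-sha2-512"],
}
CLIENT_P256_ONLY = {
    "kex": ["ecdh-sha2-nistp256"],
    "ciphers": ["aes256-ctr"],
    "macs": ["hmac-sha2-256"],
}

if __name__ == "__main__":
    for label, client in [("modern", CLIENT_MODERN), ("ctr", CLIENT_CTR),
                          ("p256-only", CLIENT_P256_ONLY)]:
        try:
            print(label, negotiate(client, SERVER_P384))
        except NoCommonAlgorithm as exc:
            print(label, "FAILED:", exc)
```

A client restricted to ecdh-sha2-nistp256 fails against the nistp384 host key here, which is the interoperability case to check before replacing a host key with one on a larger curve.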

o Modifications to SSHD2 such that it can read unencrypted certificate keys for system authentication with certificates without having to process the keys and certificates with the certificate utilities.

_____________________________
2.5.2 SSH2 bug fixes

o Recognize that WS_FTP-12.7 does not like IGNORE messages while doing Group Exchange Key Exchange.

o Correct an error in the input sensing code that could cause delays.

o If the logical SSH_STEP_THROUGH_RADIUS_ADDRESSES is defined to True/Yes/1 then each attempt to do authentication via the radius server will use a different returned address when the DNS lookup returns multiple addresses, instead of just trying the first address. This provides additional failover capability if the DNS lookup of the radius host always returns the addresses in the same order. If the DNS lookup does a round-robin of the addresses, then the traditional behavior will provide failover capability.

o Added configuration variable RadiusTimeout to allow site configuration of Radius Timeout value. The default value is 3 seconds.

o When the logical MULTINET_SSH_RADIUS_TRUNCATE_USERNAME is defined in the system logical name table, usernames will be truncated before any underscore (_) present in the name before attempting RADIUS password authentication.

o Add connection timeout routine to SSH-AGENT2 to deal with dangling connections that lead to consumption of bytlm and correct some memory leaks which could cause problems with heavy usage.

o Correct a problem with passwords that are 32 characters long.

o Correct a data structure alignment issue in the I/O module to improve performance.

o Correct attempts to open /dev/random and /dev/urandom that can cause problems on systems that have a logical for dev defined.

o Modification of SSHD2 to support LOAD_PWD_POLICY and VMS$PASSWORD_POLICY callouts with PWDMIX on systems that support PWDMIX.
  Note that the VMS$PASSWORD_POLICY callouts must NOT write to SYS$OUTPUT or attempt to read from SYS$INPUT as these channels are used for network communication and doing so will cause problems. Writes to SYS$ERROR will appear in the SSH_LOG:SSHD.LOG for the session.

o Modification of SSHD2 to prevent CAPTIVE or RESTRICTED usernames from creating tunnels.

o Modification of SSHD_MASTER to allow for control of the timeout of the connection id with the logical MULTINET_SSH_CONNECT_ID_TIMEOUT. This logical should be defined to a VMS delta time before SSH is started. Modification requires restarting of SSH to take effect. If the logical is not defined, or not a VMS delta time, then the default value of 1 minute (0 00:01:00.0) is used.

o Fix a channel leak in SSHD_MASTER.

__________________________________________________________
2.6 Kernel

_____________________________
2.6.1 Enhancements

o Performance improvements that reduce data structure scanning and eliminate periodic TCP socket scanning.

_____________________________
2.6.2 Bug fixes

o Change check for binding to a specific port with a wild card address when multiple requests have been made.

o Change a section of code that can sometimes fail to get memory from MultiNet's pool on VMS V8 systems (ia64 and Alpha) to allocate directly from VMS non-paged pool.

o Correct an error in calculating the size of TCP packets that could lead to packets larger than the destination can accept in certain cases.

o Correct the interpretation of KEEPINVTL and KEEPINIT when coming from an application. The code was assuming that they were in half seconds, but the documentation says that they are expressed in seconds.

o Correct a problem that can cause a crash when manipulating interface filters.

o Correct a problem with retransmits that resulted in a full sized packet followed by a short packet.

o Correct a problem with writes to the BG device when the socket buffer becomes full.

o On ia64 systems let the VMS driver decide if the packet is less than the minimum size and should be padded. The adjustment that was being made in MultiNet was causing problems on some configurations.

o Do not allow the TCP maximum segment size to be set to less than the minimum path mtu size as it can cause a crash.

o Correct a length calculation problem with TCP packets that can cause too large packets to be sent, which are then not received or ignored by the destination.

o Correct a potential memory corruption that can result in a crash. Add code to the routine that frees the socket data structure to clear the pointer from the device UCB to the socket data structure.

__________________________________________________________
2.7 NTP

_____________________________
2.7.1 Enhancements

o Updated to 4.2.8p15 from NTP.ORG; this includes corrections for all CVEs as of June 23, 2020. Informs PTP if there is a daylight saving time change.

_____________________________
2.7.2 Bug fixes

o Correct a problem where NTPD running on a system that does not observe daylight saving time goes compute bound.

o Add some messages when the system is unable to synchronize the time with any servers and servers are reachable stating that the accuracy is poor and displaying variables. Note that these messages may occasionally occur in configurations that eventually select a good clock. Currently there is nothing to limit messages so the log file could grow. The minimum time between polling (and hence messages) is typically about 1 minute.

o More work on name resolution, particularly for when the name is a CNAME that does not specify the address family in the configuration file.

o Correct a potential page fault with high IPL that can cause a system crash.
o Correct an error in handling the WAYTOOBIG configuration parameter that can cause NTPD to always step the clock and not be useful as a server.
o Correct a problem with using system specific time zone rules that can cause problems when entering daylight saving time.
o This implementation of NTPD has not had sufficient testing of the SLEW_ALWAYS configuration addition.
o Reduce "Unexpected origin timestamp" messages.
o Restore message about SLEW_ALWAYS being used.
o Correct a few more instances where address values could overflow the space available.
o Restore parsing of DISABLE OPCOM.
o Correct an error that can cause stack corruption when servers with IPv6 addresses are used. On Alpha systems this can cause NTPD to be compute bound.
o Correct an error in the computation of the completion time for the "fall back" change from daylight saving time to standard time. The error may cause the time to "fall back" more than once, resulting in the wrong time.
o Provide the NTPDATE image, which was not included in MultiNet 5.5. NTPDATE is available for all architectures and observes the system time zone.
o Improve recognition of ; as comment character.

2.8 NAMED

2.8.1 Enhancements

o Updated to BIND 9.11.21 from isc.org; this is the current extended support version and includes corrections for CVEs through July 2020.

2.8.2 Bug fixes

o Modifications to DNS cluster management: If two (or more) systems attempt to advertise at the same time, then at least one of them will not recognize the other's attempt. Since systems tend to keep accurate time (due to NTP), these systems will tend to stay synchronized and continue to not notice each other. To reduce the chance that systems will stay synchronized, some "salt" is now added to the advertising interval.
This problem can also be avoided by defining MULTINET_CLUSTER_SERVICE_ADVERTISEMENT_INTERVAL to slightly different values on each system and defining MULTINET_CLUSTER_SERVICE_TIMER_INTERVAL to a smaller interval so that multiple systems don't continue to attempt to advertise at the same time. Each of these logicals takes a VMS delta time as its value. Multicast communication is now disabled by default.
o Modifications to DNS cluster member notification to delay if another member is currently in the notification process.
o Additional error checking and reporting in DNS cluster code to help investigate missing nodes.
o Added exit handler to make sure that DNS cluster locks are released upon exit. Added logical MULTINET_CLUSTER_WAIT_COUNT that can reduce the amount of time the first member of the cluster spends in the discovery loop. Other improvements to the DNS cluster service.
o Modifications to DNS cluster name support routines to make sure that ASTs are disabled while pointers are manipulated.
o Note that the address parsing code has become more strict. In the past an address such as 127.0.0.1/8 would be accepted; now this will generate an error and it will need to be changed to 127.0.0.0/8.
o Add support for DNSSEC-KEYGEN algorithms ECDSAP256SHA256 and ECDSAP384SHA384 on Alpha and ia64 systems.
o Improve error reporting in code to load crypto routines and cluster code to get some information on some rare conditions.
o Modification to accept routine to limit the number of times it will retry after "soft" errors. Also add logging for the soft errors, so that they can be better understood in the future.
o Correct a problem with verifying DNSSEC file names that caused DNSSEC to not work. While investigating this problem it was also discovered that use of the DIRECTORY option would cause problems for the support for DNSSEC with DNS clusters (NAMED-060_A054).
It is possible that use of the KEY-DIRECTORY, MANAGED-KEYS-DIRECTORY, SESSION-KEYFILE, and SESSION-KEYNAME options could have problems with the DIRECTORY option.
o Correct a problem with reload when the 'directory' keyword has been used in the configuration file.

2.9 TFTP

2.9.1 Enhancements

o RFC 1123 compliance (elimination of Sorcerer's Apprentice Syndrome) in the server.
o RFC 2348 support for transfer size and timeout.

2.10 FTP

2.10.1 Enhancements

o TLSv1.2 is now the default for FTPS on Alpha and IA64 systems.

2.10.2 Bug fixes

o Correct a build problem where the wrong SSL libraries were referenced, which will cause problems when using TLS.
o Correct a memory management error in TLS handling.
o Correct a problem with mailboxes and logical names not being cleaned up when using FTP over TLS.
o Improve SSL error reporting in FTP_SERVER.
o Miscellaneous other fixes for problems encountered when using TLS. Improve connect error messages on Integrity systems. Correct problem with LS when in +VMS+ mode. Correct a hang on connecting with TLS and not getting the desired certificates. Correct a misleading error message.
o Correct a kit assembly problem for FTPS_CONTROLLER on ia64.
o Allow TLS PBSZ and PROT to be specified before user authentication.
o Improve security for FTPS (FTP over TLS) for Alpha and ia64 to use TLSv1.2 and stronger ciphers by default. This can be disabled by defining the logicals:

    $ DEFINE/SYSTEM MULTINET_FTP_SERVER_USE_ALL_CIPHERS TRUE
    $ DEFINE/SYSTEM MULTINET_FTP_SERVER_ALLOW_TLSV1 TRUE

o Correct various problems when using FTP over TLS with non-passive mode data connections.
o Change the way that a fixed length record file with no carriage control is opened for ASCII transfers so that it is the same whether it has an odd or even number of bytes in the record and that the MULTINET_FTP_SEMANTICS_FIXED_IGNORE_CC logical works the same.
o Correct a problem with UNIX style output and file processing not being preserved after an NLST command.
o Improve error reporting on ia64 systems.
o Only have FTP negotiate +VMS+ mode if the logical MULTINET_FTP_CLIENT_NEGOTIATE_VMS_PLUS is defined to True, Yes or 1.
o Have FTP recognize errno of zero on read with negative return as EOF.
o Change how a parameter to select is computed for when non-passive transfers are done so that the number is not too large on ia64 systems.
o Correct problems with client TLS connections.
o Make sure that files are opened with sharing when obtaining information for MLSD/MLST functions.
o Correct an error in the directory completed reply that will cause an accvio when MODE Z is used.
o Correct a problem with the FTP client and single line commands that can cause an unexpected exit after a bad response to the attempt to use SITE +VMS+.
o Correct a problem with the FTP_SERVER implementation of MLSD that can cause looping and large FTP server log files.

2.11 SFTP

2.11.1 Bug fixes

o Correct a problem with exchanging files with FileZilla.
o Allow a default file size to be specified with the logical MULTINET_SFTP_DEFAULT_SIZE for interacting with servers that don't return a file size.
o Change installation procedures such that the V7 SFTP2 and SCP2 Alpha images are only used for systems running VMS V7.2 and later. There have been some problems using the V7 images on earlier V7 VMS systems. The difference between the V6 and V7 images is large file and ODS-5 support, which is only in VMS V7.2 and later.
o Correct a problem in SFTP2 with LCD to a logical name.
o Correct a problem that can lead to dangling SFTP_SERVER processes.
o Fix some parsing problems in SSH_FXP_REALPATH.
o Improve CD operations in VMS mode when a logical is used as the target.
o Make SCP2, SFTP2 and SFTP-SERVER2 observe the setting of the MULTINET_SFTP_DEFAULT_FILE_TYPE_REGULAR at all points that files could be accessed.

2.12 NFSv3

o Numerous improvements and bug fixes.

2.13 R_Services

o Added intrusion reporting for login failures.

2.14 Master server

2.14.1 Bug fixes

o Clear allocated memory used for the DOMAINNAME SHOW command so that stale data does not show up in the output.
o Add some checking to some RPC calls to prevent possible process crashes.
o Increase the size of a temporary variable to prevent possible stack corruption and process or system crashes due to it.
o Correct a problem in parsing ACCEPT-HOSTS/REJECT-HOSTS and ACCEPT-NET/REJECT-NET where the length of the list would not be accurately maintained.
o Change the naming scheme of MULTINET_ROOT:[FTPS]FTPS.LOG to include the date in the filename so that it will be unlikely that it will hit version 32767 and cause problems.

2.15 MULTINET_SET_INTERFACE

2.15.1 Bug fixes

o Improve bounds checking when examining interface parameters.

2.16 TCPDUMP

2.16.1 Bug fixes

o Correct a possible ACCVIO.

2.17 UCXDRIVER

2.17.1 Bug fixes

o VMS Software reported that a customer reported that a zero length write returned SS$_BADPARAM, and TCP/IP Services returns SS$_NORMAL. I checked with the traditional UCXDRIVER and it looks like it would return SS$_NORMAL. So the code has been modified to return SS$_NORMAL for a zero length write.
o Correct an error in ACCEPT processing that can overwrite memory outside of what is specified for the sockaddr.
o Correct a potential crash.
o Correct some issues with freeing buffers that can cause memory consumption.
o Correct a problem for Alpha V7 and V8 and ia64 systems for programs writing from 64 bit address space.
o Correct an error in setting up buffers for a variety of write requests that are used by Apache that can cause a crash.
o Detect a bad address to prevent a crash.

2.18 UCX_LIBRARY_EMULATION

2.18.1 Bug fixes

o Correct a problem with the GETADDRINFO implementation that can overwrite other memory in certain situations. Make check for IPv6 interfaces recognize both types of address formats.
o Correct a problem with DNS resolver code that can act differently depending upon SSH debug level, and sometimes cause erroneous name lookups.
o Correct issues with the socketpair call when the address family requested is not AF_INET.

3 Documentation Updates

The documentation is no longer provided as part of the MultiNet V5.6 kit. To view the documents online or download PDF files, please visit: http://www.process.com/products/multinet/

4 Known Bugs/Issues

4.1 NFSv3

The following are known bugs and issues with MultiNet V5.6.
o If NFSv2 makes use of the NFS password file in its configuration, the convert_nfs utility does not convert the NFS password file into the NFSv3 proxy data.
o If NFSv2 makes use of a "-ro" mount restriction, the convert_nfs utility does not convert this into the correct read-only restriction in the NFS export database for the NFSv3 server.
o The NFSv3 server doesn't support the use of rooted logicals in the export database. If your NFSv2 configuration makes use of a rooted logical as an export, the convert_nfs utility does not translate this logical into a value that is usable in the NFSv3 server.
o Restarting the MultiNet master server from inside of

    $ multinet configure/server

  will cause the NFSv3 server to no longer be registered as an RPC program. After restarting the master server in this manner, you must restart NFSv3 to re-register it using

    $ multinet netcontrol nfsv3 restart

o $ multinet show/nfs does not display NFSv3 clients that have an export mounted.
o The NFSv3 server has a couple of performance issues that we are aware of and are working to resolve for the next beta.

4.2 DNSSEC

DNSSEC-KEYGEN on IA64 returns an openssl failure.

    $ dskg :== $multinet:dnssec-keygen
    $ dskg -a RSASHA1 -b 768 -n ZONE child-example
    Generating key pair.
    dnssec-keygen: fatal: failed to generate key child-example/RSASHA1: openssl failure

4.3 R_SERVICES

Starting R_SERVICES will generate the following OPCOMS:

    %%%%%%%%%%% OPCOM 11-FEB-2011 14:45:20.21 %%%%%%%%%%%
    Message from user SYSTEM on XXXXXX
    MultiNet Server: R_SERVICES: still unable to find kernel symbol "$magic" (voo doo!!!)

    %%%%%%%%%%% OPCOM 11-FEB-2011 14:45:20.22 %%%%%%%%%%%
    Message from user SYSTEM on XXXXXX
    MultiNet Server: R_SERVICES: Unable to hand off WSA device to process 43B, vms status = %x134
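
For the stricter NAMED address parsing noted in section 2.8.2 (127.0.0.1/8 is now rejected and must be written 127.0.0.0/8), the following Python script is an added example, not part of the MultiNet kit or of these release notes, that finds such prefixes in configuration text before an upgrade. The function name, the sample configuration, the named.conf-style comment syntax, and the rule "bits beyond the prefix length must be zero" (inferred from the example in 2.8.2) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample configuration text (not taken from a real system).
SAMPLE_CONF = """\
acl "trusted" {
    127.0.0.1/8;        // host bits set: the form 2.8.2 says is now an error
    192.168.10.0/24;
    10.1.2.3/16;
    fe80::1/64;
    2001:db8::/32;
};
options {
    allow-query { trusted; 172.16.5.4/32; };   # a /32 host entry is fine
};
"""

# named.conf-style comments: /* ... */, // ..., # ...  (assumed syntax)
_COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# Candidate tokens: IPv4 dotted quad or a colon-containing IPv6 form, then /length.
_CIDR = re.compile(
    r"(?<![\w.:])((?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*)/\d{1,3}(?![\w.])"
)

def find_loose_prefixes(conf_text):
    """Return (line_no, written, corrected) for each prefix with host bits set."""
    # Blank out comments but keep newlines so reported line numbers stay correct.
    cleaned = _COMMENTS.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), conf_text)
    findings = []
    for m in _CIDR.finditer(cleaned):
        token = m.group(0)
        try:
            iface = ipaddress.ip_interface(token)
        except ValueError:
            continue  # not a valid address/length; left for the server to report
        # Strict form requires the written address to be the network address.
        if iface.ip != iface.network.network_address:
            line_no = cleaned.count("\n", 0, m.start()) + 1
            findings.append((line_no, token, str(iface.network)))
    return findings

if __name__ == "__main__":
    for line_no, written, corrected in find_loose_prefixes(SAMPLE_CONF):
        print(f"line {line_no}: {written} -> {corrected}")
```

Where an entry was meant to match a single host rather than a network, the right correction is the full-length prefix (/32 or /128) rather than the network form the script suggests.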