HP TCP/IP Services for OpenVMS
Release Notes

July 2006

This document describes the new features and changes
introduced with Version 5.6 of the HP TCP/IP Services
for OpenVMS software product.

Revision/Update Information:  This is a new document.

Software Version:             HP TCP/IP Services for
                              OpenVMS Version 5.6

Operating Systems:            OpenVMS I64 Version 8.3
                              OpenVMS I64 Version 8.2.1
                              OpenVMS Alpha Version 8.3
                              OpenVMS Alpha Version 8.2

Hewlett-Packard Company
Palo Alto, California

________________________________________________________________

Copyright 2006 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP
required for possession, use or copying. Consistent with
FAR 12.211 and 12.212, Commercial Computer Software,
Computer Software Documentation, and Technical Data for
Commercial Items are licensed to the U.S. Government under
vendor's standard commercial license.

The information contained herein is subject to change
without notice. The only warranties for HP products and
services are set forth in the express warranty statements
accompanying such products and services. Nothing herein
should be construed as constituting an additional warranty.
HP shall not be liable for technical or editorial errors or
omissions contained herein.

Intel and Itanium are trademarks or registered trademarks
of Intel Corporation or its subsidiaries in the United
States and other countries.

UNIX is a registered trademark of The Open Group.

Printed in the US

The HP TCP/IP Services for OpenVMS documentation is
available on CD-ROM.

This document was prepared using DECdocument, Version 3.3-1b.

________________________________________________________________

Contents

Preface

1  New Features and Behavioral Enhancements

      1.1   BIND 9 Resolver
      1.2   DNS/BIND V9.3 Server
      1.3   Integrate Tru64 BL26 Updates
      1.4   NFS Client TCP Support
      1.5   NFS Server Support for Integrity
      1.6   NFS Symbolic Link Support
      1.7   NTP Security Update (SSL)
      1.8   SMTP Multiple Domains in a Zone
      1.9   SSH Upgrade with Kerberos Support
      1.9.1     Forwarding of Credentials
      1.9.2     Password Authentication
      1.9.3     Logicals Defined by SSH Startup
      1.9.4     Using Kerberos KDC/DNS
      1.9.5     New Configuration Parameters
      1.10  TELNET Upgrade with Kerberos Support
      1.11  TELNET Server Device Limit
      1.12  IPv6 Support for LPD and TELNETSYM
      1.13  FTP Performance Enhancements for VMS Plus Mode
      1.14  Improved Interface Configuration in TCPIP$CONFIG
      1.15  Added TSIG-based Authentication Support to the Load Broker

2  Installation, Configuration, Startup, and Shutdown

      2.1   Installing Over V5.3 Early Adopter's Kits (EAKs)
      2.2   Upgrading from TCP/IP Services Version 4.x
      2.3   Adding a System to an OpenVMS Cluster
      2.3.1     Running a Newly Configured Host on the Cluster
      2.3.2     Configuring TCP/IP Services Before Adding the System
                to the Cluster
      2.3.3     Disabling or Enabling SSH Server
      2.4   SSH Configuration Files Must Be Updated
      2.5   Troubleshooting SMTP and LPD Shutdown Problems

3  Restrictions and Limitations

      3.1   Netstat Utility -z Option No Longer Implemented
      3.2   Manually Configuring an Interface as DHCP Leads to Startup
            Problems
      3.3   SLIP Restrictions
      3.4   Advanced Programming Environment Restrictions and Guidelines
      3.5   BIND/DNS Restrictions
      3.6   IPv6 Restrictions
      3.6.1     Mobile IPv6 Restrictions
      3.6.2     IPv6 Requires the BIND Resolver
      3.7   NFS Restrictions on Alpha Platforms
      3.7.1     NFS Server Problems and Restrictions
      3.7.2     NFS Client Problems and Restrictions
      3.8   NTP Problems and Restrictions
      3.9   SNMP Problems and Restrictions
      3.9.1     Incomplete Restart
      3.9.2     SNMP IVP Error
      3.9.3     Using Existing MIB Subagent Modules
      3.9.4     Upgrading SNMP
      3.9.5     Communication Controller Data Not Fully Updated
      3.9.6     SNMP MIB Browser Usage
      3.9.7     Duplicate Subagent Identifiers
      3.9.8     Community Name Restrictions
      3.9.9     eSNMP Programming and Subagent Development
      3.9.10    SNMP Installation Verification Program Restriction
      3.10  SSH Problems and Restrictions
      3.10.1    SSH-Related Security Advisories
      3.10.2    SSH General Notes and Restrictions
      3.10.3    UNIX Features That are Not Supported by SSH
      3.10.4    SSH Command Syntax
      3.10.5    SSH Authentication
      3.10.6    SSH Keys
      3.10.7    SSH Sessions
      3.10.8    SSH Messages
      3.10.9    SSH Remote Commands
      3.10.10   SSH Batch Mode
      3.10.11   ls Fails After cd to a Logical Name from a Tru64 UNIX
                Client
      3.10.12   SSH X11 Port Forwarding
      3.10.13   SSH File Transfer (All File Sizes)
      3.10.14   SSH Transferring Large Files
      3.10.15   SSH Server Signals Internal Credentials Cache Error
      3.10.16   SFTP Generates Audit Warnings with Class Device
      3.10.17   BIND Resolver Diagnostics Creates an SSH Packet
                Corruption
      3.11  TCPDUMP Restrictions
      3.12  TCP/IP Management Command Restrictions

4  Corrections

      4.1   Advanced Programming Environment Problems Fixed in This
            Release
      4.1.1     Socket Routines Limited to 64k Bytes
      4.1.2     Symbol Vector Inappropriately Inserted in the IPC
                Options File
      4.1.3     AF_AAL Defined Twice
      4.2   BIND Server Problems Fixed in This Release
      4.2.1     BIND Server Not Properly Using the TCPIP$BIND_COMMON
                Logical Name
      4.2.2     Change to List of BIND Servers in Resolver
                Configuration Recognized
      4.2.3     Resolver Clients Not Receiving Responses from the BIND
                Server
      4.2.4     ACCVIO When Using TSIG
      4.3   FTP Server Problems Fixed in This Release
      4.3.1     FTP Does Not Allow IP Address Specification
      4.3.2     DCL DIRECTORY or UNIX ls Command Returns "Illegal Port
                Command" Error
      4.4   FTP Client Problems Fixed in This Release
      4.4.1     FTP Client Fails to Delete Interim Files after GET/MGET
                Commands
      4.5   IMAP Problems Fixed in This Release
      4.5.1     TELNET to IMAP SSL Port 993 Hangs and Aborts The Same
                Results in Server Crash
      4.5.2     A Message Line Containing More Than 255 Characters Gets
                Truncated to 255 When Fetched via IMAP
      4.5.3     IMAP server crashes intermittently
      4.6   IPv6 Problems Fixed in This Release
      4.6.1     iptunnel create Command Causes BIND Lookups for IPv4
                Addresses
      4.7   LPD/LPR and TELNETSYM Problems Fixed in This Release
      4.7.1     Print Jobs Using Wildcard Proxy from Hosts with No Name
                to Address Translation Available Are Rejected
      4.7.2     $PRINT/PARAM=(host=x) would report an access violation
                (ACCVIO)
      4.8   NFS Server Problems Fixed in This Release
      4.8.1     NFS Server Overwrites Files with Case-Sensitive Lookup
      4.8.2     Directories Created by non-VMS Clients Do Not Inherit
                Version Limit
      4.8.3     NFS Server and netstat Do Not Run Properly on Alpha
                Systems Not Running EV56 or Later Technologies
      4.8.4     MOUNT Server Problems Fixed in This Release
      4.8.5     Client Unable to Mount Devices
      4.9   NTP Problems Fixed in This Release
      4.9.1     NTPDATE Issue If the NTP Service Is Not Defined
      4.9.2     NTP Server Automatically Purges Log Files
      4.9.3     NTP Broadcast Feature Does Not Work on an IPv6-enabled
                System
      4.10  LBROKER Problems Fixed in This Release
      4.10.1    Load Broker Polls Metric Servers Only Twice
      4.11  UCP Problems Fixed in This Release
      4.11.1    TCPIP SHOW CONFIG NAME Incorrectly Generates Write
                Audit Alarm
      4.11.2    TCPIP SHOW MAIL/ENTRY Failure
      4.11.3    PIPE to tcpip show conf communication fails
      4.11.4    Problems Generating Correct Database Files with the
                TCPIP CONVERT/UNIX BIND Command
      4.11.5    Illegal BIND Resolver Search Lists Defined via the
                TCPIP SET NAME/PATH Command
      4.12  RLOGIN Problems Fixed in This Release
      4.12.1    System Crash, INCONSTATE for an RLOGIN socket
      4.13  RSH Problems Fixed in This Release
      4.13.1    RMT Server Does Not Work with Solaris Clients
      4.13.2    RSH /Escape_character for the Alpha Client Causes an
                Access Violation
      4.14  RCP Problems Fixed in This Release
      4.14.1    RCP Command Returns Error Status When /LOG Option is
                Used
4-14 ?               4.14.2    RCP Cannot Locate A File in the Current @                         Directory When SET DEFAULTed to a SearchI                         List......................................   4-14 I               4.15  SMTP Problems Fixed in This Release...........   4-14 B               4.15.1    Try-A-Records Governs SMTP Symbiont Use ofI                         A Records For Relay.......................   4-14 >               4.15.2    Any Message Header That Unfolds into aA                         Single Line Longer Than 7192 Bytes Causes I                         SFF to Loop Infinitely....................   4-15 B               4.15.3    SMTP Fails to Send Mail with a Record SizeI                         Greater than 4093.........................   4-15 A               4.15.4    Unprivileged User Sending MAIL Results in B                         Security Alarms for Queue CONTROL and READI                         access....................................   4-16 I               4.15.5    MAIL to SMTP% Causes Security Alarms......   4-16 I               4.15.6    ACCVIO Due to Improper Parsing............   4-16     I                                                                       vii                    ;               4.15.7    Selecting MX Records to Route Mails I                         Correctly.................................   4-17 I               4.16  Startup Problems Corrected in This Release....   4-17 I               4.16.1    Unrecognized Command Verb Errors..........   4-17 I               4.17  SNMP Problems Fixed in This Release...........   4-17 I               4.17.1    SNMP Poll Time Is Not Configurable........   4-17 I               4.18  Sockets API Problems Fixed in This Release....   4-18 I               4.18.1    Socket Function getaddrinfo() Hangs ......   4-18 I               4.19  SSH Problems Fixed in This Release............   
4-18 ?               4.19.1    OpenVMS SSH Does Not Support Mixed Case I                         Passwords.................................   4-18 ;               4.19.2    Signals Cause Extraneous or Cryptic I                         Messages..................................   4-19 =               4.19.3    CTRL/C Did Not Work During sftp2/scp2 I                         filecopy..................................   4-19 I               4.19.4    Usernames with $ Not Supported............   4-19 >               4.19.5    Problem With Timeout in Locking of X11I                         xauth Authority File......................   4-20 @               4.19.6    Cannot Issue a $ CREATE TERM/DETACH from@                         an SSH Session Itself Created Using ThatI                         Command...................................   4-21 A               4.19.7    SSH Client and Server Startup Fail If the B                         Correct Version of DECwindows Motif Is NotI                         Installed and Started.....................   4-21 :               4.19.8    The SFTP Client Does Not Sense theI                         Terminal Page Size Properly...............   4-22 @               4.19.9    SSH Filecopy Clients Cannot Use of GroupI                         Logical Names on the SFTP Server..........   4-22 :               4.19.10   VMS Text Editor and the DCL SEARCH?                         Command See SSH Server Log File Warning I                         Messages..................................   4-23 ?               4.19.11   SSH Client Ignores Any DNS AAAA Records I                         Belonging to the Remote Host..............   4-23 I               4.19.12   Publickey Authentication Fails............   4-23 =               4.19.13   Regular Expression Syntax Parsing Not I                         Done......................................   4-24 I               4.19.14   Login Dates Manipulation Sets Off Audit...   
4-24 I               4.19.15   SFTP Server Causes Auditing Alarms........   4-24 ;               4.19.16   SFTP File Transfers Do Not Preserve I                         OpenVMS File Attributes...................   4-25 B               4.19.17   SSH Password Change Sequence Did Not CheckI                         for Password in History File..............   4-25                viii                   >               4.19.18   Non-OpenVMS Clients Overwrite Files onI                         OpenVMS Servers...........................   4-25 :               4.19.19   SSH Client Does Not See Entries inI                         TCPIP$ETC:IPNODES.DAT.....................   4-26 I               4.19.20   Limited Support for ODS-5 File Format.....   4-26 ;               4.19.21   Fixed SFTP2 Image Exits with Normal I                         Status....................................   4-27 ?               4.19.22   SFTP Batch Procedure Files Need Special I                         Format....................................   4-28 ?               4.19.23   SSH File Transfer Clients and Server Do I                         Not Handle VMS-style Wildcards............   4-29 =               4.19.24   Text Display for Usage Does Not Match I                         Documentation.............................   4-29 :               4.19.25   Allow Restrictions on Execution ofI                         SFTP-server2..............................   4-29 =               4.19.26   Using SFTP To Pull Fixed Length Files I                         Results In A Corrupted File...............   4-31 6               4.19.27   Pasting from Text Editor LosesI                         Characters................................   4-31 @               4.19.28   sftp ls on Directory with a Large NumberI                         of Files Cannot Be Interrupted............   4-31 I               4.20  SSL Problems Fixed in This Release............   
4-32 ?               4.20.1    After Installing SSL, POP SSL Ceases to I                         Function..................................   4-32 I               4.21  TELNET Problems Fixed in This Release.........   4-33 2               4.21.1    TELNET Intrusion DetectionI                         Inflexibility.............................   4-33 8               4.22  Miscellaneous Problems Fixed in ThisI                     Release.......................................   4-33 @               4.22.1    PPP Supports the Scaling Kernel and IA64I                         Architecture..............................   4-33 I               4.22.2    TCPIP SHOW ROUTE/MASK Reports Error.......   4-34            5  Documentation Update   I               5.1   Documentation Updated for This Release........    5-1 <               5.2   Documentation Not Being Updated for ThisI                     Release.......................................    5-1               I                                                                        ix                    $         A  Implementing NTP Autokeys  I               A.1   Default TC Identity Scheme (method 1).........    A-1 I               A.2   Default TC Identity Scheme (method 2).........    A-2 I               A.3   PC Identity Scheme............................    A-3 I               A.4   IFF scheme (method 1).........................    A-4 I               A.5   Alternate IFF Scheme (method 2)...............    A-5 I               A.6   GQ scheme.....................................    A-7 I               A.7   MV scheme.....................................    A-8            Tables  I               1         TCP/IP Services Documentation.............     ix   7               1-1       TCP/IP Services for OpenVMS New I                         Features..................................    1-1   I               2-1       Minimum Values for SYSUAF Parameters......    
      3-1       CERT/SSRT Network Security Advisories

________________________________________________________________

Preface

The HP TCP/IP Services for OpenVMS product is the HP
implementation of the TCP/IP protocol suite and Internet
services for OpenVMS Alpha and OpenVMS Industry Standard
64 for Integrity Servers (I64) systems. This document
describes the latest release of the HP TCP/IP Services
for OpenVMS product.

TCP/IP Services provides a comprehensive suite of functions
and applications that support industry-standard protocols
for heterogeneous network communications and resource
sharing.

For installation instructions, see the HP TCP/IP Services
for OpenVMS Installation and Configuration manual.

The release notes provide version-specific information that
supersedes the information in the documentation set. The
features, restrictions, and corrections in this version
of the software are described in the release notes. Always
read the release notes before installing the software.

Intended Audience

These release notes are intended for experienced OpenVMS
and UNIX[R] system managers and assume a working knowledge
of OpenVMS system management, TCP/IP networking, TCP/IP
terminology, and some familiarity with the TCP/IP Services
product.

Document Structure

These release notes are organized into the following
chapters:

o  Chapter 1 describes new features and special changes to
   the software that enhance its observed behavior.

o  Chapter 2 describes changes to the installation,
   configuration, and startup procedures, and includes
   other related information that is not included in
   the HP TCP/IP Services for OpenVMS Installation and
   Configuration manual.

o  Chapter 3 describes information about problems and
   restrictions, and includes notes describing changes
   to particular commands or services.

o  Chapter 4 describes problems identified in previous
   versions of TCP/IP Services that have been fixed.

o  Chapter 5 describes updates to information in the TCP/IP
   Services product documentation.

Related Documents

Table 1 lists the documents available with this version of
TCP/IP Services.

Table 1 TCP/IP Services Documentation
________________________________________________________________

Manual
    Contents
________________________________________________________________

HP TCP/IP Services for OpenVMS Concepts and Planning
    This manual provides conceptual information about TCP/IP
    networking on OpenVMS systems, including general planning
    issues to consider before configuring your system to use the
    TCP/IP Services software.

    This manual also describes the other manuals in the TCP/IP
    Services documentation set and provides a glossary of terms
    and acronyms for the TCP/IP Services software product.

HP TCP/IP Services for OpenVMS Release Notes
    The release notes provide version-specific information that
    supersedes the information in the documentation set. The
    features, restrictions, and corrections in this version of
    the software are described in the release notes. Always read
    the release notes before installing the software.

HP TCP/IP Services for OpenVMS Installation and Configuration
    This manual explains how to install and configure the TCP/IP
    Services product.

HP TCP/IP Services for OpenVMS User's Guide
    This manual describes how to use the applications available
    with TCP/IP Services such as remote file operations, e-mail,
    TELNET, TN3270, and network printing.

HP TCP/IP Services for OpenVMS Management
    This manual describes how to configure and manage the TCP/IP
    Services product.

HP TCP/IP Services for OpenVMS Management Command Reference
    This manual describes the TCP/IP Services management
    commands.

HP TCP/IP Services for OpenVMS Management Command Quick
Reference Card
    This reference card lists the TCP/IP management commands by
    component and describes the purpose of each command.

HP TCP/IP Services for OpenVMS UNIX Command Equivalents
Reference Card
    This reference card contains information about commonly
    performed network management tasks and their corresponding
    TCP/IP management and UNIX command formats.

HP TCP/IP Services for OpenVMS ONC RPC Programming
    This manual presents an overview of high-level programming
    using open network computing remote procedure calls (ONC
    RPC). This manual also describes the RPC programming
    interface and how to use the RPCGEN protocol compiler to
    create applications.

HP TCP/IP Services for OpenVMS Guide to SSH
    This manual describes how to configure, set up, use, and
    manage the SSH for OpenVMS software.

HP TCP/IP Services for OpenVMS Sockets API and System Services
Programming
    This manual describes how to use the Berkeley Sockets API
    and OpenVMS system services to develop network applications.

HP TCP/IP Services for OpenVMS SNMP Programming and Reference
    This manual describes the Simple Network Management Protocol
    (SNMP) and the SNMP application programming interface
    (eSNMP). It describes the subagents provided with TCP/IP
    Services, utilities provided for managing subagents, and how
    to build your own subagents.

HP TCP/IP Services for OpenVMS Tuning and Troubleshooting
    This manual provides information about how to isolate the
    causes of network problems and how to tune the TCP/IP
    Services software for the best performance. It also provides
    information about using UNIX network management utilities on
    OpenVMS.

HP TCP/IP Services for OpenVMS Guide to IPv6
    This manual describes the IPv6 environment, the roles of
    systems in this environment, the types and function of the
    different IPv6 addresses, and how to configure TCP/IP
    Services to access the IPv6 network.
________________________________________________________________

For additional information about HP OpenVMS products and
services, visit the following World Wide Web address:

    http://www.hp.com/go/openvms

For a comprehensive overview of the TCP/IP protocol suite,
refer to the book Internetworking with TCP/IP: Principles,
Protocols, and Architecture, by Douglas Comer.

Reader's Comments

HP welcomes your comments on this manual.
              Please send comments to either of the following addresses:

              Internet    openvmsdoc@hp.com

              Postal      Hewlett-Packard Company
              Mail        OSSG Documentation Group, ZKO3-4/U08
                          110 Spit Brook Rd.
                          Nashua, NH 03062-2698

        How to Order Additional Documentation

              For information about how to order additional
              documentation, visit the following World Wide Web address:

              http://www.hp.com/go/openvms/doc/order

        Conventions

              In the product documentation, the name TCP/IP Services
              means any of the following:

              o  HP TCP/IP Services for OpenVMS Alpha

              o  HP TCP/IP Services for OpenVMS I64

              o  HP TCP/IP Services for OpenVMS VAX

              In addition, please note that all IP addresses are
              fictitious.

              The following conventions are used in the documentation.

              Ctrl/x           A sequence such as Ctrl/x indicates that
                               you must hold down the key labeled Ctrl
                               while you press another key or a pointing
                               device button.

              PF1 x            A sequence such as PF1 x indicates that
                               you must first press and release the key
                               labeled PF1 and then press and release
                               another key or a pointing device button.

              <Return>         In examples, a key name enclosed in a
                               box indicates that you press a key on
                               the keyboard. (In text, a key name is not
                               enclosed in a box.)

                               In the HTML version of this document, this
                               convention appears as brackets, rather
                               than a box.

              . . .            A horizontal ellipsis in examples
                               indicates one of the following
                               possibilities:

                               o  Additional optional arguments in a
                                  statement have been omitted.

                               o  The preceding item or items can be
                                  repeated one or more times.

                               o  Additional parameters, values, or other
                                  information can be entered.

              .                A vertical ellipsis indicates the omission
              .                of items from a code example or command
              .                format; the items are omitted because
                               they are not important to the topic being
                               discussed.

              ( )              In command format descriptions,
                               parentheses indicate that you must enclose
                               choices in parentheses if you specify more
                               than one.

              [ ]              In command format descriptions, brackets
                               indicate optional choices. You can choose
                               one or more items or no items. Do not
                               type the brackets on the command line.
                               However, you must include the brackets
                               in the syntax for OpenVMS directory
                               specifications and for a substring
                               specification in an assignment statement.

              |                In command format descriptions, vertical
                               bars separate choices within brackets
                               or braces. Within brackets, the choices
                               are optional; within braces, at least
                               one choice is required. Do not type the
                               vertical bars on the command line.

              { }              In command format descriptions, braces
                               indicate required choices; you must choose
                               at least one of the items listed. Do not
                               type the braces on the command line.

              bold type        Bold type represents the introduction of a
                               new term. It also represents the name of
                               an argument, an attribute, or a reason.

              italic type      Italic type indicates important
                               information, complete titles of
                               manuals, or variables. Variables include
                               information that varies in system output
                               (Internal error number), in command
                               lines (/PRODUCER=name), and in command
                               parameters in text (where dd represents
                               the predefined code for the device type).

              UPPERCASE TYPE   Uppercase type indicates a command, the
                               name of a routine, the name of a file, or
                               the abbreviation for a system privilege.

              Example          This typeface indicates code examples,
                               command examples, and interactive
                               screen displays. In text, this type
                               also identifies URLs, UNIX commands and
                               pathnames, PC-based commands and folders,
                               and certain elements of the C programming
                               language.

              -                A hyphen at the end of a command format
                               description, command line, or code line
                               indicates that the command or statement
                               continues on the following line.

              numbers          All numbers in text are assumed to be
                               decimal unless otherwise noted.
                               Nondecimal radixes (binary, octal, or
                               hexadecimal) are explicitly indicated.

                                                                        1
        _________________________________________________________________

                                 New Features and Behavioral Enhancements

              This chapter describes new features of TCP/IP Services
              Version 5.6 as well as behavioral enhancements.

                ________________________ Note ________________________

                TCP/IP Services Version 5.6 is supported on OpenVMS
                Alpha and OpenVMS Industry Standard 64 for Integrity
                Servers (I64) systems only. On VAX systems, use TCP/IP
                Services Version 5.3.

                To use TCP/IP Services Version 5.6, you must upgrade
                to OpenVMS Version 8.2 or higher.

                ______________________________________________________

              For information about installing and configuring
              TCP/IP Services, see the HP TCP/IP Services for OpenVMS
              Installation and Configuration guide.

              Table 1-1 lists the new features of TCP/IP Services Version
              5.6 and the sections that describe them.

              Table 1-1 TCP/IP Services for OpenVMS New Features
              ___________________________________________________________
              Feature         Section  Description
              ___________________________________________________________

              BIND 9          1.1      This release includes a new
              Resolver                 version of the BIND resolver.

              DNS/BIND V9.3   1.2      This release includes an updated
              Server                   BIND server codebase.

              Integrate       1.3      This release incorporates several
              Tru64 BL26               critical bug fixes in the Tru64
              Updates                  UNIX-based kernel and management
                                       utilities.

              NFS Client TCP  1.4      The NFS client joins the server in
              Support                  offering the ability to run over
                                       TCP.

              NFS Server      1.5      The NFS server is now operational
              Support for              and supported on the OpenVMS I64
              Integrity                platform.

              NFS Symbolic    1.6      The NFS server now recognizes
              Link Support             symbolic links and can create them
                                       as necessary.

              NTP Security    1.7      New NTP features offer
              Update (SSL)             cryptographic security.

              SMTP Multiple   1.8      SMTP now recognizes more than
              Domains in a             one domain name for direct local
              Zone                     delivery.

              SSH Upgrade     1.9      Several improvements have been
              with Kerberos            made to SSH.
              Support

              TELNET Upgrade  1.10     The TELNET server and client are
              with Kerberos            now supported with the upgraded
              Support                  Kerberos version that ships with
                                       OpenVMS V8.3.

              TELNET Server   1.11     The TELNET server is no longer
              Device Limit             limited to 9999 sessions for TN
                                       devices.

              IPv6 Support    1.12     Both LPD and TELNETSYM printing
              for LPD and              software now allow you to print
              TELNETSYM                via the IPv6 transport.

              FTP             1.13     The FTP service has been
              Performance              streamlined.
              Enhancements
              for VMS Plus
              Mode

              Improved        1.14     The menu-driven process of
              Interface                defining local interfaces and IP
              Configuration            addresses has been significantly
              in                       reworked to provide better support
              TCPIP$CONFIG             for failSAFE IP.

              Added           1.15     Added TSIG-based authentication
              TSIG-based               support to the Load Broker.
              Authentication
              Support to the
              Load Broker
              ___________________________________________________________

        1.1 BIND 9 Resolver

              This release includes a new version of the BIND resolver
              that brings several API updates including thread-safety
              for the getaddrinfo() and getnameinfo() routines. It also
              brings new features, including the ability to resolve DNS
              entries via the IPv6 transport. This represents a major
              upgrade from V5.5 and other recent releases, which provided
              resolver functionality based on BIND8.

        1.2 DNS/BIND V9.3 Server

              This release updates the BIND server to Version 9.3.1,
              which brings several incremental improvements related to
              security and stability.

        1.3 Integrate Tru64 BL26 Updates

              Several critical bug fixes in the Tru64 UNIX-based kernel
              and management utilities were incorporated.

        1.4 NFS Client TCP Support

              The NFS client joins the server in offering the ability to
              run over TCP, in addition to the more-traditional UDP mode
              of operation. This can be useful when mounting filesystems
              across a Wide Area Network or traversing a firewall.

        1.5 NFS Server Support for Integrity

              This release includes NFS Server Support for OpenVMS I64
              platforms.

        1.6 NFS Symbolic Link Support

              The NFS server now recognizes symbolic links and can create
              them as necessary.

        1.7 NTP Security Update (SSL)

              New NTP features offer cryptographic security, enhancing
              the protection against an attacker trying to compromise the
              accuracy of your system clock. For more information, see
              Appendix A.

        1.8 SMTP Multiple Domains in a Zone

              During periods of organizational transition such as
              mergers, it is common for more than one domain name to
              be in use on a corporate intranet. SMTP will now recognize
              more than one domain name.

        1.9 SSH Upgrade with Kerberos Support

              TCP/IP Services for OpenVMS 5.6 introduces SSH support
              for Kerberos, the popular network authentication protocol
              from Massachusetts Institute of Technology. The SSH password
              authentication method has been enhanced to support
              Kerberos.
              Three new SSH authentication methods based on
              Kerberos are now supported:

              o  gssapi-with-mic

              o  kerberos-2@ssh.com ("kerberos-2" is used synonymously
                 with "kerberos-2@ssh.com")

              o  kerberos-tgt-2@ssh.com ("kerberos-tgt-2" is used
                 synonymously with "kerberos-tgt-2@ssh.com")

              The kerberos-2@ssh.com and kerberos-tgt-2@ssh.com
              authentication methods are proprietary, not specified
              by an IETF draft or RFC, and as such are supported only
              by the SSH implementations based on software from SSH
              Communications Inc. Tru64 UNIX also supports these two
              authentication methods.

              The gssapi-with-mic authentication method is based on an
              IETF draft (GSSAPI Authentication and Key Exchange for the
              Secure Shell Protocol). As a public domain specification,
              it is supported by a broader range of SSH implementations
              including those based on OpenSSH. TCP/IP Services does
              not implement the key exchange part of the "GSSAPI
              Authentication and Key Exchange for the Secure Shell
              Protocol" draft. It implements only the user authentication
              portion of this specification.

              The SSH server in this version of TCP/IP Services supports
              Kerberos for OpenVMS Version V2.1 and higher. For more
              information about Kerberos for OpenVMS, refer to the
              HP Open Source Security for OpenVMS, Volume 3: Kerberos
              manual.

        1.9.1 Forwarding of Credentials

              Kerberos provides the ability for applications like SSH
              to forward credentials from client host to server host,
              obviating the need for the user to re-enter their Kerberos
              password each time they use a Kerberized application. For
              example, with credentials forwarding a user on HOSTA could
              issue a kinit command, connect with SSH from HOSTA to HOSTB
              and then, once logged into HOSTB, they could connect on to
              HOSTC without issuing a kinit command in their user process
              on HOSTB. They only entered the kinit command on HOSTA and
              their credentials "followed" them to their session on HOSTB
              and then on to their session on HOSTC.

              The -f option on the SSH command indicates that a
              forwardable TGT is to be produced.

              The Kerberized application must also support credentials
              forwarding. The kerberos-tgt-2 method supports credentials
              being forwarded from the client to the server process.

              The kerberos-2 method does not support forwarding of the
              user's Kerberos credentials to the process on the SSH
              server host.
              An application that uses Kerberos from the
              process on the server side requires the user to enter
              another kinit command.

              The gssapi-with-mic method supports forwarding of the
              user's Kerberos credentials to the user's process on
              the SSH server. However, the OpenVMS SSH server does not
              support this feature. Therefore, when connecting to the
              OpenVMS SSH server using gssapi-with-mic authentication,
              the user's Kerberos credentials from the client will not be
              propagated to the user's process on the server.

                ________________________ Note ________________________

                Any use of a Kerberized application from the server
                side process requires the user to issue another kinit
                command in that process.

                ______________________________________________________

              For information about how to enable SSH server support for
              Kerberos, see the HP TCP/IP Services for OpenVMS Guide to
              SSH.

              The following example illustrates how to obtain a
              forwardable TGT.

                  !!! User issues kinit with -f to get a forwardable TGT.
                  !!! In this example the Kerberos principal user name is lower case and
                  !!! the realm is uppercase.
                  SYSA> kinit -f "smith"
                  Password for smith@SYSA.XYZ.COM:

                  !!! Connect to system "sysb" forcing use of kerberos-tgt-2 authentication
                  !!! method.
                  SYSA> ssh -o"AllowedAuthentications kerberos-tgt-2@ssh.com" smith@sysb
                  Authentication successful.

                   Welcome to HP OpenVMS Industry Standard 64 Evaluation Release V8.2

                  !!! We've been allowed in. A klist -f (-f for "full") shows that we have a
                  !!! TGT without having issued a kinit command on SYSB.
                  SYSB> klist -f
                  Ticket cache: FILE:WORK10$:[SMITH.KRB.SYSB.TMP]KRB5CC_1480589921
                  Default principal: smith@SYSA.XYZ.COM

                  Valid starting     Expires            Service principal
                  09/22/05 14:18:53  09/23/05 00:17:16  krbtgt/SYSA.XYZ.COM@SYSA.XYZ.COM
                          Flags: FfT

                  Kerberos 4 ticket cache: krb$user:[tmp]k4_tkt_cache33488912
                  KRB$KLIST: You have no tickets cached

                  !!! Now use ssh to connect back to sysa but this time use the simpler
                  !!! kerberos-2 authentication method.
                  SYSB> ssh -o"AllowedAuthentications kerberos-2@ssh.com" smith@sysa
                  Authentication successful.

                  UNAUTHORIZED ACCESS PROHIBITED OpenVMS AXP (TM) Operating System, Version V8.2

                  !!! We have been allowed in but have no TGT created for us because we
                  !!! used kerberos-2:
                  SYSA> klist -f
                  KRB$KLIST: No credentials cache found (ticket cache FILE:krb$user:[tmp]krb5cc_33488912)

                  Kerberos 4 ticket cache: krb$user:[tmp]k4_tkt_cache33488912
                  KRB$KLIST: You have no tickets cached

        1.9.2 Password Authentication

              In addition, the OpenVMS SSH server provides an optional
              Kerberos password check. In password authentication mode,
              the SSH server checks the password against Kerberos before
              checking it against SYSUAF.
              If the Kerberos password check
              passes then the SSH server considers the SSH password
              authentication successful and the user is allowed in. If
              not, the password authentication continues on with the
              SYSUAF check.

              When the Kerberos password check succeeds, the SSH server
              provides to the user process on the server system a
              forwardable TGT so that the user need not issue a kinit
              command once logged in. Essentially, the SSH server does a
              kinit on behalf of the user.

              This feature is not enabled by default. Use the
              TryKerberosPassword configuration parameter to enable this
              feature.

                ________________________ Note ________________________

                The check of the user password against Kerberos
                is transparent to the SSH client software and is
                performed entirely on the SSH server. The SSH client
                software is unaware of how the password is processed
                by the SSH server. This approach has the advantage
                of allowing use of Kerberos features from a client
                host that doesn't have Kerberos configured. The only
                awareness of Kerberos required on the SSH client side
                is the knowledge of the user that they may enter their
                Kerberos password (which may very well be different
                from the password to their account on the server host)
                in response to the SSH client's password cue.

                Because there is no knowledge on the part of the SSH
                client software that the SSH server is passing the
                user password to Kerberos for validation, there is no
                way for the SSH client user to specify the Kerberos
                principal name to be used by the SSH server for the
                Kerberos password check. Therefore the SSH server
                must compose the Kerberos principal name for the
                password check using a common sense heuristic. The
                SSH server uses the target username being logged into
                on the SSH server system for the username part of
                the principal and the local Kerberos realm as the
                principal's realm name. For example, if the SSH
                server's Kerberos realm was SYSA.XYZ.COM and the
                user account to be logged into was "smith" then the
                Kerberos principal used for the Kerberos password
                check would be smith@SYSA.XYZ.COM.

                ______________________________________________________

        1.9.3 Logicals Defined by SSH Startup

              In order to use the gssapi-with-mic authentication method
              on an OpenVMS host with Kerberos for OpenVMS Version V2.1,
              the SSH server and client startup procedures define a
              logical name TCPIP$SSH_KRBRTL_HACK.
              The presence of this
              logical tells the SSH client and server to perform steps to
              circumvent a problem with images that use
              LIB$FIND_IMAGE_SYMBOL to access both KRB$RTL32.EXE and
              GSS$RTL32.EXE.

              The SSH server and client startup procedures will define
              TCPIP$SSH_KRBRTL_HACK based on the version of Kerberos
              running on your system and not whether Kerberos is actually
              in use on your system or configured to be used by SSH.

              If you are running Kerberos for OpenVMS Version V3.0 or
              higher, the SSH server and client startup procedures will
              not define this logical, because the steps needed to make
              GSS$RTL32 work properly with LIB$FIND_IMAGE_SYMBOL are not
              needed.

        1.9.4 Using Kerberos KDC/DNS

              To configure Kerberos KDC/DNS, include fully qualified
              host principals. For example, a host principal for the SSH
              server host with DNS name myhost.abcd.org in the Kerberos
              realm ABCD.ORG would be "host/myhost.abcd.org@ABCD.ORG".

              For SSH purposes the DNS host name part of the host
              principal should be fully qualified. The SSH server's
              checking of the client user's password against Kerberos
              in password authentication also requires a fully qualified
              host principal for the SSH server host.

              You must define a Kerberos host principal for an SSH
              client host that is also to serve as an SSH server for the
              Kerberos-based authentication methods and for the password
              authentication Kerberos password check.

              In addition, to use the gssapi-with-mic authentication
              method, the first name in the list returned from a TCPIP
              SHOW HOST/LOCAL command entered on the SSH server for the
              SSH server must be its fully-qualified canonical name.

              For example, say the SSH server host name is
              myhost.abcd.org. This example illustrates two possible
              local host database entries for SSH server myhost.abcd.org
              on myhost.abcd.org. The first example prevents the
              gssapi-with-mic authentication method from working:

                Example 1

                MYHOST> tcpip show host/local myhost

                     LOCAL database

                Host address    Host name

                10.0.0.1   myhost, myhost.abcd.org, MYHOST, MYHOST.ABCD.ORG

              The following example shows how to define the host name so
              that the gssapi-with-mic authentication method works:

                Example 2

                MYHOST> tcpip show host/local myhost

                     LOCAL database

                Host address    Host name

                10.0.0.1   myhost.abcd.org, myhost, MYHOST,MYHOST.ABCD.ORG

              If your configuration requires a local host database entry
              as shown in Example 1, then gssapi-with-mic will not work
              for you.

        1.9.5 New Configuration Parameters

              This version of SSH recognizes the following new
              configuration parameters.

              o  In the server configuration file (SSHD_CONFIG.):

                 -  TryKerberosPassword

                 -  GssapiSendError

              o  In the client configuration file (SSH_CONFIG.):

                 -  GssapiDelegateCredentials

              o  In both the client and server configuration files:

                 -  GssapiSendErrtok

              For more information about these configuration parameters,
              see the HP TCP/IP Services for OpenVMS Guide to SSH.

        1.10 TELNET Upgrade with Kerberos Support

              The TELNET server and client are now supported with the
              upgraded Kerberos version that ships with OpenVMS V8.3.
  '         1.11 TELNET Server Device Limith  H               The TELNET server is no longer limited to 9999 sessions or               TN devices.h  /         1.12 IPv6 Support for LPD and TELNETSYM   F               Continuing our work to offer IPv6 support throughout theI               product, both LPD and TELNETSYM printing software now allow 2               you to print via the IPv6 transport.  5         1-10 New Features and Behavioral EnhancementsN P  r      I                                  New Features and Behavioral Enhancements I                       1.13 FTP Performance Enhancements for VMS Plus Modec    ;         1.13 FTP Performance Enhancements for VMS Plus Modeu  =               Streamlining was performed for the FTP service,eD               specifically addressing the case where both server and)               client are OpenVMS systems.   =         1.14 Improved Interface Configuration in TCPIP$CONFIG   I               The menu-driven process of defining local interfaces and IP I               addresses has been significantly reworked to provide better_&               support for failSAFE IP.  G         1.15 Added TSIG-based Authentication Support to the Load BrokerI  E               The Load Broker can now transact secure dynamic updatesu!               with a BIND server.e                                                          I                             New Features and Behavioral Enhancements 1-11  t  e                    I                                                                         2 I         _________________________________________________________________   I                        Installation, Configuration, Startup, and Shutdownf    A               This chapter includes notes and changes made to the C               installation and configuration of TCP/IP Services, as G               well as startup and shutdown procedures. 
Use this chapter in conjunction with the HP TCP/IP Services for OpenVMS Installation and Configuration manual.

2.1 Installing Over V5.3 Early Adopter's Kits (EAKs)

If you have installed one or more of the following V5.3 EAKs, you must use the PCSI REMOVE command to remove the EAKs before you install TCP/IP Services V5.5:

o  SSH for OpenVMS EAK

o  failSAFE IP EAK

________________________ Note ________________________

If you install the current TCP/IP Services version after removing the failSAFE IP EAK, you must run TCPIP$CONFIG.COM to reestablish your target and home interfaces.

______________________________________________________

2.2 Upgrading from TCP/IP Services Version 4.x

Upgrading from versions prior to V5.0 has not been qualified for this release.

2.3 Adding a System to an OpenVMS Cluster

The TCPIP$CONFIG.COM configuration procedure for TCP/IP Services Version 5.6 creates OpenVMS accounts using larger system parameter values than in previous versions. Only new accounts get these larger values. These values are useful on OpenVMS Alpha systems but essential on OpenVMS I64 systems.

To have your OpenVMS I64 system join an OpenVMS Cluster as a TCP/IP host, HP recommends adding the system to the cluster before you configure TCP/IP Services.
The guidelines in Section 2.3.1 assume you have followed this recommendation.

If you configure TCP/IP Services before you add the system to a cluster, see Section 2.3.2.

2.3.1 Running a Newly Configured Host on the Cluster

The following recommendations assume you are configuring TCP/IP Services on the system after having added the system to the OpenVMS Cluster.

If TCP/IP Services has previously been installed on the cluster and you encounter problems running a TCP/IP component on the system, modify the cluster System Authorization File (SYSUAF) to raise the parameter values for the account used by the affected component. The minimum recommended values are listed in Table 2-1.

Table 2-1  Minimum Values for SYSUAF Parameters

    Parameter     Minimum Value
    ------------  -------------
    ASTLM         100
    BIOLM         400
    BYTLM         108000
    DIOLM         50
    ENQLM         100
    FILLM         100
    PGFLQUOTA[1]  50000
    TQELM         50
    WSEXTENT      4000
    WSQUOTA       1024

    [1] This parameter's value setting is especially critical.

The IMAP, DHCP, and XDM components can exhibit account parameter problems if the value assigned to PGFLQUOTA or to any of the other listed parameters is too low.
Use the OpenVMS AUTHORIZE utility to modify SYSUAF parameters. For more information, see HP OpenVMS System Management Utilities Reference Manual: A-L.

2.3.2 Configuring TCP/IP Services Before Adding the System to the Cluster

If you configure TCP/IP Services before you add the system to a cluster, when you add the system to the cluster the owning UIC for each of the TCP/IP service SYS$LOGIN directories (TCPIP$service-name, where service-name is the name of the service) may be incorrect. Use the OpenVMS AUTHORIZE utility to correct these UICs.

2.3.3 Disabling or Enabling SSH Server

When you use the TCPIP$CONFIG.COM configuration procedure to disable or enable the SSH server, the following prompt is displayed:

    * Create a new default Server host key? [YES]:

Unless you have a specific reason for creating a new default server host key, you should enter "N" at this prompt. If you accept the default, clients with the old key will need to obtain the new key.
For more information, see Section 3.10.6.

2.4 SSH Configuration Files Must Be Updated

Note that this section refers to upgrades from a version prior to V5.4 ECO.

The SSH client and server on this version of TCP/IP Services cannot use configuration files from previous versions of SSH.

If the SSH client and server detect systemwide configuration files from an older version of SSH, the client and server will fail to start. The client will display the following warning message, and the server will write the following warning message to the SSH_RUN.LOG file:

    You may have an old style configuration file. Please follow the
    instructions in the release notes to use the new configuration
    files.

If the SSH client detects a user-specific configuration file from an older version of SSH, the SSH client will display the warning and will allow the user to proceed.

To preserve the modifications made to the SSH server configuration file and the SSH client configuration file, you must edit the templates provided with the new version of SSH, as follows:

1. Extract the template files using the following commands:

       $ LIBRARY/EXTRACT=SSH2_CONFIG SYS$LIBRARY:TCPIP$TEMPLATES.TLB -
       _$ /OUT=TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSH2_CONFIG.

       $ LIBRARY/EXTRACT=SSHD2_CONFIG SYS$LIBRARY:TCPIP$TEMPLATES.TLB -
       _$ /OUT=TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG.

   These commands copy the new template files into the SSH2 configuration directory with a new version number.

2. Copy the modifications made in the old versions of the configuration files to the new versions.

3. Start SSH using the following commands:

       $ @SYS$STARTUP:SSH_STARTUP.COM
       $ @SYS$STARTUP:SSH_CLIENT_STARTUP.COM

2.5 Troubleshooting SMTP and LPD Shutdown Problems

If SMTP or LPD shutdown generates errors indicating that the queue manager is not running, check your site-specific shutdown command procedure (VMS_SYSHUTDOWN.COM).
If this procedure contains the command to stop the queue manager (STOP/QUEUE/MANAGER), make sure this command is after the command that runs the TCPIP$SHUTDOWN.COM command procedure.

________________________ Note ________________________

You do not have to stop the queue manager explicitly. The queue manager is automatically stopped and started when you restart the system.

______________________________________________________

3  Restrictions and Limitations

This chapter provides information about problems and restrictions in the current version of TCP/IP Services, and also includes other information specific to a particular command or service, such as changes in command syntax or messages.

3.1 Netstat Utility -z Option No Longer Implemented

In this version of TCP/IP Services for OpenVMS, the -z option to the netstat utility is no longer implemented. It has not been determined whether future versions of TCP/IP Services will restore this functionality.

3.2 Manually Configuring an Interface as DHCP Leads to Startup Problems

Manually configuring an interface to be managed via DHCP may lead to an error, TCPIP-E-DEFINTE, when starting TCP/IP. This causes TCP/IP to not start properly.
To work around this problem, shut down TCP/IP, then on the interface that was manually configured as DHCP, issue the following command:

    $ tcpip set config inter ifname/PRIMARY

Now restart TCP/IP.

3.3 SLIP Restrictions

The serial line IP protocol (SLIP) is not supported in this release.

3.4 Advanced Programming Environment Restrictions and Guidelines

The header files provided in TCPIP$EXAMPLES are provided as part of the advanced TCP/IP programming environment. The following list describes restrictions and guidelines for using them:

o  Use of the functions and data structures described in TCPIP$EXAMPLES:RESOLV.H is limited to 32-bit pointers. The underlying implementation will only handle 32-bit pointers. Previously, 64-bit pointers were wrongly accepted, resulting in undefined behavior for the underlying implementation.

o  The IP.H and IP6.H header files are incomplete in the OpenVMS environment. They contain include directives for header files that are not provided in this version of TCP/IP Services. Refer to the HP TCP/IP Services for OpenVMS Sockets API and System Services Programming for more information.

3.5 BIND/DNS Restrictions

BIND Version 9 has the following restrictions:

o  Certain DNS server implementations do not support AAAA (IPv6 address) records.
   When queried for an AAAA (IPv6) record type by the BIND resolver, these name servers will return an NXDOMAIN status, even if an A (IPv4) record exists for the same domain name. These name servers should be returning NOERROR as the status for such a query. This problem can result in delays during host name resolution.

   BIND Version 9.3.1, which is supported with this release of TCP/IP Services, and prior versions of BIND do not exhibit this problem.

o  Serving secure zones

   When acting as an authoritative name server, BIND Version 9 includes KEY, SIG, and NXT records in responses as specified in RFC 2535 when the request has the DO flag set in the query.

o  Secure resolution

   Basic support for validation of DNSSEC signatures in responses has been implemented but should be considered experimental.

   When acting as a caching name server, BIND Version 9 is capable of performing basic DNSSEC validation of positive as well as nonexistence responses. You can enable this functionality by including a trusted-keys clause containing the top-level zone key of the DNSSEC tree in the configuration file.

   Validation of wildcard responses is not currently supported.
   In particular, a "name does not exist" response will validate successfully even if the server does not contain the NXT records to prove the nonexistence of a matching wildcard.

   Proof of insecure status for insecure zones delegated from secure zones works when the zones are completely insecure. Privately secured zones delegated from secure zones will not work in all cases, such as when the privately secured zone is served by the same server as an ancestor (but not parent) zone.

   Handling of the CD bit in queries is now fully implemented. Validation is not attempted for recursive queries if CD is set.

o  Secure dynamic update

   Dynamic updating of secure zones has been partially implemented. Affected NXT and SIG records are updated by the server when an update occurs. Use the update-policy statement in the zone definition for advanced access control.

o  Secure zone transfers

   BIND Version 9 does not implement the zone transfer security mechanisms of RFC 2535 because they are considered inferior to the use of TSIG or SIG(0) to ensure the integrity of zone transfers.

o  SSL$LIBCRYPTO_SHR32.EXE requirement

   In this version of TCP/IP Services, the BIND Server and related utilities have been updated to use the OpenSSL shareable image SSL$LIBCRYPTO_SHR32.EXE.
   There is now a requirement that this shareable image from OpenSSL V1.2 or higher be installed on the system before starting the BIND Server. It must also be installed before using the following BIND utilities:

      BIND_CHECKCONF
      BIND_CHECKZONE
      DIG
      DNSSEC_KEYGEN
      DNSSEC_SIGNZONE
      HOST
      NSUPDATE
      RNDC_CONFGEN

3.6 IPv6 Restrictions

The following sections describe restrictions in the use of IPv6.

3.6.1 Mobile IPv6 Restrictions

Mobile IPv6 is not supported in this release.

3.6.2 IPv6 Requires the BIND Resolver

If you are using IPv6, you must enable the BIND resolver. To enable the BIND resolver, use the TCPIP$CONFIG.COM command procedure. From the Core environment menu, select BIND Resolver.

You must specify the BIND server to enable the BIND resolver. If you do not have access to a BIND server, specify the node address 127.0.0.1 as your BIND server.
  /         3.7 NFS Restrictions on Alpha Platformsa  G               The following sections describe problems and restrictionss*               with NFS on Alpha platforms.  2         3.7.1 NFS Server Problems and Restrictions  C               The following restrictions apply to the NFS server on $               OpenVMS Alpha systems:  F               o  When performing a mount operation or starting the NFSE                  server with OPCOM enabled, the TCP/IP Services MOUNTrF                  server can erroneously display the following message:  S                  %TCPIP-E-NFS_BFSCAL, operation MOUNT_POINT failed on file /dev/dir   (         3-4 Restrictions and Limitations u  1      I                                              Restrictions and LimitationshI                                   3.7 NFS Restrictions on Alpha Platformsf    H                  This message appears even when the MOUNT or NFS startupC                  has successfully completed. In the case of a mountsG                  operation, if it has actually succeeded, the following 0                  message will also be displayed:  B                  %TCPIP-S-NFS_MNTSUC, mounted file system /dev/dir  F               o  If the NFS server and the NFS client are in differentI                  domains and unqualified host names are used in requests, G                  the lock server (LOCKD) fails to honor the request and *                  leaves the file unlocked.  E                  When the server attempts to look up a host using its.G                  unqualified host name (for example, johnws) instead of G                  the fully qualified host name (for example, johnws.abczD                  com), and the host is not in the same domain as the+                  server, the request fails.n  E                  To solve this type of problem, you can do one of the                   following:w  H                  -  When you configure the NFS client, specify the fullyH                   
  qualified host name, including the domain name. This:                     ensures that translation will succeed.  G                  -  Add an entry to the NFS server's hosts database foreE                     the client's unqualified host name. Only that NFSbD                     server will be able to translate this host name.I                     This solution will not work if the client obtains itss2                     address dynamically from DHCP.  2         3.7.2 NFS Client Problems and Restrictions  B               o  To get proper timestamps, when the system time isF                  changed for daylight savings time (DST), dismount allH                  DNFS devices. (The TCP/IP management command SHOW MOUNTD                  should show zero mounted devices.) Then remount the                  devices.   H               o  The NFS client does not properly handle file names withD                  the semicolon character on ODS-5 disk volumes. (ForE                  example, a^;b.dat;5 is a valid file name.) Such filei6                  names are truncated at the semicolon.  F               o  The NFS client included with TCP/IP Services uses the-                  NFS Version 2 protocol only.   I                                          Restrictions and Limitations 3-5     b      $         Restrictions and Limitations/         3.7 NFS Restrictions on Alpha Platformsh    G               o  With the NFS Version 2 protocol, the value of the fileG,                  size is limited to 32 bits.  F               o  The ISO Latin-1 character set is supported. 
   The UCS-2 characters are not supported.

o  File names, including file extensions, can be no more than 236 characters long.

o  Files containing characters not accepted by ODS-5 on the active OpenVMS version or whose name and extension exceeds 236 characters are truncated to zero length. This makes them invisible to OpenVMS and is consistent with prior OpenVMS NFS client behavior.

3.8 NTP Problems and Restrictions

The NTP server has a stratum limit of 15. The server does not synchronize to any time server that reports a stratum of 15 or greater. This may cause problems if you try to synchronize to a server running the UCX NTP server, if that server has been designated as "free running" (with the local-master command). For proper operation, the local-master designation must be specified with a stratum no greater than 14.

3.9 SNMP Problems and Restrictions

This section describes restrictions to the SNMP component for this release. For more information about using SNMP, refer to the HP TCP/IP Services for OpenVMS SNMP Programming and Reference manual.

3.9.1 Incomplete Restart

When the SNMP master agent and subagents fail or are stopped, TCP/IP Services is often able to restart all processes automatically. However, under certain conditions, subagent processes may not restart. When this happens, the display from the DCL command SHOW SYSTEM does not include TCPIP$OS_MIBS and TCPIP$HR_MIB.
If this situation occurs, restart SNMP by entering the following commands:

    $ @SYS$STARTUP:TCPIP$SNMP_SHUTDOWN.COM

    $ @SYS$STARTUP:TCPIP$SNMP_STARTUP.COM

3.9.2 SNMP IVP Error

On slow systems, the SNMP Installation Verification Procedure can fail because a subagent does not respond to the test query. The error messages look like this:

    .
    .
    .
    Shutting down the SNMP service... done.

    Creating temporary read/write community SNMPIVP_153.

    Enabling SET operations.

    Starting the SNMP service... done.

    SNMPIVP: unexpected text in response to SNMP request:
    "- no such name - returned for variable 1"
    See file SYS$SYSDEVICE:[TCPIP$SNMP]TCPIP$SNMP_REQUEST.DAT for more
    details.
    sysContact could not be retrieved.  Status = 0
    The SNMP IVP has NOT completed successfully.
    SNMP IVP request completed.
    Press Return to continue ...

You can ignore these types of messages in the IVP.

3.9.3 Using Existing MIB Subagent Modules

If an existing subagent does not execute properly, you may need to relink it against the current version of TCP/IP Services to produce a working image. Some subagents (such as those for HP Insight Management Agents for OpenVMS) also require a minimum version of OpenVMS and a minimum version of TCP/IP Services.
  /               The following restrictions apply:   F               o  In general, only executable images linked against theD                  following versions of the eSNMP shareable image areE                  upward compatible with the current version of TCP/IPn                  Services:  F                  -  UCX$ESNMP_SHR.EXE from TCP/IP Services Version 4.2                     ECO 4y  I                  -  TCPIP$ESNMP_SHR.EXE from TCP/IP Services Version 5.0Ai                     ECO 1r  I                                          Restrictions and Limitations 3-7o    t      $         Restrictions and Limitations*         3.9 SNMP Problems and Restrictions    D                  Images built under versions other than these can beC                  relinked with one of the shareable images, or withhE                  TCPIP$ESNMP_SHR.EXE in the current version of TCP/IPK                  Services.  D               o  The underlying eSNMP API changed from DPI in TCP/IPD                  Services Version 5.0 to AgentX in later versions ofE                  TCP/IP Services. Therefore, executable images linkedeA                  against older object library versions of the APIuF                  (*$ESNMP.OLB) must be relinked against either the newC                  object library or the new shareable image. Linking B                  against the shareable image ensures future upwardB                  compatibility and results in smaller image sizes.  F                 ________________________ Note ________________________  ?                 Although images may run without being relinked,eE                 backward compatibility is not guaranteed. 
Such images can result in inaccurate data or run-time problems.

______________________________________________________

o  This version of TCP/IP Services provides an updated version of the UCX$ESNMP_SHR.EXE shareable image to provide compatibility with subagents linked under TCP/IP Services Version 4.2 ECO 4. Do not delete this file.

o  The SNMP server responds correctly to SNMP requests directed to a cluster alias. Note, however, that an unexpected host may be reached when querying from a TCP/IP Services Version 4.x system that is a member of a cluster group but is not the current impersonator.

o  The SNMP master agent and subagents do not start if the value of the logical name TCPIP$INET_HOST does not yield the IP address of a functional interface on the host when used in a DNS query. This problem does not occur if the server host is configured correctly with a permanent network connection (for example, Ethernet or FDDI). The problem can occur when a host is connected through PPP and the IP address used for the PPP connection does not match the IP address associated with the TCPIP$INET_HOST logical name.

o  Under certain conditions observed primarily on OpenVMS VAX systems, the master agent or subagent exits with an error from an internal select() socket call.
   In most circumstances, looping does not occur. If looping occurs, you can control the number of iterations by defining the TCPIP$SNMP_SELECT_ERROR_LIMIT logical name.

o  The MIB browser provided with TCP/IP Services (TCPIP$SNMP_REQUEST.EXE) supports getnext processing of OIDs that include the 32-bit OpenVMS process ID as a component. However, other MIB browsers may not provide this support.

   For example, the following OIDs and values are supported on OpenVMS:

      1.3.6.1.2.1.25.4.2.1.1.1321206828 = 1321206828
      1.3.6.1.2.1.25.4.2.1.1.1321206829 = 1321206829
      1.3.6.1.2.1.25.4.2.1.1.1321206830 = 1321206830

   These examples are from hrSWRunTable; the hrSWRunPerfTable may be affected as well.

o  You can ignore the following warning that appears in the log file if a null OID value (0.0) is retrieved in response to a Get, GetNext, or GetBulk request:

      o_oid; Null oid or oid->elements, or oid->nelem == 0

3.9.4 Upgrading SNMP

After upgrading to the current version of TCP/IP Services, you must disable and then enable SNMP using the TCPIP$CONFIG.COM command procedure. When prompted for "this node" or "all nodes," select the option that reflects the previous configuration.
  =         3.9.5 Communication Controller Data Not Fully Updatedp  A               When you upgrade TCP/IP Services and then modify an F               existing communication controller, programs that use theC               communication controller might not have access to the "               updated information.  I               To ensure that programs like the MIB browser (SNMP_REQUEST)sA               have access to the new data about the communicationt+               controller, do the following:   I                                          Restrictions and Limitations 3-9h v  i      $         Restrictions and Limitations*         3.9 SNMP Problems and Restrictions    E               1. Delete the communication controller using the TCP/IP D                  management command DELETE COMMUNICATION_CONTROLLER.  B               2. Reset the communication controller by running the@                  TCPIP$CONFIG.COM command procedure and exiting.  C               3. Restart the program (such as SNMP) by entering the $                  following commands:  1                  $ @SYS$STARTUP:SNMP_SHUTDOWN.COMm  0                  $ @SYS$STARTUP:SNMP_STARTUP.COM  2               4. Use the TCP/IP management command=                  LIST COMMUNICATION_CONTROLLER to display thel                  information.e  $         3.9.6 SNMP MIB Browser Usage  D               If you use either the -l (loop mode) or -t (tree mode)H               flag, you cannot also specify the -m (maximum repetitions)F               flag or the -n (nonrepeaters) flag. 
The latter flags are incompatible with loop mode and tree mode.

Incorrect use of the -n and -m flags results in the following types of messages:

    $ snmp_request mynode.co.com public getbulk -v2c -n 20 -m 10 -t 1.3.6.1.2.1
    Warning: -n reset to 0 since -l or -t flag is specified.
    Warning: -m reset to 1 since -l or -t flag is specified.
    1.3.6.1.2.1.1.1.0 = mynode.company.com

3.9.7 Duplicate Subagent Identifiers

With this version of TCP/IP Services, two subagents can have the same identifier parameter. Be aware, however, that having two subagents with the same name makes it difficult to determine the cause of problems reported in the log file.

3.9.8 Community Name Restrictions

The following restrictions on community names are imposed by TCPIP$CONFIG.COM:

o  Do not specify community names that include a space character.

o  A quotation mark (") specified as part of a community name might be handled incorrectly.
   Check the validity of the name with the SHOW CONFIGURATION SNMP
   command, and if necessary, correct the name with the SET
   CONFIGURATION SNMP command.

3.9.9 eSNMP Programming and Subagent Development

The following notes pertain to eSNMP programming and subagent
development.

o  In the documentation, the terms "extension subagent", "custom
   subagent", and "user-written subagent" refer to any subagent
   other than the standard subagents for MIB-II and the Host
   Resources MIB, which are provided as part of the TCP/IP Services
   product.

o  In the [.SNMP] subdirectory of TCPIP$EXAMPLES, files with the
   .C, .H, .COM, .MY, and .AWK extensions contain additional
   comments and documentation.

o  The TCPIP$SNMP_REQUEST.EXE, TCPIP$SNMP_TRAPSND.EXE, and
   TCPIP$SNMP_TRAPSND.EXE programs are useful for testing during
   extension subagent development.

o  For information about prototypes and definitions for the
   routines in the eSNMP API, see the TCPIP$SNMP:ESNMP.H file.

3.9.10 SNMP Installation Verification Program Restriction

The SNMP Installation Verification Program will not run correctly
if debug or trace options are turned on for any TCP/IP Services for
OpenVMS component.

For example, including the line:

   options debug

in TCPIP$ETC:RESOLV.CONF results in unsuccessful completion status.

The problem also exists if socket tracing is turned on and directed
to SYS$OUTPUT with the following command:

   $ DEFINE TCPIP$SOCKET_TRACE SYS$OUTPUT

The additional output produced by these and other debug or trace
options can cause problems with the SNMP IVP because it was
designed to parse output from a standard configuration only.

________________________ Note ________________________

To run the SNMP IVP test either run the program directly:

   $ RUN SYS$SYSROOT:[SYSTEST.TCPIP]TCPIP$SNMPIVP.EXE

or execute the TCPIP configuration menu:

   $ @SYS$MANAGER:TCPIP$CONFIG

and then select option "7 - Run tests" and then option
"2 - SNMP IVP".

______________________________________________________

3.10 SSH Problems and Restrictions

This section contains the following information:

o  SSH-related security advisories (Section 3.10.1)

o  SSH general notes and restrictions (Section 3.10.2)

o  UNIX features that are not supported by SSH (Section 3.10.3)

o  SSH command syntax notes and restrictions (Section 3.10.4)

o  SSH authentication notes and restrictions (Section 3.10.5)

o  SSH keys notes and restrictions (Section 3.10.6)

o  SSH session restrictions (Section 3.10.7)

o  SSH messages notes and restrictions (Section 3.10.8)

o  SSH remote command notes and restrictions
   (Section 3.10.9)

o  SSH batch mode restrictions (Section 3.10.10)

o  X11 port forwarding restrictions (Section 3.10.12)

o  File transfer restrictions (all file sizes) (Section 3.10.13)

o  File transfer restrictions (large files) (Section 3.10.14)

________________________ Note ________________________

References to SSH, SCP, or SFTP commands also imply SSH2, SCP2,
and SFTP2, respectively.

______________________________________________________

3.10.1 SSH-Related Security Advisories

Computer Emergency Readiness Team (CERT[R]) advisories are issued
by the CERT Coordination Center (CERT/CC), a center of Internet
security expertise located at the Software Engineering Institute, a
federally-funded research and development center operated by
Carnegie Mellon University. CERT advisories are a core component of
the Technical Cyber Security Alerts document featured by the United
States Computer Emergency Readiness Team (US-CERT), which provides
timely information about current security issues, vulnerabilities,
and exploits.

CERT and HP Software Security Response Team (SSRT) security
advisories might be prompted by SSH activity. CERT advisories are
documented at the following CERT/CC web site:

   http://www.cert.org/advisories.

Table 3-1 provides brief interpretations of several SSH-related
advisories:

Table 3-1 CERT/SSRT Network Security Advisories
_________________________________________________________________
Advisory          Impact on OpenVMS
_________________________________________________________________
CERT CA-2003-24   OpenSSH only; OpenVMS is not vulnerable.

CERT CA-2002-36   A worst case consequence of this vulnerability
                  is a denial of service (DoS) for a single
                  connection of one of the following types:

                  o  Server process handling a connection from a
                     malicious client

                  o  Client process connecting to a malicious
                     server

                  In either case, a malicious remote host cannot
                  gain access to the OpenVMS host (for example, to
                  execute arbitrary code), and the OpenVMS server
                  is still able to receive a new connection.

CERT-2001-35      OpenVMS is not vulnerable. Affects SSH Version 1
                  only, which is not supported.

CERT CA-1999-15   RSAREF2 library is not used; OpenVMS is not
                  vulnerable.

SSRT3629A/B       OpenVMS is not vulnerable.
_________________________________________________________________

3.10.2 SSH General Notes and Restrictions

This section includes general notes and restrictions that are not
specific to a particular SSH application.

o  The UNIX path /etc is interpreted by the OpenVMS SSH server as
   TCPIP$SSH_DEVICE:[TCPIP$SSH].

o  The following images are not included in this release:

   -  TCPIP$SSH_SSH-CERTENROLL2.EXE

      This image provides certificate enrollment.

   -  TCPIP$SSH_SSH-DUMMY-SHELL.EXE

      This image provides access to systems where only file
      transfer functionality is permitted.

   -  TCPIP$SSH_SSH-PROBE2.EXE

      This image provides the ssh-probe2 command, which sends a
      query packet as a UDP datagram to servers and then displays
      the address and the SSH version number of the servers that
      respond to the query.

3.10.3 UNIX Features That are Not Supported by SSH

This section describes features that are expected in a UNIX
environment but are not supported by SSH for OpenVMS.

o  The server configuration parameter PermitRootLogin is not
   supported.

o  The client configuration parameter EnforceSecureRutils is not
   supported.

o  There is no automatic mapping from the UNIX ROOT account to the
   OpenVMS SYSTEM account.

o  The SSH1 protocol suite is not supported for terminal sessions,
   remote command execution, and file transfer operations.
   Parameters unique to SSH1 in the server and client configuration
   files are ignored.

3.10.4 SSH Command Syntax

This section includes notes and restrictions pertaining to command
syntax.

o  From a non-OpenVMS client, if you use OpenVMS syntax for names
   (such as device names), enclose the names in single quotation
   marks to prevent certain characters from being interpreted as
   they would be on a UNIX system.

   For example, in the following command, UNIX interprets the
   dollar sign ($) as a terminator in the device name
   SYS$SYSDEVICE:[user], resulting in SYS:[user].

      # ssh user@vmssystem directory SYS$SYSDEVICE:[user]

   To avoid this problem, enter the command using the following
   format:

      # ssh user@vmssystem directory 'SYS$SYSDEVICE:[user]'

3.10.5 SSH Authentication

This section includes notes and restrictions pertaining to SSH
authentication.

o  The location of the SHOSTS.EQUIV file has been moved from
   TCPIP$SSH_DEVICE:[TCPIP$SSH] to
   TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2].

o  If hostbased authentication does not work, the SSH server may
   have failed to match the host name sent by the client with the
   one it finds in DNS/BIND. You can check whether this problem
   exists by comparing the output of the following commands
   (ignoring differences in case of the output text):

   -  On the server host:

         $ TCPIP
         TCPIP> SHOW HOST client-ip-address

   -  On the client host:

         $ write sys$output -
         $_ "''f$trnlnm("TCPIP$INET_HOST")'.''f$trnlnm("TCPIP$INET_DOMAIN")'"

      If the two strings do not match, you should check the host
      name and domain configuration on the client host. It may be
      necessary to reconfigure and restart TCP/IP Services on the
      client host.

o  If the user default directory in the SYSUAF user record is
   specified with angle brackets (for example, <user-name>) instead
   of square brackets ([user-name]), hostkey authentication fails.
   To solve this problem, change the user record to use square
   brackets.

o  The pairing of user name and UIC in the OpenVMS rights database,
   as displayed by the AUTHORIZE utility's SHOW /IDENTIFIER
   command, must match the pairing in the SYSUAF record for that
   user name.
   If the pairings do not match, the following error message is
   displayed when the user attempts to establish an SSH session:

      $ ssh hosta
      %SYSTEM-F-ACCVIO, access violation, reason mask=00, virtual address=0000000000000000, PC=FFFFFFFF811A88E8, PS=000

      Improperly handled condition, image exit forced.
        Signal arguments:   Number = 0000000000000005
                            Name   = 000000000000000C
                                     0000000000000000
                                     0000000000000000
                                     FFFFFFFF811A88E8
                                     000000000000001B

        Register dump:
        R0  = FFFFFFFFFFFFFFFE  R1  = 0000000000495D08  R2  = 000000000001DEE0
        R3  = 00000000004ABE18  R4  = 0000000000000000  R5  = 0000000000000000
        R6  = 0000000000000000  R7  = 0000000000000000  R8  = 0000000000000000
        R9  = 0000000000000000  R10 = 0000000000000000  R11 = 00000000002F7C20
        R12 = 0000000000000000  R13 = 0000000000498708  R14 = 00000000004EDF48
        R15 = 000000007AECFE10  R16 = 0000000000000000  R17 = 0000000000000000
        R18 = 0000000000000000  R19 = 000000007B624258  R20 = 0000000077770000
        R21 = 0000000000000008  R22 = FFFFFFFF77774A00  R23 = 0000000300000000
        R24 = 0000000000000001  R25 = 0000000000000001  R26 = 0000000000118A6C
        R27 = 000000007C062700  R28 = 0000000000000000  R29 = 000000007ADEF290
        SP  = 000000007ADEF290  PC  = FFFFFFFF811A88E8  PS  = 100000000000001B

   To solve this, use the AUTHORIZE utility to correct the pairing
   of user name and UIC value in the OpenVMS rights database.

3.10.6 SSH Keys

This section includes notes and restrictions pertaining to SSH
keys.

o  SSH client users can copy their own customized version of the
   SSH2_CONFIG. file and modify the value of the variable
   StrictHostKeyChecking. By setting the value of this variable to
   "no," the user can enable the client to automatically copy the
   public key (without being prompted for confirmation) from an SSH
   server when contacting that server for the first time.

   A system manager can tighten security by setting the
   StrictHostKeyChecking variable to "yes" in the systemwide
   SSH2_CONFIG. file, and forcing users to use only the systemwide
   version of the file. In this case, to copy the public key from
   the server, users (and the system manager) must use another
   mechanism (for example, a privileged user can manually copy the
   public key). To enforce this tighter security response, the
   system manager can perform the following steps:

   1. Edit TCPIP$SSH_DEVICE:[TCPIP$SSH]SSH2_CONFIG. to include the
      following line:

         StrictHostKeyChecking  yes

   2. Restrict user access to
      TCPIP$SSH_DEVICE:[TCPIP$SSH]SSH2_CONFIG. For example:

         $ SET SECURITY/PROTECTION=(G,W) TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSH2_CONFIG.;

   3. Edit the SYS$STARTUP:TCPIP$SSH_CLIENT_STARTUP.COM command
      procedure to install the SSH server image with the READALL
      privilege. In the following example, change the existing line
      to the replacement line, as indicated:

         .
         .
         .
         $     image = f$edit("sys$system:tcpip$ssh_ssh2.exe","upcase")
         $!    call install_image 'image' ""          <== existing line
         $     call install_image 'image' "readall"   <== replacement
         .
         .
         .

   4. Enable the SSH client, as described in the HP TCP/IP Services
      for OpenVMS Guide to SSH.

   ________________________ Note ________________________

   Steps 2 and 3 involve modification of system files. Therefore,
   it may be necessary to repeat the modifications after a future
   update of TCP/IP Services.

   ______________________________________________________

o  If you do not specify the key file in the SSH_ADD command, and
   SSH_ADD finds no IDENTIFICATION. file, it adds only the first
   private key it finds in the [username.SSH2] directory.
  )         3-18 Restrictions and Limitationsl    v      I                                              Restrictions and LimitationscI                                        3.10 SSH Problems and Restrictionst    F               o  Do not use the SSH_KEYGEN -e option (used to edit theH                  comment or passphrase of the key). This option does not                  work.  F               o  With this release, the default size of keys generatedD                  by the SSH_KEYGEN utility is 2048 bits (for earlierI                  releases, the default size was 1024 bits). Consequently, D                  generation of keys takes longer - sometimes five toA                  ten times longer. On slow systems, or during SSH E                  configuration, key generation may seem to be hanging D                  when it is not. No progress indicator is displayed.A                  During SSH configuration, the following messages 7                  indicate the keys are being generated:   T                  Creating private key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEYW                  Creating public key file: TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]HOSTKEY.PUBo  F                 ________________________ Note ________________________  F                 While the keys are being generated, you might notice a5                 delay. This does not indicate a hang.m  F                 ______________________________________________________           3.10.7 SSH Sessionsv  B               This section includes restrictions pertaining to SSH               sessions.   =               o  In an SSH session on the OpenVMS server, the G                  originating client host name and the user name or port D                  identification are not available. 
   For example, in a TELNET session, the OpenVMS DCL command SHOW
   TERMINAL displays the following information about a UNIX client:

      Remote Port Info: Host: unixsys.myco.com Port:2728

   Likewise, information about an OpenVMS client appears as:

      Remote Port Info: Host: mysys.com Locn:_RTA4:/USER

   Neither of these lines is displayed in a similar SSH session;
   however, information for SSH sessions is available in the
   logical names SYS$REM_ID (username) and SYS$REM_NODE and
   SYS$REM_NODE_FULLNAME (hostname).

o  Starting SSH sessions recursively (for example, starting one SSH
   session from within an existing SSH session) creates a layer of
   sessions. Logging out of the innermost session may return to a
   layer other than the one from which the session was started.

o  SSH escape sequences are not fully supported. For example, you
   may have to enter the Escape . (escape character followed by a
   space and a period) exit sequence twice for it to take effect.
   On exit, the terminal is left in NOECHO and PASTHRU mode.

o  On certain non-OpenVMS clients, after attempting to exit from an
   SFTP session, you must press Enter an extra time to return to
   the operating system prompt.

3.10.8 SSH Messages

This section includes notes and restrictions pertaining to SSH
session messages.

o  Normally, the translation of the system logical name
   SYS$ANNOUNCE is displayed after authentication is complete. In
   this version of SSH, no automated mechanism exists for
   displaying this text as a prelogin banner.

   To provide a prelogin banner from a text file, create the file
   SSH_BANNER_MESSAGE. containing the text to be displayed before
   login.

   To enter multiple lines in the banner text, make sure each line
   ends with an explicit carriage-return character except the last
   line.

   Save the banner message file in the
   TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2] directory, with privileges
   that allow it to be read by the user account [TCPIP$SSH].

   If you do not use the default file name and location for the
   message banner file, define them using the BannerMessageFile
   option in the TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG.
   file. Specify the location and file name of your banner message
   file as the argument to the option using one of the following
   formats:

      BannerMessageFile   TCPIP$SSH_DEVICE:[TCPIP$SSH]BANNER1.TXT
      BannerMessageFile   /TCPIP$SSH_DEVICE/TCPIP$SSH/BANNER2.TXT
      BannerMessageFile   /etc/banner3.txt

   Note that the argument may be in either OpenVMS or UNIX format
   and is not case sensitive.
   (If multiple definitions for the same option are included in the
   configuration file, the last one listed will take effect.)

o  Some SSH informational, warning, and error message codes are
   truncated in the display. For example:

      %TCPIP-E-SSH_FC_ERR_NO_S, file doesn't exist

o  Some SSH log and trace output messages, and informational,
   warning, and error messages display file specifications as UNIX
   path names.

3.10.9 SSH Remote Commands

This section includes notes and restrictions pertaining to SSH
remote commands.

o  Command lines for remote command execution through SSH are
   limited to 153 characters.

o  After you execute an SSH remote command, you may need to press
   the Enter key to get back to the DCL prompt.

o  When you execute remote commands on the OpenVMS SSH server, the
   log file TCPIP$SSH_RCMD.LOG is created in the directory defined
   by the logical name SYS$LOGIN for your user account. This log
   file is not purged automatically.

o  When you execute remote commands on an OpenVMS SSH client
   connected to a non-OpenVMS SSH server, output may not be
   displayed correctly.
   For example, sequential lines might be offset as if missing a
   linefeed, as in the following example:

      $ ssh user@unixhost ls -a
      user's password:
      Authentication successful.
      .
       ..
         .TTauthority
                     .Xauthority
                                .cshrc
                                      .dt
                                         .dtprofile

   To display the output correctly, use the -t option with the
   command, as in the following command example:

      $ ssh -t user@unixhost ls -a

o  Any OpenVMS command that refreshes the display can have
   unexpected results when executed as a remote SSH command. For
   example, the following command exhibits this behavior:

      $ MONITOR PROCESS /TOPCPU

   Executed locally, this command displays a bar chart that is
   continuously updated. When executed as a remote command, it
   displays each update sequentially. In addition, you cannot
   terminate the command using Ctrl/C.

3.10.10 SSH Batch Mode

This section includes batch mode restrictions.

o  Because the SSH, SFTP, and SCP commands are implemented by code
   ported from UNIX sources, they do not support all of the
   standard OpenVMS behaviors for SYS$INPUT, SYS$OUTPUT, and
   SYS$ERROR in command procedures.
   For example:

   -  SYS$INPUT is not the default batch command procedure.

   -  Output written to a batch log file or other SYS$OUTPUT file
      may have an extra <CR> (ASCII decimal 13) or other explicit
      formatting characters.

   -  You can direct SYS$OUTPUT to a file, as in the following
      example:

         $ ASSIGN OUT.DAT SYS$OUTPUT

o  When you run these commands from an interactive command
   procedure, you should use the explicit UNIX batch mode flags, as
   listed in the following table:

   ________________________________________________________
   For...                     Use...
   ________________________________________________________
   SSH (remote command        -o batchmode yes
   execution or port
   forwarding)

   SCP                        "-B"

   SFTP                       "-B" {batchfile}
   ________________________________________________________

o  If you use the SSH command in batch mode with an interactive
   session (that is, not for remote command execution or setting up
   port forwarding), the batch job hangs.

   If the "-S" option is used in an interactive SSH session, or
   with an SSH command executed interactively in a DCL command
   procedure, the terminal session hangs. Ctrl/Y and Ctrl/C will
   not restore the DCL prompt.
   To release the hung terminal session, you must restart the SSH
   client and server.

o  For the SFTP command, note the following:

   -  If the command is used without the -B {batchfile} option,
      SFTP uses the following file by default:
      SYS$LOGIN:TCPIP$SFTP_BATCHFILE.TXT.

o  When running in batch mode:

   -  The SFTP command displays the final state-of-progress
      indicator; the SCP command does not.

   -  The SSH command will not prompt for a password, password
      update, or passphrase. If one is required, the batch job
      fails.

   -  The SSH command will not cause a new host key to be saved if
      the value of StrictHostKeyChecking is "no"; SSH will not
      prompt for one if the value is "ask".

      For other notes and restrictions pertaining to keys, see
      Section 3.10.6.

   -  If an ls command is contained in the SFTP batch input, and
      the interactive output requires input from the keyboard to
      continue, then some of the output lines might be omitted from
      the batch log file.

3.10.11 ls Fails After cd to a Logical Name from a Tru64 UNIX Client

ls can fail when using sftp cd to a logical name from a Tru64 UNIX
client.

For a workaround, try the following:

1. cd to the path for the directory in UNIX format, e.g., instead
   of: cd tcpip$ssh_home, use cd /sys$sysdence/tcpip$ssh.

2. Perform the ls specifying the logical name in the path, e.g.,
   ls /tcpip$ssh_home.

3.10.12 SSH X11 Port Forwarding

This section includes X11 port forwarding restrictions and
problems.

o  To use X11 forwarding in native mode, the system must be running
   DECwindows MOTIF Version 1.3 or higher. In addition, the X
   Authority utility (xauth) is required on the system. The X11
   server uses this utility for authenticating host/user
   connections. For more information on how to use this utility,
   see the HP DECwindows Motif for OpenVMS documentation.

o  To display a remote X11 client application on your X11 server,
   you must set the display variable on the X11 client to the
   address of the X11 server the client is connecting to. You can
   verify that the variable is set correctly on an OpenVMS system
   by using the following DCL command:

      $ SHOW LOGICAL DECW$DISPLAY

   For WSA display devices, use the SHOW DISPLAY command to see the
   display variable value.

   To set the display variable on an OpenVMS client to point to
   your server, use the SET DISPLAY command as in the following
   example, where 127.127.1.1 is the server node address:

      $ SET DISPLAY/CREATE/NODE=127.127.1.1/TRANSPORT=TCPIP

   SSH on OpenVMS supports only local and TCP/IP transports.
   If you are using a local transport, you have to be at the system
   where the display is to appear, and that system must be running the
   X11 server. For local transport, use the following command to set
   the display:

      $ SET DISPLAY/CREATE/TRANSPORT=LOCAL

   On UNIX systems, use the following command to set the display
   variable to point to a server node with address 16.20.176.33 and
   using the TCP/IP transports:

      >setenv display 16.20.176.33:0.0

   To use local transport, use the following UNIX command:

      >setenv display :0.0

o  To set up a standard port forwarding session for X11 on a remote
   OpenVMS system, HP recommends that you use remote port forwarding;
   local port forwarding will not work.

3.10.13 SSH File Transfer (All File Sizes)

This section includes SSH restrictions pertaining to file transfer
operations.

o  On OpenVMS, setting the ForcePTTYAllocation keyword to "yes" in the
   SSH2_CONFIG. file can result in failures when performing file copy
   operations. (In other implementations of SSH, setting the keyword
   ForcePTTYAllocation to "yes" in the SSH2_CONFIG. file has the same
   effect as using the -t option to the SSH command.)

o  When connected to some servers, the client can detect benign file
   transfer protocol packet-length errors.
   By default, no message is displayed.

   To display warning messages, type the following:

      $ DEFINE/SYS NO TCPIP$SSH_TOLERANT_PROTOCOL STATUS

   using either the "NO" or any string starting with an upper- or
   lowercase N.

   Following is an example of a warning message:

      Warning: packet length mismatch: expected 27, got 8; connection to non-standard server?

   To retain the logical name assignment through each reboot, add the
   DEFINE command to the appropriate startup command procedure.

o  VMS Plus Mode:

   When the client and the server are OpenVMS systems running v5.6,
   they recognize each other as such and implement TCP/IP Services
   specific SFTP protocol extensions that allow transfer of files in
   either direction while preserving the key OpenVMS file attributes:
   record format and record attributes.

   The TCP/IP Services SCP client uses SFTP as the underlying protocol
   so VMS Plus mode works with SCP as well.

   VMS Plus mode supports only sequential organization files.

   Remember that if a v5.6 system is connected with an older TCP/IP
   Services system that does not support VMS Plus mode, file attributes
   will not be preserved.
   VMS Plus mode can only be used if both sides support it.

o  Talking to a system without VMS Plus:

   If one side of the file transfer, client or server, does not support
   VMS Plus mode for SFTP, file attributes will not be preserved.

   In this mode TCP/IP Services supports reading of any of the
   following types of sequential organization files:

   o  Stream_LF

   o  Variable Length

   o  VFC

   o  Fortran Carriage Control

   o  Fixed Length

   o  Undefined

   Note that which side is the server and which is the client is
   irrelevant. OpenVMS is simply running on the side that is reading
   the file. You can, for example, use SFTP client from OpenVMS to put
   a VFC file to UNIX, or you could use the SFTP client on the UNIX
   system to get the same file from the OpenVMS system. In either case,
   the OpenVMS system is reading the file and the UNIX system is
   writing it.

   Copying some VFC files from OpenVMS to systems not running OpenVMS
   and then back to OpenVMS may result in a file that the OpenVMS
   DIFFERENCES command shows as different from the original file.
   This is unpreventable, and the file as transferred out and back in
   is correct in that the TYPE and PRINT commands display it as
   expected and the output here is the same as that for the original
   file.

   Copying Fortran CC files from OpenVMS to systems other than OpenVMS
   will always result in a file that shows differences from the
   original. This is because on its transfer from OpenVMS to UNIX the
   Fortran CC attributes were converted to inline ASCII control
   character sequences that print the lines as the Fortran CC control
   bytes require. For example, the Fortran character for overstrike
   results in a pair of carriage returns for the line, thus
   implementing an overstrike.

o  TCP/IP Services supports only sequential file organization, not
   relative or indexed files.

   To transfer these unsupported files you can package the file(s) into
   an OpenVMS saveset and transfer that or, depending on how many hops
   over which SFTP/SCP implementations and operating systems, you may
   need to use more extreme measures.
   One way that works consistently (provided that you have FTSV
   installed) is packaging files into a save set, then using SPOOL
   COMPRESS to make them into a self-extracting VMS image, then using
   UUENCODE to transform the image into an ASCII text file.

o  Not all variants of UNIX path names are supported when referring to
   files on OpenVMS clients and servers.

o  The SCP and SFTP commands from the following Windows clients have
   been tested and interoperate correctly with the OpenVMS SSH server:

   -  PuTTY

   -  SSH Communications

   Other versions and other clients may work, depending on protocol
   implementation and factors such as whether the client can handle
   OpenVMS-format file specifications.

o  When using the SFTP command, pressing Ctrl/C does not display
   "Cancel" as expected. Also, Ctrl/T does not work as in DCL to
   display a status line; instead, it switches two adjacent characters,
   as on UNIX systems. Other problems with character handling have been
   fixed with this release, as reported in Section 4.19.

o  The SFTP ls command pauses for an extended time after displaying a
   page of data and then continues with the next page.
   This occurs because the ssh server is sending back a complete
   directory listing, which the client filters; therefore, for
   directories with many files, the delay is due to the client waiting
   for listing results from the server. This is typical sftp behavior,
   and not specific to OpenVMS.

o  Using SCP or SFTP command to copy a file back to itself (either in
   local mode, or by connecting back to the client host) fails with the
   following error:

      %TCPIP-E-SSH_FC_ERR_INVA, file record format invalid for copy

o  The SCP command issued from a client using SSH Version 1 will not
   work with the OpenVMS SSH server. The OpenVMS server does not
   support SSH Version 1.

3.10.14 SSH Transferring Large Files

This section includes restrictions pertaining to transferring large
files:

o  The minimum version of DECC$SHR running on your system must be that
   which was released with OpenVMS Version 8.2.

o  You may need to adjust memory parameters (WSDEF, WSQUO, WSEXTENT,
   and PGFLQUO) to accommodate the memory requirements of the file copy
   client and server. The exact value depends on system resources and
   virtual memory configuration. For more information, see Section 2.3.
   For ssh filecopy, testing has shown that the main parameter to
   adjust is PGFLQUO.

3.10.15 SSH Server Signals Internal Credentials Cache Error

If an SSH client attempts to use gssapi-with-mic authentication to the
TCP/IP Services for OpenVMS SSH server on a server host that is running
Kerberos V2.1, the SSH client user's TGT is forwardable (a kinit -f has
been done), and the GssapiDelegateCredentials flag is set, then the ssh
server will signal the following error in the server log:

   Internal credentials cache error

This error text may appear on the SSH client user's screen, depending
on configuration.

This can be worked around in any of the following ways:

1. Upgrade to Kerberos V3.0 on the SSH server host.

2. Use the kinit without the -f flag on the SSH client.

3. Turn the GssapiDelegateCredentials configuration switch off on the
   SSH client.

Because forwarding of client credentials with gssapi-with-mic
authentication to the OpenVMS SSH server is not supported, setting
GssapiDelegateCredentials is not necessary.

3.10.16 SFTP Generates Audit Warnings with Class Device

This restriction applies only to those using AUDIT with class device as
in the following command:

   $ SET AUDIT/ALARM/ENABLE=ACCESS=ALL/CLASS=DEVICE

If the SFTP server generates audit warnings for a logical IO to a
mailbox when the SFTP user exits SFTP, perform the following step to
prevent this from occurring:

   $ DEFINE/SYSTEM TCPIP$SSH_SERVER_WAIT_FOR_CHILD 1

3.10.17 BIND Resolver Diagnostics Creates an SSH Packet Corruption

When you turn on BIND Resolver Diagnostics using either of the
following methods, you can create an SSH packet corruption:

o  Define the logical name TCPIP$BIND_RES_OPTIONS to "debug".

o  Add the following line to TCPIP$ETC:RESOLV.CONF:

      options debug

3.11 TCPDUMP Restrictions

TCPDUMP works the same way on OpenVMS as it does on UNIX systems, with
the following restrictions:

o  On UNIX systems, tcpdump sets the NIC (Network Interface Controller)
   into promiscuous mode and everything in the transmission is sent to
   tcpdump.

   On OpenVMS systems, TCPDUMP only sees the packets destined for and
   sent from the local host. Therefore, TCPDUMP works in copy-all mode.
   Because it only sees a copy of the packets that are processed by the
   TCP/IP kernel, TCPDUMP can only trace natively IP, IPv6, and ARP
   protocols on Ethernet.

   TCPDUMP can format or filter packets that have been traced from
   another platform running TCPDUMP in promiscuous mode. In this case
   it will process other protocols, like DECnet.

o  Ethernet is the only supported type of NIC. Other types of NICs
   (such as ATM, FDDI, Token Ring, SLIP, and PPP) are not supported.

o  The -i option is not supported.
   On UNIX systems, this option specifies the interface that tcpdump is
   attached to.

   On OpenVMS systems, TCPDUMP obtains packets from the TCP/IP kernel.

o  The -p option is not supported. On UNIX systems, this option
   specifies that tcpdump stops working in promiscuous mode.

   On OpenVMS, TCPDUMP does not work in promiscuous mode. Therefore,
   this option is set by default.

o  If you are using the Ethereal software to dump IPv6 network traffic,
   use the following command format to write the data in the correct
   format:

      $ TCPDUMP -s 1500 -w filename

o  Only one process at a time can issue traces.
   This restriction applies to both TCPTRACE and TCPDUMP.

3.12 TCP/IP Management Command Restrictions

The following restrictions apply to the TCP/IP management commands:

o  TCP/IP Services Version 5.4 introduced failSAFE IP, which obsoletes
   the IP cluster alias address. Consequently, the following TCP/IP
   management commands are no longer supported:

   -  SET INTERFACE /NOCLUSTER

   -  SHOW INTERFACE /CLUSTER

   To display interface addresses, including IP cluster alias
   addresses, use the following TCP/IP management command:

      TCPIP> ifconfig -a

   To delete a cluster alias address from the active system, use a
   command similar to the following:

      TCPIP> ifconfig ie0 -alias 10.10.10.1

   The following TCP/IP management commands continue to be supported:

   -  SET INTERFACE/CLUSTER

   -  SET CONFIGURATION INTERFACE /CLUSTER

   -  SET CONFIGURATION INTERFACE /NOCLUSTER

   -  SHOW CONFIGURATION INTERFACE /CLUSTER

o  SET NAME_SERVICE /PATHS

   This command requires the SYSNAM privilege. If you enter the command
   without the appropriate privilege at the process level, the command
   does not work and you are not notified.
   If you enter the command at the SYSTEM level, the command does not
   work and you receive an error message.

o  SET SERVICE command

   When you modify parameters to a service, disable and reenable the
   service for the modifications to take effect.

For more information on TCP/IP Services management commands, refer to
the HP TCP/IP Services for OpenVMS Management Command Reference guide.

_________________________________________________________________

4  Corrections

This chapter describes the problems corrected in this version of TCP/IP
Services.

4.1 Advanced Programming Environment Problems Fixed in This Release

The following sections describe programming-related problems fixed in
this release.

4.1.1 Socket Routines Limited to 64k Bytes

In previous versions, the socket routines send(), recv(), read(),
write(), sendto(), and recvfrom(), along with the routines sendmsg(),
recvmsg(), readv(), writev(), etc., were limited to 64k bytes (65535,
or FFFF hex). That restriction has been lifted.

The QIO operations IO$_READVBLK and IO$_WRITEVBLK also now accept
buffer lengths greater than 64k, with a corresponding change in the
format of the IOSB. The size of the IOSB remains unchanged at 8 bytes.
However, the second half of the IOSB is now a copy of the returned byte
count. The count is still also returned in the second half of the first
longword, for compatibility with older applications. If the count
equals or exceeds 65535 bytes, that 16-bit count will be returned as
65535, the maximum possible value. Applications designed for TCPIP V5.5
and later are encouraged to reference the second longword of the IOSB
in order to determine how many bytes were successfully transferred. In
the event of an error return, the UNIX-style errno is still returned in
the second half of the first IOSB longword.

4.1.2 Symbol Vector Inappropriately Inserted in the IPC Options File

Problem:

In V5.5, a symbol vector for the routine socketpair was inappropriately
inserted in the IPC options file.
This caused applications that were linking directly against
TCPIP$IPC_SHR to ACCVIO when run on an OpenVMS V8.2 system.

Solution:

This problem has been corrected, which allows those previously linked
programs to run on recent versions of OpenVMS.

   ________________________ Note ________________________

   TCP/IP Services does not recommend or support linking
   directly against the TCPIP$IPC_SHR shareable image.

   ______________________________________________________

4.1.3 AF_AAL Defined Twice

Problem:

In previous releases, the file SOCKET.H in TCPIP$EXAMPLES had AF_AAL
defined twice, to two different values.

Solution:

This problem has been corrected.

4.2 BIND Server Problems Fixed in This Release

The following sections describe BIND server problems fixed in this
release.

4.2.1 BIND Server Not Properly Using the TCPIP$BIND_COMMON Logical Name

Problem:

In previous versions of TCP/IP Services, the BIND Server was not
properly using the TCPIP$BIND_COMMON logical name. This logical name is
a search list used in the multiple masters BIND server environment. It
is designed to detect files first in the sys$specific:[tcpip$bind]
directory, then in the BIND common directory.
The problem with the logical name caused the files in the
sys$specific:[tcpip$bind] directory to be ignored.

Solution:

This problem is corrected in this release; however, the solution
requires changes to your configuration.

To modify your configuration, perform the following steps:

1. Shut down the BIND server using the following command:

      $ @sys$manager:tcpip$bind_shutdown.com

2. Run the sys$manager:tcpip$bind_cluster_setup.com command procedure.
   This procedure creates a new common directory that replaces your
   previous common directory.

3. Copy all of the files in your previous BIND common directory to the
   new directory: common_device:[tcpip$bind].

4. Edit the directory substatement in the options statement in the BIND
   configuration file sys$specific:[tcpip$bind]tcpip$bind.conf:

      options {
         directory "TCPIP$BIND_COMMON:[TCPIP$BIND]";
      };

5. Start the BIND server using the following command:

      $ @sys$manager:tcpip$bind_startup.com

4.2.2 Change to List of BIND Servers in Resolver Configuration
      Recognized

Problem:

In previous releases, a change to the list of BIND servers in the
resolver configuration was not recognized when attempting to set host
via DECnet over IP.
The customer would have to reboot for changes to take effect.

Solution:

This problem is corrected in this release.

4.2.3 Resolver Clients Not Receiving Responses from the BIND Server

Problem:

In previous releases, some resolver clients did not get responses from
the BIND server after a failover event when using the cluster alias.

Solution:

This problem is corrected in this release.

4.2.4 ACCVIO When Using TSIG

Problem:

In previous releases, the NSUPDATE utility could ACCVIO when using TSIG
and attempting to delete a CNAME record. The ACCVIO would only occur if
some other NSUPDATE command was issued first with a send in between the
command.

Solution:

This problem is corrected.

4.3 FTP Server Problems Fixed in This Release

The following sections describe FTP server problems fixed in this
release.

4.3.1 FTP Does Not Allow IP Address Specification

Problem:

The FTP server does not allow you to specify an IP address other than
that of the connected client, or the specification of a privileged
port, in the PORT, LPRT, or EPRT commands. Any such commands are
rejected with the following error:

   500 Illegal {PORT|LPRT|EPRT} command.

The FTP server and client prevent data connection "theft" by a third
party.
For the FTP server, this applies to passive-mode connections from an IP
address other than the client's, or from a privileged port. For the FTP
client, this applies to active-mode connections from an IP address
other than the server's, or from a port other than port 20.

Solution:

If this software change is not acceptable, you can restore the original
behavior by defining the following logical names:

   _______________________________________________________________
   Server                           Client
   _______________________________________________________________
   TCPIP$FTPD_ALLOW_ADDR_REDIRECT   TCPIP$FTP_ALLOW_ADDR_REDIRECT
   TCPIP$FTPD_ALLOW_PORT_REDIRECT   TCPIP$FTP_ALLOW_PORT_REDIRECT
   _______________________________________________________________

These logical names allow you to relax the IP address and port checks
in the FTP server and the FTP client.

4.3.2 DCL DIRECTORY or UNIX ls Command Returns "Illegal Port Command"
      Error

Problem:

On an FTP client, if you use a password with an embedded space to log
into an OpenVMS FTP server, the following error message is returned in
response to the DCL command DIRECTORY or the UNIX command ls:

   500 Illegal PORT command.
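
The address and port checks that Section 4.3.1 describes for the PORT,
LPRT, and EPRT commands, as an added Python example (not HP's code).
The function names, the 1024 privileged-port boundary, the reuse of the
500 reply for malformed arguments, and the sample addresses are
assumptions; the two keyword arguments model the
TCPIP$FTPD_ALLOW_ADDR_REDIRECT and TCPIP$FTPD_ALLOW_PORT_REDIRECT
logical names.

```python
import ipaddress

# Conventional boundary for privileged ports (assumption; the release
# notes only say "privileged port").
PRIVILEGED_PORT_LIMIT = 1024


def _byte_fields(arg):
    """Split a comma-separated argument into integers in the range 0..255."""
    fields = arg.split(",")
    if not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("non-numeric field")
    values = [int(f) for f in fields]
    if any(v > 255 for v in values):
        raise ValueError("field out of range")
    return values


def parse_port(arg):
    """PORT h1,h2,h3,h4,p1,p2 (RFC 959)."""
    v = _byte_fields(arg)
    if len(v) != 6:
        raise ValueError("PORT needs six fields")
    return ipaddress.IPv4Address(bytes(v[:4])), (v[4] << 8) | v[5]


def parse_lprt(arg):
    """LPRT af,hal,h1..hn,pal,p1..pn (RFC 1639); IPv4 and IPv6 only."""
    v = _byte_fields(arg)
    if len(v) < 3:
        raise ValueError("LPRT too short")
    af, hal = v[0], v[1]
    if (af, hal) not in ((4, 4), (6, 16)) or len(v) != hal + 5 or v[2 + hal] != 2:
        raise ValueError("unsupported LPRT layout")
    host = bytes(v[2:2 + hal])
    addr = ipaddress.IPv4Address(host) if af == 4 else ipaddress.IPv6Address(host)
    return addr, (v[-2] << 8) | v[-1]


def parse_eprt(arg):
    """EPRT <d>proto<d>address<d>port<d> (RFC 2428); proto 1=IPv4, 2=IPv6."""
    if len(arg) < 2:
        raise ValueError("EPRT too short")
    parts = arg.split(arg[0])
    if len(parts) != 5 or parts[0] or parts[4]:
        raise ValueError("malformed EPRT argument")
    proto, host, port = parts[1:4]
    addr = ipaddress.ip_address(host)
    if proto not in ("1", "2") or addr.version != (4 if proto == "1" else 6):
        raise ValueError("protocol and address family disagree")
    if not (port.isascii() and port.isdigit()) or int(port) > 65535:
        raise ValueError("bad port")
    return addr, int(port)


PARSERS = {"PORT": parse_port, "LPRT": parse_lprt, "EPRT": parse_eprt}


def _canonical(addr):
    """Treat an IPv4-mapped IPv6 address (::ffff:a.b.c.d) as plain IPv4."""
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def check_data_command(line, peer_ip, allow_addr_redirect=False,
                       allow_port_redirect=False):
    """Return (accepted, message) for one PORT/LPRT/EPRT control line.

    peer_ip is the address of the connected control-channel client.
    """
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb not in PARSERS:
        raise ValueError("not a PORT, LPRT or EPRT command")
    illegal = f"500 Illegal {verb} command."
    try:
        addr, port = PARSERS[verb](arg.strip())
    except ValueError:
        return False, illegal  # assumption: malformed input gets the same reply
    peer = _canonical(ipaddress.ip_address(peer_ip))
    if _canonical(addr) != peer and not allow_addr_redirect:
        return False, illegal  # data connection aimed at a third party
    if port < PRIVILEGED_PORT_LIMIT and not allow_port_redirect:
        return False, illegal  # data connection aimed at a privileged port
    return True, f"{verb} target {addr} port {port} accepted"


if __name__ == "__main__":
    # Constructed control lines; 192.0.2.10 is the connected client.
    for sample in ("PORT 192,0,2,10,19,137",      # own address, port 5001
                   "PORT 198,51,100,7,19,137",    # some other host
                   "PORT 192,0,2,10,0,22",        # own address, port 22
                   "EPRT |1|192.0.2.10|5001|",
                   "LPRT 4,4,192,0,2,10,2,19,137"):
        print(sample, "->", check_data_command(sample, "192.0.2.10"))
```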

Solution:

This problem is corrected in this release.

4.4 FTP Client Problems Fixed in This Release

The following sections describe FTP client problems fixed in this
release.

4.4.1 FTP Client Fails to Delete Interim Files after GET/MGET Commands

Problem:

After an FTP GET or MGET command entered with wildcard characters
completes, the temporary TCPIP$FTP_TEMPnnnnnnnn.TMD files created by
FTP are supposed to be deleted from the SYS$SCRATCH area. However, if
no files match the wildcard criteria, FTP fails to delete any of the
temporary files. (If at least one file matches the wildcard criteria,
FTP successfully deletes any TCPIP$FTP_TEMPnnnnnnnn.TMD files created
in SYS$SCRATCH.)

Solution:

This problem is corrected in this release.

4.5 IMAP Problems Fixed in This Release

The following sections describe IMAP problems fixed in this release.

4.5.1 TELNET to IMAP SSL Port 993 Hangs and Aborts The Same Results in
      Server Crash

Problem:

When using IMAP with SSL support, the IMAP client sometimes cannot
connect to the server.
Events such as the following are signaled in the IMAP server event log:

   12:41:50 3020041B Session 10: Session::DoRun, one of our exceptions was unprocessed.
   12:41:50 3020041B Session 10: Socket::Write, Network Error:0

A connection request to IMAP SSL port 993 must complete the SSL
handshake to succeed. Raw telnet cannot perform an SSL handshake and
therefore hangs. However, exceptions on the SSL handshake were
server-wide, and hence any unhandled exception was fatal to the server.

Solution:

The problem has been rectified by making the SSL handshake session
specific.

4.5.2 A Message Line Containing More Than 255 Characters Gets Truncated
      to 255 When Fetched via IMAP

Problem:

In a message, any line containing more than 255 characters (i.e.,
without intermediate CR/LF) was truncated to 255. This was too short in
many cases.

Solution:

With this fix, IMAP now reads message lines up to 2048 characters
including CR/LF.

4.5.3 IMAP server crashes intermittently

Problem:

IMAP server crashes intermittently while fetching messages with more
than 256 characters per line. IMAP server crashes intermittently while
listing empty folders.

Solution:

This has been rectified in this release.
The memory corruptions in various functions, which had caused IMAP to
crash, have been fixed.

4.6 IPv6 Problems Fixed in This Release

The following sections describe IPv6 problems fixed in this release.

4.6.1 iptunnel create Command Causes BIND Lookups for IPv4 Addresses

Problem:

When invoking an iptunnel create command that specifies IPv4 addresses
for the tunnel source or end points, numerous DNS name resolution
queries are sent to the name server even though resolution is not
needed. These queries could result in a delay.

Solution:

This problem is corrected in this release.

4.7 LPD/LPR and TELNETSYM Problems Fixed in This Release

The following sections describe LPD/LPR and TELNETSYM server problems
fixed in this release.

4.7.1 Print Jobs Using Wildcard Proxy from Hosts with No Name to
      Address Translation Available Are Rejected

Problem:

Print jobs using wildcard proxy from hosts with no name to address
translation available should succeed but are rejected.

Solution:

This release resolves this problem. Print jobs using wildcard proxy
from hosts with no name to address translation available will now
succeed.

4.7.2 $PRINT/PARAM=(host=x) would report an access violation (ACCVIO)

Problem:

$PRINT/PARAM=(host=x) would report an access violation (ACCVIO).

Solution:

This problem is corrected in this release.

4.8 NFS Server Problems Fixed in This Release

The following sections describe NFS server problems fixed in this
release.

4.8.1 NFS Server Overwrites Files with Case-Sensitive Lookup

With OpenVMS Version 7.3-1 and higher the /CASE_LOOKUP=BLIND qualifier
with the SET PROCESS command causes the case of file names to be
ignored during lookups, while /CASE_LOOKUP=SENSITIVE causes the case of
file names to be considered. However, if case sensitivity is not
enabled on the NFS server, and the NFS client attempts to create both
of those files, unexpected results can happen. For example, the second
file might overwrite the first.

With this release of TCP/IP Services, the TCP/IP management command ADD
EXPORT has two new options: CASE_BLIND and CASE_SENSITIVE, which
control UNIX-like case sensitivity for NFS server file lookups.
For example, when case sensitivity is enabled, NFS preserves
the case in the file names AaBBc.TXT and AABBC.TXT, regarding them
as two different files.

In general, TCP/IP Services clients (not servers) determine whether
lookups are case sensitive because they perform lookups in their
local directory cache rather than on the server. However, when a
file is being created, the server controls whether case sensitivity
is in effect. Make sure that the case-sensitivity options for the
server and client match; otherwise, unexpected results can occur.

For more information on the CASE_BLIND and CASE_SENSITIVE options,
enter the following command:

    $ TCPIP HELP ADD EXPORT

4.8.2 Directories Created by non-VMS Clients Do Not Inherit
      Version Limit

Problem:

Newly created directories should inherit the version limit
attribute from their parent directory. When a directory is created
at the request of an OpenVMS NFS client, the attribute is inherited
as expected; however, directories created at the request of
non-OpenVMS NFS clients do not inherit this attribute. This is a
problem particularly for UNIX clients, because UNIX files only have
one version, but the version limit of a new directory is set to
zero (no limit).

Solution:

This problem is corrected in this release.
Directories created for non-OpenVMS clients now inherit the parent
directory's version limit attribute.

4.8.3 NFS Server and netstat Do Not Run Properly on Alpha Systems
      Not Running EV56 or Later Technologies

Problem:

On Alpha systems predating the EV56 processor, the NFS server and
the netstat utility either experience excessive instruction time or
do not run at all.

Solution:

This problem is corrected in this release.

4.8.4 MOUNT Server Problems Fixed in This Release

The following sections describe MOUNT server problems fixed in this
release.

4.8.5 Client Unable to Mount Devices

Problem:

In previous releases, if at least two exports were added to the
export database, with options specified, a client was unable to
mount both of the devices.
It would only be able to mount the last export entered.

Solution:

This problem is corrected in this release.

4.9 NTP Problems Fixed in This Release

The following sections describe NTP problems fixed in this release.

4.9.1 NTPDATE Issue If the NTP Service Is Not Defined

Problem:

In previous releases of TCP/IP Services, if the NTP service was not
defined in the TCP/IP Configuration database, the ntpdate utility
would produce an error or ACCVIO.

Solution:

This problem is corrected in this release.

4.9.2 NTP Server Automatically Purges Log Files

Problem:

Previously, the NTP server would automatically purge log files when
NTP was started (/keep=5). As long as NTP remained running, another
purge was not performed.

Solution:

With this release the NTP server will still purge log files at NTP
startup time. In addition it will also automatically purge log
files once per day before creating the new daily log file.

4.9.3 NTP Broadcast Feature Does Not Work on an IPv6-enabled
      System

Problem:

In V5.5 the NTP broadcast feature was not working on an
IPv6-enabled system.

Solution:

This problem has been corrected.

4.10 LBROKER Problems Fixed in This Release

The following section describes LBROKER problems fixed in this
release.

4.10.1 Load Broker Polls Metric Servers Only Twice

Problem:

In previous releases of the TCP/IP software, the load broker would
poll the metric servers twice before marking the address for
removal from the DNS alias. The documentation stated that metric
servers would be polled three times before the address is marked
for removal.

Solution:

The software has been corrected to align with the documentation.

4.11 UCP Problems Fixed in This Release

The following section describes UCP problems fixed in this release.

4.11.1 TCPIP SHOW CONFIG NAME Incorrectly Generates Write Audit
       Alarm

Problem:

The TCPIP SHOW CONFIGURATION NAME command generates a security
alarm for a WRITE operation on the TCPIP$CONFIGURATION.DAT file.

Solution:

This release fixes this problem.
The WRITE mode has been removed when accessing the
TCPIP$CONFIGURATION.DAT file using TCPIP SHOW CONFIGURATION
commands.

4.11.2 TCPIP SHOW MAIL/ENTRY Failure

Problem:

The TCPIP SHOW MAIL /ENTRY=entry_number command fails on every
alternate attempt when executed from the same terminal session.

Solution:

This problem has been fixed in this release.

4.11.3 PIPE to tcpip show conf communication fails

Problem:

The tcpip show configuration communication command works well when
running standalone. However, the command fails when executed in a
pipe and displays the following error:

    $pipe tcpip show configuration communication | type sys$input
    %TCPIP-E-TCPIPDISPLAY, error displaying information
    -TCPIP-F-BUGCHK, TCPIP internal error
    -RMS-F-SYS, QIO system service request failed

Solution:

This problem has been fixed in this release.

4.11.4 Problems Generating Correct Database Files with the TCPIP
       CONVERT/UNIX BIND Command

Problem:

In previous releases, there could be problems generating correct
database files when using the TCPIP CONVERT /UNIX BIND command.
This could result in database files that contained unqualified
hostnames in the SOA and NS records.

Solution:

This problem has been corrected.

4.11.5 Illegal BIND Resolver Search Lists Defined via the TCPIP
       SET NAME/PATH Command

Problem:

In previous releases, UCP would allow illegal BIND Resolver search
lists (paths) to be defined via the TCPIP SET NAME/PATH command.

Solution:

This problem has been corrected.

4.12 RLOGIN Problems Fixed in This Release

The following section describes RLOGIN problems fixed in this
release.

4.12.1 System Crash, INCONSTATE for an RLOGIN socket

Problem: System crash with INCONSTATE when logging out of RLOGIN.

Solution:

This problem occurs only with the Scalable Kernel and is fixed in
this release.

4.13 RSH Problems Fixed in This Release

The following section describes RSH problems fixed in this release.

4.13.1 RMT Server Does Not Work with Solaris Clients

Problem: OpenVMS RMT server does not work with Solaris RMT clients.

Solution:

This release corrects this problem. Upon the failure, the Solaris
client checks that it can still access the server by sending an S.
The fix is to add code to detect the S command.

4.13.2 RSH /Escape_character for the Alpha Client Causes an
       Access Violation

Problem: RSH /escape_character for the Alpha client causes either
an access violation or improper terminal characteristics.

Solution:

This problem is fixed in this release.

4.14 RCP Problems Fixed in This Release

The following section describes RCP problems fixed in this release.

4.14.1 RCP Command Returns Error Status When /LOG Option is Used

Problem: The RCP command returns error status when the /LOG option
is used though the job completed successfully.

Solution:

This problem is corrected in this release. The RCP command now
returns the appropriate status when the /log option is used.

4.14.2 RCP Cannot Locate A File in the Current Directory When SET
       DEFAULTed to a Search List

Problem: RCP cannot locate a file in the current directory when you
are SET DEFAULTed to a search list.

Solution:

This release corrects this problem in RCP.
RCP can now locate and copy the file in the current directory when
you have SET DEFAULTed to a search list.

4.15 SMTP Problems Fixed in This Release

The following sections describe SMTP problems fixed in this
release.

4.15.1 Try-A-Records Governs SMTP Symbiont Use of A Records For
       Relay

Problem:

When attempts to relay outbound mail to the gateway(s) specified in
MX records fail, the SMTP symbiont tries to relay outbound mail
using A records. This is a hedge against misconfigured MX records.
In today's Internet however, hosts pointed to by A records for a
domain are often configured to reject mail for the domain when it
doesn't come from a known host as a counter measure to protect
against SPAM route through. Attempts to relay mail to such a host
may be rejected mid-way through the SMTP dialog. This causes the
message to be bounced.

Solution:

A new Try-A-Records switch is added to the SMTP.CONFIG file to
govern the SMTP symbiont's use of A records for outbound mail relay
should attempts to relay to MX gateways fail or should no MX
records be present.

The switch can take the values "NEVER", "ALWAYS" or "IFNOMX".
These values are as follows:

Value     SMTP Symbiont Behavior

NEVER     The SMTP symbiont will never try to relay mail using A
          records, even if no MX records are found.

ALWAYS    The SMTP symbiont will always try to relay mail using A
          records. Note that gateways specified in MX records are
          still tried first. A records are used only if attempts to
          contact MX gateway(s) fail or when no MX records are
          found.

IFNOMX    The SMTP symbiont will try to relay mail using A records
          only if no MX records are found. If one or more MX
          records are found, A records will not be used. The
          default value of the configuration field for
          Try-A-records is IFNOMX.

4.15.2 Any Message Header That Unfolds into a Single Line Longer
       Than 7192 Bytes Causes SFF to Loop Infinitely

Problem:

The SMTP SFF feature (TCPIP$SMTP_SFF.EXE image) loops for a mail
message that contains a single header longer than 7192 bytes.
If such a message is delivered to a recipient who has email
forwarded to a PIPE% MAILSHR mechanism that uses SFF (such as
SpamAssassin), the symbiont will hang, waiting for the looping
PIPE% child process.

Solution:

A fix has been implemented in this release.

4.15.3 SMTP Fails to Send Mail with a Record Size Greater than
       4093

Problem:

SMTP symbiont had a buffer limit of 4093 characters per record it
reads from the control file (CF). Any record that exceeded this
limit resulted in %TCPIP-E-SMTP_CFGETERROR and deletion of that
control file. This eventually resulted in loss of mail.

Solution:

With this release, the read buffer limit of the SMTP symbiont is
made flexible to extend itself to the largest record size limit of
a message.

4.15.4 Unprivileged User Sending MAIL Results in Security Alarms
       for Queue CONTROL and READ access

Problem:

When a user sends MAIL, this would be submitted to the SMTP
symbiont server queue i.e., TCPIP$SMTP_nodename_00. The SMTP has to
check for the existence of this queue. Hence when an unprivileged
user sends a mail, the security alarms for queue control and read
access are being generated.

Solution:

The code has been rectified to suppress these security alarms while
searching for the queue.
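
The check below is an added example, not code from HP or from
TCP/IP Services: a pre-delivery scan for the condition described in
section 4.15.2, a header that unfolds to more than 7192 bytes. It
assumes the limit counts the whole unfolded header line (field name
included, line terminator excluded); the function names and sample
messages are constructed for illustration.

```python
"""Flag mail whose headers unfold past the 7192-byte figure in section 4.15.2."""

SFF_HEADER_LIMIT = 7192  # bytes, from the release note; the counting rule is an assumption


def _split(line: bytes):
    """Return (field_name, whole_line); lines without a colon get a marker name."""
    name, sep, _ = line.partition(b":")
    return (name.decode("ascii", "replace") if sep else "(no field name)", line)


def unfolded_headers(raw: bytes):
    """Yield (field_name, unfolded_line) for each header of a raw message.

    Unfolding follows RFC 5322: a line break followed by a space or tab is
    dropped, so the continuation is appended to the previous line. Both CRLF
    and bare LF line endings are accepted.
    """
    current = None
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line:                      # empty line ends the header block
            break
        if line[:1] in (b" ", b"\t"):     # continuation of the previous header
            if current is not None:
                current += line
            continue                      # continuation before any header: ignored
        if current is not None:
            yield _split(current)
        current = line
    if current is not None:
        yield _split(current)


def oversized_headers(raw: bytes, limit: int = SFF_HEADER_LIMIT):
    """Return [(field_name, unfolded_length)] for headers longer than limit."""
    return [(name, len(line)) for name, line in unfolded_headers(raw)
            if len(line) > limit]


def disposition(raw: bytes) -> str:
    """'quarantine' if any header would exceed the limit, else 'deliver'."""
    return "quarantine" if oversized_headers(raw) else "deliver"


# --- Constructed sample messages (not taken from any real mail flow) ---------
_PIECE = b" <" + b"m" * 58 + b">"          # one 61-byte folded continuation line
FOLDED_LONG = (
    b"From: sender@example.invalid\r\n"
    b"References:" + b"".join(b"\r\n" + _PIECE for _ in range(120)) + b"\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"body\r\n"
)
LONG_BODY_ONLY = b"Subject: ok\r\n\r\n" + b"x" * 9000 + b"\r\n"

if __name__ == "__main__":
    for label, msg in (("folded", FOLDED_LONG), ("body", LONG_BODY_ONLY)):
        print(label, disposition(msg), oversized_headers(msg))
```

A check on physical line length alone misses the folded sample: each
of its lines is 61 bytes or shorter, yet the References header
unfolds to 7331 bytes.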
  3         4.15.5 MAIL to SMTP% Causes Security Alarmsn                 Problem:  F               When a user without privileges turned on but with SYSPRVE               granted in the SYSUAF as an authorized privileges sends 9               MAIL to %SMTP, this causes security alarms.n                 Solution:l  G               This fix is provided in this release. The solution was to 1               provide the appropriate privileges.   -         4.15.6 ACCVIO Due to Improper ParsingH                 Problem:  F               Upon starting SMTP or issuing the TCPIP SHOW MX command,E               there could be an ACCVIO due to improper parsing of the <               Authority section of the DNS response message.                 Solution:   8               This problem is corrected in this release.           4-16 Corrections _  _      I                                                               CorrectionsnI                                  4.15 SMTP Problems Fixed in This Release     <         4.15.7 Selecting MX Records to Route Mails Correctly                 Problem:  G               Selection of MX records to route mails to destination didnH               not work according to the preference values. 
When multiple MX records from the DNS server are given and one of
them has a preference value of 32768 or 65535, then the MX record
with that value will be used first instead of other MX records with
lower preference values.

Solution:

This problem is corrected in this release.

4.16 Startup Problems Corrected in This Release

The following sections describe Startup problems fixed in this
release.

4.16.1 Unrecognized Command Verb Errors

Problem:

Previously, users of site specific startup and shutdown command
procedures could get %DCL-W-IVVERB, unrecognized command verb
errors if they attempted to define or use symbols from within those
procedures.

Solution:

This problem has been corrected.

4.17 SNMP Problems Fixed in This Release

The following sections describe SNMP problems fixed in this
release.

4.17.1 SNMP Poll Time Is Not Configurable

Problem:

The SNMP poll time could not be changed. At times, this would cause
the SNMP process to loop consuming high CPU utilization.

Solution:

The default reset/refresh value of SNMP_POLL_TIME is 30 seconds.
This release allows the user to set the desired poll time.

4.18 Sockets API Problems Fixed in This Release

The following sections describe Sockets API problems fixed in this
release.

4.18.1 Socket Function getaddrinfo() Hangs

Problem:

Two successive calls to getaddrinfo() in the same program cause the
second call to hang. This is only true if the af parameter is
AF_INET6 and the ai_flags parameter has not been set to AI_ALL or
AI_ADDRCONFIG.

Solution:

This problem is corrected in this release.

4.19 SSH Problems Fixed in This Release

The following sections describe SSH problems fixed in this release.

4.19.1 OpenVMS SSH Does Not Support Mixed Case Passwords

Problem:

OpenVMS SSH does not support mixed case passwords.

Solution:

Mixed case passwords are supported, assuming the username has the
PWDMIX flag set.
Note that when converting an account to use mixed case passwords,
for access through SSH or other method, you must exercise care in
resetting the password. Specifically, beware of the following
sequence:

o  pwdmix flag not set, password: changeme (Can be entered in any
   case.)

o  set pwdmix flag; now can login only with CHANGEME (all
   uppercase)

o  reset password to be changeme (lowercase)

o  now can login only with changeme (all lowercase)

o  remove pwdmix flag

o  Now the user may be unable to login until the password is reset
   by system administrator.

Note that the problems shown by this example have nothing directly
to do with ssh, but are a function of OpenVMS password handling.

4.19.2 Signals Cause Extraneous or Cryptic Messages

Problem:

Signals received by ssh client and server result in the display of
extraneous or cryptic messages.

Solution:

Some signals are now silently ignored; others result in standard
VMS/DCL output.

4.19.3 CTRL/C Did Not Work During sftp2/scp2 filecopy

Problem:

CTRL/C did not work once a filecopy had started in sftp2 or scp2;
stopping the ssh/sftp/scp processes was the only way to abort copy
on a large file.

Solution:

After entry of CTRL/C additional steps may be needed to restart a
filecopy.
For sftp, for example, it may be necessary to enter the quit
command, and then restart sftp; for scp it may be necessary to
enter CTRL/C a second time or a $ STOP at the DCL level.

The target file may remain locked until the client side processes
have been fully stopped.

The attributes on an incompletely copied target file may not be
correct. In this case a manual deletion of the incomplete target
file may be needed once the client side processes have either
completed or been stopped.

4.19.4 Usernames with $ Not Supported

Problem:

Usernames with $ not supported.

Solution:

Any valid OpenVMS usernames are now supported.

4.19.5 Problem With Timeout in Locking of X11 xauth Authority
       File

Problem:

Error in tcpip$ssh_run.log indicates timeout in locking authority
file, combined with failure to run X application in the ssh session
started at ssh client.

Solution:

The following documentation on a new option, DecwXauthLockAction,
is drawn from that included in the file sshd2_config., included in
this release:

    # Valid options are:
    # none: no special action (default)
    #   This option is also in effect if there is no value specified, or if
    #   the variable is commented out.
    # break: break lock (xauth -b)
    # ignore: ignore lock (xauth -i)
    # file: use alternate xauth filename (xauth -f {filename})
    #
    # DecwXauthLockAction none

There is a risk to using the "break" or "ignore" options. The
general rule is that whichever user exits last will write a version
of the xauth file which includes only the contents at the time it
opened the file + any changes that user made. Any changes from
other user(s) are lost.

If a user's display station has considerable activity from
different users (including applications), then using "ignore" may
cause problems. Perhaps in a case of the typical ssh user, the
display host is single user, and is that user's dedicated display
device; in that case ignore may be reasonable.

If the user is not concerned about having multiple users on a host,
then either the "ignore" or "break" values may be appropriate.

Because of the potential for lost data, users may prefer the "file"
option. In this case, each ssh server that starts when the xauth
file is locked will write for the user a unique xauth file, to be
used only by sessions supported by that instance of the ssh server.
The file is located in the user's sys$login, and has a name in the
format: DECW$XAUTHORITY.DECW$XAUTHnnnnnnnn where nnnnnnnn = the 8
digit hex value of the pid of ssh server process (not of the user's
interactive session process). On OpenVMS, each ssh session starts a
new server process, and so the xauth file will be used by a user
for a single ssh session; hence there will be no conflict with
either the default xauth file or xauth files from different ssh
server instances. The pid of the server process is used because
given the way the base UNIX code works, the file has to be created
before the interactive terminal process is created.

One restriction with the "file" option, that does not apply to the
"break" or "ignore" options: $ CREATE/TERM does not work.

Because the DECW$DISPLAY logical is in the job logical name table
(so that the terminal process can inherit it with the ssh server
process), the DECW$XAUTH logical is in that table also, for the
same reason.

For more on xauth and interaction of ssh and X11, see the
DECwindows/Motif documentation, especially New Features guide, and
commercially published books on X11.

4.19.6 Cannot Issue a $ CREATE TERM/DETACH from an SSH Session
       Itself Created Using That Command

Problem:

Cannot cascade $ CREATE TERM/DETACH from ssh session (using x11
port forwarding).
That is, from a window created from the original session window,
you cannot do another $ CREATE TERM/DETACH.

Solution:

Cascading is now supported.

4.19.7 SSH Client and Server Startup Fail If the Correct Version
       of DECwindows Motif Is Not Installed and Started

Problem:

If the host does not have the file SYS$SHARE:DECW$SETSHODISSHR.EXE
installed, client and server startup fail, even if X11 port
forwarding is not requested or used. The following are possible
situations:

o  DECwindows Motif V1.3 is installed, but not started (executable
   not available).

o  A pre-V1.3 version is installed (file is not delivered).

Solution:

SSH client and server do not attempt X11 processing if the file is
not found or available.

4.19.8 The SFTP Client Does Not Sense the Terminal Page Size
       Properly

Problem:

The SFTP client does not sense the terminal page size properly. The
screen output is forced to the default setting of 23 lines per
page.

Solution:

This problem has been corrected.

4.19.9 SSH Filecopy Clients Cannot Make Use of Group Logical Names
       on the SFTP Server

Problem:

Users of SCP and SFTP cannot make use of group logical names on the
SFTP server.
This problem occurs because the group logical name table in the
SFTP server process points to the TCPIP$SSH account's group logical
name table instead of the table of the account that is being used
for the file transfer.

Solution:

The SSH file copy now points the group logical name table of the
SFTP server process to the table of the group of the account that
is being used for the file transfer. For example, when connecting
to the account "JONES" in the user group "777", the sftp server
process's group logical name table will be set to point to
LNM$GROUP_000777.

4.19.10 VMS Text Editor and the DCL SEARCH Command See SSH Server
        Log File Warning Messages

Problem:

VMS text editor and the DCL SEARCH command see SSH server log file
messages like WARNING: Starting image in auxiliary server mode as
two separate lines, with the text of the message on a different
line from the "WARNING:" prefix.

The DCL TYPE command functions properly by displaying one line.

This behavior may cause some customer auditing procedures to fail.

Solution:

The warning message is now written as a single line.

4.19.11 SSH Client Ignores Any DNS AAAA Records Belonging to the
        Remote Host

Problem:

The SSH client ignores any DNS AAAA records belonging to the remote
host, thus effectively disabling connecting via IPv6.

Solution:

The SSH client now recognizes DNS AAAA records.

4.19.12 Publickey Authentication Fails

Problem:

From some clients, e.g., the PuTTY client, when the username
entered is other than all lowercase, publickey authentication
fails.

Solution:

The SSH server now captures the original filename as sent from the
client and uses it in authentication procedure.

4.19.13 Regular Expression Syntax Parsing Not Done

Problem:

Regular expression syntax parsing is not done for AllowHosts in
sshd2_config.

Solution:

Regular expressions are now parsed using the "egrep" syntax.
Variables to which this applies include AllowHosts, DenyHosts,
AllowUsers, and DenyUsers. See examples in sshd2_config.
One OpenVMS extension was retained from previous versions: to allow all hosts, both of the following work:

    Standard regular expression egrep syntax:
        AllowHosts  .*

    OpenVMS extension:
        AllowHosts  *

Note that this format is the only case in which the "*" is accepted in addition to the ".*". In longer expressions, both characters ".*" are still required.

4.19.14 Login Dates Manipulation Sets Off Audit

Problem:

Manipulation of interactive and noninteractive login dates for an SSH session sets off audit alarms.

Solution:

The audit alarms are now suppressed for date manipulation.

4.19.15 SFTP Server Causes Auditing Alarms

Problem:

The SFTP server causes auditing alarms in the operator's log.

Solution:

The condition causing the alarms has been corrected.

4.19.16 SFTP File Transfers Do Not Preserve OpenVMS File Attributes

Problem:

SFTP file transfers do not preserve OpenVMS file attributes even when the SFTP client and server are both running the TCP/IP Services implementation of SFTP. Such file transfers should preserve a file's record format and file attributes and, where applicable, the RMS MRS and LRL fields.

Solution:

When both the SFTP client and server are running the TCP/IP Services implementation of SFTP, file transfers preserve the following OpenVMS file attributes:

o  Record format

o  File attributes

o  mrs and/or lrl (where applicable)

The attributes are preserved regardless of the direction of the file's transfer: to client or to server.

4.19.17 SSH Password Change Sequence Did Not Check for Password in History File

Problem:

The SSH password change sequence did not check for the password in the history file, or for use of the same new password as the old one.

Solution:

Password history is now checked, unless the username has the DISPWDHIS flag set.

4.19.18 Non-OpenVMS Clients Overwrite Files on OpenVMS Servers

Problem:

Under certain conditions, non-OpenVMS clients would cause an existing file on the OpenVMS server to be overwritten on filecopy (instead of creating a new version).

Solution:

A new version is created; for scp only the -k option is available to force an overwrite.

4.19.19 SSH Client Does Not See Entries in TCPIP$ETC:IPNODES.DAT

Problem:

Entries made in the TCPIP$ETC:IPNODES.DAT file are not seen by the SSH client.

Solution:

The condition interfering with reading of the IPNODES.DAT file has been corrected.
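
Section 4.19.13 above changes AllowHosts, DenyHosts, AllowUsers, and DenyUsers to egrep syntax, so glob-style entries carried over from an earlier sshd2_config can change meaning or stop matching. The following check is an added example, not part of these release notes or of the product's code; it uses Python's re module as a stand-in for egrep syntax, assumes that a pattern must match the whole name and that each line carries one pattern, and runs over a constructed configuration fragment.

```python
import re

# Directives that section 4.19.13 lists as parsed with egrep syntax.
REGEX_DIRECTIVES = {"allowhosts", "denyhosts", "allowusers", "denyusers"}

SAMPLE_CONFIG = r"""
# constructed sshd2_config fragment (not from the release notes)
AllowHosts   *
DenyHosts    *.lab.example.com
AllowUsers   ops.*
DenyUsers    guest?
AllowHosts   gw1.example.com
AllowHosts   gw[0-9]+\.example\.com
"""


def to_regex(pattern):
    """Apply the retained OpenVMS extension: a lone "*" means ".*"."""
    return ".*" if pattern == "*" else pattern


def allows(pattern, name):
    """True if name matches pattern (assumption: the whole name must match)."""
    try:
        return re.fullmatch(to_regex(pattern), name) is not None
    except re.error:
        return False  # not a valid expression, so it can match nothing


def lint(pattern):
    """Return warnings for constructs whose glob and regex meanings differ."""
    if pattern == "*":
        return []  # the one case in which "*" alone is accepted
    warnings = []
    i, prev = 0, None  # prev: kind of the preceding atom, None at the start
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":  # escaped character: a literal, skip both characters
            i, prev = i + 2, "atom"
            continue
        if ch == "[":  # bracket expression: skip to its closing "]"
            end = pattern.find("]", i + 2)
            i, prev = (end + 1 if end != -1 else len(pattern)), "atom"
            continue
        if ch == "*":
            if prev is None:
                warnings.append("leading '*' is a glob; regex needs '.*'")
            elif prev == "literal":
                warnings.append("'*' repeats only the preceding character")
            prev = "quant"
        elif ch == "?":
            if prev == "literal":
                warnings.append("'?' makes the preceding character optional")
            prev = "quant"
        elif ch == ".":
            nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
            if nxt not in ("*", "+", "?", "{"):
                warnings.append("unescaped '.' matches any character")
            prev = "dot"
        elif ch in "+{}":
            prev = "quant"
        elif ch in "(|^":
            prev = None  # nothing to repeat yet
        else:
            prev = "atom" if ch in ")$" else "literal"
        i += 1
    return sorted(set(warnings))


def audit(config_text):
    """Return (line_number, directive, pattern, warnings) for flagged lines."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        directive, pattern = parts[0], parts[1].strip()
        if directive.lower() in REGEX_DIRECTIVES:
            warnings = lint(pattern)
            if warnings:
                findings.append((lineno, directive, pattern, warnings))
    return findings


if __name__ == "__main__":
    for lineno, directive, pattern, warnings in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {directive} {pattern}")
        for warning in warnings:
            print(f"    {warning}")
    # Unescaped dots let a look-alike name through an allow rule.
    print(allows("gw1.example.com", "gw1xexample.com"))
```

An allow rule with unescaped dots accepts names other than the intended host, and a deny rule written as a glob may match nothing, so both directions deserve review after the upgrade.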
  5         4.19.20 Limited Support for ODS-5 File Formate                 Problem:  H               SSK file copy clients and servers have limited support for$               the ODS-5 file format.                 Solution:S  F               This problem has been corrected. Note that the following,               limitations apply to this fix:  H               o  It addresses only problems with sftp ls/get/put and scpD                  copy of files with extended filenames. ODS-5 syntaxC                  may work in other situations, but they are neithere*                  guaranteed nor supported.  C               o  It is not intended to handle copying of files with C                  extended file names to target directories on ODS-2 E                  volumes. In that case an error of the following type                   results:e  K                  tcpip$ssh_scp2.exe: warning: open: ./afile,name.txt (dst):iK                  unspecified failure (server msg: 'syserr: bad file number,a)                  file: ./afile,name.txt')i  N                  %TCPIP-E-SSH_FC_ERR_FAIL, undetermined error from sshfilexfer  F               o  When wildcards are used in file specification not allF                  files with ODS-5 extended file name may be retrieved.A                  For example: sftp>get *.*;* retrieves all files,nG                  while sftp get afil*.txt does not get fines with ODS-5                   characters:           4-26 Corrections L  K      I                                                               CorrectionseI                                   4.19 SSH Problems Fixed in This ReleaseC                       sftp> get *.*;*_                  afile2.txt;1                      |     8B |   0.0 kB/s | TOC: 00:00:01 | 100%0_                  afile^%name.txt;2                 |  1008B |   1.0 kB/s | TOC: 00:00:01 | 100%y_                  afile^,name.txt;1                 |     6B |   0.0 kB/s | TOC: 00:00:01 | 100%e_                  
afile^^^%name.txt;1               |    12B |   0.0 kB/s | TOC: 00:00:01 | 100%h_                  AFILE__NAME.TXT;1                 |    20B |   0.0 kB/s | TOC: 00:00:01 | 100%r  $                  sftp> get afil*.txt_                  afile2.txt                        |     8B |   0.0 kB/s | TOC: 00:00:01 | 100%h_                  afile__name.txt                   |    20B |   0.0 kB/s | TOC: 00:00:01 | 100%P  :         4.19.21 Fixed SFTP2 Image Exits with Normal Status                 Problem:  F               SFTP2 image exits with status "normal" ever after errors               are encountered.                 Solution:   F               The following DCL exit codes are now supported for batchI               procedure exit. Of these, only TCPIP$_SSH_FC_ERR_TGT_EXISTS                is a new code:  =         TCPIP$_SSH_FATAL "non-specific fatal error condition"s3         TCPIP$_SSH_FC_OK "operation was successful" ?         TCPIP$_SSH_FX_OK "the operation completed successfully" 4         TCPIP$_SSH_INFORMATIONAL "ssh informational"7         TCPIP$_SSH_ERROR "non-specific error condition" Y         TCPIP$_SSH_FX_EOF "the operation failed because of trying to read at end of file" F         TCPIP$_SSH_FX_NO_SUCH_FILE "the requested file does not exist"T         TCPIP$_SSH_FX_PERM_DENIED "insufficient privileges to perform the operation">         TCPIP$_SSH_FX_FAILURE "the requested operation failed"         TCPIP$_SSH_FX_BAD_MESSAGE "a badly formatted message was received; error or incompatibility in the protocol implementation" O         TCPIP$_SSH_FX_NO_CONNECTION "connection has not been established (yet)" s         TCPIP$_SSH_FX_CONNECTION_LOST "connection to the server was lost, and the operation could not be performed"eQ         TCPIP$_SSH_FX_OP_UNSUPPORTED "operation is unsupported by the fileserver"s>         TCPIP$_SSH_FX_INVAL_RFMT "record format not supported";         TCPIP$_SSH_FX_OUT_OF_MEMORY "out of dynamic memory" B         TCPIP$_SSH_FC_ERROR 
"error in ssh file transfer operation"W         TCPIP$_SSH_FC_ERR_DEST_NOT_DIR "destination is not directory or does not exist"e@         TCPIP$_SSH_FC_ERR_ELOOP "maximum symlink level exceeded"A         TCPIP$_SSH_FC_ERR_CONN_FAILED "connecting to host failed" F         TCPIP$_SSH_FC_ERR_CONN_LOST "connection broke for some reason";         TCPIP$_SSH_FC_ERR_NO_SUCH_FILE "file doesn't exist" D         TCPIP$_SSH_FC_ERR_PERM_DENIED "no permission to access file"H         TCPIP$_SSH_FC_ERR_FAILURE "error in ssh file transfer operation"  I                                                          Corrections 4-27i    u               CorrectionsA/         4.19 SSH Problems Fixed in This Release     H         TCPIP$_SSH_FC_ERR_PROTO_MSMTCH "file transfer protocol mismatch"J         TCPIP$_SSH_FC_ERR_INVAL_RFMT "file record format invalid for copy"A         TCPIP$_SSH_FC_ERR_TGT_EXISTS "target file already exists"s  F               If multiple errors are encountered, exit status reflectsG               the last error. The following logical names are available I               to control behavior for the new functionality. To use these I               names define them to have a value "TRUE" (case insensitive)l,               or any non-zero numeric value.  I               o  TCPIP$SFTP_ALWAYS_EXIT_NORMAL: preserves old behavior of H                  sftp exiting with status $STATUS "%X00000001" (normal),A                  no matter what errors occurred during a session.e  C               o  TCPIP$SSH_SFTP_BATCH_ABORT_ON_ERROR: by default antG                  sftp batch procedure continues after any errors exceptoE                  for failure of a cd (change directory) command. This E                  behavior is the same as that for the base UNIX code. 
   Setting this logical enables the OpenVMS-specific behavior of the procedure exiting after the first error is encountered.

4.19.22 SFTP Batch Procedure Files Need Special Format

Problem:

SFTP batch files must be in stream_lf format, or have each line except the last terminated by a linefeed (ASCII 10).

Solution:

This version detects if a batch file is not in stream_lf format, and if it is not, attempts to convert it to stream_lf format. The following message is displayed when the process begins (where batchfile is the filename of the sftp batch file):

    Warning: Converting file fail4.cmd to Stream_LF.

The following message indicates successful conversion:

    Warning: File {batchfile} converted successfully to Stream_LF.

The following type of error indicates a failure (where n is an internal VMS error status):

    openvms_specific/OPENVMS_SPECIFIC.C:1885: Error calling
    CONV$PASS_FILES for {batchfile}. STATUS = %NONAME-E-NOMSG,
    Message number n

If automatic conversion does not succeed, the file can be converted manually by VMS to stream_lf (e.g., by the DCL CONVERT command).

4.19.23 SSH File Transfer Clients and Server Do Not Handle VMS-style Wildcards

Problem:

SSH file transfer clients and server do not handle VMS-style wildcards.

Solution:

Many usages for VMS-style wildcards are now supported.
The behavior, where possible, matches that for DCL commands such as $ COPY and $ DIRECTORY. For example, ls afile.* retrieves all versions of a file, while get afile.* retrieves only the highest version number. One extension to the standard VMS set is recognition of the ? in addition to the % to match a single character.

4.19.24 Text Display for Usage Does Not Match Documentation

Problem:

Text display for Usage: does not match documentation or what is supported or tested.

Solution:

"Usage" text reflects what is implemented, and also matches information in any DCL help files.

4.19.25 Allow Restrictions on Execution of SFTP-server2

Problem:

Allow restrictions on access to SSH filecopy.

Solution:

The following methods are available to restrict users who have ssh access to a server from using scp or sftp for filecopy:

1. Use one of the following options in the SSHD2_CONFIG. file:

    DisallowSftpServer
    Default: "no"
    "yes" disables sftp-server2 for all users

    SftpDenyUsers
    Default: empty string
    Interprets regular expressions in the same way that DenyUsers does.

   Note that SftpDenyUsers is used only if DisallowSftpServer is "no."

2. If neither of the configuration restrictions is used, the server checks for the identifier TCPIP$SSH_FILECOPY_DISALLOWED granted to the current user, in which case access to sftp-server2 is denied.

   To create and grant this identifier, do the following from a privileged account:

    $ MCR AUTHORIZE
    UAF> ADD /IDENTIFIER TCPIP$SSH_FILECOPY_DISALLOWED
    %UAF-I-RDBADDMSG, identifier TCPIP$SSH_FILECOPY_DISALLOWED
    value %X8001009F added to rights database
    UAF> SHOW /IDENTIFIER TCPIP$SSH_FILECOPY_DISALLOWED
    Name                             Value           Attributes
    TCPIP$SSH_FILECOPY_DISALLOWED    %X8001009F
    UAF> GRANT TCPIP$SSH_FILECOPY_DISALLOWED USER1
    %UAF-I-GRANTMSG, identifier TCPIP$SSH_FILECOPY_DISALLOWED
    granted to USER1
    UAF> SHOW USER1

    Username: USER1                            Owner:  Default
    ...
    Identifier                         Value           Attributes
    TCPIP$SSH_FILECOPY_DISALLOWED    %X8001009F

4.19.26 Using SFTP To Pull Fixed Length Files Results In A Corrupted File

Problem:

Using SFTP to pull fixed length files with an odd-numbered record length, e.g., 773 bytes, from an OpenVMS system to a system running an operating system other than OpenVMS results in a corrupted file.

Solution:

This problem has been corrected.

4.19.27 Pasting from Text Editor Loses Characters

Problem:

When a user logs in with SSH and pastes from the paste buffer, characters can be lost. If the user is running a text editor, it receives a "data overrun" error.

Solution:

This problem has been corrected.

4.19.28 sftp ls on Directory with a Large Number of Files Cannot Be Interrupted

Problem:

When doing an ls for a directory or search list with a large number of files, entering q at the prompt "<Press any key for more or q to quit>" results in apparent hang that cannot be interrupted with CTRL/C.

Solution:

Pressing q now returns immediately to the sftp> prompt. Additional improvements for ls displays include the following:

1. The display has no blank lines, but does include the q (or other character) entered after the prompt.

2. To start an SFTP session with continuous display use the "-C" (Continuous display) option, e.g.:

    $ sftp "-C" yourremote

   Note that the double quotes are required. Within an SFTP session, use the td (toggle display) command to switch between prompted and continuous display.

3. Long directory listings do not cause the %TCPIP-F-SSH_ALLOC_ERROR error.

4. CTRL/C on continuous listings causes return to the sftp> prompt.

________________________ Note ________________________

Because global variables are used for this fix, the code is not thread-safe.

In batch mode the default remains to suppress display of the prompt. You cannot force the display of the prompt in batch mode.

If CTRL/C is entered at the "<Press any key...>" prompt, you may need to enter a "q" or a carriage return to return to the sftp> prompt. Note that entering CTRL/C at the sftp> prompt (followed by a carriage return) causes an exit to the DCL level.

______________________________________________________

4.20 SSL Problems Fixed in This Release

The following sections describe SSL problems fixed in this release.

4.20.1 After Installing SSL, POP SSL Ceases to Function

Problem:

After installing the SSL V1.2 kit on TCP/IP Services, POP SSL support ceases to function. The POP server will not listen on its SSL port and, consequently, will not service clients coming in through SSL. The TCPIP$POP_RUN.LOG POP server log file contains these lines:

    POP server will not listen for SSL connections.
    SSL$LIBCRYPTO_SHR32_INIT status: %LIB-E-KEYNOTFOU, key not found in tree

Solution:

This problem is corrected in this release.

4.21 TELNET Problems Fixed in This Release

The following sections describe TELNET problems fixed in this release.

4.21.1 TELNET Intrusion Detection Inflexibility

Problem:

In certain circumstances, an intrusion (such as an invalid login) by one user can cause the whole system to be locked out, and with multiport servers such as on a terminal server, all ports could be locked out. The workaround has been to set the TCPIP$TELNET_NO_REM_ID logical. However, this allows the intruding user to log in on another port without being locked out.

Solution:

This problem is corrected in this release. The logical name TCPIP$TELNET_TRUST_LOCATION allows you to specify how to handle TELNET intrusion records. When this logical name is defined, any location string specified by the remote client is included in the intrusion record. For example, many terminal servers provide the physical port number, while OpenVMS clients provide the originating user name and terminal line.
Including this information in the intrusion records means that only a particular user or port will be locked out, not the entire remote host (and all user ports).

4.22 Miscellaneous Problems Fixed in This Release

The following sections describe miscellaneous problems fixed in this release.

4.22.1 PPP Supports the Scaling Kernel and IA64 Architecture

PPP now supports both the Scaling Kernel and IA64 architecture.

4.22.2 TCPIP SHOW ROUTE/MASK Reports Error

Problem:

TCPIP SHOW ROUTE dest/mask did not work as expected in a few cases. In cases where the mask value was greater than or equal to 24, the response to this command was as follows:

    %TCPIP-E-ROUTEERROR, error accessing routes database(TCPIP$ROUTE)
    -TCPIP-W-NORECORD, information not found

This posed problems while checking for the dynamic routes.

Solution:

This problem is fixed in this release.
The code now considers the CIDR mask specified while matching the given destination address.

_________________________________________________________________

5  Documentation Update

This chapter describes updates to the information in the TCP/IP Services product documentation.

This information will be supplied in the final release of TCP/IP Services.

5.1 Documentation Updated for This Release

The following manuals are updated for TCP/IP Services Version 5.6. Documentation changes planned for these manuals are indicated.

o  TCP/IP Services for OpenVMS Installation and Configuration

o  TCP/IP Services for OpenVMS Management Guide

o  TCP/IP Services for OpenVMS Guide to SSH

5.2 Documentation Not Being Updated for This Release

The following manuals are not updated for TCP/IP Services Version 5.6.
Documentation changes planned for these manuals are indicated.

o  TCP/IP Services for OpenVMS Concepts and Planning

o  TCP/IP Services for OpenVMS Management Command Reference

o  TCP/IP Services for OpenVMS Management Command Quick Reference Card

o  TCP/IP Services for OpenVMS ONC RPC Programming

o  TCP/IP Services for OpenVMS Sockets API and System Services Programming

o  TCP/IP Services for OpenVMS Tuning and Troubleshooting

o  TCP/IP Services for OpenVMS User's Guide

_________________________________________________________________

A  Implementing NTP Autokeys

To set up NTP autokeys, use one of the following procedures:

o  For the TC identity scheme, use one of the following methods:

   -  Section A.1

   -  Section A.2

o  For the PC identity scheme, see Section A.3.

o  For the IFF scheme, use one of the following methods:

   -  Section A.4

   -  Section A.5

o  For the GQ scheme, see Section A.6.

o  For the MV scheme, see Section A.7.

A.1 Default TC Identity Scheme (method 1)

1. Make Alice a stratum 0 server by enabling the lines in TCPIP$NTP.CONF:

    server 127.127.1.0 prefer
    fudge 127.127.1.0 stratum 0

2. On both Alice (server) and Bob (client), add two lines to TCPIP$NTP.CONF:

    keysdir SYS$SPECIFIC:[TCPIP$NTP]
    crypto

3. On Bob, add the server line for Alice to Bob's TCPIP$NTP.CONF:

    server alice autokey

4. On Alice, generate the keys and trusted certificate:

    ALICE>ntp_keygen -"T"

5. On Bob, generate the keys and non-trusted certificate:

    BOB>ntp_keygen

6. Start NTP on Alice:

    ALICE>@sys$startup:tcpip$ntp_startup

7. Wait until Alice is synchronized to itself. ntpdc -p should show an asterisk (*) in the leftmost column.

8. Start NTP on Bob:

    BOB>@sys$startup:tcpip$ntp_startup

Bob should eventually synch to Alice (this may take up to 10 minutes). ntpdc -p should show an asterisk (*) in the leftmost column.

A.2 Default TC Identity Scheme (method 2)

1. Make Alice a stratum 0 server by enabling the lines in TCPIP$NTP.CONF:

    server 127.127.1.0 prefer
    fudge 127.127.1.0 stratum 0

2. On Alice, add two lines to TCPIP$NTP.CONF:

    keysdir SYS$SPECIFIC:[TCPIP$NTP]
    crypto pw littlesecret

3. On Bob, add three lines to TCPIP$NTP.CONF:

    keysdir SYS$SPECIFIC:[TCPIP$NTP]
    crypto pw bigsecret
    server alice autokey

4. On Alice, generate the keys and trusted certificate using passwords:

    ALICE>ntp_keygen -"T" -p littlesecret -q bigsecret

5. On Bob, generate the keys and non-trusted certificate using passwords:

    BOB>ntp_keygen -q bigsecret

6. Start NTP on Alice:

    ALICE>@sys$startup:tcpip$ntp_startup

7. Wait 5 minutes until Alice is synchronized to itself. ntpdc -p should show an asterisk (*) in the leftmost column.

8. Start NTP on Bob:

    BOB>@sys$startup:tcpip$ntp_startup

Bob should eventually synch to Alice (maybe around 10 minutes). ntpdc -p should show an asterisk (*) in the leftmost column.

A.3 PC Identity Scheme

1. Make Alice a stratum 0 server by enabling the lines in TCPIP$NTP.CONF:

    server 127.127.1.0 prefer
    fudge 127.127.1.0 stratum 0

2. On both Alice and Bob, add two lines to TCPIP$NTP.CONF:

    keysdir SYS$SPECIFIC:[TCPIP$NTP]
    crypto pw littlesecret

3. On Bob, add the server line for Alice to Bob's TCPIP$NTP.CONF:

    server alice autokey

4. On Alice, generate the keys and certificate:

    ALICE>ntp_keygen -"P" -p littlesecret

5. Copy the certificate (tcpip$ntpkey_rsa-md5cert_alice.timestamp) and the key (tcpip$ntpkey_rsakey_alice.timestamp) from Alice to Bob's keysdir.

6. On Bob, create symbolic links to the files:

    BOB>ntp_keygen -"P" -l tcpip$ntpkey_rsakey_alice.timestamp -
    _BOB> tcpip$ntpkey_rsa-md5cert_alice.timestamp

7. Start NTP on Alice:

    ALICE>@sys$startup:tcpip$ntp_startup

8. Wait 5 minutes until Alice is synchronized to itself. ntpdc -p should show an asterisk (*) in the leftmost column.

9. Start NTP on Bob:

    BOB>@sys$startup:tcpip$ntp_startup

Bob should eventually synch to Alice (this may take up to 10 minutes). ntpdc -p should show an asterisk (*) in the leftmost column.

A.4 IFF scheme (method 1)

1. Make Alice a stratum 0 server by enabling the lines in TCPIP$NTP.CONF:

    server 127.127.1.0 prefer
    fudge 127.127.1.0 stratum 0

2. On both Alice and Bob, add two lines to TCPIP$NTP.CONF:

    keysdir SYS$SPECIFIC:[TCPIP$NTP]
    crypto pw littlesecret

3. On Bob, add the server line for Alice to Bob's TCPIP$NTP.CONF:

    server alice autokey

4. On Alice, create the trusted public key and identity scheme parameter file.

   Use a password with at least 4 characters. This example is for the IFF identity scheme:

    ALICE>ntp_keygen -"T" -"I" -p littlesecret

5. On Bob, generate the client parameters using the server password:

    BOB>ntp_keygen -"H" -p littlesecret

6. Copy the tcpip$ntpkey_iffpar_alice.timestamp file from Alice to Bob's keysdir.

7. On Bob, create a symbolic link to the file:

    BOB>ntp_keygen -"I" -l tcpip$ntpkey_iffpar_alice_tcpip_zko_h.3344261784

8. Start NTP on Alice:

    ALICE>@sys$startup:tcpip$ntp_startup

9. Wait 5 minutes until Alice is synchronized to itself. ntpdc -p should show an asterisk (*) in the leftmost column.

10. Start NTP on Bob:

    BOB>@sys$startup:tcpip$ntp_startup

Bob should eventually synch to Alice (this may take up to 10 minutes). ntpdc -p should show an asterisk (*) in the leftmost column.

A.5 Alternate IFF Scheme (method 2)

1. Make Alice a stratum 0 server by enabling the lines in TCPIP$NTP.CONF:

    server 127.127.1.0 prefer
    fudge 127.127.1.0 stratum 0

2. On Alice, add two lines to TCPIP$NTP.CONF:

    keysdir SYS$SPECIFIC:[TCPIP$NTP]
    crypto pw littlesecret

3. On Bob, add three lines to TCPIP$NTP.CONF:

    keysdir SYS$SPECIFIC:[TCPIP$NTP]
    crypto pw bigsecret
    server alice autokey

4. On Alice, create the trusted public key and identity scheme parameter file.

   Use a password with at least 4 characters. This example is for the IFF identity scheme:

    ALICE>ntp_keygen -"T" -"I" -p littlesecret

5. On Bob, generate the client parameters using the client password:

    BOB>ntp_keygen -"H" -p bigsecret

6. On Alice, extract the client key specifying the server password and the client password:

    ALICE>ntp_keygen -e -q littlesecret -p bigsecret

   The output will go to the screen.

7. On Bob, create a file with the name specified in the screen output from step 6, the file name after "Writing new IFF key". Paste the output from step 6 into the file. Here is an example of the final file on Bob (the first two lines starting with # are just comments):

    BOB> typ SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTPKEY_IFFKEY_ALICE.3344272304
    # SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTPKEY_IFFKEY_ALICE.3344272304
    # Thu Dec 22 15:32:10 2005
    -----BEGIN DSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-CBC,E03763213C218BDC

    O9xAmWUEfJzCYEO6Zgn1KWm67M9NKlc/LzqHH+1K/kWQ/YXudUIf1ugdj+Umpphy
    R5UyrpVz8kWms4M/VsPZBvMgP2SIXPyYO5ANz0WlMYbk9Myd8Xfc/6LEhYMEhxeM
    Mjo95aUuWq/+YtlEAzrVvWjhQnHvNpHJtQxNw/7L6/ftVOGT0MuB1e9jJoaGo+lp
    yBSbhUYmwiyZfJUYvteXfOME/XH3rEx3h8/8k88zL1qACetHxeFmUMIoQq7lUqjg
    CeKMAidxgUWlmhixYVcUtvuD0ZNYqQ4jjUFfDrlgfAPmeHNLndehEStcQbB3ItLC
    -----END DSA PRIVATE KEY-----

8. Create a symbolic link to the client key:

    BOB>ntp_keygen -"I" -l tcpip$ntpkey_iffkey_alice.3344272304

9. Start NTP on Alice:

    ALICE>@sys$startup:tcpip$ntp_startup

10. Wait 5 minutes until Alice is synchronized to itself. ntpdc -p should show an asterisk (*) in the leftmost column.

11. Start NTP on Bob:

    BOB>@sys$startup:tcpip$ntp_startup

Bob should eventually synch to Alice (this may take up to 10 minutes). ntpdc -p should show an asterisk (*) in the leftmost column.

A.6 GQ scheme

1. Make Alice a stratum 0 server by enabling the lines in TCPIP$NTP.CONF:

    server 127.127.1.0 prefer
    fudge 127.127.1.0 stratum 0

2. On both Alice and Bob, add two lines to TCPIP$NTP.CONF:

    keysdir SYS$SPECIFIC:[TCPIP$NTP]
    crypto pw littlesecret

3. On Bob, add the server line for Alice to Bob's TCPIP$NTP.CONF:

    server alice autokey

4. On Alice, generate the GQ parameters:

    ALICE>ntp_keygen -"T" -"G" -p littlesecret

5. On Bob, generate the client parameters using the server password:

    BOB>ntp_keygen -"H" -p littlesecret

6. Copy the GQ group key tcpip$ntpkey_gqpar_alice.timestamp from Alice to Bob's keysdir.

7.
On Bob, create a symbolic link to the file, using the -r 3                  option to specify the server name:a  T                   BOB>ntp_keygen -"G" -r alice -l tcpip$ntpkey_gqpar_alice.timestamp  $               8. Start NTP on Alice:  6                   ALICE>@sys$startup:tcpip$ntp_startup  F               9. Wait 5 minutes until Alice is synchronized to itself.H                  <code-example>(ntpdc -p) should show an asterisk (*) in%                  the leftmost column.   "              10. Start NTP on Bob:  4                   BOB>@sys$startup:tcpip$ntp_startup  G               Bob should eventually synch to Alice (this may take up topF               10 minutes). ntpdc -p should show an asterisk (*) in the               leftmost column.  I                                             Implementing NTP Autokeys A-7a a  a      !         Implementing NTP Autokeys          A.7 MV scheme              A.7 MV scheme.  G               1. Make Alice a stratum 0 server by enabling the lines inf                   TCPIP$NTP.CONF:  +                   server 127.127.1.0 preferm-                   fudge 127.127.1.0 stratum 0R  H               2. On both Alice and Bob, add two lines to TCPIP$NTP.CONF:  2                   keysdir SYS$SPECIFIC:[TCPIP$NTP](                   crypto pw littlesecret  ?               3. On Bob, add the server line for Alice to Bob'si                   TCPIP$NTP.CONF:  &                   server alice autokey  G               4. On Alice, generate the MV parameters. The MV parameterLF                  generation process produces a server key and a numberI                  of client keys. When choosing the number of client keys,nI                  avoid factors of 512 and do not exceed 30. The followingeB                  command will generate 4 keys (N-1, where N is 5):  >                   ALICE>ntp_keygen -"T" -"V" 5 -p littlesecret  H               5. 
On Bob, generate the client parameters using the server                  password:  5                   BOB>ntp_keygen -"H" -p littlesecret^  H               6. Copy any one of the MV client keys tcpip$ntpkey_mvkeyN_=                  alice.timestamp from Alice to Bob's keysdir..  H               7. On Bob, create a symbolic link to the file. Specify "1"G                  after the -"V" option so it does not complain that theCG                  -"V" option requires a value. The "1" will be ignored.   N                   BOB>ntp_keygen -"V" 1 -l tcpip$ntpkey_mvkeyN_alice.timestamp  $               8. Start NTP on Alice:  6                   ALICE>@sys$startup:tcpip$ntp_startup  F               9. Wait 5 minutes until Alice is synchronized to itself.E                  ntpdc -p should show an asterisk (*) in the leftmostt                  column.  "              10. Start NTP on Bob:  4                   BOB>@sys$startup:tcpip$ntp_startup  %         A-8 Implementing NTP Autokeysf l  r      I                                                 Implementing NTP AutokeysII                                                             A.7 MV schemeF    G               Bob should eventually synch to Alice (this may take up tocF               10 minutes). ntpdc -p should show an asterisk (*) in the               leftmost column.                                                                                    I                                             Implementing NTP Autokeys A-9 
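A pre-start check for the TCPIP$NTP.CONF pairs built in A.4 through A.7, added here as an illustration and not part of the HP documentation or product. It reads copies of the server's and client's configuration text and reports missing keysdir, crypto pw or autokey lines, passwords under 4 characters, passwords left at the appendix's example values, and whether the client is configured with the server's password (A.4, A.6, A.7) or its own (A.5). The function names and sample contents are assumptions constructed for the example.

```python
# Constructed TCPIP$NTP.CONF contents following the A.5 (IFF method 2) steps.
ALICE_CONF = """server 127.127.1.0 prefer
fudge 127.127.1.0 stratum 0
keysdir SYS$SPECIFIC:[TCPIP$NTP]
crypto pw littlesecret
"""
BOB_CONF = """keysdir SYS$SPECIFIC:[TCPIP$NTP]
crypto pw bigsecret
server alice autokey
"""
DOC_PASSWORDS = {"littlesecret", "bigsecret"}  # example values from the appendix


def parse_conf(text):
    """Extract keysdir, crypto pw and server lines from TCPIP$NTP.CONF text."""
    conf = {"keysdir": None, "pw": None, "servers": {}}
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2:
            continue
        if tok[0] == "keysdir":
            conf["keysdir"] = tok[1]
        elif tok[0] == "crypto" and "pw" in tok[1:-1]:
            conf["pw"] = tok[tok.index("pw") + 1]
        elif tok[0] == "server":
            conf["servers"][tok[1].lower()] = tok[2:]
    return conf


def audit_pair(server_name, server_text, client_text):
    """Return findings for one Autokey server/client configuration pair."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    findings = []
    for role, conf in (("server", srv), ("client", cli)):
        if conf["keysdir"] is None:
            findings.append(f"{role}: keysdir line missing")
        if conf["pw"] is None:
            findings.append(f"{role}: crypto pw line missing")
        elif len(conf["pw"]) < 4:
            findings.append(f"{role}: password shorter than 4 characters")
        elif conf["pw"] in DOC_PASSWORDS:
            findings.append(f"{role}: password is an example from the documentation")
    if "autokey" not in cli["servers"].get(server_name.lower(), []):
        findings.append(f"client: no 'server {server_name} autokey' line")
    if srv["pw"] is not None and srv["pw"] == cli["pw"]:
        findings.append("client: configured with the server's password")
    return findings
```

Run against the sample pair, audit_pair("alice", ALICE_CONF, BOB_CONF) reports only the two example passwords; an empty list means the pair matches the layout the steps describe.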
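Step 7 of A.5 moves key material by pasting terminal output into a file, where a wrapped or dropped line is easy to miss. The following added example (not HP code; the function name and the placeholder body are constructed for illustration) checks the pasted file's BEGIN/END lines, its Proc-Type and DEK-Info headers, and its base64 line lengths before the link in step 8 is created.

```python
import base64
import re


def check_pasted_key(text):
    """Return (problems, info) for a key file pasted from ntp_keygen -e output."""
    problems, info = [], {"encrypted": False, "cipher": None}
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    begin = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----", lines[0]) if lines else None
    if not begin:
        return ["BEGIN line missing"], info
    if lines[-1] != f"-----END {begin.group(1)}-----":
        return ["END line missing or not matching BEGIN"], info
    headers, body = {}, []
    for ln in lines[1:-1]:
        if not body and ":" in ln:  # header lines come before the base64 body
            name, value = ln.split(":", 1)
            headers[name.strip()] = value.strip()
        else:
            body.append(ln)
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        info["encrypted"] = True
        info["cipher"] = headers.get("DEK-Info", "").split(",")[0] or None
        if info["cipher"] is None:
            problems.append("encrypted key without a DEK-Info cipher")
    else:
        problems.append("key is not encrypted (no Proc-Type: 4,ENCRYPTED)")
    if not body or len(body[-1]) > 64 or any(len(ln) != 64 for ln in body[:-1]):
        problems.append("base64 body has broken line lengths")
    try:
        raw = base64.b64decode("".join(body), validate=True)
        if info["encrypted"] and len(raw) % 8:  # CBC ciphertext: whole 8-byte blocks
            problems.append("ciphertext is not a whole number of cipher blocks")
    except ValueError:
        problems.append("base64 body does not decode")
    return problems, info


# Constructed sample: header layout as in step 7, placeholder (non-key) body.
B64_BODY = base64.b64encode(bytes(range(96))).decode()
SAMPLE = "\n".join([
    "# SYS$SPECIFIC:[TCPIP$NTP]TCPIP$NTPKEY_IFFKEY_ALICE.3344272304",
    "-----BEGIN DSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: DES-CBC,E03763213C218BDC",
    "", B64_BODY[:64], B64_BODY[64:],
    "-----END DSA PRIVATE KEY-----", ""])
```

The info dictionary also names the cipher from DEK-Info; DES-CBC, as in the page's example, has a 56-bit key, so the file's protection in keysdir still matters.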