Reflection for Secure IT UNIX 8.4 Release Notes

February 2021

Reflection for Secure IT UNIX 8.4 was released in February 2021 and is now available to new customers and to customers with current maintenance. This update addresses several security vulnerabilities and includes several enhancements and software fixes.

What’s New

Reflection for Secure IT UNIX includes several enhancements and new features.

  • Added support for elliptic curve cryptography

    Support for elliptic curve key exchange: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521

    Support for elliptic curve host and user keys: ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521

  • Added support for both user and server certificates using the following additional RFC 6187 key formats: x509v3-ecdsa-sha2, x509v3-ssh-rsa, and x509v3-ssh-dss.

  • Reflection for Secure IT UNIX Server now correctly expands macros in the Authorization File setting in sshd2_config.

    In the previous version of the Reflection for Secure IT UNIX server, macros such as %D in the Authorization File setting in sshd2_config did not expand as expected. This known issue has been fixed.

  • Added support for SUSE Linux Enterprise Server 15 (64-bit)

  • Support for BSM logging has been removed in Solaris 11

    The documentation for BSM logging has been removed from the product.

3.0 Known Issues

  • When installing Reflection for Secure IT (RSIT) UNIX, the host identity keys of an existing OpenSSH installation may not be preserved.

    If a fresh installation of RSIT UNIX does not need to preserve the existing host identity keys, generate a new RSIT host key by running the following:

    sudo ssh-keygen -P /etc/ssh2/hostkey

    To preserve the host identity keys of an existing OpenSSH installation, follow the manual procedure below.

    When the installer cannot convert the existing OpenSSH host key, its output shows the following messages, indicating that the server will fail to start:

    Converting OpenSSH hostkey to SSH2 format
    
    Failed to read private key: /etc/ssh2/hostkey
    
    Starting sshd (via systemctl):  Job for sshd.service failed because the control process exited with error code. 

    A manual process must be followed to preserve the host identity. This process requires:

    • OpenSSH ssh-keygen

    • RSIT Unix ssh-keygen

    • The file /etc/ssh/ssh_host_rsa_key

    IMPORTANT: The file /etc/ssh/ssh_host_rsa_key is a private key file and must be protected. Anyone who obtains it can impersonate this host to SSH clients, so transfer it only over a protected channel, keep it readable by root alone, and remove every copy once the manual conversion has been completed.

    Follow the steps as outlined below:

    1. Copy the file to a machine with OpenSSH's ssh-keygen.

      You may wish to change the owner and file attributes at this point.

      sudo chown someuser:somegroup ssh_host_rsa_key
      
      chmod 600 ssh_host_rsa_key
    2. Convert the file to PEM format using the following OpenSSH ssh-keygen command. OpenSSH 7.8 and later write private keys in OpenSSH's own format by default, which RSIT's ssh-keygen does not accept; -m pem rewrites the key in the classic PEM encoding and -N "" keeps it unencrypted, as a host key must be:

      ssh-keygen -p -N "" -m pem -f ssh_host_rsa_key
    3. Copy the converted file back to the original host.

    4. Convert the key, now in PEM format, to the Reflection format using RSIT Unix ssh-keygen.

      ssh-keygen -O ssh_host_rsa_key -o hostkey

      If desired, create the public key:

      ssh-keygen -D hostkey

      When RSIT Unix is installed alongside OpenSSH, use the full path of ssh-keygen, e.g.

      /opt/rsit/bin/ssh-keygen -O ssh_host_rsa_key -o hostkey
      
      /opt/rsit/bin/ssh-keygen -D hostkey
    5. Restore the owner and group and attributes with the following commands:

      sudo chown root:root hostkey
      
      sudo chown root:root hostkey.pub
      
      sudo chmod 600 hostkey
      
      sudo chmod 644 hostkey.pub
    6. Move these files to /etc/ssh2, or, if the installation was relocated, to the relocated configuration directory, e.g. /opt/rsit/etc.

    7. Restart the RSIT UNIX server and check its status.
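    The manual procedure above, as an added shell script that is not part of the release notes or of the product: it performs steps 2 to 6 on the host itself when OpenSSH's ssh-keygen is still present there (so the private key never leaves the machine, which removes the off-box copy of step 1), checks the key's encoding first so the PEM rewrite only happens when the key is in the newer OpenSSH container, and wipes the working copy when it exits for any reason. The tool locations (/usr/bin/ssh-keygen for OpenSSH; /opt/rsit/bin/ssh-keygen for RSIT, as in the notes), the RUN_HOSTKEY_CONVERSION switch and the helper function names are assumptions of this example, not product interfaces.

```shell
#!/bin/sh
# Added example (not Micro Focus's script): carry an existing OpenSSH RSA
# host key over to the RSIT UNIX key format, following steps 2 to 6 of the
# manual procedure. Tool locations and paths below are assumptions; override
# them in the environment to match the installation.
set -eu
umask 077   # every file this script creates starts out owner-readable only

OPENSSH_KEYGEN=${OPENSSH_KEYGEN:-/usr/bin/ssh-keygen}    # assumed location
RSIT_KEYGEN=${RSIT_KEYGEN:-/opt/rsit/bin/ssh-keygen}      # path used in the notes
SRC_KEY=${SRC_KEY:-/etc/ssh/ssh_host_rsa_key}
DEST_DIR=${DEST_DIR:-/etc/ssh2}

# Print the on-disk encoding of a private key, judged by its header line.
# Keys written by OpenSSH 7.8 and later default to the "openssh" container,
# which is the case that needs step 2 before RSIT's importer will read it.
key_format() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN RSA PRIVATE KEY-----')     echo pem ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;
        *)                                     echo unknown ;;
    esac
}

# Print a file's permission bits in octal (GNU stat, then BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print a file's owner name (GNU stat, then BSD stat fallback).
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Succeed only when a private key is root-owned and readable by nobody else,
# the state step 5 leaves hostkey in.
private_key_is_locked_down() {
    [ "$(file_mode "$1")" = 600 ] && [ "$(file_owner "$1")" = root ]
}

# Steps 2 to 6, done in a scratch directory that is removed when the script
# exits for any reason, so no working copy of the private key is left behind.
convert_hostkey() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT INT TERM
    cp "$SRC_KEY" "$work/ssh_host_rsa_key"

    # Step 2: rewrite as classic PEM, keeping the key unencrypted (-N "")
    if [ "$(key_format "$work/ssh_host_rsa_key")" != pem ]; then
        "$OPENSSH_KEYGEN" -p -N "" -m pem -f "$work/ssh_host_rsa_key"
    fi

    # Step 4: import into the RSIT format and derive the public key from it
    (cd "$work" &&
     "$RSIT_KEYGEN" -O ssh_host_rsa_key -o hostkey &&
     "$RSIT_KEYGEN" -D hostkey)

    # Steps 5 and 6: set ownership and modes, then move the pair into place
    chown root:root "$work/hostkey" "$work/hostkey.pub"
    chmod 600 "$work/hostkey"
    chmod 644 "$work/hostkey.pub"
    mv "$work/hostkey" "$work/hostkey.pub" "$DEST_DIR/"
    private_key_is_locked_down "$DEST_DIR/hostkey"
}

# The conversion runs only on request, so the file can also be sourced for
# its helper functions without touching any key.
if [ "${RUN_HOSTKEY_CONVERSION:-0}" = 1 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    convert_hostkey
    echo "hostkey installed in $DEST_DIR; restart the RSIT server and check its status"
fi
```

    Run it as root with RUN_HOSTKEY_CONVERSION=1, setting DEST_DIR for a relocated installation (e.g. DEST_DIR=/opt/rsit/etc), then restart the server as in step 7. If OpenSSH's ssh-keygen is no longer on the host, keep to the manual procedure and do the PEM rewrite on the other machine; key_format still tells you beforehand whether that rewrite is needed at all.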

4.0 Installation

For instructions that show how to install this update, see the Installation section in the Reflection for Secure IT UNIX Documentation guide.

Supported Platforms for Reflection for Secure IT UNIX

  • SUSE Linux Enterprise Server 15 (64-bit)

  • SUSE Linux Enterprise Server 12 (64-bit)

  • Red Hat Enterprise Linux 7 (64-bit)

  • Red Hat Enterprise Linux 8 (64-bit)

  • IBM AIX PowerPC 7.1

  • IBM AIX PowerPC 7.2

  • HP-UX on Itanium 11i v3

  • Oracle Solaris 11.4 (64-bit)

  • Oracle Solaris 11.4 (SPARC)