Release Notes for Version 2¶

Defect fixes¶

• Allow PROT command to be issued by a FTPS client before the USER command. [#3017][ftps]

• Fix an internal server error when the FTP specific AUTH command is issued by a client for a FTP service for which the FTPS extensions were not enabled. [#3017][ftps]

New features¶

• Added support for Solaris 10 on SPARC.

• server-commands command line tool was reorganized into sub-commands to improve readability of available options for each command.

• server-commands start options was added to help start the SFTPPlus Server on Unix and Linux as a daemon.

• Server SSH configuration is now initialized with an RSA key of size 2048.

• Added a version for generic x86_64 64bit Linux. This version is provided for testing purposes only. It is not supported for production use, where we advise you to deploy the version specifically built for your Linux distribution. Please contact us in case we don't have a release for your distribution yet.

• Add command line option to generate an SSL key and the associated certificate signing request / CSR.

• Add Web Manager option to generate an SSL key and the associated certificate signing request / CSR.

• Emit audit events when setting the representational type for FTP data.

Defect fixes¶

• Fix an internal server error generated by the HTTP and HTTPS service when displaying the failure message for removing files or folders with Unicode names. [#2777][http]

• Fix generating of passwords from command line on Windows. [#2782][windows]

• Database connection and database log handlers now stop after 10 consecutive failures. [#2738][database]

Deprecations¶

• --start option of server-commands command line tool was replaced by the start sub-command. It is still available to provide backward compatibility with previous init scripts, but will be removed in the next major release.

• server-commands command line tool was reorganized into sub-commands and the following commands were renamed:

  • --generate-uuid into generate-uuid

  • --validate into validate

  • --debug into debug

  • --manager into manager

  • --documentation into documentation

  • --generate-key into generate-ssh-key

  • --generate-password into generate-password

  • --start-in-foreground into start-in-foreground

  • --initialize into initialize

  • --migrate into migrate

• Remove support for RHEL 4. Please contact us if you still need to deploy on this RHEL version.

New features¶

• Support Solaris 11 for x86.

• Initial update for HP-UX 11iv3 support.

• Add support for ARM64 architecture on any Linux distribution providing the OpenSSL 1.0.X library.

• Update HTTP GET API for a folder to return content in JSON format.

• Update HTTP POST API for a folder to accept commands in JSON format.

• HTTP events with ID 40010, 40011, 40012 and 40013 were updated so that now path data will contain the actual file/folder which was removed/created and not the parent path.

• HTTP events with ID 40012 and 40013 are now emitted for each file which was removed and no longer aggregated into a single event.

• HTTP events with ID 40026 and 40027 are now emitted for each folder which was removed and no longer aggregated into a single event.

Defect fixes¶

• Fix an internal server error generated by the HTTP and HTTPS service for invalid requests originating from accounts authenticated using the external HTTP authentication method. [#2758][http]

New features¶

• Allow filtering source files for monitored folders based on glob or regular expressions.

• When a file is closed in SFTP or SCP include in the emitted event the mode in which the file was opened.

• Add experimental modular authentication method over HTTP. This allows authenticating external accounts over HTTP as well as implementing a high-availability / resilient authentication.

• Add a failure-critical group for events which should not occur during normal server operation.

• Add experimental HTTP POST hooks for events.

• Add a version for generic x86 Linux. This is only for testing and evaluation and is not supported for production use, where we advise you to deploy the version specifically built for your Linux distribution.

• Monitoring local folders is now an officially supported feature, provided as part of server side services.

• Add support of ARM64 (ARMv8-A/AArch64) CPU architecture on Ubuntu 14.04. Please contact us if want to use SFTPPlus Server on ARM64 with a different operating system.

Defect fixes¶

• Fix an internal server error generated by the FTP and FTPS service when a client issues a command which fails but then disconnects before receiving the command's response. [#2628][ftp][ftps]

• Allow EPSV command after EPSV ALL request. In previous versions all data connection command were denied, including EPSV. [#2566][ftp][ftps]

• Fix --validate server command option. [#2622]

• Convert transfer specific start/stop events into generic events for components. Changed events are: 20135 -> 20156, 20136 -> 20157, 20137 -> 20158, 20138 -> 20159 [#2639]

• Fix internal server error when receiving an invalid or not supported public SSH key from the client. [#2623][sftp][scp]

• Improve error logging when launching the server in debug mode. [#2615]

• Experimental event ID 60007, 60008, 60009 were change to generic external command execution.

• Fix Windows EventLog handler to record the IDs for events. In previous releases it was always using id 1. [#2676][windows]

• Fix an internal server error when removing from Web Manager a component which was already running. Introduced in 2.6.0. [#2684]

• Fix database logger memory usage footprint. In previous versions the database loggers consumed significant amounts of memory when a lot of events were logged. [#2413]

• Fix resetting the maximum failures count after restarting a database component. [#2736]

Deprecations¶

• protocol configuration option for a service was replaced with type configuration option. This should help create an uniform configuration process, in which each configurable object has a standard type option. For backward compatibility, protocol option still works but it will be removed in the next major release. [#2563]

• Experimental event ID 60011, 60019, 60020, 60021, 60022, 60023, 60024 were removed.

• We no longer provide support for Ubuntu Server on x86. For testing you can now use our generic Linux x86 version. If you still need Ubuntu Server x86 for production, please contact us and we will make it available to you.

New features¶

• Allow configuring SSH key authentication by directly associating public SSH keys with an account. Authorized public SSH keys can now be stored in configuration file, rather than on a separate file.

• Event monitors will automatically restart on configuration changes.

• Log an error when an account is configured with invalid public SSH keys [#998][sftp][scp]

• To prevent creating huge log files, the default configuration creates a log file which is automatically rotated at the end of the day.

• Allow importing/exporting public and private SSH keys (including encrypted private keys) to and from the following formats:

  • OpenSSH

  • SSH.com (Tectia SSH and other commercial implementations)

  • PuTTY

• Show public SSH key MD5 fingerprint when importing a public SSH key from Web Manager. [sftp][scp]

• Generate SSH keys from Web Manager. [sftp][scp]

• Allow configuring a static IP address to be advertised in the PASV response for the case when server is accessed from behind a NAT. [ftp][ftps]

Defect fixes¶

• Fix monitoring local files. [#2472]

• Use valid default values when creating a new SSH (SFTP/SCP) service from local manager. [#2485][sftp][scp][local-manager]

• Fix deleting read only files on Windows, or folders containing read only files. In previous versions, files were prevented to be removed with an access denied error. [#2467][windows]

• Fix keeping Web Manager session alive while web browser page is open. [#2532][local-manager]

New features¶

• Add support for Red Hat Enterprise Linux 7 x86_64 and CentOS 7.

• Add support for Apple OS X 10.8 Mountain Lion.

• Add configuration option to disable TLS version 1.1 and 1.2. In previous version TLS versions 1.1 and 1.2 were always enabled and there was no configuration option to disable them. There is no known vulnerability in TLS version 1.1 and 1.2 and for now, there is no reason to disable them. This option was added as a proactive measure in case a vulnerability is discovered in these versions.

• Allow refreshing the CRL stored as local file using the ssl_certificate_revocation_list_refresh configuration option.

Defect fixes¶

• Fix loading of CRL files from disk. [#2465][ftps][https][local-manager]

Deprecations¶

• Support for SSLv3 in FTPS and HTTPS services is discouraged due to the SSLv3 POODLE vulnerability. It is still possible to use SSLv3, but the server will emit a warning informing that SSLv3 is no longer secure and will be removed in future versions. When SSLv3 is still required, it is highly recommended to use a non-CBC cipher, for example RC4-SHA.

New features¶

• Add support for Ubuntu 14.04 LTS x86_64.

• Add support for FTP SITE CHMOD command on Unix and Linux.

• Add support for obsolete FTP commands XCUP, XCWD, XMKD, XPWD, XRMD as described in RFC 775.

• Add support for executing external command on files from monitored folders.

• Add an option to configure the amount of time after which a file is considered stable, if no changes are made to it.

Defect fixes¶

• FTP data channel stops accepting new connection as soon as FTP client connects to the data channel. In previous version the data channel stops accepting new connections only when the FTP client requested the close of data channel. This case should reduce the time a data channel port is used and allow it to be reused faster in another session. [#2354]

• For FTP transfer, fix a data channel error which was returned when a new data channel was requested after the previous requested data channel timed out. [#2354]

• Fix an internal server error when FTP client drops the connection during a transfer [#2355][ftp].

• Fix FTP text/ASCII transfer to Unix and Linux server [#1024][ftp].

New features¶

• Update support for Solaris x86_64. Solaris support was temporarily discontinued after version 2.0.0 was launched.

• Add new "force-stop" command for the Unix init script to be used when PID file would be missing or kill -9 is required to stop the server.

• Add dedicated configuration for databases used by the server to allow using the same database for both log handlers and activity reporting.

• Log handlers attached to a database are now configured using the shared databases configurations. The old method of directly configuring a SQLite or MySQL connection is obsolete.

• Last account login information is collected and available as a report from the Web Manager UI. Data is stored in a user definable database.

• Experimental feature to monitor local filesystem paths and audit changes to files and folders. See documentation for more info. In the next release, we plan to allow the execution of an external command based on observed changes.

• On Linux and Unix, add support for FTP SITE CHMOD command.

Defect fixes¶

• When upgrading the server on Windows, the existing configuration file is no longer overwritten.

• Fix ssh_authorized_keys_path expansion of username when placeholder has not been defined for group path. In the previous version, when a path for a group did not contain a placeholder, it was used as such, without appending the username. [#2199][sftp]

• Improve error reporting when failing to save configuration file, due to permissions errors. [#2193][local-manager]

Deprecations¶

• It is no longer possible to configure a log handler directly attached to a database. Due to this a log handler with type: sqlite or mysql is no longer supported. Those options are replaced by type: database. Users now have the option to configure a log handler with a shared database configuration.

New features¶

• Add support for downloading and uploading a single file using SCP. For now, SCP protocol is very limited and available as a preview.

• Add new configuration option to independently enable SCP or SFTP support inside the SSH service.

Defect fixes¶

• Fix an internal server error when SSH client requests to execute a command, a shell or a pseudo-terminal. [#2116][sftp]

Removals¶

• Event with ID 30049 emitted when trying to open a folder as a file was removed and replaced with the generic file open error ID 30044. [#2130][sftp]

Deprecation¶

• protocol: sftp for service configuration was replaced with protocol: ssh to permit configuring SCP protocol on same service/port as SFTP service. sftp still works and is an alias for ssh but it will be removed in the next major release.

New features¶

• Add support for uploading files with unlimited size over HTTP and HTTPS. This puts HTTP/HTTPS service capabilities in line with SFTP and FTP/FTPS services.

• Add support for application accounts for creating and reading symbolic links on Windows using SFTP protocol. On Unix/Linux symbolic link support was already available.

• Add connection limits for HTTP/HTTPS file transfer services and Web Manager service.

• Allow disabling account passwords from Web Manager.

• Add more details to audit trail when reporting failures for SFTP service.

• Add more details to audit trail when reporting failures for FTP/FTPS service.

• Add details for FTP active and passive data connection failures.

• Add development mode for Web Manager service to help audit Local manager code and actions.

• Fix a JavaScript error logged in browser console while applying changes for services.

Defect fixes¶

• Fix page not found error generated while configuring a Windows EventLog from Web Manager.

• Fix FTP/FTPS service for listing folders with names similar to FTP globbing expressions.

• Fix configuring idle_connection_timeout to a disable value from both configuration file and Web Manager.

• Fix disabling of maximum connection limit from Web Manager for all services.

• Fix FTP/FTPS service for listing folders with names similar to FTP globbing expressions.

• Fix an error in FTPS service reconfiguration where FTPS service failed after Explicit FTPS was enabled.

• Fix accessing files over HTTP/HTTPS service for operating system accounts which are not locked inside home folder.

• Add account name to SFTP disconnect event (id 30015) for connection which are authenticated.

• Fix a condition in which SFTP subsystem closed event (id 30012) was emitted twice.

• In Unix and Linux fix listing of symbolic links to folder using the same visual identifier as normal folders.

New features¶

• Add initial public version of HTTP and HTTPS file transfer service. See documentation for more details.

• Windows installer generates an install log file called install.log. The file is saved in the installation folder.

Defect fixes¶

• Improve Unix init script together with improving documentation installation procedure on Unix.

New features¶

• Add support for AIX 5.3 (L6 and above) operating system.

• Add support for authentication legacy SFTPPlus WebAdmin accounts based on ssh keys. This requires a version of SFTPPlus WebAdmin greater than 1.7.0.

Defect fixes¶

• Fix intermittent errors when displaying audit log from a MySQL database.

• Use CR/LF as line terminator for all file-based loggers on Windows systems.

• Mask clear passwords in audit entries.

New features¶

• Add a graphical user interface for managing SFTPPlus.

• Add support for FTP APPE command. For more details consult the IETF RFC 959.

• Implement globbing for FTP NLST and LIST commands. Globbing support is limited to Unix Shell wildchars * , ? , [ and ].

• Add –-generate-uuid command line options to generate UUIDs.

• Add --validate command line options to server-commands to validate server configuration.

• Add –key-comment command line options to server-commands to allow specifying a comment for the generated SSH public key.

• [windows] Allow automatically creating missing home folders for OS accounts with a custom owner and group.

• [windows] Added links to local manager and documentation in start menu on Windows at installation.

• Allow sending log entries to remote HTTP server using HTTP Post requests.

• Use a generic HTTP POST request for sending logs to legacy SFTPPlus WebAdmin.

• Add support for storing server logs inside a database. MySQL and SQLite are supported.

• Allow configuring an arbitrary number of log handlers, including multiple log handlers of the same type.

Defect fixes¶

• SFTP errors are reported with specific event IDs and details instead of internal server errors.

• When requesting a file open operation on SFTP the action will emit a single signal (log entry) containing information about both action result and result file open mode. In previous versions 2 signals were emitted at file open.

• When starting the server in debug mode, the configured loggers are no longer disabled. A logger to standard output is added on top of configured loggers.

• When the server fails to launch a service at startup, it will log an error and continue to try loading the other services. In previous version, the startup was aborted as soon as a service was failing to start. The server will still abort the startup if no service was started.

• [unix] Fix launching the server as an Unix daemon.

• Fix reporting of timeout errors for passive connections.

• Fix reporting of errors for PORT command with address in bad format.

• Internal error report for FTP service error now shows full command which triggered the error condition.

• With the introduction of Web Manager GUI and managing services without restarting the server, the enable configuration option for a service was updated to configure if the service should be automatically started at server startup.

• [windows] The SFTPPlus service is stopped gracefully, both on system shut down and when stop command is received via the Services Management Console.

• Allow sending log entries to remote HTTP server using HTTP Post requests.

Upgrade information¶

With the move to dynamic log handlers, all configuration option from [log] section are ignored and new log handlers are required to be configured.

The upgrade procedure will depend on the current version installed:

• If you have installed Server 2.0.X, you only need the upgrade steps specific for version 2.1.0.

• If you have installed Server 1.8.X or 1.7.X then you need to uninstall the previous version, install the new version and follow all upgrade steps since your version up to version 2.0.1

The upgrade steps involve only updating the configuration files and for most customers will be straightforward. We will guide you as necessary.

Upgrade information¶

Due to the configuration changes that were merged in this version, the upgrade from any previous version of SFTPPlus Server to version 2.0.0 can only be done by uninstalling the product and installing the new version.

The following manual changes are required for the 'configuration/server.config' file:

• configuration/server.config has been renamed to configuration/server.ini. Having .ini extension, the configuration file should be automatically associated with a text editor. The rename is optional on Unix/Linux since the Unix init script can work with any filename.

• [services], renamed to [server]

• Removed services_ prefix from all configuration options.

• The new [server] section has new attributes uuid, name, description. For more details see documentation.

• Renamed APPLICATION_GROUP to DEFAULT_GROUP.

• DEFAULT_GROUP is automatically associated to all accounts for which a group was not explicitly defined. These are operating system accounts not defined in the configuration file or legacy SFTPPlus WebAdmin accounts.

• OS_GROUP is now a normal group and accounts are not automatically associated to this group. We recommend renaming it to 'os_group' to hint that it is just a normal.

• ${DEFAULT_GROUP} placeholder was renamed to ${DEFAULT_OS_GROUP}. The new name should make it clear that it is referring to a group name as defined in the operating system.

• ${DEFAULT_USER} placeholder has been renamed ${DEFAULT_OS_USER}. The new name should make it clear that it is referring to an account name as defined in the operating system.

• Services configuration are now defined using a new section marker. Each service has now an universally unique identifier (UUID) and a human readable short name. This allows rename operations and operating multiple services in a cluster environment. For more details see documentation.

  For example to update the service configuration for a service named ftp-partners having the following configuration:

  [ftp-partners]
  service_enabled = yes
  

  update it as:

  [services/550e8400-e29b-41d4-a716-446655440000]
  name = ftp-partners
  enabled = yes
  

• Service configuration options have been moved from dedicated files into the main configuration file. All configuration options for the [service] section of each service configuration file need to be copied inside the dedicate section for each service.

  Here is an example of service section definition for an FTP protocol:

  [services/550e8400-e29b-41d4-a716-446655440000]
  name = ftp-partners
  enabled = yes
  
  ; Protocol options copied from configuration-server/ftp-service.config file.
  banner = Welcome to the FTP/FTPS Service.
  passive_port_range = 9000 - 9200
  

• Groups and accounts configuration have been moved from dedicated file into the main configuration file. All accounts and groups should now have an associated UUID. For more information please check the dedicated documentation.

• Configuration sections for groups are now in the format [groups/550e8400-e29b-41d4-a716-446655440001], and group name has been as a configuration option. 550e8400-e29b-41d4-a716-446655440001 is the group unique ID.

• Configuration sections for accounts are now in the format [accounts/550e8400-e29b-41d4-a716-446655440000] and account name has been moved as a configuration option. 550e8400-e29b-41d4-a716-446655440000 is the account unique ID. This allows renaming for accounts.

  Here is an example of new account definition:

  [accounts/550e8400-e29b-41d4-a716-446655440000]
  name = john
  type = application