WinSSHD Version History

Changes in WinSSHD 5.18:    [ 26 May 2010 ]

  • WinSSHD now supports synchronization of WinSSHD-configured user authentication public keys with public keys managed by Windows account users through ~/.ssh/authorized_keys. If the administrator enables this option in WinSSHD advanced settings, and the "authorized_keys" file is present in the ".ssh" subdirectory of the user's Windows profile directory, then WinSSHD will read that file when the user logs off, and synchronize the user's public keys in WinSSHD settings with the keys as contained in the file. This feature is enabled by default on new installations, and can be enabled manually on upgraded installations.
  • WinSSHD will now properly send the chosen listening port number to a client that requests server-to-client tunneling on port 0.
  • Firewall service initialization compatibility improvements.
  • Unless configured otherwise, WinSSHD will now load the logged on account's Windows profile before starting the SFTP or SCP subsystems.
  • The WinSSHD virtual filesystem provider for SFTP and SCP now supports an additional optional parameter named "ShowHidden". Setting it to "No" causes WinSSHD to omit files and directories with the Hidden attribute from directory listings sent to the client.
  • CuteFTP appears to not support SFTP directory entries that lack a modification time. WinSSHD now attempts to detect connections from CuteFTP clients and in that case sends a dummy modification time for mount point directories.
  • WinSSHD now supports the "xterm-new" terminal type, which is requested by some clients.
  • WinSSHD now supports the "env" channel request for "exec" and "shell" subsystems. This allows clients that also support this request type to set environment variables before remotely executing a program or shell. This feature can be enabled or disabled on a per-user and per-group basis.
  • The terminal console subsystem will now properly handle alternative F1-F4 key sequences as sent by PuTTY.
  • WinSSHD will now reset the password for the WinSSHD_VirtualUsers account if Windows returns the error code ERROR_PASSWORD_EXPIRED. Previously, virtual user login would fail due to this error if a Windows password expiration policy was in place and WinSSHD had been running for longer than the password expiration period configured in Windows.
  • WinSSHD will now only create the WinSSHD_VirtualUsers account if there are any virtual users configured. If created, the account will be disabled automatically when WinSSHD is stopped, and re-enabled when WinSSHD is started.
  • WinSSHD 5.15 introduced a change where connections that do not result in successful authentication would automatically be penalized towards IP blocking. This may have introduced problems for installations that receive many such connections from IP addresses that should not be blocked, due to e.g. network monitoring. WinSSHD now has a new setting to control whether such connections should or should not be penalized towards IP blocking.
  • Fixed WinSSHD Settings user interface issue where the account or group object selection dialog would fail to open on some Windows versions. (The account or group name could still be entered manually, as in previous WinSSHD versions that did not feature the object selection dialog.)
  • WinSSHD Control Panel and Settings UI preferences are now saved in such a way that the persistent tray icon and other features can be disabled machine-wide (rather than per-user) with an HKEY_LOCAL_MACHINE-based registry setting.
  • Other WinSSHD Control Panel and WinSSHD Settings user interface fixes.
  • Improved WinSSHD installer resilience to the WinSSHD Control Panel being slow to exit when upgrading.

Changes in WinSSHD 5.15:    [ 9 February 2010 ]

  • Fixed more issues with management of the Windows Firewall. On Windows XP and 2003, the Windows firewall may not yet be available for configuration even if the firewall service is already running. On system startup, WinSSHD now accounts for this possibility and retries configuring the firewall when ready.
  • UPnP NAT configuration now uses a smaller but dynamically increasing retry delay to speed up NAT setup during system startup.
  • Authentication: connections that do not result in at least one successful authentication method (but not necessarily complete logon) will now be penalized towards IP blocking the same way as a failed password login attempt.
  • Fixed a rarely occurring issue of process exit code not being reported to the client after remote program execution completes.
  • WinSSHD Settings now allows users and groups to be verified or searched for using the Windows "Select user or group" dialog.
  • Fixes for several WinSSHD Control Panel user interface glitches.
  • SFTP: When encoding long file paths in SFTP version 3, the detailed time format will now be used if the file time is less than half a year ago. Previously, the cut-off date for datetime format choice was the beginning of the current year.
  • SFTP: The Windows error code ERROR_NOT_READY will now be more properly relayed to the client as the SFTP error "no media".
  • SFTP: A '..' entry will now be added to directory listings sent to client, except when listing the root directory.
  • Most log events related to client-side port forwarding are now categorized as info messages rather than warnings. Failure events related to server-side port forwarding remain warnings.
  • The WinSSHD installer wasn't resolving the -settings=... file path correctly if a relative path was used. An absolute path had to be used in order for this parameter to work. Fixed so that relative paths will now work, too.

Changes in WinSSHD 5.12:    [ 24 December 2009 ]

  • Fixed a problem in a core library which caused SFTP sessions to terminate with an exception on a significant proportion of servers.

Changes in WinSSHD 5.11:    [ 20 December 2009 ]

  • The WinSSHD Control Panel now provides a simplified view of WinSSHD settings as "Easy settings". The full WinSSHD settings continue to be available as "Advanced settings".
  • The WinSSHD settings interface now supports in-line editing of fields in a table view.
  • Improvements in Windows Firewall support, especially for better compatibility with Windows 7.
  • WinSSHD now allows configuring connections to Windows file shares without requiring that the shares be mapped to a local drive. A share can now simply be configured so that it can be accessed in the SSH session, using its UNC path, without requiring further authentication.
  • WinSSHD would previously fail to remove firewall exceptions for server-to-client port forwardings when the SSH session closed. Fixed.
  • WinSSHD executables now have data execution prevention (DEP) and address space layout randomization (ASLR) enabled.
  • WinSSHD will now request the authenticating client to set a new password if Windows returns the "password expired" error code. Previously, this was only done when Windows returned the "password must change" error code.

Changes in WinSSHD 5.10:    [ 13 October 2009 ]

  • Fixed a public key signature verification issue, where verification of a valid signature would fail in about 0.4% of valid public key authentication attempts.
  • Server-to-client port forwarding sockets are now created with the SO_REUSEADDR flag. This appears to fix a problem where Windows would not release an S2C listening socket after it has already been closed, preventing a reestablished client session from being able to listen on a port.
  • When WinSSHD starts, it sets a long, cryptographically random password for the Windows account used for WinSSHD virtual accounts. When account password complexity requirements were enabled in Windows, previous WinSSHD versions could sometimes fail to start in the event that the long, randomly generated password violated a complexity requirement. WinSSHD should now generate passwords that are not only cryptographically secure, but also always meet all the requirements.
  • SFTP: for improved compatibility with SFTP v3 clients, the SSH_FXP_NOSUCHPATH status code is now translated to SSH_FXP_NOSUCHFILE.
  • Improved reliability of the WinSSHD uninstallation and upgrade process. Implemented workarounds to interference of other programs during uninstallation or upgrade.

Changes in WinSSHD 5.09:    [ 18 August 2009 ]

  • The SFTP/SCP subsystems now support the advanced filesystem provider setting 'FileShare'. When set to 'Disabled', WinSSHD will not allow other applications to access files while they are being held open by the file transfer client.
  • Fixed issue with advanced filesystem provider settings introduced in version 5.06.

Changes in WinSSHD 5.08:    [ 29 July 2009 ]

  • SFTP/SCP: when a user's mount points are configured so that the user can access all drives, the user can now also access arbitrary shared folders, without requiring such shared folders to be pre-configured as mount points. File shares can be accessed with paths of the form "/computer/share/dir/file". Computer names must be longer than 1 character to distinguish them from local drives, which are accessed with paths of the form "/c/dir/file".
  • SFTP: implemented compatibility workaround for buggy GNOME Nautilus SFTP client.
  • The WinSSHD Control Panel contained a GUI handle leak which would cause user interface issues if the WinSSHD Control Panel was left running with pop-up notifications enabled and many notifications were displayed. Fixed.
  • In previous 5.xx versions, the on-logon and on-logoff command would only work with batch files if they were executed with two nested instances of the command interpreter ("cmd /c cmd /c batchfile"). Process creation flags are now adjusted so that batch files will execute correctly with a single "cmd /c".

Changes in WinSSHD 5.07:    [ 20 July 2009 ]

  • The WinSSHD Control Panel now supports a persistent mode where it will launch automatically on login and stay in the system notification area if closed using the X button. This allows an administrator to receive pop-ups about WinSSHD activity without having to manually launch the WinSSHD Control Panel every time.
  • Logging: fixed issue introduced with the firewall management feature in 5.06, where unnecessary errors were logged if the Windows Firewall was off, even if firewall management was disabled in WinSSHD Settings.
  • SSH: the session inactivity timeout was effectively doubled in versions 5.05 and 5.06. Fixed.
  • SFTP: added workarounds to support OpenSSH link creation handling, which exhibits behavior at odds with the SFTP draft.
  • Terminal: reduced excessive use of hide, show, and move cursor instructions.
  • Terminal: added terminal name 'tty' as an alias for 'dumb' (no terminal emulation).

Changes in WinSSHD 5.06:    [ 18 June 2009 ]

  • The WinSSHD Control Panel now features an additional Activity tab which displays recent SSH server activity in a more casual and accessible form than full log files.
  • When running, WinSSHD Control Panel can now display popup notifications on the Administrator's desktop when various types of SSH session activity occur.
  • The WinSSHD Control Panel now features its own log file folder viewer, to work around a UAC issue that could obstruct opening of the log file folder through Windows Explorer.
  • A remote version of the WinSSHD Control Panel can now again be used to administer WinSSHD remotely, using Tunnelier 4.29 or newer.
  • SFTP/SCP: WinSSHD now supports read/write/delete access restrictions for mount points, allowing more configurations to be expressed fully using virtual accounts and mount point settings, instead of involving separate Windows accounts and NTFS permissions.
  • SFTP/SCP: added advanced setting 'OwnerGroup' to disable sending of owner and group information to clients, and to ignore these data when they are received. Intended to resolve issues where files end up with undesired owners after transfer.
  • SFTP/SCP: added advanced setting 'OnDirPermissionDenied'. If set to ShowEmpty, WinSSHD will send an empty directory listing instead of an error if the client attempts to list a directory it is not permitted to access.
  • SFTP/SCP: fixed a path concatenation problem which was discovered with SecureFX 6.1.2.
  • WinSSHD can now be configured to automatically open ports in the Windows firewall, as well as to automatically configure UPnP-compatible routers to forward connections to the server running WinSSHD.
  • Added a setting which controls whether, as in previous versions, WinSSHD should use only a short list of trusted Windows Sockets Layered Service Providers (LSPs), promoting stability, but at a possible expense of connectivity; or whether WinSSHD should use any LSP, promoting connectivity, but at the possible expense of stability.
  • Increased stack sizes for WinSSHD components that use sockets, for increased compatibility with third-party Windows Sockets Layered Service Providers that use stack less efficiently than the default Windows provider.
  • Third-party product Net::SSH::Perl contains a bug where packet padding length is interpreted as a signed value (-128...127) instead of as an unsigned value (0...255). This prevented interoperability with WinSSHD 5. Reduced minimal packet size from 200 to 80 bytes to avoid this issue.
  • WinSSHD will now launch terminal consoles with small fonts, so that larger terminal windows can be supported.
  • Fixed a terminal compatibility issue with the 64-bit version of Windows 7.
  • Fixed behavior of the PgUp key under terminal.
  • On 64-bit platforms, WinSSHD will now launch any on-logon and on-logoff commands with WoW64 file system redirection disabled.
  • A number of user interface improvements and fixes in WinSSHD Settings and WinSSHD Control Panel.
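
The Net::SSH::Perl padding-length entry above, worked through as an added example (not code from WinSSHD or Net::SSH::Perl): an SSH binary packet padded to a minimum size is parsed once with padding_length as an unsigned byte and once as a signed byte. It assumes a 16-byte cipher block and that the minimum size counts the whole packet including the length field; the function names are illustrative.

```python
import struct

MIN_PADDING = 4   # RFC 4253 section 6: at least four bytes of padding
BLOCK = 16        # assumed cipher block size (e.g. AES)


def build_packet(payload: bytes, min_packet_size: int) -> bytes:
    """Build an unencrypted SSH binary packet padded up to min_packet_size.

    Layout (RFC 4253): uint32 packet_length, byte padding_length,
    payload, padding. The whole packet is a multiple of BLOCK bytes.
    """
    unpadded = 4 + 1 + len(payload)
    total = max(unpadded + MIN_PADDING, min_packet_size)
    total += -total % BLOCK                    # round up to a block multiple
    pad_len = total - unpadded
    if pad_len > 255:
        raise ValueError("padding_length must fit in one unsigned byte")
    packet_length = 1 + len(payload) + pad_len
    # Zero bytes stand in for the random padding a real sender would use.
    return struct.pack(">IB", packet_length, pad_len) + payload + bytes(pad_len)


def parse_payload(packet: bytes, signed_padding: bool) -> bytes:
    """Extract the payload; signed_padding=True reproduces the signed-byte bug."""
    fmt = ">Ib" if signed_padding else ">IB"   # 'b' = -128..127, 'B' = 0..255
    packet_length, pad_len = struct.unpack_from(fmt, packet)
    payload_len = packet_length - pad_len - 1
    if (pad_len < MIN_PADDING or payload_len < 0
            or 4 + packet_length != len(packet)):
        raise ValueError(f"bad padding_length {pad_len}")
    return packet[5:5 + payload_len]


def max_padding(min_packet_size: int) -> int:
    """Largest padding_length produced for payloads of 0..63 bytes."""
    return max(build_packet(bytes(n), min_packet_size)[4] for n in range(64))


if __name__ == "__main__":
    msg = b"\x15"                              # SSH_MSG_NEWKEYS, a 1-byte payload
    for minimum in (200, 80):
        pkt = build_packet(msg, minimum)
        print(f"minimum {minimum}: padding_length byte = {pkt[4]}, "
              f"largest possible = {max_padding(minimum)}")
        try:
            parse_payload(pkt, signed_padding=True)
            print("  signed-byte parser: ok")
        except ValueError as exc:
            print(f"  signed-byte parser: {exc}")
```

With a minimum of 80 bytes every padding length stays below 128, so the signed and unsigned readings agree.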

Changes in WinSSHD 5.05:    [ 19 January 2009 ]

  • WinSSHD now uses LDAP instead of the WinNT ADSI provider to look up domain account information. Nested domain group memberships are now recognized and supported. The domain controller must now be Windows 2000 or newer - Windows NT4 domain controllers do not support LDAP.
  • The WinSSHD service will now be restarted as part of an upgrade or reinstallation if the service was previously running.
  • The SFTP and SCP subsystems now recognize Windows paths (rather than strictly SFTP paths) when users try to use them.
  • In some cases, the SFTP and SCP subsystems were unable to list a root directory (e.g. C:\) when passing a long-path search pattern to Windows. A short-path is now used for root directories instead.
  • The SFTP subsystem now correctly encodes the POSIX permission part of the LongName field.
  • Fixed timestamp decoding issue which caused SCP uploads to fail when the -p flag (preserve time and mode) was used.
  • Improved compatibility with clients such as JSch which read the wrong SFTP field when querying for a filename.
  • Fixed a bug which caused the SSH session to terminate if a server-to-client forwarded connection failed to open.
  • The WinSSHD terminal subsystem failed to capture the output of 64-bit console programs when running on 64-bit Windows. Fixed.
  • Programs started via an SSH session can now use environment variables SSH_CLIENT and SSH_CONNECTION, which are compatible with OpenSSH.
  • The SshDisconnect.ConnectionLost event is now properly logged as an information message rather than a warning.

Changes in WinSSHD 5.04:    [ 18 December 2008 ]

  • When launching a child process, WinSSHD uses the Microsoft Windows API function CreateEnvironmentBlock() to set up environment variables for the new process. On 64-bit versions of Windows, this function has an issue in that it fails to set up several environment variables which are needed to execute some programs and load some DLLs. WinSSHD now works around this issue by making sure that those environment variables are properly set. This will help users who are having trouble starting certain applications from within an SSH session on 64-bit Windows.

Changes in WinSSHD 5.03:    [ 28 November 2008 ]

  • WinSSHD Control Panel now supports selecting multiple sessions in the Sessions tab.
  • Virtual accounts: When configuring the built-in Windows account for virtual users introduced in version 5.02, WinSSHD would use a hardcoded name for the 'Users' group instead of looking up the correct group name for the current language version of Windows. Fixed.
  • Virtual accounts: WinSSHD would not run if it failed to create the Windows account for virtual users. Fixed - if account creation fails, only a warning will be logged now.
  • SSH: common socket closing error codes were being logged as warnings instead of regular info messages. Fixed.
  • SCP failed to send an exit code in some cases. Fixed.
  • SFTP and SCP: Use of POSIX permissions is now disabled by default. Clients would send POSIX permissions which caused uploaded files to be inaccessible on the server. If you wish your clients to be able to set POSIX permissions, configure the specific mount point where this should be supported, by adding the advanced filesystem provider setting 'PosixPermissions' with value 'Enable'.
  • Exec requests: An exec request preceded with a terminal request will now open with terminal emulation, but a terminal request with an empty terminal string or for terminal 'dumb' will be treated as if no terminal request was sent. This brings WinSSHD 5.03 behavior in line with recent WinSSHD 4.xx versions.
  • Port forwarding: fixed an issue where a server-to-client port forwarding socket might not be closed, causing subsequent attempts to accept connections on that port to fail until WinSSHD was restarted.

  • SSH: Implemented mitigation for the recently discovered probabilistic CBC cipher vulnerability, which permits an attacker with full control over the TCP link, positioned between the client and the server, to extract up to 4 bytes of plaintext from an SSH session if a CBC cipher is used, at the expense of causing the SSH session to break. The attack requires the attacker to break the session about 100,000 times for each successful plaintext extraction attempt. An attack attempt can therefore be detected easily.

    Our mitigation in WinSSHD 5.03 attempts to thwart this attack by denying the attacker any means of distinguishing a successful attempt from an unsuccessful one. This only protects data flowing in the direction to WinSSHD (e.g. the client's password). Clients which do not implement similar mitigation can still allow this attack to succeed, when CBC is used, for data flowing from WinSSHD.

    To fully prevent this attack, use CTR ciphers (supported by all WinSSHD 5.xx versions).

  • Added support for additional alternative Microsoft Firewall Client 2004 Layered Sockets Provider IDs for compatibility with more versions of this client.
  • WinSSHD 5.xx uses fibers with small stacks, which has been causing trouble for people with third-party or OEM software such as network providers that load themselves into WinSSHD, assume the stack is large, and cause WinSSHD to crash. We increased the stack sizes of a few WinSSHD components to prevent this from occurring with the programs that were reported to us.
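
For the CBC entry above and its advice to use CTR ciphers, an added example (not WinSSHD code) of the RFC 4253 cipher selection rule, showing that a server which still offers CBC lets the client's preference order choose it. The server and client cipher lists are constructed samples, not WinSSHD defaults or settings syntax.

```python
from typing import Dict, List, Optional


def negotiate(client_list: str, server_list: str) -> Optional[str]:
    """RFC 4253 section 7.1: pick the first cipher on the client's
    name-list that the server also offers; None means no common cipher."""
    offered = server_list.split(",")
    for name in client_list.split(","):
        if name in offered:
            return name
    return None


def is_cbc(cipher: Optional[str]) -> bool:
    return cipher is not None and cipher.endswith("-cbc")


def cbc_exposed(server_list: str, clients: Dict[str, str]) -> List[str]:
    """Names of the clients whose sessions would be encrypted with a CBC cipher."""
    return sorted(name for name, prefs in clients.items()
                  if is_cbc(negotiate(prefs, server_list)))


# Constructed server offers: one still listing CBC after CTR, one CTR-only.
WEAK_SERVER = "aes128-ctr,aes256-ctr,aes256-cbc,aes128-cbc,3des-cbc"
HARDENED_SERVER = "aes128-ctr,aes256-ctr"

# Constructed client preference lists (hypothetical client names).
CLIENTS = {
    "legacy-client": "aes128-cbc,3des-cbc",
    "mixed-client": "aes256-cbc,aes128-ctr",
    "modern-client": "aes128-ctr,aes256-ctr,aes128-cbc",
}

if __name__ == "__main__":
    for label, server in (("weak", WEAK_SERVER), ("hardened", HARDENED_SERVER)):
        print(f"{label} server offer: {server}")
        for name, prefs in CLIENTS.items():
            chosen = negotiate(prefs, server)
            note = "no common cipher, connection refused" if chosen is None \
                else ("CBC in use" if is_cbc(chosen) else "ok")
            print(f"  {name:14} -> {chosen} ({note})")
```

Listing CTR first on the server does not help "mixed-client", because the client's order decides; only removing the CBC entries from the server's offer guarantees CTR, at the cost of refusing clients that support nothing else.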

Changes in WinSSHD 5.02:    [ 2 November 2008 ]

  • WinSSHD now automatically creates a local Windows account for virtual users. Virtual users can now be configured without having to explicitly create and configure a backing Windows account, and without having to seed it in the WinSSHD password cache. This feature is however unavailable on domain controllers, because there are no local accounts on a domain controller, so WinSSHD cannot create one.
  • The terminal subsystem now supports the F8 key for command history.
  • WinSSHD can now write its textual log files in CSV (comma-separated values) format, with a single line per log entry. Enabling the CSV format in WinSSHD Settings can make it easier to process log files in bulk.
  • The WinsshdCfgManip COM object is now implemented as an out-of-process COM server rather than an in-process DLL. This avoids path problems with loading the FIPS cryptographic DLL into a process where the main executable resides in a different directory.
  • Added the MS Firewall Client 2004 Windows Sockets Layered Service Provider to the list of LSPs that WinSSHD will trust to use. This enables port forwarding for users who have this firewall client installed.
  • The WinSSHD Control Panel can now be started with the '-startMinimized' parameter, which will put it into the system tray - useful for users who need quick access to monitor SSH sessions.
  • SSH: fixed key re-exchange issue where the session would hang because higher-level packets weren't being buffered during key re-exchange.
  • SFTP and SCP: the file transfer subsystems will now use root ('/') as the default home directory if the home directory configured in settings does not exist.
  • SFTP version 3: fixed decoding of time values, which prevented SFTP version 3 clients from setting file times.
  • SFTP version 6: fixed encoding and decoding of ACLs.
  • The on-logoff command was being executed prematurely. Fixed.
  • Improved diagnostic logging facilities.
  • We spent several weeks on this release trying to determine why some of our customers are experiencing major slowdowns with WinSSHD version 5 relative to WinSSHD version 4, e.g. a transfer speed of 5 MB/s slowing down to 0.5 MB/s. We made several minor performance improvements in the process, but have been unable to reproduce this drastic slowdown in testing. In the environments we tested, WinSSHD 5 regularly delivered on the order of 10 MB/s. If you experience slow transfer speeds and wish to help us determine the cause of this problem, please contact us. Version 5.02 implements logging facilities that, if enabled, could provide us with the data we need.

Changes in WinSSHD 5.01 (gamma):    [ 12 September 2008 ]

  • Fixed all known outstanding issues in WinSSHD 5.00, including compression, virtual accounts, non-profit use, importing and exporting keypairs, SSH session reliability, memory footprint, logging.
  • This release should now be orders of magnitude more stable than 5.00 beta. To the extent that new issues arise, they are now expected to be fewer and rarer.
  • Should now be suitable for production testing. Deploy in monitored, controlled environments, and contact our tech support if any new issues arise.

Changes in WinSSHD 5.00 (beta):    [ 25 August 2008 ]

  • The WinSSHD terminal subsystem has been entirely rewritten, and now provides state-of-the-art terminal support with all terminal types. Now supports a wider variety of terminals, including ansi, cygwin, linux, scoansi, vt100, vt102, vt220, vt320, wyse50, wyse60, and xterm. When used with Tunnelier, bvterm will still be better in some aspects, but WinSSHD support for other terminals is now excellent, too.
  • The WinSSHD SFTP and SCP subsystems have been entirely rewritten, and now provide consistent access to a single virtual filesystem with multiple configurable mount points. A modular provider interface allows pluggable virtual filesystem providers to be written by third parties, to fit in seamlessly with existing WinSSHD mount points.
  • The WinSSHD Control Panel has been entirely rewritten, and now provides an interactive view of active SSH sessions, interactive control over WinSSHD IP blocking, support for multiple host keypairs and RSA keypairs, and better management of the password cache.
  • WinSSHD now uses the fully FIPS 140-2 validated, DLL version of Crypto++, and runs it in FIPS mode. WinSSHD now also uses a pluggable crypto provider model, which allows another cryptographic library to be substituted for Crypto++ without modifying WinSSHD itself, simply by replacing a DLL.
  • The SSH implementation has been entirely rewritten to implement a more flexible architecture and to untangle the SSH architecture from Crypto++. The new implementation is FlowSsh and is based on denis bider's Flow architecture.
  • WinSSHD can now be installed as a personal edition, which can be used free of charge by non-commercial, personal users, but limits access to organization-centric features:
    • No more than 1 group entry and 10 account entries can be defined in WinSSHD Settings.
    • Cannot login with domain accounts.
    • No support for GSSAPI authentication.

Older Versions

WinSSHD 4.xx Version History

WinSSHD 3.xx Version History