Bitvise SSH Server Version History

Changes in Bitvise SSH Server 6.24:    [ 17 February 2015 ]

  • Fixed an issue which would cause the SSH Server to stop with an assertion failure if it was configured to use a proxy profile for outgoing port forwarded connections with proxy type set to SOCKS4 and "Resolve locally" disabled.

Changes in Bitvise SSH Server 6.23:    [ 3 February 2015 ]

  • In versions 6.21 and 6.22, the file transfer subsystem would stall after uploading a file if the client's requested access disposition had to be adjusted due to configured mount point access permissions. Most significantly, SCP uploads would stall if the mount point permitted Read/Write/Delete New, but not Write Existing. In previous 6.xx versions, the transfer would complete, but an event would not be logged.
  • SCP upload no longer requires List permission to be enabled for the target virtual filesystem mount point. To upload new files via SCP, it is now sufficient to enable only Read/Write/Delete New. (However, in the event of an error, some error messages will be more accurate if List permission is granted.)
  • In the SSH Server Control Panel, on the Session tab, sorting sessions by account name is now case insensitive and Unicode-aware.

Changes in Bitvise SSH Server 6.22:    [ 31 January 2015 ]

  • The SSH Server now supports SSH protocol obfuscation, configured through Advanced settings > Bindings. The SSH Server can be configured to accept connections on some interface and port combinations with obfuscation, and others without. Only a client that also supports obfuscation can connect to an obfuscated binding. When supported and enabled in both the client and the server, obfuscation makes it harder for an observer to determine that the protocol being used is SSH.
  • Case insensitive name comparisons for virtual group names are now also Unicode-aware.
  • In version 6.21, the username blacklist feature would behave incorrectly, and cause all clients to be locked out if any username was blacklisted. Fixed.
  • In version 6.21, the SCP subsystem would hang on termination of an SCP session, and would have to be forcibly closed. Fixed.

Changes in Bitvise SSH Server 6.21:    [ 23 January 2015 ]

  • Statistics and quotas. Bitvise SSH Server now supports collection and monitoring of transfer and login statistics on a per-user, per-group, and server-wide basis. In Advanced settings, it is possible to configure users with upload and download quotas. If a user's quota is exceeded, the server can be configured to further restrict that user's bandwidth, or to deny connections until more quota is available.
  • Installer:
    • The installer's "-keypairs" parameter now also accepts keypairs in non-passphrase protected Bitvise, OpenSSH, and PuTTY export formats. Previously, only the SSH Server's internal format of the BvSshServer-Keypairs.wpk file was supported.
  • Control Panel and Settings:
    • When importing public keys, the SSH Server will now recognize and import text files with UTF-8 or UTF-16 byte order markers.
    • Fixed an issue which caused mouse wheel scrolling to stop working after expanding and collapsing some help texts.
    • When authorized_keys synchronization was enabled, or when an SSH client managed their public keys using the SSH public key subsystem, the SSH Server would incorrectly create duplicate account settings entries. Fixed.
    • The list that stores Windows account settings entries now implements static sorting, and can no longer be reordered.
    • The settings wizard launched after first installation will no longer be started if the installation was performed non-interactively, or if settings were already modified in another way after installation.
  • Slave-Master synchronization:
    • Slave synchronization sessions are now no longer subject to a session timeout, if it is configured.
  • SSH:
    • Delayed negotiation of zlib compression is now supported. If delayed compression is enabled in Advanced SSH server settings, the SSH Server will not advertise "zlib" compression upfront, but will start a second key exchange to negotiate compression after user authentication is successful, if the client indicated a preference for compression over no compression. A concerned administrator can enable this feature to reduce the server's exposure to unauthenticated attack in the event that an issue is found in the Crypto++ implementation of zlib compression, which our SSH implementation uses.
  • File transfer:
    • The SSH Server can now be configured to execute an On-upload command after a file is written to by an SSH client. The on-upload command can reference expanded parameters SSHUPLOADFILE and SSHUPLOADBYTES, as well as other environment variables. The command can execute a custom action, such as moving the uploaded file to a different directory, or invoking a third-party program to send a notification email.
    • Advanced mount point parameters FileWhitelist and FileBlacklist are now supported. Using these parameters, the server can be configured to block file operations (e.g. uploads, downloads, and renames) on files that match or do not match specific file name patterns (e.g. extensions).
    • In mount point settings for Windows accounts and groups in Advanced SSH Server settings, Windows accounts can now be configured to inherit mount points from multiple groups, instead of only the group from which the user normally inherits settings. This allows users to be granted access to a set of mount points A if they are in group 1; a set of mount points B if they are in group 2; and both sets of mount points if they are in both groups, without having to configure individual account settings entries.
    • Added CuteFTP to the list of clients that must be sent dummy modification time information when an actual modification time is not available. This works around an issue in CuteFTP which prevented it from displaying a directory listing when no root mount point was configured.
    • Added support for SFTP version packet extensions "supported2", "acl-supported", and "versions". Added support for "version-select" extended packet.
    • The SFTP STAT request now works with only List permission on the mount point, without requiring the Read permission as well.
  • Terminal:
    • The terminal server now sends window titles to xterm clients.
  • Port forwarding:
    • Sessions that attempted to register a large number of simultaneous server-to-client port forwarding rules could be terminated by an error. Fixed.
    • Fixed issues that would arise if a proxy was configured for outgoing connections; if an outgoing connection was attempted to a DNS name that resolved to multiple IP addresses; and if the first of the addresses could not be reached, so that another had to be attempted.
    • Fixed issues that could arise when transferring server-to-client port forwarding rules between sessions. Improved handling of transferred server-to-client port forwarding rules.
  • General:
    • The SSH Server will no longer stop if no interfaces are configured on which it can accept connections. The server will now continue to try to bind any configured listening interfaces, and wait for any settings changes, while the SSH Server Control Panel displays a warning notifying about this state.
    • Implemented improvements to environment variable expansion.
    • Dramatically improved handling of LOG_I_SERVICE_CONFIG_DESCRIPTION with large settings.
    • Most case-insensitive string comparisons in the SSH Server are now Unicode-aware. We nevertheless do NOT recommend using non-US-ASCII characters in security identifiers, such as account names. Unicode is ever-changing, and consistency of string comparisons for non-US-ASCII characters is not ensured.
    • Improved disconnection responsiveness and reliability.
    • BvRun now supports the "-w" flag. Providing this flag causes BvRun to wait until the child process has exited, and return its exit code plus 9000.

Changes in Bitvise SSH Server 6.07:    [ 4 May 2014 ]

  • Fixed issue where the SSH Server Control Panel would sometimes refuse to display its main window, especially on slow systems.
  • Rare crashing bug in the SSH Server Control Panel believed fixed. The Control Panel will now enumerate only its own windows, instead of unnecessarily enumerating all top-level windows. This should avoid the possibility that a window becomes invalid between enumeration and access.

Changes in Bitvise SSH Server 6.06:    [ 18 April 2014 ]

  • A change in version 6.05 triggered an issue where, after logging in, the Bitvise SSH Server Control Panel would open displayed instead of minimized, and would have to be minimized manually. Fixed.
  • In the terminal subsystem, the console history buffer now functions properly when the "discard old duplicates" mode is enabled on Windows Vista or newer.

Security Clarification:    [ 9 April 2014 ]

  • We have recently received many inquiries about whether our software is affected by the heartbeat vulnerability in OpenSSL (nicknamed "Heartbleed"). This vulnerability relates to a protocol we do not implement, and a code base that is independent of ours. None of our software shares common code with OpenSSL or OpenSSH.

Changes in Bitvise SSH Server 6.05:    [ 5 April 2014 ]

  • SSH server settings can now be imported additively, so that configurations from multiple SSH servers can be consolidated in a single SSH server installation.
  • In a master/slave configuration, slave servers can now be configured to connect occasionally, with a configurable average delay between connections, instead of maintaining a permanent connection to the master. This should help reduce load on master servers with a very large number of slaves.
  • Individual adjustment of channel window size has proven to be effective with JSCH-based clients, including Cisco appliances, which contain a race condition causing them to stall unless window size is frequently adjusted. Our SSH implementation will now adjust channel window size individually when communicating with JSCH-based software.
  • The less secure MD5-based and 96-bit message integrity algorithms are now disabled by default.

Changes in Bitvise SSH Server 6.04:    [ 11 February 2014 ]

  • Elliptic Curve support: ECDSA host keys and client keys, as well as ECDH key exchange, are now supported. Initially supported curves are secp256k1, nistp256, nistp384, and nistp521. When used with clients that also support ECDSA and ECDH, this is an improvement in effective cryptographic security from 80 - 112 bits of symmetric security, to 128 or more, depending on the curve chosen.
  • Installer:
    • A command line option is now available to abort installation if a specified warning occurs.
    • Full help text for installer exit codes is now available.
  • Control Panel and Settings:
    • Master/slave settings are now fully configurable from the command line using BssCfg, and programmatically using the BssCfgManip COM object.
    • Virtual account password expiration can now be configured on a per-account basis. If password change is disabled for the virtual account user, this can be used to configure virtual accounts with an expiry date.
    • For new Windows groups and new installations, the "Map remote home directory" and "Map remembered shares" settings are now enabled by default, to better meet initial user expectations when logging into a Windows account.
    • On Windows Vista and later, HTTP links are now opened in a non-elevated browser window.
    • Fixed an error which caused an assertion failure when a Remote Control Panel session fails due to packet overflow.
    • Fixed two slow GDI handle leaks that could lead to the Control Panel crashing in specific circumstances after running for a period of several weeks (e.g. in slave installations).
    • Dates are now displayed in a fixed YYYY-MM-DD format, so that lists containing date columns can be sorted by date regardless of Windows locale.
    • A newly added Listen rule in account settings entries will now have a default Accept rule entry. Previously, an Accept rule entry had to be configured manually for the Listen rule to allow any connections.
    • Improved log path links in Log folder viewer.
  • SSH session:
    • Improved disconnect handling, so that sessions are less likely to hang.
    • Username blacklisting is now supported. If a client attempts to authenticate with a username blacklisted by the server administrator (e.g. "root"), the originating IP address will be immediately locked out for the default IP blocking duration.
    • Implemented several adjustments to reduce the possibility of a channel blocking due to buffering and window adjustment issues.
    • The server will no longer try to create a window station and desktop when a virtual account is running in Local System context, avoiding a log warning.
    • Implemented several debugging features related to in-window size and window adjustments, to help investigate compatibility issues with JSCH-based clients that block during SFTP upload.
  • File transfer:
    • An SFTP success reply will now be sent without a description, cutting packet size by 39 bytes. This might improve compatibility with clients that send a large number of small write requests, but lack a large enough buffer to receive all status replies.
    • SFTP can now be limited to version 3 on a per-group and per-account basis, to allow focusing specifically on those users who connect with clients that require this.
  • Terminal:
    • For clients that do not support UTF-8, the terminal code page used by the server is now configurable on a per-group and per-account basis.
  • BvLsa authentication module:
    • Auditing and logging improvements.

Changes in Bitvise SSH Server 6.03:    [ 05 November 2013 ]

  • Utilities: The bvRun utility now supports specifying the command to run on the command line without having to enclose it as part of the -cmd="..." parameter.
  • Control Panel and Settings:
    • Settings pages are now easier to scroll using the mouse wheel.
    • Implemented accessibility improvements in SSH Server Control Panel and Settings.
    • Fixed an issue which could have caused the Log Folder Viewer user interface to become unresponsive if a third-party application was installed that sent an unexpected GUI message.
    • Version 6.01 implemented tolerance for importing invalid keys from a previous version of SSH server settings, but only for public keys stored under accounts. This handling is now extended to public keys stored under groups, as well.
  • Authentication: Implemented a workaround for a memory leak in lsass.exe, which would previously appear when handling SSH logins on recent Windows versions.
  • SSH session:
    • Implemented ability to log and debug changes in channel window sizes.
    • Fixed an issue which caused an SSH session to terminate prematurely if the client sent a characteristic SSH_MSG_DEBUG packet.
  • Exec requests: Implemented a workaround to improve compatibility with Git. The SSH server can now detect exec requests sent by Git, and convert any single-quoted strings into double-quoted strings that work on Windows.
  • Terminal: Fixed an issue with Home and End keys not working with PuTTY.
  • Installation: Fixed an issue which caused the uninstaller to incorrectly believe that a system restart is necessary in order to complete uninstallation.
  • File transfer: With clients that do not specify otherwise, the SSH server will no longer request exclusive write access when opening files the client requested to open for writing. This improves compatibility with clients that open multiple handles to a file and expect to be able to write to them simultaneously; and also, occasions when a client reconnects and attempts to resume a transfer when the server hasn't yet detected termination of the previous session.

Changes in Bitvise SSH Server 6.02:    [ 30 July 2013 ]

  • Fixed a command line parsing issue which prevented quoted parameters from working properly. Commands such as 'bvRun -brj -cmd="..."' now work correctly again.
  • Fixed logging of superfluous warnings related to firewall management, configuration synchronization, and password cache.
  • Fixed an issue which caused IPv6 bit masks to not be generated correctly when significant bits wasn't a multiple of 16.

Changes in Bitvise SSH Server 6.01:    [ 12 July 2013 ]

  • Control Panel and Settings:
    • Bitvise SSH Server now supports master/slave configuration. In clusters and large installations, one SSH server installation can be configured as the master, while secondary installations can be configured as slaves. The slaves will connect to the master, and automatically download and apply settings and configuration changes from the master.
    • Per-user bandwidth limits are now supported. The administrator can limit the maximum speed with which a user can transfer data to or from the server, either per session, or for all concurrent sessions from a user.
    • It is now possible to configure different IP address restrictions for incoming connections on a per-account or per-group basis.
    • Improved automatic router configuration to also support devices that expose only UPnP version 2.
    • File transfer speeds will now again be correctly displayed on the Activity tab. A bug caused file transfer speeds to not be displayed correctly in versions 5.50 - 5.60.
    • Improved memory consumption of SSH server settings when a large number of accounts are configured.
    • Improved support for Microsoft identity accounts (e.g. of the format ...@hotmail.com).
    • Improved backward compatibility when importing settings from versions 3.xx and 4.xx. Proxy profiles and SFTP root directories will now be properly imported from WinSSHD 3.xx. Any invalid public keys in account or group settings entries will now be skipped when importing from WinSSHD 3.xx or 4.xx.
    • BssCfg command line parameters are no longer case-sensitive.
    • The SSH Server Control Panel will now work correctly in high-contrast mode.
    • A warning dialog will now be displayed when the SSH server is started with the Windows Firewall management feature configured so as to restrict access to connections from the local subnet only.
    • Unblocking an IP address will now also clear records of previously failed authentication attempts, so that the next authentication failure will not immediately result in another blocking.
    • The automatic IP blocking feature now supports a configurable whitelist. Addresses entered into the whitelist will not be affected by automatic IP blocking.
    • The settings "Tolerate first window fault" and "Maximum subsequent fault bytes" have been obsolete since SSH server version 5.00, and have been removed.
  • Authentication:
    • The SSH public key management subsystem is now supported. Access to this feature can be enabled on a per-user or per-group basis in Advanced SSH server settings. Users for whom this feature is enabled can manage their public keys on the SSH server if they connect with a client that also supports this feature.
    • Improved the way the SID of the local computer is retrieved. Previously, Bitvise SSH Server would retrieve the wrong local computer SID if there was a local account with the same name as the computer. This would cause the SSH server to incorrectly treat local accounts as if they were domain accounts.
  • SSH session:
    • Improved CPU usage in the SSH server's core infrastructure. Transfer speeds in local loopback testing should now again be where they were in WinSSHD 4.xx. Users should see a decrease in the server's CPU consumption, given the same transfer speeds.
    • Re-implemented SSH session data buffering in order to improve responsiveness for slow clients.
    • Fixed an issue which would cause high CPU usage if the client closed a channel in a non-ready state.
    • The SSH protocol specification is unclear on whether the maximum packet size in the channel data packet refers to the whole packet, or payload only. Previously, Bitvise SSH Server used the interpretation that the size refers to payload only. This caused a compatibility issue with the Axway client. Our implementation has been changed to interpret the outgoing maximum packet size as referring to the whole packet.
    • Fixed issue which caused key re-exchange to not be triggered by the server after a one hour timeout. Key re-exchanges started by the client were still accepted, and key re-exchange was triggered by the server after 1 GB of data transferred.
  • Environment variables:
    • Advanced environment variable syntax is now supported in the same style as used by the Windows command interpreter, and as described in "help set". In addition to basic syntax (%SOMEVAR%), the following suffixes are supported: %SOMEVAR:~N%, %SOMEVAR:~N,M%, %SOMEVAR:findStr=replaceStr%, %SOMEVAR:*findStr=replaceStr%. This allows administrators to configure a single group-wide rule to map structured home directories. For example, a home directory structure such as M:\Home\a\Aaron, M:\Home\b\Benjamin, can be configured with M:\Home\%USERNAME:0,1%\%USERNAME%.
    • Child processes launched over an SSH session will now receive an environment variable named SSHSESSIONID, which can be used to identify the SSH session. Separate terminal sessions will still receive the same SSHSESSIONID if they are launched over the same SSH connection.
    • If SSH server settings permit the client to set environment variables, environment variables set by the client will no longer be used when expanding environment variables in terminal shell or exec request prefix strings configured in SSH server settings. Environment variables provided by the client will still be available to child processes started by the client.
  • Terminal:
    • Advanced environment variable syntax is now supported in the same style as used by the Windows command interpreter, and as described in "help set". In addition to basic syntax (%SOMEVAR%), the following suffixes are supported: %SOMEVAR:~N%, %SOMEVAR:~N,M%, %SOMEVAR:findStr=replaceStr%, %SOMEVAR:*findStr=replaceStr%. This allows administrators to configure a single group-wide rule to map structured home directories. For example, a home directory structure such as M:\Home\a\Aaron, M:\Home\b\Benjamin, can be configured with M:\Home\%USERNAME:0,1%\.
    • Child processes launched over an SSH session will now receive an environment variable named SSHSESSIONID, which can be used to identify the SSH session. Separate terminal sessions will still receive the same SSHSESSIONID if they are launched over the same SSH connection.
  • File transfer:
    • It is now possible to create multiple nested directories at the same time using a single "make directory" command.

Older Versions

Bitvise SSH Server 5.xx Version History

WinSSHD 4.xx Version History

WinSSHD 3.xx Version History