
Product Support Notice © 2006 Avaya Inc. All Rights Reserved.

PSN#: PSN000906u
Original publication date: 10-Aug-2006. This is Issue #4, published 12-Feb-2007
Severity/risk level: High
Urgency: Immediately
Name of problem: Secure Shell (SSH) Telnet and/or FTP applications
Products affected: Proactive Contact 3.0, Predictive Dialing System 12.0, Campaign Analyst 4.0, Campaign Director 4.0

Problem description

You can create a channel between the Avaya Proactive Contact server(s), host(s), and clients. Use this channel for sending any data using the forwarding feature. SSH supports a variety of authentication methods. Data is protected with multiple symmetric algorithms that use the negotiated at the beginning of an SSH session. Both the and the server can authenticate each other to enhance security against different kinds of attacks. You can change the default telnet and ftp application configuration for Avaya Proactive Contact to use an SSH application.

NOTE: On PDS systems, Administration Manager uses FTP to transfer files to the HP-UX server. It does not support SFTP. You can use SFTP for file transfers (customer downloads/uploads), but FTP cannot be turned off if Administration Manager is to be used. There is no workaround for Administration Manager.
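The note above means that on a PDS system FTP stays enabled while telnet can be retired once SSH is working. The following is an added example, not Avaya's code, that audits an inetd.conf-style file for cleartext services that are still enabled. It assumes the services are started from /etc/inetd.conf; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Avaya code): report cleartext login/transfer services
# still enabled in an inetd.conf-style file after SSH has been installed.
# Assumption: services are started from /etc/inetd.conf.

# audit_inetd FILE [pds]
#   Prints one line per enabled telnet/ftp/login/shell entry:
#     DISABLE <service>  cleartext service that SSH/SFTP/SCP can replace
#     KEEP <service>     ftp on a PDS system (Administration Manager needs it)
#   Returns 0 if nothing needs disabling, 1 if something does, 2 on error.
audit_inetd() {
    file=$1
    platform=${2:-}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk -v pds="$platform" '
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        $1 ~ /^(telnet|ftp|login|shell)$/ {
            if ($1 == "ftp" && pds == "pds") { print "KEEP " $1; next }
            print "DISABLE " $1
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$file"
}

# Constructed sample input (not taken from a real system).
sample_inetd() {
cat <<'EOF'
# constructed sample inetd.conf
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
#shell  stream tcp nowait root /usr/lbin/remshd  remshd
EOF
}

# Demo run against the constructed sample, treating the host as a PDS system.
tmp=${TMPDIR:-/tmp}/inetd.sample.$$
sample_inetd > "$tmp"
audit_inetd "$tmp" pds || true
rm -f "$tmp"
```

On a live system, call `audit_inetd /etc/inetd.conf pds` (or omit `pds` on systems that do not use Administration Manager) after the SSH self tests have passed.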

The patch to correct the issue with Avaya Proactive Contact 3.0 Editor and the use of SFTP for voice message transfer is available in patch PC3_803.

Resolution

SSH is most commonly used in the following ways:
• in combination with SFTP, as a secure alternative to FTP
• in combination with SCP, as a secure alternative for rcp file transfers
• for port forwarding or tunneling, frequently as an alternative to a full-fledged VPN. In this type of use, a (non-secure) TCP/IP connection of an external application is redirected to the SSH program (client or server), which forwards it to the other SSH party (server or client), which in turn forwards the connection to the desired destination host. The forwarded connection is cryptographically encrypted and protected on the path between the SSH client and server only. Uses of SSH port forwarding include accessing database servers, email servers, securing X11, Windows Remote Desktop and VNC connections or even forwarding Windows file shares.
• with an SSH client that supports dynamic port forwarding (presenting to other programs a SOCKS or HTTP 'CONNECT' proxy interface), SSH can be used even for generally browsing the web through an encrypted proxy connection, using the SSH server as a proxy
• with an SSH client that supports terminal protocols, for remote administration of the SSH server computer via terminal (character-mode) console
• with an SSH client that supports SSH exec requests (frequently embedded in other software, e.g. a network monitoring program), for automated remote monitoring and management of servers.

For the Avaya Predictive Dialing System and Avaya Proactive Contact HP-UX platforms, Avaya provides Hewlett-Packard’s SSH product (T1471AA) on the periodic OS update CDs. For other distributions of SSH, consult the following (partial) list:

Multiplatform
• PuTTY - client suite supporting SSH, SFTP, SCP and telnet
• Ganymed SSH2 - a Java-based SSH-2 client library
• JavaSSH - a Java-based SSH client
• MindTerm - a Java implementation available free for personal usage.
• sshtools - SSH Tools including sshterm, a java ssh terminal accessible from a web browser.

Windows
• WinSCP - an open source SFTP and SCP client
• freeSSHd - a free full-featured SSH and Telnet server with SFTP and port forwarding support
• OpenSSH for Windows
• SSHDOS
• Whitehorn Secure Terminal - a freeware SSH/telnet client (PuTTY variant)

There are also proprietary SSH implementations available for Windows. Here is a partial list:
• Private Shell - SSH and SFTP support
• PenguiNet - SSH-1 and 2 client
• SFTPPlus - Extends SFTP with additional audit and automation
• Fortress - Pragma's SSH-1 and 2 server and client
• WinSSHD - 's SSH server
• SSH Tectia Client - from SSH Communications Security
• sshlib - Bitvise's C++ SSH-2 library
• SecureCRT - Supports ZMODEM / XMODEM file transfers
• ShellGuard - Former "Telneat"; SSH-1 and 2 client, also supports telnet protocol and direct connection

UNIX-like
• - the GNU Project's client and server
• OpenSSH - a highly portable SSH-1, 1.45 and 2 client and server, developed by OpenBSD
• - client and server
• OSSH
• libssh - a client-server library
• libssh2 - another client-server library

Before you install

The system should be in a quiet state. The application should be shut down and users should be logged off. You do not need to change permissions to support SSH and SFTP. The Avaya Proactive Contact UNIX menu commands support SSH and SFTP.

Install SSH on the HP-UX platform

1. Verify that this software has not already been installed by entering: swlist T1471AA
2. If you do not know which block device file is associated with your CD/DVD drive, enter: ioscan -fnd sdisk
   Use the drive name where you see in the following steps.
3. Insert the media, Secure Shell for HP-UX 11.00 (T1471AA) CD, and mount it by entering: mount /dev/dsk/ /CDROM
4. Start swinstall and select Local Tape as the Source Depot Type (the files on the CD are in tar format, so you access them as though they were on tape).
5. On the Source Depot Path line, enter: /CDROM/T1471AA.depot
6. Tab to OK and press Return.
7. Press the spacebar to highlight T1471AA then press Tab. Use the right arrow key to select Actions and press Return. Select Mark for Install and press Return.
8. Press Tab and use the right arrow key to select Actions and press Return. Select Install and press Return. After the initial analysis phase, you will see that the status is Ready and that 1 of 1 products are scheduled.
9. Tab to OK and press Return. The load takes approximately two minutes. When complete, Tab to Done and press Return. Do not exit swinstall yet.

Install PHCO_26089 (libpam cumulative)

1. Determine whether PHCO_26089 is already installed. Enter: swverify PHCO_26089
   If you see Verification succeeded, skip to the Self Tests below, otherwise continue here.
2. Insert the update media, HP-UX 11.00 Update for B2000/B2600 CD, and mount it by entering: mount /dev/dsk/ /CDROM
3. Start swinstall and select Local CDROM as the Source Depot Type. After seeing that /CDROM is displayed on the Source Depot Path line, Tab to OK and press Return.
4. Position the cursor on QPK1100 (B.11.00.64.4) and press Return. Position the cursor on PHCO_26089 and highlight it by pressing the space bar.
5. Press Tab and use the right arrow key to select Actions and press Return. Select Mark for Install and press Return.
6. Press Tab and use the right arrow key to select Actions and press Return. Select Install and press Return. After the initial analysis phase, you will see that the status is Ready and that 1 of 1 products are scheduled.
7. Tab to OK and press Return. The load will take approximately one minute. When complete, Tab to Done and press Return.
8. Exit swinstall.

Configure SSH for client System Telnet and PC Analysis

1. Follow the installation instructions provided with the SSH application you chose on the clients.
2. Log in to the PC with administrative privileges.
3. Click Start on the Windows Task Bar, then click Run.
4. Type regedit, then click OK. In the next step you will make a change in the Windows registry entry that defines the location of the PDS Telnet application.
   Note: Before continuing, you may want to back up the Windows registry.
5. For Campaign Director 4.0 SP4, navigate to the following location in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Avaya Inc\Campaign Director\4.0
   For Proactive Contact Supervisor 3.0, navigate to the following location in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Avaya Inc\Proactive Contact Supervisor\3.0
6. Double-click the entry titled TelnetPath.
7. Type the full path to the new SSH application in the Value field and click OK.
8. Close the registry editor. Your changes will be saved automatically.

This procedure will replace System Telnet and PC Analysis.

Test the SSH implementation on the HP-UX server

After installation, you should test the connections. You can consult the following man pages on the HP-UX system: ssh(1), scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1), slogin(1), sftp-server(8), sshd(8).

Secure Shell self test

1. Start a secure session on the command line of the machine you’ve just installed.
2. Enter ssh, followed by the hostname. For example, ssh cpu1. The system displays a one-time warning regarding the hostname.
3. Enter yes. The system prompts you for a password. This verifies that both the Secure Shell client-side and server-side function properly.
4. Enter exit to return to your original login.

Secure FTP self test

1. Start a secure session on the command line of the machine you’ve just installed.
2. cd to the /tmp directory.
3. Enter sftp, followed by the hostname. For example, sftp cpu1. The system displays a one-time warning regarding the hostname.
4. Enter yes. The system prompts you for a password.
5. At the sftp> prompt, enter get /etc/hosts.
6. Enter quit.
7. Verify that /etc/hosts was copied to the current directory (/tmp). This verifies that both the SFTP client-side and server-side function properly.

NOTE: On Japanese, Chinese, and Korean versions, a telnet application is not delivered as part of the Supervisor or Campaign Director suites.

Workaround or alternative remediation: None
Remarks: None

Patch Notes

The information in this section concerns the patch, if any, recommended in the Resolution above.

Backup before applying the patch: Yes
Download: SAFE

Patch install instructions: See PC3_803 Patch Readme
Service-interrupting?: Yes
Verification: n/a
Failure: n/a
Patch uninstall instructions: n/a

Security Notes

The information in this section concerns the security risk, if any, represented by the topic of this PSN.

Security risks: n/a
Avaya Security Vulnerability Classification: Not Susceptible
Mitigation: n/a

For additional support, contact your Authorized Service Provider. Depending on your coverage entitlements, additional support may incur charges. Support is provided per your warranty or service contract terms unless otherwise specified.

Avaya Support Contact: Telephone
U.S. Remote Technical Services – Enterprise: 800-242-2121
U.S. Remote Technical Services – Small Medium Enterprise: 800-628-2888
U.S. Remote Technical Services – BusinessPartners for Enterprise Product: 877-295-0099
BusinessPartners for Small Medium Product: Please contact your distributor.
Canada: 800-387-4268
Caribbean and Latin America: 786-331-0860
Europe, Middle East, and Africa: 36-1238-8334
Asia Pacific: 65-6872-8686

Disclaimer: ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION AND IS PROVIDED “AS IS”. AVAYA INC., ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS “AVAYA”), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS’ SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

All trademarks identified by ® or TM are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.
