Release Notes 1.x - 9.x
Extender v9.0.1
2019-10-03
Important Notes for this Upgrade
The fix addresses a Golang issue by setting tls.minVersion = 1.2 as the default. The setting can be changed in the file extender-config.toml.
v9.2
2020-01-21
PrivX 9.2 is an incremental upgrade over the 9.1 release, introducing a bug fix for a licensing error that removed known hosts.
Notable Bug fixes and improvements
- [PX-2476] Hosts get removed when licensing error occurs during scan operation
Note: If re-enabling a host directory causes a license error (host count exceeded), the hosts of the disabled directory are now visible in PrivX. The administrator is responsible for correcting the licensing error, either by removing hosts or services, and/or by disabling the audit-enabled flag on hosts.
v9.1
2019-11-13
PrivX 9.1 is an incremental upgrade over the 9.0 release, introducing fixes to cloud-host management.
Important upgrade notes
If you have a GCP directory with deleted instances in PrivX before upgrading to 10.1, the deleted instances will remain in the hosts list after the upgrade. To get rid of the deleted instances, do one of the following:
- Delete the obsolete hosts using the Settings→Hosts page in the PrivX GUI, or
- Delete and re-create the GCP directory.
Notable Bug fixes and improvements
- [PX-2261] Host-deployment fails if host-deployment script is run after host scan.
- [PX-2262] Host deletions on Google Cloud are not updated to PrivX host list.
- [PX-2287] Host scanning does not handle the case where number of hosts in a region drops to zero.
Known issues
- [PX-652] User search not using mapped attributes
- [PX-789] When DB connection fails status.html does not show the reason
- [PX-817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [PX-852] Listing users may time out for directories with more than 100K users
- [PX-1057] Cannot parse scoped literal IPv6 addresses
- [PX-1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [PX-1239] Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
- [PX-1240] Set proper ownership and permissions for /var/privx
- [PX-1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [PX-1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [PX-1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- [PX-1524] Login as yourself with windows cert authentication not working if username does not contain domain
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1762] RDP clipboard with web container does not work
- [PX-1798] Authorizer crash with online license when no internet connectivity
- [PX-1805] The first web connection after installation always fails
- [PX-1815] CJK chars not working for web connections
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
- [PX-1887] licensing: web access gateway functionality requires extender license feature
- [PX-1914] Searching users: Searching with unicode characters doesn't work
- [PX-1980] HOST-STORE audit events are missing username information
v9.0
2019-09-16
PrivX 9.0 introduces a multitude of stability improvements along with some new features.
Important upgrade notes
Upgrading to PrivX 9.0 triggers audit-event migrations that may take tens of minutes to complete.
You must unregister any version 8 Carrier and Web-Proxy components from PrivX before upgrading them to version 9 or later. The whole process is as follows:
In the PrivX GUI, on the Settings→Deployment→Deploy PrivX Web Access Gateways page, Unregister every listed configuration.
Set up new component packages:
On Carriers:
$ sudo yum install PrivX-Carrier-[release].rpm
$ sudo /opt/privx/scripts/carrier-postinstall.sh
On Web-Proxies:
$ sudo yum install PrivX-Web-Proxy-[release].rpm
$ sudo /opt/privx/scripts/web-proxy-postinstall.sh
New features
- SSH-audit-trail indexing and text search
- Host tags for enabling auditing
- Support for PostgreSQL 11
- Path field in file transfer UI to directly access paths
Notable Bug fixes and improvements
- [PX-370] - SSH options not added to role-based public key
- [PX-1204] - PrivX Extender is not automatically started on server boot
- [PX-1255] - "Service-stopped (12)" event is missing
- [PX-1507] - ssh-playback: cursor position has attributes from last drawn cell after seek
- [PX-1534] - Augment the SSH proxy connected event to include information which channels are available for the UI
- [PX-1624] - keyvault: panic when creating symmetric key without size
- [PX-1639] - Host deploy script assumes OpenSSH at port 22
- [PX-1702] - OpenStack host scanning fails with "No suitable endpoint could be found in the service catalog"
- [PX-1730] - Auth service key rotation on request
- [PX-1733] - Extender/Carrier/WebProxy status info is missing in service status
- [PX-1803] - Monitor service logging too much
- [PX-1809] - Generating keys fails with Safenet Luna HSM 6.4 and 7.2
- [PX-1836] - Can not login to openstack with PrivX Web Connections
- [PX-1842] - connection-manager client does not survive system time update
- [PX-1868] - ssh-proxy: host unreachable error when websocket upgrade fails
- [PX-1869] - Allow enabling host auditing using host tags
- [PX-1870] - Extender license check is ignored if web proxy is enabled
- [PX-1872] - Service status updates in PrivX home is refreshed slowly
- [PX-1877] - Web Proxy: ICAP is listening to all public addresses
- [PX-1884] - Race condition in role creation and deletion leads to orphan principal keys in DB
- [PX-1888] - License: status is MAX_HOST_EXCEEDED though the number of host is within limit
- [PX-1891] - Update error message on max activations reached
- [PX-1894] - Error when ssh to target with privx-agent: "mesg: ttyname failed: Inappropriate ioctl for device"
- [PX-1900] - Source-addresses is asserted even though cert auth is not the only auth type enabled in role
- [PX-1904] - ssh-proxy: auditing fails with "file already closed"
- [PX-1907] - Extender load balancer cookie resolving should not fall back to single server installation
- [PX-1909] - host-store: same port as splunkd
- [PX-1916] - Deploy script does not work with AWS VPC instances
- [PX-1920] - Indexer Service - Enable Housekeeping
- [PX-1925] - Authentication support for PKCE RFC7636
- [PX-1928] - Monitor-Service: Components table is ever expanding
- [PX-1929] - Manually configured and scanned hosts can have their roles altered using deploy script
- [PX-1930] - HTTPS login fails, if LoginRequestURL is not defined and login request address does not match hostname
- [PX-1932] - HTTPS login autofill does not work for sites, which have loginRequestUrl defined
- [PX-1935] - /privx/users page does not load after refresh
- [PX-1936] - Web SSH / RDP client in background tabs disconnect
- [PX-1937] - Cannot login to azure portal with WEB connection
- [PX-1938] - ssh-proxy: REQ_ENV is not stored to trail
- [PX-1939] - ssh-proxy: REQ_EXEC does not support session recording
- [PX-1943] - ssh-proxy: STREAM_STDIN messages for a sftp channel are processed in ssh-proxy
- [PX-1946] - Connection manager target_host.common_name is wrong for RDP connections
- [PX-1948] - Address condition in host search should also search service addresses
- [PX-1949] - Connection manager connection lacks host data on some cases
- [PX-1955] - Host -> 'List Events' does not list all events associated with that host
- [PX-1966] - rdp-proxy crashes while doing license check for extender
- [PX-1975] - Web connections: browser container does not handle the case where rdp connection setup fails
- [PX-1976] - Extender: HA resolve / extender reconnect logic does not handle PrivX server restart
- [PX-1977] - Login UI robustness with bookmarks, expired tokens and shared urls
- [PX-1979] - DB transactions are not always closed
- [PX-1981] - PrivX allows manual login connection attempts for configured hosts, even if user does not have permissions to the host
- [PX-1987] - RDP MITM: leaking manual connections
- [PX-1993] - ssh-proxy: filetransfer API does not handle correctly empty directory/file names
- [PX-2052] - ssh-proxy: playback of a certain ssh trail causes out of memory situation in UI
- [PX-2054] - PrivX-Web-Proxy registering problems fixed
- [PX-2062] - UI: Web SSH terminal layout is confused after browser width resizing
- [PX-2064] - connmgr: housekeeping fails to remove trails
- [PX-2087] - host-scanning: audit_enabled is set to false on aws directory refresh
- [PX-2089] - Audit-Events - Missing userID
Known issues
- [PX-652] User search not using mapped attributes
- [PX-789] When DB connection fails status.html does not show the reason
- [PX-817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [PX-852] Listing users may time out for directories with more than 100K users
- [PX-1057] Cannot parse scoped literal IPv6 addresses
- [PX-1230] When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [PX-1239] Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
- [PX-1240] Set proper ownership and permissions for /var/privx
- [PX-1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [PX-1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [PX-1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- [PX-1524] Login as yourself with windows cert authentication not working if username does not contain domain
- [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1762] RDP clipboard with web container does not work
- [PX-1798] Authorizer crash with online license when no internet connectivity
- [PX-1805] The first web connection after installation always fails
- [PX-1815] CJK chars not working for web connections
- [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
- [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
- [PX-1887] licensing: web access gateway functionality requires extender license feature
- [PX-1914] Searching users: Searching with unicode characters doesn't work
- [PX-1980] HOST-STORE audit events are missing username information
v8.2
2019-11-13
PrivX 8.2 is an incremental upgrade over the 8.1 release, introducing fixes to cloud-host management.
Important upgrade notes
If you have a GCP directory with deleted instances in PrivX before upgrading to 10.1, the deleted instances will remain in the hosts list after the upgrade. To get rid of the deleted instances, do one of the following:
- Delete the obsolete hosts using the Settings→Hosts page in the PrivX GUI, or
- Delete and re-create the GCP directory.
Notable Bug fixes and improvements
- [PX-2262] Host deletions on Google Cloud are not updated to PrivX host list.
- [PX-2287] Host scanning does not handle the case where number of hosts in a region drops to zero.
Known issues
- [PX-370] - SSH options not added to role-based public key
- [PX-652] - User search not using mapped attributes
- [PX-789] - When DB connection fails status.html does not show the reason
- [PX-817] - Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [PX-852] - Listing users may time out for directories with more than 100K users
- [PX-1057] - Cannot parse scoped literal IPv6 addresses
- [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [PX-1239] - Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
- [PX-1240] - Set proper ownership and permissions for /var/privx
- [PX-1325] - Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [PX-1342] - privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [PX-1344] - Possible to establish proxied native-client connections to hosts with session recording
- [PX-1502] - postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- [PX-1524] - Login as yourself with windows cert authentication not working if username does not contain domain
- [PX-1574] - monitor-service: audit event searching is broken or lacking
- [PX-1624] - keyvault: panic when creating symmetric key without size
- [PX-1702] - OpenStack host scanning fails with "No suitable endpoint could be found in the service catalog"
- [PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1762] - RDP clipboard with web container does not work
- [PX-1798] - Authorizer crash with online license when no internet connectivity
- [PX-1805] - The first web connection always fails
- [PX-1809] - Generating keys fails with FIPSed Safenet Luna HSM 6.4 and 7.2
- [PX-1815] - CJK chars not working for web connections
- [PX-1827] - Extender/Carrier/Web Proxy configs not migrated on upgrade
v8.1
2019-09-16
PrivX 8.1 is an incremental upgrade over the 8.0 release, introducing security fixes to user sessions. For additional details about security fixes, please contact support at help.ssh.com
Important Notes for this Upgrade
The fixes introduced in this release are also available in PrivX versions 9.0 and later. For additional system stability and the latest features, we recommend upgrading to the latest PrivX instead.
v8.0
2019-06-07
The 8.0 major release expands upon the functionality offered by PrivX. Notable new features include support for connections to HTTP and HTTPS targets, native RDP clients, and granular PrivX-user permissions.
Important upgrade notes
After upgrading from PrivX 7.x with HSM integration, old host-deployment scripts will no longer work: you must re-download the script and use that for subsequent host-deployment operations.
For HA environments, see the Administrator Manual for the new upgrade instructions. HA deployments must be upgraded by upgrading one server first and then duplicating it to the remaining servers.
New features
- Access HTTP and HTTPS services using shared accounts.
- Native RDP-client support: use your existing RDP clients to access targets while authenticating via PrivX.
- New permissions for configuring what users are allowed to do. Specified per role.
- Audit logs available in Common Event Format (CEF), for easier integration with SIEM systems.
- Extender support in PrivX HA deployments.
Notable Bug fixes and improvements
- [PX-757] - User list count is incorrect if limit parameter is used
- [PX-807] - External DB certificate import error in postinstall script
- [PX-1204] - PrivX Extender is not automatically started on server boot
- [PX-1531] - PrivX win agent parses backend FQDN name incorrectly for login dialog
- [PX-1533] - Windows Client does not work with system trusted TLS certificate
- [PX-1636] - Troubleshoot: clients secrets are not masked in keyvault-config.toml
- [PX-1639] - Host deploy script assumes OpenSSH at port 22
- [PX-1693] - Deployment script does not work with api-ca-cert-file option and PEM
- [PX-1785] - GSuite OIDC usernames changed to unknown after login to PrivX
Known issues
- [PX-370] - SSH options not added to role-based public key
- [PX-652] - User search not using mapped attributes
- [PX-789] - When DB connection fails status.html does not show the reason
- [PX-817] - Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [PX-852] - Listing users may time out for directories with more than 100K users
- [PX-1057] - Cannot parse scoped literal IPv6 addresses
- [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [PX-1239] - Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
- [PX-1240] - Set proper ownership and permissions for /var/privx
- [PX-1325] - Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [PX-1342] - privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [PX-1344] - Possible to establish proxied native-client connections to hosts with session recording
- [PX-1502] - postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- [PX-1524] - Login as yourself with windows cert authentication not working if username does not contain domain
- [PX-1574] - monitor-service: audit event searching is broken or lacking
- [PX-1624] - keyvault: panic when creating symmetric key without size
- [PX-1702] - OpenStack host scanning fails with "No suitable endpoint could be found in the service catalog"
- [PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
- [PX-1762] - RDP clipboard with web container does not work
- [PX-1798] - Authorizer crash with online license when no internet connectivity
- [PX-1805] - The first web connection always fails
- [PX-1809] - Generating keys fails with FIPSed Safenet Luna HSM 6.4 and 7.2
- [PX-1815] - CJK chars not working for web connections
- [PX-1827] - Extender/Carrier/Web Proxy configs not migrated on upgrade
v7.4
2019-09-16
PrivX 7.4 is an incremental upgrade over the 7.3 release, introducing security fixes to user sessions. For additional details about security fixes, please contact support at help.ssh.com
Important Notes for this Upgrade
The fixes introduced in this release are also available in PrivX versions 9.0 and later. For additional system stability and the latest features, we recommend upgrading to the latest PrivX instead.
v7.3
2019-06-11
Maintenance release over v7.2, fixes a couple of security issues. For additional details about security fixes, contact support at help.ssh.com
Important upgrade notice
For HA environments, see below for the new upgrade instructions. HA deployments must be upgraded by upgrading one server first and then duplicating it to the remaining servers.
High-Availability-Deployment Upgrade
This section describes the requirements for upgrading a high-availability (HA) PrivX deployment, and provides steps for performing the upgrade.
When upgrading a HA PrivX deployment, note the following requirements:
- PrivX servers must not service any users while their PrivX software is being upgraded.
- Ensure that PrivX servers never write to PrivX databases with different product versions.
Note
By default, upgrading the PrivX software also upgrades the connected PrivX database.
If you need to postpone automatic database upgrade, set the environment variable
SKIP_POSTINSTALL before upgrading the PrivX software package:
# export SKIP_POSTINSTALL=1
On PrivX servers upgraded like this, you will later need to run postinstall to finalize upgrade:
# /opt/privx/scripts/postinstall.sh
One way to upgrade HA deployments is by performing the operations on a duplicate database. This method allows un-upgraded portions of the deployment to run during the procedure. To upgrade a HA deployment in this way:
Duplicate the PrivX database.
The upgrade is performed against the duplicate database, without modifying the original database.
Upgrade one PrivX server along with the duplicate database:
Disconnect the PrivX server from the load balancer to prevent users from connecting to it.
To prevent database activity, stop the PrivX services:
# systemctl stop privx
Connect to the duplicate database by providing its connection parameters. You only need to provide those database-connection parameters that differ between the original and the duplicate database.
The database-server address and port can be changed in /opt/privx/etc/shared-config.toml, under the [db] section.
- To change the database name (replace <db_name> with the database name):
# /opt/privx/bin/keyvault-tool -name db-name -value <db_name> set-passphrase
- To change the database-user name (replace <db_user> with the database-user name):
# /opt/privx/bin/keyvault-tool -name db-name -value <db_user> set-passphrase
- To change the password of the database user (replace <db_pwd> with the password):
# /opt/privx/bin/keyvault-tool -name db-name -value <db_pwd> set-passphrase
Upgrade the PrivX software and the connected database:
# yum install PrivX
- Reconnect the PrivX server to the load balancer.
Set up additional PrivX servers into your upgraded environment:
Duplicate the setup of the already-upgraded PrivX server. You can do this using the PrivX backup and restore features, described in the PrivX Administrator Manual section 3.4 Backing Up and Restoring PrivX Servers.
Connect the additional PrivX server to the load balancer.
After all the PrivX servers have been upgraded successfully, you should replicate any new data accumulated during the upgrade from the original database to the duplicate database. This completes the upgrade.
You may remove the original database and leftover PrivX servers after successful upgrade.
Known issues
- [PX-92] - In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
- [PX-370] - SSH options not added to role-based public key
- [PX-652] - User search not using mapped attributes
- [PX-757] - User list count is incorrect if limit parameter is used
- [PX-789] - When DB connection fails status.html does not show the reason
- [PX-807] - External DB certificate import error in postinstall script
- [PX-817] - Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [PX-852] - Listing users may time out for directories with more than 100K users
- [PX-1057] - Cannot parse scoped literal IPv6 addresses
- [PX-1204] - PrivX Extender is not automatically started on server boot
- [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [PX-1239] - Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
- [PX-1240] - Set proper ownership and permissions for /var/privx
- [PX-1325] - Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [PX-1342] - privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [PX-1344] - Possible to establish proxied native-client connections to hosts with session recording
- [PX-1360] - Role-store sometimes fails to obey the user_cache_refresh_ttl in settings
- [PX-1502] - postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- [PX-1524] - Login as yourself with windows cert authentication not working
- [PX-1531] - PrivX win agent parses backend FQDN name incorrectly for login dialog
Workaround: Specify the PrivX-server address in IP format.
- [PX-1533] - Windows Client does not work with system trusted TLS certificate
- [PX-1574] - monitor-service: audit event searching is broken or lacking
- [PX-1624] - keyvault: panic when creating symmetric key without size
- [PX-1636] - Troubleshoot: clients secrets are not masked in keyvault-config.toml
- [PX-1639] - Host deploy script assumes OpenSSH at port 22
- [PX-1644] - Host-deployment script should fall back to private addresses if public address is missing
v7.2
2019-05-28
Maintenance release over v7.1, adds Graph-API support for Azure-AD integration.
For additional details about security fixes, contact support at help.ssh.com
Important upgrade notes
After upgrading from PrivX 7.x with HSM integration, old host-deployment scripts will no longer work: you must re-download the script and use that for subsequent host-deployment operations.
Bug fixes and improvements
- [PX-1778] - Graph API support
Known issues
- [PX-92] - In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
- [PX-370] - SSH options not added to role-based public key
- [PX-652] - User search not using mapped attributes
- [PX-757] - User list count is incorrect if limit parameter is used
- [PX-789] - When DB connection fails status.html does not show the reason
- [PX-807] - External DB certificate import error in postinstall script
- [PX-817] - Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [PX-852] - Listing users may time out for directories with more than 100K users
- [PX-1057] - Cannot parse scoped literal IPv6 addresses
- [PX-1204] - PrivX Extender is not automatically started on server boot
- [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [PX-1239] - Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
- [PX-1240] - Set proper ownership and permissions for /var/privx
- [PX-1325] - Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [PX-1342] - privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [PX-1344] - Possible to establish proxied native-client connections to hosts with session recording
- [PX-1360] - Role-store sometimes fails to obey the user_cache_refresh_ttl in settings
- [PX-1502] - postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- [PX-1524] - Login as yourself with windows cert authentication not working
- [PX-1531] - PrivX win agent parses backend FQDN name incorrectly for login dialog
Workaround: Specify the PrivX-server address in IP format.
- [PX-1533] - Windows Client does not work with system trusted TLS certificate
- [PX-1574] - monitor-service: audit event searching is broken or lacking
- [PX-1624] - keyvault: panic when creating symmetric key without size
- [PX-1636] - Troubleshoot: clients secrets are not masked in keyvault-config.toml
- [PX-1639] - Host deploy script assumes OpenSSH at port 22
- [PX-1644] - Host-deployment script should fall back to private addresses if public address is missing
v7.1
2019-04-11
Maintenance release for v7.0, fixes a couple of usability and security issues.
For additional details about security fixes, contact support at help.ssh.com
Notable Bug fixes and improvements
- [PX-1675] - Redis password prompt does not accept empty as it should
- [PX-1676] - Role rules should be empty list instead of missing
- [PX-1680] - Minor security fix related to PrivX agent on Windows.
Known issues
- [PX-92] - In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
- [PX-370] - SSH options not added to role-based public key
- [PX-652] - User search not using mapped attributes
- [PX-757] - User list count is incorrect if limit parameter is used
- [PX-789] - When DB connection fails status.html does not show the reason
- [PX-807] - External DB certificate import error in postinstall script
- [PX-817] - Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [PX-852] - Listing users may time out for directories with more than 100K users
- [PX-1057] - Cannot parse scoped literal IPv6 addresses
- [PX-1204] - PrivX Extender is not automatically started on server boot
- [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [PX-1239] - Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
- [PX-1240] - Set proper ownership and permissions for /var/privx
- [PX-1325] - Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [PX-1342] - privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [PX-1344] - Possible to establish proxied native-client connections to hosts with session recording
- [PX-1360] - Role-store sometimes fails to obey the user_cache_refresh_ttl in settings
- [PX-1502] - postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- [PX-1524] - Login as yourself with windows cert authentication not working
- [PX-1531] - PrivX win agent parses backend FQDN name incorrectly for login dialog
Workaround: Specify the PrivX-server address in IP format.
- [PX-1533] - Windows Client does not work with system trusted TLS certificate
- [PX-1574] - monitor-service: audit event searching is broken or lacking
- [PX-1624] - keyvault: panic when creating symmetric key without size
- [PX-1636] - Troubleshoot: clients secrets are not masked in keyvault-config.toml
- [PX-1639] - Host deploy script assumes OpenSSH at port 22
- [PX-1644] - Host-deployment script should fall back to private addresses if public address is missing
v7.0
2019-04-09
New features
- Support for SafeNet Luna HSM.
Requires fresh installation.
- GUI-session expiry by idle period and total time from login.
- High-availability support for Extenders.
- New permission for disabling connections to unknown targets (manual connections).
Manual connections are disabled by default for all regular users.
- Deployment-page redesign.
- Direct links to available OIDC-login pages.
Notable Bug fixes and improvements
- [PX-857] - Rolestore API: able to create a role that breaks the UI
- [PX-1095] - Backup and restore leaves out Kerberos keytab
- [PX-1392] - Host-deployment script cannot add hosts with non-ascii FQDNs
- [PX-1465] - Connection manager search API improvements
- [PX-1466] - Deployment script download HTTP 400 results in UI crash
- [PX-1473] - Seeking in an SSH trail playback with Japanese characters produces inconsistent outputs
- [PX-1481] - Audit events for authorizer OpenSSH/x509 certificate issue do not contain enough information
- [PX-1504] - Role-store - panics while deleting a role
- [PX-1518] - Show connection-termination message in the GUI
- [PX-1528] - Migration tool does not exit on fsvault migration error
- [PX-1530] - 5.1 -> 6.0 FS vault migration fails to "x509: decryption password incorrect"
- [PX-1531] - PrivX win agent parses backend FQDN name incorrectly for login dialog
- [PX-1533] - Windows Client does not work with system trusted TLS certificate
- [PX-1539] - auth: invalid redirect_uri is used when erroring on invalid redirect_uri
- [PX-1540] - keyvault: failed to wipe asymmetric db keys from memory
- [PX-1541] - Do not allow to delete superuser
- [PX-1546] - rdp: clipboard from client to server does not update after first copy
- [PX-1547] - unable to use API clients without getting OAuth creds from deploy script
- [PX-1555] - Current user endpoint, return permissions
- [PX-1562] - PrivX-Extender package missing from the SSH product repository
- [PX-1563] - Implement dbvault key delete
- [PX-1570] - Rolestore does not resolve role names according to specification
- [PX-1575] - workflow-engine: incorrectly treat api client as user in role store query
- [PX-1578] - connection-manager: terminate by user-id and host-id broken
- [PX-1579] - Extender does not work with Azure load balancer
- [PX-1581] - Setting up additional HA instance using restore.sh does not work
- [PX-1587] - Server does not limit the max size of user settings
- [PX-1595] - role-store: ApiVersionLogconfCollectorsIdGet does not check for errors from getCollectorWithId
- [PX-1598] - Log collectors: 201 when creating collector with the same name
- [PX-1601] - Remove broken Ansible link
- [PX-1602] - Local users table init issue on Postgres 10
- [PX-1603] - Create schema for External DB during installation
- [PX-1607] - Install script does not ask password for redis
- [PX-1620] - init_db.sh increases "max_connections" in /var/lib/pgsql/data/postgresql.conf every time init_db.sh is run
- [PX-1630] - Extender status not updated after configuration
- [PX-1675] - Redis password prompt does not accept empty as it should
Known issues
- [PX-92] - In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
- [PX-370] - SSH options not added to role-based public key
- [PX-652] - User search not using mapped attributes
- [PX-757] - User list count is incorrect if limit parameter is used
- [PX-789] - When DB connection fails status.html does not show the reason
- [PX-807] - External DB certificate import error in postinstall script
- [PX-817] - Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
- [PX-852] - Listing users may time out for directories with more than 100K users
- [PX-1057] - Cannot parse scoped literal IPv6 addresses
- [PX-1204] - PrivX Extender is not automatically started on server boot
- [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
- [PX-1239] - Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
- [PX-1240] - Set proper ownership and permissions for /var/privx
- [PX-1325] - Instance with host tags is not always visible in PrivX after adding an AWS directory
Workaround: Refresh the AWS directory to detect host-tagged instances.
- [PX-1342] - privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
- [PX-1344] - Possible to establish proxied native-client connections to hosts with session recording
- [PX-1360] - Role-store sometimes fails to obey the user_cache_refresh_ttl in settings
- [PX-1502] - postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
- [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- [PX-1524] - Login as yourself with windows cert authentication not working
- [PX-1531] - PrivX win agent parses backend FQDN name incorrectly for login dialog
Workaround: Specify the PrivX-server address in IP format.
- [PX-1533] - Windows Client does not work with system trusted TLS certificate
- [PX-1574] - monitor-service: audit event searching is broken or lacking
- [PX-1624] - keyvault: panic when creating symmetric key without size
- [PX-1636] - Troubleshoot: clients secrets are not masked in keyvault-config.toml
- [PX-1639] - Host deploy script assumes OpenSSH at port 22
- [PX-1644] - Host-deployment script should fall back to private addresses if public address is missing
v6.1
2019-06-11
Maintenance release over v6.0, fixes a couple of security issues. For additional details about security fixes, contact support at help.ssh.com
Important upgrade notice
For HA environments, see the new upgrade instructions below. HA deployments must be upgraded by upgrading one server first and then duplicating it to the rest.
High-Availability-Deployment Upgrade
This section describes the requirements for upgrading a high-availability (HA) PrivX deployment, and provides steps for performing the upgrade.
When upgrading a HA PrivX deployment, note the following requirements:
* PrivX servers must not service any users while their PrivX software is being upgraded.
* Ensure that PrivX servers never write to PrivX databases with different product versions.
Note
By default, upgrading the PrivX software also upgrades the connected PrivX database.
If you need to postpone the automatic database upgrade, set the environment variable SKIP_POSTINSTALL before upgrading the PrivX software package:
# export SKIP_POSTINSTALL=1
On PrivX servers upgraded like this, you will later need to run postinstall to finalize upgrade:
# /opt/privx/scripts/postinstall.sh
One way to upgrade HA deployments is by performing the operations on a duplicate database. This method allows un-upgraded portions of the deployment to run during the procedure. To upgrade a HA deployment in this way:
- Duplicate the PrivX database. The upgrade is performed against the duplicate database, without modifying the original database.
- Upgrade one PrivX server along with the duplicate database:
  - Disconnect the PrivX server from the load balancer to prevent users from connecting to it.
  - To prevent database activity, stop the PrivX services:
    # systemctl stop privx
  - Connect to the duplicate database by providing its connection parameters. You only need to provide those database-connection parameters that differ between the original and the duplicate database.
    The database-server address and port can be changed in /opt/privx/etc/shared-config.toml, under the [db] section.
    To change the database name (replace <db_name> with the database name):
    # /opt/privx/bin/keyvault-tool -name db-name -value <db_name> set-passphrase
    To change the database-user name (replace <db_user> with the database-user name):
    # /opt/privx/bin/keyvault-tool -name db-name -value <db_user> set-passphrase
    To change the password of the database user (replace <db_pwd> with the password):
    # /opt/privx/bin/keyvault-tool -name db-name -value <db_pwd> set-passphrase
  - Upgrade the PrivX software and the connected database:
    # yum install PrivX
  - Reconnect the PrivX server to the load balancer.
- Set up additional PrivX servers in your upgraded environment:
  - Duplicate the setup of the already-upgraded PrivX server. You can do this using the PrivX backup and restore features, described in the PrivX Administrator Manual section 3.4 Backing Up and Restoring PrivX Servers.
  - Connect the additional PrivX server to the load balancer.
- After all the PrivX servers have been upgraded successfully, replicate any new data accumulated during the upgrade from the original database to the duplicate database. This completes the upgrade.
- You may remove the original database and leftover PrivX servers after a successful upgrade.
Known issues
- [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
- [PX-370] SSH options are not added to role-based public key
- [PX-535] Disabling multi-factor authentication takes approximately 1 minute to reflect in the login flow
- [PX-789] When a database connection fails, status.html does not show the reason
- [PX-1095] Backup and restore script leaves out the Kerberos keytab file
- [PX-1204] PrivX extender doesn't start automatically on server boot
- [PX-1473] Seeking in an SSH trail playback with Japanese characters produces inconsistent outputs
v6.0
2019-02-26
Version 6 is mainly an internal-improvement release and therefore contains few new features.
Upgrade notes
To prevent potential database-connection failures, increase the default Postgres max_connections to 1000 or more before any PrivX-software upgrades.
PrivX agents must be upgraded to version 6. Older PrivX agents are not compatible with the latest PrivX.
For Unix agents, the start script (to be added to ~/.profile) must also be updated. The updated script is included in linux-amd64/README.linux.
If an offline license is in use, deactivate the license before upgrading to version 6.0. After the upgrade, the offline license can be activated again. Normal online licenses are not affected.
The OS temporary folder /tmp must not be used for trail storage. Refer to the PrivX Administrator Manual for instructions about setting up external trail storage.
After upgrade, extenders with an invalid name (such as names containing capital letters) will stop working with agents.
After upgrade, PrivX blocks SSH connections to PrivX-server local addresses.
To enable/disable such connections, modify allow_connect_to_local_addresses in /opt/privx/etc/ssh-proxy.toml
New features
- Agent support for native SSH clients on Windows
Notable security fixes
- [PX-1439] - Fixed FreeRDP CVEs (October 2018):
  CVE-2018-8786
  CVE-2018-8787
  CVE-2018-8788
  CVE-2018-8789
Bug fixes and improvements
- [PX-358] - AD directory: default user filter matches computers and inactive users like Guest account
- [PX-1148] - ssh-playback: should check if terminal emulator parser is in a keyframeable state
- [PX-1194] - When creating an extender trusted client the name restrictions aren't communicated to the user
- [PX-1223] - Directory details do not fit the column if they contain long strings
- [PX-1227] - Some events do not have a value for "userName"
- [PX-1236] - ssh-playback: seeking broken on latin1 characters
- [PX-1237] - Removing workflow deletes approved/denied requests
- [PX-1248] - Workflow-engine: Audit Event 611 should be removed
- [PX-1260] - Refreshing user roles fails if DN contains brackets
- [PX-1264] - Application restrictions fail with usernames with domain part and login-as-self
- [PX-1273] - Wrong response code (201) when editing log collector
- [PX-1275] - SSH-PROXY / Session-added(310) and Session-removed(311) audit events are created twice per connection
- [PX-1303] - Can not login with privx-agent-ctl
- [PX-1304] - FS vault does not check owner for asymmetric Sign operation
- [PX-1305] - keyvault: owner not respected on asymmetric private key operations nor symmetric key operations
- [PX-1321] - keyvault: should filter symmetric keys by search criteria before decrypting key material
- [PX-1322] - User page lists all recent connections instead of the user's connections
- [PX-1323] - rdp-proxy: handle missing drive directory on new connection
- [PX-1340] - Trusted-client TLS anchor displays first cert in ca-chain
- [PX-1341] - Deleting log collector fails
- [PX-1345] - Error in postinstall when upgrading PrivX 4 to latest PrivX
- [PX-1351] - If user has no roles, an error is logged to /var/log/messages
- [PX-1359] - Postinstall / Upgrade logs contains errors
- [PX-1387] - Backspace not handled correctly when prompting user input in init_nginx.sh
- [PX-1454] - keyvault, reduce necessary configuration reading, crash on concurrent map read and map write
- [PX-1455] - Log collector enabled state doesn't work
- [PX-1458] - PrivX UI user information is lost in forwarded connection via Extender
- [PX-1464] - Improve error logging for CFG audit
- [PX-1475] - authorizer issues OpenSSH certificates without any valid principals if user has no roles
- [PX-1232] - Move license files from /tmp to /var/privx/nalp/
- [PX-1257] - keyvault events missing from Monitor service
- [PX-1258] - AUDIT SERVICE stopped creates TrailOpened event
- [PX-1259] - 810, 811, 812 events not in use
- [PX-1461] - Log collector field validation
- [PX-1301] - Troubleshoot.sh documentation
- [PX-1132] - Protect & cleanse in-memory sensitive data
- [PX-1154] - Run postinstall.sh automatically on PrivX update
- [PX-1438] - Use systemd protection mechanisms in rpm installation
- [PX-1509] - Weak secret used for DB vault keys/passphrases
- [PX-1510] - Store encrypted data in authenticated format
Known issues
- [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
- [PX-370] SSH options are not added to role-based public key
- [PX-535] Disabling multi-factor authentication takes approximately 1 minute to reflect in the login flow
- [PX-789] When a database connection fails, status.html does not show the reason
- [PX-1095] Backup and restore script leaves out the Kerberos keytab file
- [PX-1204] PrivX extender doesn't start automatically on server boot
- [PX-1473] Seeking in an SSH trail playback with Japanese characters produces inconsistent outputs
v5.1
2019-01-29
PrivX 5.1 patches an issue related to Active Directory filters failing on escaped characters such as , \ and *. Users running an earlier version of PrivX should consider upgrading to this release if their AD instance contains such characters and is affected by the issue.
v5.0
2018-12-13
New features
- Playback controls for audit-session recordings: pause/resume playback, seeking, and full-screen toggle
- Windows RemoteApp support - Limit RDP user access to specific applications on the target server
- Single sign-on to PrivX using Google GSuite as the identity provider
- SSH agent on Mac and Linux now supports temporary access tokens for AWS CLI access
- Native SSH client traffic can now be routed via PrivX Extenders
- Send audit events to AWS CloudWatch Events or Azure Event Hubs
- Set custom titles to the GUI header, for distinguishing between PrivX deployments
Improvements
- View the current usage of your license quota on hosts configured and audited via the Settings→License page
- Audit trails can now be periodically checked for integrity
- Clean up old audit trails by setting the expiry time (default value is -1, indicating that the files never expire) and the frequency of cleanups (default value 24 hrs)
- View connection history and ongoing connections in the user and host details page
- An audit event is generated when a CA certificate is about to expire
- Manually-added hosts are now grouped together into a local-host directory
- UI enhancements to the Settings→Deployment page
Bug fixes
- [PX-861] Deploy script places configuration directives at the end of sshd_config, conflicts with match block
- [PX-974] postinstall.sh with Trusted DB cert gets stuck importing certificates to database
- [PX-1080] Possible race conditions with file creation and permission setting
- [PX-1083] Deploy script does not handle missing DNS names or IPv6 addresses
- [PX-1085] UI: Connection status "timeout" missing from filters
- [PX-1142] failure in adding a new connection to connmgr or updating one does not cause connection to fail
- [PX-1145] Azure host scanning explodes with specific public IP configurations
- [PX-1153] Host-store: Returns "null" for some empty array values causing UI to crash
- [PX-1169] init_nginx.sh does not update front_end_address in shared_config.toml
- [PX-1174] Zero-value tickers panic
- [PX-1175] Service-version-mismatch checks not handled correctly
- [PX-1176] Misleading error messages when TLS is disabled from RDP server
- [PX-1177] Disabling source does not update host counter
- [PX-1181] RDP certificate creation audit event missing certificate serial number
- [PX-1183] privx-agent-unix hangs forever if PrivX server is not reachable
- [PX-1186] Unable to install PrivX on CentOS 7.5
- [PX-1189] Agent public key authentication does not work with new OpenSSH versions
- [PX-1191] Deployment script in standalone mode adds host to privx directory ‘Untitled’
- [PX-1196] Directories: Error when adding OpenStack V3 directory
- [PX-1199] Workflow gives 500 database internal error on home page for local normal user
- [PX-1221] PrivX 4.0 stores audit trails in /tmp/privx/audit folder. Migrate the location to /var/privx/audit during upgrade.
Known issues
- [PX-789] When a database connection fails, status.html does not show the reason
- [PX-535] Disabling multi-factor authentication takes approximately 1 minute to reflect in the login flow
- [PX-370] SSH options are not added to role-based public key
- [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
- [PX-1095] Backup and restore script leaves out the Kerberos keytab file
- [PX-1146] It's not possible to use same attribute mapping source for multiple values
v4.0
2018-11-01
New features
- Session recording and playback. Read more about it from the Administrator Manual.
- PrivX can record SSH and RDP sessions. Administrators can later replay these recordings for auditing purposes.
- Trails are encrypted by PrivX.
- Encrypted trail data should be saved on an external NFS share configured by PrivX Administrators.
- View global audit events from Monitor→Events.
- Enable Single Sign On to PrivX using your preferred OpenID Connect provider such as Okta, AWS Cognito and UbiSecure.
- Connect to target hosts in your virtual private cloud (VPC) using the PrivX Extender component, available as a separate download. For detailed instructions, please check the Administrator Manual.
Note: PrivX Extender support for HA deployments will be added in future releases.
- As an administrator, grant or revoke users' role memberships immediately without approval workflows.
Upgrade notes
For any PrivX deployments using Azure host directories prior to this release, you must delete and re-add the Azure directory to PrivX after upgrade.
Improvements
- [PX-1036] Performance optimization for the web-UI-based SSH Terminal, especially on IE 11
- [PX-1038] Better support for LDAP directories
- PrivX works with directory servers that do not allow searching by entryDN.
- LDAP directory type now supports mixed case usernames.
Note: If your LDAP directory uses non-default attributes, ensure that they are set correctly in PrivX. If you use AD, please set the directory type to be AD and not LDAP.
- [PX-858] Support for multiple PostgreSQL versions. PrivX is verified to work with versions 9.2, 9.3, 9.6 and 10.5.
- [PX-930] Changes to services on cloud hosts tagged by services or principals are now reflected in PrivX.
- [PX-602] You can now modify services and principals for manually-added hosts. Those added by scanning cannot be modified via PrivX UI.
- [PX-602] Host search is now optimized and fine-tuned to reduce false positives.
- [PX-615] Hosts tab no longer displays hosts from disabled directories.
- [PX-976], [PX-984] Better handling of host-store database by the migration tool during installation and upgrade.
- [PX-550] Backup script now works on installations with non-default database name.
- [PX-862] Search highlighter on/off toggle in PrivX UI now works as expected.
- [PX-998] All PrivX micro-services now exit on the command 'service privx stop'.
- [PX-970] Robust handling of PrivX license activation and refresh operations.
- [PX-1020] Access token is periodically rechecked after a manual connection has been established.
- [PX-1037] When host deployment fails, deployment script now exits with error.
- [PX-1041] Fixed an issue in Edge browser where the first entered character after focusing in the SSH terminal is lost.
- [PX-1053] Fixed existing services so that they remain present when there is no contact address in the directory setting.
- [PX-1070] Host update checks added to login-as-self feature.
- [PX-1066] Clipboard for RDP connections now works as expected on Firefox.
Known issues
- [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded.
- [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work.
Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection.
- [PX-342] Once an offline-license request activation certificate is generated, it is not possible to generate another one until the current certificate is submitted.
- [PX-370] SSH options are not added to role-based public key.
- [PX-535] Disabling multi-factor authentication takes approximately 1 minute to reflect in the login flow.
- [PX-789] When db connection fails status.html does not show the reason.
- [PX-861] Deployment script places configuration directives at the end of sshd_config. These may be overridden by existing match blocks in the SSH-server configuration.
Known workarounds: After running the deployment script, move the PrivX configuration directives above other match blocks, then restart the SSH server.
- [PX-1092] Due to a recent change in Firefox version 63 on handling text overflow (Bug 1484587), long text spills over table cell borders in PrivX UI.
- [PX-1146] Not possible to use same attribute mapping source for multiple values.
v3.0
2018-09-18
New features
- Get started easily on first use with a guided tutorial
- Automatically scan tagged cloud hosts and add them to PrivX
- Improved auto-discovery of Microsoft Azure hosts
- View hosts accessible by a specific role from its context menu → List access option
- View the current status of the configured hosts under Settings →Hosts
- Sort files in the File Transfer view by Name, Permissions, Modified date or Size
- Option to refresh the user or host directories from the respective context menus under Settings → Directories
- Simplified UI for managing directories for users and hosts
- PrivX user now sees a persistent message when an admin terminates the user's ongoing connection
Security updates
- Randomize keyvault client ID and passphrase on installation and client passphrases on upgrade
- Ensure that database certificates are both valid and issued by a trusted CA
Other fixes
- [PX-114] - Accented characters not working for RDP.
- [PX-297] - Too many hostnames in the system breaks certificate generation in init_db.sh
- [PX-549] - authorize token invalid after auth restart, prevents login
- [PX-557] - Users list is sorted differently when refreshing page
- [PX-596] - Trying to log in with a user that is valid in the AD but not known by the role store errors out
- [PX-631] - Restore script breaks upgrade path
- [PX-650] - SSH proxy command line argument parsing broken
- [PX-651] - SSH proxy does not allow connections without connection manager even if in standalone mode
- [PX-665] - DELETE key not working in SSH terminal with IE11 Windows
- [PX-677] - New User: Colons can be added to username even though it says they are not allowed
- [PX-694] - PrivX reports max hosts exceeded error when unable to reach license server
- [PX-699] - Disabling TTY for a user from sshd_config results in an error in PrivX SSH terminal
- [PX-700] - Role query validation incorrectly accepts broken queries
- [PX-729] - Role based access not working as instructed in the manual/UI
- [PX-730] - RDP connection fails if the Windows target host auto-rotated its host certificate
- [PX-742] - TLS encrypted SMTP connection from PrivX does not work
- [PX-746] - Pagination fails for monitor service
- [PX-749] - Monitor service fails to fetch audit events
- [PX-751] - Audit events search should ignore keys
- [PX-758] - postinstall.sh fails after offline installation of privx
- [PX-760] - Check file download filename encoding in http header
- [PX-762] - Userstore user fetch with limit fails
- [PX-779] - SSH-Proxy: NewSshProxy() method returns error as "nil" when it cannot read the key
- [PX-793] - keyvault: Get[As|S]ymmetricBy[Name|Owner] does not check for exact match
- [PX-794] - Nil pointer dereference in rolestore crashes the service periodically
- [PX-796] - backup/restore handles db server certificate incorrectly
- [PX-801] - SSH connections disconnect after 60 seconds idle
- [PX-803] - keyvault rest client does not return keyvault.NotFound errors
- [PX-805] - Services panic if DB dies
- [PX-807] - External DB certificate import error in postinstall script
- [PX-814] - "Failed to import certificate to database" in postinstall output
- [PX-815] - Field "key_name" is missing from Postgres certificates table
- [PX-818] - Rolestore drops user directory refresh timers on create/edit
- [PX-833] - Editing a single directory causes other cloud directories to scan hosts
- [PX-839] - Restore script breaks pg_hba.conf
- [PX-840] - Connection manager panics if channel is already closed
- [PX-848] - Role members not listing all members (max 25)
Known issues
- [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
- [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
- [PX-342] Once an offline request activation certificate is generated, it is not possible to generate another one until the current certificate is submitted
- [PX-370] SSH options are not added to role-based public key
- [PX-535] Disabling multi-factor authentication takes approximately 1 minute to reflect in the login flow
- [PX-615] Hosts page shows hosts from disabled directories
- [PX-789] When db connection fails status.html does not show the reason
- [PX-858] init_db.sh script does not support Postgres9.3
- [PX-861] Deployment script places configuration directives at the end of sshd_config. These may be overridden by existing match blocks in the SSH-server configuration.
Known workarounds: After running the deployment script, move the PrivX configuration directives above other match blocks, then restart the SSH server.
- [PX-862] Search highlighter on/off in the PrivX help UI doesn't work
v2.4.1
2018-08-15
This is a security hotfix on the released version 2.4. It addresses a security vulnerability in the role-based access control functionality of the product.
To know if your environment has been compromised by this vulnerability, please download the script linked below and run it on the PrivX server as an admin:
# wget https://info.ssh.com/hubfs/ssh_public_assets/support/px708.py
# ./px708.py
Your environment is OK if you see the following message:
No evidence of signing with CA keys found.
Your environment has been compromised if you see the following message:
PrivX CA key has been used in a non-standard request. System integrity is at risk, please investigate further using events printed above.
If your environment has been compromised, replace the PrivX CA keys immediately according to instructions Rotating the PrivX CA Keys in the Online Administrator Manual.
v2.4
2018-07-04
New features
- As an admin, view past and ongoing connections, and terminate ongoing connections
- Directory users in PrivX can now be configured to authenticate using OpenID Connect
- GPG-signed RPM repository available to install and upgrade to the latest PrivX software
Fixes
- [PX-74] Improved SSH/RDP disconnect visual indication
- [PX-507] Changed PrivX Certificate to PrivX CA key
- [PX-513] Setup logs now include installation and PSQL error logs
- [PX-588] Corrected count returned by host searches
- [PX-612] Fixed an issue where workflows accepted invalid data for steps
Known issues
- [PX-87] PrivX uses its loopback interface for login to localhost.
- [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
- [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
- [PX-114] RDP connections do not support accented characters
- [PX-297] Too many hostnames in the system breaks certificate generation in init_db.sh
- [PX-342] Once an offline request activation certificate is generated, it is not possible to generate another one until the current certificate is submitted
- [PX-370] SSH options are not added to role-based public key
- [PX-386] "backup.sh --help" just runs backup (instead of displaying help)
- [PX-535] Disabling multifactor authentication does not immediately prevent users from logging in using MFA
- [PX-557] User entries on Users and Roles pages are not sorted correctly
- [PX-625] END/HOME keys do not scroll to the end/start of the file in the SSH terminal GUI
- [PX-627] Unable to type pipe on Edge browser in Windows 10 using the SSH terminal GUI
v2.3.1
2018-06-07
PrivX 2.3.1 patches a few issues related to Kerberos and LDAP authentication. Users running PrivX 2.3 should consider upgrading to this release under the following circumstances:
- You use Kerberos authentication to access PrivX
- You have had trouble with PrivX LDAP configuration.
Fixes
- [PX-543] Kerberos now works for directory users with differing User Principal Name and sAMAccountName
- [PX-551] Fixed an issue where some LDAP queries were not interpreted correctly
- Fixed a memory leak that caused memory consumption to exceed recommended specs under expected loads
v2.3
2018-05-31
This update breaks upgrade compatibility. Please re-install PrivX if you are running an older version of the software.
New features
- Support for login with personal accounts: You may now allow PrivX users to access their personal accounts. Access is granted in a role-based manner, without having to specify principals for individual target accounts.
- Kerberos SSO support for PrivX login. Users with valid Kerberos tickets may now log into PrivX without having to specify their credentials again.
- Support for scanning Azure hosts.
Fixes
- [PX-195] File transfer is terminated gracefully when target disk runs out of space
- [PX-292] Fixed an issue where roles were created without public keys
- [PX-405] Resolved access requests can no longer be deleted
- [PX-417] Corrected email behavior where multiple approvers have no email address
- [PX-419] Users page now displays user principals instead of names
- [PX-423] Default LDAPS port changed to 636
- [PX-462] Fixed an issue where installing a new license always resulted in the host limit being exceeded
- [PX-489] Regular local users can no longer change passwords for superuser accounts via the PrivX API
- [PX-517] Parentheses in LDAP search filters are now handled correctly
Known issues
- [PX-87] PrivX uses its loopback interface for login to localhost
- [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
- [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
- [PX-114] RDP connections do not support accented characters
- [PX-297] Too many hostnames in the system breaks certificate generation in init_db.sh
- [PX-342] Once an offline request activation/deactivation certificate is generated, there is no way to abort the activation/deactivation process
- [PX-370] SSH options are not added to role-based public key
- [PX-386] "backup.sh --help" just runs backup (instead of displaying help)
v2.2
2018-04-24
PrivX shared configuration is not automatically preserved in upgrades from 2.0 or 2.1. You must manually back up and restore the shared configuration during upgrade from these versions.
To upgrade while preserving shared configurations, perform the following:
- Stop the PrivX service on all PrivX servers:
  # systemctl stop privxoam
- Back up the shared configuration to a safe location on all PrivX servers:
  # cp /opt/privx/etc/shared-config.toml /opt/privx/etc/shared-config.toml_old
- Install the new PrivX RPM on all PrivX servers:
  # yum install -y PrivX-OAM-*.rpm
- Restore the shared configuration on all PrivX servers:
  # cp /opt/privx/etc/shared-config.toml_old /opt/privx/etc/shared-config.toml
- Run the post-installation script on all PrivX servers:
  # /opt/privx/scripts/postinstall.sh
- If you are running a multiple-server deployment, migrate the database once:
  # /opt/privx/bin/migration-tool -migrate-services-only
Other customisations to PrivX configurations are automatically preserved through the upgrade.
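The steps above as one per-node script, added here as an example and not a script shipped with PrivX. It records a SHA-256 of shared-config.toml before the RPM install and refuses to continue if the restored file does not match, so a silent overwrite by the package cannot go unnoticed. The file path, the backup suffix and the PRIVX_UPGRADE_RUN guard variable are assumptions of this example; the commands inside upgrade_node are the ones documented above.

```shell
#!/bin/sh
# Added example, not part of PrivX. Preserves shared-config.toml across the
# 2.0/2.1 -> 2.2 upgrade and verifies the restore by checksum.

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# backup_shared_config <config-path>
# Copies the config to <config-path>_old and stores its SHA-256 next to it.
backup_shared_config() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "backup: no shared config at $cfg" >&2; return 1; }
    cp -p "$cfg" "${cfg}_old" || return 1
    sha256_of "$cfg" > "${cfg}_old.sha256"
}

# restore_shared_config <config-path>
# Puts the backup back and fails if the restored file's SHA-256 differs from
# the value recorded at backup time.
restore_shared_config() {
    cfg="$1"
    [ -f "${cfg}_old" ] || { echo "restore: no backup at ${cfg}_old" >&2; return 1; }
    cp -p "${cfg}_old" "$cfg" || return 1
    expected=$(cat "${cfg}_old.sha256")
    actual=$(sha256_of "$cfg")
    if [ "$expected" != "$actual" ]; then
        echo "restore: checksum mismatch for $cfg (expected $expected, got $actual)" >&2
        return 1
    fi
    return 0
}

# upgrade_node <rpm-path> [migrate]
# The documented sequence for one server; pass "migrate" on exactly one
# server of a multi-server deployment. Requires root.
upgrade_node() {
    rpm="$1"
    cfg="${PRIVX_SHARED_CONFIG:-/opt/privx/etc/shared-config.toml}"
    systemctl stop privxoam || return 1
    backup_shared_config "$cfg" || return 1
    yum install -y "$rpm" || return 1
    restore_shared_config "$cfg" || return 1
    /opt/privx/scripts/postinstall.sh || return 1
    if [ "${2:-}" = "migrate" ]; then
        /opt/privx/bin/migration-tool -migrate-services-only || return 1
    fi
    echo "upgrade of $(hostname) finished; shared config verified"
}

# Only run the real upgrade when explicitly asked, so the file can be sourced
# to use the helper functions on their own.
if [ "${PRIVX_UPGRADE_RUN:-}" = "1" ]; then
    upgrade_node "$@"
fi
```

Run it as root with `PRIVX_UPGRADE_RUN=1 ./upgrade-node.sh PrivX-OAM-*.rpm` on every server, adding `migrate` on one of them. A checksum mismatch after restore means the RPM changed the file while it was being restored, or the backup was tampered with; stop and inspect before running postinstall.sh.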
New features
- Support for native clients for SSH on Linux & Mac
- Software update notification in the admin UI when a new PrivX version available for download
- Passwordless RDP login with an ephemeral certificate
- Users' connection history and settings persisted between browsers and computers
- Font size selection to SSH terminal
- Display enabled features against a license code in the UI
- Support for offline license activation
- Possibility to deactivate license
Fixes
- [PX-89] Restore script does not restore deleted directories
- [PX-103] Workflow not updated when role is removed
- [PX-104] Workflow steps can be approved out of order
- [PX-100] Editing copied text on clipboard deletes newlines
- [PX-110] Test mail not sent on "Test SMTP settings" when email notifications option is disabled
- [PX-192] Resizing RDP window too often stops the session from working
- [PX-196] In rare cases PrivX shared drive disappears from Windows file explorer after changing terminal settings
- [PX-248] Host count is not updated correctly in HA deployments
- [PX-411] Auth: MFA step can be bypassed
Known issues
- [PX-87] PrivX uses its loopback interface for login to localhost
- [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
- [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
- [PX-114] RDP connections do not support accented characters
- [PX-297] Too many hostnames in the system breaks certificate generation in init_db.sh
- [PX-342] Once an offline request activation/deactivation certificate is generated, there is no way to abort the activation/deactivation process
- [PX-370] SSH options are not added to role-based public key
- [PX-386] "backup.sh --help" just runs backup (instead of displaying help)
- [PX-388] After upgrade from 2.1 to 2.2 the TLS trust anchor on the trusted clients page does not contain sha1/sha256 fingerprints
v2.1
2018-03-19
New features
- PrivX now manages license subscriptions online
- New licenses are automatically installed to your PrivX deployment after you update your subscription
- Note that Internet connectivity is required to activate/update trials and commercial subscriptions
- Analytics on the environment where PrivX is installed is collected to understand the usage pattern and improve our product
- The data sent is anonymous
- Data includes operating system, CPU, memory, device name, geographic location and the version of PrivX
- You may opt out from sending analytics at any time
- Note that Internet connectivity is required for sending analytics
- Utility script troubleshoot.sh automatically generates troubleshooting data of your PrivX deployment
- Eases troubleshooting: run this script and attach the archive to your support tickets
- Gathers system configuration into a tar archive
Fixes
- [56033] It is no longer possible to delete directories that are already used in role configurations
- [56714, PX-85] Connections are terminated once the user's GUI session or required role memberships expire
- [56733] SSH Client correctly re-evaluates the available authentication methods for each authentication attempt
- [57557] Host-deployment script deploy.py automatically restarts OpenSSH server on Ubuntu and Debian
- [57728] Not a bug: Role extensions are no longer configurable
- [57776] Fixed removing user from role members
Known issues
- [PX-87] PrivX uses its loopback interface for login to localhost
- [PX-88] PrivX file transfer does not allow uploading folders
- [PX-89] restore script does not restore deleted directories
- [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
- [PX-93] PrivX does not receive updated system trust anchors until PrivX is restarted
- [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
- [PX-100] Editing copied text on clipboard deletes newlines
- [PX-104] Workflow steps can be approved out of order
- [PX-110] Test mail not sent on "Test SMTP settings" when email notifications option is disabled
- [PX-112] Requests cannot be used to remove roles granted via rules
- [PX-114] RDP connections do not support accented characters
- [PX-178] Membership with floating time window starts from the approval, not from initial login
- [PX-192] Resizing RDP window too often stops the session from working
- [PX-196] In rare cases PrivX shared drive disappears from Windows file explorer after changing terminal settings
- [PX-248] Host count is not updated correctly in HA deployments