SSH.COM PrivX Documentation Hub

Welcome to the SSH.COM PrivX documentation! Here you'll find the PrivX administration manual, use case specific guides as well as API specifications.

Documentation    API Reference

Release Notes for This Release


Important Notes

Workaround for Legacy Certificates
If your existing PrivX installation has been integrated to systems that use legacy X.509 certificates (certificate CN equals FQDN, and does not contain a Subject-Alt-Name extension), then follow these steps when upgrading to PrivX 18:

  1. Install PrivX-18 RPM without automatic postinstall:
    # SKIP_POSTINSTALL=1 yum install PrivX-18.0-....
  2. Enable legacy-x509-certificate support:
    # echo "GODEBUG=x509ignoreCN=0" >> /opt/privx/scripts/local-env
  3. Run postinstall manually:
    # /opt/privx/scripts/



Update your legacy certificates as soon as possible! This workaround for supporting legacy X.509 certificates is temporary and not guaranteed to be available in future releases.

License Upgrade for Future Upgrade Support
If your initial PrivX deployments started with version 15 or earlier it is likely running with a Nalpeiron license, which will be unsupported in future PrivX releases. To enable upgrading to future PrivX versions, request and set up a new license according to Converting to New License Format.

Upgrading to the Latest Version

  • Upgrading to this version is supported from three previous major versions (17.x, 16.x, 15.x)
  • If you are planning to upgrade from an older version, please contact support.

Supported Releases

We produce security and stability fixes for the three latest major releases (18.x, 17.x, 16.x).

New Features

  • [PX-2336] VNC protocol support
    • Graphical VNC connections via PrivX GUI
    • Video playback for VNC session recordings
    • Note: Requires SSH service for tunneling. For more information about setting up VNC connection targets, see Setting up Hosts
  • [PX-2496] Licensed host count changes, disabling unlicensed hosts
  • [PX-3112] SOCKS and http proxy support for SSH Bastion
    • When paired with public-key authentication, connections via SSH Bastion can be automatically authenticated against PrivX. For more information about SSH-Bastion connections via ProxyCommand, see SSH Connections with Native Clients
  • [PX-3219] Additional settings configurable via the PrivX GUI, under Administration→Settings
  • [PX-3351] Customizable SSH certificate template support for PrivX. Allows GitLab and GitHub certificate authentication via PrivX.
  • [PX-3578] Improved secret management through GUI. See Secrets Vault
  • [PX-3534] Support static IP addresses for PrivX license backend
  • [PX-3619] Role request search
  • [PX-3628] Restart PrivX from GUI, under Administration→Settings
  • [PX-3663] Support for OAuth2 server endpoint for fetching PrivX access tokens
  • [PX-3670] Support for SCIM server directory type for importing users and hosts
  • [PX-3702] Support for initialization and availability status in file transfer
  • [PX-3721] Create directory, file & directory rename, and file & directory move support
  • [PX-3734] Paste on right click in SSH
  • [PX-3748] Support display_path in addition to path in file transfer LS command
  • [PX-3761] Allow host/subnet specific SFTP protocol version override


  • [PX-2521] License max hosts & max audited hosts enforcing in proxies and Bastions
  • [PX-2742] LDAP-rule error should also describe the role name as well as offending rule
  • [PX-2853] user-store: listen at a different port than 8084 due to omsagent Network Performance Monitoring (npm) solution
  • [PX-3387] Include PrivX EULA in all binary packages
  • [PX-3392] Add SSH Terms and Conditions/Service agreements to all PrivX components
  • [PX-3393] Pre-fill default username on PrivX login page
  • [PX-3428] Added TLS 1.3 support for PrivX web connectivity
  • [PX-3441] Audit events for hosts do not show the modifications for the host
  • [PX-3473] Audit events do not show who approved the request
  • [PX-3474] Approved workflow requests disappear from other approvers
  • [PX-3551] Service env variables must survive upgrades
  • [PX-3616] Keywords search to access requests
  • [PX-3679] GUI for host disabling/enabling
  • [PX-3689] Additional fields to audit events
  • [PX-3727] Log host tags to audit events
  • [PX-3860] Support for container machine ids for PrivX licenses

Bug Fixes

  • [PX-1980] Most audit events are missing username information
  • [PX-2085] Cannot follow symlinks with PrivX SFTP client
  • [PX-2665] Cannot reuse service address before host is deleted permanently from the database
  • [PX-3269] Role comments are shown to all users on home page.
  • [PX-3328] Create Vault API wrong response
  • [PX-3456] RDP session with native client through PrivX drops, inconsistent with other RDP scenarios
  • [PX-3581] --clean and --show-config return exit code 1
  • [PX-3583] Disabling a directory doesn't delete the hosts
  • [PX-3586] Too long service address or foreign-key violation results in duplicate service address error
  • [PX-3588] RDP resizing: connection reconnected without resizing browser
  • [PX-3631] SSH proxy does not show banner messages
  • [PX-3637] Multipart/form-data logins for web service will fail, if password field name is defined in web service config
  • [PX-3638] Fix excludeMultiplePermissions()
  • [PX-3642] Duplicate entries in host store blocking connections to both hosts
  • [PX-3643] Webpage rendering issue when moving from full screen RDP session to PrivX homepage
  • [PX-3653] SSH cert auth failing for personal account when mapped to multiple roles
  • [PX-3656] timeout_when_no_connmgr is in minutes (not seconds)
  • [PX-3678] ssh-mitm must not forward host[email protected] global requests
  • [PX-3699] Extender status not displayed under Service Status
  • [PX-3700] LTS11 to LTS17 upgrade: directory setting not moved
  • [PX-3701] RHEL8 missing local-env placeholder file
  • [PX-3704] login-rate-limit: too_many_attempts error code is not shown when exceeding burst_size_limit
  • [PX-3707] - Optional components not displayed in the GUI
  • [PX-3709] rdp-proxy panics if DPI params not received
  • [PX-3714] SSH Bastion: publickey client authenticated connections fail when target connection uses keyboard-interactive auth with stored passphrase
  • [PX-3720] Creating directories with the RDP file transfer API makes directories that are not possible to upload to
  • [PX-3733] rdp-proxy: file transfer API command "MV" does not work correctly
  • [PX-3735] Upgrade failed on migration-tool
  • [PX-3737] SSH Bastion: tunnel file transfer API request path validation is too strict
  • [PX-3738] ssh-proxy: file transfer API request path validation is too strict
  • [PX-3740] Skip connectivity test for VNC connections and allow extender connections via SSH tunnel
  • [PX-3743] Data copied to clipboard in PrivX UI is stored into connection's audit trail
  • [PX-3746] SFTP protocol version 4 is broken
  • [PX-3799] Increase allowed maximum values for some settings properties
  • [PX-3810] Old /help is still defined in nginx conf
  • [PX-3811] nginx conf for status and robots.txt are incorrect
  • [PX-3812] Secret editor field font should not default to monospace when using custom schemas
  • [PX-3813] Host modified-event does not unescape services when showing diff
  • [PX-3814] Nginx conf issues
  • [PX-3819] license-manager might panic on license deactivation/activation
  • [PX-3821] Prefilled username in login is wiped after failed login
  • [PX-3824] License invalidation / host disabling does not cut ongoing connections
  • [PX-3826] Connection-authenticated (301) event not consistent
  • [PX-3839] HSTS header validity period fixes
  • [PX-3841] License refresh and analytics enable/disable fails in one instance in HA env after license has been deactivated
  • [PX-3868] Increased RDP file transfer buffer to 2 MB for compatibility
  • [PX-3874] Fixed LDAP library panic after badly timed socket close
  • [PX-3878] Connection manager panic during shutdown

Known Issues

  • [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    • Workaround: To correct SELinux context, copy the to correct location:

      # scp -i key.pem [email protected]:/tmp/
      # ssh -i key.pem [email protected] "sudo cp /tmp/ /etc/ssh/"

  • [PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag

  • [PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    • Before upgrading, please copy the .toml files to another folder.

    • After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.

  • [PX-1875] - Web proxy login does not work, if login page does requests to multiple domains

  • [PX-2947] - No sound when viewing recorded rdp-mitm connection.

  • [PX-3086] - PrivX role mapping to AD OU not working as expected.

  • [PX-3183] - Belgian French keyboard layout change does not work in web and xrdp connections
  • [PX-3529] Wrong CA key is copied on the host when running the deployment script using extender

Updated 41 minutes ago

Release Notes for This Release

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.