SSH.COM PrivX Documentation Hub

Welcome to the SSH.COM PrivX documentation! Here you'll find the PrivX administration manual, use case specific guides as well as API specifications.

Documentation    API Reference

Release Notes for This Release


Important Notes

Old license back end is no longer supported

A new license back end has been taken into use from PrivX 16, and the old back end will no longer be supported by PrivX 19 and future releases. Read Changing to the New License Back End to check if you need to take any actions.

Deprecation Warnings

CentOS 8 support will be terminated once the operating system reaches end of life (around December 2021). PrivX support will continue normally on other supported platforms.

Workaround for Legacy Certificates

If your existing PrivX installation has been integrated to systems that use legacy X.509 certificates (certificate CN equals FQDN, and does not contain a Subject-Alt-Name extension), then follow these steps when upgrading to PrivX 19:

  1. Install PrivX-19 RPM without automatic postinstall:
    # SKIP_POSTINSTALL=1 yum install PrivX-19.0-....
  2. Enable legacy-x509-certificate support:
    # echo "GODEBUG=x509ignoreCN=0" >> /opt/privx/scripts/local-env
  3. Run postinstall manually:
    # /opt/privx/scripts/



Update your legacy certificates as soon as possible! This workaround for supporting legacy X.509 certificates is temporary and not guaranteed to be available in future releases.

Upgrading to the Latest Version

  • Upgrading to this version is supported from three previous major versions (18.x, 17.x, 16.x)
  • If you are planning to upgrade from an older version, please contact support.

Supported Releases

We produce security and stability fixes for the three latest major releases (19.x, 18.x, 17.x).

New Features

  • [PX-3383] SSH X.509 user certificate authentication support for Tectia SSH Server and RFC 6187 compliant hosts
  • [PX-3856] User's OS settings used for determining first day of week and time zone
  • [PX-3832] PrivX "status" page under "Monitor" tab
  • [PX-3579] "Secret" tab is added to connection UI. User can use vaulted secret more easily in browser based connections.


  • [PX-3987] cert-tool cannot access keys in dbvault
  • [PX-3986] Trail file download audit event is lacking session id and username
  • [PX-3965] Userstore and vault REST APIs are hard to use because of role caching
  • [PX-3961] Include ?filter= query string parameter to connection manager API specs for trail log download
  • [PX-3958] Suggest customers to disable smartcard certificate propagation
  • [PX-3854] New LICBE machineid gen not compatible with Kubernetes
  • [PX-3850] Reduced reloads on license page
  • [PX-3828] PrivX login flow and status storage documents
  • [PX-3827] Add an additional httponly cookie to authentication calls
  • [PX-3764] Drop the file-license version requirement
  • [PX-3744] Example guide for VNC server configuration
  • [PX-3741] Deployment script should accept the service address as an input parameter
  • [PX-3708] Filter disabled/enabled hosts
  • [PX-3651] More informative messages to admins when DB connections run out
  • [PX-3558] API clients should be able to fetch (ssh) access credentials from the Authorizer
  • [PX-3449] Grace period for file-based offline license
  • [PX-3419] SSH Bastion targets are not sorted and hard to find
  • [PX-2093] Audit-events: sync microservices to use common fields and values
  • [PX-1995] Improved audit events
  • [PX-1508] Log ssh-proxy/rdp-proxy service host hostname and IP to connections and audit events
  • [PX-277] More user friendly error messages needed in

Bug Fixes

  • [PX-4022] Postinstall fails on Amazon Linux 2
  • [PX-4003] SCIM API users: PUT request can create users whose details cannot be loaded by UI
  • [PX-4002] SCIM API users: panic when getting non-existent user uuid
  • [PX-3988] Unauthorized accesses are shown on “available hosts” page.
  • [PX-3984] Migration from old PrivX version to latest does not work
  • [PX-3983] Authorizer API doc: missing entry for "/authorizer/api/v1/{ca_type}/cas"
  • [PX-3973] Workflow PUT url id not used for anything
  • [PX-3972] Web-proxy, carrier and extender may generate too long CN in the cert requests
  • [PX-3970] AWS Console login via web carrier does not work
  • [PX-3967] User tags appearing and disappearing
  • [PX-3937] TCP Framing Error when sending PrivX SSH-Proxy logs to remote server
  • [PX-3927] PrivX installation complains about missing nalp folder
  • [PX-3913] PrivX Carrier RPM has issues with Selinux on RHEL8-based host
  • [PX-3912] Some RDP web client keymap names mismatch with Guacamole names
  • [PX-3907] API reference: required auth header is missing for the setting services in the documentations
  • [PX-3898] License with unlimited hosts bugs with host disabling
  • [PX-3892] settings - allowed maximum value for some fields is too low
  • [PX-3885] Unnecessary data in Body Parameters for /role-store/api/v1/users/{user_id}/authorizedkeys endpoint with POST method
  • [PX-3884] License status optin not showing the updated status before refresh
  • [PX-3875] SCIM API: 500 internal server error on DELETE non-existent host
  • [PX-3839] HSTS header issues
  • [PX-3806] Monitor service is missing from components list
  • [PX-3661] Turkish keyboard doesn't work in web target connection
  • [PX-3594] Azure AD users do not have unix username field
  • [PX-3526] Updating a user with a duplicate tag is possible.
  • [PX-3507] RDP web session is blurry on high-dpi displays
  • [PX-3183] Belgian French keyboard layout change does not work in web and xrdp connections

Known Issues

  • [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    • Workaround: To correct SELinux context, copy the to correct location:

      # scp -i key.pem [email protected]:/tmp/
      # ssh -i key.pem [email protected] "sudo cp /tmp/ /etc/ssh/"

  • [PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag

  • [PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    • Before upgrading, please copy the .toml files to another folder.

    • After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.

  • [PX-1875] - Web proxy login does not work, if login page does requests to multiple domains

  • [PX-2947] - No sound when viewing recorded rdp-mitm connection.

  • [PX-3086] - PrivX role mapping to AD OU not working as expected.

  • [PX-3529] Wrong CA key is copied on the host when running the deployment script using extender
  • [PX-4035] Multiple tabs may malfunction in Safari 14.1.
    • Workaround: It's a browser bug that causes refresh token out of sync between tabs. Use other versions of Safari or other supported browsers. Read more

Updated about a month ago

Release Notes for This Release

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.