These docs are for v17.

Previous Releases and Notes

Releases

v16.1

2020-12-08

Bug fixes and improvements

  • Bug fix for fetching cloud metadata with license

v16.0

2020-11-24

Important notes for this release

Version 16 introduces a fix for Extenders in HA deployments where the load-balancer IP address is dynamic. If you run such an environment you will need to update your Extenders' configurations and certificates. To do this, perform the following after the regular upgrade steps:

  1. Set privx_public_ip_address = "" in /opt/privx/etc/shared-config.toml and restart PrivX:
    # systemctl restart privx
  2. Unregister your Extenders.
  3. Re-obtain certificates by running the following on your Extenders:
    # /opt/privx/scripts/extender-postinstall.sh --request-cert
  4. Re-download Extender configurations to your Extenders.
  5. Apply changes by restarting Extender services:
    # systemctl restart privx-extender

If you are performing a fresh install while having a license from prior to this release, you will need to request a new license from [email protected]
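Step 1 of the procedure above changes a single key in shared-config.toml. The POSIX shell helper below is an added example, not PrivX code and not part of these release notes: it sets a top-level string key idempotently, writes a timestamped backup before touching the file, replaces an existing line in place or appends the key if it is missing, and reports whether the file actually changed, so the PrivX restart can be skipped when nothing moved. It assumes the key is a plain top-level key = "value" line (no table sections to disambiguate), that the key and value contain no "|" character or regex metacharacters, and that only the config edit is automated; the systemctl restart and the Extender steps stay manual. The demo at the end runs against a constructed sample file in a temporary directory and never touches /opt/privx.

```shell
#!/bin/sh
# Added example, not PrivX code: idempotent edit of one top-level string key
# in a TOML file, as needed for step 1 of the v16.0 Extender note
# (privx_public_ip_address = "" in /opt/privx/etc/shared-config.toml).
# Assumptions: the key is a plain top-level `key = "value"` line; KEY and
# VALUE contain no '|' (used as the sed delimiter) and no regex metacharacters.
set -eu

# set_toml_string FILE KEY VALUE
# Prints "changed" if the file was modified, "unchanged" if it already had
# exactly KEY = "VALUE". A timestamped backup is written before any change.
set_toml_string() {
    file=$1 key=$2 value=$3
    want="$key = \"$value\""
    if grep -qx "$want" "$file"; then
        echo unchanged
        return 0
    fi
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        # key present: replace the whole line, keep everything else as is
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$want|" "$file" > "$tmp"
    else
        # key absent: append it at the end of the file
        cat "$file" > "$tmp"
        printf '%s\n' "$want" >> "$tmp"
    fi
    # write back through cat so the original owner and mode are preserved
    cat "$tmp" > "$file"
    rm -f "$tmp"
    echo changed
}

# get_toml_string FILE KEY
# Prints the unquoted value of KEY (empty output if unset or empty).
get_toml_string() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\(.*\)\".*|\1|p" "$1" | head -n 1
}

# Demo on a constructed sample file in a temporary directory (never touches /opt/privx).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/shared-config.toml"
printf '%s\n' '# constructed sample, not a real shared-config.toml' \
    'privx_public_ip_address = "198.51.100.10"' \
    'other_key = "keep me"' > "$demo_file"
echo "first run:  $(set_toml_string "$demo_file" privx_public_ip_address "")"
echo "second run: $(set_toml_string "$demo_file" privx_public_ip_address "")"
echo "value now:  [$(get_toml_string "$demo_file" privx_public_ip_address)]"
rm -rf "$demo_dir"
```

On a real server you would call set_toml_string /opt/privx/etc/shared-config.toml privx_public_ip_address "" as root and run systemctl restart privx only when it prints "changed"; the .bak file it leaves beside the config is what you restore from if the Extender re-registration has to be rolled back.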

New features

  • [PX-273] - Ephemeral private key rotation for SSH
  • [PX-1697] - Allow using AWS role ARN to scan hosts on other AWS accounts
  • [PX-2027] - Support principal key import for roles
  • [PX-2714] - Connection duration to connection-closed event
  • [PX-2722] - Authentication to PrivX via SSH Bastion using public key
  • [PX-2731] - Allow access to connections using access roles
  • [PX-3182] - Allow defining web host specific domain restrictions for web access
  • [PX-3194] - Add advanced search helper description to search fields.
  • [PX-3224] - Disclaimer improvements

Bug fixes and improvements

  • [PX-2909] - Override SSH algorithms per target host or pattern
  • [PX-2912] - Add the license backend address to the license page
  • [PX-2965] - Fixed connection-manager status check for RDP Bastion playback
  • [PX-2994] - Support dynamic ELB endpoint: shared-config.privx_public_ip_address cannot be set to a reasonable value with ELB
  • [PX-3147] - Show host comments on connections page
  • [PX-3177] - Default disclaimer example in shared-config.toml is invalid
  • [PX-3179] - If host scanning or tag import is disabled, hosts deployed with deploy script don't have any names
  • [PX-3180] - Focus can go to login form despite popup disclaimer
  • [PX-3185] - Remove extra event attribute on connection page search results
  • [PX-3191] - Contextual role restrictions do not work for API clients
  • [PX-3199] - Race condition in SSH Bastion channel close
  • [PX-3232] - Unused cache configs on rolestore.toml
  • [PX-3233] - Auth service should use unified audit event keys
  • [PX-3234] - RDP file upload fails if 'Overwrite existing files' is checked and file does not exist on target
  • [PX-3257] - Panic in host-store house-keeping
  • [PX-3264] - Race condition in auth service startup
  • [PX-3266] - Expose API clients as role-store users
  • [PX-3274] - Prevent granting access role to connection for already granted roles
  • [PX-3280] - The PrivX UI / help documents get indexed by crawlers
  • [PX-3291] - API clients are not allowed to access workflow engine APIs
  • [PX-3301] - Google GSuite is nowadays Google Workspace
  • [PX-3302] - trail-index: crash when attempting playback for trail with missing files
  • [PX-3306] - Fix data validations for workflow-engine requests
  • [PX-3315] - Workflow: a role added through the API is marked as ROLE REMOVED
  • [PX-3318] - Notification mechanism does not work well with local caches
  • [PX-3329] - PrivX web proxy does not support text/x-gwt-rpc content type
  • [PX-3353] - Fixed installation and backup restore issue for PostgreSQL 11. Added support for PostgreSQL 13.
  • [PX-3354] - Allow sending keycodes via menu for RDP/web containers
  • [PX-3356] - Forwarded connection failed where it is expected to succeed
  • [PX-3365] - Prevent Extender name and routing prefix namespace clashes when modifying or unregistering Extender.
    Note: For existing deployments, ensure your Extenders and routing prefixes have unique names.
  • [PX-3368] - Directory login is attempted even if directory has been disabled
  • [PX-3370] - Prevent superuser creating trusted clients with too broad permissions
  • Security fixes

Known issues

  • [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    Workaround: To correct the SELinux context, use cp to copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
  • [PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    Before upgrading, please copy the .toml files to another folder.
    After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
  • [PX-1875] - Web proxy login does not work if the login page makes requests to multiple domains
  • [PX-1980] - Several audit events are missing username information.
  • [PX-2665] - Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
  • [PX-2947] - No sound when viewing recorded rdp-mitm connection.
  • [PX-3086] - PrivX role mapping to AD OU not working as expected.
  • [PX-3183] - Belgian French keyboard layout change does not work in web and xrdp connections

v15.1

2020-11-24

PrivX 15.1 is an incremental release over the previous version 15.0, introducing security and stability fixes.

v15.0

2020-10-01

Important notes for this release

For fresh installations of PrivX version 15 and later, the default audit-event and trail-retention time has been changed to 180 days (used to be unlimited).

Upgrading to this version from 12.x may take longer due to the new microservices and migrations introduced in this release. Depending on the size of your deployment, the postinstall step may take up to tens of minutes longer than usual.

New features

  • [PX-1238] - Feature to sort/search hosts by status (running, stopped..)
  • [PX-2693] - Roles for API clients
  • [PX-2729] - Restrict role requests with a role permission
  • [PX-2730] - License-manager statistics collector (disabled by default)
  • [PX-2986] - Inform user that sessions will/might be recorded
  • [PX-3005] - Option for showing disclaimer messages for PrivX users at login
  • [PX-3085] - Saved searches UI
  • [PX-3120] - Better indication for when you try to add an invalid role
  • [PX-3122] - Improve tolerance to broken role rule trees
  • [PX-3125] - Less intrusive style for find box in terminal
  • [PX-3128] - RDP clipboard style refinements
  • [PX-3129] - Support shift-enter to search backwards in terminal
  • [PX-3134] - Implicit pick on blur
  • [PX-3136] - Auto complete tag with 0 chars
  • [PX-3139] - More robust UI if service options are missing for a service
  • [PX-3142] - Filter roles only if they don't have a principal key - not based on name
  • [PX-3156] - Don't use tag auto complete if user doesn't have permissions

Bug fixes and improvements

  • [PX-2349] - privx-admin and privx-user roles don't have public keys
  • [PX-2626] - Email notification is not sent for the user when an access request is created on behalf of another user
  • [PX-2740] - connection-manager: terminating SSH connection triggers trail-open-failed event
  • [PX-2966] - Error when editing scanned hosts
  • [PX-2968] - approvals tab to show all the processed records regardless of role restriction
  • [PX-2971] - Reduce microservice I/O causing TIME_WAIT sockets
  • [PX-3001] - goroutine leak in directory and host scan and in the cloud-events lib
  • [PX-3002] - Azure event logger is broken
  • [PX-3006] - Browser text search on PrivX SSH terminal does not work
  • [PX-3007] - Web Proxy does not support sites using Authorization: Basic header on regular login page
  • [PX-3011] - monitor-service sql query for getting/deleting components is unnecessarily complex
  • [PX-3012] - monitor-service status endpoint has a race condition related to system stats
  • [PX-3038] - Carrier browser container firefox version is always the latest available
  • [PX-3044] - Workflow-engine crashes when creating role with name longer than 128 characters
  • [PX-3050] - Using LDAP directory type for Active Directory causes "User not found" errors
  • [PX-3053] - workflow-engine: gomail lib is forcing the username to be an email address
  • [PX-3066] - deploy.py does not set file permissions correctly with non-default umask
  • [PX-3067] - Incorrect version table name for license manager
  • [PX-3069] - workflow-engine: approvals tab lists requests incorrectly
  • [PX-3072] - tags search is not case insensitive
  • [PX-3081] - license-manager crash on entering license key
  • [PX-3090] - deploy.py, sys.stdin.encoding returns None on some envs
  • [PX-3107] - role-store: floating role activation may drop other explicit roles from the user
  • [PX-3123] - Userstore upgrade does not set all fields when creating roles. Rolestore does not force IPMask validity
  • [PX-3127] - workflow-engine - When user is not allowed to view the request the error code should be 403
  • [PX-3130] - Cannot create host with API client
  • [PX-3131] - Role created from api client does not have public key
  • [PX-3138] - rdp-proxy and ssh-proxy playback endpoints should require privx-user permission
  • [PX-3149] - privx-agent: nohup not working as expected
  • [PX-3150] - UI: "Overwrite existing files" option allows multiple concurrent uploads of the same file
  • [PX-3154] - rdp-proxy: playback crash when attempting playback for trail with missing files
  • [PX-3158] - Crash when logging out on workflow page
  • [PX-3159] - Can't create log collector
  • [PX-3161] - Work-around for stuck keys in RDP / Web sessions
  • [PX-3175] - Create proper indexes to audit_event table
  • [PX-3178] - Connection manager does not handle empty keywords in connection search

Known issues

  • [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    Workaround: To correct the SELinux context, use cp to copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
  • [PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [PX-1835] - Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    Before upgrading, please copy the .toml files to another folder.
    After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
  • [PX-1875] - Web proxy login does not work if the login page makes requests to multiple domains
  • [PX-1980] - Several audit events are missing username information.
  • [PX-2665] - Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
  • [PX-2738] - privx-on-aws deployment fails, if one stack already exists
  • [PX-3086] - PrivX role mapping to AD OU not working as expected.
  • [PX-3183] - Belgian French keyboard layout change does not work in web and xrdp connections

v14.3

2020-11-24

PrivX 14.3 is an incremental release over the previous version 14.2, introducing security and stability fixes.

v14.2

2020-09-25

PrivX 14.2 is an incremental release over the previous version 14.1.

Important upgrade notes

Upgrading from a version older than 13.0 is now faster. Version 13.0 contains a database change that is now working more efficiently.

Improvements

  • [3169] Audit event migration more efficient

Known issues

  • [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    Workaround: To correct the SELinux context, use cp to copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
  • [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    Before upgrading, please copy the .toml files to another folder.
    After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
  • [1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [1980] Several audit events are missing username information.
  • [2665] Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.

v14.1

2020-08-03

PrivX 14.1 is an incremental release over the previous version 14.0, featuring security and stability fixes.

Important upgrade notes

Upgrading to this version from 12.x or earlier may take longer due to the new microservices and migrations introduced in this release. Depending on the size of your deployment, the postinstall step may take up to tens of minutes longer than usual.

Notable fixes and improvements

  • [2991] Security and stability fixes included in Go 1.14.5
  • [2999] Japanese charsets not supported properly on web container
  • [3000] Admin cannot grant API client access-groups-manage permission
  • [3010] Monitor-service housekeeping leaks prepared statements
  • [3013] Host-store host health check may leak go-routines
  • [3016] Clean up db queries in host-store host health check
  • [3018] Duplicate Extender or Carrier registration will clear routing prefix table for the carrier name on registration rejection
  • [3020] Cannot create Google GSuite user dir

Known issues

  • [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    Workaround: To correct the SELinux context, use cp to copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
  • [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    Before upgrading, please copy the .toml files to another folder.
    After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
  • [1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [1980] Several audit events are missing username information.
  • [2665] Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.

v14.0

2020-06-29

Important upgrade notes

Upgrading to this version from 12.x or earlier may take longer due to the new microservices and migrations introduced in this release. Depending on the size of your deployment, the postinstall step may take up to tens of minutes longer than usual.

New features

  • [1683] - Access groups to enable segregating and delegating host administration
  • [2518] - Secret Data Vault
  • [2649] - Support for Thales Vormetric DSM
  • [2782] - High-Availability configuration for extender/carrier
  • [2833] - Role restrictions time zone improvements

Notable fixes and improvements

  • [2733] - Invisible PrivX-Agent icon on some Windows 10 instances.
  • [2740] - Terminating SSH connection triggers trail-open-failed event.
  • [2779] - Replace sudo with su on installation scripts
  • [2818] - Ignore server_mode for SSH transcripts.
  • [2836] - Show also the role context limitations with the role listing on the user page
  • [2848] - Avoid housekeeping audit events spamming
  • [2961] - Azure Active Directory OIDC integration not working after Microsoft changes synchronization
  • [2967] - Role context restriction enforcement fixes

Known issues

  • [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    Workaround: To correct the SELinux context, use cp to copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
  • [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    Before upgrading, please copy the .toml files to another folder.
    After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
  • [1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [1980] Several audit events are missing username information.
  • [2665] Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.

v13.2

2020-08-05

PrivX 13.2 is an incremental release over the previous version, featuring security and stability fixes.

Important upgrade notes

Upgrading to this version from 12.2 or earlier may take longer due to the new microservices and migrations introduced in this release. Depending on the size of your deployment, the postinstall step may take up to tens of minutes longer than usual.

Notable fixes and improvements

  • [3020] Cannot create Google GSuite user dir
  • [3029] - Upgrade golang to version 1.14.5

Known issues

  • [789] When DB connection fails status.html does not show the reason
  • [852] Listing users may time out for directories with more than 100K users
  • [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    Workaround: To correct the SELinux context, use cp to copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
  • [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [1798] Authorizer crash with online license when no internet connectivity
  • [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    Before upgrading, please copy the .toml files to another folder.
    After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
  • [1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [1980] Several audit events are missing username information.
  • [2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
  • [2626] Email notification is not sent for the user when access request is created on behalf of another user.
  • [2665] Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
  • [2675] When there is only one privx-admin user, that user cannot be modified in any way.
  • [2733] Invisible PrivX-Agent icon on some Windows 10 instances.
  • [2740] Terminating SSH connection triggers trail-open-failed event.
  • [2818] Ignore server_mode for SSH transcripts.

v13.1

2020-05-25

Important upgrade notes

Upgrading to this version from 12.x or earlier may take longer due to the new microservices and migrations introduced in this release. Depending on the size of your deployment, the postinstall step may take up to tens of minutes longer than usual.

Notable fixes and improvements

  • [2835] Allow managing roles outside their context restrictions, without triggering warnings.
  • [2846] Upgrade no longer resets external user mapping, client-certificate configurations, group filters, nor host-filter tags.

Known issues

  • [789] When DB connection fails status.html does not show the reason
  • [852] Listing users may time out for directories with more than 100K users
  • [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    Workaround: To correct the SELinux context, use cp to copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
  • [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [1798] Authorizer crash with online license when no internet connectivity
  • [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    Before upgrading, please copy the .toml files to another folder.
    After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
  • [1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [1980] Several audit events are missing username information.
  • [2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
  • [2626] Email notification is not sent for the user when access request is created on behalf of another user.
  • [2665] Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
  • [2675] When there is only one privx-admin user, that user cannot be modified in any way.
  • [2733] Invisible PrivX-Agent icon on some Windows 10 instances.
  • [2740] Terminating SSH connection triggers trail-open-failed event.
  • [2818] Ignore server_mode for SSH transcripts.

v13.0

2020-05-07

Important upgrade notes

Upgrading to this version may take longer due to the new microservices and migrations introduced in this release. Depending on the size of your deployment, the postinstall step may take up to tens of minutes longer than usual.

New features

  • [13] Context-based roles, allowing you to restrict the validity of a role by weekday, time, and client IP.
  • [1960] User-defined accounts: Allow users to freely specify the target-account name.
  • [2414] Support for nCipher nShield as a HSM provider.
  • [2487] Allow defining LDAP TLS trust anchors per directory.
  • [2550] Allow users and API clients to view access requests.
  • [2555] Support dedicating PrivX servers to front-end and/or back-end roles.
  • [2586] Support certificate and public-key authentication on OpenSSH 8.2.
  • [2606] Tag support for OpenStack hosts.
  • [2674] Ability to specify NTP server during initial setup.

Notable fixes and improvements

  • [817] Support ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [832] Disallow creating directories with same name and type.
  • [836] Correctly warn about missing data in directory settings.
  • [946, 1062] Correctly warn when attempting to create a local user or role with duplicate name.
  • [989] Option for override prompt when attempting to upload a file with an existing name.
  • [1226] Correctly display key and value in User Authentication Failed audit events.
  • [1822] Correctly populate fields for AWS login even after changing region.
  • [2012] Leading whitespaces in web targets are trimmed and no longer prevent autofill credentials.
  • [2066] Correctly calculate non-ascii-password lengths.
  • [2172] Postinstall correctly sets file permissions regardless of user’s umask.
  • [2288] Search local users using tags.
  • [2598] Support secure web sockets in web container on websites using self-signed certificates.
  • [2604] SFTP file name with Chinese character does not show properly.
  • [2613] SSH, RDP and Web connections can now use ports up to 65535.
  • [2618] Fixed local-database setup with external PostgreSQL packages.
  • [2620] Audit event for when trails are downloaded.
  • [2628, 2753] Correctly report authentication method for stored credentials and password prompt over RDP Bastion.
  • [2632] Backup and restore scripts now also back up local postgresql configuration files.
  • [2636] Correctly show failure status for microservices where Redis is down.
  • [2641] Fixed postinstall failure on RHEL 8 after restoring from backup.
  • [2672] Postinstall now checks for failures from previous runs, and offers to clean up the previous installation.
  • [2673] Missing PostgreSQL 9.2 data directory no longer fails reinstall.
  • [2732] Correctly parse X-Forwarded-For headers set by Azure load balancers with default configuration.
  • [2737] Sudden AD outages no longer terminate AD-user sessions with valid cache.
  • [2743] After removing an account, the GUI displays correct information for the remaining accounts.
  • [2746] With manual connections PrivX will never grant any role-based credentials, even when target servers would accept them.
  • [2789] Fixed an issue that prevented components from the same IP being listed on the status page.
  • [2790] Support ASCII case-sensitive user names for RDP connections.
  • [2800] RDP-Bastion connection stays up after changing the virtual-container display size.
  • [2812] Fixed: web container did not obey autohide_navibar=false

Known issues in this release

  • [789] When DB connection fails status.html does not show the reason
  • [852] Listing users may time out for directories with more than 100K users
  • [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    Workaround: To correct the SELinux context, use cp to copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
  • [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [1798] Authorizer crash with online license when no internet connectivity
  • [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    Before upgrading, please copy the .toml files to another folder.
    After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
  • [1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [1980] Several audit events are missing username information.
  • [2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
  • [2626] Email notification is not sent for the user when access request is created on behalf of another user.
  • [2665] Cannot reuse the service address of a deleted host until its hosts_deleted_age has elapsed.
  • [2675] When there is only one privx-admin user, that user cannot be modified in any way.
  • [2733] Invisible PrivX-Agent icon on some Windows 10 instances.
  • [2738] privx-on-aws deployment to same account and region fails if one stack already exists.
  • [2740] Terminating SSH connection triggers trail-open-failed event.
  • [2818] Ignore server_mode for SSH transcripts.

v12.3

2020-08-05

PrivX 12.3 is an incremental release over the previous version, featuring security and stability fixes.

Known issues in this release

  • [789] When DB connection fails status.html does not show the reason
  • [817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [852] Listing users may time out for directories with more than 100K users
  • [1057] Cannot parse scoped literal IPv6 addresses
  • [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [1240] Set proper ownership and permissions for /var/privx
  • [1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    Workaround: To correct the SELinux context, use cp to copy principals_command.sh to the correct location:
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
  • [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [1798] Authorizer crash with online license when no internet connectivity
  • [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    Before upgrading, please copy the .toml files to another folder.
    After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
  • [1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [1980] HOST-STORE audit events are missing username information.
  • [2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
  • [2544] In some cases initial post install may fail because Nginx cannot be restarted.
  • [2586] Certificate (and possibly public key) authentication does not work against OpenSSH versions 8.2 and later.

v12.2

2020-05-12

PrivX 12.2 is an incremental release over the previous version 12.1, featuring security and stability fixes.

Important upgrade notes

If you are upgrading from PrivX version 12.0, you need to manually correct the SELinux context type of the NginX and PostgreSQL certificate files. To do this, run these commands on each PrivX server:

# chcon -t httpd_config_t /etc/nginx/ssl/nginx-internal.*
# chcon -t postgresql_db_t /var/lib/pgsql/data/server.*

After this, we recommend creating new backups before upgrading.

Notable Bug fixes and improvements

  • [2718] Busyloop after disconnecting with xfreerdp
  • [2767] Online license deactivation does not work
  • [2780] Clients get stuck on connection-manager after websocket dies

Known issues in this release

  • [789] When DB connection fails status.html does not show the reason
  • [817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [852] Listing users may time out for directories with more than 100K users
  • [1057] Cannot parse scoped literal IPv6 addresses
  • [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [1240] Set proper ownership and permissions for /var/privx
  • [1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    Workaround: Copy principals_command.sh into place with cp so that it receives the correct SELinux context (a copy gets the default context of the destination directory, whereas mv would keep the context of the source file):
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
  • [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [1798] Authorizer crash with online license when no internet connectivity
  • [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    Before upgrading, please copy the .toml files to another folder.
    After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
  • [1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [1980] HOST-STORE audit events are missing username information.
  • [2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
  • [2544] In some cases initial post install may fail because Nginx cannot be restarted.
  • [2586] Certificate (and possibly public key) authentication does not work against OpenSSH versions 8.2 and later.

v12.1

2020-03-19

PrivX 12.1 is an incremental release over the previous version 12, featuring security and stability fixes.

Important upgrade notes
If you are upgrading from PrivX version 12.0, you need to manually correct the SELinux context type of the NginX and PostgreSQL certificate files. See fix [2624] for additional information.

Notable Bug fixes and improvements

  • [2613] SSH, RDP and Web connections can now use ports up to 65535.

  • [2618] Fixed local-database setup with external PostgreSQL packages.

  • [2624] Postinstall now sets correct SELinux context types for NginX and PostgreSQL certificate files.

    Note: If you are upgrading from PrivX version 12.0, you need to first correct the SELinux context type of the NginX and PostgreSQL certificate files. To do this, run these commands on each PrivX server:

# chcon -t httpd_config_t /etc/nginx/ssl/nginx-internal.*
# chcon -t postgresql_db_t /var/lib/pgsql/data/server.*

After this, we recommend creating new backups before upgrading.

  • [2641] Fixed issue where postinstall failed after restoring backup on RHEL 8.
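The chcon commands in the 12.2 upgrade note and in the [2624] note above set labels without showing whether they were needed or whether they took effect. The following script is an added example, not part of PrivX or its release notes: it reads the current SELinux context of each certificate file named in those notes and relabels only the files whose type differs from the expected one, so it can be run safely before and after the upgrade. It assumes GNU coreutils (stat -c %C prints the SELinux context) and that the file paths are exactly those given in the notes. Keep in mind that chcon labels do not survive a filesystem relabel (restorecon or a relabel on boot), so re-run the check after any such operation.

```shell
#!/bin/sh
# Added example (not PrivX code): verify and, where needed, correct the SELinux
# type on the NginX and PostgreSQL certificate files named in the upgrade note.

# Pure string helper: extract the type field from a full SELinux context,
# e.g. "system_u:object_r:httpd_config_t:s0" -> "httpd_config_t".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the type in CONTEXT equals EXPECTED_TYPE, 1 otherwise.
type_matches() {
    [ "$(context_type "$1")" = "$2" ]
}

# Relabel FILE to TYPE only if its current type differs. Prints one line per
# file. Assumes GNU stat; "missing" is reported for paths that do not exist.
fix_type() {
    file=$1 want=$2
    have=$(stat -c %C "$file" 2>/dev/null) || { echo "missing: $file"; return 1; }
    if type_matches "$have" "$want"; then
        echo "ok      $file ($want)"
    else
        echo "relabel $file: $(context_type "$have") -> $want"
        chcon -t "$want" "$file"
    fi
}

# The certificate files from the upgrade note and the types chcon should set.
check_privx_cert_contexts() {
    rc=0
    for f in /etc/nginx/ssl/nginx-internal.*; do
        fix_type "$f" httpd_config_t || rc=1
    done
    for f in /var/lib/pgsql/data/server.*; do
        fix_type "$f" postgresql_db_t || rc=1
    done
    return $rc
}

# Usage on a PrivX server, as root: sh selinux-cert-check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_privx_cert_contexts
fi
```

Running it a second time after the relabel should print only "ok" lines; a non-zero exit means a file named in the note was not found, which is worth investigating before the upgrade rather than after.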

Known issues in this release

  • [789] When DB connection fails status.html does not show the reason
  • [817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [852] Listing users may time out for directories with more than 100K users
  • [1057] Cannot parse scoped literal IPv6 addresses
  • [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [1240] Set proper ownership and permissions for /var/privx
  • [1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    Workaround: Copy principals_command.sh into place with cp so that it receives the correct SELinux context (a copy gets the default context of the destination directory, whereas mv would keep the context of the source file):
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
  • [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [1798] Authorizer crash with online license when no internet connectivity
  • [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    Before upgrading, please copy the .toml files to another folder.
    After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
  • [1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [1980] HOST-STORE audit events are missing username information.
  • [2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
  • [2544] In some cases initial post install may fail because Nginx cannot be restarted.
  • [2586] Certificate (and possibly public key) authentication does not work against OpenSSH versions 8.2 and later.

v12.0

2020-03-04

PrivX 12 adds several user-authentication features, such as smart-card authentication and login-rate limiting. This version also includes plenty of stability and performance fixes.

New features

  • [1337] Support for restricting logins after a number of failed attempts. Useful for preventing brute-force-login attempts:

    Restrict logins after failed attempts to a certain user from a certain IP.

    Restrict logins after failed attempts from a certain client subnet.

  • [2246] Client-certificate (smart-card) authentication to PrivX.

    Support client certificates from smart cards, and from browser storage.

    Support for revocation-status checks via CRL and OCSP.

    Note: enabling smart-card authentication in HA environments will require changes to load-balancer configuration for existing PrivX deployments.

  • [2381] Clipboard contents in RDP-session logs.

  • [2403] RDP-bastion support for forward credentials.

  • [2461] Settings for forcing password change on next login (for PrivX local users only).

Notable Bug fixes and improvements

  • [1056] Ongoing connections are no longer disconnected automatically when ws_keepalive_interval_sec is set to 0.
  • [1226] Correctly display user ID in User Authentication Failed events.
  • [1239, 2476] Host scan no longer removes known targets after reaching license limits.
  • [1762] Support copy-pasting to and from web connections.
  • [1815] Correctly display CJK characters in web connections.
  • [1914] Search supports unicode characters.
  • [2304, 2507] Improved performance with Azure ADs with many groups.
  • [2363] Include trust anchors in PrivX-Server backup and restore.
  • [2387] RDP service no longer crashes when generating video for ongoing connections.
  • [2479] Fixed browser window disappearing after toggling fullscreen mode.
  • [2503] Correctly update GSuite/Azure Graph directory users when number of directory users becomes 0.
  • [2514] Fixed login sometimes failing on Firefox after entering correct credentials.
  • [2541] Fixed issues preventing successful postinstall with PostgreSQL 9.3, 9.4, 9.5, 9.6 and 12.
  • [2543] Upgrade no longer changes configuration file’s permissions or ownership.
  • [2552] Fixed issue preventing HA-instance restore.
  • [2557] RDP: Do not attempt to update host certificate when host is not in host-store.
  • [2559] Fixed restore script with PrivX servers using local PostgreSQL.
  • [2574] Adding many accounts to hosts no longer causes index errors.
  • [2575] Omit Process Step button from workflow mails for denied requests.
  • [2582] Fixed connection-manager panic on client exit.
  • [2589] Correct user name in RDP-connection audit events.
  • [2598] Support web connections that use WebSocket connections.

Deprecation warnings

The vast majority of PrivX users use modern browsers such as Chrome, Firefox, Edge and Safari, which support advanced security features and the latest web standards. Continuing to support Internet Explorer, which only a very small fraction of PrivX users use and which Microsoft itself discourages, prevents us from adopting these standards, to the detriment of all our users. We have therefore dropped support for Internet Explorer as of PrivX version 12, so that we can focus our efforts on improving the user experience for all PrivX users.

Known issues in this release

  • [789] When DB connection fails status.html does not show the reason
  • [817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [852] Listing users may time out for directories with more than 100K users
  • [1057] Cannot parse scoped literal IPv6 addresses
  • [1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [1240] Set proper ownership and permissions for /var/privx
  • [1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
    Workaround: Copy principals_command.sh into place with cp so that it receives the correct SELinux context (a copy gets the default context of the destination directory, whereas mv would keep the context of the source file):
    # scp -i key.pem principals_command.sh user@target:/tmp/
    # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
  • [1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [1798] Authorizer crash with online license when no internet connectivity
  • [1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    • Before upgrading, please copy the .toml files to another folder.
    • After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
  • [1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [1980] HOST-STORE audit events are missing username information.
  • [2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.
  • [2530] Web application web socket request error.
  • [2544] In some cases initial post install may fail because Nginx cannot be restarted.
  • [2586] Certificate (and possibly public key) authentication does not work against OpenSSH versions 8.2 and later.

v11.2

2020-05-12

PrivX 11.2 is an incremental release over the previous version 11.1, featuring security and stability fixes.

Notable Bug fixes and improvements

  • [PX-2718] Busyloop after disconnecting with xfreerdp
  • [PX-2767] Online license deactivation does not work
  • [PX-2780] Clients get stuck on connection-manager after websocket dies

Known issues in this release

  • [PX-789] When DB connection fails status.html does not show the reason
  • [PX-817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [PX-852] Listing users may time out for directories with more than 100K users
  • [PX-1057] Cannot parse scoped literal IPv6 addresses
  • [PX-1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1239] Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
  • [PX-1240] Set proper ownership and permissions for /var/privx
  • [PX-1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [PX-1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [PX-1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [PX-1762] RDP clipboard with web container does not work
  • [PX-1798] Authorizer crash with online license when no internet connectivity
  • [PX-1815] CJK chars not working for web connections
  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
  • [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [PX-1887] licensing: web access gateway functionality requires extender license feature
  • [PX-1914] Searching users: Searching with unicode characters doesn't work
  • [PX-1980] HOST-STORE audit events are missing username information.
  • [PX-2304] Azure Graph API user fetching is slow with large number of users.
  • [PX-2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.

v11.1

2020-01-21

PrivX 11.1 is an incremental upgrade over the 11.0 release, fixing a bug where a licensing error during a host scan removed known hosts.

Notable Bug fixes and improvements

  • [PX-2476] Hosts get removed when licensing error occurs during scan operation

    Note: If re-enabling a host directory causes a license error (license counts exceeded), the hosts of the disabled directory are now kept visible in PrivX. It is the administrator's responsibility to correct the licensing error, either by removing hosts or services, or by disabling the audit-enabled flag on hosts.

Known issues in this release

  • [PX-789] When DB connection fails status.html does not show the reason
  • [PX-817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [PX-852] Listing users may time out for directories with more than 100K users
  • [PX-1057] Cannot parse scoped literal IPv6 addresses
  • [PX-1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1239] Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
  • [PX-1240] Set proper ownership and permissions for /var/privx
  • [PX-1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [PX-1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [PX-1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [PX-1762] RDP clipboard with web container does not work
  • [PX-1798] Authorizer crash with online license when no internet connectivity
  • [PX-1815] CJK chars not working for web connections
  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    • Before upgrading, please copy the .toml files to another folder.
    • After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
  • [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [PX-1887] licensing: web access gateway functionality requires extender license feature
  • [PX-1914] Searching users: Searching with unicode characters doesn't work
  • [PX-1980] HOST-STORE audit events are missing username information.
  • [PX-2304] Azure Graph API user fetching is slow with large number of users.
  • [PX-2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.

Carrier v11.1, 10.2 and 9.2

2020-01-20

This release of Carrier 11.1, 10.2 and 9.2 updates the Firefox used by Carrier to fix the critical vulnerability CVE-2019-17026.

Fixed issues

  • [PX-2475] - Updated Firefox due to critical vulnerability, CVE-2019-17026

v11.0

2019-12-20

PrivX 11 introduces RDP native-client session recording via PrivX RDP Bastion, and adds several auditing features. This version adds support for CentOS and Red Hat Enterprise Linux 8.

New features

  • [PX-1090] Support for nested group members in AD groups
  • [PX-1242] Audit SSH/SCP/SFTP connections from native SSH clients (PrivX SSH Bastion)
  • [PX-1807] Support for CentOS 8 and Red Hat Enterprise Linux 8 as PrivX servers
  • [PX-1956] Session recording and playback for PrivX RDP Bastion
  • [PX-2075] Host status monitoring
  • [PX-2135] Indexing and searching for SFTP channels
  • [PX-2134] Downloadable SSH-Bastion and web-connection channel logs
  • [PX-2139] Interactive target selection for native-client SSH connections
  • [PX-2160] Support filtering scanned cloud instances
  • [PX-2180] Allow playback and search for exec channels with pty
  • [PX-2325] New connection field on PrivX Home page
  • [PX-2347] File transfer and clipboard auditing for RDP Bastion

Notable Bug fixes and improvements

  • [PX-652] User search not using mapped attributes
  • [PX-1805] The first web connection after installation always fails
  • [PX-1869] Allow enabling host audit via host tags
  • [PX-1915] Web credentials are not being stored or otherwise being passed correctly
  • [PX-2061] Host-deployment script Python 3 compatibility
  • [PX-2299] iOS 13 and MacOS 10.15 Catalina policy-compliant TLS certificate handling
  • [PX-2300] Added setting to change the image scaling algorithm used by RDP web client
  • [PX-2303] Automatic removal of removed hosts at specified times
  • [PX-2309] RDP smart card login fails always when all target host service options are disabled
  • [PX-2312] Web connections support HTTP Basic Authentication
  • [PX-2319] Support Belgian-French keyboard layout
  • [PX-2324] Improvements to Web credential autofill for non-standard ports
  • [PX-2326] New connection page improvements
  • [PX-2332] Unable to Post-Install to AWS RDS if user name is different from database name
  • [PX-2368] RDP Bastion uses same bastion syntax as SSH Bastion

Known issues in this release

  • [PX-789] When DB connection fails status.html does not show the reason
  • [PX-817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [PX-852] Listing users may time out for directories with more than 100K users
  • [PX-1057] Cannot parse scoped literal IPv6 addresses
  • [PX-1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1239] Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
  • [PX-1240] Set proper ownership and permissions for /var/privx
  • [PX-1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [PX-1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [PX-1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [PX-1762] RDP clipboard with web container does not work
  • [PX-1798] Authorizer crash with online license when no internet connectivity
  • [PX-1815] CJK chars not working for web connections
  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
    NOTE: In case of manual changes in the extra component .toml files:
    • Before upgrading, please copy the .toml files to another folder.
    • After upgrade, download new .toml files from PrivX UI and merge the manual changes from your .toml copies to the new .toml files.
  • [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [PX-1887] licensing: web access gateway functionality requires extender license feature
  • [PX-1914] Searching users: Searching with unicode characters doesn't work
  • [PX-1980] HOST-STORE audit events are missing username information.
  • [PX-2304] Azure Graph API user fetching is slow with large number of users.
  • [PX-2397] PrivX Agent does not work on RHEL 8 with OpenSSH 7.8p1 due to errors on the OpenSSH side.

v10.2

2020-01-21

PrivX 10.2 is an incremental upgrade over the 10.1 release, fixing a bug where a licensing error during a host scan removed known hosts.

Notable Bug fixes and improvements

  • [PX-2476] Hosts get removed when licensing error occurs during scan operation

Note: If re-enabling a host directory causes a license error (license counts exceeded), the hosts of the disabled directory are now kept visible in PrivX. It is the administrator's responsibility to correct the licensing error, either by removing hosts or services, or by disabling the audit-enabled flag on hosts.

v10.1

2019-11-13

PrivX 10.1 is an incremental upgrade over the 10.0 release, introducing fixes to cloud-host management.

Important upgrade notes

If you have a GCP directory with deleted instances in PrivX before upgrading to 10.1, the deleted instances will remain in the hosts list after the upgrade. To get rid of the deleted instances, do one of the following:

  • Delete the obsolete hosts using the Settings→Hosts page in the PrivX GUI.
  • Delete and re-create the GCP directory.

Notable Bug fixes and improvements

  • [PX-2261] Host-deployment fails if host-deployment script is run after host scan.
  • [PX-2262] Host deletions on Google Cloud are not updated to PrivX host list.
  • [PX-2287] Host scanning does not handle the case where number of hosts in a region drops to zero.

Known issues in this release

  • [PX-652] User search not using mapped attributes
  • [PX-789] When DB connection fails status.html does not show the reason
  • [PX-817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [PX-852] Listing users may time out for directories with more than 100K users
  • [PX-1057] Cannot parse scoped literal IPv6 addresses
  • [PX-1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1239] Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
  • [PX-1240] Set proper ownership and permissions for /var/privx
  • [PX-1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [PX-1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [PX-1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [PX-1762] RDP clipboard with web container does not work
  • [PX-1798] Authorizer crash with online license when no internet connectivity
  • [PX-1805] The first web connection after installation always fails
  • [PX-1815] CJK chars not working for web connections
  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
  • [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [PX-1887] licensing: web access gateway functionality requires extender license feature
  • [PX-1914] Searching users: Searching with unicode characters doesn't work
  • [PX-1980] HOST-STORE audit events are missing username information
  • [PX-2309] RDP smart card login fails sometimes when target host service options are disabled
    Workaround: Enable file transfer and/or auditing for the target host.

v10.0

2019-10-31

PrivX 10 introduces an agentless way to connect with native SSH clients and gives finer control over which features are allowed in host connections.

New features

  • PKCE Support for OIDC directories
  • Native-client use via SSH Bastion
  • Control which SSH and RDP channels are allowed for host connections
    NOTE: The RDP Allowed Account Service Options are not yet enforced in native-client RDP connections in PrivX 10.

Notable Bug fixes and improvements

  • [PX-2059] Trail transcript reverse search is slow on EFS
  • [PX-2068] Event is not created when opening transcript
  • [PX-2080] Failing SFTP channel will close terminal channel as well
  • [PX-2109] Carrier, Web Proxy and Extender start too soon
  • [PX-2165] Connection manager library does not handle message read timeouts correctly
  • [PX-2171] Fixed web-access vulnerability
  • [PX-2212] Web Proxy now enforces TLSv1.2. Connecting to targets that only support TLSv1.1 or earlier now fails with 'Handshake with SSL Server failed'.
  • [PX-2215] Blank page when clicking datepicker
  • [PX-2226] In some situations SSH operation fails
  • [PX-2236] Sometimes postinstall.sh fails with Nginx binding error

Known issues in this release

  • [PX-652] User search not using mapped attributes
  • [PX-789] When DB connection fails status.html does not show the reason
  • [PX-817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [PX-852] Listing users may time out for directories with more than 100K users
  • [PX-1057] Cannot parse scoped literal IPv6 addresses
  • [PX-1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1239] Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
  • [PX-1240] Set proper ownership and permissions for /var/privx
  • [PX-1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [PX-1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [PX-1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [PX-1762] RDP clipboard with web container does not work
  • [PX-1798] Authorizer crash with online license when no internet connectivity
  • [PX-1805] The first web connection after installation always fails
  • [PX-1815] CJK chars not working for web connections
  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
  • [PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
  • [PX-1887] licensing: web access gateway functionality requires extender license feature
  • [PX-1914] Searching users: Searching with unicode characters doesn't work
  • [PX-1980] HOST-STORE audit events are missing username information

Extender v9.0.1

2019-10-03

Important Notes for this Upgrade

The fix addresses a Go (Golang) TLS issue by making tls.minVersion = 1.2 the default. The setting can be changed in the file extender-config.toml.
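Both this Extender default and the Web Proxy change in [PX-2212] above mean that a target which only speaks TLSv1.1 or older can no longer be reached through PrivX. The following script is an added example, not part of PrivX or its documentation: it uses the openssl command-line tool to force one handshake per protocol version against a target and reports whether the target offers TLSv1.2 or newer, so such targets can be found before upgrading. The host name and port in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not PrivX code): probe which TLS protocol versions a target
# accepts and flag targets that a TLSv1.2-only proxy cannot connect to.
# Requires the openssl command-line tool.

# Pure helper: pull the negotiated protocol out of `openssl s_client` output,
# e.g. "    Protocol  : TLSv1.2" -> "TLSv1.2". Prints nothing if no handshake
# completed (no SSL-Session block in the output).
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1
}

# Pure helper: given the space-separated list of protocols a target accepted
# (e.g. "TLSv1 TLSv1.1"), return 0 if TLSv1.2 or TLSv1.3 is among them.
accepts_tls12_or_newer() {
    for p in $1; do
        case $p in
            TLSv1.2|TLSv1.3) return 0 ;;
        esac
    done
    return 1
}

# Attempt one handshake with a forced protocol version (FLAG such as -tls1_1)
# and print the protocol the server agreed to, or nothing on failure.
probe_version() {
    host=$1 port=$2 flag=$3
    out=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" </dev/null 2>/dev/null)
    negotiated_protocol "$out"
}

# Probe every version and report whether the target works behind a proxy
# that requires TLSv1.2 or newer. Exit status 1 means it will not.
probe_target() {
    host=$1 port=${2:-443}
    accepted=""
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        v=$(probe_version "$host" "$port" "$flag")
        [ -n "$v" ] && accepted="$accepted $v"
    done
    echo "$host:$port accepts:${accepted:- none}"
    if accepts_tls12_or_newer "$accepted"; then
        echo "OK: reachable through a TLSv1.2-only proxy"
    else
        echo "FAIL: target offers no TLSv1.2 or newer; the proxy handshake will fail"
        return 1
    fi
}

# Usage (host and port are placeholders): probe_target target.example.com 443
```

The only result that matters for the proxy is whether a TLSv1.2 (or TLSv1.3) handshake succeeds. With OpenSSL 3 the client itself may refuse TLSv1.0 and TLSv1.1 at its default security level, so an empty result for those versions says nothing certain about the server; it is still useful as a reminder that older protocols are disappearing on the client side as well.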

v9.2

2020-01-21

PrivX 9.2 is an incremental upgrade over the 9.1 release, fixing a bug where a licensing error during a host scan removed known hosts.

Notable Bug fixes and improvements

  • [PX-2476] Hosts get removed when licensing error occurs during scan operation

Note: If re-enabling a host directory causes a license error (license counts exceeded), the hosts of the disabled directory are now kept visible in PrivX. It is the administrator's responsibility to correct the licensing error, either by removing hosts or services, or by disabling the audit-enabled flag on hosts.

v9.1

2019-11-13

PrivX 9.1 is an incremental upgrade over the 9.0 release, introducing fixes to cloud-host management.

Important upgrade notes

If you have a GCP directory with deleted instances in PrivX before upgrading to 9.1, the deleted instances will remain in the hosts list after the upgrade. To get rid of the deleted instances, do one of the following:

  • Delete the obsolete hosts using the Settings→Hosts page in the PrivX GUI.
  • Delete and re-create the GCP directory.

Notable Bug fixes and improvements

  • [PX-2261] Host-deployment fails if host-deployment script is run after host scan.
  • [PX-2262] Host deletions on Google Cloud are not updated to PrivX host list.
  • [PX-2287] Host scanning does not handle the case where number of hosts in a region drops to zero.

Known issues

  • [PX-652] User search not using mapped attributes
  • [PX-789] When DB connection fails status.html does not show the reason
  • [PX-817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [PX-852] Listing users may time out for directories with more than 100K users
  • [PX-1057] Cannot parse scoped literal IPv6 addresses
  • [PX-1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1239] Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
  • [PX-1240] Set proper ownership and permissions for /var/privx
  • [PX-1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [PX-1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [PX-1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  • [PX-1524] Login as yourself with windows cert authentication not working if username does not contain domain
  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [PX-1762] RDP clipboard with web container does not work
  • [PX-1798] Authorizer crash with online license when no internet connectivity
  • [PX-1805] The first web connection after installation always fails
  • [PX-1815] CJK chars not working for web connections
  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
  • [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
  • [PX-1887] licensing: web access gateway functionality requires extender license feature
  • [PX-1914] Searching users: Searching with unicode characters doesn't work
  • [PX-1980] HOST-STORE audit events are missing username information

v9.0

2019-09-16

PrivX 9.0 introduces a multitude of stability improvements along with some new features.

Important upgrade notes

Upgrading to PrivX 9.0 triggers audit-event migrations that may take tens of minutes to complete.

You must unregister any version 8 Carrier and Web-Proxy components from PrivX before upgrading them to version 9 or later. The whole process is as follows:

  1. In the PrivX GUI, on the Settings→Deployment→Deploy PrivX Web Access Gateways page, Unregister every listed configuration.
  2. Set up new component packages:

    On Carriers:
        $ sudo yum install PrivX-Carrier-[release].rpm
        $ sudo /opt/privx/scripts/carrier-postinstall.sh

    On Web-Proxies:
        $ sudo yum install PrivX-Web-Proxy-[release].rpm
        $ sudo /opt/privx/scripts/web-proxy-postinstall.sh

New features

  • SSH-audit-trail indexing and text search
  • Host tags for enabling auditing
  • Support for PostgreSQL 11
  • Path field in file transfer UI to directly access paths

Notable Bug fixes and improvements

  • [PX-370] - SSH options not added to role-based public key
  • [PX-1204] - PrivX Extender is not automatically started on server boot
  • [PX-1255] - "Service-stopped (12)" event is missing
  • [PX-1507] - ssh-playback: cursor position has attributes from last drawn cell after seek
  • [PX-1534] - Augment the SSH proxy connected event to include information which channels are available for the UI
  • [PX-1624] - keyvault: panic when creating symmetric key without size
  • [PX-1639] - Host deploy script assumes OpenSSH at port 22
  • [PX-1702] - OpenStack host scanning fails with No suitable endpoint could be found in the service catalog.
  • [PX-1730] - Auth service key rotation on request
  • [PX-1733] - Extender/Carrier/WebProxy status info is missing in service status
  • [PX-1803] - Monitor service logging too much
  • [PX-1809] - Generating keys fails with Safenet Luna HSM 6.4 and 7.2
  • [PX-1836] - Can not login to openstack with PrivX Web Connections
  • [PX-1842] - connection-manager client does not survive system time update
  • [PX-1868] - ssh-proxy: host unreachable error when websocket upgrade fails
  • [PX-1869] - Allow enabling host auditing using host tags
  • [PX-1870] - Extender license check is ignored if web proxy is enabled
  • [PX-1872] - Service status updates in PrivX home is refreshed slowly
  • [PX-1877] - Web Proxy: ICAP is listening to all public addresses
  • [PX-1884] - Race condition in role creation and deletion leads to orphan principal keys in DB
  • [PX-1888] - License: status is MAX_HOST_EXCEEDED though the number of host is within limit
  • [PX-1891] - Update error message on max activations reached
  • [PX-1894] - Error when ssh to target with privx-agent: "mesg: ttyname failed: Inappropriate ioctl for device"
  • [PX-1900] - Source-addresses is asserted even though cert auth is not the only auth type enabled in role
  • [PX-1904] - ssh-proxy: auditing fails with "file already closed"
  • [PX-1907] - Extender load balancer cookie resolving should not fall back to single server installation
  • [PX-1909] - host-store: same port as splunkd
  • [PX-1916] - Deploy script does not work with AWS VPC instances
  • [PX-1920] - Indexer Service - Enable Housekeeping
  • [PX-1925] - Authentication support for PKCE RFC7636
  • [PX-1928] - Monitor-Service: Components table is ever expanding
  • [PX-1929] - Manually configured and scanned hosts can have their roles altered using deploy script
  • [PX-1930] - HTTPS login fails, if LoginRequestURL is not defined and login request address does not match hostname
  • [PX-1932] - HTTPS login autofill does not work for sites, which have loginRequestUrl defined
  • [PX-1935] - /privx/users page does not load after refresh
  • [PX-1936] - Web SSH / RDP client in background tabs disconnect
  • [PX-1937] - Cannot login to azure portal with WEB connection
  • [PX-1938] - ssh-proxy: REQ_ENV is not stored to trail
  • [PX-1939] - ssh-proxy: REQ_EXEC does not support session recording
  • [PX-1943] - ssh-proxy: STREAM_STDIN messages for a sftp channel are processed in ssh-proxy
  • [PX-1946] - Connection manager target_host.common_name is wrong for RDP connections
  • [PX-1948] - Address condition in host search should also search service addresses
  • [PX-1949] - Connection manager connection lacks host data on some cases
  • [PX-1955] - Host -> 'List Events' does not list all events associated with that host
  • [PX-1966] - rdp-proxy crashes while doing license check for extender
  • [PX-1975] - Web connections: browser container does not handle the case where rdp connection setup fails
  • [PX-1976] - Extender: HA resolve / extender reconnect logic does not handle PrivX server restart
  • [PX-1977] - Login UI robustness with bookmarks, expired tokens and shared urls
  • [PX-1979] - DB transactions are not always closed
  • [PX-1981] - PrivX allows manual login connection attempts for configured hosts, even if user does not have permissions to the host
  • [PX-1987] - RDP MITM: leaking manual connections
  • [PX-1993] - ssh-proxy: filetransfer API does not handle correctly empty directory/file names
  • [PX-2052] - ssh-proxy: playback of a certain ssh trail causes out of memory situation in UI
  • [PX-2054] - PrivX-Web-Proxy registering problems fixed
  • [PX-2062] - UI: Web SSH terminal layout is confused after browser width resizing
  • [PX-2064] - connmgr: housekeeping fails to remove trails
  • [PX-2087] - host-scanning: audit_enabled is set to false on aws directory refresh
  • [PX-2089] - Audit-Events - Missing userID

Known issues

  • [PX-652] User search not using mapped attributes
  • [PX-789] When DB connection fails status.html does not show the reason
  • [PX-817] Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [PX-852] Listing users may time out for directories with more than 100K users
  • [PX-1057] Cannot parse scoped literal IPv6 addresses
  • [PX-1230] When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1239] Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
  • [PX-1240] Set proper ownership and permissions for /var/privx
  • [PX-1325] Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [PX-1342] privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [PX-1502] postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  • [PX-1524] Login as yourself with windows cert authentication not working if username does not contain domain
  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [PX-1762] RDP clipboard with web container does not work
  • [PX-1798] Authorizer crash with online license when no internet connectivity
  • [PX-1805] The first web connection after installation always fails
  • [PX-1815] CJK chars not working for web connections
  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
  • [PX-1875] Web proxy login does not work, if login page does requests to multiple domains
  • [PX-1887] licensing: web access gateway functionality requires extender license feature
  • [PX-1914] Searching users: Searching with unicode characters doesn't work
  • [PX-1980] HOST-STORE audit events are missing username information

v8.2

2019-11-13

PrivX 8.2 is an incremental upgrade over the 8.1 release, introducing fixes to cloud-host management.

Important upgrade notes

If you have a GCP directory with deleted instances in PrivX before upgrading to 10.1, the deleted instances will remain in hosts list after upgrade. To get rid of the deleted instances you need to either:

  • Delete the obsolete hosts using the Settings→Hosts page in the PrivX GUI, or
  • Delete and re-create the GCP directory.

Notable Bug fixes and improvements

  • [PX-2262] Host deletions on Google Cloud are not updated to PrivX host list.
  • [PX-2287] Host scanning does not handle the case where number of hosts in a region drops to zero.

Known issues

  • [PX-370] - SSH options not added to role-based public key
  • [PX-652] - User search not using mapped attributes
  • [PX-789] - When DB connection fails status.html does not show the reason
  • [PX-817] - Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [PX-852] - Listing users may time out for directories with more than 100K users
  • [PX-1057] - Cannot parse scoped literal IPv6 addresses
  • [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1239] - Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
  • [PX-1240] - Set proper ownership and permissions for /var/privx
  • [PX-1325] - Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [PX-1342] - privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [PX-1344] - Possible to establish proxied native-client connections to hosts with session recording
  • [PX-1502] - postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  • [PX-1524] - Login as yourself with windows cert authentication not working if username does not contain domain
  • [PX-1574] - monitor-service: audit event searching is broken or lacking
  • [PX-1624] - keyvault: panic when creating symmetric key without size
  • [PX-1702] - OpenStack host scanning fails with No suitable endpoint could be found in the service catalog
  • [PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [PX-1762] - RDP clipboard with web container does not work
  • [PX-1798] - Authorizer crash with online license when no internet connectivity
  • [PX-1805] - The first web connection always fails
  • [PX-1809] - Generating keys fails with FIPSed Safenet Luna HSM 6.4 and 7.2
  • [PX-1815] - CJK chars not working for web connections
  • [PX-1827] - Extender/Carrier/Web Proxy configs not migrated on upgrade

v8.1

2019-09-16

PrivX 8.1 is an incremental upgrade over the 8.0 release, introducing security fixes to user sessions. For additional details about security fixes, please contact support at help.ssh.com

Important Notes for this Upgrade

The fixes introduced in this release are also available in PrivX versions 9.0 and later. For additional system stability and the latest features, we recommend upgrading to the latest PrivX instead.

v8.0

2019-06-07

The 8.0 major release expands upon the functionality offered by PrivX. Notable new features include support for connections to HTTP and HTTPS targets, native RDP clients, and granular PrivX-user permissions.

Important upgrade notes

After upgrading from PrivX 7.x with HSM integration, old host-deployment scripts will no longer work: you must re-download the script and use that for subsequent host-deployment operations.

For HA environments, see the Administrator Manual for new upgrade instructions. HA deployments have to be upgraded so that you upgrade one server, and then duplicate the rest.

New features

  • Access HTTP and HTTPS services using shared accounts.
  • Native RDP-client support: use your existing RDP clients to access targets while authenticating via PrivX.
  • New permissions for configuring what users are allowed to do. Specified per role.
  • Audit logs available in Common Event Format (CEF), for easier integration with SIEM systems.
  • Extender support in PrivX HA deployments.

Notable Bug fixes and improvements

  • [PX-757] - User list count is incorrect if limit parameter is used
  • [PX-807] - External DB certificate import error in postinstall script
  • [PX-1204] - PrivX Extender is not automatically started on server boot
  • [PX-1531] - PrivX win agent parses backend FQDN name incorrectly for login dialog
  • [PX-1533] - Windows Client does not work with system trusted TLS certificate
  • [PX-1636] - Troubleshoot: clients secrets are not masked in keyvault-config.toml
  • [PX-1639] - Host deploy script assumes OpenSSH at port 22
  • [PX-1693] - Deployment script does not work with api-ca-cert-file option and PEM
  • [PX-1785] - GSuite OIDC usernames changed to unknown after login to PrivX

Known issues

  • [PX-370] - SSH options not added to role-based public key
  • [PX-652] - User search not using mapped attributes
  • [PX-789] - When DB connection fails status.html does not show the reason
  • [PX-817] - Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [PX-852] - Listing users may time out for directories with more than 100K users
  • [PX-1057] - Cannot parse scoped literal IPv6 addresses
  • [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1239] - Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
  • [PX-1240] - Set proper ownership and permissions for /var/privx
  • [PX-1325] - Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [PX-1342] - privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [PX-1344] - Possible to establish proxied native-client connections to hosts with session recording
  • [PX-1502] - postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  • [PX-1524] - Login as yourself with windows cert authentication not working if username does not contain domain
  • [PX-1574] - monitor-service: audit event searching is broken or lacking
  • [PX-1624] - keyvault: panic when creating symmetric key without size
  • [PX-1702] - OpenStack host scanning fails with No suitable endpoint could be found in the service catalog
  • [PX-1711] - RDP fails to connect to target in maintenance mode, need support for /admin flag
  • [PX-1762] - RDP clipboard with web container does not work
  • [PX-1798] - Authorizer crash with online license when no internet connectivity
  • [PX-1805] - The first web connection always fails
  • [PX-1809] - Generating keys fails with FIPSed Safenet Luna HSM 6.4 and 7.2
  • [PX-1815] - CJK chars not working for web connections
  • [PX-1827] - Extender/Carrier/Web Proxy configs not migrated on upgrade

v7.4

2019-09-16

PrivX 7.4 is an incremental upgrade over the 7.3 release, introducing security fixes to user sessions. For additional details about security fixes, please contact support at help.ssh.com

Important Notes for this Upgrade

The fixes introduced in this release are also available in PrivX versions 9.0 and later. For additional system stability and the latest features, we recommend upgrading to the latest PrivX instead.

v7.3

2019-06-11

Maintenance release over v7.2, fixes a couple of security issues. For additional details about security fixes, contact support at help.ssh.com

Important upgrade notice

For HA environments, see below for new upgrade instructions. HA deployments have to be upgraded so that you upgrade one server, and then duplicate the rest.

High-Availability-Deployment Upgrade

This section describes the requirements for upgrading a high-availability (HA) PrivX deployment, and gives one procedure by which you can upgrade your HA deployment.

When upgrading a HA PrivX deployment, note the following requirements:

  • PrivX servers must not service any users while their PrivX software is being upgraded.
  • Ensure that PrivX servers never write to PrivX databases with different product versions.

Note

By default, upgrading the PrivX software also upgrades the connected PrivX database.

If you need to postpone the automatic database upgrade, set the environment variable SKIP_POSTINSTALL before upgrading the PrivX software package:

# export SKIP_POSTINSTALL=1

On PrivX servers upgraded like this, you will later need to run postinstall to finalize upgrade:

# /opt/privx/scripts/postinstall.sh

One way to upgrade HA deployments is by performing the operations on a duplicate database. This method allows un-upgraded portions of the deployment to run during the procedure. To upgrade a HA deployment in this way:

  1. Duplicate the PrivX database.
    Upgrade shall be performed against the duplicate database, without modifying the original database.

  2. Upgrade one PrivX server along with the duplicate database:

    1. Disconnect the PrivX server from the load balancer to prevent users from connecting to it.

    2. To prevent database activity, stop the PrivX services:

      # systemctl stop privx

    3. Connect to the duplicate database by providing its connection parameters. You only need to provide those database-connection parameters that differ between the original and the duplicate database.

      • The database-server address and port can be changed in /opt/privx/etc/shared-config.toml, under the [db] section.

      • To change the database name (replace <db_name> with the database name):

      # /opt/privx/bin/keyvault-tool -name db-name -value <db_name> set-passphrase

      • To change the database-user name (replace <db_user> with the database-user name):

      # /opt/privx/bin/keyvault-tool -name db-name -value <db_user> set-passphrase

      • To change the password of the database user (replace <db_pwd> with the password):

      # /opt/privx/bin/keyvault-tool -name db-name -value <db_pwd> set-passphrase

    4. Upgrade the PrivX software and the connected database:

      # yum install PrivX

    5. Reconnect the PrivX server to the load balancer.

  3. Set up additional PrivX servers into your upgraded environment:

    1. Duplicate the setup of the already-upgraded PrivX server. You can do this using the PrivX backup and restore features, described in the PrivX Administrator Manual section 3.4 Backing Up and Restoring PrivX Servers.

    2. Connect the additional PrivX server to the load balancer.

  4. After all the PrivX servers have been upgraded successfully, you should replicate any new data accumulated during the upgrade from the original database to the duplicate database. This completes the upgrade.

You may remove the original database and leftover PrivX servers after successful upgrade.
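The two requirements at the top of this section (no users served during the upgrade, and no mixed-version writes to one database) hinge on step 2.3 actually having redirected the server to the duplicate database before yum install runs. The script below is an added pre-flight guard for that step; it is not PrivX tooling. It reads the [db] section of shared-config.toml and refuses to continue unless the address and port match the duplicate database you expect. The key names address and port under [db] are assumptions about the config format, as is the example hostname dup-db.example.internal; the sample config in the usage note is constructed.

```shell
#!/bin/sh
# Pre-flight guard for upgrading one PrivX HA server against the duplicate DB.
# Added example, not part of PrivX. Run it on the server that has already been
# taken out of the load balancer and stopped, just before "yum install PrivX".
# ASSUMPTION: the [db] section of shared-config.toml uses keys "address" and "port".

# db_target CONFIG: print "address:port" taken from the [db] section of CONFIG.
# Prints nothing if the section or the address key is missing.
db_target() {
  awk '
    # A section header switches in_db on only for [db]; any other header switches it off.
    /^[ \t]*\[/ { in_db = ($0 ~ /^[ \t]*\[db\]/); next }
    !in_db { next }
    /^[ \t]*(address|port)[ \t]*=/ {
      key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]*/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val)
      sub(/[ \t]*#.*/, "", val)      # drop trailing TOML comment
      gsub(/"/, "", val)             # strip quotes around string values
      sub(/[ \t]+$/, "", val)
      v[key] = val
    }
    END { if (v["address"] != "") printf "%s:%s\n", v["address"], v["port"] }
  ' "$1"
}

# preflight CONFIG EXPECTED: succeed (0) only when CONFIG points at EXPECTED,
# i.e. at the duplicate database. Returns 1 on a mismatch (still pointing at the
# original DB) and 2 when no [db] address can be found at all.
preflight() {
  target=$(db_target "$1")
  if [ -z "$target" ]; then
    echo "preflight: no [db] address found in $1" >&2
    return 2
  fi
  if [ "$target" != "$2" ]; then
    echo "preflight: $1 points at $target, expected duplicate DB $2; refusing to upgrade" >&2
    return 1
  fi
  echo "preflight: $1 points at duplicate DB $target"
  return 0
}

# Usage: sh preflight.sh /opt/privx/etc/shared-config.toml dup-db.example.internal:5432
if [ $# -eq 2 ]; then
  preflight "$1" "$2" || exit $?
fi
```

Chain it in front of the upgrade (`sh preflight.sh /opt/privx/etc/shared-config.toml dup-db.example.internal:5432 && yum install PrivX`) so a server still wired to the original database never starts the package upgrade. If you also export SKIP_POSTINSTALL=1 to postpone the database migration, the same check is worth repeating before you later run /opt/privx/scripts/postinstall.sh, since that is the point at which the database is actually written.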

Known issues

  • [PX-92] - In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-370] - SSH options not added to role-based public key
  • [PX-652] - User search not using mapped attributes
  • [PX-757] - User list count is incorrect if limit parameter is used
  • [PX-789] - When DB connection fails status.html does not show the reason
  • [PX-807] - External DB certificate import error in postinstall script
  • [PX-817] - Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [PX-852] - Listing users may time out for directories with more than 100K users
  • [PX-1057] - Cannot parse scoped literal IPv6 addresses
  • [PX-1204] - PrivX Extender is not automatically started on server boot
  • [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1239] - Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
  • [PX-1240] - Set proper ownership and permissions for /var/privx
  • [PX-1325] - Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [PX-1342] - privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [PX-1344] - Possible to establish proxied native-client connections to hosts with session recording
  • [PX-1360] - Role-store sometimes fails to obey the user_cache_refresh_ttl in settings
  • [PX-1502] - postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  • [PX-1524] - Login as yourself with windows cert authentication not working
  • [PX-1531] - PrivX win agent parses backend FQDN name incorrectly for login dialog
    Workaround: Specify the PrivX-server address in IP format.
  • [PX-1533] - Windows Client does not work with system trusted TLS certificate
  • [PX-1574] - monitor-service: audit event searching is broken or lacking
  • [PX-1624] - keyvault: panic when creating symmetric key without size
  • [PX-1636] - Troubleshoot: clients secrets are not masked in keyvault-config.toml
  • [PX-1639] - Host deploy script assumes OpenSSH at port 22
  • [PX-1644] - Host-deployment script should fall back to private addresses if public address is missing

v7.2

2019-05-28

Maintenance release over v7.1, adds Graph-API support for Azure-AD integration.

For additional details about security fixes, contact support at help.ssh.com

Important upgrade notes

After upgrading from PrivX 7.x with HSM integration, old host-deployment scripts will no longer work: you must re-download the script and use that for subsequent host-deployment operations.

Bug fixes and improvements

  • [PX-1778] - Graph API support

Known issues

  • [PX-92] - In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-370] - SSH options not added to role-based public key
  • [PX-652] - User search not using mapped attributes
  • [PX-757] - User list count is incorrect if limit parameter is used
  • [PX-789] - When DB connection fails status.html does not show the reason
  • [PX-807] - External DB certificate import error in postinstall script
  • [PX-817] - Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [PX-852] - Listing users may time out for directories with more than 100K users
  • [PX-1057] - Cannot parse scoped literal IPv6 addresses
  • [PX-1204] - PrivX Extender is not automatically started on server boot
  • [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1239] - Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
  • [PX-1240] - Set proper ownership and permissions for /var/privx
  • [PX-1325] - Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [PX-1342] - privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [PX-1344] - Possible to establish proxied native-client connections to hosts with session recording
  • [PX-1360] - Role-store sometimes fails to obey the user_cache_refresh_ttl in settings
  • [PX-1502] - postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  • [PX-1524] - Login as yourself with windows cert authentication not working
  • [PX-1531] - PrivX win agent parses backend FQDN name incorrectly for login dialog
    Workaround: Specify the PrivX-server address in IP format.
  • [PX-1533] - Windows Client does not work with system trusted TLS certificate
  • [PX-1574] - monitor-service: audit event searching is broken or lacking
  • [PX-1624] - keyvault: panic when creating symmetric key without size
  • [PX-1636] - Troubleshoot: clients secrets are not masked in keyvault-config.toml
  • [PX-1639] - Host deploy script assumes OpenSSH at port 22
  • [PX-1644] - Host-deployment script should fall back to private addresses if public address is missing

v7.1

2019-04-11

Maintenance release for v7.0, fixes a couple of usability issues and security issues.

For additional details about security fixes, contact support at help.ssh.com

Notable Bug fixes and improvements

  • [PX-1675] - Redis password prompt does not accept empty as it should
  • [PX-1676] - Role rules should be empty list instead of missing
  • [PX-1680] - Minor security fix related to PrivX agent on Windows.

Known issues

  • [PX-92] - In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-370] - SSH options not added to role-based public key
  • [PX-652] - User search not using mapped attributes
  • [PX-757] - User list count is incorrect if limit parameter is used
  • [PX-789] - When DB connection fails status.html does not show the reason
  • [PX-807] - External DB certificate import error in postinstall script
  • [PX-817] - Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [PX-852] - Listing users may time out for directories with more than 100K users
  • [PX-1057] - Cannot parse scoped literal IPv6 addresses
  • [PX-1204] - PrivX Extender is not automatically started on server boot
  • [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1239] - Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
  • [PX-1240] - Set proper ownership and permissions for /var/privx
  • [PX-1325] - Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [PX-1342] - privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [PX-1344] - Possible to establish proxied native-client connections to hosts with session recording
  • [PX-1360] - Role-store sometimes fails to obey the user_cache_refresh_ttl in settings
  • [PX-1502] - postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  • [PX-1524] - Login as yourself with windows cert authentication not working
  • [PX-1531] - PrivX win agent parses backend FQDN name incorrectly for login dialog
    Workaround: Specify the PrivX-server address in IP format.
  • [PX-1533] - Windows Client does not work with system trusted TLS certificate
  • [PX-1574] - monitor-service: audit event searching is broken or lacking
  • [PX-1624] - keyvault: panic when creating symmetric key without size
  • [PX-1636] - Troubleshoot: clients secrets are not masked in keyvault-config.toml
  • [PX-1639] - Host deploy script assumes OpenSSH at port 22
  • [PX-1644] - Host-deployment script should fall back to private addresses if public address is missing

v7.0

2019-04-09

New features

  • Support for SafeNet Luna HSM.
    Requires fresh installation.
  • GUI-session expiry by idle period and total time from login.
  • High-availability support for Extenders.
  • New permission for disabling connections to unknown targets (manual connections).
    Manual connections are disabled by default for all regular users.
  • Deployment-page redesign.
  • Direct links to available OIDC-login pages.

Notable Bug fixes and improvements

  • [PX-857] - Rolestore API: able to create a role that breaks the UI
  • [PX-1095] - Backup and restore leaves out Kerberos keytab
  • [PX-1392] - Host-deployment script cannot add hosts with non-ascii FQDNs
  • [PX-1465] - Connection manager search API improvements
  • [PX-1466] - Deployment script download HTTP 400 results in UI crash
  • [PX-1473] - Seeking in an SSH trail playback with Japanese characters produces inconsistent outputs
  • [PX-1481] - Audit events for authorizer OpenSSH/x509 certificate issue do not contain enough information
  • [PX-1504] - Role-store - panics while deleting a role
  • [PX-1518] - Show connection-termination message in the GUI
  • [PX-1528] - Migration tool does not exit on fsvault migration error
  • [PX-1530] - 5.1 -> 6.0 FS vault migration fails to "x509: decryption password incorrect"
  • [PX-1531] - PrivX win agent parses backend FQDN name incorrectly for login dialog
  • [PX-1533] - Windows Client does not work with system trusted TLS certificate
  • [PX-1539] - auth: invalid redirect_uri is used when erroring on invalid redirect_uri
  • [PX-1540] - keyvault: failed to wipe asymmetric db keys from memory
  • [PX-1541] - Do not allow to delete superuser
  • [PX-1546] - rdp: clipboard from client to server does not update after first copy
  • [PX-1547] - unable to use API clients without getting OAuth creds from deploy script
  • [PX-1555] - Current user endpoint, return permissions
  • [PX-1562] - PrivX-Extender package missing from the SSH product repository
  • [PX-1563] - Implement dbvault key delete
  • [PX-1570] - Rolestore does not resolve role names according to specification
  • [PX-1575] - workflow-engine: incorrectly treat api client as user in role store query
  • [PX-1578] - connection-manager: terminate by user-id and host-id broken
  • [PX-1579] - Extender does not work with Azure load balancer
  • [PX-1581] - Setting up additional HA instance using restore.sh does not work
  • [PX-1587] - Server does not limit the max size of user settings
  • [PX-1595] - role-store: ApiVersionLogconfCollectorsIdGet does not check for errors from getCollectorWithId
  • [PX-1598] - Log collectors: 201 when creating collector with the same name
  • [PX-1601] - Remove broken Ansible link
  • [PX-1602] - Local users table init issue on Postgres 10
  • [PX-1603] - Create schema for External DB during installation
  • [PX-1607] - Install script does not ask password for redis
  • [PX-1620] - init_db.sh increases "max_connections" in /var/lib/pgsql/data/postgresql.conf every time init_db.sh is run
  • [PX-1630] - Extender status not updated after configuration
  • [PX-1675] - Redis password prompt does not accept empty as it should

Known issues

  • [PX-92] - In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-370] - SSH options not added to role-based public key
  • [PX-652] - User search not using mapped attributes
  • [PX-757] - User list count is incorrect if limit parameter is used
  • [PX-789] - When DB connection fails status.html does not show the reason
  • [PX-807] - External DB certificate import error in postinstall script
  • [PX-817] - Can not import ECDSA certificate as privx-trust-anchor to replace PrivX TLS CA cert
  • [PX-852] - Listing users may time out for directories with more than 100K users
  • [PX-1057] - Cannot parse scoped literal IPv6 addresses
  • [PX-1204] - PrivX Extender is not automatically started on server boot
  • [PX-1230] - When AWS role federation is enabled, description is shown instead of name in PrivX
    Workaround: Click Refresh on the /privx/deployment/aws-roles page. This associates correct names to AWS roles.
  • [PX-1239] - Directory shows "STATUS OK / X hosts" even when hosts are not added to host store
  • [PX-1240] - Set proper ownership and permissions for /var/privx
  • [PX-1325] - Instance with host tags is not always visible in PrivX after adding an AWS directory
    Workaround: Refresh the AWS directory to detect host-tagged instances.
  • [PX-1342] - privx-agent-unix exits at privx-agent-ctl login if multiple terminals are launched and agent-unix is launched in .bash_profile
  • [PX-1344] - Possible to establish proxied native-client connections to hosts with session recording
  • [PX-1360] - Role-store sometimes fails to obey the user_cache_refresh_ttl in settings
  • [PX-1502] - postinstall does not open HTTP/HTTPS ports on cloud-based RHEL 7.5
  • [PX-1517] - Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
  • [PX-1524] - Login as yourself with windows cert authentication not working
  • [PX-1531] - PrivX win agent parses backend FQDN name incorrectly for login dialog
    Workaround: Specify the PrivX-server address in IP format.
  • [PX-1533] - Windows Client does not work with system trusted TLS certificate
  • [PX-1574] - monitor-service: audit event searching is broken or lacking
  • [PX-1624] - keyvault: panic when creating symmetric key without size
  • [PX-1636] - Troubleshoot: clients secrets are not masked in keyvault-config.toml
  • [PX-1639] - Host deploy script assumes OpenSSH at port 22
  • [PX-1644] - Host-deployment script should fall back to private addresses if public address is missing

v6.1

2019-06-11

Maintenance release over v6.0, fixes a couple of security issues. For additional details about security fixes, contact support at help.ssh.com

Important upgrade notice

For HA environments, see below for new upgrade instructions. HA deployments have to be upgraded so that you upgrade one server, and then duplicate the rest.

High-Availability-Deployment Upgrade

This section describes the requirements for upgrading a high-availability (HA) PrivX deployment, and provides one procedure for doing so.

When upgrading a HA PrivX deployment, note the following requirements:

* PrivX servers must not service any users while their PrivX software is being upgraded.

* Ensure that PrivX servers never write to PrivX databases with different product versions.

Note

By default, upgrading the PrivX software also upgrades the connected PrivX database.

If you need to postpone the automatic database upgrade, set the environment variable SKIP_POSTINSTALL before upgrading the PrivX software package:

# export SKIP_POSTINSTALL=1

On PrivX servers upgraded like this, you will later need to run postinstall to finalize upgrade:

# /opt/privx/scripts/postinstall.sh

One way to upgrade HA deployments is by performing the operations on a duplicate database. This method allows un-upgraded portions of the deployment to run during the procedure. To upgrade a HA deployment in this way:

  1. Duplicate the PrivX database.
    Upgrade shall be performed against the duplicate database, without modifying the original database.

  2. Upgrade one PrivX server along with the duplicate database:

    1. Disconnect the PrivX server from the load balancer to prevent users from connecting to it.

    2. To prevent database activity, stop the PrivX services:

      # systemctl stop privx

    3. Connect to the duplicate database by providing its connection parameters. You only need to provide those database-connection parameters that differ between the original and the duplicate database.

      • The database-server address and port can be changed in /opt/privx/etc/shared-config.toml, under the [db] section.

      • To change the database name (replace <db_name> with the database name):

      # /opt/privx/bin/keyvault-tool -name db-name -value <db_name> set-passphrase

      • To change the database-user name (replace <db_user> with the database-user name):

      # /opt/privx/bin/keyvault-tool -name db-name -value <db_user> set-passphrase

      • To change the password of the database user (replace <db_pwd> with the password):

      # /opt/privx/bin/keyvault-tool -name db-name -value <db_pwd> set-passphrase

    4. Upgrade the PrivX software and the connected database:

      # yum install PrivX

    5. Reconnect the PrivX server to the load balancer.
  3. Set up additional PrivX servers into your upgraded environment:

    1. Duplicate the setup of the already-upgraded PrivX server. You can do this using the PrivX backup and restore features, described in the PrivX Administrator Manual section 3.4 Backing Up and Restoring PrivX Servers.

    2. Connect the additional PrivX server to the load balancer.

  4. After all the PrivX servers have been upgraded successfully, you should replicate any new data accumulated during the upgrade from the original database to the duplicate database. This completes the upgrade.

You may remove the original database and leftover PrivX servers after successful upgrade.

Known issues

  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-370] SSH options are not added to role-based public key
  • [PX-535] Disabling multi-factor authentication takes approximately 1 minute to reflect in the login flow
  • [PX-789] When a database connection fails, status.html does not show the reason
  • [PX-1095] Backup and restore script is missing out Kerberos keytab file
  • [PX-1204] PrivX extender doesn't start automatically on server boot
  • [PX-1473] Seeking in an SSH trail playback with Japanese characters produces inconsistent outputs

v6.0

2019-02-26

Version 6 is mainly an internal improvement release, hence not containing lots of new features.

Upgrade notes

To prevent potential database-connection failures, increase the default Postgres max_connections to 1000 or more before any PrivX-software upgrades.

PrivX agents must be upgraded to version 6. Older PrivX agents are not compatible with the latest PrivX.

    For Unix agents, the start script (added to ~/.profile) must also be updated. The updated script is included in linux-amd64/README.linux

In case offline license is in use, the license should be deactivated before upgrading to version 6.0. After the upgrade, the offline license can be activated again. Normal online licenses are not affected.

The OS temporary folder /tmp must not be used for trail storage. Refer to the PrivX Administrator Manual for instructions about setting up external trail storage.

After upgrade, extenders with invalid names (such as names containing capital letters) will stop working with agents.

After upgrade, PrivX blocks SSH connections to PrivX-server local addresses.

    To enable/disable such connections, modify allow_connect_to_local_addresses in /opt/privx/etc/ssh-proxy.toml

New features

  • Agent support for native SSH clients on Windows

Notable security fixes

  • [PX-1439] - Fixed FreeRDP CVEs (2018 October)
    CVE 2018-8786
    CVE 2018-8787
    CVE 2018-8788
    CVE 2018-8789

Bug fixes and improvements

  • [PX-358] - AD directory: default user filter matches computers and inactive users like Guest account
  • [PX-1148] - ssh-playback: should check if terminal emulator parser is in a keyframeable state
  • [PX-1194] - When creating an extender trusted client the name restrictions aren't communicated to the user
  • [PX-1223] - Directory details does not fit to column if it contains long strings
  • [PX-1227] - Some events does not have a value for "userName"
  • [PX-1236] - ssh-playback: seeking broken on latin1 characters
  • [PX-1237] - Removing workflow deletes approved/denied requests
  • [PX-1248] - Workflow-engine: Audit Event 611 should be removed
  • [PX-1260] - Refreshing user roles fails if DN contains brackets
  • [PX-1264] - Application restrictions fail with usernames with domain part and login-as-self
  • [PX-1273] - Wrong response code (201) when editing log collector
  • [PX-1275] - SSH-PROXY / Session-added(310) and Session-removed(311) audit events are created twice per connection
  • [PX-1303] - Can not login with privx-agent-ctl
  • [PX-1304] - FS vault does not check owner for asymmetric Sign operation
  • [PX-1305] - keyvault: owner not respected on asymmetric private key operations nor symmetric key operations
  • [PX-1321] - keyvault: should filter symmetric keys by search criteria before decrypting key material
  • [PX-1322] - User page lists all recent connections instead of the user's connections
  • [PX-1323] - rdp-proxy: handle missing drive directory on new connection
  • [PX-1340] - Trusted-client TLS anchor displays first cert in ca-chain
  • [PX-1341] - Deleting log collector fails
  • [PX-1345] - Error in postinstall when upgrading PrivX 4 to latest PrivX
  • [PX-1351] - If user has no roles, an error is logged to /var/log/messages
  • [PX-1359] - Postinstall / Upgrade logs contains errors
  • [PX-1387] - Backspace not handled correctly when prompting user input in init_nginx.sh
  • [PX-1454] - keyvault, reduce necessary configuration reading, crash on concurrent map read and map write
  • [PX-1455] - Log collector enabled state doesn't work
  • [PX-1458] - PrivX UI user information is lost in forwarded connection via Extender
  • [PX-1464] - Improve error logging for CFG audit
  • [PX-1475] - authorizer issues OpenSSH certificates without any valid principals if user has no roles
  • [PX-1232] - Move license files from /tmp to /var/privx/nalp/
  • [PX-1257] - keyvault events missing from Monitor service
  • [PX-1258] - AUDIT SERVICE stopped creates TrailOpened event
  • [PX-1259] - 810, 811, 812 events not in use
  • [PX-1461] - Log collector field validation
  • [PX-1301] - Troubleshoot.sh documentation
  • [PX-1132] - Protect & cleanse in-memory sensitive data
  • [PX-1154] - Run postinstall.sh automatically on PrivX update
  • [PX-1438] - Use systemd protection mechanisms in rpm installation
  • [PX-1509] - Weak secret used for DB vault keys/passphrases
  • [PX-1510] - Store encrypted data in authenticated format

Known issues

  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-370] SSH options are not added to role-based public key
  • [PX-535] Disabling multi-factor authentication takes approximately 1 minute to reflect in the login flow
  • [PX-789] When a database connection fails, status.html does not show the reason
  • [PX-1095] Backup and restore script is missing out Kerberos keytab file
  • [PX-1204] PrivX extender doesn't start automatically on server boot
  • [PX-1473] Seeking in an SSH trail playback with Japanese characters produces inconsistent outputs

v5.1

2019-01-29

PrivX 5.1 patches an issue related to Active Directory filters failing on escaped characters, such as the comma (,), backslash (\) and asterisk (*). Users running an earlier version of PrivX should consider upgrading to this release if their AD instance contains and is affected by such escaped characters.

v5.0

2018-12-13

New features

  • Playback controls for audit-session recordings: pause/resume playback, seeking, and full-screen toggle
  • Windows RemoteApp support - Limit RDP user access to specific applications on the target server
  • Single sign-on to PrivX using Google GSuite as the identity provider
  • SSH agent on Mac and Linux now supports temporary access tokens for AWS CLI access
  • Native SSH client traffic can now be routed via PrivX Extenders
  • Send audit events to AWS CloudWatch Events or Azure Event Hubs
  • Set custom titles to the GUI header, for distinguishing between PrivX deployments

Improvements

  • View the current usage of your license quota on hosts configured and audited via the Settings→License page
  • Audit trails can now be periodically checked for integrity
  • Clean up old audit trails by setting the expiry time (default value is -1, indicating that the files never expire) and the frequency of cleanups (default value 24 hrs)
  • View connection history and ongoing connections in the user and host details page
  • An audit event is generated when a CA certificate is about to expire
  • Manually-added hosts are now grouped together into a local-host directory
  • UI enhancements to the Settings→Deployment page

Bug fixes

  • [PX-861] Deploy script places configuration directives at the end of sshd_config, conflicts with match block
  • [PX-974] postinstall.sh with Trusted DB cert gets stuck importing certificates to database
  • [PX-1080] Possible race conditions with file creation and permission setting
  • [PX-1083] Deploy script does not handle missing DNS names or IPv6 addresses
  • [PX-1085] UI: Connection status "timeout" missing from filters
  • [PX-1142] failure in adding a new connection to connmgr or updating one does not cause connection to fail
  • [PX-1145] Azure host scanning explodes with specific public IP configurations
  • [PX-1153] Host-store: Returns "null" for some empty array values causing UI to crash
  • [PX-1169] init_nginx.sh does not update front_end_address in shared_config.toml
  • [PX-1174] Zero-value-tickers panics
  • [PX-1175] Service-version-mismatch checks not handled correctly
  • [PX-1176] Misleading error messages when TLS is disabled from RDP server
  • [PX-1177] Disabling source does not update host counter
  • [PX-1181] RDP certificate creation audit event missing certificate serial number
  • [PX-1183] privx-agent-unix hangs forever if PrivX server is not reachable
  • [PX-1186] Unable to install PrivX on CentOS 7.5
  • [PX-1189] Agent public key authentication does not work with new OpenSSH versions
  • [PX-1191] Deployment script in standalone mode adds host to privx directory ‘Untitled’
  • [PX-1196] Directories: Error when adding OpenStack V3 directory
  • [PX-1199] Workflow gives 500 database internal error on home page for local normal user
  • [PX-1221] PrivX 4.0 stores audit trails in /tmp/privx/audit folder. Migrate the location to /var/privx/audit during upgrade.

Known issues

  • [PX-789] When a database connection fails, status.html does not show the reason
  • [PX-535] Disabling multi-factor authentication takes approximately 1 minute to reflect in the login flow
  • [PX-370] SSH options are not added to role-based public key
  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-1095] Backup and restore script is missing out Kerberos keytab file
  • [PX-1146] It's not possible to use same attribute mapping source for multiple values

v4.0

2018-11-01

New features

  • Session recording and playback. Read more about it from the Administrator Manual.
    • Privx can record SSH and RDP sessions. Administrators can later replay these recordings for auditing purposes.
    • Trails are encrypted by PrivX.
    • Encrypted trail data should be saved on an external NFS share configured by PrivX Administrators.
  • View global audit events from Monitor→Events.
  • Enable Single Sign On to PrivX using your preferred OpenID Connect provider such as Okta, AWS Cognito and UbiSecure.
  • Connect to target hosts in your virtual private cloud (VPC) using PrivX Extender component, available as a separate download. For detailed instructions, please check the Administrator Manual.
    Note: PrivX Extender support for HA deployments will be added in future releases.
  • As an administrator, grant or revoke users' role memberships immediately without approval workflows.

Upgrade notes

For any PrivX deployments using Azure host directories prior to this release, you must delete and re-add the Azure directory to PrivX after upgrade.

Improvements

  • [PX-1036] Performance optimization for the web-UI-based SSH Terminal, especially on IE 11
  • [PX-1038] Better support for LDAP directories
    • PrivX works with directory servers that do not allow searching by entryDN.
    • LDAP directory type now supports mixed case usernames.
      Note: If your LDAP directory uses non-default attributes, ensure that they are set correctly in PrivX. If you use AD, please set the directory type to be AD and not LDAP.
  • [PX-858] Support for multiple PostgreSQL versions. PrivX verified to work with versions 9.2, 9.3, 9.6 and 10.5.
  • [PX-930] Changes to services on cloud hosts tagged by services or principals are now reflected in PrivX.
  • [PX-602] You can now modify services and principals for manually-added hosts. Those added by scanning cannot be modified via PrivX UI.
  • [PX-602] Host search is now optimized and fine-tuned to reduce false positives.
  • [PX-615] Hosts tab no longer displays hosts from disabled directories.
  • [PX-976], [PX-984] Better handling of host-store database by the migration tool during installation and upgrade.
  • [PX-550] Backup script now works on installations with non-default database name.
  • [PX-862] Search highlighter on/off toggle in PrivX UI now works as expected.
  • [PX-998] All PrivX micro-services now exit on the command 'service privx stop'.
  • [PX-970] Robust handling of PrivX license activation and refresh operations.
  • [PX-1020] Access token is periodically rechecked after a manual connection has been established.
  • [PX-1037] When host deployment fails, deployment script now exits with error.
  • [PX-1041] Fixed an issue in Edge browser where the first entered character after focusing in the SSH terminal is lost.
  • [PX-1053] Fixed the existing services to be present when there is no contact address present in the directory setting.
  • [PX-1070] Host update checks added to login-as-self feature.
  • [PX-1066] Clipboard for RDP connections now works as expected on Firefox.

Known issues

  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded.
  • [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work.
    Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection.
  • [PX-342] Once an offline-license request activation certificate is generated, it is not possible to generate another one until the current certificate is submitted.
  • [PX-370] SSH options are not added to role-based public key.
  • [PX-535] Disabling multi-factor authentication takes approximately 1 minute to reflect in the login flow.
  • [PX-789] When db connection fails status.html does not show the reason.
  • [PX-861] Deployment script places configuration directives at the end of sshd_config. These may be overridden by existing match blocks in the SSH-server configuration.
    Known workarounds: After running the deployment script, move the PrivX configuration directives above other match blocks, then restart the SSH server.
  • [PX-1092] Due to a recent change in Firefox version 63 on handling text overflow (Bug 1484587), long text spills over table cell borders in PrivX UI.
  • [PX-1146] Not possible to use same attribute mapping source for multiple values.

v3.0

2018-09-18

New features

  • Get started easily on first use with a guided tutorial
  • Automatically scan tagged cloud hosts and add them to PrivX
  • Improved auto-discovery of Microsoft Azure hosts
  • View hosts accessible by a specific role from its context menu → List access option
  • View the current status of the configured hosts under Settings → Hosts
  • Sort files in the File Transfer view by Name, Permissions, Modified date or Size
  • Option to refresh the user or host directories from the respective context menus under Settings → Directories
  • Simplified UI for managing directories for users and hosts
  • PrivX user now sees a persistent message when an admin terminates the user's ongoing connection

Security updates

  • Randomize keyvault client ID and passphrase on installation and client passphrases on upgrade
  • Ensure that database certificates are both valid and issued by a trusted CA

Other fixes

  • [PX-114] - Accented characters not working for RDP.
  • [PX-297] - Too many hostnames in the system breaks certificate generation in init_db.sh
  • [PX-549] - authorize token invalid after auth restart, prevents login
  • [PX-557] - Users list is sorted differently when refreshing page
  • [PX-596] - Trying to log in with a user which is valid on the AD but not known by role store errors out
  • [PX-631] - Restore script breaks upgrade path
  • [PX-650] - SSH proxy command line argument parsing broken
  • [PX-651] - SSH proxy does not allow connections without connection manager even if in standalone mode
  • [PX-665] - DELETE key not working in SSH terminal with IE11 Windows
  • [PX-677] - New User: Colons can be added to username even though it says they are not allowed
  • [PX-694] - PrivX reports max hosts exceeded error when unable to reach license server
  • [PX-699] - Disabling TTY for a user from sshd_config results in an error in PrivX SSH terminal
  • [PX-700] - Role query validation incorrectly accepts broken queries
  • [PX-729] - Role based access not working as instructed in the manual/UI
  • [PX-730] - RDP connection fails if the Windows target host auto-rotated its host certificate
  • [PX-742] - TLS encrypted SMTP connection from PrivX does not work
  • [PX-746] - Pagination fails for monitor service
  • [PX-749] - Monitor service fails to fetch audit events
  • [PX-751] - Audit events search should Ignore keys
  • [PX-758] - postinstall.sh fails after offline installation of privx
  • [PX-760] - Check file download filename encoding in http header
  • [PX-762] - Userstore user fetch with limit fails
  • [PX-779] - SSH-Proxy: NewSshProxy() method returns error as "nil" when it cannot read the key
  • [PX-793] - keyvault: Get[As|S]ymmetricBy[Name|Owner] does not check for exact match
  • [PX-794] - Nil pointer deference in rolestore crashes the service periodically
  • [PX-796] - backup/restore handles db server certificate incorrectly
  • [PX-801] - SSH connections disconnects at 60sec idle
  • [PX-803] - keyvault rest client does not return keyvault.NotFound errors
  • [PX-805] - Services panic if DB dies
  • [PX-807] - External DB certificate import error in postinstall script
  • [PX-814] - "Failed to import certificate to database" in postinstall output
  • [PX-815] - Field "key_name" is missing from Postgres certificates table
  • [PX-818] - Rolestore drops user directory refresh timers on create/edit
  • [PX-833] - Editing a single directory causes other cloud directories to scan hosts
  • [PX-839] - Restore script breaks pg_hba.conf
  • [PX-840] - Connection manager panics if channel is already closed
  • [PX-848] - Role members not listing all members (max 25)

Known issues

  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
    Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
  • [PX-342] Once an offline request activation certificate is generated, it is not possible to generate another one until the current certificate is submitted
  • [PX-370] SSH options are not added to role-based public key
  • [PX-535] Disabling multi-factor authentication takes approximately 1 minute to reflect in the login flow
  • [PX-615] Hosts page shows hosts from disabled directories
  • [PX-789] When db connection fails status.html does not show the reason
  • [PX-858] init_db.sh script does not support Postgres9.3
  • [PX-861] Deployment script places configuration directives at the end of sshd_config. These may be overridden by existing match blocks in the SSH-server configuration.
    Known workarounds: After running the deployment script, move the PrivX configuration directives above other match blocks, then restart the SSH server.
  • [PX-862] Search highlighter on/off in the PrivX help UI doesn't work

v2.4.1

2018-08-15

This is a security hotfix on the released version 2.4. It addresses a security vulnerability in the role-based access control functionality of the product.

To know if your environment has been compromised by this vulnerability, please download the script linked below and run it on the PrivX server as an admin:

# wget https://info.ssh.com/hubfs/ssh_public_assets/support/px708.py

# ./px708.py

Your environment is OK if you see the following message:

No evidence of signing with CA keys found.

Your environment has been compromised if you see the following message:

PrivX CA key has been used in a non-standard request. System integrity is at risk, please investigate further using events printed above.

If your environment has been compromised, replace the PrivX CA keys immediately according to instructions Rotating the PrivX CA Keys in the Online Administrator Manual.

v2.4

2018-07-04

New features

  • As an admin, view past and ongoing connections, and terminate ongoing connections
  • Directory users in PrivX can now be configured to authenticate using OpenID Connect
  • GPG-signed RPM repository available to install and upgrade to the latest PrivX software

Fixes

  • [PX-74] Improved SSH/RDP disconnect visual indication
  • [PX-507] Changed PrivX Certificate to PrivX CA key
  • [PX-513] Setup logs now include installation and PSQL error logs
  • [PX-588] Corrected count returned by host searches
  • [PX-612] Fixed an issue where workflows accepted invalid data for steps

Known issues

  • [PX-87] PrivX uses its loopback interface for login to localhost.
  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
    Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
  • [PX-114] RDP connections do not support accented characters
  • [PX-297] Too many hostnames in the system breaks certificate generation in init_db.sh
  • [PX-342] Once an offline request activation certificate is generated, it is not possible to generate another one until the current certificate is submitted
  • [PX-370] SSH options are not added to role-based public key
  • [PX-386] "backup.sh --help" just runs backup (instead of displaying help)
  • [PX-535] Disabling multifactor authentication does not immediately prevent users from logging in using MFA
  • [PX-557] User entries on Users and Roles pages are not sorted correctly
  • [PX-625] END/HOME keys do not scroll to the end/start of the file in the SSH terminal GUI
  • [PX-627] Unable to type pipe on Edge browser in Windows 10 using the SSH terminal GUI

v2.3.1

2018-06-07

PrivX 2.3.1 patches a few issues related to Kerberos and LDAP authentication. Users running PrivX 2.3 should consider upgrading to this release under the following circumstances:

  • You use Kerberos authentication to access PrivX
  • You have had trouble with PrivX LDAP configuration.

Fixes

  • [PX-543] Kerberos now works for directory users with differing User Principal Name and sAMAccountName
  • [PX-551] Fixed an issue where some LDAP queries were not interpreted correctly
  • Fixed a memory leak that caused memory consumption to exceed recommended specs under expected loads

v2.3

2018-05-31

This update breaks upgrade compatibility. Please re-install PrivX if you are running an older version of the software.

New features

  • Support for login with personal accounts: You may now allow PrivX users to access their personal accounts. Access is granted in a role-based manner, without having to specify principals for individual target accounts.
  • Kerberos SSO support for PrivX login. Users with valid Kerberos tickets may now log into PrivX without having to specify their credentials again.
  • Support for scanning Azure hosts.

Fixes

  • [PX-195] File transfer is terminated gracefully when target disk runs out of space
  • [PX-292] Fixed an issue where roles were created without public keys
  • [PX-405] Resolved access requests can no longer be deleted
  • [PX-417] Corrected email behavior where multiple approvers have no email address
  • [PX-419] Users page now displays user principals instead of names
  • [PX-423] Default LDAPS port changed to 636
  • [PX-462] Fixed an issue where installing a new license always resulted in the host limit being exceeded
  • [PX-489] Regular local users can no longer change passwords for superuser accounts via the PrivX API
  • [PX-517] Parentheses in LDAP search filters are now handled correctly

Known issues

  • [PX-87] PrivX uses its loopback interface for login to localhost
  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
    Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
  • [PX-114] RDP connections do not support accented characters
  • [PX-297] Too many hostnames in the system breaks certificate generation in init_db.sh
  • [PX-342] Once an offline request activation/deactivation certificate is generated, there is no way to abort the activation/deactivation process
  • [PX-370] SSH options are not added to role-based public key
  • [PX-386] "backup.sh --help" just runs backup (instead of displaying help)

v2.2

2018-04-24

PrivX shared configuration is not automatically preserved in upgrades from 2.0 or 2.1. You must manually back up and restore the shared configuration during upgrade from these versions.

To upgrade while preserving shared configurations, perform the following:

  1. Stop the PrivX service on all PrivX servers: # systemctl stop privxoam

  2. Back up the shared configuration to a safe location on all PrivX servers:
    # cp /opt/privx/etc/shared-config.toml /opt/privx/etc/shared-config.toml_old

  3. Install the new PrivX RPM on all PrivX servers: # yum install -y PrivX-OAM-*.rpm

  4. Restore the shared configuration on all PrivX servers:
    # cp /opt/privx/etc/shared-config.toml_old /opt/privx/etc/shared-config.toml

  5. Run the post-installation script on all PrivX servers:
    # /opt/privx/scripts/postinstall.sh

  6. If you are running a multiple-server deployment, migrate the database once: # /opt/privx/bin/migration-tool -migrate-services-only
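
The steps above are easy to get wrong on a multi-server upgrade (a restore run before the backup exists, or a backup that was overwritten between steps). The following is an added example, not a script shipped with PrivX: it wraps steps 1 to 5 in shell functions so that the restore refuses to proceed unless the backup is present and still matches the SHA-256 digest recorded when it was taken. The paths are the ones given in the steps; PRIVX_ETC and RUN are hypothetical overrides so the functions can be exercised against a scratch directory without root or the PrivX RPM.

```shell
#!/bin/sh
# Added example (not from the PrivX release notes). Preserve
# /opt/privx/etc/shared-config.toml across the v2.2 upgrade with an
# integrity check on the backup. PRIVX_ETC (hypothetical) overrides the
# config directory for testing; RUN (hypothetical) prefixes privileged
# commands, e.g. RUN=echo to dry-run.
PRIVX_ETC="${PRIVX_ETC:-/opt/privx/etc}"

file_sha256() {
    # Print the SHA-256 digest of a file with whichever tool is available.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

backup_shared_config() {
    # Step 2: copy shared-config.toml aside and record its digest.
    src="$PRIVX_ETC/shared-config.toml"
    dst="$PRIVX_ETC/shared-config.toml_old"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    cp "$src" "$dst" || return 1
    file_sha256 "$src" > "$dst.sha256"
}

restore_shared_config() {
    # Step 4: put the saved configuration back, but only if the backup
    # exists and still matches the digest recorded at backup time.
    src="$PRIVX_ETC/shared-config.toml_old"
    dst="$PRIVX_ETC/shared-config.toml"
    [ -f "$src" ] || { echo "no backup at $src" >&2; return 1; }
    [ -f "$src.sha256" ] || { echo "no digest recorded for $src" >&2; return 1; }
    [ "$(file_sha256 "$src")" = "$(cat "$src.sha256")" ] || {
        echo "backup $src does not match its recorded digest" >&2
        return 1
    }
    cp "$src" "$dst"
}

upgrade_preserving_shared_config() {
    # Steps 1-5 on one server, in order; each step must succeed before the
    # next runs. Step 6 (migration-tool) is run once per deployment, not
    # per server, so it is deliberately left out of this function.
    RUN="${RUN:-}"
    $RUN systemctl stop privxoam || return 1
    backup_shared_config || return 1
    $RUN yum install -y PrivX-OAM-*.rpm || return 1
    restore_shared_config || return 1
    $RUN /opt/privx/scripts/postinstall.sh
}
```

Run the sequence on each PrivX server with `upgrade_preserving_shared_config`, then run the migration-tool step once if the deployment has multiple servers. Keeping the digest beside the backup means a server whose backup was disturbed between steps 2 and 4 stops with an error instead of silently starting with a wrong shared configuration.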

Other customisations to PrivX configurations are automatically preserved through the upgrade.

New features

  • Support for native clients for SSH on Linux & Mac
  • Software update notification in the admin UI when a new PrivX version available for download
  • Passwordless RDP login with an ephemeral certificate
  • Users' connection history and settings persisted between browsers and computers
  • Font size selection to SSH terminal
  • Display enabled features against a license code in the UI
  • Support for offline license activation
  • Possibility to deactivate license

Fixes

  • [PX-89] Restore script does not restore deleted directories
  • [PX-103] Workflow not updated when role is removed
  • [PX-104] Workflow steps can be approved out of order
  • [PX-100] Editing copied text on clipboard deletes newlines
  • [PX-110] Test mail not sent on "Test SMTP settings" when email notifications option is disabled
  • [PX-192] Resizing RDP window too often stops the session from working
  • [PX-196] In rare cases PrivX shared drive disappears from Windows file explorer after changing terminal settings
  • [PX-248] Host count is not updated correctly in HA deployments
  • [PX-411] Auth: MFA step can be bypassed

Known issues

  • [PX-87] PrivX uses its loopback interface for login to localhost
  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
    Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
  • [PX-114] RDP connections do not support accented characters
  • [PX-297] Too many hostnames in the system breaks certificate generation in init_db.sh
  • [PX-342] Once an offline request activation/deactivation certificate is generated, there is no way to abort the activation/deactivation process
  • [PX-370] SSH options are not added to role-based public key
  • [PX-386] "backup.sh --help" just runs backup (instead of displaying help)
  • [PX-388] After upgrade from 2.1 to 2.2 the TLS trust anchor on the trusted clients page does not contain sha1/sha256 fingerprints

v2.1

2018-03-19

New features

  • PrivX now manages license subscriptions online
    • New licenses are automatically installed to your PrivX deployment after you update your subscription
    • Note that Internet connectivity is required to activate/update trials and commercial subscriptions
  • Analytics about the environment where PrivX is installed are collected to understand usage patterns and improve the product
    • The data sent is anonymous
    • Data includes operating system, CPU, memory, device name, geographic location and the version of PrivX
    • You may opt out from sending analytics at any time
    • Note that Internet connectivity is required for sending analytics
  • Utility script troubleshoot.sh automatically generates troubleshooting data of your PrivX deployment
    • Eases troubleshooting: run this script and attach the archive to your support tickets
    • Gathers system configuration into a tar archive

Fixes

  • [56033] It is no longer possible to delete directories that are already used in role configurations
  • [56714, PX-85] Connections are terminated once the user's GUI session or required role memberships expire
  • [56733] SSH Client correctly re-evaluates the available authentication methods for each authentication attempt
  • [57557] Host-deployment script deploy.py automatically restarts OpenSSH server on Ubuntu and Debian
  • [57728] Not a bug: Role extensions are no longer configurable
  • [57776] Fixed removing user from role members

Known issues

  • [PX-87] PrivX uses its loopback interface for login to localhost
  • [PX-88] PrivX file transfer does not allow uploading folders
  • [PX-89] restore script does not restore deleted directories
  • [PX-92] In situations where multiple administrators edit the same setting(s), the latest edit is applied and previous edits are discarded
  • [PX-93] PrivX does not receive updated system trust anchors until PrivX is restarted
  • [PX-94] Sometimes when reconnecting with RDP, the RDP clipboard does not work
    Known workarounds: Over the RDP connection, log out from the target host (instead of just closing the connection), then retry the connection
  • [PX-100] Editing copied text on clipboard deletes newlines
  • [PX-104] Workflow steps can be approved out of order
  • [PX-110] Test mail not sent on "Test SMTP settings" when email notifications option is disabled
  • [PX-112] Requests cannot be used to remove roles granted via rules
  • [PX-114] RDP connections do not support accented characters
  • [PX-178] Membership with floating time window starts from the approval, not from initial login
  • [PX-192] Resizing RDP window too often stops the session from working
  • [PX-196] In rare cases PrivX shared drive disappears from Windows file explorer after changing terminal settings
  • [PX-248] Host count is not updated correctly in HA deployments