Release Notes for This Release
36.2
2024-12-10
36.2 is an incremental release with stability fixes. You can upgrade from 36.2 to the upcoming LTS version (whereas you cannot from 37.0).
Important Notes for this Release
v36.2 Retaining SID extensions in RDP-certificate authentication
In PrivX 36.0 and 36.1, RDP certificates issued by PrivX for authentication contain the SID extension by default. Some legacy use cases in some customers' environments were interrupted because of missing or mismatching SID values. In PrivX 36.2, PrivX supports a setting to control whether the SID extension is included in RDP certificates.
If you are upgrading from 36.0 or 36.1 and want to keep your existing default settings for RDP certificates, you will need to perform additional configuration. You can perform this configuration either before or after upgrading to 36.2:
Option 1: Configure before upgrade
Configuring before upgrade allows RDP certificate authentication to work throughout the upgrade process.
Gain root terminal access to any PrivX Server, and add the following lines right after the AUTHORIZER.logging section in /opt/privx/etc/settings-default-config.toml:
[AUTHORIZER.ca_settings]
rdp_x509_include_sid = true
Apply the new settings with:
sudo /opt/privx/bin/settings-tool -command migrate
RDP-certificate authentication will work as normal throughout the upgrade process.
Option 2: Configure after upgrade
If you choose to configure after upgrade, RDP certificate authentication will not work until the following configuration is done.
After upgrade to 36.2, go to Administration→Settings→Authorizer, then under CA Options, enable the setting Add Security ID extension to RDP X.509 certificates.
Save your changes. RDP-certificate authentication should function normally again.
Bug Fixes
[PX-7121] auth: OIDC provider client config does not get synced between nodes
[PX-7192] A setting to control including SID extension in RDP X.509 certificates
[PX-7263] UI banner for user license related grace period is not shown
[PX-7265] Custom attribute mapping for AD only works in lowercase
[PX-7280] Old audit events are prematurely housekept on upgrade
36.1.1
2024-10-11
This minor release fixes the Carrier browser images (firefox, firefox_lite). The upgrade involves downloading the new browser images and tagging them to match the current PrivX Carrier version.
This example shows how to upgrade the Firefox Lite container image on PrivX Carrier 36.1:
docker pull public.ecr.aws/sshprivx/privx_browser_firefox_lite:36.1.1
docker tag public.ecr.aws/sshprivx/privx_browser_firefox_lite:36.1.1 public.ecr.aws/sshprivx/privx_browser_firefox_lite:36.1
36.1
2024-09-30
36.1 is an incremental release with stability fixes.
Bug Fixes
[PX-7064] RDP-Bastion connections fail occasionally due to /tmp folder permission error.
36.0
2024-09-02
36.0 is a major release with new features.
After this release, we provide security and stability fixes for PrivX 36.x, 35.x, and 34.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.
Supported upgrade paths to this release are:
- Upgrade with downtime: 33.x, 34.x, 35.x
- Zero-downtime upgrade: 35.x
Important Notes for This Release
UEBA-Server upgrade required
If you are using UEBA Server from PrivX version 35 or earlier, you must upgrade the UEBA Server as follows:
- Before PrivX upgrade, disable UEBA Server.
- After PrivX upgrade, download and run the UEBA-Server install script. Doing this upgrades and restarts UEBA services.
Upgrade not supported with old PostgreSQL versions
You cannot upgrade to PrivX 35 or 36 if your PrivX deployment uses PostgreSQL version 10 or earlier. You must upgrade the PrivX database to PostgreSQL version 11.x or later before upgrading PrivX.
Note that PostgreSQL 11 has already reached EOL and PrivX support for it will be dropped soon, so we recommend upgrading to at least PostgreSQL 12.x or later.
If postinstall.sh fails to correctly determine your PostgreSQL version during upgrade, see this guide for troubleshooting.
API Endpoint GET /role-store/api/v1/roles Breaking Changes
Starting from PrivX version 36, the API endpoint GET /role-store/api/v1/roles uses a default limit=50 and enforces a maximum allowed limit=1000.
Due to these changes, API clients can no longer rely on fetching all roles with one API call. Clients are required to make multiple API calls with an explicit limit and an increasing offset until all roles, as indicated by the API response's count property, have been fetched.
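The pagination loop described above, as an added example (not PrivX's own code or SDK): the HTTP request is replaced by a constructed in-memory stand-in that applies the documented default and maximum limits, and the `items` response key is an assumption.

```python
"""Fetch all roles from a paginated GET /role-store/api/v1/roles.

Added example, not part of the PrivX release notes or SDK. The real HTTP call
is replaced by fake_roles_endpoint(), a constructed stand-in that mimics the
PrivX 36 paging rules (default limit 50, maximum limit 1000, `count` in the
response). The `items` key for the page contents is an assumption.
"""
from typing import Callable, Dict, List

DEFAULT_LIMIT = 50   # server default from PrivX 36 onward
MAX_LIMIT = 1000     # server-enforced maximum

# Constructed sample data standing in for the role store (1234 roles).
SAMPLE_ROLES: List[Dict] = [{"id": f"role-{i:04d}", "name": f"Role {i}"} for i in range(1234)]


def fake_roles_endpoint(limit: int = DEFAULT_LIMIT, offset: int = 0) -> Dict:
    """Stand-in for the endpoint: clamps the limit and reports the total count."""
    effective = min(max(limit, 1), MAX_LIMIT)   # enforce the maximum allowed limit
    page = SAMPLE_ROLES[offset:offset + effective]
    return {"count": len(SAMPLE_ROLES), "items": page}


def fetch_all_roles(get_page: Callable[..., Dict], limit: int = MAX_LIMIT) -> List[Dict]:
    """Page through the endpoint until `count` roles have been collected."""
    roles: List[Dict] = []
    offset = 0
    while True:
        resp = get_page(limit=limit, offset=offset)
        items = resp["items"]
        roles.extend(items)
        # Stop once everything reported by `count` is in hand, or when the server
        # returns an empty page (guards against a role set that shrinks mid-iteration).
        if len(roles) >= resp["count"] or not items:
            break
        # Advance by what was actually returned, not by the requested limit:
        # a request for more than 1000 is silently clamped by the server.
        offset += len(items)
    return roles


def main():
    all_roles = fetch_all_roles(fake_roles_endpoint)
    print(f"fetched {len(all_roles)} roles")
    # A client still expecting one call to return everything now gets only the default page:
    print(f"single default call returned {len(fake_roles_endpoint()['items'])} roles")


if __name__ == "__main__":
    main()
```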
Increased upgrade duration
Upgrading to this version may take somewhat longer, especially in environments with many hosts and principals.
Deprecation Warnings
Pure whitespace names will be disallowed in PrivX 37
PrivX 36 and earlier allowed item names consisting of one or more spaces. Such names will be disallowed in PrivX 37 and later. We recommend you check your environment and rename any such items to names containing actual characters.
Pure whitespace names were allowed in:
- Hosts
- Network Targets
- Directories
- Workflows
- Cloud Log Collectors
- External Token Providers
- Identity Provider Clients
- Target Domains
From PrivX 37 onward, items named with spaces only will continue to function. However, you will be unable to edit and save such items unless their names are also changed to something valid.
agent-proxy Deprecation Imminent
The agent-proxy functionality shall be removed in PrivX versions 38 and later.
The agent-proxy functionality allowed SSH clients using privx-agent to connect to Extender targets through ssh-proxy. In recent PrivX versions, you can instead use native SSH clients via SSH Bastion, as described here.
CentOS/RHEL 7 support Ended
CentOS 7 and RHEL 7 are no longer supported as PrivX platforms. If you are running PrivX on CentOS 7 or RHEL 7, see Migrate from EOL Operating Systems.
Amazon Linux 2 support Ending
PrivX aims to end installation support for Amazon Linux 2 by June 2025. See Migrate from EOL Operating Systems to migrate to a supported OS.
PostgreSQL 11.x Support Ending
PostgreSQL 11.x reached end of life in Nov. 2023, and official support for this version will end in a future release.
SHA-1-Certificate End of Support Imminent
Support for certificates signed with SHA-1 shall be dropped in future PrivX releases.
By default, PrivX will not trust certificates with SHA-1 signatures unless they are self-signed. Re-enabling trust for such certificates requires setting the GODEBUG=x509sha1=1 environment variable for PrivX microservices and tools.
Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
New Features
- [PX-6698] - Windows RDP certificate authentication support in Full-Enforcement domains
- [PX-6886] - Allow user to copy text in disconnected ssh-proxy sessions
- [PX-6922] - Windows local account password rotation supports hosts behind PrivX Extenders
- [PX-6940] - Domain password login supports Tectia server
Improvements
- [PX-5797] - PrivX does not need precompiled python anymore, upgrade will remove /opt/py folder.
- [PX-6880] - Clearer error messages at AD account login failure.
- [PX-6923] - RDP connections over Extender are more latency resistant.
- [PX-6972] - Upgraded UEBA dependencies with new images
- [PX-6745] - pkcs11vault: support splitting AES/GCM inputs in chunks for AWS CloudHSM
Bug Fixes
- [PX-6863] - OU field in access group CA certificate should be less than 64 chars
- [PX-6889] - Disabled target domain causes false scanning errors
- [PX-6902] - PrivX may mistake saved ssh target host keys as new keys
- [PX-6909] - Removed accounts in target domain should not be convertible to a managed account.
- [PX-6916] - Logconf collectors endpoint logs are too spammy.
- [PX-6929] - Incorrect error logs when target domain is deleted
- [PX-6931] - secrets-manager events are not sent to cloud log collectors
- [PX-6938] - "Add Passkey" button is shown to user who doesn't have permission to see it.
- [PX-6939] - User with privx-admin role only cannot add passkey.
- [PX-6946] - Directory user with TOTP MFA enabled can't login into PrivX in restricted mode
- [PX-6947] - Managed account status in a domain is sometimes incorrect
- [PX-6950] - Saving expired certificate for access group should not be allowed.
- [PX-6957] - In target domain, account sorting on some columns malfunctions
- [PX-6962] - Directory one-to-many custom attribute mapping does not work
- [PX-6968] - Script templates with empty names shouldn't be allowed to save
- [PX-6985] - Role request rejection from one approver does not finalize the rejection.
- [PX-6988] - Workflow created via API without specifying max_active_requests does not work
- [PX-6999] - connection_permissions table is not cleaned up when connections are removed
- [PX-7025] - Scanned accounts status may be incorrect when multiple target domains point to the same AD endpoint
- [PX-7033] - Unable to add or modify hosts via UI with host-manage and host-view permissions
- [PX-7066] - Target domain disabled scanning affects managed accounts' rotation
Known Issues
[PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI
- Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:
# scp -i key.pem principals_command.sh user@target:/tmp/
# ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"
[PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag
[PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade
[PX-1875] Web proxy login does not work if the login page makes requests to multiple domains
[PX-2947] No sound when viewing recorded rdp-mitm connection.
[PX-3086] PrivX role mapping to AD OU not working as expected.
[PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender
[PX-3887] RDP connection to Remote Desktop Server (RDS) Farm is not supported.
[PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account
[PX-4352] UI shows deleted local user after delete
[PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.
- Workaround: Restart affected Carrier and Web-Proxy services.
[PX-4662] Pasting larger amounts of text in Carrier/Proxy hosts fails (limited to 16 kB for now)
[PX-4689] PrivX Linux Agent leaving folders in /tmp
[PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.
[PX-5558] PrivX does not support password change required option for user in auth flow via passkey.
[PX-6809] Local-account password rotation does not support Windows Server behind PrivX Extenders.
[PX-6989] It is possible to save names consisting only of space characters in several places in PrivX
- Note: This will be disabled in PrivX versions 37 and later. For more information about this issue, see Deprecation Warnings.
Notable API Changes
Secrets Manager API
- New optional string property domain_name has been added to the target domain object. This property specifies the Windows domain name when using the legacy username format (DOMAIN\USER) instead of the UPN format in the host account configuration.
- New optional property sam_account_name has been added to the managed account object. This property is a prerequisite for using the legacy username format with this managed account.
- New boolean property disable_rdp_cert_auth has been added to the managed account object. This property disables RDP certificate authentication for this target domain user, causing RDP login to fall back to password authentication.
Local User Store API
New optional object array property attributes has been added to the local user object. PrivX uses these attributes for role mapping and host principal username selection in a similar way to how AD user attributes are used.
NOTE: Local user attributes can be modified with the users-manage API permission. As a consequence, an admin user with the users-manage API permission is able to influence which roles are implicitly mapped for local users. This affects only those roles that have mapping rules targeting users in the local user directory.