
Release Notes for This Release

41.0

2025-09-04

PrivX 41.0 is a major release that adds many new features, such as auto-approval workflow steps, the nftables router type, and expanded feature support for FIPS-approved mode of operation.

After this release, we provide security and stability fixes for PrivX 41.x, 40.x, and 39.x. Older versions are not officially supported. We recommend you upgrade as soon as you can if you are running an unsupported version.

Supported upgrade paths to this release are:

  • Upgrade with downtime: 38.x, 39.x, 40.x
  • Zero-downtime upgrade: 40.x

The latest PrivX LTS version is v36, which can be obtained here.

Important Notes for This Release

License required for FIPS mode (since v41)

From v41 and later, PrivX requires a license for enabling FIPS mode: If you are running PrivX v40 in FIPS mode, ensure that your license allows FIPS before upgrading to v41 or later.

New PrivX documentation website (since v41)

We have renewed the look and feel of the PrivX documentation at https://privx.docs.ssh.com/. We have also made some improvements to the doc search, which should return more relevant results than the previous site.

v41 Extenders not backwards-compatible

Due to an Extender protocol change, v41 PrivX Extenders can't be used with prior PrivX versions. However, older PrivX-Extender versions will still work with PrivX v41.

Switch to discoverable passkeys (since v39)

From PrivX v39 and later, any passkeys added to PrivX will be discoverable. When choosing to log in using a passkey, you may select from any credentials you've registered.

Note that any passkeys added in v38 and earlier are undiscoverable, and support for undiscoverable passkeys will be discontinued in a future release: If you have added passkeys in v38 or earlier, re-add those in v39 to ensure continued functioning.

For more information about setting up passkey login, see Passkey Login.

Deprecation Warnings

SHA-1 certificates no longer supported

Support for certificates signed with SHA-1 has been dropped in PrivX v41. PrivX no longer supports re-enabling trust for such certificates with GODEBUG variables.

Practical attacks against SHA-1 were demonstrated in 2017, and publicly trusted Certificate Authorities have not issued SHA-1 certificates since 2015.

Kubernetes 1.23 required from PrivX v42

Kubernetes deployments of the upcoming PrivX 42 and later will require Kubernetes version 1.23 or later.

bitnami/nginx-ingress-controller deprecation imminent

The Bitnami public catalog will disable new versions, and PrivX will be moving away from Bitnami support. We are looking into alternative solutions for PrivX v42 and later.

privx-agent to be deprecated

Due to low usage and the alternative features available in PrivX, we plan to drop privx-agent starting from a future PrivX release. These are initial plans, and we are open to feedback regarding this matter.

New Features

  • [PX-5812] Auto-approval of role requests
  • [PX-6700] Network target manager supports the nftables router type
  • Extended feature support in FIPS-approved mode of operation:
    • [PX-7306] FIPS-approved mode supports Extender connections
    • [PX-7460] FIPS-approved mode supports database connections
  • [PX-7318] PrivX setup supports PostgreSQL 17
  • [PX-7796] New license feature flag to run PrivX in FIPS mode
  • [PX-7810] Allow configuration of TERM in SSH web client
  • [PX-7807] License notifications are now shown only to users with privx-admin or license-manage roles, instead of all users.

Bug Fixes and Improvements

  • [PX-5340] Change PrivX default keyvault encryption algorithm to AES 256
  • [PX-5885] Graph API and GSuite user directories do not recover from network errors
  • [PX-7105] PrivX carrier status does not list podman container image
  • [PX-7188] Clearer error message when invalid target domain name is given to deployment scripts
  • [PX-7436] Network target and hosts endpoints support search filter from both body and query params
  • [PX-7473] Host tags from cloud scan and from deployment scripts are not properly separated
  • [PX-7524] Host search sort based on name does not work
  • [PX-7535] support for ECDSA key generation, signing and signature verification to pkcs11vault
  • [PX-7564] role-store scanning cloud providers does not timeout correctly
  • [PX-7595] access_group_id query parameter is not properly forwarded by extender for host deployment with deploy script
  • [PX-7622] CBC ciphers are disabled in nginx.conf shipped with PrivX RPM
  • [PX-7634] Incorrect Service Status in Web GUI
  • [PX-7643] Liveness, readiness and startup probes added to PrivX deployment on kubernetes
  • [PX-7635] Fails to add Passkey to PrivX due to small credential_id size
  • [PX-7675] VMware host directory malfunctions if configured with a trailing "/"
  • [PX-7679] new property x509_extender_ca_valid added to authorizer.toml
  • [PX-7693] VNC file transfers do not work in kubernetes if there are multiple ssh-mitm instances running
  • [PX-7697] Workflow-engine originated emails on Kubernetes deployment miss proper subject
  • [PX-7707] session inactivity timeout allows negative values
  • [PX-7735] PrivX agent for Unix and Windows supports key-type selection with -key-type [rsa|ecdsa]. Defaults to rsa for compatibility reasons; ecdsa is recommended in FIPS deployments.
  • [PX-7737] TLS trust anchors field added to OIDC directory
  • [PX-7759] Nginx pod in Kubernetes deployment does not log to stdout/stderr
  • [PX-7771] "manage" option should be removed for the Authorizer CA certificate under Monitor -> Certificate tab
  • [PX-7772] Updated supported TLS cipher suites for RDP client to RDP Bastion connections.
  • [PX-7781] PrivX backup script does not give clear result when pg_dump fails
  • [PX-7789] Connection to a network target should be dropped if the network target is disabled
  • [PX-7791] Multiple replicas of authorizer pods on Kubernetes may create duplicated components CAs
  • [PX-7792] RDP, WEB, and VNC connections do not work, if PrivX host OS has freerdp-libs package installed
  • [PX-7811] PrivX version check at startup should time out and not block the authorizer service from starting
  • [PX-7820] ssh target hostkey algorithms configurable via ssh-algorithms.toml
  • [PX-7857] Improved role-store recovery from database errors at startup time
  • [PX-7868] Extender page in GUI should indicate if the extender is remote upgradable
  • [PX-7881] More graceful termination of the connections through Extenders
  • [PX-7885] init_db.sh: typo in pg_hba.conf file handling
  • [PX-7894] AD login with an expired password now prompts the user to change their password.
  • [PX-7899] guacd: more logging around host certificate handling
  • [PX-7906] The status of an Active Directory should be displayed on its page in GUI

Known Issues

  • [PX-1517] Permission denied for AuthorizedPrincipalsCommand on AWS RedHat AMI

    • Workaround: To correct the SELinux context, copy principals_command.sh to the correct location:

      # scp -i key.pem principals_command.sh user@target:/tmp/
      # ssh -i key.pem user@target "sudo cp /tmp/principals_command.sh /etc/ssh/"

  • [PX-1711] RDP fails to connect to target in maintenance mode, need support for /admin flag

  • [PX-1835] Extender/Carrier/WebProxy configs are not migrated on upgrade

  • [PX-1875] Web proxy login does not work, if login page does requests to multiple domains

  • [PX-2947] No sound when viewing recorded rdp-mitm connection.

  • [PX-3086] PrivX role mapping to AD OU not working as expected.

  • [PX-3529] Default access group CA key is always copied on the host when running the deployment script via Extender

  • [PX-3655] remoteApp cannot be restored after it's minimized

  • [PX-3887] RDP connection to Remote Desktop Server (RDS) Farm is not supported.

  • [PX-4218] RDP native clients do not work in Kubernetes environment when running under non-root account

  • [PX-4352] UI shows deleted local user after delete

  • [PX-4616] Upgrade may stop Carriers and Web Proxies from reconnecting.

    • Workaround: Restart affected Carrier and Web-Proxy services.

  • [PX-4662] Pasting larger text amount in Carrier/Proxy host fails (limited to 16kB for now)

  • [PX-4689] PrivX Linux Agent leaving folders in /tmp

  • [PX-4778] RDP-PROXY: file under scanning can not be overwritten

  • [PX-4809] Empty file(s) created when ICAP detects malicious uploads with SCP via SSH Bastion.

  • [PX-5558] PrivX does not support password change required option for user in auth flow via passkey.

  • [PX-5587] Live playback of WEB will be stuck in live after disconnecting by closing the carrier browser

  • [PX-5589] User cannot login with PrivX Agent if password includes a SPACE at start/end

  • [PX-6209] Attribute mapping for OIDC does not work, if idtoken source attribute name is not all lowercase

  • [PX-6464] Secret-manager crash if database doesn't have valid TLS certificate

  • [PX-6490] PrivX RDP session screen corrupts in Windows 2008 via Chrome and Edge browsers

  • [PX-6636] Web-target vCenter keystrokes do not work properly in BIOS/GRUB menu

  • [PX-7393] Role mapping rules: an "Any Rule Matches" group with nested groups causes an error

  • [PX-7771] Certificates→Manage shows empty page for Authorizer certificates.

Notable API Changes

The endpoint POST /requests/{request-id}/role/revoke previously only allowed revocation by users who have given approvals. Approvals can now be revoked by anybody defined as an approver in the associated workflow.